Transcript

Page 1

Mobile application security

App Alliance WG Meeting

20 November 2013

Kristof Dewulf

Yannick Scheelen

Page 2

Security weaknesses and vulnerabilities: Mobile devices

EY - App Alliance WG meeting – 20 November

► Malware goes mobile (timeline 2012, 2013, 2014)

► August: Weakness in SSL cert handling exposes data to interception (iOS)
► September: HTC phone vulnerability leaks personal data (Android)
► April: NotCompatible gains access to local network preferences (Android)
► February: Lock screen of iPhone can be circumvented (iOS)
► July: LuckyCat opens a backdoor that allows remote access (Android)
► May: FakeInst SMS Trojan cost end-users 30 million dollars (Android)
► July: SMSzombie that abuses China's SMS payment (Android)
► April: Apparent security certificate turns out to be Android malware
► July: The Android "Master Key" exploit
► September: Banking Trojans disguise attack targets in the cloud
► September: iOS 7 lock screen vulnerability discovered

► Security threats and malware are constantly present

► Smartphone sales are increasing

Chart: smartphone sales by operating system, market share (%), 3Q13 vs 3Q12. Source: Gartner.com

              3Q13   3Q12
Android       81.9   72.6
iOS           12.1   14.3
Microsoft      3.6    2.3
Blackberry     1.8    5.2

Chart: number of malware variants in 2010, 2011 and 2012 for TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer (axis 0 to 160). Source: Eset.com

Page 3

Application weaknesses and vulnerabilities: More than meets the eye


► Most tests stop here…

► ...or here

► Application code review

► Insecure data storage

► SSL/TLS

► Bypass authentication or authorization controls

► Bypass validations or manipulate application business logic

► What about injection attacks?

► Session management?

► Side channel data leakage?

► Sensitive information disclosure?

► Phishing attacks?

► Application and library permissions?

Page 4

Mobile Application Security: Most common issues


1. There is too much business logic in the application
► The mobile devices hold the actual application binary
► It's safer to perform business logic validation on central systems (e.g. web service/web server)

2. SSL/TLS not, or not properly, implemented
► Certificate validity is often not checked
► Consider certificate pinning – works perfectly for mobile apps!

3. Insecure local data storage
► Passwords stored in databases
► Personal information is stored without consent of the user (re privacy legislation)
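As an added illustration of the certificate-pinning recommendation in point 2 (example code written for this transcript, not from the presentation or from EY): a public-key (SPKI) pin check in Python. The minimal DER walker, the "sha256/<base64>" pin format and the dummy certificate builder are this example's own assumptions; an app would compare the pin of the server's certificate against pins shipped inside the app, and pinning the SubjectPublicKeyInfo rather than the whole certificate keeps the pin valid when the certificate is reissued with the same key.

```python
import base64
import hashlib

SEQ, INT, BITSTR, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, used for the sample cert only

def der_encode(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_children(buf: bytes):
    """Yield (tag, value) for each top-level TLV in buf."""
    while buf:
        tag, length, pos = buf[0], buf[1], 2
        if length & 0x80:                        # long form: next N bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        buf = buf[pos + length:]

def spki_pin(cert_der: bytes) -> str:
    """Return the "sha256/<base64>" pin of the certificate's SubjectPublicKeyInfo."""
    _, cert_body = next(der_children(cert_der))  # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs = next(der_children(cert_body))       # tbsCertificate is its first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_tag, spki = fields[5]
    return "sha256/" + base64.b64encode(hashlib.sha256(der_encode(spki_tag, spki)).digest()).decode()

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """Accept the certificate only if its SPKI pin is in the app's pinned set."""
    return spki_pin(cert_der) in pinned

def build_sample_cert(serial: int, pubkey: bytes) -> bytes:
    """Constructed, unsigned dummy certificate (structure only) so the demo runs offline."""
    alg = der_encode(SEQ, der_encode(OID, RSA_OID) + der_encode(NULL, b""))
    spki = der_encode(SEQ, alg + der_encode(BITSTR, b"\x00" + pubkey))
    tbs = der_encode(SEQ, der_encode(0xA0, der_encode(INT, b"\x02"))  # version v3
                     + der_encode(INT, bytes([serial]))                # serialNumber
                     + alg + der_encode(SEQ, b"") * 3 + spki)          # sig alg, issuer, validity, subject, spki
    return der_encode(SEQ, tbs + alg + der_encode(BITSTR, b"\x00" * 9))
```

Running `spki_pin(build_sample_cert(1, b"\x01\x02\x03\x04"))` yields a pin that stays identical for a reissued certificate carrying the same key and differs once the key changes.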

Page 5

Mobile Application Security Testing: Our approach


Mobile Device

Objective: Identify vulnerabilities on the applications - Android, iOS or Windows.

► Reverse engineer the binary using tools such as:
► Clang (static code)
► GDB
► IDA (Pro)
► Class-dump-z
► …
and investigate the source code for passwords, server-side keys, … but also learn how the application works!

► Perform data analysis by looking for sensitive data in databases, logs, back-ups, cached files, debug messages, …

► Verify application’s permissions.

► Analyze application’s business logic.

► Perform security tests similar to other web applications tests (e.g. session management, authentication management, …).

Server-side controls

Objective: Identify vulnerabilities on the server side of the mobile application.

► Perform an in-depth penetration test of the server-side application.

► Perform an in-depth penetration test of the web services or API services.

► Use the information found on the local device to leverage our success.

Communication channel

Objective: Identify vulnerabilities on the data communication channel.

► Mobile applications are highly likely to operate on insecure wireless networks.

► It is essential to review the network protocols the application uses to communicate with the server-side application.

► The use of SSL/TLS is confirmed both through code review and the Burp Suite proxy tool.

Page 6

Our recommendations

► Developers: start with security in mind!
► Understand the threats:
► On the application
► On the channel
► On the server side

► Don't store sensitive data on the device
► without consent of the user and without the ability for the user to remove his/her personal information

► Understand the mobile platform of your application
► Understand your audience

► Assess your application


Page 7

Contact details
