
CNS - Hut3 - Mobile Application (In)Security


DESCRIPTION

Explaining common mobile application security weaknesses and how to mitigate them. Presentation by Adrian Hayter and Andy Swift at the CNS Security Chapter event series.


Mobile Application (In)security

Explaining common mobile application security weaknesses and how to mitigate them.

Adrian Hayter & Andy Swift

CNS Hut 3 Team
[email protected] / [email protected]


Attack Vectors

When penetration testing a mobile application, CNS Hut3 focuses on four distinct areas:

• The Mobile Application

• The Mobile Device – iPhone, Android, Windows Mobile, etc.

• The Network – everything between the device and the server!

• The Server – most mobile applications interface with one.

Adrian Hayter & Andy Swift Page: 2/25 .


Apps World

CNS Hut3 went to Apps World...

...and met some random American guy (Steve Wozniak).


How much do developers know about security?

Which of these counts as confidential data?

(a) Usernames & Passwords.

(b) Documents obtained after successful authentication.

(c) Session tokens.

(d) All of the above.


How much do developers know about security?

Which of these counts as confidential data?

(a) Usernames & Passwords. (8%)

(b) Documents obtained after successful authentication. (4%)

(c) Session tokens. (0%)

(d) All of the above. (88%)


How much do developers know about security?

Which of the following is best practice for data sent to web servers?

(a) Send login credentials over HTTPS. Use regular HTTP for everything else.

(b) Force everything to be sent over HTTPS.

(c) Provide both HTTP and HTTPS and let the user choose.

(d) Allow HTTP but redirect immediately to HTTPS.


How much do developers know about security?

Which of the following is best practice for data sent to web servers?

(a) Send login credentials over HTTPS. Use regular HTTP for everything else. (8%)

(b) Force everything to be sent over HTTPS. (76%)

(c) Provide both HTTP and HTTPS and let the user choose. (4%)

(d) Allow HTTP but redirect immediately to HTTPS. (12%)


How much do developers know about security?

How should passwords be stored?

(a) In plaintext.

(b) Encoded using Base64.

(c) Salted and then hashed.

(d) Hashed and then salted.


How much do developers know about security?

How should passwords be stored?

(a) In plaintext. (0%)

(b) Encoded using Base64. (20%)

(c) Salted and then hashed. (56%)

(d) Hashed and then salted. (24%)


How much do developers know about security?

Which of these is the best choice for encrypting sensitive files?

(a) SHA-3

(b) Develop our own (secret) in-house encryption mechanism.

(c) AES-256

(d) 3DES


How much do developers know about security?

Which of these is the best choice for encrypting sensitive files?

(a) SHA-3 (16%)

(b) Develop our own (secret) in-house encryption mechanism. (4%)

(c) AES-256 (76%)

(d) 3DES (4%)


How much do developers know about security?

Which is the correct attitude to have towards server-side security?

(a) We should put more focus on server-side security.

(b) We should put equal focus on both server-side and app-side security.

(c) We don’t need to focus on server-side security because the app is secure.

(d) We should put more focus on app-side security but be aware of server-side security issues.


How much do developers know about security?

Which is the correct attitude to have towards server-side security?

(a) We should put more focus on server-side security. (20%)

(b) We should put equal focus on both server-side and app-side security. (68%)

(c) We don’t need to focus on server-side security because the app is secure. (0%)

(d) We should put more focus on app-side security but be aware of server-side security issues. (12%)


Sensitive Data Storage

As an application developer, you have (almost) no control over the user’s device. Presume the device is already compromised.

If at all possible, don’t store sensitive data on the device.

Sensitive data includes:

• Credentials (e.g. passwords, keys, etc.)

• Session tokens (e.g. cookies)

• Files containing user information.

Mitigation: If you handle sensitive data, encrypt it before saving it to the device. Use a strong encryption algorithm like AES-256.
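As an added example (not from the deck), the mitigation above in Go: a record is sealed with AES-256-GCM before it is written to the device, and a record that was altered on the device fails to open instead of decrypting to garbage. The function names, the fixed demo key and the sample token are constructed for this example; on a real device the key would come from the platform keystore (assumption), never from a file beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM instance; a 32-byte key makes it AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForStorage encrypts one record before it is written to the device as
// nonce || ciphertext || tag. The key is not in the output and must not be stored beside it.
func sealForStorage(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openFromStorage reverses sealForStorage; GCM rejects a record altered on the device.
func openFromStorage(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored record too short")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
}

// roundTrip seals a constructed token, opens it, then checks a corrupted copy is rejected.
func roundTrip() (restored, tamperDetected bool) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real app loads it from the keystore
	token := []byte("session=constructed-example-token") // constructed sample record
	stored, err := sealForStorage(key, token)
	if err != nil {
		return false, false
	}
	got, err := openFromStorage(key, stored)
	restored = err == nil && bytes.Equal(got, token)
	stored[len(stored)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = openFromStorage(key, stored)
	return restored, err != nil
}
```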


Device Caches

Many devices keep caches of user input and other data relating to the application.

• Temporary Files – Downloads, Documents, etc.

• User Dictionary – Depending on input type.

• Application Snapshots (iOS)

Mitigation: Remove files once they are no longer needed. Specify correct input types. Disable caches if possible.


Device Caches: iOS Dictionary

Accessible via jailbreaking:

• /private/var/mobile/Library/Keyboard/dynamic-text.dat

• /private/var/mobile/Library/Keyboard/en_GB-dynamic-text.dat

The iOS “DynamicDictionary” keeps a record of everything typed into text boxes (Google searches, Facebook messages, SMS, email, etc.)


Insecure Data Transmission

If data is sent over an unencrypted channel, it can be intercepted and modified.

You can’t control which networks a user connects to. How many people can resist free WiFi networks at coffee shops?

Even trusted networks can’t be relied on due to Evil-twin attacks.

Mitigation: Transmit data over an SSL / TLS connection at all times.


SSL / TLS

SSL / TLS misconfigurations are some of the most common security weaknesses.

Application side:

• Weak cipher selection.

• Accepting invalid certificates.

Server side:

• Supporting old protocols, weak ciphers.

• Renegotiation Denial of Service, BEAST, CRIME, BREACH

Mitigation: Mostly configuration file changes!
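An added example, not from the deck, covering the application-side points above and the Insecure Data Transmission slide: a Go client that accepts any certificate (the weak setting) beside a hardened configuration that pins a trust anchor and sets a TLS 1.2 floor, both run against a local HTTPS server whose self-signed certificate stands in for the untrusted one an interceptor would present. The function names and the "hello" response body are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch performs one GET over the given TLS client configuration and returns
// the response body, or the error raised by the TLS layer.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// weakConfig is the "accepting invalid certificates" misconfiguration: any
// certificate is accepted, so an interceptor on the network can present its
// own and read or modify the traffic.
func weakConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedConfig trusts exactly one anchor (the app's own CA or server cert)
// and refuses protocol versions older than TLS 1.2.
func hardenedConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// compareClients runs three client configurations against a local HTTPS server
// whose self-signed certificate stands in for an untrusted one, and reports
// which connections succeed: default verification, accept-anything, pinned anchor.
func compareClients() (defaultOK, weakOK, hardenedOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "hello")
	}))
	defer srv.Close()
	_, err := fetch(srv.URL, nil) // system roots only: the self-signed cert fails
	defaultOK = err == nil
	_, err = fetch(srv.URL, weakConfig())
	weakOK = err == nil
	body, err := fetch(srv.URL, hardenedConfig(srv.Certificate()))
	hardenedOK = err == nil && body == "hello"
	return
}
```

The accept-anything client connects just as happily to a forged certificate as to the real one, which is why the "success" it reports is the weakness and not a feature.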


Jailbreaking / Rooting

People are always going to jailbreak / root their phones. They will be able to access your application files, and possibly decompile the application.

There is no point trying to perform “jailbreak detection” techniques. Your application runs with low privileges. A jailbroken / rooted device will always be able to evade this detection.

Mitigation: Focus more on the security of your application than on trying to prevent people reading your code. If you have code in your application that you don’t want people to see, you shouldn’t be letting people put it on their devices in the first place!


Android “Master Key” Exploits

A vulnerability found in early 2013 effectively allowed an attacker to embed malicious code within a trusted and signed application without invalidating the signature.

Despite its name, the “Master Key” exploits don’t actually expose any Android keys. Instead, a vulnerability in the handling of the ZIP-based APK files allows code modification.

Mitigation: Upgrade to Android 4.4. All previous versions are vulnerable (approximately 99% of all Android devices).


User Stupidity

Mitigation: None Known.


Vulnerabilities vs. Malware

Number of vulnerabilities per mobile OS

iOS vulnerabilities are by far the most common.

Jailbreak exploits, lock screen bypasses, numerous native application related bugs.

Android on the other hand has fewer vulnerabilities overall (open source code).


Vulnerabilities vs. Malware

Number of malware families per mobile OS

Number of vulnerabilities is not necessarily an indication of the amount of malware a system suffers from.

iOS vulnerabilities are often more complex, require a lot of user interaction.

Apple have a rigorous vetting process for apps. Android’s app store has almost no protection whatsoever.


Demos


Questions?

Ask away, or email:

[email protected] / [email protected]
