Cybersecurity - Mobile Application Security

Page 1: Cybersecurity - Mobile Application Security

Eryk Budi Pratama, CEH

Cybersecurity Consultant, Ernst & Young (EY)

Mobile Application Security

Page 2

Application Security Risk

Page 8

Lack of Binary Protection

Obfuscation

Code modification

Recommendations:

• Obfuscator (ProGuard, DexGuard)

• Jailbreak Detection Controls

• Checksum Controls

• Debugger Detection Controls

• Renewing Secret Tokens

Page 10

Weak Server Side Controls

Logic flaws

Weak authentication

Weak Session Management

Insecure web server configuration

Injection (SQL, XSS, Command)

Local and Remote Files Control

Input validation for API

Page 11

Insecure Data Storage

SQLite databases

Log Files

XML Data Stores or Manifest Files

Binary data stores

Cookie stores

SD Card

Recommendations:

• Ensure no shared preferences file is created with MODE_WORLD_READABLE

• Avoid relying exclusively on hardcoded encryption or decryption keys

Page 12

Insufficient Transport Layer Protection

• Lack of Certificate Inspection

• Weak Handshake Negotiation (cipher suite)

• Privacy Information Leakage (via non-secure channel)

Recommendations:

• Use TLS

• Certificate Pinning

• Strong cipher suite

• Usage of Secure flag for Session Cookies

• Usage of HTTP Strict Transport Security (HSTS)

Page 13

Unintended Data Leakage

API or encryption keys

Passwords

Internal company information

Debugging or maintenance information

Recommendations:

• Store sensitive application data server-side

• Avoid hardcoding information in the application

Page 14

Poor Authorization and Authentication

• No password, just a unique ID

• Plain text password

• Credentials sent using the GET method

Recommendations:

• Unique identifiers as additional (not the only) factors

• Differentiate client-side passcode vs. server authentication

• Hardware-independent identifiers (i.e. not IMSI, serial number, etc.)

• Multi-factor authentication, depending on risk

• Define & enforce password length, strength & uniqueness

Page 15

Broken Cryptography

Hardcoded key

Insecure encryption algorithm

RC2

MD4

MD5

SHA1

Page 16

Client Side Injection

SQL Injection

Local File Inclusion

JavaScript Injection (XSS)

Recommendations:

• Use parameterized queries

• Verify that JavaScript and plugin support is disabled for any WebViews

• Verify that file system access is disabled for any WebViews
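The two recommendations above, shown in Android code as an added example (not from the slides): a local SQLite lookup built by string concatenation beside its parameterized form, and a WebView configured with JavaScript, plugins and file access turned off. The table and column names are assumed for illustration.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example, not from the slide deck: hardening for the two
// client-side injection vectors on this slide, SQLite and WebView.
public final class ClientSideInjectionHardening {

    // Vulnerable pattern: the username is spliced into the SQL text, so a
    // crafted value changes the statement (local SQL injection).
    // Table "users" and its columns are assumed for illustration.
    static Cursor lookupUserUnsafe(SQLiteDatabase db, String username) {
        return db.rawQuery(
                "SELECT id, email FROM users WHERE name = '" + username + "'", null);
    }

    // Hardened: parameterized query. The value is bound as data by SQLite
    // and is never parsed as part of the statement.
    static Cursor lookupUser(SQLiteDatabase db, String username) {
        return db.rawQuery(
                "SELECT id, email FROM users WHERE name = ?", new String[] { username });
    }

    // Hardened WebView per the slide: no JavaScript, no plugins, no file-system access.
    // Call this before loading any content into the view.
    static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);                  // injected script (XSS) cannot execute
        s.setPluginState(WebSettings.PluginState.OFF);  // legacy plugin support off (deprecated API, still present)
        s.setAllowFileAccess(false);                    // no file:// loads from app storage
        s.setAllowContentAccess(false);                 // no content:// provider access from the page
        s.setAllowFileAccessFromFileURLs(false);        // file:// pages cannot read other local files
        s.setAllowUniversalAccessFromFileURLs(false);   // file:// pages cannot reach other origins
    }
}
```

Review the WebView settings whenever the app's target SDK changes, since the framework defaults for these flags differ between API levels.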

Page 17

Improper Session Handling

Failure to Invalidate Sessions on the Backend

Lack of Adequate Timeout Protection

Failure to Properly Rotate Cookies

Insecure Token Creation

Page 18

Thank You