Mobile application security App Alliance WG Meeting 20 November 2013 Kristof Dewulf Yannick Scheelen


DESCRIPTION

Presentation by EY infosec experts Kristof Dewulf and Yannick Scheelen about mobile applications security. Agoria Alliance WG Meeting 20/11/13


Page 1: Mobile application security

Mobile application security

App Alliance WG Meeting

20 November 2013

Kristof Dewulf

Yannick Scheelen

Page 2: Mobile application security


Security weaknesses and vulnerabilities: Mobile devices

► Malware goes mobile

EY - App Alliance WG meeting – 20 November

Timeline of mobile threats (axis marks 2012, 2013, 2014), events as labelled on the slide:

► August: Weakness in SSL cert handling exposes data to interception (iOS)
► September: HTC phone vulnerability leaks personal data (Android)
► April: NotCompatible gains access to local network preferences (Android)
► February: Lock screen of iPhone can be circumvented (iOS)
► July: LuckyCat opens a backdoor that allows remote access (Android)
► May: FakeInst SMS Trojan costs end-users 30 million dollars (Android)
► July: SMSzombie abuses China's SMS payment (Android)
► April: Apparent security certificate turns out to be Android malware
► July: The Android "Master Key" exploit
► September: Banking Trojans disguise attack targets in the cloud

► Security threats and malware are constantly present

► Smartphone sales are increasing

Smartphone sales by operating system, % market share (Source: Gartner.com):

OS           3Q13   3Q12
Android      81.9   72.6
iOS          12.1   14.3
Microsoft     3.6    2.3
Blackberry    1.8    5.2

[Chart: number of variants per Android malware family (TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu, FakePlayer) in 2010, 2011 and 2012; axis 0 to 160. Source: Eset.com]

► September: iOS 7 Lock Screen Vulnerability Discovered

Page 3: Mobile application security


Application weaknesses and vulnerabilities: More than meets the eye

► Most tests stop here…
► ...or here

Items shown in the slide diagram:

► Application code review
► Insecure data storage
► SSL/TLS
► Bypass authentication or authorization controls
► Bypass validations or manipulate application business logic

► What about injection attacks?

► Session management?

► Side channel data leakage?

► Sensitive information disclosure?

► Phishing attacks?

► Application and library permissions?

Page 4: Mobile application security


Mobile Application Security: Most common issues

1. There is too much business logic in the application
► The mobile devices hold the actual application binary
► It's safer to perform business logic validation on central systems (e.g. web service/web server)

2. SSL/TLS not implemented, or not properly implemented
► Certificates' validity is often not checked
► Consider certificate pinning – it works perfectly for mobile apps!

3. Insecure local data storage
► Passwords stored in databases
► Personal information is stored without consent of the user (re privacy legislation)
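As an added illustration of the certificate-pinning recommendation in item 2 (example code written for this page, not EY's or the presentation's own code; the host name and the certificate bytes are constructed placeholders), a minimal pin check layered on top of normal TLS validation in Python:

```python
import base64
import hashlib
import socket
import ssl

# Pin format: "sha256/" + base64(SHA-256(DER-encoded certificate)), the form used by
# HPKP and OkHttp's CertificatePinner. Pinning the whole certificate means every
# certificate renewal needs an app update, so always ship a backup pin as well.

def cert_pin(cert_der: bytes) -> str:
    """Compute the pin string for a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def check_pin(cert_der: bytes, pins: set[str]) -> bool:
    """Return True only if the presented certificate matches one of the pinned values."""
    return cert_pin(cert_der) in pins

def connect_pinned(host: str, port: int, pins: set[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes chain/hostname validation AND the pin check.
    Pinning is layered on top of validation, never used as a replacement for it."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
        if presented is None or not check_pin(presented, pins):
            raise ssl.SSLCertVerificationError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()
        raise
    return tls

# Constructed sample values (not real certificates): these bytes stand in for the
# DER encoding of the app's current server certificate and of a backup certificate.
CURRENT_CERT_DER = b"constructed DER bytes of the current API server certificate"
BACKUP_CERT_DER = b"constructed DER bytes of the backup certificate"
PINS = {cert_pin(CURRENT_CERT_DER), cert_pin(BACKUP_CERT_DER)}

if __name__ == "__main__":
    # A certificate outside the pin set is rejected even if a trusted CA signed it.
    print(check_pin(CURRENT_CERT_DER, PINS), check_pin(b"some other certificate", PINS))
```

In a real app the call would be connect_pinned("api.example.com", 443, PINS); a mismatch here is exactly the man-in-the-middle case that an unchecked certificate lets through.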

Page 5: Mobile application security


Mobile Application Security Testing: Our approach

Mobile Device

Objective: Identify vulnerabilities on the applications - Android, iOS or Windows.

► Reverse engineer the binary using tools such as:
► Clang (static code)
► GDB
► IDA (Pro)
► Class-dump-z
► …
and investigate the source code for passwords, server-side keys, … but also learn how the application works!

► Perform data analysis by looking for sensitive data in databases, logs, back-ups, cached files, debug messages, …

► Verify application’s permissions.

► Analyze application’s business logic.

► Perform security tests similar to other web applications tests (e.g. session management, authentication management, …).

Server-side controls

Objective: Identify vulnerabilities on the server side of the mobile application.

► Perform an in-depth penetration test of the server-side application.

► Perform an in-depth penetration test of the web services or API services.

► Use the information found on the local device to increase the chances of success on the server side.

Communication channel

Objective: Identify vulnerabilities on the data communication channel.

► Mobile applications are highly likely to operate on insecure wireless networks.

► It is essential to review the network protocols the application uses to communicate with the server-side application.

► The use of SSL/TLS is confirmed both through code review and with the Burp Suite proxy tool.

Page 6: Mobile application security

Our recommendations

► Developers: start with security in mind!
► Understand the threats:
► On the application
► On the channel
► On the server side
► Don't store sensitive data on the device without consent of the user and without the ability for the user to remove his/her personal information
► Understand the mobile platform of your application
► Understand your audience
► Assess your application

Page 7: Mobile application security


Contact details