W6 Concurrent Session
4/9/2014 12:45 PM

“Security Testing Mobile Applications”

Presented by:
Jeff Payne
Coveros, Inc.

Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com

Security Testing Mobile Applications


DESCRIPTION

Due to the sensitive nature of the personal information often stored on mobile phones, security testing is vital when building mobile applications. Jeff Payne discusses some of the characteristics that make testing mobile applications unique and challenging. These characteristics include how mobile devices store data, fluid trust boundaries due to untrusted applications installed on the device, different and unique aspects of device security models, and differences in the types of threats one must be concerned with. Jeff shares hints and tips for effectively testing mobile applications. Tips include how to test for data privacy, secure session management, the presence of malicious applications, and traditional application security vulnerabilities. Leave with an understanding of what it takes to security test your mobile applications.


Jeff Payne, Coveros, Inc.

Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.

2/24/2014

Security Testing Mobile Applications

Jeffery Payne
Chief Executive Officer
Coveros, Inc.
[email protected]

© Copyright 2013 Coveros, Inc. All rights reserved.

Bio

Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.


About Coveros

Coveros helps organizations accelerate the delivery of secure, reliable software

Areas of Expertise

Our consulting services:
– Agile software development
– Application security
– Software quality assurance

Agile services
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role

What this talk is NOT about

Penetration testing
Testing tools
Test cases


What this talk IS about

Mobile threats
Mobile risks
Test strategy based on these

Agenda

Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model

Mobile risks and test strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks

Getting more help


Mobile Apps: The Perfect Security Storm

[Diagram: overlapping concerns of a mobile app: fat client concerns, traditional software security concerns, traditional web security concerns, untrusted apps, untrusted users]

Mobile Apps: The Perfect Security Storm
A Changing Threat Model

New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends

Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data

Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages


Mobile App Security
Mobile Risks

Local storage – Storage of data (implicitly or explicitly) on a device

Session management – Managing the on-going interactions between a mobile app user and the rest of a distributed environment

Untrusted clients – Client requests might not be legitimate

Native Code – Native code is still prevalent in mobile applications

Mobile Platforms – How the device (and OS) configures and controls apps

Traditional Risks – Other risks we already know about

Mobile App Security: Best Practices
Do Not Allow Storage of Sensitive Data on Devices

Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage

What to test/check for
– Sensitive data is properly stored on back-end servers behind a firewall
– Sensitive data is replaced on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– Encryption routines for any local data use a computational key derivation function for keys
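The last two checks on this slide, worked as an added example (this is not code from the talk or from Coveros): a test-style check that a local-data encryption key comes from a computational KDF rather than a bare hash, and masking of a sensitive value before it reaches the UI. The slide does not name a KDF; PBKDF2-HMAC-SHA256 from the standard library is used here, and the minimum salt length and iteration count are assumptions for this example.

```python
"""Added example (not from the talk): KDF-based key derivation for local data
and UI masking. MIN_SALT_BYTES / MIN_ITERATIONS are assumed floors."""
import hashlib
import os

MIN_SALT_BYTES = 16        # assumed minimum for this example
MIN_ITERATIONS = 100_000   # assumed minimum for this example


def kdf_params_acceptable(salt: bytes, iterations: int) -> bool:
    """What a reviewer checks first: a random salt of useful length and an
    iteration count high enough to make offline guessing expensive."""
    return len(salt) >= MIN_SALT_BYTES and iterations >= MIN_ITERATIONS


def derive_key(passphrase: str, salt: bytes, iterations: int = MIN_ITERATIONS,
               length: int = 32) -> bytes:
    """Derive a 256-bit key with PBKDF2-HMAC-SHA256 (standard library).
    The salt ties the key to this install; the iteration count adds the cost
    that a plain hash of the passphrase lacks."""
    if not kdf_params_acceptable(salt, iterations):
        raise ValueError("weak KDF parameters")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=length)


def naive_key(passphrase: str) -> bytes:
    """The misuse the slide warns about: one unsalted hash used directly as the
    key. Kept only so a test can show why it fails the check."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def mask_for_ui(value: str, visible: int = 4) -> str:
    """Replace all but the trailing `visible` characters so the full value is
    never rendered on a screen the platform may capture into temporary storage."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def salted_keys_differ(passphrase: str) -> bool:
    """Two installs with different random salts must not share a key even for
    the same passphrase; the naive scheme always produces the same key."""
    ka = derive_key(passphrase, os.urandom(MIN_SALT_BYTES))
    kb = derive_key(passphrase, os.urandom(MIN_SALT_BYTES))
    return ka != kb and naive_key(passphrase) == naive_key(passphrase)


if __name__ == "__main__":
    salt = os.urandom(MIN_SALT_BYTES)
    print("key:", derive_key("correct horse", salt).hex())
    print("ui :", mask_for_ui("4111111111111111"))   # constructed sample value
```

The two gates in `kdf_params_acceptable` are the ones a code review can actually verify without running the app: where the salt comes from and how many iterations are configured.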


Mobile App Security: Best Practices
Make Sure Sessions Are Managed Carefully

Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your applications if session management isn’t secure
– People often leave their phones lying around …

What to test/check for
– Idle sessions are automatically terminated after no more than 5 minutes
– Device identifier / MEID is not used as a session token
– Token revocation is supported and works remotely
– Session keys are temporary (to thwart ‘replay attacks’)
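The four checks on this slide, driven from a test harness, as an added example (not code from the talk or from Coveros): a server-side session store with an injectable clock so a tester can prove the idle timeout fires, revoke a session from outside the device, and confirm that tokens are fresh per login and never contain a device identifier. The 5-minute limit comes from the slide; the token length and the sample device ID are assumptions.

```python
"""Added example (not from the talk): testable session management.
IDLE_TIMEOUT_SECONDS follows the slide's 5-minute check."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 5 * 60


class FakeClock:
    """Controllable clock so tests can jump ahead instead of sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """Server-side session table keyed by an unpredictable token."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user": str, "last_seen": float}

    def create(self, user: str) -> str:
        # A fresh random token per login: temporary, and unrelated to the device.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def validate(self, token: str):
        """Return the session's user, or None. Touching a session that has been
        idle past the limit expires it instead of refreshing it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke(self, token: str) -> bool:
        """Remote revocation: callable from any channel, not only the device."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user: str) -> int:
        """Kill every live session for a user (lost phone, help-desk action)."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def token_is_device_bound(token: str, device_ids) -> bool:
    """Tester's check: a session token must not be, or embed, a device identifier."""
    return any(d and d in token for d in device_ids)


def idle_timeout_enforced() -> bool:
    """Scenario: log in, stay active just under the limit, then go idle past it."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("alice")
    clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    still_alive = store.validate(token) == "alice"   # activity refreshes the session
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    expired = store.validate(token) is None
    return still_alive and expired
```

Because the store takes the clock as a parameter, the idle-timeout test runs in milliseconds and can be kept in the regression suite; the same harness is where a device-identifier check belongs, comparing every issued token against the identifiers the app can read.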

Mobile App Security: Best Practices
Assume No Client (or App) Is Trustworthy

Why?
– The increased threat of mobile device compromise means no client / app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise

What to test/check for
– Lower levels of encryption (export grade) have been disabled on the backend servers
– Test the integrity of all data received from a client or other application
– Test that all data received from a user or client has been sanitized
– Test that only the minimum amount of info is returned to clients when there is an error
– Move all default directories on all servers
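Three of the server-side checks on this slide, as an added example (not code from the talk or from Coveros) using only the standard library: flagging export-grade or low-strength cipher suites in the shape that `ssl.SSLContext.get_ciphers()` returns, an HMAC integrity check on a client payload, and an error response that gives the client a reference id while the detail stays in the server log. The cipher entries, key and request body are constructed sample data; the 128-bit floor is an assumption.

```python
"""Added example (not from the talk): untrusted-client checks.
SAMPLE_CIPHERS is constructed; MIN_STRENGTH_BITS is an assumed floor."""
import hashlib
import hmac
import ssl
import uuid

MIN_STRENGTH_BITS = 128


def weak_ciphers(cipher_list):
    """Flag export-grade and low-strength suites. Each entry is a dict like the
    ones ssl.SSLContext.get_ciphers() returns ({"name": ..., "strength_bits": ...})."""
    flagged = []
    for c in cipher_list:
        name = c["name"].upper()
        if name.startswith("EXP") or "EXPORT" in name or c["strength_bits"] < MIN_STRENGTH_BITS:
            flagged.append(c["name"])
    return flagged


def default_context_weak_ciphers():
    """Run the same check against what this host's TLS stack would actually offer."""
    return weak_ciphers(ssl.create_default_context().get_ciphers())


def sign_payload(key: bytes, body: bytes) -> str:
    """Tag a payload so the server can detect tampering in transit or on the device."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_payload(key: bytes, body: bytes, tag_hex: str) -> bool:
    """Integrity check on data received from a client: constant-time compare."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def error_response(exc: Exception, server_log: list) -> dict:
    """Minimal error for the client; full detail only in the server log, joined by an id."""
    ref = uuid.uuid4().hex
    server_log.append({"ref": ref, "type": type(exc).__name__, "detail": str(exc)})
    return {"error": "request failed", "ref": ref}


SAMPLE_CIPHERS = [   # constructed; the first two are what "export grade" looks like
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]

if __name__ == "__main__":
    print("flagged in sample list:", weak_ciphers(SAMPLE_CIPHERS))
    print("flagged in this host's default context:", default_context_weak_ciphers())
```

`default_context_weak_ciphers()` is the version to run on the real back-end host: it reports what that OpenSSL build will negotiate, which is the question the slide's first check asks.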


Mobile App Security: Best Practices
Test Native Code for Known Vulnerabilities

Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C; Java can call native code
– VMs often include vulnerabilities!

What to test/check for
– Check that Address Space Layout Randomization (ASLR) is being used to combat overflow attacks
– Perform traditional secure code scanning on all native code
– Recommend avoiding native code if possible
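The ASLR check, made concrete as an added example (not code from the talk or from Coveros): the loader can only randomise a native executable's base address if the binary was built position-independent, so a static test reads the image header and reports whether it is an ELF `ET_DYN` image (Android/Linux) or a Mach-O image with the `MH_PIE` flag (iOS/macOS). The header offsets and constants are from the public ELF and Mach-O formats; the sample headers are constructed inline so the check runs without a real binary.

```python
"""Added example (not from the talk): static PIE/ASLR check on an image header.
The header builders produce constructed sample headers for the test."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
MACHO_MAGICS = {0xFEEDFACE: "macho32", 0xFEEDFACF: "macho64"}
MH_PIE = 0x200000


def aslr_support(blob: bytes) -> dict:
    """Return {"format": ..., "pie": bool}; raise ValueError for other formats."""
    if len(blob) < 28:                       # smallest header we read (mach_header)
        raise ValueError("image too short")
    if blob[:4] == ELF_MAGIC:
        endian = "<" if blob[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big
        (e_type,) = struct.unpack_from(endian + "H", blob, 16)
        # Shared libraries are ET_DYN as well; apply this check to the app's executable.
        return {"format": "elf", "pie": e_type == ET_DYN}
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", blob, 0)
        if magic in MACHO_MAGICS:
            (flags,) = struct.unpack_from(endian + "I", blob, 24)  # mach_header.flags
            return {"format": MACHO_MAGICS[magic], "pie": bool(flags & MH_PIE)}
    raise ValueError("not an ELF or Mach-O image")


def make_elf_header(e_type: int, little: bool = True) -> bytes:
    """Constructed 64-byte ELF64 header (AArch64) with only the fields the check reads."""
    endian = "<" if little else ">"
    ident = ELF_MAGIC + bytes([2, 1 if little else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HHIQQQIHHHHHH",
                               e_type, 0xB7, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)


def make_macho_header(flags: int, bits: int = 64) -> bytes:
    """Constructed Mach-O header (ARM64, MH_EXECUTE) with the given flags word."""
    magic = 0xFEEDFACF if bits == 64 else 0xFEEDFACE
    fields = [magic, 0x0100000C, 0, 2, 0, 0, flags]
    if bits == 64:
        fields.append(0)                     # mach_header_64.reserved
    return struct.pack("<" + "I" * len(fields), *fields)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, aslr_support(f.read(64)))
```

Run with a path to a native executable pulled from a test device to see the verdict; a `pie: False` result on the app's main binary means the loader cannot randomise it, whatever the platform's ASLR support.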

Mobile App Security: Best Practices
Understand Your Mobile Platform

Why?
– Each platform uses a different security model
– Each platform manages applications differently

What to understand
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
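One place the "default configurations for applications" item turns into a test, as an added example (not code from the talk or from Coveros): auditing an Android manifest for application attributes whose platform default is the insecure setting, so that an attribute that is simply absent is reported as a finding. The attribute names are real `AndroidManifest.xml` attributes; the defaults listed, the wanted values and the sample manifest are assumptions for this example and should be confirmed against the platform version the app targets.

```python
"""Added example (not from the talk): manifest audit against assumed platform defaults.
SAMPLE_MANIFEST is constructed; CHECKS encodes assumed defaults."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# (attribute, value assumed when the attribute is absent, value we want to see)
CHECKS = [
    ("allowBackup", "true", "false"),           # app data exportable when true
    ("debuggable", "false", "false"),           # debugger can attach when true
    ("usesCleartextTraffic", "true", "false"),  # plain HTTP allowed when true (older targets)
]


def audit_manifest(manifest_xml: str) -> list:
    """Return (attribute, effective value, source) for every setting that is not
    the wanted value; source says whether the value was explicit or a default."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    findings = []
    for attr, default, wanted in CHECKS:
        explicit = app.get("{%s}%s" % (ANDROID_NS, attr))
        value = explicit if explicit is not None else default
        if value != wanted:
            findings.append((attr, value, "explicit" if explicit is not None else "default"))
    return findings


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:debuggable="true" android:label="Sample">
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:allowBackup="false" android:debuggable="false"
               android:usesCleartextTraffic="false">
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("%-22s %-6s (%s)" % finding)
```

The point of the `source` column is the slide's: two of the three findings on the sample come from attributes the developer never wrote, which is exactly what "understand the defaults" means in practice.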


Mobile App Security: Best Practices
Don’t Forget About Traditional Risks

Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin client mobile apps

What to test/check for
– SQL injections
– Web application security issues (XSS, CSRF, etc.)
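The two checks on this slide as regression tests, as an added example (not code from the talk or from Coveros): a lookup against a local SQLite database in its vulnerable and parameterised forms, with the classic tautology input a tester keeps to prove which one leaks the whole table, and output encoding for a string rendered into a web view. The table, rows and inputs are constructed.

```python
"""Added example (not from the talk): SQL injection and XSS regression checks.
The accounts table and its rows are constructed sample data."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 120), ("bob", 40), ("carol", 9000)])
    return conn


def balances_vulnerable(conn, owner: str):
    """The bug: the caller's string is spliced into the SQL text."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def balances_fixed(conn, owner: str):
    """The fix: a bound parameter, so the input is data and never SQL."""
    return conn.execute("SELECT owner, balance FROM accounts WHERE owner = ?",
                        (owner,)).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for a web view: markup in the name is displayed, not executed."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def injection_test_passes(lookup) -> bool:
    """Regression test: a tautology input must match no account, never the whole table."""
    conn = make_db()
    rows = lookup(conn, "x' OR '1'='1")
    return len(rows) == 0


if __name__ == "__main__":
    print("vulnerable passes:", injection_test_passes(balances_vulnerable))
    print("fixed passes:     ", injection_test_passes(balances_fixed))
    print(render_greeting("<b>guest</b>"))
```

`injection_test_passes` is written to take the lookup function as an argument so the same test runs against every data-access path, which is how a "mobile front-end for a traditional system" gets the same coverage its web front-end already has.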

Mobile App Security
Getting Smarter

OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs


Questions?

Thank You

Contact Information:
Jeffery Payne
[email protected]