Due to the sensitive nature of the personal information often stored on mobile phones, security testing is vital when building mobile applications. Jeff Payne discusses some of the characteristics that make testing mobile applications unique and challenging. These characteristics include how mobile devices store data, fluid trust boundaries due to untrusted applications installed on the device, different and unique aspects of device security models, and differences in the types of threats one must be concerned with. Jeff shares hints and tips for effectively testing mobile applications. Tips include how to test for data privacy, secure session management, the presence of malicious applications, and traditional application security vulnerabilities. Leave with an understanding of what it takes to security test your mobile applications.
W6 Concurrent Session
4/9/2014 12:45 PM
“Security Testing Mobile Applications”
Presented by:
Jeff Payne
Coveros, Inc.
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888‐268‐8770 ∙ 904‐278‐0524 ∙ [email protected] ∙ www.sqe.com
Jeff Payne Coveros, Inc
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.
Security Testing Mobile Applications
Jeffery Payne, Chief Executive Officer, Coveros, Inc.
[email protected]
© Copyright 2013 Coveros, Inc. All rights reserved.
Bio
Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
About Coveros
Coveros helps organizations accelerate the delivery of secure, reliable software
Areas of Expertise
Our consulting services:
– Agile software development
– Application security
– Software quality assurance
Agile services:
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role
What this talk is NOT about
– Penetration testing
– Testing tools
– Test cases
What this talk IS about
– Mobile threats
– Mobile risks
– Test strategy based on these
Agenda
Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model
Mobile risks and test strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks
Getting more help
Mobile Apps: The Perfect Security Storm
[Diagram: mobile apps sit at the intersection of]
– Fat client concerns
– Traditional software security concerns
– Traditional web security concerns
– Untrusted apps
– Untrusted users
Mobile Apps: The Perfect Security Storm
A Changing Threat Model
New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends
Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data
Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages
Mobile App Security
Mobile Risks
Local storage – Storage of data (implicitly or explicitly) on a device
Session management – Managing the on-going interactions between a mobile app user and the rest of a distributed environment
Untrusted clients – Client requests might not be legitimate
Native Code – Native code is still prevalent in mobile applications
Mobile Platforms – How the device (and OS) configures and controls apps
Traditional Risks – Other risks we already know about
Mobile App Security: Best Practices
Do Not Allow Storage of Sensitive Data on Devices
Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage
What to test/check for
– Sensitive data is properly stored on back-end servers behind a firewall
– Sensitive data is replaced on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– Encryption routines for any local data use a computational key derivation function for keys
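The last two checks on this slide (partial data on the UI, a computational key derivation function for local keys), as an added Python example that is not part of Jeff Payne's slides or of any Coveros code. It uses PBKDF2-HMAC-SHA256 from the standard library as the KDF; the iteration count, the salt length and the account-number format are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Parameters are assumptions for illustration; the iteration count should be
# tuned to what the target device class can afford per unlock.
PBKDF2_ITERATIONS = 200_000
KEY_LENGTH = 32      # 256-bit key for the local data cipher
SALT_LENGTH = 16     # per-installation random salt, stored next to the ciphertext


def new_salt() -> bytes:
    """Fresh random salt; generated once per installation, never hard-coded."""
    return secrets.token_bytes(SALT_LENGTH)


def derive_local_key(passphrase: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the local-storage encryption key from a user secret with a
    computational KDF (PBKDF2-HMAC-SHA256), so the key is neither a constant
    baked into the binary nor a bare hash of the passphrase."""
    if len(salt) < SALT_LENGTH:
        raise ValueError("salt too short")
    if iterations < 10_000:
        raise ValueError("iteration count too low for a computational KDF")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LENGTH)


def mask_for_display(value: str, visible_digits: int = 4) -> str:
    """Partial-data replacement for the UI: keep only the last few digits,
    replace the rest with '*', and preserve separators such as spaces."""
    digits = [c for c in value if c.isdigit()]
    first_visible = max(0, len(digits) - visible_digits)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= first_visible else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_local_key("user passphrase", salt)
    print(len(key), "byte key;", mask_for_display("4111 1111 1111 1234"))
```

A test for the "uses a KDF" check is simple once the derivation is a function: the same passphrase with two different salts must give two different keys, and a low iteration count must be refused.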
Mobile App Security: Best Practices
Make Sure Sessions are Managed Carefully
Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your applications if session management isn’t secure
– People often leave their phones laying around …
What to test/check for
– Idle sessions are automatically terminated after no more than 5 minutes
– Device identifier / MEID is not used as a session token
– Token revocation is supported and works remotely
– Session keys are temporary (to thwart ‘replay attacks’)
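The four session checks above in one server-side session store, as an added Python example that is not from the slides or from Coveros. The clock is injected so the five-minute idle timeout can be exercised in a test; the store, its method names and the in-memory dictionary are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 5 * 60   # the slide's "no more than 5 minutes"


@dataclass
class Session:
    user_id: str
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session registry. The clock is injectable so the idle
    timeout can be tested without waiting five minutes."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        # Token comes from the CSPRNG: it is not the device identifier / MEID,
        # and a fresh one is issued per login so a captured token is short-lived.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id if the session is live; drop it if it has been
        idle longer than the timeout or has been revoked."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if s.revoked or now - s.last_seen > self._idle_timeout:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user_id

    def revoke_user(self, user_id: str) -> int:
        """Remote revocation, e.g. after the user reports the phone lost.
        Returns the number of sessions revoked."""
        count = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                count += 1
        return count

    def live_count(self) -> int:
        return sum(1 for s in self._sessions.values() if not s.revoked)
```

Revocation is kept separate from expiry on purpose: a revoked token must fail on its next use even if the device keeps sending it, which is why `validate` checks the flag before it refreshes `last_seen`.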
Mobile App Security: Best Practices
Assume No Client (or App) is Trustworthy
Why?
– The increased threat of mobile device compromise means no client/app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise
What to test/check for
– Lower levels of encryption (export grade) have been disabled on the backend servers
– Test the integrity of all data received from a client or other application
– Test that all data received from a user or client has been sanitized
– Test that only the minimum amount of info is returned to clients when there is an error
– Move all default directories on all servers
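Three of the checks above (integrity of client data, sanitization, minimal error detail) in one back-end request handler, as an added Python example that is not from the slides or from Coveros. The HMAC-SHA256 request signature, the shared key, the account-number schema and the balance table are all constructed for the example.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, Tuple

# Constructed shared secret for the demo; a real deployment provisions one per client.
SERVER_KEY = b"demo-shared-secret-not-for-production"

ACCOUNT_RE = re.compile(r"[0-9]{6,12}")   # strict allow-list for the one field accepted
GENERIC_ERROR = {"error": "request rejected"}

_BALANCES = {"123456": 4200}              # constructed back-end data


def sign_request(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes sent; the client attaches this to the request."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _lookup_balance(account: str) -> int:
    if account not in _BALANCES:
        raise LookupError(f"no such account {account}")   # detail stays server-side
    return _BALANCES[account]


def handle_balance_request(raw_body: bytes, signature: str,
                           key: bytes = SERVER_KEY) -> Tuple[int, Dict[str, object]]:
    """Return (http_status, response_json). The client is not trusted at any step."""
    # 1. Integrity: verify the MAC in constant time before touching the payload.
    if not hmac.compare_digest(sign_request(key, raw_body), signature):
        return 401, dict(GENERIC_ERROR)
    # 2. Sanitization: parse, then allow only what the schema permits.
    try:
        body = json.loads(raw_body)
        account = body["account"]
    except (ValueError, KeyError, TypeError):
        return 400, dict(GENERIC_ERROR)
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        return 400, dict(GENERIC_ERROR)
    # 3. Minimal error detail: the same opaque message for every failure.
    try:
        balance = _lookup_balance(account)
    except LookupError:
        return 404, dict(GENERIC_ERROR)
    return 200, {"account": account, "balance": balance}
```

The test for "minimum info on error" is the one most often missing from a suite: assert that the response for an unknown account does not echo the account number, the exception text or anything else the handler knows.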
Mobile App Security: Best Practices
Test Native Code for Known Vulnerabilities
Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C; Java can call native code
– VMs often include vulnerabilities!
What to test/check for
– Check that Address Space Layout Randomization (ASLR) is being used to combat overflow attacks
– Perform traditional secure code scanning on all native code
– Recommend avoiding native code if possible
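The ASLR check above, as an added Python example that is not from the slides or from Coveros. The OS can only randomize a binary's load address if the binary was built position-independent, so the check reads the executable header: ELF type `ET_DYN` for Android native executables and the `MH_PIE` flag for iOS Mach-O. The header bytes built in the block are constructed, not real app binaries, and the helper names are assumptions.

```python
import struct
from typing import Optional

# ELF constants
ET_EXEC, ET_DYN = 2, 3
# Mach-O constants
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
MH_PIE = 0x200000


def elf_is_pie(data: bytes) -> Optional[bool]:
    """True if an ELF executable is position-independent (ET_DYN), False if it
    is linked at a fixed address (ET_EXEC), None if it is not an ELF executable."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 little, 2 big
    (e_type,) = struct.unpack(endian + "H", data[16:18])
    if e_type == ET_DYN:
        return True
    if e_type == ET_EXEC:
        return False
    return None                                     # relocatable object, core dump, ...


def macho_is_pie(data: bytes) -> Optional[bool]:
    """True if a 64-bit Mach-O executable carries MH_PIE, False if the flag is
    absent, None if the data is not a 64-bit Mach-O executable."""
    if len(data) < 32:
        return None
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == MH_MAGIC_64:
        endian = ">"
    else:
        return None
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, _, _, filetype, _, _, flags, _ = struct.unpack(endian + "8I", data[:32])
    if filetype != MH_EXECUTE:
        return None
    return bool(flags & MH_PIE)


def aslr_ready(data: bytes) -> Optional[bool]:
    """Platform-agnostic wrapper: None means 'not an executable I recognise',
    which a test should treat as a finding to investigate, not as a pass."""
    result = elf_is_pie(data)
    return result if result is not None else macho_is_pie(data)


# Constructed headers (not real binaries): only the bytes the checks read are meaningful.
def make_elf_header(e_type: int, little_endian: bool = True) -> bytes:
    ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little_endian else ">") + "HH", e_type, 0xB7)  # 0xB7 = AArch64


def make_macho_header(flags: int, filetype: int = MH_EXECUTE) -> bytes:
    cpu_type_arm64 = 0x0100000C
    return struct.pack("<8I", MH_MAGIC_64, cpu_type_arm64, 0, filetype, 0, 0, flags, 0)


if __name__ == "__main__":
    for name, blob in [("elf-pie", make_elf_header(ET_DYN)),
                       ("elf-fixed", make_elf_header(ET_EXEC)),
                       ("macho-pie", make_macho_header(MH_PIE)),
                       ("macho-no-pie", make_macho_header(0))]:
        print(f"{name}: ASLR-ready = {aslr_ready(blob)}")
```

Run the same check over every native library and executable unpacked from the app package, and treat a `None` result (unknown format, or a 32-bit Mach-O this example does not parse) as something to look at rather than as a pass.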
Mobile App Security: Best Practices
Understand Your Mobile Platform
Why?
– Each platform uses a different security model
– Each platform manages applications differently
What to understand
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Mobile App Security: Best Practices
Don’t Forget About Traditional Risks
Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin client mobile apps
What to test/check for
– SQL injections
– Web application security issues (XSS, CSRF, etc.)
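The SQL injection check above, shown as the vulnerable query beside its fixed form, as an added Python example that is not from the slides or from Coveros. The in-memory sqlite3 database stands in for an on-device store (the slide names MySQL; the pattern is the same), and the table, rows and function names are constructed for the example.

```python
import sqlite3
from typing import Callable, List


def make_db() -> sqlite3.Connection:
    """Constructed on-device store: two users' notes in one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "alice's grocery list"), ("bob", "bob's account PIN")])
    conn.commit()
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Vulnerable: `owner` is spliced into the SQL text, so a quote character in
    the input changes the structure of the query instead of being data."""
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Fixed: a bound parameter; the driver hands `owner` to the engine as a
    value, so it can never be interpreted as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


def injection_test(conn: sqlite3.Connection,
                   query_fn: Callable[[sqlite3.Connection, str], List[str]]) -> bool:
    """Test-suite style check: an owner string containing a quote must match
    nothing, because no such owner exists. Returns True if query_fn passes."""
    probe = "alice' OR 'x'='x"
    return query_fn(conn, probe) == []


if __name__ == "__main__":
    db = make_db()
    print("vulnerable passes:", injection_test(db, notes_for_owner_vulnerable))
    print("safe passes:", injection_test(db, notes_for_owner_safe))
```

`injection_test` is the shape of check to put in the app's own test suite: it runs against every data-access function and fails whenever a string that would break out of the quotes returns rows, which is exactly what the vulnerable version does here and the parameterized version does not.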
Mobile App Security
Getting Smarter
OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs
Questions?
Thank You
Contact Information:
Jeffery Payne
[email protected]