(LEAKED) MOBILE APPLICATION
DATA PRIVACY
YURY CHEMERKIN
SECURITY EXPERT RESEARCHER
[ AGENDA ]
• Intro
• Similar public researchers
• Related/Previous work
• Current results
• Final thoughts
UNTRUSTED PLACES
• Untrusted charging places.
• When you connect your device to one, you see a notification that you are plugged into a PC/Mac
• Untrusted network places.
• When you connect your device to one:
• You may see nothing at all
• You may see a warning about an untrusted certificate, which you accept or decline
• Someone may persuade you to install a trusted (root) certificate
UNTRUSTED PLACES
Yury Chemerkin (Юрий Чемёркин), OWASP Russia 2016
PROBLEM. WHAT/WHO MAKES US INSECURE?
• Are we revealing everything about ourselves everywhere?
• Perhaps
• Do we know nothing about security and privacy?
• Perhaps
• Aren't app developers responsible for security failures?
• Who said they're not? They are!
• They just prefer not to talk about it
https://www.itr.co.uk/mobile-app/
ITR RESEARCH RESULTS. WHY CONSUMERS UNINSTALL MOBILE APPS
HOW MUCH DOES YOUR SECURITY COST?
• Non-specialist 'home' software
• Macroplant software (iExplorer): $35-70 (home), $200-2500 (enterprise)
• XK72 software (Charles proxy): $50 per license or $400-700 per bundle
• PortSwigger (Burp Suite): $300 per year
• … and so on
• Cracked editions are also available (no difference whether you pirate or buy)
• Specialist 'forensics' software
• Elcomsoft breakers: $80 (home; you have to know your password), $200 (pro; you don't have to know it), $800 (bundle)
• Elcomsoft bundles: $1,500-2,500
• Oxygen software: at least twice as expensive
• … and so on
• Cracked editions are also available for some old versions (better to buy the new one)
OXYGEN FORENSIC® DETECTIVE
• "Oxygen Forensic® Detective introduces offline maps and a new physical approach for Samsung Android devices!"
• "The updated version offers a new physical method for Samsung Android OS devices via custom forensic recovery. This innovative approach allows bypassing the screen lock and extracting a full physical image of supported Samsung devices."
• Translated: root the device, take the data, unroot it. The screen lock and the per-app sandbox stop being a protection boundary once someone has physical access and a forensic tool.
• http://www.oxygen-forensic.com/en/events/news/666-oxygen-forensic-detective-introduces-offline-maps-and-new-physical-approach-for-samsung-android-devices
FACTS ABOUT APP INSECURITY
• At first glance, the VK Music app only displayed legitimate functionality – it played audio files uploaded to the social network. But further study showed that it also contained malicious code designed to steal VKontakte user accounts and promote certain groups on the social network.
• https://securelist.com/blog/incidents/72458/stealing-to-the-sound-of-music/
• "In Russia we will keep phone numbers, logins and passwords of users. We do not store messages; they stay on the users' devices," a Moscow representative of Viber said. According to the company's lawyers, messengers also fall under the law that requires the personal data of Russians to be stored on servers located on the territory of the country.
FACTS ABOUT APP INSECURITY
• InstaAgent, an app that connects to Instagram and promises to
track the people that have visited a user's Instagram account,
appears to be storing the usernames and passwords of Instagram
users, sending them to a suspicious remote server.
• An app developer from Peppersoft downloaded InstaAgent -- full
name "Who Viewed Your Profile - InstaAgent" -- and discovered
it's reading Instagram account usernames and passwords,
sending them via clear text to a remote server -
instagram.zunamedia.com.
• http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/
FACTS ABOUT APP INSECURITY
• Researchers find data leaks in Instagram, Grindr, OoVoo and more. The
problems include storing images and videos in unencrypted form on Web
sites, storing chat logs in plaintext on the device, sending passwords in
plaintext…
• http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more
• Another Popular Android Application, Another Leak. We have found that
another popular Google play app, “Camera360 Ultimate,” not only
enhances the users’ photos but also inadvertently leaks sensitive data,
which gives malicious parties unauthorized access to users’ Camera360
Cloud accounts and photos.
• https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
• Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet.
• They did, but the app is still exposed to MITM attacks
• "Message data is stored in an unencrypted format because the operating systems (both iOS and Android) provide data isolation that prevents apps from having their storage read by other apps. This is considered standard in the industry, and is completely safe," Kik said.
• "Standard" and "safe" rest entirely on the sandbox holding. It does not hold against physical access: a device can be rooted without the owner's knowledge, and after that every app's private storage is readable.
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
• "SECURITY is core at 4Talk. Starting from secure phone number registration, to interaction only with confirmed personal contacts, to fully managing your account from any device you use."
• 2014: not protected at all
• 2015: Windows client protected at rest and in transit, prevents MITM
• 2015-2016: Android client protected in transit only, prevents MITM
• The app has no proxy feature (!), so that is the extent of its "protection"
• 2015: Mac client not protected at all
• 2016: Mac client's network traffic is protected (thanks to Apple)
• 2015-2016: not protected at all for iOS and Mac OS
• Data leakage is data that becomes available when you perform typical activities. A vulnerability, by contrast, is a weakness in the program. So vulnerability ≠ data leakage: normal activity exercises no weakness, the data is simply exposed…
• A typical security-support answer to a reported failure. Just spend a small amount of money ($$) to steal user data with fake networks in
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
• In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption.
• http://appleinsider.com/articles/15/10/20/1password-to-change-file-formats-after-key-file-found-to-contain-unencrypted-data
• If you browse to your .agilekeychain "file" on disk, you find that it is actually a directory. Inside this directory is a file named "1Password.html".
PREVIOUS RESEARCH
• I have done a lot of research on mobile and app security.
• The first of it was about something in between OS and apps – BlackBerry, Android. It was published and presented around the world
• 2013-2015 research
• Cross-OS apps: protection concepts, OS specifics per concept, outlines & remediation, EMM specifics
• "We know Twitter & Dropbox are better secured than bank apps!"
• http://www.slideshare.net/EC-Council/hh-yury-chemerkin
• http://defcamp.ro/dc14/Yury_Chemerkin.pdf
• In 2014 the presented results covered ~700 apps
• Also in 2015
• http://def.camp/wp-content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
• In 2015 the presented results covered ~700 apps
• 2016 current results: the most interesting cases (all up to date prior
SPECIAL PART FOR DEFCAMP 2015.
LAST-MINUTE RESEARCH
• Everyone got a booklet guide with short information about trusted taxi companies.
• Meridian: no in-app payment features; stores & transmits everything in plaintext
• Account, location & maps, and device information
• SpeedTaxi: no in-app payment features; stores & transmits everything in plaintext. Some issues with a server
• Account, location & maps, device and message information
• Cobalcescu: no in-app payment features; stores & transmits everything in plaintext. Some issues with a server
• Account and travel information
PRETTY INTERESTING SECURITY AND PRIVACY FAILS
HOW TO FAIL WITH HTTPS
• Be any app, like [ AirCanada ], and send information about the device and environment
• Be a news/social app, like [ Anews / Flipboard ], and send everything in plaintext over HTTP
• Be a storage app, like [ Asus WebStorage ], and send credentials in plaintext
• (it also fails with an old hash algorithm, see the later slides)
• Be a travel app, like [ AviaSales / Momondo ], send everything in plaintext and rely on a 3rd-party server for MITM protection
• Be a storage app, like [ Box ], prevent MITM but then fail and reveal credentials to the MITM tool anyway
• Be a taxi app, like [ Gett / MaximTaxi ], send everything in plaintext, and also fail at MITM protection of my credit card
UNTRUSTED PLACES. KINVEY IS A BACKEND FOR STORING FILES & USER ACCOUNTS
UNTRUSTED PLACES. KINVEY. ADMIN IS LOGGING IN TO THE KINVEY CONSOLE
UNTRUSTED PLACES. KINVEY. APP IS LOGGING IN & DOWNLOADING FILES
(screenshot slides; only the titles are reproduced here)
PROTECTION LEVELS.
• Some of the 10 levels (0…9) used in the ratings that follow:
• 0 – plaintext (stored as-is with 777 permissions, or transmitted as-is)
• 2 – weak (shared without developer permissions; MITM works without a fake root certificate)
• 4 – medium (shared only with developer permissions; MITM needs a fake root certificate installed)
• 5 – cached data
• 6 – protected (looks good but can be patched)
• 7 – strongly protected (cannot be patched or bypassed, or at least only with incredible effort)
APP INSECURITY. DISCLAIMER
• Everything presented from here on is for educational purposes and was done only with my own data & licenses. Moreover, none of the following techniques or actions was applied to any app presented here:
• modifying, decompiling, disassembling, decrypting or otherwise acting on the object code of any program with the aim of obtaining its source code
• Also, as is known,
• the user may modify the software solely for his or her own use, and reverse-engineer it for debugging such modifications.
• All app results are current and were tested on current OS versions (iOS 9, Android 5).
• Important note: no app was modified at all, and if you are on an older OS (Android < 5 or iOS < 9) your data can be stolen with or without a fake root certificate, depending on the case,
WE GUARANTEE THE
CONFIDENTIALITY OF YOUR
DATA
• Confidentiality: in information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes" (excerpt from ISO 27000).
• https://en.wikipedia.org/wiki/Information_security#Confidentiality
WE GUARANTEE THE
CONFIDENTIALITY OF YOUR
DATA
HOTELS.RU
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Token, cached data, screenshot (iOS only)
• Network data [Android: Plaintext], [iOS: Medium]
• Geolocation, token, passwords, IDs, room details, address
• Rating by year:
2013: Plaintext | 2014: Plaintext | 2015: Plaintext | 2016: Android Plaintext, iOS Medium
HOTELS.COM
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Cached data
• Network data [Android: Medium], [iOS: Medium]
• Geolocation, device data, room details
2013: N/A | 2014: N/A | 2015: Medium | 2016: Medium
HOTELS.COM. EULA/PRIVACY
• How we protect your information
• We want you to feel confident about using this website and our
Apps to make travel arrangements, and we are committed to
protecting the information we collect. While no website or App can
guarantee security, we have implemented appropriate
administrative, technical, and physical security procedures to help
protect the personal information you provide to us. For example,
only authorized employees are permitted to access personal
information, and they may only do so for permitted business
functions. In addition, we use encryption when transmitting your
sensitive personal information between your system and ours, and
we employ firewalls and intrusion detection systems to help
prevent unauthorized persons from gaining access to your
information.
• https://ru.hotels.com/customer_care/privacy.html#protect
AEROEXPRESS
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Tickets + QR code, email, phone, password, screenshot of any app window (iOS only)
• Network data [Weak]
• Email, phone, password, unique user ID, last login time, email & phone confirmation flags, device ID,
• Order ID, Base64(hash of order), order URL, order date, trip date, order cost,
• Ticket ID, route info, ticket GUID, token, ticket QR code
• Bank card info (number, CVV, name, expiration), tokens, *aeroexpress.ru, *ruru, *bank (AlfaBank)
• According to the release notes & PCI DSS, the app does not store bank card info (payment data); you cannot enter that data manually. However:
• iOS: does not store the data after a successful payment
• Android: stores the data after a successful payment
• Both: keep storing the data after an update if the previous version was not removed and the data was not wiped
2013: Weak | 2014: Weak | 2015: Weak | 2016: Weak (expected to remove the local card info, but failed)
AEROEXPRESS. EULA/PRIVACY
• Certified by the PCI DSS on a yearly basis. The certificate confirms the site's
compliance with the standards of the following international payment
systems: Visa/MasterCard, American Express, JCB, and Discover.
• To obtain the certificate, all the systems that receive, transmit, and encrypt
card information together with the overall structure of the company must
meet the minimum of 288 requirements stated in the PCI SAQ (Self-
Assessment Questionnaire D and Attestation of Compliance).
• The Thawte 128-bit SSL Certificate is a technology of data encryption. The
confidential information about your card number, CVV2 code, and other
details are submitted to our site through encryption. To exchange
information, a standard SSL-encryption is applied; the length of the key is
128 bit. Encrypted, it is further redirected to the bank's processing center
through the payment gateway.
• https://aeroexpress.tickets.ru/en/content/safety_payments.html
AEROEXPRESS.
PASSES PCI DSS CERTIFICATION
• Aeroexpress has passed its PCI DSS certification. Now it is even safer for
passengers to pay for online services provided by this express carrier.
• In early February, Aeroexpress passed its PCI DSS (Payment Card Industry
Data Security Standard) certification, which is aimed at ensuring the secure
processing, storage and transfer of data about Visa and MasterCard
holders. Given the PCI DSS certified security level, Aeroexpress passengers
can pay for tickets via the website or the company’s mobile app using bank
cards and can be confident that their personal data and funds are safely
secured. PCI DSS provides for a comprehensive approach that ensures
information security and unites the payment system programmes of VISA
Account Information Security (AIS), Visa Cardholder Information Security
Program (CISP), and MasterCard Site Data Protection. We would like to
remind you that you can receive a discount of RUB 50 and RUB 100 when
purchasing Standard and Return tickets on the website or via the
company’s mobile app.
PCI DSS. DATE: MARCH 2015
• 6.2 Penetration Test Case Study
• ….
• Main vulnerabilities ….
• Man in the middle
• https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
PLATIUS
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Same as the network data
• Network data [Android: Weak], [iOS: Medium]
• Email, birthday, full name, phone, gender, activation code,
• Bank card info (number, CVV, name, expiration), tokens, *platius, *ruru, *bank (Sberbank)
2013: Android Weak, iOS Weak | 2014: Android Weak, iOS Weak | 2015: Android Weak, iOS Weak | 2016: Android no changes (Weak), iOS Medium
PLATIUS. EULA/PRIVACY
• 6.4 The administration does not guarantee the confidentiality of information and data about the Participant, and bears no responsibility for the disclosure of such information, since the specified data is transferred over open communication channels.
• https://platius.ru/en-GB/Information/Agreement
ROCKETBANK
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Email, full name, phone, bank code word, geolocation
• Network data [Android: Weak], [iOS: Medium]
• Email, full name, phone, activation code, bank code word,
• Passport details (all data): full name, full address, document ID, birthday, owner image
• https://rocketbank.ru/api/v5/emails/..../form
• Observed tariff value in the API response: "tariff": "i-am-vip-bitch-9-percent"
2013: Weak | 2014: Weak | 2015: Weak | 2016: Android Weak, iOS Medium
ROCKETBANK. EULA/PRIVACY
• "The Client agrees that use of the Authentication Data, including unique codes generated by the Contractor and sent to the Client's contact phone number, constitutes proper and sufficient Identification/Authentication of the Client for the purpose of performing operations through Remote Service Channels." (translated from the Russian)
• A phone number and the one-time codes sent to it are the only two parameters needed to perform authenticated actions over the internet
• "The Contractor bears no risks associated with unlawful use by third parties of the information specified in clause I.19 of the Terms (above)."
• Rocketbank takes none of that risk onto itself
• "The Client assumes the risks associated with possible breaches of confidentiality arising from the use of the telephone network and the Internet."
• The client alone is responsible for everything that happens to him and his data over the internet; again, the team takes no responsibility for any kind of protection
• https://rocketbank.ru/rules
RBK MONEY
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Credentials…
• Network data [Android: Medium], [iOS: Medium]
• Credentials…
2013: Medium | 2014: Medium | 2015: Medium | 2016: Medium
RBK MONEY. EULA/PRIVACY
• This is a question of common sense and caution. The more
careful you are the less chance to be deceived by scammers
and other fraudsters. The main protection from them is
your unique password. To ensure security make password
not shorter than 8 symbols (use combination of random
letters and numbers) Don’t enter it anywhere except for the
RBK Money website and do not reveal it to other people.
Use modern antivirus programs where possible.
• Information about your card is stored, encrypted and
shown only to you. The payment is considered processed
after card activation. RBK Money reserves the right to make
additional payment confirmation by phone.
• http://www.rbkmoney.com/en/support#safety
• http://www.rbkmoney.com/en/support#cards
DELIVERY CLUB
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Token, address, geolocation, password, ID, full name, phone, short card info
• Network data [Android: Medium], [iOS: Medium]
• Token, secret, device ID, full name, phone, email, password, card info (short, without CVV), address, geolocation, loyalty account info
2013: Plaintext / Medium (card) | 2014: Plaintext / Medium (card) | 2015: Plaintext / Medium (card) | 2016: Medium
DELIVERY CLUB. EULA/PRIVACY
• We implement a variety of security measures to maintain the
safety of your personal information when you place an order
• We offer the use of a secure server. All supplied sensitive/credit
information is transmitted via Secure Socket Layer (SSL)
technology and then encrypted into our Payment gateway
providers database only to be accessible by those authorized with
special access rights to such systems, and are required to keep
the information confidential.
• After a transaction, your private information will be kept on file for
more than 60 days in order to show your actions history and
simplify future orders creation.
• http://www.delivery-club.ru/google_privacy.html
ROSINTER
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Account info, tokens
• Network data [Android: Weak], [iOS: Weak]
• Email, birthday, full name, token, APN token, loyalty account info, device info, geolocation, phone, stream
2013: Weak | 2014: Weak | 2015: Weak | 2016: Weak
ANYWAYANYDAY
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Passenger info, passport info, loyalty info, birthday, order/ticket info, trip info, credentials
• Network data [Android: Medium], [iOS: Protected]
• Passenger info, passport info, loyalty info, birthday, order/ticket info, trip info, credentials
Important note: the app itself was not changed at all; if you are on an older iOS < 9 your data can be stolen with a fake root certificate,
2013: Medium | 2014: Medium | 2015: Medium | 2016: Android Medium, iOS Protected?
ANYWAY. EULA/PRIVACY
• "To protect users' personal data against unauthorized or accidental access, destruction, modification, blocking, copying, distribution and other unlawful actions by third parties, the necessary and sufficient organizational and technical measures are applied." (translated from the Russian original)
• https://www.anywayanyday.com/avia/privacypolicy/
ALFABANK
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Token (Alfa-Ally-Chat), screenshot: protected
• Network data [Android: Medium], [iOS: Medium]
• Name, device info, token (Alfa-Ally-Chat), password, login, account info, payment info, short card info, transaction info
2013: Medium | 2014: Medium | 2015: Medium | 2016: Medium
AMAZON CLOUD, PHOTOS
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Cached data, synced documents
• Network data [Android: Protected, failed], [iOS: Protected, failed]
• Reveals the credentials to the MITM tool before dropping the connection
2013: Weak/Medium | 2014: Weak/Medium | 2015: Protected, failed | 2016: Protected, failed
AMAZON APP MARKET, GOOGLE PLAY, MOBOMARKET
• Network data [Android: Medium]
• Amazon & Google reveal all data, including the APK data (which can be replaced with another APK)
• Network data [Android: Plaintext]
• MoboMarket reveals all data, including the APK data (which can be replaced with another APK)
2013-2016, unchanged every year: Amazon Weak, Google Medium, MoboMarket Plaintext
MOBOMARKET. EULA/PRIVACY
• We encrypt our services and data transmission using SSL. We strive at all
times to ensure that your personal data will be protected against
unauthorized or accidental access, processing, correction or deletion. We
implement appropriate security measures to safeguard and secure your
personal data. Please note, however, that no security measures are 100%
effective. We encourage you to take measures to protect your personal
data.
• You are responsible for maintaining the privacy and the confidentiality of
Information. Please keep yourself informed when accessing the internet
and to always read and review the policy / privacy statement on the site
that you are accessing. Please ensure that you do the following: (i) not to
disclose your password, (ii) not to provide any personal information to
anyone, including their names, (iii) never fill online forms without your
prior authorization. Please use complex passwords with long enough
combinations of letters and numbers that require unusual keyboard
combinations whereas; simple passwords are easy to be broken. Please
never give your password to anyone online. In any event, please change
your password periodically.
• http://www.mobomarket.net/policy.html
GOOGLEPLAY. EULA/PRIVACY
• We work hard to protect Google and our users from unauthorised access to
or unauthorised alteration, disclosure or destruction of information that we
hold. In particular:
• We encrypt many of our services using SSL.
• We offer you two-step verification when you access your Google Account
and a Safe Browsing feature in Google Chrome.
• We review our information collection, storage and processing practices,
including physical security measures, to guard against unauthorised access
to systems.
• We restrict access to personal information to Google employees,
contractors and agents who need to know that information in order to
process it for us and who are subject to strict contractual confidentiality
obligations. They may be disciplined or their contract terminated if they fail
to meet these obligations.
• http://www.google.com/intl/en-GB_ru/policies/privacy/
APP IN THE AIR
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Loyalty info, order/ticket info, trip info, full info, trip info (media data), stats, user ID, work info (from Facebook)
• Network data [Android: Medium], [iOS: Protected]
• Loyalty info, order/ticket info, trip info, full info, trip info (media data), stats, user ID, work info (from Facebook), tokens
2013 2014 2015 2016
Plaintext Plaintext Weak Medium Medium
APP IN THE AIR. EULA/PRIVACY
• The security of your personal information is important to us. We do not hold any liability for any
personal data or any sensitive information you provided.
• We follow generally accepted industry standards to protect the personal information submitted, both
during transmission and once we receive it. However, no method of transmission over the Internet, or
method of electronic storage, is 100% secure. Therefore, while our goal to use commercially
acceptable ways to protect your personal information, we cannot guarantee it is absolutely secure.
Please keep it in mind before submitting any information about yourself. Please note that information
that you voluntarily make public in your user profile, or which you disclose by posting comments or
inserting of the Content will be publicly available and viewable by others. We do not hold any liability
for any information that you voluntarily choose to be public through such and/or other explicit
actions.
• We only use personal information collected through the APPINTHEAIR project and our Services for the
purposes described in the Terms http://i.appintheair.mobi/termsofuse. For example, we may use
information we collect:
• provide our Services or information you request, and to process and complete any transactions;
• to your emails, submissions, questions, comments, requests, and complaints and provide customer
service;
• http://www.appintheair.mobi/privacypolicy
ASUS WEBSTORAGE
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• MD5(Password.ToLowerString())
• Network data [Android: Medium], [iOS: Medium]
• Login, email, encryption key (?), tokens, device settings, synced documents, file details
• MD5(Password.ToLowerString()): the password is lower-cased and hashed with unsalted MD5 before it is stored and sent
2013: Medium | 2014: Medium | 2015: Medium | 2016: Medium
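The MD5(Password.ToLowerString()) pattern above is worth seeing run, because it fails in two independent ways: MD5 is fast and unsalted, and lower-casing collapses every case variant of a password into one digest. The following Python is an added example and is not Asus WebStorage's code; it reproduces the pattern, dictionary-cracks a constructed hash, and contrasts it with a salted PBKDF2-HMAC-SHA256 from the standard library. All passwords and the word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from itertools import product
from typing import Iterable, Optional, Set, Tuple

# Added example, not Asus WebStorage's code. It reproduces the pattern the slide
# reports (MD5 over the lower-cased password) to show why it is weak, and puts a
# salted, iterated standard-library KDF next to it. Every password and word list
# below is constructed for the demonstration.


def weak_hash(password: str) -> str:
    """MD5(Password.ToLowerString()): unsalted, fast and case-insensitive."""
    return hashlib.md5(password.lower().encode("utf-8")).hexdigest()


def case_variants(word: str) -> Set[str]:
    """Every upper/lower spelling of word (non-letters have only one form)."""
    return {"".join(p) for p in product(*[(c.lower(), c.upper()) for c in word])}


def keyspace_collapse(word: str) -> Tuple[int, int]:
    """(number of case variants, number of distinct weak hashes they produce).

    Lower-casing before hashing folds all spellings into one digest, so an
    attacker needs one guess per word instead of one per spelling.
    """
    variants = case_variants(word)
    return len(variants), len({weak_hash(v) for v in variants})


def crack_weak_hash(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: with no salt, one MD5 per candidate is enough,
    and the same table works against every user with that password."""
    for word in wordlist:
        if hmac.compare_digest(weak_hash(word), target_hex):
            return word.lower()
    return None


# What should happen instead: a random per-user salt and an iterated KDF.
# 600,000 rounds is the commonly cited figure for PBKDF2-HMAC-SHA256; the demo
# call below passes a smaller count only to keep it quick.
DEFAULT_ITERATIONS = 600_000


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the salt is random unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes,
                  iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    leaked = weak_hash("Qwerty123")                      # constructed "captured" value
    print(keyspace_collapse("Qwerty123"))                # 64 spellings, 1 digest
    print(crack_weak_hash(leaked, ["letmein", "qwerty123", "hunter2"]))
    salt, digest = strong_hash("Qwerty123", iterations=10_000)
    print(verify_strong("Qwerty123", salt, digest, iterations=10_000),
          verify_strong("qwerty123", salt, digest, iterations=10_000))
```

The fix belongs on the server side: a client that hashes the password before sending it only turns the hash into the password equivalent, so the transport still needs TLS (ideally pinned), and the server should run the salted KDF over what it receives.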
ASUS WEBSTORAGE.
EULA/PRIVACY
• We take precautions to protect your personal information against
unauthorized access or unauthorized alteration, disclosure or destruction.
These include internal reviews of our personal information collection,
storage and processing practices and security measures, as well as physical
security measures to guard against unauthorized access to systems where
we store your personal information. Transmission of personal information
between different locations of ASUS Cloud affiliated companies is
performed through our secured wide area network. When you submit
personal information via the service, your information is protected both
online and offline. However, ASUS Cloud cannot guarantee a perfect
security on the internet. When using the internet, we recommended that
you use alphanumerical usernames and passwords and change your
passwords on a regular basis, as well as keep your computer up to date by
applying the latest available security updates for your software and using
such tools as virus/spyware scanners.
• If you have any questions regarding the security of our web site, please
refer to our security web page.
• ISO27001, SSL, AES, RAID, https://www.asuswebstorage.com/navigate/security/
https://service.asuswebstorage.com/privacy/
SKYPE
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Media data (attachments), messages (or the last messages), friend list, email/login, snapshot
• Network data [Android: Weak/Strong], [iOS: Weak/Strong]
• Media data (attachments), messages (or the last messages), email/login, device data, user ID, MS Live password (no Skype password)
2013: Weak/Strong | 2014: Weak/Strong | 2015: Weak/Strong | 2016: Weak/Strong
EVERNOTE
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Tokens, user ID, synced documents (notes), cached data, snapshot (iOS only)
• Network data [Android: Medium], [iOS: Protected]
• Synced documents (notes), full name, account details, credentials, tokens, etc.
• Important note: the app itself was not changed at all; if you are on an older iOS < 9 your data can be stolen with a fake root certificate, otherwise not
2013: Medium | 2014: Medium | 2015: Medium | 2016: Android Medium, iOS Protected
EVERNOTE. EULA/PRIVACY
• Evernote is committed to protecting the security of your
information and takes reasonable precautions to protect
it. We use industry standard encryption to protect your
data in transit. This is commonly referred to as
transport layer security (“TLS”) or secure socket layer
(“SSL”) technology. However, internet data
transmissions, cannot be guaranteed to be 100% secure,
and as a result, we cannot ensure the security of
information during its transmission between you and us;
accordingly, you acknowledge that you do so at your
own risk.
• https://evernote.com/legal/privacy.php?noredirect
CYBERGHOST
• Locally stored data [Android: Plaintext/Protected], [iOS: Strongly protected]
• Tokens
• Network data [Android: Medium/Strongly protected], [iOS: Medium/Strongly protected]
• Login, OAuth consumer_key, token, token_secret, radius_password, geolocation, IP, country, account details, license key, license expiration
2013: N/A | 2014: N/A | 2015: Medium/Strongly protected | 2016: Medium/Strongly protected
CYBERGHOST. EULA/PRIVACY
• Personal data: CyberGhost collects and uses no personal data, such as
e-mail addresses, name, domicile address and payment information.
• If you register for the Premium-Service of CyberGhost VPN, we store a
fully anonymous User ID, an encoded password and your pay scale
information (activation key, start and end). The stored e-mail
addresses are not linked to a User ID.
• Log data: CyberGhost keeps no logs which enable interference with
your IP address, the moment or content of your data traffic. We make
express reference to the fact that we do not record in logs
communication contents or data regarding the accessed websites or
the IP addresses.
• In March 2012, CyberGhost had successfully passed an audit and
verification conducted by QSCert for the implemented Information
Safety Management System (ISMS) according to the international
industrial standards ISO27001 and ISO9001. The certification confirms
the high quality of the internal safety processes and is renewed yearly
ISO 27001, ISMS, ETC.
• ISO 27001 (and similar standards for non-IT areas) explicitly does not ask "have you taken every sensible precaution?"; it is sufficient to have a policy that acknowledges you have not taken a bunch of very sensible precautions and that you simply accept the resulting risks
• If a company with a proper ISMS only accepts file uploads over insecure FTP, it means they thought about it and decided either that it's not their problem or that they don't care
RESPONSIBLE DEVELOPER VS LAZY ONE
• Responsible:
• Apple (!) & Google (!)
• QIWI: the best app, with its own cryptography and all security features implemented
• Dropbox: all security features implemented
• App in the Air (network, in progress)
• CyberGhost (network, in progress)
• Asus WebStorage (password, in progress)
• Sberbank (fixing in the background)
• Hotels.Ru (network, in progress)
• DeliveryClub (network, in progress)
• AnywayAnyday (network; having fun with a hardcoded 'anyway' key, 192-bit to 256-bit)
• Evernote (network)
• Lazy:
• … everyone else you saw in this deck or in my research
PANDA SM MANAGER IOS
APPLICATION - MITM SSL
CERTIFICATE VULNERABILITY
• "Panda Systems Management is the new way to manage and monitor IT
systems."
"Inventory, monitoring, management, remote control and reporting... All
from a single Web-based console"
(https://itunes.apple.com/us/app/panda-sm-manager/id672205099)
• Timeline – Almost 1 Year (!)
• July 19, 2015 - Notified Panda Security via security@pandasecurity.com, e-mail bounced
July 20, 2015 - Resent vulnerability report to
corporatesupport@us.pandasecurity.com & security@us.pandasecurity.com
July 20, 2015 - Panda Security responded stating they will investigate
July 31, 2015 - Asked for an update on their investigation
August 3, 2015 - Panda Security responded stating that the issue has been
escalated and is still being reviewed
August 14, 2015 - Asked for an update on their investigation
October 16, 2015 - Asked for an update on their investigation
• … NO ANSWER …
March 1, 2016 - Panda Security released version 2.6.0 which resolves this
ADVICES.
YOU’RE DEVELOPER? DON’T CARE ABOUT
SECURITY/PRIVACY?
THEN YOUR CHOICE IS …
• BlackBerry. Protects everything stored locally except public folders and
external storage. It is also hard to MITM, except for plain HTTP traffic.
Even for Android (!)
• Windows Modern 10 apps. Anti-MITM protection at OS level by
default (still researching it; also can’t confirm it for Android app
support – Project Astoria)
• iOS. OK. An easy way to make the user install a trusted fake certificate
enables MITM. Upgrade! Local app files on iOS < 8.3 could be accessed
without jailbreak
• Android. Fail. An easy way to make the user install a trusted fake
certificate enables MITM. Some vendors prevent unlocking the bootloader
without user interaction, to avoid rooting without the owner’s consent.
But some don’t (!)
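The iOS and Android points above both come down to one thing: once a fake CA sits in the device's trusted store, the platform's default chain validation accepts the interception certificate. The defence on the app side is to pin the server's public key on top of that validation and, on Android, to refuse user-added CAs through the network security config. The following is an added example, not code from the slides or from any of the vendors named here; the SPKI byte strings are constructed placeholders (real ones are DER-encoded SubjectPublicKeyInfo blobs), api.example.com is a placeholder host, and the XML it emits is the Android 7.0+ network_security_config.xml format.

```python
"""Pinning check for a mobile TLS client, as an added example.

Models the defence behind the "fake trusted certificate => MITM" point:
the app verifies the server's public key against pins it ships with, on top
of the normal chain validation done by the OS. The SPKI blobs below are
constructed placeholders, not real keys; api.example.com is a placeholder.
"""
import base64
import hashlib
from datetime import date
from typing import Iterable, Optional

# Constructed sample SubjectPublicKeyInfo blobs (real ones are DER-encoded keys).
SERVER_SPKI = b"constructed-spki-of-api.example.com-leaf-key"
BACKUP_SPKI = b"constructed-spki-of-backup-key-kept-offline"
FAKE_CA_SPKI = b"constructed-spki-of-user-installed-fake-ca"
FAKE_LEAF_SPKI = b"constructed-spki-of-leaf-issued-by-fake-ca"


def spki_pin(spki_der: bytes) -> str:
    """Pin format used by Android's network security config and by HPKP:
    base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinSet:
    """A set of pins plus the date after which they stop being enforced."""

    def __init__(self, pins: Iterable[str], expiration: Optional[date] = None):
        self.pins = set(pins)
        self.expiration = expiration

    def enforced_on(self, today: date) -> bool:
        # Android ignores an expired pin-set and falls back to the trust
        # anchors alone, so a forgotten key rollout cannot lock users out.
        # The flip side: after expiry the pins no longer stop a MITM.
        return self.expiration is None or today <= self.expiration

    def chain_is_pinned(self, chain_spkis: Iterable[bytes], today: date) -> bool:
        """True if any key in the presented chain matches a pin. Run this
        after, never instead of, the platform's certificate validation."""
        if not self.enforced_on(today):
            return True
        return any(spki_pin(spki) in self.pins for spki in chain_spkis)


def network_security_config(domain: str, pins: PinSet) -> str:
    """Android (7.0+) network_security_config.xml that trusts only the
    system CA store, refuses cleartext HTTP and pins the API domain."""
    pin_lines = "\n".join(
        f'            <pin digest="SHA-256">{p}</pin>' for p in sorted(pins.pins)
    )
    expires = (
        f' expiration="{pins.expiration.isoformat()}"' if pins.expiration else ""
    )
    return f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">{domain}</domain>
        <pin-set{expires}>
{pin_lines}
        </pin-set>
    </domain-config>
</network-security-config>
"""


def demo() -> dict:
    """Genuine chain passes, a chain built from a user-installed fake CA
    fails, and an expired pin-set no longer blocks anything."""
    pins = PinSet([spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)],
                  expiration=date(2017, 12, 31))
    today = date(2016, 3, 1)
    return {
        "genuine": pins.chain_is_pinned([SERVER_SPKI], today),
        "mitm": pins.chain_is_pinned([FAKE_LEAF_SPKI, FAKE_CA_SPKI], today),
        "after_expiry": pins.chain_is_pinned([FAKE_LEAF_SPKI, FAKE_CA_SPKI],
                                             date(2018, 1, 1)),
        "config": network_security_config("api.example.com", pins),
    }


if __name__ == "__main__":
    results = demo()
    print({k: v for k, v in results.items() if k != "config"})
    print(results["config"])
```

Two design points matter here: a backup pin for a key kept offline is what lets the server key be rotated without shipping a new app build, and the expiration date is a safety valve that also switches the protection off, so it has to be tracked like any other credential expiry. The `src="system"` trust anchor is what makes a certificate the user was tricked into installing irrelevant on Android 7.0 and later; on older Android versions only the in-app pin check stands between the app and the fake CA.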
REMEDIATION: ANDROID
• Follow security programming guide from Google
• Call the ‘setStorageEncryption’ API for locally stored files (new in
Android OS v5+)
• Encrypt externally stored files on SD card or in the cloud (any OS)
• Define when an encryption signature doesn’t matter, otherwise
avoid it
• Limit use of ‘MODE_WORLD_READABLE’ to where it is really
needed
• Avoid hardcoded values and debug traces as much as possible
(the app is easy to decompile)
• Add extra protection beyond the OS (encryption, wiping, etc.)
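Several of the items above (world-readable files, hardcoded keys, debug traces, cleartext traffic) are visible in decompiled source, which is exactly why they are worth checking before release rather than after someone else decompiles the APK. The following is an added example, not code from the slides or from any project named on them: a small static check that runs over source text and maps each hit back to the remediation item. The Java lines in SAMPLE_SOURCE are constructed to look like decompiler output and api.example.com is a placeholder host.

```python
"""Static check of decompiled Android source for the remediation items above.

Added example, not from the slides. It scans source text for patterns that
contradict the list: world-readable files, hardcoded secrets, debug logging
and cleartext URLs. The Java lines in SAMPLE_SOURCE are constructed to look
like decompiler output; api.example.com is a placeholder host.
"""
import re
from typing import Dict, List

# (rule name, regex, remediation taken from the list above)
RULES = [
    ("hardcoded_secret",
     re.compile(r'(?i)(key|secret|password|token)\w*\s*=\s*"[^"]+"'),
     "Do not hardcode keys; derive or fetch them and keep them out of the APK"),
    ("world_readable",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "Use MODE_PRIVATE unless sharing is really needed"),
    ("debug_log",
     re.compile(r"\bLog\.[dvi]\("),
     "Strip debug logging from release builds"),
    ("cleartext_url",
     re.compile(r'["\']http://'),
     "Use HTTPS; cleartext traffic is trivially read and altered"),
]

# Constructed sample, shaped like decompiler output of a careless app.
SAMPLE_SOURCE = """\
private static final String AES_KEY = "constructed-hardcoded-key-1234567890ab";
SecretKeySpec spec = new SecretKeySpec(AES_KEY.getBytes(), "AES");
FileOutputStream out = openFileOutput("session.db", Context.MODE_WORLD_READABLE);
Log.d("Auth", "login ok for user " + username);
URL api = new URL("http://api.example.com/login");
FileOutputStream safe = openFileOutput("prefs.xml", Context.MODE_PRIVATE);
"""


def scan(source: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit, in source order."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern, advice in RULES:
            if pattern.search(line):
                findings.append({"line": line_no, "rule": name,
                                 "text": line.strip(), "advice": advice})
    return findings


def summary(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per rule, usable as a pass/fail gate in a build."""
    counts: Dict[str, int] = {}
    for f in findings:
        rule = str(f["rule"])
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']}: {f['text']}\n    -> {f['advice']}")
    print(summary(scan(SAMPLE_SOURCE)))
```

The regexes are deliberately narrow so that the check produces few false positives on a large code base; a hit on `hardcoded_secret` in particular is worth reading by hand, because the fix is not to obfuscate the literal but to stop the key from being in the package at all.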
REMEDIATION : IOS
• Follow security programming guide from Apple
• Never store credentials on the phone file system. Use API or
web scheme instead
• Define when encryption signature doesn’t matter, else avoid
it
• Use the protection mechanisms built into iOS…
• But … add an extra protection layer beyond the OS protection in
case of jailbreak
• Use every API and protection mechanism properly, never with
default settings
• Don’t forget to encrypt SQL databases
REMEDIATION : BLACKBERRY
• Follow security programming guide from BlackBerry
• Don’t store credentials in shared folders
• Encrypt data stored in shared folders
• Use the protection mechanisms built into BlackBerry…
• But … add an extra protection layer beyond them, just in case
• Don’t forget to encrypt SQL databases
• Don’t develop Android app-ports
• Try to avoid ported or native Android apps on BlackBerry
• Develop more and use native apps for BlackBerry 
REMEDIATION: WINMOBILE 10
• Credentials are stored or transferred in plaintext locally.
• Data is usually stored or transferred in structured file types,
which simplifies analysis
• Signature-based encryption helps to quickly decrypt data
(depends on dynamically linked libraries)
• Data stored in SQLite databases is usually not encrypted
• Keys may be hardcoded or put in the data folder
• Applications can be analyzed on Windows 10 Desktop with
known methods, like desktop applications
REMEDIATION: WIN 10
• Credentials are stored or transferred in plaintext
locally.
• Data is usually stored or transferred in structured file
types, which simplifies analysis
• Signature-based encryption helps to quickly decrypt
data (depends on dynamically linked libraries)
• Data stored in SQLite databases is usually not
encrypted
• Keys may be hardcoded or put in the data folder
• The application data folder is accessible without any
restrictions
REMEDIATION: MAC OS X
• Credentials are stored/transferred in plaintext locally.
• Data is stored in a keychain without additional protection or
encryption
• Data is usually stored or transferred in structured file types, which
simplifies analysis
• Signature-based encryption helps to quickly decrypt data
• Avoiding the protection mechanisms in iOS leads to poor
protection eventually
• Data stored in SQLite databases is usually not encrypted
• Keys may be hardcoded
• The application data folder is accessible without any restrictions
[ YURY CHEMERKIN ]
• MULTISKILLED SECURITY EXPERT
• WORK FOR ADVANCED MONITORING
• EXPERIENCED IN:
• REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
• MOBILE SECURITY, & CLOUD SECURITY
• IAM, COMPLIANCE, FORENSICS
• PARTICIPATION & SPEAKING AT MANY SECURITY
CONFERENCES
(LEAKED) MOBILE APPLICATION
DATA PRIVACY
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN
SEND A MAIL TO:
YURY.S@CHEMERKIN.COM

Mais conteúdo relacionado

Mais procurados

Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
Not another *$#@ app: How to avoid IoT fatigue
Not another *$#@ app: How to avoid IoT fatigueNot another *$#@ app: How to avoid IoT fatigue
Not another *$#@ app: How to avoid IoT fatigueRamin Firoozye
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applicationseightbit
 
iPhone transfer software
iPhone transfer softwareiPhone transfer software
iPhone transfer softwarejohnjuly123
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
MultPoint Ltd.company overview 2014 3214 short version
MultPoint Ltd.company overview 2014 3214 short version MultPoint Ltd.company overview 2014 3214 short version
MultPoint Ltd.company overview 2014 3214 short version Ricardo Resnik
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
Recover iPhone data with ease
Recover iPhone data with easeRecover iPhone data with ease
Recover iPhone data with easejenkerry
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersDenim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Smart Use of Smart Phone by Chheda Sanjay Visanji
Smart Use of Smart Phone by Chheda Sanjay VisanjiSmart Use of Smart Phone by Chheda Sanjay Visanji
Smart Use of Smart Phone by Chheda Sanjay VisanjiSanjay Visanji Chheda
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 

Mais procurados (20)

Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
Not another *$#@ app: How to avoid IoT fatigue
Not another *$#@ app: How to avoid IoT fatigueNot another *$#@ app: How to avoid IoT fatigue
Not another *$#@ app: How to avoid IoT fatigue
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
iPhone transfer software
iPhone transfer softwareiPhone transfer software
iPhone transfer software
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
Bugsack the mobile jira
Bugsack the mobile jiraBugsack the mobile jira
Bugsack the mobile jira
 
MultPoint Ltd.company overview 2014 3214 short version
MultPoint Ltd.company overview 2014 3214 short version MultPoint Ltd.company overview 2014 3214 short version
MultPoint Ltd.company overview 2014 3214 short version
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
 
Recover iPhone data with ease
Recover iPhone data with easeRecover iPhone data with ease
Recover iPhone data with ease
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Smart Use of Smart Phone by Chheda Sanjay Visanji
Smart Use of Smart Phone by Chheda Sanjay VisanjiSmart Use of Smart Phone by Chheda Sanjay Visanji
Smart Use of Smart Phone by Chheda Sanjay Visanji
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)
 

Destaque

Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...
Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...
Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...Advanced monitoring
 
Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.
Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.
Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.Advanced monitoring
 
Типовые сценарии атак на современные клиент-серверные приложения
Типовые сценарии атак на современные клиент-серверные приложенияТиповые сценарии атак на современные клиент-серверные приложения
Типовые сценарии атак на современные клиент-серверные приложенияAdvanced monitoring
 
Vulnerability Prevention. Управляем уязвимостями – предупреждаем атаки
Vulnerability Prevention. Управляем уязвимостями – предупреждаем атакиVulnerability Prevention. Управляем уязвимостями – предупреждаем атаки
Vulnerability Prevention. Управляем уязвимостями – предупреждаем атакиAdvanced monitoring
 
Расследование инцидентов ИБ с помощью открытых интернет-источников
Расследование инцидентов ИБ с помощью открытых интернет-источниковРасследование инцидентов ИБ с помощью открытых интернет-источников
Расследование инцидентов ИБ с помощью открытых интернет-источниковAdvanced monitoring
 
Игнорируем уязвимости сегодня? Расплачиваемся завтра!
Игнорируем уязвимости сегодня? Расплачиваемся завтра!Игнорируем уязвимости сегодня? Расплачиваемся завтра!
Игнорируем уязвимости сегодня? Расплачиваемся завтра!Advanced monitoring
 
Threat Intelligence вам поможет, если его правильно приготовить…
Threat Intelligence вам поможет, если его правильно приготовить…Threat Intelligence вам поможет, если его правильно приготовить…
Threat Intelligence вам поможет, если его правильно приготовить…Advanced monitoring
 
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...Advanced monitoring
 
Практический опыт мониторинга и анализа компьютерных атак
Практический опыт мониторинга и анализа компьютерных атакПрактический опыт мониторинга и анализа компьютерных атак
Практический опыт мониторинга и анализа компьютерных атакAdvanced monitoring
 
Анализ защищенности ПО и инфраструктур – подходы и результаты
Анализ защищенности ПО и инфраструктур – подходы и результатыАнализ защищенности ПО и инфраструктур – подходы и результаты
Анализ защищенности ПО и инфраструктур – подходы и результатыAdvanced monitoring
 
2015 Ad Blocking Report - The Cost of Adblocking
2015 Ad Blocking Report - The Cost of Adblocking2015 Ad Blocking Report - The Cost of Adblocking
2015 Ad Blocking Report - The Cost of AdblockingPageFair
 

Destaque (11)

Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...
Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...
Анализ защиты мобильных приложений Facebook, Instagram, LinkedIn, Вконтакте и...
 
Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.
Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.
Кто и как атаковал российские организации в 2016-ом. Статистика и тенденции.
 
Типовые сценарии атак на современные клиент-серверные приложения
Типовые сценарии атак на современные клиент-серверные приложенияТиповые сценарии атак на современные клиент-серверные приложения
Типовые сценарии атак на современные клиент-серверные приложения
 
Vulnerability Prevention. Управляем уязвимостями – предупреждаем атаки
Vulnerability Prevention. Управляем уязвимостями – предупреждаем атакиVulnerability Prevention. Управляем уязвимостями – предупреждаем атаки
Vulnerability Prevention. Управляем уязвимостями – предупреждаем атаки
 
Расследование инцидентов ИБ с помощью открытых интернет-источников
Расследование инцидентов ИБ с помощью открытых интернет-источниковРасследование инцидентов ИБ с помощью открытых интернет-источников
Расследование инцидентов ИБ с помощью открытых интернет-источников
 
Игнорируем уязвимости сегодня? Расплачиваемся завтра!
Игнорируем уязвимости сегодня? Расплачиваемся завтра!Игнорируем уязвимости сегодня? Расплачиваемся завтра!
Игнорируем уязвимости сегодня? Расплачиваемся завтра!
 
Threat Intelligence вам поможет, если его правильно приготовить…
Threat Intelligence вам поможет, если его правильно приготовить…Threat Intelligence вам поможет, если его правильно приготовить…
Threat Intelligence вам поможет, если его правильно приготовить…
 
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
Российская криптография: блочные шифры и их режимы шифрования (Russian crypto...
 
Практический опыт мониторинга и анализа компьютерных атак
Практический опыт мониторинга и анализа компьютерных атакПрактический опыт мониторинга и анализа компьютерных атак
Практический опыт мониторинга и анализа компьютерных атак
 
Анализ защищенности ПО и инфраструктур – подходы и результаты
Анализ защищенности ПО и инфраструктур – подходы и результатыАнализ защищенности ПО и инфраструктур – подходы и результаты
Анализ защищенности ПО и инфраструктур – подходы и результаты
 
2015 Ad Blocking Report - The Cost of Adblocking
2015 Ad Blocking Report - The Cost of Adblocking2015 Ad Blocking Report - The Cost of Adblocking
2015 Ad Blocking Report - The Cost of Adblocking
 

Semelhante a Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016

Wso2 con byod-shan-ppt
Wso2 con byod-shan-pptWso2 con byod-shan-ppt
Wso2 con byod-shan-pptWSO2
 
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2
 
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...WSO2
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
April 2023 CIAOPS Need to Know Webinar
April 2023 CIAOPS Need to Know WebinarApril 2023 CIAOPS Need to Know Webinar
April 2023 CIAOPS Need to Know WebinarRobert Crane
 
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2
 
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2
 
Mobile App Security: A Review
Mobile App Security: A ReviewMobile App Security: A Review
Mobile App Security: A ReviewUmang Singh
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
BYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerBYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerWSO2
 
Breached! App Attacks, Application Protection and Incident Response
Breached! App Attacks, Application Protection and Incident ResponseBreached! App Attacks, Application Protection and Incident Response
Breached! App Attacks, Application Protection and Incident ResponseResilient Systems
 
Zabezpečení mobilních zařízení ve firemním prostředí
Zabezpečení mobilních zařízení ve firemním prostředíZabezpečení mobilních zařízení ve firemním prostředí
Zabezpečení mobilních zařízení ve firemním prostředíMarketingArrowECS_CZ
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Advanced monitoring
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
WSO2Con USA 2015: Connected Device Management for Enterprise Mobility and Beyond
WSO2Con USA 2015: Connected Device Management for Enterprise Mobility and BeyondWSO2Con USA 2015: Connected Device Management for Enterprise Mobility and Beyond
WSO2Con USA 2015: Connected Device Management for Enterprise Mobility and BeyondWSO2
 
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...Cellebrite
 

Semelhante a Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016 (20)

Wso2 con byod-shan-ppt
Wso2 con byod-shan-pptWso2 con byod-shan-ppt
Wso2 con byod-shan-ppt
 
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
 
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
April 2023 CIAOPS Need to Know Webinar
April 2023 CIAOPS Need to Know WebinarApril 2023 CIAOPS Need to Know Webinar
April 2023 CIAOPS Need to Know Webinar
 
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
 
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
WSO2Con Asia 2014 - Embracing BYOD Trend Without Compromising Security, Emplo...
 
Mobile App Security: A Review
Mobile App Security: A ReviewMobile App Security: A Review
Mobile App Security: A Review
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
BYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility ManagerBYOD for your business with WSO2 Enterprise Mobility Manager
BYOD for your business with WSO2 Enterprise Mobility Manager
 
Breached! App Attacks, Application Protection and Incident Response
Breached! App Attacks, Application Protection and Incident ResponseBreached! App Attacks, Application Protection and Incident Response
Breached! App Attacks, Application Protection and Incident Response
 
Zabezpečení mobilních zařízení ve firemním prostředí
Zabezpečení mobilních zařízení ve firemním prostředíZabezpečení mobilních zařízení ve firemním prostředí
Zabezpečení mobilních zařízení ve firemním prostředí
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
WSO2Con USA 2015: Connected Device Management for Enterprise Mobility and Beyond
WSO2Con USA 2015: Connected Device Management for Enterprise Mobility and BeyondWSO2Con USA 2015: Connected Device Management for Enterprise Mobility and Beyond
WSO2Con USA 2015: Connected Device Management for Enterprise Mobility and Beyond
 
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
 

Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016

  • 1. (LEAKED) MOBILE APPLICATION DATA PRIVACY YURY CHEMERKIN SECURITY EXPERT RESEARCHER
  • 2. [ AGENDA ] • Intro • Similar public researchers • Related/Previous work • Current results • Final thoughts
  • 3. UNTRUSTED PLACES • Untrusted chargeable places. • When you connect your device to them you will see a notification you plugged to PC/Mac • Untrusted network places. • When you connect your device to them • You will see nothing • You will see a question about untrusted certificate. You accept or decline it • Someone make you to install trusted certificate
  • 7. PROBLEM. WHAT/WHO MAKES US INSECURE? • Are we revealing everything about ourselves everywhere? • Perhaps • Don’t we know anything about security and privacy? • Perhaps • Aren’t app developers responsible for security fails? • Who said they’re not? They are! • They prefer not to tell about it only
  • 9. HOW MUCH DOES YOUR SECURITY COST? • Non-Special ‘Home’ Software • Macroplant Software - $35-70 (home), $200-2500 (enterprise). • XK72 Software - $50 per license or $400-700 per bundle • PortSwigger - $300 per year • … and so on • Also, cracked edition is available (no difference pirate or buy ) • Special ‘Forensics’ Software • Elcomsoft Breakers - $80 (home, you have to know your password), $200 (pro – you don’t have to know it), $800 – bundle • Elcomsoft Bundles - $1 500 – 2 500 • Oxygen Software – more expensive in twice at least • … and so on • Also, cracked edition is available for some old editions (better buy new edition)
• 10. OXYGEN FORENSIC® DETECTIVE
• Oxygen Forensic® Detective introduces offline maps and a new physical approach for Samsung Android devices!
• The updated version offers a new physical method for Samsung Android OS devices via custom forensic recovery. This innovative approach allows bypassing the screen lock and extracting a full physical image of supported Samsung devices.
• This innovative approach = root, steal data, deroot
• http://www.oxygen-forensic.com/en/events/news/666-oxygen-forensic-detective-introduces-offline-maps-and-new-physical-approach-for-samsung-android-devices
• 11. FACTS ABOUT APP INSECURITY
• At first glance, the VK Music app only displayed legitimate functionality: it played audio files uploaded to the social network. But further study showed that it also contained malicious code designed to steal VKontakte user accounts and promote certain groups on the social network.
• https://securelist.com/blog/incidents/72458/stealing-to-the-sound-of-music/
• “In Russia, phone numbers, logins and passwords of users will be kept. We do not store messages; they are on the users’ devices,” a Moscow representative of the company Viber said. According to the company’s lawyers, messengers also fall under the law which requires storing personal data of Russians on servers located on the territory of the country.
• 12. FACTS ABOUT APP INSECURITY
• InstaAgent, an app that connects to Instagram and promises to track the people who have visited a user's Instagram account, appears to be storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.
• An app developer from Peppersoft downloaded InstaAgent (full name "Who Viewed Your Profile - InstaAgent") and discovered it's reading Instagram account usernames and passwords, sending them via clear text to a remote server, instagram.zunamedia.com.
• http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/
• 13. FACTS ABOUT APP INSECURITY
• Researchers find data leaks in Instagram, Grindr, OoVoo and more. The problems include storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext on the device, sending passwords in plaintext…
• http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more
• Another Popular Android Application, Another Leak. We have found that another popular Google Play app, “Camera360 Ultimate,” not only enhances users’ photos but also inadvertently leaks sensitive data, which gives malicious parties unauthorized access to users’ Camera360 Cloud accounts and photos.
• https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html
• 14. WHAT COMPANIES THINK ABOUT ‘QUOTES’ AND INSECURITY
• Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet.
• They did it, but it’s still affected by MITM attacks
• "Message data is stored in an unencrypted format because the operating systems (both iOS and Android) provide data isolation that prevents apps from having their storage read by other apps. This is considered standard in the industry, and is completely safe," Kik said.
• Standard… it’s safe… just ROFL… and did you know there is a way to root a device without the owner’s knowledge?
• 15. WHAT COMPANIES THINK ABOUT ‘QUOTES’ AND INSECURITY
• SECURITY is core at 4Talk. Starting from secure phone number registration, to interaction only with confirmed personal contacts, to fully managing your account from any device you use.
• Y2014: wasn’t protected at all
• Y2015: Protected for Windows in-rest & in-transit, prevents MITM
• Y2015-2016: Protected for Android in-transit only, prevents MITM
• This app has no PROXY FEATURE (!) So fun protection
• Y2015: Not protected at all for Mac
• Y2016: Network is protected (thanks Apple) for Mac
• Y2015-2016: Not protected for iOS and Mac OS at all
• Data Leakage is data that becomes available when you perform typical activities. Instead, a Vulnerability is a weakness of a program. Thus, Vulnerability ≠ Data Leakage, because there is no weakness in normal activities…
• Average security support answer in regards to a fail. Just spend a small amount of money ($$) to steal the user data with fake networks in
• 16. WHAT COMPANIES THINK ABOUT ‘QUOTES’ AND INSECURITY
• In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption.
• http://appleinsider.com/articles/15/10/20/1password-to-change-file-formats-after-key-file-found-to-contain-unencrypted-data
• If you browse to your .agilekeychain “file” on disk, you find that it is actually a directory. Inside this directory is a file named “1Password.html”.
• 17. PREVIOUS RESEARCH
• I did a lot of research on mobile and app security.
• The first of it was about something between OS and Apps: BlackBerry, Android. It was published and presented around the world
• 2013-2015 Research
• Cross-OS apps: protection concepts, OS specifics per concept, outlines & remediation, EMM specifics
• “We know Twitter & Dropbox are better secured than bank apps!”
• http://www.slideshare.net/EC-Council/hh-yury-chemerkin
• http://defcamp.ro/dc14/Yury_Chemerkin.pdf
• In 2014 presented results cover ~700 apps
• Also in 2015
• http://def.camp/wp-content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
• In 2015 presented results cover ~700 apps
• 2016 Current results: most interesting cases (all up-to-dated prior
• 18. SPECIAL PART FOR DEFCAMP 2015. LAST MINUTE RESEARCH
• Everyone got a booklet-guide. It had short info about trusted taxi companies.
• Meridian: no in-app payment features, stores & transmits everything in plaintext
• Account, Local’n’Maps, and Device Information
• SpeedTaxi: no in-app payment features, stores & transmits everything in plaintext. Some issues with a server
• Account, Local’n’Maps, Device and Message Information
• Cobalcescu: no in-app payment features, stores & transmits everything in plaintext. Some issues with a server
• Account and Travel Information
• 19. PRETTY INTERESTING SECURITY AND PRIVACY FAILS. HOW TO FAIL WITH HTTPS
• Be any app like [ AirCanada ] and send information about device and environment
• Be a news/social app like [ Anews/Flipboard ] and send everything in plaintext via http
• Be a storage app like [ Asus WebStorage ] and send credentials in plaintext
• (also fail with an old hash algorithm, see next slides)
• Be a travel app like [ AviaSales / Momondo ], send everything in plaintext and rely on 3rd party server MITM protection
• Be a storage app like [ Box ], prevent MITM but fail and reveal credentials to the MITM tool
• Be a taxi app like [ Gett / MaximTaxi ] and send everything in plaintext, also fail with MITM protection of my credit card
  • 20. UNTRUSTED PLACES. KINVEY IS A BACKEND FOR STORING FILES & USER ACCOUNTS
  • 21. UNTRUSTED PLACES. KINVEY. ADMIN IS LOGGING IN TO KINVEY CONSOLE
  • 22. UNTRUSTED PLACES. KINVEY. APP IS LOGGING IN & DOWNLOADING FILES
• 23. PROTECTION LEVELS.
• Some of the 10 levels we’re using (0…9)
• 0 – plaintext (stored as is and with 777 access, or transferred as is)
• 2 – weak (shared w/o dev.perm, MITM w/o root-fake cert)
• 4 – medium (shared w dev.perm, MITM w root-fake cert)
• 5 – cached data
• 6 – protected (looks good but can be patched)
• 7 – strong protected (can’t be patched or bypassed, or at least incredibly hard)
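The step that separates the "medium" level (MITM works once a fake root certificate is on the device) from the "protected" levels is certificate pinning. As an added example that is not part of the talk, the Python below validates the chain as usual and then also compares the leaf certificate's SHA-256 fingerprint with pins shipped in the app; the certificate bytes and host are constructed placeholders.

```python
"""Certificate-pin check: an added example, not code from the talk.

A user who has been talked into installing a fake root certificate makes
ordinary chain validation succeed for an interception proxy. Pinning the
SHA-256 fingerprint of the expected certificate inside the app rejects
that proxy, because its certificate hashes to a different value.
"""
import hashlib
import socket
import ssl
from typing import Iterable, Set


class PinMismatch(ssl.SSLError):
    """Raised when the peer certificate is not one of the pinned ones."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def make_pins(der_certs: Iterable[bytes]) -> Set[str]:
    """Pin set built from the certificates the app expects (current plus a backup).

    The certificates come from the operator out of band, never from the wire.
    """
    return {fingerprint(c) for c in der_certs}


def check_pin(der_cert: bytes, pins: Set[str]) -> bool:
    """True only if the presented certificate is in the pin set."""
    return fingerprint(der_cert) in pins


def open_pinned(host: str, port: int, pins: Set[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with normal chain and hostname validation, then enforce the pins.

    Chain validation alone is what the "medium" level relies on and what an
    installed fake root certificate defeats; the pin comparison is the extra step.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not check_pin(der, pins):
        tls.close()
        raise PinMismatch(f"{host}: peer certificate is not pinned")
    return tls


if __name__ == "__main__":
    # Constructed placeholders standing in for real DER certificates.
    EXPECTED = make_pins([b"constructed-leaf-cert-der", b"constructed-backup-cert-der"])
    PROXY_CERT = b"constructed-proxy-cert-der"  # what an interception proxy would present
    print("expected cert accepted:", check_pin(b"constructed-leaf-cert-der", EXPECTED))
    print("proxy cert accepted:", check_pin(PROXY_CERT, EXPECTED))
```

Pin a backup certificate as well, otherwise a routine certificate rotation locks every installed copy of the app out of its own backend.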
• 24. APP INSECURITY. DISCLAIMER
• Everything presented further contains information for educational purposes and only using my own data & licenses. Moreover, to each app presented here no techniques and actions were applied such as:
• modifying, decompiling, disassembling, decrypting and other actions with the object code of any Program, aimed at obtaining source codes of any Program
• Also, as known,
• the User may make a modification of the Software solely for his or her own use and reverse engineering for debugging such modifications.
• All app results are up-to-date and tested on an up-to-date OS (iOS 9, Android 5).
• Important note. In fact, no app has been changed at all and if you’re on old Android OS < 5 or iOS < 9 then your data can be stolen without or with a fake root certificate, depending on the case,
• 25. WE GUARANTEE THE CONFIDENTIALITY OF YOUR DATA
• Confidentiality - In information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes" (Excerpt ISO27000).
• https://en.wikipedia.org/wiki/Information_security#Confidentiality
• 27. HOTELS.RU
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Token, Cached Data, Screenshot (iOS only)
• Network data [Android: Plaintext], [iOS: Medium]
• Geo Location, Token, Passwords, IDs, Room Details, Address
• Reveal history: 2013: Plaintext; 2014: Plaintext; 2015: Plaintext; 2016: Android - Plaintext, iOS - Medium
• 28. HOTELS.COM
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Cached data
• Network data [Android: Medium], [iOS: Medium]
• Geo Location, Device Data, Room Details
• History: 2013: N/A; 2014: N/A; 2015: Medium; 2016: Medium
• 29. HOTELS.COM. EULA/PRIVACY
• How we protect your information
• We want you to feel confident about using this website and our Apps to make travel arrangements, and we are committed to protecting the information we collect. While no website or App can guarantee security, we have implemented appropriate administrative, technical, and physical security procedures to help protect the personal information you provide to us. For example, only authorized employees are permitted to access personal information, and they may only do so for permitted business functions. In addition, we use encryption when transmitting your sensitive personal information between your system and ours, and we employ firewalls and intrusion detection systems to help prevent unauthorized persons from gaining access to your information.
• https://ru.hotels.com/customer_care/privacy.html#protect
• 30. AEROEXPRESS
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Tickets + QR code, Email, Phone, Password, Screenshot of any app window (iOS only)
• Network data [Weak]
• Email, Phone, Password, Unique UserID, Last Login Time, email & phone confirmed, DeviceID,
• OrderID, Base64(hash of Order), Order URL, Order date, Trip date, cost of order,
• TicketID, Route Info, ticket GUID, token, ticket QR Code
• Bank Card info (number, cvv, name, expiration), tokens, *aeroexpress.ru, *ruru, *bank (AlfaBank)
• According to release notes & PCI DSS, the App doesn’t store bank card info (payment data). You can’t input that data type manually. However,
• iOS: Doesn’t store data after successful payment
• Android: Stores data after successful payment
• Both: Continue to store data after an update, if the previous version wasn’t removed and data not wiped
• History: 2013: Weak; 2014: Weak; 2015: Weak; 2016: Weak, expected to remove local card info but fails
• 31. AEROEXPRESS. EULA/PRIVACY
• Certified by the PCI DSS on a yearly basis. The certificate confirms the site's compliance with the standards of the following international payment systems: Visa/MasterCard, American Express, JCB, and Discover.
• To obtain the certificate, all the systems that receive, transmit, and encrypt card information together with the overall structure of the company must meet the minimum of 288 requirements stated in the PCI SAQ (Self-Assessment Questionnaire D and Attestation of Compliance).
• The Thawte 128-bit SSL Certificate is a technology of data encryption. The confidential information about your card number, CVV2 code, and other details are submitted to our site through encryption. To exchange information, a standard SSL-encryption is applied; the length of the key is 128 bit. Encrypted, it is further redirected to the bank's processing center through the payment gateway.
• https://aeroexpress.tickets.ru/en/content/safety_payments.html
• 32. AEROEXPRESS. PASSES PCI DSS CERTIFICATION
• Aeroexpress has passed its PCI DSS certification. Now it is even safer for passengers to pay for online services provided by this express carrier.
• In early February, Aeroexpress passed its PCI DSS (Payment Card Industry Data Security Standard) certification, which is aimed at ensuring the secure processing, storage and transfer of data about Visa and MasterCard holders. Given the PCI DSS certified security level, Aeroexpress passengers can pay for tickets via the website or the company’s mobile app using bank cards and can be confident that their personal data and funds are safely secured. PCI DSS provides for a comprehensive approach that ensures information security and unites the payment system programmes of VISA Account Information Security (AIS), Visa Cardholder Information Security Program (CISP), and MasterCard Site Data Protection. We would like to remind you that you can receive a discount of RUB 50 and RUB 100 when purchasing Standard and Return tickets on the website or via the company’s mobile app.
• 33. PCI DSS. DATE: MARCH 2015
• 6.2 Penetration Test Case Study ….
• Main vulnerabilities ….
• Man in the middle
• https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
• 34. PLATIUS
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Same as network data
• Network data [Android: Weak], [iOS: Medium]
• Email, Birthday, Full Name, Phone, Gender, Activation code,
• Bank Card info (number, cvv, name, expiration), tokens, *platius, *ruru, *bank (Sberbank)
• History: 2013: Android - Weak, iOS - Weak; 2014: Android - Weak, iOS - Weak; 2015: Android - Weak, iOS - Weak; 2016: Android - No changes, iOS - Medium
• 35. PLATIUS. EULA/PRIVACY
• 6.4 The administration doesn't guarantee ensuring confidentiality of information and data on the Participant and doesn't bear any responsibility as transfer of the specified data is carried out by means of open communication channels for disclosure of such information.
• https://platius.ru/en-GB/Information/Agreement
• 36. ROCKETBANK
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Email, Full Name, Phone, bank code word, Geo Location
• Network data [Android: Weak], [iOS: Medium]
• Email, Full Name, Phone, Activation code, bank code word,
• Passport: Details Data (All Info)
• Full Name, Full Address, Document ID, Birthday, Owner Image
• https://rocketbank.ru/api/v5/emails/..../form
• "tariff": "i-am-vip-bitch-9-percent"
• Bitch, please © How I Met Your Mother
• History: 2013: Weak; 2014: Weak; 2015: Weak; 2016: Android - Weak, iOS - Medium
• 37. ROCKETBANK. EULA/PRIVACY
• (Quoted from the Russian-language rules, translated) The Client agrees that the use of Authentication data, including unique codes generated by the Contractor and sent to the Client's contact phone number, constitutes proper and sufficient Identification/Authentication of the Client for the purpose of performing operations through Remote service channels.
• Unique codes and a phone number are the 2 params that are enough to perform authenticated actions over the internet
• (Translated) The Contractor bears no risks related to unlawful use by third parties of the information specified in clause I.19 of the Terms (above)
• Rocketbank Team doesn’t give a shit about risks
• (Translated) The Client assumes the risks related to a possible breach of confidentiality arising from the use of the telephone system and the Internet.
• The client alone is responsible for everything that happens to him and his data over the internet. The team again doesn’t give a shit about any kind of protection
• https://rocketbank.ru/rules
• 38. RBK MONEY
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Credentials…
• Network data [Android: Medium], [iOS: Medium]
• Credentials…
• History: 2013: Medium; 2014: Medium; 2015: Medium; 2016: Medium
• 39. RBK MONEY. EULA/PRIVACY
• This is a question of common sense and caution. The more careful you are the less chance to be deceived by scammers and other fraudsters. The main protection from them is your unique password. To ensure security make password not shorter than 8 symbols (use combination of random letters and numbers) Don’t enter it anywhere except for the RBK Money website and do not reveal it to other people. Use modern antivirus programs where possible.
• Information about your card is stored, encrypted and shown only to you. The payment is considered processed after card activation. RBK Money reserves the right to make additional payment confirmation by phone.
• http://www.rbkmoney.com/en/support#safety
• http://www.rbkmoney.com/en/support#cards
• 40. DELIVERY CLUB
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Token, address, geo location, password, ID, full name, phone, short card info
• Network data [Android: Medium], [iOS: Medium]
• Token, secret, deviceID, Full Name, phone, email, password, Card Info (short, w/o cvv), address, geo location, Loyalty Account Info
• History: 2013: Plaintext / Medium (card); 2014: Plaintext / Medium (card); 2015: Plaintext / Medium (card); 2016: Medium
• 41. DELIVERY CLUB. EULA/PRIVACY
• We implement a variety of security measures to maintain the safety of your personal information when you place an order
• We offer the use of a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our Payment gateway providers database only to be accessible by those authorized with special access rights to such systems, and are required to keep the information confidential.
• After a transaction, your private information will be kept on file for more than 60 days in order to show your actions history and simplify future orders creation.
• http://www.delivery-club.ru/google_privacy.html
• 42. ROSINTER
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Account info, tokens
• Network data [Android: Weak], [iOS: Weak]
• Email, Birthday, Full Name, token, apn-token, Loyalty Account Info, Device Info, Geo, Phone, Stream
• History: 2013: Weak; 2014: Weak; 2015: Weak; 2016: Weak
• 43. ANYWAYANYDAY
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Passenger Info, Passport Info, Loyalty Info, Birthday, Order/Ticket Info, Trip Info, Credentials Info
• Network data [Android: Medium], [iOS: Protected]
• Passenger Info, Passport Info, Loyalty Info, Birthday, Order/Ticket Info, Trip Info, Credentials Info
• Important note. In fact, the app wasn’t changed at all and if you’re on old iOS < 9 then your data can be stolen with a fake root certificate,
• History: 2013: Medium; 2014: Medium; 2015: Medium; 2016: Android: Medium, iOS: Protected?
• 44. ANYWAY. EULA/PRIVACY
• (Quoted from the Russian-language policy, translated) To protect users' personal data against unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other illegal actions of third parties to them we apply the necessary and sufficient organizational and technical measures.
• https://www.anywayanyday.com/avia/privacypolicy/
• 45. ALFABANK
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Token (Alfa-Ally-Chat), Screenshot - Protected
• Network data [Android: Medium], [iOS: Medium]
• Name, Device Info, Token (Alfa-Ally-Chat), Password, Login, Account Info, Payment Info, Short Card Info, Transaction Info
• History: 2013: Medium; 2014: Medium; 2015: Medium; 2016: Medium
• 46. AMAZON CLOUD, PHOTOS
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Cached, Sync Documents
• Network data [Android: Protected Failed], [iOS: Protected Failed]
• Reveals credentials and drops the connection
• History: 2013: Weak/Medium; 2014: Weak/Medium; 2015: Protected Failed; 2016: Protected Failed
• 47. AMAZON APP MARKET, GOOGLE PLAY, MOBOMARKET
• Network data [Android: Medium]
• Amazon & Google reveal all data including APK data (can be replaced with another)
• Network data [Android: Plaintext]
• MoboMarket reveals all data including APK data (can be replaced with another)
• History: 2013: Amazon – Weak, Google – Medium, Mobomarket - Plaintext; 2014: Amazon – Weak, Google – Medium, Mobomarket - Plaintext; 2015: Amazon – Weak, Google – Medium, Mobomarket - Plaintext; 2016: Amazon – Weak, Google – Medium, Mobomarket - Plaintext
• 48. MOBOMARKET. EULA/PRIVACY
• We encrypt our services and data transmission using SSL. We strive at all times to ensure that your personal data will be protected against unauthorized or accidental access, processing, correction or deletion. We implement appropriate security measures to safeguard and secure your personal data. Please note, however, that no security measures are 100% effective. We encourage you to take measures to protect your personal data.
• You are responsible for maintaining the privacy and the confidentiality of Information. Please keep yourself informed when accessing the internet and to always read and review the policy / privacy statement on the site that you are accessing. Please ensure that you do the following: (i) not to disclose your password, (ii) not to provide any personal information to anyone, including their names, (iii) never fill online forms without your prior authorization. Please use complex passwords with long enough combinations of letters and numbers that require unusual keyboard combinations whereas; simple passwords are easy to be broken. Please never give your password to anyone online. In any event, please change your password periodically.
• http://www.mobomarket.net/policy.html
• 49. GOOGLEPLAY. EULA/PRIVACY
• We work hard to protect Google and our users from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:
• We encrypt many of our services using SSL.
• We offer you two-step verification when you access your Google Account and a Safe Browsing feature in Google Chrome.
• We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.
• We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations.
• http://www.google.com/intl/en-GB_ru/policies/privacy/
• 50. APP IN THE AIR
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Loyalty Info, Order/Ticket Info, Trip Info, Full Info, Trip Info (Media Data), Stats, UserID, Work Info (from Facebook)
• Network data [Android: Medium], [iOS: Protected]
• Loyalty Info, Order/Ticket Info, Trip Info, Full Info, Trip Info (Media Data), Stats, UserID, Work Info (from Facebook), Tokens
• History 2013 2014 2015 2016 (as on the slide): Plaintext Plaintext Weak Medium Medium
• 51. APP IN THE AIR. EULA/PRIVACY
• The security of your personal information is important to us. We do not hold any liability for any personal data or any sensitive information you provided.
• We follow generally accepted industry standards to protect the personal information submitted, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while our goal to use commercially acceptable ways to protect your personal information, we cannot guarantee it is absolutely secure. Please keep it in mind before submitting any information about yourself. Please note that information that you voluntarily make public in your user profile, or which you disclose by posting comments or inserting of the Content will be publicly available and viewable by others. We do not hold any liability for any information that you voluntarily choose to be public through such and/or other explicit actions.
• We only use personal information collected through the APPINTHEAIR project and our Services for the purposes described in the Terms http://i.appintheair.mobi/termsofuse. For example, we may use information we collect:
• provide our Services or information you request, and to process and complete any transactions;
• to your emails, submissions, questions, comments, requests, and complaints and provide customer service;
• http://www.appintheair.mobi/privacypolicy
• 52. ASUS WEBSTORAGE
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• MD5(Password.ToLowerString())
• Network data [Android: Medium], [iOS: Medium]
• Login, Email, Encryption Key(?), Tokens, Device Settings, Sync Documents, File Details
• MD5(Password.ToLowerString())
• History: 2013: Medium; 2014: Medium; 2015: Medium; 2016: Medium
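The MD5(Password.ToLowerString()) scheme above is worth seeing next to a proper verifier. As an added example, not the app's code, the Python below shows the three weaknesses of the observed scheme (case folding merges passwords, no salt makes digests identical across users, and the digest is what travels over the network) beside a salted, iterated PBKDF2 check; all passwords are constructed samples.

```python
"""Why MD5(Password.ToLowerString()) is weak: an added example, not the app's code.

The scheme seen in the ASUS WebStorage traffic folds the password to lower
case and sends an unsalted MD5 of it. It is compared here with a salted,
iterated PBKDF2 verifier. All passwords below are constructed samples.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

ITERATIONS = 100_000  # deliberately slow; tune so one check costs ~0.1 s


def md5_lower(password: str) -> str:
    """The observed scheme: case-fold, then unsalted MD5, hex encoded.

    Three problems, all visible in the functions below:
    - lower() merges distinct passwords, so there are fewer candidates to guess;
    - no salt, so equal passwords give equal digests for every user and a
      table of precomputed digests works against all of them at once;
    - the digest is what the client sends, so anyone who captures it on an
      untrusted network holds a password-equivalent that can be replayed.
    """
    return hashlib.md5(password.lower().encode("utf-8")).hexdigest()


def case_variants_collapsed(passwords: Iterable[str]) -> int:
    """How many distinct passwords md5_lower maps onto a digest already used."""
    passwords = list(passwords)
    return len(passwords) - len({md5_lower(p) for p in passwords})


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: no case folding, fresh salt per user, slow by design."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    _, candidate = pbkdf2_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    samples = ["Secret1", "secret1", "SECRET1", "Other"]  # constructed
    print("distinct inputs collapsed by md5_lower:", case_variants_collapsed(samples))
    salt, digest = pbkdf2_hash("Secret1")
    print("pbkdf2 accepts exact password:", pbkdf2_verify("Secret1", salt, digest))
    print("pbkdf2 accepts case variant:", pbkdf2_verify("secret1", salt, digest))
```

Hashing on the client does not replace TLS: whatever the client sends is what a MITM captures, so the PBKDF2 digest belongs on the server side of a protected connection, not on the wire.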
• 53. ASUS WEBSTORAGE. EULA/PRIVACY
• We take precautions to protect your personal information against unauthorized access or unauthorized alteration, disclosure or destruction. These include internal reviews of our personal information collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store your personal information. Transmission of personal information between different locations of ASUS Cloud affiliated companies is performed through our secured wide area network. When you submit personal information via the service, your information is protected both online and offline. However, ASUS Cloud cannot guarantee a perfect security on the internet. When using the internet, we recommended that you use alphanumerical usernames and passwords and change your passwords on a regular basis, as well as keep your computer up to date by applying the latest available security updates for your software and using such tools as virus/spyware scanners.
• If you have any questions regarding the security of our web site, please refer to our security web page.
• ISO27001, SSL, AES, RAID, https://www.asuswebstorage.com/navigate/security/ https://service.asuswebstorage.com/privacy/
• 54. SKYPE
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Media data (attachments), Message (or last messages), friend list, Email/Login, Snapshot
• Network data [Android: Weak/Strong], [iOS: Weak/Strong]
• Media data (attachments), Message (or last messages), Email/Login, Device Data, UserID, MS Live password, no Skype password
• History: 2013: Weak/Strong; 2014: Weak/Strong; 2015: Weak/Strong; 2016: Weak/Strong
• 55. EVERNOTE
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• Tokens, UserID, Sync Documents (notes), cached data, SnapShot (iOS only)
• Network data [Android: Medium], [iOS: Protected]
• Sync Documents (notes), Full name, Account Details, Credentials, tokens, etc.
• Important note. In fact, the app wasn’t changed at all and if you’re on old iOS < 9 then your data can be stolen with a fake root certificate, otherwise, NO
• History: 2013: Medium; 2014: Medium; 2015: Medium; 2016: Android – Medium, iOS - Protected
• 56. EVERNOTE. EULA/PRIVACY
• Evernote is committed to protecting the security of your information and takes reasonable precautions to protect it. We use industry standard encryption to protect your data in transit. This is commonly referred to as transport layer security (“TLS”) or secure socket layer (“SSL”) technology. However, internet data transmissions, cannot be guaranteed to be 100% secure, and as a result, we cannot ensure the security of information during its transmission between you and us; accordingly, you acknowledge that you do so at your own risk.
• https://evernote.com/legal/privacy.php?noredirect
• 57. CYBER GHOST
• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
• tokens
• Network data [Android: Medium/Strong Protected], [iOS: Medium/Strong Protected]
• Login, oauth consumer_key, token, token_secret, radius_password, geo location, ip, country, account details, license key, license expiration
• History: 2013: N/A; 2014: N/A; 2015: Medium/Strong Protected; 2016: Medium/Strong Protected
• 58. CYBERGHOST. EULA/PRIVACY
• Personal data: CyberGhost collects and uses no personal data, such as e-mail addresses, name, domicile address and payment information.
• If you register for the Premium-Service of CyberGhost VPN, we store a fully anonymous User ID, an encoded password and your pay scale information (activation key, start and end). The stored e-mail addresses are not linked to a User ID.
• Log data: CyberGhost keeps no logs which enable interference with your IP address, the moment or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses.
• In March 2012, CyberGhost had successfully passed an audit and verification conducted by QSCert for the implemented Information Safety Management System (ISMS) according to the international industrial standards ISO27001 and ISO9001. The certification confirms the high quality of the internal safety processes and is renewed yearly
• 59. ISO 27001, ISMS, ETC.
• ISO27001 (and similar standards for non-IT areas) explicitly do not require "have you taken every sensible precaution to ensure it is"; it is sufficient to have a policy that acknowledges that you haven't taken a bunch of very sensible precautions and that you simply accept the risks caused by that
• If a company with a proper ISMS only accepts file uploads with insecure FTP, it means they thought about this and decided either it's not their problem or they don't care
• 60. RESPONSIBLE DEVELOPER VS LAZY ONE
• Apple (!) & Google (!)
• QIWI – best app with its own cryptography and has implemented all security features
• Dropbox - has implemented all security features
• App in the Air (network, in progress)
• CyberGhost (network, in progress)
• Asus Web Storage (pwd, in progress)
• Sberbank (background fixing)
• Hotels.Ru (network, in progress)
• DeliveryClub (network, in progress)
• AnywayAnyday (network, having fun with hardcoded ‘anyway’ 192-bit -> 256-bit key)
• Evernote (network)
• … everyone you saw in this slide or among my researches
• 61. PANDA SM MANAGER IOS APPLICATION - MITM SSL CERTIFICATE VULNERABILITY
• "Panda Systems Management is the new way to manage and monitor IT systems." "Inventory, monitoring, management, remote control and reporting... All from a single Web-based console" (https://itunes.apple.com/us/app/panda-sm-manager/id672205099)
• Timeline – Almost 1 Year (!)
• July 19, 2015 - Notified Panda Security via security@pandasecurity.com, e-mail bounced
• July 20, 2015 - Resent vulnerability report to corporatesupport@us.pandasecurity.com & security@us.pandasecurity.com
• July 20, 2015 - Panda Security responded stating they will investigate
• July 31, 2015 - Asked for an update on their investigation
• August 3, 2015 - Panda Security responded stating that the issue has been escalated and is still being reviewed
• August 14, 2015 - Asked for an update on their investigation
• October 16, 2015 - Asked for an update on their investigation
• … NO ANSWER …
• March 1, 2016 - Panda Security released version 2.6.0 which resolves this
  • 62. ADVICES. YOU’RE DEVELOPER? DON’T CARE ABOUT SECURITY/PRIVACY? THEN YOUR CHOICE IS … • BlackBerry. Protects everything locally stored except public folders & external storage. Also it’s hardly to MITM except plain http traffic. Even for Android (!) • Windows Modern 10 apps. Anti-MITM protection on OS level by default (still researching it, also can’t confirm it for Android app support – Project Astoria) • iOS. Ok. Easy way to make user to install trusted fake certificate to MITM. Upgrade! Local app files on iOS < 8.3 could be accessed without jailbreak • Android. Fail. Easy way to make user to install trusted fake certificate to MITM. Some vendors prevent unlocking bootloader without user interaction to avoid root without his asking. But some doesn’t (!)
  • 63. REMEDIATION: ANDROID • Follow security programming guide from Google • Call ‘setStorageEncryption’ API for locally stored files (new Android OS v5+) • Encrypt externally stored files on SD Card or Cloud (any OS) • Define when encryption signature doesn’t matter, else avoid it • Reduce using of ‘MODE_WORLD_READABLE ’ unless it really needs • Avoid hardcoded and debug tracks as much as possible (it’s easy to decompile) • Add extra protect beyond OS (encryption, wiping, etc.)
  • 64. REMEDIATION : IOS • Follow security programming guide from Apple • Never store credentials on the phone file system. Use API or web scheme instead • Define when encryption signature doesn’t matter, else avoid it • Use implemented protection mechanism in iOS… • But … add extra protection layer beyond OS protection in case of jailbreak • Use any API and protection mechanisms properly but never default settings • Don’t forget to encrypt SQL databases
  • 65. REMEDIATION : BLACKBERRY • Follow security programming guide from BlackBerry • Don’t store credentials in shared folders • Encrypt data stored in shared folders • Use implemented protection mechanism in BlackBerry… • But … add extra protection layer beyond just in case • Don’t forget to encrypt SQL databases • Don’t develop Android app-ports • Try to avoid using ported or Android native app under BlackBerry • Develop more and use native apps for BlackBerry 
  • 66. REMEDIATION: WINMOBILE 10 • Credentials stored or transferred in plaintext locally. • Data usually stored or transferred structured file type that simplify an analysis • Signature-based encryption helps quickly decrypt data (depends on dynamically linked libraries) • Data stored in SQLite databases usually not encrypted • Keys may be hardcoded or put in data folder • Applications could be analyzed on Windows 10 Desktop via known methods like a desktop applications
  • 67. REMEDIATION: WIN 10
    • Credentials stored or transferred in plaintext locally
    • Data usually stored or transferred in structured file types that simplify analysis
    • Signature-based encryption helps to quickly decrypt data (depends on dynamically linked libraries)
    • Data stored in SQLite databases is usually not encrypted
    • Keys may be hardcoded or put in the data folder
    • Application data folder is accessible without any restrictions
  • 68. REMEDIATION: MAC OS X
    • Credentials stored/transferred in plaintext locally
    • Data stored in a keychain without additional protection or encryption
    • Data usually stored or transferred in structured file types that simplify analysis
    • Signature-based encryption that helps to quickly decrypt data
    • Avoiding the protection mechanisms in iOS, which eventually leads to poor protection
    • Data stored in SQLite databases is usually not encrypted
    • Keys may be hardcoded
    • Application data folder is accessible without any restrictions
  • 69. [ YURY CHEMERKIN ]
    • MULTISKILLED SECURITY EXPERT
    • WORKS FOR ADVANCED MONITORING
    • EXPERIENCED IN:
      • REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
      • MOBILE SECURITY & CLOUD SECURITY
      • IAM, COMPLIANCE, FORENSICS
    • PARTICIPATION & SPEAKING AT MANY SECURITY CONFERENCES
  • 70. (LEAKED) MOBILE APPLICATION DATA PRIVACY
    • HOW TO CONTACT ME?
    • YURY CHEMERKIN
    • ADD ME ON LINKEDIN: https://www.linkedin.com/in/yurychemerkin
    • SEND A MAIL TO: yury.s@chemerkin.com

Editor's Notes

  1. I want to talk about software applications and how our data is protected by them. I divided my talk into three parts – what we already know about security, or have at least heard of. This part is about some facts published on the internet by independent researchers, and published in my talks and presentations too. The second part is about what you will learn from this presentation – new results of my research I want to share with you. The last part suggests solutions for how we could solve it.
  2. Untrusted chargeable places. When you connect your device to them you will see a notification that you plugged into a PC/Mac. I feel confused because it’s only a charging device, plug it into a power socket. Why the PC connection, what’s going on here? Untrusted network places. When you connect your device to them you will see nothing. Most difficult case. I talk a bit more about it on the next slide. You will see a question about an untrusted certificate. You accept or decline it, it’s up to you. If you want to get your internet you accept; if not, you can’t get your free or paid internet. Someone makes you install a trusted certificate. Isn’t it easy, just tell your customers they have to obtain a trusted certificate from your site and install it? Wait, what? Don’t install untrusted certificates? But this guy told me I need it to get the internet, I believe him. Ok, I don’t.
  3. How do you know if some place is untrusted? For example, when I was at JFK airport in New York 1 year ago, I found out my BlackBerry stopped working in a prepaid WiFi network. Once again, ‘prepaid network’, not ‘free’. It was working well on Delta Air Lines in the same WiFi network 1 hour before, but stopped in the airport. I felt confused, thought I was doing something wrong. At the same time my iPhone was working almost well. But something was wrong. You can see on this slide what exactly was wrong. Look at the left screenshot. My mail server detected an untrusted certificate in the prepaid network. The same happened to me in a Russian public WiFi network in the underground rapid transit. Again, left screenshot – prepaid network, right screenshot – free network. In both cases, only a few applications confirmed it was untrusted to use my device in that network. I can’t share details about the JFK network, because I lost my iPhone one month later, but I share details about our free network to let you know something about the Russian rapid transit WiFi network.
  4. In this case it’s non-trusted at the same time. Other fields of the certificate look good. It had also expired in October, and since November the Subway staff issued a new certificate that expires in 10 years. Will you trust this network? If someone wants to say yes, I tell you that half a year ago one researcher showed how to make a fake network with the same name to make devices auto-connect to it; no data was stolen, but it’s a possibility. Let’s see what happens when you make someone install a trusted certificate in another case and make people believe they need it.
  5. Almost the same. I keep the original name of the issuing organization that belongs to the proxy tool, but keep in mind we can use any certificate issued with the ‘right’ name to mislead everyone.
  6. Usually, the answer to this question is pretty simple. We are! But here we need to do a small investigation to define what ‘we are’ means. It’s well known that people tend to share information about themselves. I have to admit that’s true; some do it, some don’t. At the same time some of us know a bit more about security, some less; we can be experts in certain fields and fail in another one. Every developer and security expert is telling us we’re guilty of our insecurity. Is that true? I’m a security expert and a typical customer of mobile applications, and I doubt I fail so many times at it. So, who is responsible for insecurity? A quick investigation shows us 2 simple things.
  7. ITR tells us there are 30% ‘angry men’ who want to uninstall your app because of privacy concerns. Isn’t it funny to continue telling us vulnerabilities make sense and data leakage doesn’t?
  8. I think some of you doubt a bit how easy it is to get access to your data. I don’t want to talk about what happens if you lose your phone or install malicious software. I’m also not going to talk about vulnerabilities. No, really, I don’t like vulnerabilities. They apply to one build only. What if developers made a mistake in code and it affects several editions of their software for several years? That’s the data protection I’m talking about. How to calculate the cost of your security? I like this way. You can buy the cheapest software, make a fake public network and steal all the data you find in the traffic. Or wait, you don’t even need to pay for it if you’re a pirate. You also can buy special forensics software if you want; better buy than be a pirate if you prefer up-to-date software. So, if you have 1k bucks in your pocket and are willing to feel like a hacker, welcome to the new world. You can, I don’t believe it, all developers in the world can’t fail so much. Ok, not all, but I did research last year and examined a couple hundred applications. This year I increased their quantity up to 7 hundred applications. Still don’t believe? Ok, I have 1 hour to make you change your mind.
  9. Sometimes we need to stop installing unofficial applications to prevent our credentials from being stolen, but sometimes, oh gods. My country made a decision to make every company store personal data in Russian datacenters. I don’t mind, but Viber was in a rush to say they’ll DO it. Yes, just do it. They’re gonna store credentials even. Is it me, or does personal data not include credentials? So it’s a case when you have no idea what to install, the official app or an unofficial one.
  10. http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/ There is a tweet here too.
  11. More facts: independent researchers already did the same investigation as me and found the same results. We already talked about it.
  12. Instagram was sending everything in plaintext till the end of 2014. Now they’ve switched to HTTPS but are still affected by MITM attacks. Now they’re sure it’s highly secure: just don’t install non-trusted certificates and don’t use public networks. We’re not responsible for anything that happens to you. Kik Instant Messenger. These developers are gonna teach us what the protection standard is and tell us they follow Apple and Google coding guides. Are you guys even familiar with the way to get root access without asking the owner? Let him just lose his device for 10 minutes and that’s it. What? Don’t lose it? Maybe you will start protecting our data instead?
  13. 4talk is one more instant messenger. Previous year, no protection at all; this year, something is protected, but you guys still need to work hard on it. Thanks for working on it, though. I really appreciate that my presentations were helpful! Noname guys said data leakage is data that becomes available when you perform typical activities. Only vulnerabilities are weaknesses of an application. If you don’t talk to us about weaknesses, just get out. For those developers I have to remind of the prices to show how much customer data costs to them.
  14. Best guys I’ve ever seen. I will memorize their post for ages. I knew about storing data in plaintext, so don’t worry. We did it just to speed our software up. You know, encryption stopped being a slowpoke animal several years ago. No comments.
  15. … 2011-2013 middle… But I didn’t imagine I would get more fun when I checked mobile applications! How did that happen? The chairman of a local event asked me to join his event and give a talk about the insecurity of bank apps. He said “Make guests scared of bank apps, but without any deep research”. Well, I started looking for security fails. I thought “Tough guys!”. I made a decision to check more apps that provide payment features and a couple of non-payment apps. Then I had fun. Could you believe that bank apps provide worse security than office apps like Dropbox? Now you know it. What about deep research? I didn’t even check the code of these apps. I only checked locally stored data and data transmitted over the network. No special tools or knowledge. It was the start point of my new research, which I was doing and presented last year here at DefCamp and at HackerHalted in the US. But I didn’t finish there. The current research includes results of half a thousand apps examined to show you the worst security and tell what apps are still good.
  16. Meridian
    • Name, PhoneNumber; Current Location (when you call a taxi); Android Version
    • Name, PhoneNumber, Favourite Addresses; Last Location (Coordinates, street); Android Version
  SpeedTaxi
    • Google Maps API
    • DeviceModel, OS, Version (when sending feedback)
    • Name, Email, Phone (when sending feedback); Feedback Message
    • Name, Email, Phone
  Cobalcescu
    • Name, Email, Phone
    • Order Coordinate, Order Comment
  17. AirCanada sends information about your device and environment without any protection. No MITM needed. Usually many apps do the same, but at least not via HTTP. News applications usually send everything and store everything in plaintext. It’s good for news, but really bad for my credentials. Asus storage app. It requires you to type a complex password, converts it to a token and sends it without protection. Travel apps also send everything in plaintext. But if you proceed to a link to buy a ticket, probably some services detect you’re being MITMed. Sometimes apps prevent MITM but reveal the password to the proxy tool, like Box. If an app has a payment feature and it’s a taxi app like Gett, you can find out your payment isn’t protected at all.
  18. If you still believe that developers protect your data, be sure they don’t. There are many outsourced apps, many 3rd party services that help other developers to have a backend in 5 mins. It’s a really good idea, I mean 3rd party services. My favorite one, Kinvey dot com. You see, no requests at all about the untrusted identity of the server.
  19. We’re logging in to the service. Data was caught in plaintext. No protection, email & password without protection at all. At least thanks for HTTPS, it makes me feel secure … for a second.
  20. The same happens when you’re trying to connect via applications. You get a login and password, a download link and some more information.
  21. I think the guys aren’t familiar with the definition of what they wrote. What does it mean according to a public source? It’s information that is not made available to someone who shouldn’t get access to it. Looks simple. This is the second part of the small investigation. Humans fail, but developers are humans too, and they fail too. So, stop talking only about customers failing, okay?!
  22. But what’s your first thought when you get an email like this? Did you like it? Look carefully: I see my fake email and my fake password and one more awesome phrase. We guarantee the confidentiality of your data. Are you? Really? Stop kidding me, you fail before I even start examining your mobile application!
  23. Old versions are still in the medium section
  24. No privacy policy, there are privacy tips for clients
  25. Old versions are still in the medium section
  26. Old versions are still in the medium section
  27. Old versions are still in the medium section
  28. So, if you’re a lazy developer I have something for you. Just a short list of OSes you should choose when you’re developing your apps and claim you know better how to protect my data. Choose BlackBerry or Windows Mobile and don’t store data in public folders. Best way to do nothing and claim customer data is protected at a high level. You also can choose Windows Modern App. The OS has a default protection that prevents MITM attacks, at least for now. iOS is merely a good OS, but better make your customers use the up-to-date release, because in older editions everyone can have access to application data without jailbreak. Now everyone needs jailbreak unless you put it in shared folders. Android – only if your vendor has bootloader protection can it be a good choice, to avoid rooting your device without your knowledge. The rest of the desktop OSes don’t help you much in preventing data leakage.
  29. For local storage the enterprise Android device administration API can be used to force encryption of local file stores using “setStorageEncryption”. Ask the user to encrypt the device. For SD card storage some security can be achieved via the ‘javax.crypto’ library. You have a few options, but an easy one is simply to encrypt any plaintext data with a master password and AES 128. Ensure any shared preferences properties are NOT MODE_WORLD_READABLE unless explicitly required for information sharing between apps. Avoid exclusively relying upon hardcoded encryption or decryption keys when storing sensitive information assets. AnywayAnyday password with AES encryption. Consider providing an additional layer of encryption beyond any default encryption mechanisms provided by the operating system.
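A self-audit of an app's local data folder, added here as an example (not the author's tooling) for the findings on slides 63–68 and this note: it flags plaintext credentials in structured files, unencrypted SQLite databases and world-readable files (the MODE_WORLD_READABLE case). The sample folder, file names and values are constructed for the demo.

```python
"""Self-audit of an app's local data folder for the storage failures the talk lists
(added example, not the talk's own tooling): plaintext credentials in structured files,
unencrypted SQLite databases, and world-readable files (Android's MODE_WORLD_READABLE)."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # an encrypted DB (e.g. SQLCipher) lacks this header
# Matches password=..., "password": "...", <string name="password">..., and similar.
CREDENTIAL_VALUE = re.compile(rb'(?i)\b(password|passwd|pwd|token|secret)\b\W{0,4}[=:">]')
CREDENTIAL_COLUMN = re.compile(r"(?i)pass|pwd|token|secret")   # e.g. auth_token


def sqlite_credential_columns(path):
    """Return 'table.column' names in an unencrypted SQLite file that look like credentials."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        return [f"{t}.{c[1]}" for t in tables for c in con.execute(f'PRAGMA table_info("{t}")')
                if CREDENTIAL_COLUMN.search(c[1])]
    finally:
        con.close()


def audit_file(path):
    """Return the findings for one file; an empty list means nothing was flagged."""
    path = Path(path)
    findings = []
    if path.stat().st_mode & 0o004:                      # readable by every other app/user
        findings.append("world-readable")
    data = path.read_bytes()
    if data.startswith(SQLITE_MAGIC):
        findings.append("unencrypted-sqlite")
        findings += [f"credential-column:{c}" for c in sqlite_credential_columns(path)]
    elif CREDENTIAL_VALUE.search(data):
        findings.append("plaintext-credential")
    return findings


def audit_tree(root):
    """Audit every regular file under root; returns sorted (relative path, finding) pairs."""
    root = Path(root)
    return sorted((p.relative_to(root).as_posix(), f)
                  for p in root.rglob("*") if p.is_file() for f in audit_file(p))


def build_sample_tree(root):
    """Construct a sample data folder showing the problems above (all values are made up)."""
    root = Path(root)
    prefs = root / "shared_prefs" / "login.xml"          # Android shared preferences file
    prefs.parent.mkdir(parents=True)
    prefs.write_bytes(b'<map>\n  <string name="user">alice</string>\n'
                      b'  <string name="password">hunter2</string>\n</map>\n')
    os.chmod(prefs, 0o644)                               # what MODE_WORLD_READABLE produces
    db = root / "databases" / "cache.db"
    db.parent.mkdir(parents=True)
    con = sqlite3.connect(str(db))
    con.execute("CREATE TABLE account (email TEXT, auth_token TEXT)")
    con.execute("INSERT INTO account VALUES ('alice@example.test', 'constructed-token')")
    con.commit(); con.close()
    os.chmod(db, 0o600)
    good = root / "settings.json"                        # nothing sensitive, private mode
    good.write_bytes(b'{"theme": "dark", "locale": "en"}')
    os.chmod(good, 0o600)
    return root


def run_demo():
    return audit_tree(build_sample_tree(tempfile.mkdtemp()))
```

Point `audit_tree` at a copy of your own app's data directory pulled from a test device to see which of the slide's findings apply before a reviewer does.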
  30. Never store credentials on the phone file system. Force the user to authenticate using a standard web or API login scheme (over HTTPS) to the application upon each opening, and ensure session timeouts are set at the bare minimum to meet the user experience requirements. Where storage or caching of information is necessary, consider using a standard iOS encryption library such as CommonCrypto. However, for particularly sensitive apps, consider using whitebox cryptography solutions that avoid the leakage of binary signatures found within common encryption libraries. If the data is small, using the provided Apple keychain API is recommended, but once a phone is jailbroken or exploited the keychain can be easily read. This is in addition to the threat of a bruteforce on the device’s PIN, which as stated above is trivial in some cases. For databases consider using data encryption. For items stored in the keychain on mobile devices ensure a strong PIN is forced: alphanumeric, larger than 4 characters. Avoid the default configuration to store sensitive pieces of information, as it stores data in plist files. Avoid exclusively relying upon hardcoded encryption or decryption keys when storing sensitive information assets. Consider providing an additional layer of encryption beyond any default encryption mechanisms provided by the operating system.
  34. http://def.camp/wp-content/uploads/2015/02/defcamp-6-2.png.