This document summarizes a presentation about mobile application security. The presentation covered several key topics: (1) trends driving increased mobile usage and threats, (2) the OWASP Mobile Top 10 risks, (3) examples of real vulnerabilities found in enterprise mobile apps, (4) methods for assessing mobile app security like threat modeling, and (5) resources for development and QA teams to improve mobile app security. The goal is to help organizations understand mobile security challenges and integrate security practices into the mobile software development lifecycle.
2. About the Presenter
• Jason Haddix (@jhaddix)
• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
• Previously worked in HP’s Professional Services as a security consultant, and as an engineer & pen tester for Redspin.
• Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
3. Overview
• Trends and the need for mobile appsec
• Overview of threat landscape
• Classifying vulnerabilities and exploring metrics
• Threat modeling and risk profiling mobile apps
• Exploring a few high risk areas
• The mobile app SDLC
• Fortify on Demand’s Testing Methods for QA and Security Groups
• Resources for development and QA teams facing mobile security
4. Trends and Threats | Adoption
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• Two-thirds of the world’s mobile data traffic will be video by 2015
• There will be nearly one mobile device per capita by 2015 (~6 billion)
Data from Smart Insights, 2011
6. Why do we care?
• Your critical business applications face the Internet
• Regulations and Standards (PCI, HIPAA, SOX, etc)
• More than 60% of applications have serious flaws
9. Same Old Server
(Diagram labels: Information Security, Operations, Software Services)
10. Mobile Application Security Challenges
• Difficult to train and retain staff - very difficult to keep skills up-to-date
• Constantly changing environment
• New attacks constantly emerge
• Compliance Requirements
• Too many tools for various results
• Apps are getting launched on a daily basis with Security not being involved.
• Junior Developers are typically the ones creating the apps.
11. How you see your world
Get Sales Data
Get the username
Get the password
Edit my account
Remember the User
Generate Reports
12. How an attacker sees your world
Insufficient Data Storage
SQL Injection
Data Leakage
Cross Site Scripting
Sensitive Information Disclosure
Improper Session Handling
Weak Server Side Controls
Client Side Injection
14. OWASP Mobile Top 10 Risks
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
• M10 – Sensitive Information Disclosure
15. OWASP Mobile Top 10 Risks: M1 – Insecure Data Storage
• SQLite
• Logging
• Plist Files
• Manifest Files
• Binary data stores
• SD Card Storage
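As an added assessment helper (not code from the presentation), the script below walks an app's extracted data directory and flags SQLite columns and plist keys whose names suggest a credential or session token is being kept in the clear; the sample database and plist it builds are constructed for the demo.

```python
import os
import plistlib
import sqlite3
import tempfile
# Column / key names that usually mean a credential or session token is being stored.
SENSITIVE_NAMES = ("password", "passwd", "secret", "token", "session", "credential")
def _looks_sensitive(name):
    return any(s in name.lower() for s in SENSITIVE_NAMES)

def scan_sqlite(path):
    """Return (table, column) pairs whose column name suggests a stored credential."""
    findings, con = [], sqlite3.connect(path)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            # PRAGMA table_info rows are (cid, name, type, notnull, default, pk)
            for col in con.execute(f'PRAGMA table_info("{table}")'):
                if _looks_sensitive(col[1]):
                    findings.append((table, col[1]))
    finally:
        con.close()
    return findings

def scan_plist(path):
    """Return top-level plist keys whose name suggests a stored credential."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return [k for k in data if _looks_sensitive(k)] if isinstance(data, dict) else []

def scan_app_data(root):
    """Walk an app's data directory and report where secrets appear to live in clear text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith((".db", ".sqlite", ".sqlite3")):
                findings += [(name, f"{t}.{c}") for t, c in scan_sqlite(path)]
            elif name.endswith(".plist"):
                findings += [(name, key) for key in scan_plist(path)]
    return sorted(findings)

def build_sample_app_data():
    """Constructed sample: an app that caches a login in SQLite and a token in a plist."""
    root = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(root, "cache.db"))
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    con.commit(); con.close()
    with open(os.path.join(root, "Settings.plist"), "wb") as fh:
        plistlib.dump({"theme": "dark", "sessionToken": "abc123"}, fh)
    return root
```

Name matching is only a first pass; a finding still needs a look at the actual values (and at what else the app writes to the SD card or logs) before it is reported.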
16. OWASP Mobile Top 10 Risks: M2 – Weak Server Side Controls
• EVERYTHING in the OWASP Top 10
17. OWASP Mobile Top 10 Risks: M3 – Insufficient Transport Layer Protection
• Insecure SSL Encryption
• Unsigned and Unforced Certificate Validation
18. OWASP Mobile Top 10 Risks: M4 – Client Side Injection
• SQLite Injection
• XSS via Webview
• LFI
• Etc
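The SQLite injection item above, as an added example that is not from the presentation: the same lookup written the vulnerable way (string splicing) and the safe way (bound parameter), run against a constructed in-memory account cache like the one a mobile app might keep locally.

```python
import sqlite3

def make_db():
    """Constructed sample: a local account cache such as a mobile app might keep in SQLite."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", "alice@example.com"),
                     ("bob", "bob@example.com"),
                     ("o'brien", "ob@example.com")])
    return con

def find_account_vulnerable(con, username):
    """Anti-pattern: the untrusted value (form field, intent extra, URL scheme
    parameter) is spliced into the SQL text, so it can change the query."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()

def find_account_safe(con, username):
    """Fix: bind the value as a parameter; SQLite then treats it purely as data."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()

def demo():
    """Compare both lookups on a crafted value and on an honest name containing a quote."""
    con = make_db()
    crafted = "x' OR '1'='1"
    legit = "o'brien"
    results = {
        "vuln_crafted": len(find_account_vulnerable(con, crafted)),  # whole table leaks
        "safe_crafted": len(find_account_safe(con, crafted)),        # no such user
        "safe_legit": len(find_account_safe(con, legit)),            # correct single row
    }
    try:
        find_account_vulnerable(con, legit)
        results["vuln_legit"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_legit"] = "sql error"   # the quote breaks the query even for honest input
    return results
```

The honest-name case is the one to show developers: parameter binding is not only a security fix, it is also the only version that handles real data correctly.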
19. OWASP Mobile Top 10 Risks: M5 – Poor Authorization and Authentication
• Poor Password Complexity
• Account disclosure via Login or Forgot Password
20. OWASP Mobile Top 10 Risks: M6 – Improper Session Handling
• Indefinite Sessions
• Weak cookie “hashing”
• Home rolled session management
• Using phone ID as part of session
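An added example (not from the presentation) contrasting two of the items above: a session id derived from the phone id, which anyone who knows the id can reproduce and which never expires, next to a server-side session store with random tokens, an absolute lifetime and an idle timeout. The FakeClock is a constructed helper so the expiry logic can be exercised offline.

```python
import hashlib
import secrets
import time

def weak_session_id(device_id):
    """Anti-pattern from the slide: a session id derived from the phone id.
    Even a strong hash does not help, because the input is public and the
    result is the same forever, so it can be computed without ever logging in."""
    return hashlib.sha256(device_id.encode()).hexdigest()

class SessionStore:
    """Hardened server-side sessions: unguessable ids, absolute lifetime and idle timeout."""
    def __init__(self, max_lifetime=8 * 3600, idle_timeout=15 * 60, clock=time.time):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unrelated to the device
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """Return the user for a live session, or None (dropping it) once it has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > self.max_lifetime or now - s["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke(self, token):
        """Logout must invalidate server side; deleting the cookie on the phone is not enough."""
        self._sessions.pop(token, None)

class FakeClock:
    """Constructed clock so the expiry logic can be exercised offline and deterministically."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds
```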
21. OWASP Mobile Top 10 Risks: M7 – Security Decisions via Untrusted Inputs
• Inter-process communication
• Android intents
• iOS URL schemes
22. OWASP Mobile Top 10 Risks: M8 – Side Channel Data Leakage
• Keystroke logging
• Screenshot caching
• Logs
• Temp files
23. OWASP Mobile Top 10 Risks: M9 – Broken Cryptography
• Rolling your own crypto
• Antiquated crypto libraries
• Encoding != encryption
• Obfuscation != encryption
• Serialization != encryption
24. OWASP Mobile Top 10 Risks: M10 – Sensitive Information Disclosure
• Hardcoded secrets! API keys, server-side database passwords, etc
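An added static check for the hardcoded-secrets item (not a tool from the presentation or from Fortify): it flags string literals assigned to credential-like names and, for everything else, literals random enough to be a key. The Java-style source it scans is constructed and every value in it is made up.

```python
import math
import re

# A string literal assigned to a name that suggests a credential (Java/Kotlin/Objective-C style).
SECRET_ASSIGN = re.compile(
    r'\b(?P<name>\w*(?:api[_-]?key|secret|password|passwd|token)\w*)\s*=\s*@?"(?P<value>[^"]{6,})"',
    re.IGNORECASE)
# Any quoted run of key-like characters long enough to be a key; checked for randomness below.
ANY_LITERAL = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')

def shannon_entropy(s):
    """Bits per character; random keys score well above ordinary words or URLs."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_secrets(source, entropy_threshold=3.5):
    """Return (line_no, reason, value) for lines that look like embedded credentials."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith(("//", "*", "#")):
            continue                                  # skip comments to cut noise
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append((no, "credential-like name", m.group("value")))
            continue
        for literal in ANY_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append((no, "high-entropy literal", literal))
    return findings

# Constructed sample resembling the app code the slide describes; every value here is made up.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1/";
    private static final String API_KEY = "ExampleMadeUpApiKey0123456789";
    static final String dbPassword = "Pr0d-Db-Pa55w0rd";
    private static final String CERT_PIN = "k8J2mP9qR4tV7wX1zB5nC3dF6hL0sA";
    private static final String WELCOME = "Welcome back to the application!";
    // String oldToken = "deadbeefdeadbeefdeadbeef";
}
"""
```

Anything this flags in a shipped APK or IPA is already in attackers' hands, since the binary can be pulled from any device; the fix is to move the secret server side or behind a per-user token, not to obfuscate it.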
26. Vulnerabilities by Risk
• Case study of 120 Mobile applications for 1 Enterprise client
• 234 vulnerabilities
• 66% of applications contained a critical or high vulnerability that:
  • Disclosed 1 or more users' personal data
  • Exposed multiple users' personal data
  • Compromised the application's server
(Chart: vulnerability count by severity – Critical, High, Medium, Low, Informational; y-axis 0 to 90)
27. Vulnerabilities by OWASP Top 10 Category
(Chart: vulnerability count per category M1 through M10 plus Other; y-axis 0 to 80. Legend: M1 Insecure Data Storage, M2 Weak Server Side Controls, M3 Insufficient Transport Layer Protection, M4 Client Side Injection, M5 Poor Authorization and Authentication, M6 Improper Session Handling, M7 Security Decisions Via Untrusted Inputs, M8 Side Channel Data Leakage, M9 Broken Cryptography, M10 Sensitive Information Disclosure)
28. Other?
• Poor Code Quality and Applications Hardening
  • Unreleased Resources
  • No ASLR or Memory Management frameworks enabled.
• Privacy Leaks
  • UUID, Wifi, device names, geolocations, etc, leaked to Ad Agencies
30. Mobile SDLC
Security Foundations – Mobile Applications (activities per phase)
• Plan: Mobile Security Development Standards; Mobile Application Security Process; Mobile Risk Dictionary; Mobile Security Policies
• Requirements: Application Specific Threat Modeling and Analysis; Threat Modeling for Developers
• Architecture & Design: Mobile Secure Coding Training; Mobile Secure Coding CBT; Design
• Build: Mobile Secure Coding Standards Wiki; Static Analysis
• Test: Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
• Production: Mobile Firewall; MDM
31. How do we get started?
1. Find your published apps
2. Threat model them based on the information they handle
3. Assess and fix published apps
4. Give resources to developers to write secure code
32. Threat Modeling a Mobile App
Identify business objectives:
• Identify the data the application will use
• PII vs Non-PII
• Credentials & access
• Where is it stored?
• Payment information?
Types of data at risk with a mobile app:
• Usernames & Passwords
• UDID
• Geolocation/address/zip
• DoB
• Device Name
• Network Connection Name
• Credit Card Data or Account Data
• Updates to Social media
• Chat logs
• Cookies
• Etc…
41. Other Resources for QA, Security Managers, and Devs
• Fortify’s 7 Ways to Hang Yourself with Android Presentation
• Fortify on Demand’s iOS Penetration Testing Presentation
• Fortify’s VulnCAT
43. Other Resources
• OWASP Top 10 Mobile Risks Page
• OWASP iOS Developer Cheat Sheet
• Google Android Developer Security Topics 1
• Google Android Developer Security Topics 2
• Apple's Introduction to Secure Coding
45. Parting Thoughts
• Remember that mobile sites face the Internet as well; obscurity != security
• Web teams and mobile teams are often not the same; mobile development teams are often behind in security training
• Track the data flow; threat modeling / risk assessment
• Start with Risk Profiling and exposure (deployed apps)
• It all starts with the code; coding standards are pivotal
46. Parting Thoughts II
• Give developers prescriptive guidance, show with examples
• Don’t store it (PII) at all if you don’t need to
• If you have a 3rd party dev team, deploy a contract that enforces coding based on secure mobile dev standards
• Mobile Device Management (MDM) is not a substitute for secure code
• Finally, don’t be intimidated by “mobile”; the same fundamentals are still in play