Presentation from OWASP Serbia from 7.4.2015. Topics: OWASP Mobile project, OWASP Mobile Top 10 risks, OWASP Seraphimdroid

1. Mobile security and OWASP mobile
Nikola Milošević
nikola.milosevic@owasp.org
@dreadknight011

2. About OWASP
• The Open Web Application Security Project (OWASP) is a worldwide not-for-profit
organization focused on improving the security of software. Our mission is to make
software security visible, so that individuals and organizations worldwide can make
informed decisions about true software security risks.
• Values:
• OPEN – transparent finances, open source code
• INNOVATION - encourages experimenting
• GLOBAL - everyone can contribute
• INTEGRITY - honest and truthful, vendor neutral, global community
• Over 300 local chapters with at least quarterly meetings
• Over 130 projects
• OWASP chapter in Serbia since 2012

3. About Me
• My name is Nikola Milošević
• OWASP Serbia local chapter founder
• OWASP Manchester local chapter leader
• OWASP Seraphimdroid project leader
• 2014 Google Summer of Code mentor
• OWASP anti-malware project contributor
• Teaching assistant and PhD student at the University of
Manchester
• Research: Text mining, natural language processing, linked
big data, semantic web (lot of buzzwords)

4. Going mobile

5. Internet of things

6. Security perspective
• Smart means vulnerable
• Main motives: Money, processing power

7. Simple example

8. OWASP Mobile project
• Composed of several smaller project:
•Top 10 mobile risks
•Mobile Tools
•GoatDroid,iGoat
•Seraphimdroid
•Damn Vulnerable iOS Application
•MobiSec
•...
•Mobile Security testing
•Mobile Application Threat Model

9. Mobile Top 10
• aa

10. 1. Weak Server side controls
• Everything that a mobile application can do badly that does not take
place on the phone
• Unvalidated input affecting API, web service, web application
• Injections (SQL, XSS, XXE...), Authentication flaws, Session
Management flaws, Access control vulnerabilities, Local and Remote
File Includes
• Secure coding and configuration
practices must be used on server-side
of the mobile application.

11. 2. Insecure Data Storage
• Assumption that users or malware will not access file
system
• Sensitive and personal information stored in sensitive
format
• Identity Theft, Fraud, Reputation Damage, External Policy
Violation (PCI) or Material Loss
• SQLite databases, Log Files, Plist Files, XML Data Stores or
Manifest Files, Binary data stores, Cookie stores, SD Card,
Cloud synced
• Do not save data, cryptography

12. 3. Insufficient Transport layer
protection
• Application may not use TLS for all client-server
communication
• Could be hard to exploit
• Identity theft, reputation damage, fraud
• Use TLS and SSL correctly, do not allow unsigned
certificates, additional encryption, avoid mixed SSL sessions

13. 4. Unintended data leakage
• Unintended data leakage occurs when a developer places
sensitive information or data in a location on the mobile
device that is easily accessible by other apps on the device.
• Privacy Violations, PCI Violations, Reputational Damage;
or Fraud.
• The way the OS, frameworks
caches data, images,
key-presses, logging,
and buffers.

14. 5. Poor Authorization and
Authentication
• Usually automated
• Bypass application
• Authorizes with
back-end server
• Poor or missing authentication schemes allow to execute
functionality within the app or backend server used by the
mobile app
• Authentication failure exposes authorization
• Re-enforce authentication on server-side
• Local integrity checks (M10)

15. 6. Broken Cryptography
• Weak encryption algorithms or flaws within the
encryption process
• Unauthorized retrieval of
sensitive information
• The best algorithms don't
matter if you mishandle your
keys.
•Always use modern algorithms that are accepted as strong
by the security community

16. 7. Client Side Injection
• Results in the execution of malicious code on the mobile
device via the mobile app.
• Cross-Application Scripting Attacks
• XML, SQL, code injection, XSS
• Input validation

17. 8. Security Decision via
Unstructured Inputs
• Hidden fields and values or any hidden functionality to
distinguish higher level users from lower level users
• Weak implementation of such functionalities leads to
improper behavior
• Hooking functionality, IPC as an attack vector
• White-list of trusted applications, value validation

18. 9. Improper Session Handling
• Occurs when the session token is unintentionally shared
with the adversary during the transaction
•Failure to Invalidate Sessions on the Backend
•Lack of Adequate Timeout
•Protection
•Failure to Properly Rotate
•Cookies
•Insecure Token Creation
• Adversary can impersonate the user

19. 10. Lack of Binary Protection
• A lack of binary protections results in a mobile app that
can be analyzed, reverse-engineered, and modified by an
adversary in rapid fashion
• Jailbreak Detection Controls;
• Checksum Controls;
• Certificate Pinning Controls;
• Debugger Detection Controls.
• Protection only slows down the adversary

20. OWASP Seraphimdroid
• OWASP Seraphimdroid is an Android app
• Features:
• Privacy protection
• Anti-theft
• Dynamic malicious action protection
• Education and awareness
• Open source

21. OWASP Seraphimdroid
• Development started in 2013 as Lab project
• First version published after Google Summer of Code 2014
• Furquan Ahmed
•3 months full-time student coding
• Google sponsored with $5500
• Added 11 500+ lines of code
• Currently it is Incubator project
• OWASP review board gave it trumps up

22. OWASP Seraphimdroid

23. Conclusion
• You cannot be 100% safe, but you can make it hard –
Defense in Depth
• Avoid storing sensitive data on the device
• If you have to, encrypt with PBE master key encryption
• Use anti-debug and anti-reversing measures
• Clear memory after use
• Test on a Jailbroken or rooted device – see what the bad guys will see
• Know your data, know your platform, know your tools and
use that knowledge to protect your apps

24. Thank you
http://inspiratron.org
nikola.milosevic@owasp.org
@dreadknight011