© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The Mobile Threat Landscape.


1 The Mobile Threat Landscape
Daniel Miessler, Principal Security Architect, HP Fortify
June 2013

2 6 Ways to Build an Insecure Mobile Application
Daniel Miessler, Principal Security Architect, HP Fortify
June 2013

3 Agenda
- Introduction
- Why Mobile Security Matters
- Mobile Security Differences
- Attacker Perspective
- Common Mobile Vulnerabilities
- Takeaways
- Questions

4 Introduction
Daniel Miessler, CISSP, CISA, GCIA
Principal Security Architect, HP Fortify
- 10 years experience doing security testing
- 5 years experience doing appsec testing
- Web Application Vulnerability Assessments
- Mobile Application Vulnerability Assessments
- Application Security Process Development
- Enterprise Security Consulting

5 Why Mobile Security Matters

6 Considerations | Mobile Traffic Increases
- Global mobile data traffic will increase 26-fold between 2010 and 2015
- There will be nearly one mobile device per capita by 2015 (~7 billion)
- Mobile payments will exceed 984 Billion by 2014
Data from Smart Insights, Yankee Group 2012

7 Considerations | Mobile Ubiquity
- Mobile performance is becoming extraordinary
- Using a desktop (static) computer will become increasingly rare
- Home computer will come to mean better input and display options

8 Considerations | Mobile Ubiquity II
- Mobile computing will soon be known as computing
- Computing somewhere other than your mobile device will be the activity that requires a name
- Attackers follow the users

9 Considerations | Mobile Insecurity
- Mobile development is the hottest type of development right now
- New surface area equals dangerous surface area
- If anyone's going to put features over security to get the product out the door, it's likely to be a mobile team
- Many enterprise mobile developers haven't had the security training that other types of developers have had
- Many assume that because mobile back ends aren't visited directly they are more secure (the obscurity assumption)

10 Mobile Security Differences

11 Mobile Security Differences
Q: What's the difference between regular security and mobile security?

12 Mobile Security Differences | Thick-client Testing
Three tiers: Client, Network, Server
Technologies seen across them: ABAP, C/C++, Java, Objective C, Python, VB6, COBOL, Cold Fusion, XML, SQL, ASP.NET, VB.NET, C#, Classic ASP, HTML, Flex, JavaScript/AJAX, JSP, PHP, VBScript

13 Mobile Security Differences | Thick-client Testing: Client
- Credentials in memory
- Credentials on filesystem
- Data stored on filesystem
- Poor cert management

14 Mobile Security Differences | Thick-client Testing: Network
- Cleartext credentials
- Cleartext data
- Backdoor data
- Data leakage

15 Mobile Security Differences | Thick-client Testing: Server
- Injection Flaws
- Authentication
- Session Management
- Access Control
- Logic Flaws

16 Mobile Security Differences
Q: What's the difference between this and mobile?

17 Mobile Security Differences | Mobile Security
The same three tiers, the same technologies, and the same client, network and server issue categories as the thick-client diagram on slides 12 to 15

18 Mobile Security Differences
A: Not much.

19 Mobile Security Differences | Expanded Mobile Risk
Two key differences:
- Magnified network vulnerability: your network traffic is more likely to be visible to others when you are on a mobile device than at work or home
- Magnified physical vulnerability: as with most other types of computer, once the attacker has physical access, it's over

20 Attacker Perspective

21 Much of security comes down to seeing things from a different perspective, and mobile is no different

22 Attacker Perspective | What Users See
- Get the username
- Get the password
- Remember the User
- Get Sales Data
- Edit my account
- Generate Reports

23 Attacker Perspective | What Attackers See
- SQL Injection
- Cross Site Scripting
- Improper Session Handling
- Data Leakage
- Sensitive Information Disclosure
- Weak Server Side Controls
- Client Side Injection
- Insufficient Data Storage

24 Attacker Perspective | What Users See

25 Attacker Perspective | What Attackers See

26 Common Mobile Vulnerabilities, 2013 Edition

27 Common Vulnerabilities | Most Apps Are Vulnerable
- Most high-scrutiny (see: previously hacked) mobile apps are decently secure now, but the next tier down still has many issues
- Evaluating any given application is likely to yield significant vulnerabilities
- The younger and more eager the shop, the higher the chance of issues

28 Common Vulnerabilities | OWASP
Open Web Application Security Project
- Thought leader in web security
- Runs many projects designed to help industry secure their applications: OWASP Top 10, Risk Rating Methodology, Vulnerability Prevention Cheat sheets
- Our team is heading up the Mobile Top

29 OWASP Mobile Top 10 Risks
- M1 – Insecure Data Storage
- M2 – Weak Server Side Controls
- M3 – Insufficient Transport Layer Protection
- M4 – Client Side Injection
- M5 – Poor Authorization and Authentication
- M6 – Improper Session Handling
- M7 – Security Decisions via Untrusted Inputs
- M8 – Side Channel Data Leakage
- M9 – Broken Cryptography
- M10 – Sensitive Information Disclosure

30 Common Vulnerabilities | Real-world Perspective
- Definitely check out the OWASP Top 10, but this is more about what we're seeing in the wild
- We constantly test mobile applications from the top companies in the world, and these are the top categories of issue we find in those applications

31 Common Vulnerabilities | Real-world Results
Case study of 120 mobile applications for a single enterprise customer (results are typical)
66% of applications contained a critical or high vulnerability that either:
- Disclosed 1 or more users' personal data
- Compromised the backend system

32 Common Vulnerabilities | Logic Flaws
Logic flaws are due to faulty developer assumptions, i.e. not thinking like an attacker
- Changing an arbitrary user's password
- Bypassing multi-step authentication
- Free product by skipping the payment step
- Product + refund by submitting a negative number
- Defeating a business limit by entering a high negative number
- Getting a bulk discount on only one item by modifying the cart manually afterwards

33 Common Vulnerabilities | Logic Flaw Defense
Logic flaws are avoided by performing exhaustive vulnerability assessments before going to production
- Fully understand the anticipated flow of the application
- Assume the mind of the attacker
- Identify places that developers likely made assumptions
- Attempt to take advantage of those assumptions
- As a developer, think in terms of abuse vs. just regular use
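The defenses on slides 32 and 33 come down to one rule: the server never trusts the client's arithmetic or the client's ordering of steps. The following is an added example, not code from the presentation or from HP Fortify. It models a hypothetical checkout backend in Python that recomputes every amount from server-held prices and refuses the inputs the slides list: negative quantities (product plus refund), quantities past a business limit, a bulk discount that survives a later cart edit, and fulfilment without the payment step. The SKUs, prices, threshold and limit are constructed for the example.

```python
"""Server-side order rules against the logic flaws on slides 32 and 33 (added example)."""
from dataclasses import dataclass, field

CATALOGUE = {"widget": 1999, "gadget": 4999}   # constructed server-side prices, in cents
BULK_THRESHOLD = 10        # hypothetical rule: 10 or more units earns the discount
BULK_DISCOUNT_PERCENT = 10 # 10 percent off the whole order, integer maths only
MAX_QTY_PER_LINE = 100     # hypothetical business limit per line item


class OrderError(ValueError):
    """Raised for any request that violates the order rules."""


@dataclass
class Order:
    lines: dict = field(default_factory=dict)   # sku -> quantity
    paid: bool = False


def set_line(order, sku, qty):
    """Replace the quantity for a SKU after validating the client's input."""
    if sku not in CATALOGUE:
        raise OrderError(f"unknown sku {sku!r}")
    if not isinstance(qty, int) or isinstance(qty, bool):
        raise OrderError("quantity must be an integer")
    if qty <= 0:
        raise OrderError("quantity must be positive")      # no negative-number refunds
    if qty > MAX_QTY_PER_LINE:
        raise OrderError("quantity exceeds business limit")
    order.lines[sku] = qty
    return order


def total_cents(order):
    """Recompute the total from the cart as it is now; the discount is derived, never stored."""
    subtotal = sum(CATALOGUE[sku] * qty for sku, qty in order.lines.items())
    units = sum(order.lines.values())
    if units >= BULK_THRESHOLD:
        subtotal -= subtotal * BULK_DISCOUNT_PERCENT // 100
    return subtotal


def record_payment(order, amount_cents):
    """Payment step: the amount charged must equal the server's own total."""
    if amount_cents != total_cents(order):
        raise OrderError("payment amount does not match order total")
    order.paid = True
    return order


def fulfil(order):
    """Fulfilment re-checks the payment flag, so the payment step cannot be skipped."""
    if not order.paid:
        raise OrderError("order has not been paid")
    return total_cents(order)


def rejects(fn, *args):
    """True if the call is refused with OrderError (used by the checks below)."""
    try:
        fn(*args)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    order = set_line(Order(), "widget", 10)
    print("10 widgets with bulk discount:", total_cents(order))
    set_line(order, "widget", 1)                     # cart edited after the discount
    print("1 widget, discount recomputed away:", total_cents(order))
    print("negative quantity rejected:", rejects(set_line, order, "widget", -3))
    print("fulfilment before payment rejected:", rejects(fulfil, order))
```

The design point is that no step stores a result an earlier step computed: the total is re-derived on every call, and the payment and fulfilment steps each verify the state they depend on instead of assuming the client went through the flow in order.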

34 Common Vulnerabilities | Poor TLS Implementations
Many mobile developers are allowing SSL communication with any host
- Trusting any certificate it sees
- Allows expired certificates
- Allows trivial MiTM attacks
- Can connect to HTTPS once, and then fall back
- Once in the middle, attackers can model your app's functionality en route to breaking it

35 Common Vulnerabilities | Poor TLS Implementation
TLS protection has multiple levels of security
- Ensure HTTPS is always enabled
- Attempt to match the name of the remote certificate
- Certificate pinning*
- Recognize that nothing is fool-proof, and adjust according to your app's specific needs
* Remember that pinning was a defense against compromised CAs, not against MiTM
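Slides 34 and 35 describe the client configuration that accepts any certificate, and the layered fixes. The following is an added example, not code from the presentation, written with Python's standard ssl module rather than the iOS networking APIs so that it runs anywhere: it contrasts the "trust any certificate" context with a hardened one (chain and expiry validated, certificate name matched to the host, no protocol downgrade), adds an audit function that reports which of those checks a context lacks, a certificate-pinning check layered on top of chain validation, and a refusal to fall back to a plain-http URL. The pin format (base64 of SHA-256 over the DER certificate) and the sample certificate bytes are constructed for the example.

```python
"""TLS client checks for the failure modes on slides 34 and 35 (added example)."""
import base64
import hashlib
import ssl


def permissive_context():
    """The anti-pattern: accepts any certificate from any host, expired or not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no name match against the certificate
    ctx.verify_mode = ssl.CERT_NONE   # no chain, CA or expiry validation at all
    return ctx


def hardened_context():
    """Chain validated against the platform trust store, name match required."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse downgraded protocol versions
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise against a client SSLContext."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("trusts any certificate (self-signed, wrong CA, expired)")
    if not ctx.check_hostname:
        findings.append("does not match the certificate name to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    return findings


def cert_pin(der_bytes):
    """Pin value = base64(SHA-256(DER certificate)); a format chosen for this example."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


def pin_matches(der_bytes, pins):
    """Pinning is checked after normal chain validation succeeds, never instead of it."""
    return cert_pin(der_bytes) in set(pins)


def is_https(url):
    """'Ensure HTTPS is always enabled': never fall back to a plaintext URL."""
    return url.lower().startswith("https://")


# Constructed stand-in for a DER-encoded leaf certificate (not a real certificate).
SAMPLE_LEAF_DER = b"constructed-example-leaf-certificate-bytes"
PINNED = {cert_pin(SAMPLE_LEAF_DER)}

if __name__ == "__main__":
    print("permissive context findings:", audit_context(permissive_context()))
    print("hardened context findings:", audit_context(hardened_context()))
    print("pinned leaf accepted:", pin_matches(SAMPLE_LEAF_DER, PINNED))
    print("other leaf rejected:", not pin_matches(b"some-other-certificate", PINNED))
    print("plain http refused:", not is_https("http://api.example.test/login"))
```

In a real client the DER bytes passed to pin_matches come from the peer certificate of an already-validated connection (getpeercert(binary_form=True) in Python). That ordering is the point of the slide's footnote: pinning narrows which validly-chained certificate is acceptable, which defends against a mis-issued certificate from a compromised CA; it does nothing for a client that skipped validation in the first place.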

36 Common Vulnerabilities | Promiscuous Client-side Storage
Perhaps the most abused functionality is client-side storage
- Storage of credentials in plist files, SQLite databases
- Failure to use KeyChain to store credentials
- Storage of sensitive application data on filesystem
- Apps (e.g.: banks) storing their images in the public folder rather than in their sandbox
- Applications logging to the system log, but sending sensitive app data along with it

37 Common Vulnerabilities | Promiscuous Client-side Storage
- Be cautious of anything you save anywhere, including on the client-side
- Ensure you're using the platform-recommended solution to store credentials
- Ensure you are storing everything from your app into the app sandbox so it cannot be read by other applications
- Check all logging functionality and note what you're sending
- Observe your log files within the Xcode log viewer and ensure you are not storing anything sensitive

38 Common Vulnerabilities | Promiscuous Client-side Storage
Q: What data on your iOS device is protected by the built-in encryption, i.e. the passcode?

39 Common Vulnerabilities | Promiscuous Client-side Storage
A: By default, only and texts. In other words, most application data being stored on an iOS device is available to anyone who steals your phone, even if it is locked and has a passcode.

40 DEMO
- Corporate issued iPhone
- Latest software (6.1.4)
- Not jailbroken
- Locked
- With passcode

41 Common Vulnerabilities | Promiscuous Client-side Storage
- Be cautious of anything you save anywhere, including on the client-side
- Ensure you're using the platform-recommended solution to store credentials
- Ensure you use the Data Protection API to store any sensitive data; it will not be protected by default (see NSFileProtectionComplete in the developer documentation)
- Ensure you are storing everything from your app into the app sandbox so it cannot be read by other applications
- Check all logging functionality and note what you're sending
- Observe your log files within the Xcode log viewer and ensure you are not storing anything sensitive
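Slides 36 to 41 list logging to the shared system log as one of the storage leaks, and "check all logging functionality and note what you're sending" as the fix. The following is an added example, not code from the presentation, showing one way to make that check mechanical: a logging.Filter that rewrites credential and session values and card-like numbers out of every record before any handler writes it, so a developer's debug line cannot carry a password into a log another process can read. The key names, patterns and sample messages are constructed for the example; an iOS app would apply the same scrubbing in front of NSLog, but Python's logging module is used here so the example runs anywhere.

```python
"""Scrub sensitive values from log lines before they reach the system log (added example)."""
import logging
import re

# Field names whose values must never appear in a log line (constructed list).
SENSITIVE_KEYS = ("password", "passwd", "token", "session", "authorization", "secret")

# Matches key=value, key: value and JSON-style "key": "value" forms.
KEY_VALUE_RE = re.compile(
    r'(?i)\b(' + "|".join(SENSITIVE_KEYS) + r')\b("?\s*[=:]\s*)("?)([^\s,;"]+)("?)')

# 13 to 19 digit runs, optionally separated by spaces or dashes, cover common card formats.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact(text):
    """Return the message with secret values and card numbers replaced."""
    text = KEY_VALUE_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]{m.group(5)}", text)
    return CARD_RE.sub("[CARD]", text)


class RedactingFilter(logging.Filter):
    """Rewrites the record in place so every handler downstream sees the clean copy."""

    def filter(self, record):
        record.msg = redact(record.getMessage())   # format the %-args first, then scrub
        record.args = ()
        return True


def scrub_record(msg, *args):
    """Build a LogRecord the way logging does, run the filter, return the final text."""
    record = logging.LogRecord("app", logging.INFO, "app", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def build_logger(name="app"):
    """A logger whose output is scrubbed before it reaches the system log handler."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())   # logger-level filters run before any handler
    return logger


if __name__ == "__main__":
    log = build_logger()
    log.info("login user=%s password=%s", "alice", "hunter2")
    log.info('{"token": "abc123", "id": 7}')
    log.info("charge card 4111 1111 1111 1111 amount=12.50")
```

Header-style values that contain spaces ("Authorization: Bearer abc") need a wider value pattern than the one above, and any scrubbing filter is a backstop for the review the slide asks for, not a replacement: the first fix is still not to log the value at all.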

42 Common Vulnerabilities | Failure to Harden Binaries
There are a number of binary defenses that developers are not implementing
- ASLR / PIE (memory randomization)
- Stack Smashing Protection Enabled (Canary-based)
- Automatic Reference Counting (memory resources)
- Binary debug not disabled
- User path information disclosure

43 Common Vulnerabilities | Failure to Harden Binaries
- Use all defenses possible to harden your binaries before release
- While some are not critical security issues, they can still have an impact on the overall quality of your application
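Slides 42 and 43 list the binary defenses to verify before release. The following is an added example, not code from the presentation, of a release check a build pipeline could run over the app binary: it reads the Mach-O header to see whether the PIE flag (ASLR for the main image) is set, scans for the symbol names that stack-smashing protection and Automatic Reference Counting leave behind, and reports embedded /Users/ build paths (the user path disclosure item). This is the same information otool -hv and otool -Iv show on a Mac. The binaries built below are constructed stand-ins, not real apps, and the symbol-name checks are heuristics, so treat a negative result as a prompt to look with the real tools.

```python
"""Hardening checks over a Mach-O binary for slides 42 and 43 (added example)."""
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O, little-endian
MH_PIE = 0x200000           # header flag: image may be loaded at a random address
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags: same offsets for both widths
HEADER_FMT = "<IiiIIII"


def parse_header_flags(data):
    """Return the flags word of a thin little-endian Mach-O header."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for a Mach-O header")
    magic, _cpu, _sub, _ftype, _ncmds, _size, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        # 0xCAFEBABE (big-endian) would be a fat binary: slice out one architecture first
        raise ValueError(f"not a thin little-endian Mach-O file (magic {magic:#x})")
    return flags


def has_pie(data):
    return bool(parse_header_flags(data) & MH_PIE)


def has_stack_canary(data):
    """Heuristic: -fstack-protector references ___stack_chk_guard / ___stack_chk_fail."""
    return b"___stack_chk_guard" in data or b"___stack_chk_fail" in data


def uses_arc(data):
    """Heuristic: ARC-compiled Objective-C imports the objc_retain/objc_release runtime calls."""
    return b"_objc_retain" in data and b"_objc_release" in data


def leaked_user_paths(data):
    """Absolute build paths embedded in the binary, e.g. via __FILE__ in assert macros."""
    paths = set()
    start = 0
    while True:
        idx = data.find(b"/Users/", start)
        if idx < 0:
            return sorted(paths)
        end = idx
        while end < len(data) and 0x20 < data[end] < 0x7F:   # printable, non-space run
            end += 1
        paths.add(data[idx:end].decode("ascii"))
        start = end


def hardening_report(data):
    return {
        "pie": has_pie(data),
        "stack_canary": has_stack_canary(data),
        "arc": uses_arc(data),
        "user_paths": leaked_user_paths(data),
    }


def make_sample(pie=True, canary=True, arc=True, user_path=False):
    """Constructed arm64 executable header followed by a fake symbol/string table."""
    flags = MH_PIE if pie else 0
    header = struct.pack(HEADER_FMT + "I", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, 0, 0, flags, 0)   # trailing I = reserved field
    symbols = [b"__mh_execute_header", b"_main", b"_NSLog"]
    if canary:
        symbols += [b"___stack_chk_guard", b"___stack_chk_fail"]
    if arc:
        symbols += [b"_objc_retain", b"_objc_release"]
    if user_path:
        symbols.append(b"/Users/dev/Projects/ExampleApp/Login.m")   # constructed path
    return header + b"\0".join(symbols) + b"\0"


if __name__ == "__main__":
    print("hardened build:", hardening_report(make_sample()))
    print("unhardened build:", hardening_report(make_sample(False, False, False, True)))
```

To run it on a real app, read the executable inside the .app bundle into bytes and pass it to hardening_report; a universal (fat) binary has to be split into its per-architecture slices first, since only the thin header carries the flags.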

44 Common Vulnerabilities | Privacy Violations
Many applications violate privacy without developers being aware
- Does the application access GeoLocation data?
- Does the application access your Address Book?
- Does the application access your Photos?
- If so, what is your app doing with this data?
- Does your application use analytics engines? If so, what does it send there? (UUID, app data?)

45 Common Vulnerabilities | Privacy Violations
- Go with an absolute least-privilege approach
- Don't access any data that could be considered private if you don't need it
- There are applications out there that can evaluate what a given binary accesses (AppAuthority, HP Risker)

46 Common Vulnerabilities | Assumption of Web Obscurity
A massive number of applications we see and compromise are compromised due to backend vulnerabilities
- Promiscuous web services
- Full SQL statements right in web service calls (saved money on MSSQL Server Manager)
- Blatant SQLi, XSS, CSRF, File Includes, etc.
- Many developers assume "who's coming here?"
- The datastores are often shared! Shared hosting means compromise of multiple customers

47 Common Vulnerabilities | Assumption of Web Obscurity
- Harden your web backend as if the mobile app didn't even exist
- Remember how easy it is to MiTM a mobile app
- Assume everyone can see your traffic; this means they can see all the paths and parameters for your backend
- Assume attackers will come knocking
- Consider the risks of shared hosting, as others might not be taking these steps, even if you did
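Slides 46 and 47 make the point that a backend only the app "knows about" still receives requests from anyone who has watched the traffic, so it needs the same controls as any web service. The following is an added example, not code from the presentation: a hypothetical sales-report endpoint written two ways over an in-memory SQLite database, the string-concatenated SQL that the slide's "blatant SQLi" refers to beside the parameterised version that binds the client's value, plus the server-side session check that the hidden-backend assumption tends to leave out. The table, the session token and the user are constructed for the example.

```python
"""Backend hardening for the web obscurity assumption on slides 46 and 47 (added example)."""
import sqlite3


def setup_db():
    """Constructed sales table standing in for the backend datastore."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales (id INTEGER PRIMARY KEY, region TEXT, amount INTEGER);
        INSERT INTO sales (region, amount) VALUES ('east', 100), ('west', 250), ('east', 75);
    """)
    return conn


def report_unsafe(conn, region):
    """Anti-pattern: the client's string becomes part of the SQL text."""
    sql = f"SELECT COALESCE(SUM(amount), 0) FROM sales WHERE region = '{region}'"
    return conn.execute(sql).fetchone()[0]


def report_safe(conn, region):
    """Bound parameter: the database receives the value as data, never as SQL."""
    sql = "SELECT COALESCE(SUM(amount), 0) FROM sales WHERE region = ?"
    return conn.execute(sql, (region,)).fetchone()[0]


# Constructed session store: token -> user. Issued at login, checked on every request.
SESSIONS = {"tok-constructed-alice": "alice"}


def handle_report_request(conn, token, region):
    """What the backend does per call: authenticate first, then run the bound query."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("no valid session")   # the app being 'hidden' is not a check
    return {"user": user, "region": region, "total": report_safe(conn, region)}


def rejects(fn, *args):
    """True if the request is refused with PermissionError (used by the checks below)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    probe = "east' OR '1'='1"     # the classic tautology the slide's "blatant SQLi" means
    print("east total (unsafe):", report_unsafe(db, "east"))
    print("probe via unsafe query sums every region:", report_unsafe(db, probe))
    print("probe via bound query matches nothing:", report_safe(db, probe))
    print("request without a session refused:", rejects(handle_report_request, db, "bogus", "east"))
    print("request with a session:", handle_report_request(db, "tok-constructed-alice", "east"))
```

The bound query treats the whole string as a region name that does not exist and returns 0, while the concatenated one sums every row; the session check sits in front of both so that knowing the endpoint's path and parameters, which the slide says to assume every observer knows, is not enough to call it.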

48 Takeaways

49 It's an interesting time for mobile security
- Everyone's heading to mobile, and the attackers are following
- Mobile is on the leading edge of development, so mobile projects are especially susceptible to security shortcuts
- Most non-scrutinized applications have major vulnerabilities that are easily found

50 Takeaways
- Think like an attacker and follow some basic steps to help you evaluate your own applications without much cost
- Assume the attacker has access to the device and visibility of all traffic going to and from the server, and code accordingly (learn from cryptography)
- As part of a threat modeling step, track your sensitive data through your app, from user to device to network to server; see where it's vulnerable
- Don't store PII if you don't have to

51 Takeaways
- Remember that you must explicitly use the Data Protection APIs, otherwise your data will still be available to a thief
- Don't be intimidated by mobile security; the fundamentals are the same
- Use industry-tested methods for implementing security; be extremely wary of DIY solutions for input validation, encryption, authentication, etc.
- Take advantage of the resources available to help you, e.g.: platform secure coding guides, OWASP, etc.

52 Takeaways | Resources
- iOS Security Guide: _Oct12.pdf
- Android Security Guide
- OWASP Mobile Top 10: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
- OWASP iOS Developer Cheat sheet: https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

53 Thank You
