© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Mobile Malfeasance: Exploring Dangerous Mobile Code
Jason Haddix, Director of Penetration Testing
About the Presenter
• Director of Penetration Testing at HP Fortify on Demand.
• Previously worked in HP's Professional Services as a security consultant, and as an engineer & pen tester for RedSpin, Citrix, etc.
• Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, Hakin9 magazine, Nmap, Nessus, etc.
About FoD Mobile
Mobile Trends and Threats | Adoption
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• Two-thirds of the world’s mobile data traffic will be video by 2015
• There will be nearly one mobile device per capita by 2015 (~6 billion)
New Devices
(diagram: the device OS and its server connection)
Same Old Story
(diagram: browser and server)
Same Old Server
(diagram labels: Security Services, Operations Software, Information)
Mobile Application Security Challenges
• Difficult to train and retain staff; very difficult to keep skills up-to-date
• Constantly changing environment
• New attacks constantly emerge
• Compliance requirements
• Too many tools for various results
• Apps are getting launched on a daily basis with Security not being involved
• Junior developers are typically the ones creating the apps
How you see your world
• Get the username
• Get the password
• Remember the user
• Get sales data
• Edit my account
• Generate reports
How an attacker sees your world
• SQL Injection
• Cross Site Scripting
• Improper Session Handling
• Data Leakage
• Sensitive Information Disclosure
• Weak Server Side Controls
• Client Side Injection
• Insecure Data Storage
OWASP Mobile Top 10 Risks
M1 – Insecure Data Storage
M2 – Weak Server Side Controls
M3 – Insufficient Transport Layer Protection
M4 – Client Side Injection
M5 – Poor Authorization and Authentication
M6 – Improper Session Handling
M7 – Security Decisions via Untrusted Inputs
M8 – Side Channel Data Leakage
M9 – Broken Cryptography
M10 – Sensitive Information Disclosure
OWASP Mobile Top 10 Risks: M1–M5, what we actually find
M1 – Insecure Data Storage: SQLite databases, logging, plist files, manifest files, binary data stores, SD card storage
M2 – Weak Server Side Controls: EVERYTHING in the OWASP (web) Top 10
M3 – Insufficient Transport Layer Protection: insecure SSL encryption; unsigned certificates and unenforced certificate validation
M4 – Client Side Injection: SQLite injection, XSS via WebView, LFI
M5 – Poor Authorization and Authentication: poor password complexity; account disclosure via login or forgot-password responses
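The M1 findings above (SQLite databases and plist files sitting in the app sandbox) are what a file-system analysis pass actually reads. The following is an added example, not code from the presentation or from Fortify on Demand: a small Python scanner that walks an extracted app sandbox, opens every SQLite database and plist it finds, and reports any non-empty value stored under a column or key whose name suggests a credential or token. The sandbox it scans is constructed inside build_sample_sandbox() purely as sample input; the file names, table names and values there are invented for illustration.

```python
import os
import re
import sqlite3
import plistlib
import tempfile

# Column or key names that should never hold a plaintext value on the device.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|session|card", re.I)


def scan_sqlite(path):
    """Return (kind, file, table.column, value) for every non-empty value stored
    under a sensitive-looking column in any table of the database."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            q = table.replace('"', '""')  # identifier quoting, not a value binding
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{q}")')]
            hits = [c for c in cols if SENSITIVE_NAME.search(c)]
            if not hits:
                continue
            select = ", ".join('"' + c.replace('"', '""') + '"' for c in hits)
            for row in con.execute(f'SELECT {select} FROM "{q}"'):
                for col, val in zip(hits, row):
                    if val not in (None, ""):
                        findings.append(("sqlite", os.path.basename(path),
                                         f"{table}.{col}", str(val)))
    finally:
        con.close()
    return findings


def scan_plist(path):
    """Walk a plist (NSUserDefaults and friends) and report sensitive-looking keys."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    findings = []

    def walk(node, keypath):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{keypath}.{k}" if keypath else str(k))
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{keypath}[{i}]")
        else:
            leaf = keypath.rsplit(".", 1)[-1]
            if SENSITIVE_NAME.search(leaf) and node not in (None, ""):
                findings.append(("plist", os.path.basename(path), keypath, str(node)))

    walk(data, "")
    return findings


def scan_sandbox(root):
    """Recurse through an extracted app sandbox and aggregate findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name.endswith((".db", ".sqlite", ".sqlite3")):
                findings.extend(scan_sqlite(p))
            elif name.endswith(".plist"):
                findings.extend(scan_plist(p))
    return findings


def build_sample_sandbox():
    """Constructed sample input (not real app data): a careless banking app that
    keeps the password in SQLite and a session token plus API key in a plist."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    con = sqlite3.connect(os.path.join(root, "Documents", "accounts.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT, balance REAL)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'Summer2012!', 1500.25)")
    con.execute("CREATE TABLE cache (url TEXT, body TEXT)")
    con.execute("INSERT INTO cache VALUES ('/api/sales', '{}')")
    con.commit()
    con.close()
    with open(os.path.join(root, "Library", "Preferences", "com.example.bank.plist"), "wb") as f:
        plistlib.dump({"rememberMe": True, "username": "alice",
                       "sessionToken": "c2Vzc2lvbi1hbGljZQ==",
                       "apiKey": "sample-api-key-0001"}, f)
    return root


if __name__ == "__main__":
    for finding in scan_sandbox(build_sample_sandbox()):
        print(finding)
```

Run it against a real sandbox by pointing scan_sandbox() at the directory you pulled from a jailbroken device or an Android backup; every finding it prints is a value that a device thief or a backup-reading attacker gets for free, which is the M1 argument in one screen of output.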
OWASP Mobile Top 10 Risks: M6–M10, what we actually find
M6 – Improper Session Handling: indefinite sessions; weak cookie "hashing"; home-rolled session management; using the phone ID as part of the session
M7 – Security Decisions via Untrusted Inputs: inter-process communication, Android intents, iOS URL schemes
M8 – Side Channel Data Leakage: keystroke logging, screenshot caching, logs, temp files
M9 – Broken Cryptography: bad crypto; encoding/obfuscation/serialization != encryption
M10 – Sensitive Information Disclosure: hardcoded secrets! API keys, server-side database passwords, etc.
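The M6 items above (home-rolled session management, the phone ID folded into the session, sessions that never end) are easiest to see side by side. The following is an added example, not code from the presentation or from Fortify on Demand: a Python sketch of the anti-pattern, a token computed statelessly from the UDID and username, next to a server-side session store that issues opaque random tokens with a fixed lifetime and explicit revocation. The class names, the MD5 recipe and the UDID value are hypothetical and chosen for illustration.

```python
import hashlib
import secrets
import time


class HomeRolledSessions:
    """The anti-pattern: the session token is MD5(UDID + username), recomputed on
    every request. With no server-side store the token never expires and cannot be
    revoked (M6), and the UDID is not a secret: it leaks to ad networks, logs and
    other apps (M8), so the token is forgeable by anyone who has it."""

    def issue(self, udid, username):
        return hashlib.md5(f"{udid}|{username}".encode()).hexdigest()

    def validate(self, token, udid, username):
        # Equality against a recomputed value: whoever knows udid and username wins.
        return token == self.issue(udid, username)


def forge_home_rolled_token(udid, username):
    """Attacker side. Nothing secret goes into the token, so this is byte-for-byte
    the server's own computation; a leaked UDID and a guessed username suffice."""
    return hashlib.md5(f"{udid}|{username}".encode()).hexdigest()


class ServerSessions:
    """Server-side session store: opaque random token, fixed lifetime, revocation."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._store = {}  # token -> (username, expires_at)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG; carries no information about user or device.
        token = secrets.token_urlsafe(32)
        self._store[token] = (username, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Return the username bound to a live token, or None."""
        now = time.time() if now is None else now
        entry = self._store.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._store[token]  # expired tokens are forgotten, never extended
            return None
        return username

    def revoke(self, token):
        """Logout or compromise response: the token stops working immediately."""
        self._store.pop(token, None)


if __name__ == "__main__":
    weak = HomeRolledSessions()
    udid, user = "e3a1b2c4d5e6f708", "alice"  # hypothetical device id and account
    print("forged token accepted:",
          weak.validate(forge_home_rolled_token(udid, user), udid, user))
    good = ServerSessions(ttl_seconds=60)
    tok = good.issue(user, now=1000.0)
    print("valid at t+30:", good.validate(tok, now=1030.0))
    print("valid at t+60:", good.validate(tok, now=1060.0))
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in production the defaults use the wall clock. Token lookup is a dictionary hit on a 256-bit random string, so there is nothing for an attacker to predict or recompute, and the store, not the client, decides when a session ends.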
Case Study #1
(chart: vulnerability count by severity: Critical, High, Medium, Low, Informational)
• Case study of 120 mobile applications for 1 enterprise client
• 234 vulnerabilities
• 66% of applications contained a critical or high vulnerability that:
  • Disclosed 1 or more users' personal data
  • Exposed multiple users' personal data
  • Compromised the application's server
Vulnerabilities by OWASP Mobile Top 10 Category
(chart: vulnerability count per category, M1 through M10 plus Other)
M1: Insecure Data Storage; M2: Weak Server Side Controls; M3: Insufficient Transport Layer Protection; M4: Client Side Injection; M5: Poor Authorization and Authentication; M6: Improper Session Handling; M7: Security Decisions via Untrusted Inputs; M8: Side Channel Data Leakage; M9: Broken Cryptography; M10: Sensitive Information Disclosure
Other?
• Poor code quality and application hardening
  • Unreleased resources
  • No ASLR or memory management frameworks enabled
• Privacy leaks
  • UUID, Wi-Fi, device names, geolocations, etc., leaked to ad agencies
Banking Case Study
Mobile SDLC Security Foundations – Mobile Applications
(diagram: SDLC phases Plan, Requirements, Architecture & Design, Build, Test, Production, with the security activities below laid across them)
• Mobile Security Development Standards
• Application Specific Threat Modeling and Analysis
• Mobile Secure Coding Training
• Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
• Threat Modeling CBT for Developers
• Mobile Secure Coding Standards Wiki
• Mobile Risk Dictionary
• Mobile Firewall
• Mobile Security Policies
• Static Analysis
• MDM
How do we get started?
1. Find your published apps
2. Threat model them based on the information they handle
3. Assess and fix published apps
4. Give resources to developers to write secure code
Threat Modeling a Mobile App
Identify business objectives:
• Identify the data the application will use
  • PII vs. non-PII
  • Credentials & access
  • Where is it stored?
  • Payment information?
Types of data at risk with a mobile app:
• Usernames & passwords
• UDID
• Geolocation/address/zip
• DoB
• Device name
• Network connection name
• Credit card data or account data
• Updates to social media
• Chat logs
• Cookies
• Etc…
Mobile Methodology
(diagram: three targets, Web Application, Network and Client Application, each covered by Static Analysis and Dynamic Analysis)
Mobile Assessment
• Application Mapping: Platform Mapping, Application Architecture, Understanding the App, Data Flow Mapping
• Client Attacks: Binary Analysis, File System Analysis, Memory Analysis, Runtime Hacking, Privacy Leaks, Insecure API, Sensitive File Artifacts, Weak Encryption
• Network Attacks: TCP Attacks, Plaintext Traffic
• Server Attacks: Web Attacks, Buffer Overflows, SQLi, XSS
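Binary analysis in the Client Attacks column above is where the M10 hardcoded secrets (API keys, server-side database passwords) turn up, usually in the output of `strings` or a decompiler. The following is an added example, not code from the presentation or from Fortify on Demand: a Python triage pass over such a dump that flags connection strings, keyword-labelled credentials, and otherwise unlabelled high-entropy constants. The input in SAMPLE_STRINGS is constructed to look like a strings dump of a sales app and contains no real keys; the entropy threshold of 4.5 bits per character is an assumption tuned so that JVM class descriptors (around 4.2) stay quiet while 32-character random keys (5.0) are reported.

```python
import math
import re

# Order matters: a connection string also contains "password=", so test it first.
CONN_STRING = re.compile(
    r"(?i)\b(jdbc:[a-z0-9]+://|mongodb://|mysql://|postgres(?:ql)?://)[^\s\"']+")
KEYWORD = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"
    r"\s*[:=]\s*[\"']?([^\s\"';]+)")
# Anything long enough and drawn from the base64/hex/identifier alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")

# Constructed sample input: what `strings` might print for an Android app binary.
SAMPLE_STRINGS = """\
Landroid/app/Activity;
http://api.example.com/v1/sales
db_password=Pr0duct10n!
jdbc:mysql://db.internal.example.com:3306/sales?user=app&password=letmein
Remember me
apiKey = "sk_sample_9v8XhQ2LmPzT4wR6bY1nC3dF5gH7jK0a"
const-string v0, "Q2dUz7sP9xK3mN8vB1yT5wL0aR4eH6jF"
Lcom/example/sales/LoginActivity;
GET /api/v1/report
""".splitlines()


def shannon_entropy(s):
    """Bits per character; random key material scores well above code and text."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines, entropy_threshold=4.5):
    """Classify each line of a strings dump. Returns (kind, line_no, label, value)."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = CONN_STRING.search(line)
        if m:
            findings.append(("connection-string", line_no, m.group(1), m.group(0)))
            continue
        m = KEYWORD.search(line)
        if m:
            findings.append(("keyword", line_no, m.group(1), m.group(2)))
            continue
        for cand in CANDIDATE.findall(line):
            # Class descriptors such as Lcom/example/Foo score about 4.2 bits/char,
            # so the 4.5 cut-off (an assumption) keeps them out of the report.
            if shannon_entropy(cand) >= entropy_threshold:
                findings.append(("high-entropy", line_no, None, cand))
    return findings


if __name__ == "__main__":
    for kind, line_no, label, value in scan_strings(SAMPLE_STRINGS):
        print(f"line {line_no}: {kind} {label or ''} -> {value}")
```

Feed it `strings -n 8 classes.dex` or the output of a decompiler and read the keyword and connection-string hits first; the high-entropy bucket is noisier and needs a human to decide whether a constant is a key, a hash, or just a long identifier.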
Other Resources
Fortify On Demand's Mobile Application Security Risks, Controls, and Procedures Document
Android & iOS Security Checklists
• Fortify's 7 Ways to Hang Yourself with Android Presentation
• Fortify on Demand's iOS Penetration Testing Presentation
• Fortify's VulnCAT
Other Resources for QA, Security Managers, and Devs
• OWASP Top 10 Mobile Risks Page
• OWASP iOS Developer Cheat Sheet
• Google Android Developer Security Topics 1
• Google Android Developer Security Topics 2
• Apple's Introduction to Secure Coding
Parting Thoughts
• Remember that mobile sites face the Internet as well; obscurity != security
• Start with risk profiling and exposure (deployed apps)
• Give developers guidance and resources
• Don't store it (PII) at all if you don't need to
• If you have a 3rd-party dev team, deploy a contract that enforces coding based on secure mobile dev standards
• Mobile Device Management (MDM) is not a substitute for secure code
• Finally, don't be intimidated by "mobile"; the same fundamentals are still in play
Thank you