Mobile Malfeasance: Exploring Dangerous Mobile Code
Jason Haddix, Director of Penetration Testing
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


Page 1: HP Angle Light 16x9 EB Green - SANS Malfeasance... · Hakin9 magazine, Nmap, Nessus, Etc… About the Presenter . About FoD Mobile . ... HP_Angle_Light_16x9_EB Green Author: Enterprise


Page 2: About the Presenter

• Director of Penetration Testing at HP Fortify on Demand.
• Previously worked in HP's Professional Services as a security consultant, and as an engineer and pen tester for RedSpin, Citrix, etc.
• Frequent attendee, presenter, and CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, Hakin9 magazine, Nmap, Nessus, etc.

Page 3: About FoD Mobile

Page 4: Mobile Trends and Threats | Adoption

• Global mobile data traffic will increase 26-fold between 2010 and 2015

• Two-thirds of the world’s mobile data traffic will be video by 2015

• There will be nearly one mobile device per capita by 2015 (~6 billion)

Page 5:

Page 6: New Devices

(diagram: device OS and its server connection)

Page 7: Same Old Story

(diagram: browser talking to server)

Page 8: Same Old Server

(diagram: Security Services, Operations Software, Information)

Page 9: Mobile Application Security Challenges

• Difficult to train and retain staff; very difficult to keep skills up to date
• Constantly changing environment
• New attacks constantly emerge
• Compliance requirements
• Too many tools for various results
• Apps are getting launched on a daily basis with Security not being involved.
• Junior developers are typically the ones creating the apps.

Page 10: How you see your world

Get the username

Get the password

Remember the User

Get Sales Data

Edit my account

Generate Reports

Page 11: How an attacker sees your world

SQL Injection

Cross Site Scripting

Improper Session Handling

Data Leakage

Sensitive Information Disclosure

Weak Server Side Controls

Client Side Injection

Insecure Data Storage

Page 12: OWASP Mobile Top 10 Risks

M1 – Insecure Data Storage
M2 – Weak Server Side Controls
M3 – Insufficient Transport Layer Protection
M4 – Client Side Injection
M5 – Poor Authorization and Authentication
M6 – Improper Session Handling
M7 – Security Decisions via Untrusted Inputs
M8 – Side Channel Data Leakage
M9 – Broken Cryptography
M10 – Sensitive Information Disclosure

Page 13: OWASP Mobile Top 10 Risks (what M1 to M5 look like in practice)

M1 – Insecure Data Storage: SQLite, logging, plist files, manifest files, binary data stores, SD card storage
M2 – Weak Server Side Controls: EVERYTHING in the OWASP Top 10
M3 – Insufficient Transport Layer Protection: insecure SSL, weak encryption, unsigned certificates accepted and certificate validation not enforced
M4 – Client Side Injection: SQLite injection, XSS via WebView, LFI
M5 – Poor Authorization and Authentication: poor password complexity, account disclosure via login or forgot-password
M6 – Improper Session Handling
M7 – Security Decisions via Untrusted Inputs
M8 – Side Channel Data Leakage
M9 – Broken Cryptography
M10 – Sensitive Information Disclosure
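The M1 and M4 call-outs above usually turn up together on the same device-local SQLite file. The following is an added example, not code from the deck or from Fortify on Demand: a constructed stand-in for an app that caches credentials in plaintext and looks them up by string concatenation, next to the parameterised lookup and salted-hash storage that close both findings. The `users` table, the sample accounts and the `dump_all_rows` helper (what a tester does once the `.db` has been pulled off the device) are all invented for the example.

```python
"""Added example (not from the slide deck): M1 plaintext credential
storage plus M4 client-side SQLite injection on one local database,
and the hardened equivalents. All names and data are constructed."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows: what a vulnerable app writes to its SQLite cache.
SAMPLE_USERS = [
    ("alice", "Summer2012!", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]


def build_vulnerable_db() -> sqlite3.Connection:
    """M1: credentials cached in plaintext in the app's private SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """M4: client-side SQLite injection via string concatenation."""
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised statement: the input can never change the query shape."""
    return conn.execute(
        "SELECT name, password FROM users WHERE name = ?", (name,)
    ).fetchall()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash instead of the plaintext (fixes the M1 finding)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def dump_all_rows(conn: sqlite3.Connection) -> list:
    """File system analysis: once the .db is off the device every table is
    readable with no authentication at all, so plaintext rows are the finding."""
    rows = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        rows.extend(conn.execute(f'SELECT * FROM "{table}"').fetchall())
    return rows


if __name__ == "__main__":
    db = build_vulnerable_db()
    # Injection payload: closes the quoted literal and adds an always-true clause.
    payload = "x' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, payload))  # every user's password
    print("safe:      ", safe_lookup(db, payload))        # no rows
    print("pulled db: ", dump_all_rows(db))
```

Note that the parameterised query fixes the injection but not the storage finding: a tester with the file still reads every password, which is why the hash-and-verify pair is the part that actually addresses M1.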

Page 14: OWASP Mobile Top 10 Risks (what M6 to M10 look like in practice)

M1 – Insecure Data Storage
M2 – Weak Server Side Controls
M3 – Insufficient Transport Layer Protection
M4 – Client Side Injection
M5 – Poor Authorization and Authentication
M6 – Improper Session Handling: indefinite sessions, weak cookie "hashing", home-rolled session management, using phone ID as part of the session
M7 – Security Decisions via Untrusted Inputs: inter-process communication, Android intents, iOS URL schemes
M8 – Side Channel Data Leakage: keystroke logging, screenshot caching, logs, temp files
M9 – Broken Cryptography: bad crypto; encoding/obfuscation/serialization != encryption
M10 – Sensitive Information Disclosure: hardcoded secrets! API keys, server-side database passwords, etc.
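The M6 call-outs ("home rolled session management", "using phone ID as part of session", "indefinite sessions") describe one pattern: a token the client can recompute from values that also leak elsewhere on the device (the M8 and privacy-leak slides). The following is an added example, not code from the deck or from Fortify on Demand. The device-ID format, the username and the `SessionStore` class are constructed for the example; the point is that a token derived from leaked inputs is forgeable by anyone, while a random server-side session with a timeout is not.

```python
"""Added example (not from the slide deck): a home-rolled session token
built from the phone ID versus a random, server-side, expiring session.
All identifiers and names are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed: a device identifier of the kind that also leaks through ad
# libraries and logs, plus the username it is paired with.
LEAKED_DEVICE_ID = "A1B2C3D4-E5F6-4711-8899-AABBCCDDEEFF"
USERNAME = "alice"


def weak_token(device_id: str, username: str) -> str:
    """Home-rolled token: an unsalted hash of values an attacker can learn.
    Deterministic, never expires, and needs no server-side state."""
    return hashlib.md5(f"{device_id}:{username}".encode()).hexdigest()


def weak_server_accepts(token: str, device_id: str, username: str) -> bool:
    """The server just recomputes the hash; anyone who knows the inputs passes."""
    return hmac.compare_digest(token, weak_token(device_id, username))


def attacker_forges(device_id: str, username: str) -> str:
    """Everything needed is public or leaked: no credentials required."""
    return weak_token(device_id, username)


class SessionStore:
    """Server-side sessions: random, unguessable, bound to nothing the client
    can reproduce, and with an idle timeout instead of an indefinite lifetime."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # token -> (username, last_seen)

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self._clock())
        return token

    def lookup(self, token: str):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if self._clock() - last_seen > self._ttl:
            del self._sessions[token]               # expired: force re-auth
            return None
        self._sessions[token] = (username, self._clock())  # sliding window
        return username

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    forged = attacker_forges(LEAKED_DEVICE_ID, USERNAME)
    print("forged token accepted:", weak_server_accepts(forged, LEAKED_DEVICE_ID, USERNAME))
    store = SessionStore()
    t = store.create(USERNAME)
    print("random session valid:", store.lookup(t) == USERNAME)
    print("device-id guess valid:", store.lookup(weak_token(LEAKED_DEVICE_ID, USERNAME)))
```

Swapping MD5 for SHA-256 or adding a static "salt" baked into the app binary would not help: the client-side inputs are still the only secret, and the binary is on the attacker's own phone.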

Page 15: Case Study #1

(chart: vulnerability count by severity, Critical / High / Medium / Low / Informational, y-axis 0 to 90)

• Case study of 120 mobile applications for 1 enterprise client
• 234 vulnerabilities
• 66% of applications contained a critical or high vulnerability that:
  • Disclosed 1 or more users' personal data
  • Exposed multiple users' personal data
  • Compromised the application's server

Page 16: Vulnerabilities by OWASP Mobile Top 10 Category

(chart: vulnerability count per category, x-axis M1 to M10 plus Other, y-axis 0 to 80)

M1: Insecure Data Storage
M2: Weak Server Side Controls
M3: Insufficient Transport Layer Protection
M4: Client Side Injection
M5: Poor Authorization and Authentication
M6: Improper Session Handling
M7: Security Decisions Via Untrusted Inputs
M8: Side Channel Data Leakage
M9: Broken Cryptography
M10: Sensitive Information Disclosure

Page 17: Other?

• Poor code quality and application hardening
  • Unreleased resources
  • No ASLR or memory management frameworks enabled
• Privacy leaks
  • UUID, Wi-Fi, device names, geolocations, etc., leaked to ad agencies

Page 18: Banking Case Study

Page 19: Mobile SDLC Security Foundations – Mobile Applications

(diagram: SDLC phases Plan, Requirements, Architecture & Design, Build, Test, Production, with the following activities placed along them)

• Mobile Security Development Standards
• Application Specific Threat Modeling and Analysis
• Mobile Secure Coding Training
• Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
• Threat Modeling CBT for Developers
• Mobile Secure Coding Standards Wiki
• Mobile Risk Dictionary
• Mobile Firewall
• Mobile Security Policies
• Static Analysis
• MDM

Page 20: How do we get started?

1. Find your published apps

2. Threat model them based on the information they handle

3. Assess and fix published apps

4. Give resources to developers to write secure code

Page 21: Threat Modeling a Mobile App

Identify business objectives:
• Identify the data the application will use
• PII vs. non-PII
• Credentials & access
• Where is it stored?
• Payment information?

Types of data at risk with a mobile app:
• Usernames & passwords
• UDID
• Geolocation/address/zip
• DoB
• Device name
• Network connection name
• Credit card data or account data
• Updates to social media
• Chat logs
• Cookies
• Etc…

Page 22: Mobile Methodology

(diagram: three assessment surfaces)
• Web Application: Static Analysis, Dynamic Analysis
• Network
• Client Application: Static Analysis, Dynamic Analysis

Page 23: Mobile Methodology

Mobile Assessment (diagram; groupings reconstructed from the slide layout):

• Application Mapping: Platform Mapping, Application Architecture, Understanding the App, Data Flow Mapping
• Client Attacks: Binary Analysis, File System Analysis, Memory Analysis, Runtime Hacking, Privacy Leaks, Insecure API, Sensitive File Artifacts, Weak Encryption
• Network Attacks: TCP Attacks, Plaintext Traffic
• Server Attacks: Web Attacks, Buffer Overflows, SQLi, XSS
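The Binary Analysis step above, and the M9 ("encoding != encryption") and M10 ("hardcoded secrets") call-outs on page 14, are in practice one first pass over `strings` output or decompiled source. The following is an added example, not code from the deck or from Fortify on Demand: a small scanner that flags credential-looking assignments, Base64 blobs that decode straight back to a `user:password` string, and plaintext `http://` endpoints. The sample lines are constructed to look like decompiled Android output; the regexes are a starting point, not a complete tool.

```python
"""Added example (not from the slide deck): a first-pass static check over
strings extracted from a mobile binary. The sample input is constructed."""
import base64
import binascii
import math
import re

# Constructed stand-in for `strings classes.dex` / decompiled output.
SAMPLE_STRINGS = """
http://api.example.com/v1/login
https://api.example.com/v1/sync
API_KEY = "AKIA0000000000EXAMPLE"
db_password = "Pr0dDbPassw0rd!"
encryptedCreds = "YWxpY2U6U3VtbWVyMjAxMiE="
user_name = "alice"
Base64.encodeToString
"""

# Assignments whose left-hand name smells like a credential.
ASSIGN = re.compile(
    r'(?i)\b(\w*(?:api[_-]?key|secret|passw(?:or)?d|token)\w*)\s*[=:]\s*"([^"]+)"')
# Quoted Base64-looking literals of a plausible length.
B64 = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
# Cleartext endpoints (M3 / "Plaintext Traffic"); https:// does not match.
HTTP = re.compile(r'\bhttp://[^\s"\']+')


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys sit near 4 or more, dictionary words well below."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def decode_if_base64(blob: str):
    """M9: if a 'cipher text' decodes to printable ASCII, it was only encoded."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def scan(text: str) -> list:
    """Return one finding dict per hit, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HTTP.finditer(line):
            findings.append({"line": lineno, "kind": "plaintext-endpoint", "value": m.group(0)})
        for m in ASSIGN.finditer(line):
            name, value = m.groups()
            findings.append({"line": lineno, "kind": "hardcoded-secret", "value": name,
                             "entropy": round(shannon_entropy(value), 2)})
        for m in B64.finditer(line):
            decoded = decode_if_base64(m.group(1))
            if decoded and ":" in decoded:      # user:password shape
                findings.append({"line": lineno, "kind": "base64-credential", "value": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_STRINGS):
        print(finding)
```

Every hit still needs a human look (the entropy value helps triage: a long random string next to `api_key` is a stronger finding than a placeholder), but anything this crude catches on a production build is already a report item.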

Page 24: Fortify On Demand's Mobile Application Security Risks, Controls, and Procedures Document

Page 25:

Page 26: Android & iOS Security Checklists

Page 27: Other Resources for QA, Security Managers, and Devs

• Fortify's 7 Ways to Hang Yourself with Android Presentation
• Fortify on Demand's iOS Penetration Testing Presentation
• Fortify's VulnCAT

Page 28:

Page 29: Other Resources

• OWASP Top 10 Mobile Risks Page
• OWASP iOS Developer Cheat Sheet
• Google Android Developer Security Topics 1
• Google Android Developer Security Topics 2
• Apple's Introduction to Secure Coding

Page 30: Parting Thoughts

• Remember that mobile sites face the Internet as well; obscurity != security

• Start with Risk Profiling and exposure (deployed apps)

• Give developers guidance and resources

• Don’t store it (PII) at all if you don’t need to

• If you have a 3rd party dev team, deploy a contract that enforces coding based on secure mobile dev standards

• Mobile Device Management (MDM) is not a substitute for secure code

• Finally, don’t be intimidated by “mobile”; the same fundamentals are still in play

Page 31: Thank you