Crowdsourced Cybersecurity Mobile Application Security Threats through the Eyes of the Attacker

Upload: bugcrowd

Post on 14-Aug-2015

TRANSCRIPT

Crowdsourced Cybersecurity

Mobile Application Security Threats through the Eyes of the Attacker

Our Speaker

Jason is the Director of Technical Operations at Bugcrowd. He trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry’s relations with the researchers. Jason’s interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis.

Jason Haddix

@jhaddix

Agenda

o Mobile is everywhere
o Top Ten Mobile App Risks
  What are they? What are some examples?
o Focusing on the big 3
o Resources for security and dev teams
o Questions

Mobile is everywhere: Mobile is computing

• There are 1.2 billion mobile users. By 2018 that number will be 5 billion.
• Mobile adoption is growing 8x faster than traditional web applications.
• Mobile payments will exceed $90 Billion by 2017.

Mobile is everywhere: Attackers go where the users are

• It’s not just phones: tablets, IoT devices, etc. are all “mobile” now.
• With that kind of adoption, hackers have shifted to these new surface areas.

2014 Draft OWASP Mobile Top 10 Risks

M1 – Weak Server Side Controls
M2 – Insecure Data Storage
M3 – Insufficient Transport Layer Protection
M4 – Unintended Data Leakage
M5 – Poor Authorization and Authentication
M6 – Broken Cryptography
M7 – Client Side Injection
M8 – Security Decisions Via Untrusted Inputs
M9 – Improper Session Handling
M10 – Lack of Binary Protections

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks

Data Storage

Unintended Data Leakage

Take a look at your mobile OS and ensure that none of the operating system’s features leak private data.

iOS:
• Logging (NSLog in production)
• Application background screenshot
• URL caching
• Keyboard press caching
• Copy/paste buffer caching
• Photo sharing

Android:
• URL caching (both request and response)
• Logging (Log.d)
• Exported content providers
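The "exported content providers" item above is something a dev team can check before an assessor does. As an added example (not from the slides or from Bugcrowd), the script below audits an AndroidManifest.xml for providers that other apps can reach and that declare no permission at all. The manifest is constructed for illustration; the targetSdkVersion threshold of 17 is the API level at which Android switched the default of android:exported for providers from true to false.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: four providers with different exposure.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes"
              android:exported="true" />
    <provider android:name=".SettingsProvider"
              android:authorities="com.example.settings"
              android:exported="true"
              android:permission="com.example.READ_SETTINGS" />
    <provider android:name=".CacheProvider"
              android:authorities="com.example.cache"
              android:exported="false" />
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.legacy" />
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_unprotected_providers(manifest_xml, target_sdk):
    """Return the authorities of content providers that other apps can
    query and that require no permission (read, write or general)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        exported = _attr(prov, "exported")
        if exported is None:
            # No explicit attribute: providers defaulted to exported=true
            # before targetSdkVersion 17, and to false from 17 on.
            is_exported = target_sdk < 17
        else:
            is_exported = exported.lower() == "true"
        guarded = any(_attr(prov, a) for a in
                      ("permission", "readPermission", "writePermission"))
        if is_exported and not guarded:
            findings.append(_attr(prov, "authorities"))
    return findings
```

Run it against the real manifest with the app's actual targetSdkVersion; every authority it returns is data any other app on the device can read or write.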

http://s3jensen.blogspot.com/2014/02/credit-karma-ios-vulnerability.html

Pro-Tips for the mobile dev: Don’t Store or Store Securely

• If at all possible, don’t store passwords or PII.
• There are several storage mechanisms for each platform. Some are safer than others.
• iOS: When storage is necessary for small data fragments, use the iOS keychain. In addition, store all strings in encrypted format, even in the keychain. Never use plists for data storage (NSUserDefaults).
• iOS: For larger data sets, files, and databases (Core Data or SQLite), utilize Apple’s Data Protection API with a minimum of the designation NSFileProtectionCompleteUnlessOpen.
• Android: Use the Android Keystore (encrypted values) and avoid saving to external storage (SD card), as it is a shared storage mechanism.

Encrypt and Protect Traffic

Over the Wire

o When the application runs, it will be talking to multiple servers.
o It will also be using an untrusted network 50% of the time.
o Always use HTTPS; disable HTTP endpoints.
o Set appropriate cookie flags: Secure, HttpOnly.
o Use appropriate cipher strength for SSL.
o Use appropriate certificate management calls.
o Use certificate pinning where possible.
o https://github.com/iSECPartners/ssl-conservatory

Poor TLS implementations: Common Vulnerabilities

• Trusting any certificate it sees
• Allows expired certificates
• Allows trivial MITM attacks
• Can connect over HTTPS once, and then fall back (mixed mode)
• ...and more
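The "Over the Wire" checklist and the failure list above translate into a handful of client-side settings. As an added example (not from the slides or from any library the talk mentions), here is a Python client configuration showing the "trust any certificate" anti-pattern beside the hardened context, an HTTPS-only endpoint check that prevents the fall-back case, and a certificate pin check. Assumptions: the pin is a SHA-256 over the whole DER certificate (not the SPKI), and the certificate bytes and pin are constructed stand-ins for the app's real shipped values.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit

# Constructed stand-ins for a real peer certificate and its pin; a real
# pin is computed from the certificate the app is shipped with.
SAMPLE_CERT_DER = b"constructed-der-bytes-not-a-real-certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def insecure_context():
    """The anti-pattern behind 'trusting any certificate it sees': no
    hostname check and no chain validation, so a MITM certificate works."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Validate the chain against the trust store, check the hostname,
    and refuse anything older than TLS 1.2 (weak ciphers go with it)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx):
    """True only when both chain validation and hostname checking are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def require_https(url):
    """Refuse plain-HTTP endpoints so the client can never fall back to
    HTTP after having talked HTTPS once (the mixed-mode failure)."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: %s" % url)
    return url


def pin_matches(cert_der, pinned_sha256_hex):
    """Certificate pin (whole-certificate hash): compare SHA-256 of the DER
    bytes from SSLSocket.getpeercert(binary_form=True) against the pinned
    value, in constant time."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex)
```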

SSL Checklist for Penetration Testers

Server Side Protections

Highlights: Protect the Server

• The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities.
• Validate all input; use a whitelisting approach for special/control characters.
• While not a silver bullet, there are several open source WAFs and libraries depending on platform (ModSecurity, OWASP ESAPI, IIS security modules).
• Think about authentication API requests and how they can be abused.
• Keep web server software and frameworks updated (this includes XML parsers ;)
• If the backend is web-service (WS) based, return the proper content type.
• Use POST instead of GET where possible.
• "Cache-Control: no-cache, no-store" is important.

OWASP Proactive Controls

1. Parameterize Queries
2. Encode Data
3. Validate All Inputs
4. Implement Appropriate Access Controls
5. Establish Identity and Authentication Controls
6. Protect Data and Privacy
7. Implement Logging, Error Handling and Intrusion Detection
8. Leverage Security Features of Frameworks and Security Libraries
9. Include Security-Specific Requirements
10. Design and Architect Security In
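The server-side highlights and the first three Proactive Controls (parameterize, encode, validate) come together in a single request handler. As an added example (not from the slides, Bugcrowd or OWASP), the Python below shows the string-built query that makes M1 "weak server side controls" exploitable beside the parameterized, whitelist-validated version, plus the response headers the talk calls for (Secure/HttpOnly cookie, Cache-Control no-cache/no-store, a correct content type). The users table is an in-memory SQLite database constructed for the demo.

```python
import re
import sqlite3

# Whitelist: usernames are 3 to 32 letters, digits, '.', '_' or '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def valid_username(value):
    """Whitelist validation: accept only the characters expected rather
    than trying to blacklist quotes, semicolons and other control chars."""
    return bool(USERNAME_RE.match(value))


def open_sample_db():
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn, name):
    """The weak-server-side pattern: SQL built from the input string, so a
    quote in the input rewrites the query and every row comes back."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user(conn, name):
    """Parameterized query (Proactive Control 1) behind a whitelist check:
    the value travels separately from the SQL and cannot change it."""
    if not valid_username(name):
        return None
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchone()


def api_response_headers(session_id):
    """Headers an authenticated mobile API response should carry: a
    Secure, HttpOnly session cookie, no caching, and the real content type."""
    return {
        "Set-Cookie": "session=%s; Secure; HttpOnly" % session_id,
        "Cache-Control": "no-cache, no-store",
        "Content-Type": "application/json",
    }
```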

More Resources

Proxy the application during QA testing to audit for data leakage

http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/

Check for unencrypted files: https://github.com/dmayer/idb

Data storage, protection, and testing on the device

iOS Developer
✓ iOS: Data Protection Classes
✓ iOS: Encrypted Core Data guide
✓ iOS Security Guide

iOS Tester
✓ idb iOS assessment tool
✓ OWASP iOS Testing Cheat Sheet

Android Developer
✓ Android: CERT Secure Coding Practices for Android
✓ JSSEC.org Secure Android Coding Manual

Android Tester
✓ Android Debug Bridge (adb)
✓ Drozer Android Toolkit

Key Takeaways

1. Start with identifying and fixing the “top 3”
2. Keep a well-trained and staffed development and assessment team
3. Utilize provided resources

QUESTIONS?

bugcrowd.com [email protected] @jhaddix