You think your mobile app is secure, but is it really? In this session from Xamarin Evolve 2016 in Orlando, Alec will give you the Top 10 mobile threats to be aware of and take an in-depth look at how to mitigate some of these threats using Xamarin and the OWASP Mobile Security Project. A video of the talk is available here: https://youtu.be/rCT9kiA7SE0?list=PLM75ZaNQS_Fb7I6E9MDnMgwW1GGZIijf_
3. Intro to Standards
How can you prove to an enterprise client that your apps are secure?
What boxes might a security conscious client require you to tick to
comply with policy?
What are the industry guidelines for app security?
4. The Open Web Application Security Project
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10 for Mobile 2014 / 2016
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Application Security Verification Standard (ASVS) v3.0
https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf
Chapter 17 covers mobile
5. OWASP Top 10 for Mobile 2014
M1 – Weak server side controls
M2 – Insecure data storage on the device
M3 – Insufficient transport layer protection
M4 – Unintended data leakage
M5 – Poor authentication and authorization
M6 – Broken cryptography
M7 – Client side injection
M8 – Security decisions via untrusted inputs
M9 – Improper session handling
M10 – Lack of binary protection
7. 2014 vs 2016 RC
2014:
M1 – Weak server side controls
M2 – Insecure data storage on the device
M3 – Insufficient transport layer protection
M4 – Unintended data leakage
M5 – Poor authentication and authorization
M6 – Broken cryptography
M7 – Client side injection
M8 – Security decisions via untrusted inputs
M9 – Improper session handling
M10 – Lack of binary protection
2016 RC:
M1 – Improper Platform Usage
M2 – Insecure Data Storage
M3 – Insecure Communication
M4 – Insecure Authentication
M5 – Insufficient Cryptography
M6 – Insecure Authorization
M7 – Client Code Quality
M8 – Code Tampering
M9 – Reverse Engineering
M10 – Extraneous Functionality
8. Why do common breaches still occur?
Ponemon Institute (https://www.ponemon.org/news-2/64):
• Rush to release
• Insufficient testing
• Malware-infected apps and devices
• Lower security budgets for mobile apps
• Lack of expertise
• Lack of policies
OWASP Mobile Security Project docs:
• Assumption that the OS covers all security requirements
• Weaknesses due to cross-platform development and compilation
9. M1 – Improper Platform Usage
Misuse of a platform feature, or failure to use the platform's security controls
• Violation of published guidelines
• Violation of convention or common practice
• Unintentional misuse
• Includes requesting too many permissions, or the wrong permissions
Example
- android:usesCleartextTraffic on Android (API 23+): an attribute on the <application> element of the manifest. Set it to false and the platform's networking components refuse plain HTTP. It is enforced on a best-effort basis only: code that never consults the policy is not stopped (see slide 14).
11. Exposing usesCleartextTraffic in Xamarin
using Android.OS;
using Services;
using Xamarin.Forms;
[assembly: Dependency(typeof(M1.Droid.NetworkSecurityPolicyService_Droid))]
namespace M1.Droid
{
    // Android implementation of the shared INetworkPolicyService interface,
    // resolved from the Forms project through DependencyService.
    public class NetworkSecurityPolicyService_Droid : INetworkPolicyService
    {
        public bool isClearTextTrafficPermitted()
        {
            // NetworkSecurityPolicy only exists from API 23 (Marshmallow). Earlier
            // platforms have no cleartext policy at all, so report it as permitted.
            if (Build.VERSION.SdkInt < BuildVersionCodes.M)
            {
                return true;
            }
            // Reflects android:usesCleartextTraffic from the manifest (and, from
            // API 24, the Network Security Config).
            return Android.Security.NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted;
        }
    }
}
12. Checking usesCleartextTraffic in Xamarin
// Dishonours the policy: WebClient belongs to the managed (Mono) networking
// stack, which never consults Android's NetworkSecurityPolicy, so this fetches
// http:// URLs even when the manifest says usesCleartextTraffic="false".
public async Task<string> DownloadContentDishonour(string url)
{
    using (var client = new WebClient())
    {
        return await client.DownloadStringTaskAsync(url);
    }
}
13. Checking usesCleartextTraffic in Xamarin
// Honours the policy: ask the platform (via the INetworkPolicyService
// implementation from slide 11) before the managed stack sends anything in the
// clear. networkPolicyService is null on platforms with no implementation, in
// which case the check is skipped.
public async Task<string> DownloadContentHonour(string url)
{
    if (networkPolicyService != null
        && url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
        && !networkPolicyService.isClearTextTrafficPermitted())
    {
        throw new InvalidOperationException(
            "Clear text network requests are not permitted");
    }
    // Caveat: WebClient follows redirects on its own, so an https URL that
    // redirects to http is still fetched in the clear after this check passes.
    using (var client = new WebClient())
    {
        return await client.DownloadStringTaskAsync(url);
    }
}
14. M1 – Improper Platform Usage - Components
…that honour usesCleartextTraffic
• DownloadManager
• MediaPlayer
• SocketHandler
• Java.* / Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components
• Some third party libraries
• OkHttp
• ModernHttpClient
…that dishonour usesCleartextTraffic
• Android.WebKit.WebView (at the time of the talk; Android later made WebView honour the attribute for apps targeting API 26 and higher)
• Java.* / Android.* UDP and TCP connections
• Any related low-level network stacks
• All managed networking components: WebClient, HttpWebRequest and HttpClient over the managed HttpClientHandler. HttpClient over AndroidClientHandler goes through Java's HttpURLConnection, which does honour it.
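The per-method check on slide 13 has to be repeated in every download routine and still misses redirects. As an added example (not code from the talk), the following Xamarin.Android DelegatingHandler applies the same NetworkSecurityPolicy check to every HttpClient request and to every redirect hop before a byte is sent. The class and the usage lines are assumptions of this example; the Android APIs (Build.VERSION.SdkInt, NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted) and the HttpClient types are real.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Android.OS;
using Android.Security;

// Hypothetical handler (not from the talk): enforces the manifest's
// usesCleartextTraffic policy on every HttpClient request, so the managed stack
// stops dishonouring the flag. Wrap it round the inner handler you already use,
// with AllowAutoRedirect = false on that handler so every redirect hop passes
// through here before anything is transmitted.
public sealed class CleartextPolicyHandler : DelegatingHandler
{
    const int MaxRedirects = 5;

    public CleartextPolicyHandler(HttpMessageHandler inner) : base(inner) { }

    // Ask the platform rather than hard-coding the answer: it follows the
    // manifest attribute and, from API 24, the Network Security Config.
    // Before API 23 there is no policy, so cleartext is permitted.
    public static bool CleartextPermitted
    {
        get
        {
            if (Build.VERSION.SdkInt < BuildVersionCodes.M)
                return true;
            return NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted;
        }
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        Uri uri = request.RequestUri;
        for (int hop = 0; hop <= MaxRedirects; hop++)
        {
            RejectIfCleartext(uri);
            if (hop > 0)
            {
                // An HttpRequestMessage can only be sent once, so build a fresh GET
                // for the redirect target (a redirected POST is replayed as GET here).
                request = new HttpRequestMessage(HttpMethod.Get, uri);
            }

            HttpResponseMessage response =
                await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
            int status = (int)response.StatusCode;
            Uri location = response.Headers.Location;
            if (status < 300 || status > 399 || location == null)
                return response;

            // Location may be relative; resolve it against the URL just fetched.
            uri = new Uri(uri, location);
            response.Dispose();
        }
        throw new HttpRequestException("Too many redirects for " + request.RequestUri);
    }

    static void RejectIfCleartext(Uri uri)
    {
        if (uri.Scheme == Uri.UriSchemeHttp && !CleartextPermitted)
            throw new InvalidOperationException(
                "Cleartext request to " + uri.Host + " blocked by the usesCleartextTraffic policy");
    }
}

// Usage (assumed):
// var inner = new HttpClientHandler { AllowAutoRedirect = false };
// var client = new HttpClient(new CleartextPolicyHandler(inner));
// string body = await client.GetStringAsync("https://example.com/");
```

Because the handler follows redirects itself, an https URL that bounces to http fails at the hop rather than after the cleartext response has already been received.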
15. M2 – Insecure Data Storage
This covers two of the 2014 top 10 risks:
2014 M2 – Insecure Data Storage
• SQL databases
• Log files
• XML datastores / manifest files
• Binary data stores
• SD card
• Cloud sync’d folders
2014 M4 – Unintended Data Leakage
• Leaked without developer’s knowledge
• Cached data
• Images – e.g. task switcher
• Key presses
• Logging
• Buffers
16. Blurring the screen during auto-snapshot
// AppDelegate (Xamarin.iOS). iOS snapshots the screen as the app leaves the
// foreground and shows that image in the task switcher, so cover the real
// content before that happens and uncover it when the app is active again.
using CoreImage;
using UIKit;

UIImageView blurView;   // the overlay we added, so that step 4 removes only that

public override void OnResignActivation(UIApplication uiApplication)
{
    // 1. Take a screenshot
    // 2. Blur it
    // 3. Add the blurred view to the RootViewController.View
    base.OnResignActivation(uiApplication);
}
public override void OnActivated(UIApplication uiApplication)
{
    // 4. Remove the blurred view, if there is one
    base.OnActivated(uiApplication);
}
17. Blurring the screen during auto-snapshot
// 1. Take a screenshot
UIView view = UIApplication.SharedApplication.KeyWindow?.RootViewController?.View;
if (view == null) return;   // nothing on screen yet, e.g. resigning during launch
// Scale 0 = the device's scale, so the capture is not pixelated on Retina screens
UIGraphics.BeginImageContextWithOptions(view.Bounds.Size, false, 0f);
view.DrawViewHierarchy(view.Bounds, true);
UIImage image = UIGraphics.GetImageFromCurrentImageContext();
UIGraphics.EndImageContext();
18. Blurring the screen during auto-snapshot
// 2. Blur it
UIImage newImage = null;
using (var inputImage = new CIImage(image))
using (var blur = new CIGaussianBlur { Image = inputImage, Radius = 25f })
using (var outputImage = blur.OutputImage)
using (var context = CIContext.FromOptions(new CIContextOptions { UseSoftwareRenderer = false }))
// Crop to the input's extent: a Gaussian blur grows the output past the original edges
using (var cgImage = context.CreateCGImage(outputImage, inputImage.Extent))
{
    newImage = UIImage.FromImage(cgImage);
}
19. Blurring the screen during auto-snapshot
// 3. Add the blurred view to the RootViewController.View
blurView = new UIImageView(newImage) { Frame = view.Bounds };
view.AddSubview(blurView);
// 4. Remove the blurred view, if there is one. Keep a reference to it rather
// than removing whichever subview happens to be on top: if no overlay was added
// (for example the window was not ready in step 1), removing the last subview
// would strip a real view.
if (blurView != null)
{
    blurView.RemoveFromSuperview();
    blurView = null;
}
20. M2 – Insecure Data Storage
iOS Developer Cheat Sheet
- https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet
- Small amounts of sensitive data should go in the Keychain
- Recommends usage of a third party encryption API “not encumbered by inherent weaknesses in Apple’s encryption”
- Singles out SQLCipher
- Key management then becomes critical (see M5)
- https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
Windows 10 Mobile Security Guide
- https://technet.microsoft.com/en-us/library/mt674915(v=vs.85).aspx
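The cheat sheet says small secrets belong in the Keychain but the talk shows no code for it. As an added example (not from the talk), the following Xamarin.iOS helper stores, reads and deletes a secret such as a session token or a SQLCipher key through the Security binding. The class name and the service string are assumptions of this example; SecRecord, SecKeyChain, SecKind and SecAccessible are the real Xamarin.iOS types.

```csharp
using Foundation;
using Security;

// Hypothetical helper (not from the talk): keeps a small secret in the Keychain,
// where the OS encrypts it and binds it to the device, instead of in
// NSUserDefaults, a plist or a file under Documents. The (Service, Account)
// pair identifies the item.
public static class KeychainSecret
{
    const string Service = "com.example.m2demo";   // assumed; one per app

    static SecRecord Query(string account)
    {
        return new SecRecord(SecKind.GenericPassword) { Service = Service, Account = account };
    }

    public static SecStatusCode Save(string account, string secret)
    {
        // Adding an item with the same Service/Account fails with DuplicateItem,
        // so replace rather than append.
        SecKeyChain.Remove(Query(account));

        var record = Query(account);
        record.ValueData = NSData.FromString(secret, NSStringEncoding.UTF8);
        // Readable only while the device is unlocked, and never migrated to another
        // device through a backup: the tightest class a foreground app can use.
        record.Accessible = SecAccessible.WhenUnlockedThisDeviceOnly;
        return SecKeyChain.Add(record);
    }

    public static string Load(string account)
    {
        SecStatusCode status;
        SecRecord match = SecKeyChain.QueryAsRecord(Query(account), out status);
        if (status != SecStatusCode.Success || match == null || match.ValueData == null)
            return null;
        return NSString.FromData(match.ValueData, NSStringEncoding.UTF8).ToString();
    }

    public static SecStatusCode Delete(string account)
    {
        return SecKeyChain.Remove(Query(account));
    }
}

// Usage (assumed):
// KeychainSecret.Save("session", token);
// string token = KeychainSecret.Load("session");
```

Check the returned SecStatusCode rather than assuming success: a Save on a locked device with a WhenUnlocked class, or a missing Keychain entitlement, fails quietly otherwise.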
21. M3 – Insecure Communication
This covers:
• Poor handshaking
• Incorrect SSL/TLS versions
• Weak negotiation (cipher suites)
• Cleartext communication of sensitive assets *
• SSL certificate validity
* Sensitive assets can include things like the IMEI and other hardware addresses. Some jurisdictions consider these to be private data that must be given the same privacy treatment as a phone number or home address.
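The last bullet, certificate validity, is where mobile apps most often go wrong: a validation callback that returns true to get past a self-signed test server. As an added example (not from the talk), the following keeps every standard check and additionally pins the public key of the app's own API host for Mono's managed HTTP stack. The class, the host name and the placeholder hashes are assumptions of this example; ServicePointManager.ServerCertificateValidationCallback and the X509 types are the real .NET APIs.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical pinning (not from the talk). Applies to Mono's managed stack
// (WebClient, HttpWebRequest, HttpClient over HttpClientHandler); the native
// handlers (AndroidClientHandler, NSUrlSessionHandler) never call this delegate
// and need pinning done through their own platform mechanisms.
public static class PinnedTls
{
    const string PinnedHost = "api.example.com";   // assumed

    // Base64(SHA-256(DER public key)) of the current leaf key plus a backup key,
    // captured with KeyHash() at build time. Placeholder values.
    static readonly string[] PinnedKeyHashes =
    {
        "REPLACE_WITH_BASE64_SHA256_OF_CURRENT_KEY",
        "REPLACE_WITH_BASE64_SHA256_OF_BACKUP_KEY",
    };

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Never relax the platform's own checks: untrusted root, expiry and name
        // mismatch still fail. "return true" here is M3 in one line.
        if (errors != SslPolicyErrors.None || cert == null)
            return false;

        // Pin only our backend; other hosts (CDNs, analytics) keep standard validation.
        var request = sender as HttpWebRequest;
        if (request != null
            && !request.RequestUri.Host.Equals(PinnedHost, StringComparison.OrdinalIgnoreCase))
            return true;

        return PinnedKeyHashes.Contains(KeyHash(cert), StringComparer.Ordinal);
    }

    // Hash the leaf's public key rather than the whole certificate, so the pin
    // survives a certificate renewal that keeps the same key pair.
    public static string KeyHash(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
    }
}

// Usage (assumed): call PinnedTls.Install() once at startup, before the first request.
```

Ship a backup pin and a way to update pins (an app release, at minimum) before enabling this; a pinned app whose server key rotates without a matching pin is an outage, not a security win.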
23. M4 – Insecure Authentication
In general, follow the same rules as a web app for authentication,
i.e. if porting a web app, it should not be possible to authenticate with fewer authentication factors than in the web browser
Never use a device identifier (UDID, IP, MAC address, IMEI) to identify a user or a session: they are neither secret nor bound to a person, and can be spoofed
Remember that some jurisdictions treat these as personal data
24. M4 – Insecure Authentication
Avoid sending out-of-band authentication tokens to the same device the user is logging in from (e.g. an SMS code to the phone running the app): malware on that device can read both
http://www.smh.com.au/technology/consumer-security/malware-hijacks-big-four-australian-banks-apps-steals-twofactor-sms-codes-20160309-gnf528.html
25. M5 – Insufficient Cryptography
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• Only store sensitive data that you need
• Use strong approved authenticated encryption
• Store a one-way and salted value of passwords
• Ensure that the cryptographic protection remains secure even if
access controls fail
• Ensure that any secret key is protected from unauthorised access
• Follow applicable regulations on use of cryptography
• PCLCrypto component
26. M5 – Insufficient Cryptography
Use of hardware information (device identifiers) in a key:
SQLCipher advice
- What is unacceptable is to use it in its entirety and nothing else
- They propose it is acceptable to use it as a portion of the key, but point out that it is critical that at least a portion of the key is both:
  - Entered by the user
  - Never stored on the device
https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
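Slides 25 and 26 together describe a key whose user-entered part is never stored, a salted one-way password value, and authenticated encryption. As an added example (not from the talk, and not using the PCLCrypto component it mentions), the following implements those three points with the System.Security.Cryptography classes Mono ships in Xamarin.iOS and Xamarin.Android platform projects. The class name, the iteration count and the blob layout are choices of this example; encrypt-then-MAC with AES-CBC plus HMAC-SHA256 is used because that BCL has no AEAD mode such as AES-GCM.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper (not from the talk). DeriveKey turns a user-entered
// passphrase plus a random, device-stored salt into key material: the salt is
// the half that lives on the device, the passphrase is never written down.
// Seal/Open give encrypt-then-MAC (AES-256-CBC + HMAC-SHA256).
public static class AppCrypto
{
    public const int Iterations = 100000;   // PBKDF2 cost; tune to ~100 ms on target devices
    const int SaltLen = 16, IvLen = 16, TagLen = 32, KeyLen = 32;

    public static byte[] NewSalt()
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    // 64 bytes out by default: the first 32 encrypt, the last 32 authenticate.
    public static byte[] DeriveKey(string passphrase, byte[] salt, int length = 2 * KeyLen)
    {
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
            return kdf.GetBytes(length);
    }

    // Salted, one-way password storage uses the same KDF: persist salt + DeriveKey output.
    public static bool VerifyPassword(string attempt, byte[] salt, byte[] storedHash)
    {
        return FixedTimeEquals(DeriveKey(attempt, salt, storedHash.Length), storedHash);
    }

    // Output layout: IV || ciphertext || HMAC(IV || ciphertext).
    public static byte[] Seal(byte[] keyMaterial, byte[] plaintext)
    {
        byte[] encKey = Slice(keyMaterial, 0, KeyLen), macKey = Slice(keyMaterial, KeyLen, KeyLen);
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;      // 32 bytes selects AES-256; default mode is CBC/PKCS7
            aes.GenerateIV();      // fresh random IV per message
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var blob = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
            byte[] tag = hmac.ComputeHash(blob, 0, IvLen + ct.Length);
            Buffer.BlockCopy(tag, 0, blob, IvLen + ct.Length, TagLen);
            return blob;
        }
    }

    public static byte[] Open(byte[] keyMaterial, byte[] blob)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("Truncated input");
        byte[] encKey = Slice(keyMaterial, 0, KeyLen), macKey = Slice(keyMaterial, KeyLen, KeyLen);
        int bodyLen = blob.Length - TagLen;
        // Verify the tag before the ciphertext reaches AES: no padding oracle.
        using (var hmac = new HMACSHA256(macKey))
            if (!FixedTimeEquals(hmac.ComputeHash(blob, 0, bodyLen), Slice(blob, bodyLen, TagLen)))
                throw new CryptographicException("Authentication failed");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = Slice(blob, 0, IvLen);
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }

    static byte[] Slice(byte[] src, int offset, int count)
    {
        var dst = new byte[count];
        Buffer.BlockCopy(src, offset, dst, 0, count);
        return dst;
    }

    // Compare every byte regardless of where the first difference is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage (assumed): salt = AppCrypto.NewSalt() once per install, kept in the
// Keychain/KeyStore; key = AppCrypto.DeriveKey(passphrase, salt) on each unlock,
// passed to SQLCipher or to Seal/Open, and discarded when the app is locked.
```

Derive the key on each unlock and drop it afterwards rather than caching it to disk: once the derived key is stored next to the salt, the "never stored on the device" portion from slide 26 no longer exists.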
27. M6 – Insecure Authorization
The app may restrict functions based on the user’s authorization level
Web service endpoints cannot assume this is sufficient
The classic finding is a server implicitly trusting the mobile code to only generate requests appropriate to the user’s privilege level
This cannot be assumed of a compromised app: every request must be authorized server-side against the identity the server established, not against what the client claims
28. M7 – Client Code Quality
Is Your App Secure?
- Kerry Lothrop, Thursday
Think Like a Hacker
- Sam Rehman & Lou Crocker, Wednesday
32. Where to from here?
Remembering…
- Insecure Communication (2014 M3 / 2016 M3)
- Reverse Engineering (2014 M10 / 2016 M9)
Source: Arxan State of Application Security 2016 – Financial Services Report
33. Where to from here?
• OWASP ASVS
• PCI standards
• If you don’t have a security policy, reference these
standards
• If you do have a security policy, check it against these
standards
• If you’re writing or reviewing a security policy, check it
against these standards
• Awareness and further research
• Build in house expertise, outsource, bring in specialised
security products / consultants
• A combination of the above
http://www.amazon.com/Xamarin-Unleashed-Alec-Tucker/dp/0672337509