Top 7 Mobile App Attacks and How to Prevent Them

Here's your chance to learn about the most common mobile threats and how to protect your organization from malicious attack. The slides:

> DESCRIBE why mobile apps are uniquely vulnerable
> SURVEY the 7 most common mobile attacks
> HIGHLIGHT ways to find mobile app vulnerabilities


  1. Top 7 Mobile App Attacks and How To Prevent Them
     Sameer Dixit, Managed Services; Chris Harget, Product Marketing
  2. Agenda
     • Enterprise Mobile App Trends
     • Top Mobile App Attacks
     • How To Be Safer
     Cenzic, Inc. - Confidential, All Rights Reserved.
  3. Mobile App Factoids
     • ~14 billion tablet-app downloads in 2013 [1]
     • ~82 billion smartphone-app downloads in 2013 [2]
     • Average US smartphone user has 41 apps and spends 39 minutes/day using them [3]
     • 91% of apps free, only 9% paid for (Gartner 2012)
     Sources: [1] ABI Research, March 2013 prediction; [2] Portio Research, March 2013 forecast; [3] Nielsen, http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html
  4. Mobile User Service Options
     Mobile-Optimized Web Sites:
     • HTML5 gives some cross-platform capability
     • No install, convenient for low-usage apps
     • Works with standard vulnerability scanning
     Native Mobile Apps:
     • Native container => tighter integration
     • More user commitment required to begin
     • Requires mobile-specific vulnerability scanning
  5. Mobile App Space Less Mature
     • Fewer security experts than on Web apps
     • Development practices often leave out security
     • New kinds of data to secure (GPS, camera, microphone, texts, international calling)
  6. Mobile App Security Is Harder
     • Mobile devices are less physically secure
     • Mobile traffic more likely to be visible to others, since it travels through the air
  7. Mobile Apps For Customers
     • Shopping App
     • Rewards Programs, Coupons
     • Games/Marketing
     • Account Management
  8. Mobile Apps For Employees
     • Email, Calendar, Contacts, Tasks
     • Salesforce.com
     • Order Entry
     • Quoting Tool
     • Field Support
     • Inventory Tracking
     • Point of Sale
     • Field Enablement
     • Approvals
     • Collaboration
  9. Mobile Apps For Partners
     • Order Entry
     • Order Tracking
     • Technical Support
     • Inventory Availability
     • Lead Referral
     • Product Catalogue
     • Price List
  10. Enterprise Mobile Apps Trends
     • Give free apps to prospects/customers for acquisition/retention
       – The share of app revenue from in-app purchases will grow from 10% in 2011 to 41% in 2016 (Gartner)
     • By 2016, 25% of enterprises will have private app stores (Gartner, April 2013)
       – Reduce risk from BYOD (Bring Your Own Device)
     • Mobile apps often funded/developed by business units, not IT
  11. Enterprise Mobile App Dev. Costs
     • 54% of apps cost $25K-$100K.
  12. Enterprise Mobile App Update Frequency
     • 80% of respondents update mobile apps at least 2x/year.
     Source: http://www.anypresence.com/Mobile_Readiness_Report_2013.php
  13. Summing Up Trends
     • Enterprises developing apps for many reasons
     • Data and brand exposure increasing rapidly
     • Mobile app security practices generally inadequate
  14. Top 7 Mobile App Attacks
  15. 1. Exploiting Unencrypted Data
     • Sensitive plist, xml and sqlite files, e.g., last logged in user, address, usernames, GPS coordinates, photos, videos etc.
     • Stored passwords
  16. 2. Excessive Access Privileges
     • Some apps unnecessarily grant access to the user's phone directory, calendar, GPS, camera, microphone, etc.
     • => Theft of corporate info, fraud, and violation of privacy
  17. 3. Exploiting Inputs That Are Not Validated
     • SQL Injection
     • XML Bombs
     • Cross-Site Scripting
  18. 4. Session Left Active When App Exited
     • Poor session management
     • User closes app, but is not logged out of server
     • Attacker may pick up session and steal data, funds or merchandise
  19. 5. Insecure Transmission
     • GET request for username, account number, GPS coordinates, device UDID, user info, etc.
     • …sent in the clear!
     • Mobile traffic more likely to be visible to others than wired traffic
  20. 6. Parameter Manipulation in Mobile Web Services ("Parameter Manipulation in REST Services")
     • E.g., …/id/1234
     • change to …/id/3456/
     • Gives access to another ID's account
  21. 7. Lack of Automated Lockouts
     • Unlike Web apps, most mobile apps don't implement lockout capability after 3, or 5 or 10 failed login attempts.
     • PIN or password is often cached on the mobile device
     • If someone gets control of your phone or tablet, they may be able to brute-force your app passwords without the server ever knowing
  22. Mobile App Attacks In Action…
  23. LIVE HACK I – Unencrypted Data Storage
  24. LIVE HACK II – Insecure Data Transmission
  25. A Few…
  26. 1. Encrypt Data Storage
     • Encrypt sensitive plist, xml and sqlite files that contain information such as the last logged in user, address, usernames, GPS coordinates, photos and videos etc.
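Added example, not part of the Cenzic deck: before encrypting, an assessor needs to know which of the plist and sqlite files in an app container hold sensitive values in plaintext. The Python script below (standard library only) walks an extracted container, reads plists with plistlib and databases with sqlite3, and reports keys and columns whose names look sensitive together with the plaintext value found. The name list, the file names and the sample container it builds are constructed for illustration and are assumptions of this example.

```python
import os
import plistlib
import sqlite3
import tempfile

# Key and column names that commonly hold the data the slide lists. This is an
# illustrative list (an assumption of this example), not a standard.
SENSITIVE_NAMES = ("password", "passwd", "passcode", "token", "username",
                   "address", "latitude", "longitude", "gps", "last_user")


def looks_sensitive(name):
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_NAMES)


def _quote(identifier):
    # SQLite cannot bind identifiers, so quote them (doubling any embedded quote).
    return '"' + identifier.replace('"', '""') + '"'


def audit_plist(path):
    """Return (file, key, value) for string values stored under a sensitive-looking key."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return [(os.path.basename(path), key, value)
            for key, value in data.items()
            if looks_sensitive(key) and isinstance(value, str)]


def audit_sqlite(path):
    """Return (file, table.column, first value) for sensitive-looking columns."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            columns = [row[1] for row in conn.execute(f"PRAGMA table_info({_quote(table)})")]
            for column in columns:
                if looks_sensitive(column):
                    row = conn.execute(
                        f"SELECT {_quote(column)} FROM {_quote(table)} LIMIT 1").fetchone()
                    findings.append((os.path.basename(path), f"{table}.{column}",
                                     row[0] if row else None))
    finally:
        conn.close()
    return findings


def audit_app_container(root):
    """Walk an extracted app container and collect plaintext sensitive fields."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(audit_plist(full))
            elif name.endswith((".sqlite", ".db")):
                findings.extend(audit_sqlite(full))
    return findings


def build_sample_container():
    """Constructed sample: a throwaway directory with files like those the slide names."""
    root = tempfile.mkdtemp(prefix="appcontainer_")
    with open(os.path.join(root, "Preferences.plist"), "wb") as fh:
        plistlib.dump({"last_user": "alice@example.com", "theme": "dark"}, fh)
    conn = sqlite3.connect(os.path.join(root, "cache.sqlite"))
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT, note TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 'hunter2', 'cached')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for finding in audit_app_container(build_sample_container()):
        print("plaintext sensitive field:", finding)
```

Every line the script prints is a field that should either not be on the device at all (a stored password belongs in the platform keystore, not a table) or should be encrypted at rest.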
  27. 2. Restrict Access Privileges
     • Restrict granting excess permissions and privileges to the application on the device.
     • Example: disallow update access to the user's phone directory, calendar, GPS, camera, microphone etc.
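Added example, not from the deck: on Android the permissions an app requests are declared in its manifest, so an excess-privilege check can be automated. The Python below parses a constructed AndroidManifest.xml with the standard library, maps the real Android permission names for contacts, calendar, location, camera, microphone and SMS onto the data sources the slide names, and reports every sensitive permission not covered by the feature set the reviewer has justified. The sample manifest, the justified set and the permission-to-category mapping are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the grouping into the slide's categories is ours.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "phone directory",
    "android.permission.WRITE_CONTACTS": "phone directory (write)",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar (write)",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "texts",
    "android.permission.SEND_SMS": "texts (send)",
    "android.permission.CALL_PHONE": "phone calls",
}


def requested_permissions(manifest_xml):
    """List every <uses-permission android:name=...> in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.findall("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def excess_permissions(manifest_xml, justified):
    """Return (permission, category) for sensitive permissions the app requests
    but the reviewer's justified set does not cover."""
    return [(perm, SENSITIVE_PERMISSIONS[perm])
            for perm in requested_permissions(manifest_xml)
            if perm in SENSITIVE_PERMISSIONS and perm not in justified]


# Constructed sample manifest for a hypothetical shopping app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shopping">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <application android:label="Shop"/>
</manifest>
"""

# A shopping app that scans barcodes and finds nearby stores can justify the
# camera and location; contacts and calendar access are excess (assumption).
JUSTIFIED = {"android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION"}

if __name__ == "__main__":
    for perm, category in excess_permissions(SAMPLE_MANIFEST, JUSTIFIED):
        print(f"excess permission: {perm} ({category})")
```

The same review applies to iOS, where the equivalent evidence is the set of usage-description keys in Info.plist and the frameworks the binary links; the principle is the same: every sensitive data source must be tied to a feature that needs it.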
  28. 3. Validate Inputs
     • Ensure that the application validates all inputs, both at client and server side, to avoid issues such as XSS, SQL injection, XML bombs, information disclosure etc.
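Added example, not part of the deck, covering two of the three input issues named on slides 17 and 28. The Python below (standard library only) shows the server-side half: a lookup that splices a request parameter into SQL beside the parameterized form that binds it, and an XML parser configured with expat to refuse any entity declaration, which is the mechanism an XML bomb's recursive expansion relies on. The in-memory table and the two XML inputs are constructed for the example.

```python
import sqlite3
import xml.parsers.expat


def demo_db():
    """Constructed in-memory table standing in for the app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_email_unsafe(conn, name):
    """Vulnerable form: the request parameter becomes part of the SQL text."""
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [row[0] for row in rows]


def lookup_email_safe(conn, name):
    """Hardened form: the driver binds the value, so it cannot alter the query's shape."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


def parse_xml_rejecting_entities(xml_text):
    """Parse XML but refuse every entity declaration. Returns the element names seen;
    raises ValueError as soon as the document tries to declare an entity."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise ValueError(f"entity declaration rejected: {entity_name}")

    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_text, True)
    return names


def rejects_entities(xml_text):
    """True if the document was refused for declaring entities."""
    try:
        parse_xml_rejecting_entities(xml_text)
    except ValueError:
        return True
    return False


# Constructed inputs: an ordinary request body and one that declares an entity.
HONEST_XML = "<order><item sku='A1'/></order>"
ENTITY_XML = "<!DOCTYPE order [<!ENTITY a 'aaaa'>]><order>&a;</order>"

if __name__ == "__main__":
    conn = demo_db()
    print("safe lookup:", lookup_email_safe(conn, "alice"))
    print("honest XML elements:", parse_xml_rejecting_entities(HONEST_XML))
    print("entity-declaring XML rejected:", rejects_entities(ENTITY_XML))
```

Client-side checks improve the user experience, but only the server-side copy of each check counts for security, because the client is under the attacker's control.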
  29. 4. Manage Sessions Assertively
     • In a native client-server mobile application, always invalidate the session after logout, both at the client and at the server side.
  30. 5. Use POST Request For Sensitive Data
     • Use an encrypted POST request rather than GET for sensitive information such as username, account number, GPS coordinates, device UDID, and address etc.
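Added example, not from the deck: a check for the transmission problem of slides 19 and 30, in Python with the standard library. It scans constructed access-log lines for requests that put sensitive fields into a URL query string (which lands in proxy and server logs regardless of transport) and separately for requests over plain http, and it shows the corrected construction: a POST over https with the fields in the body. The log format, the parameter name list and the hostname are assumptions of the example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request

# Query parameter names treated as sensitive (illustrative list, an assumption).
SENSITIVE_PARAMS = {"username", "user", "account", "account_number", "lat", "lon",
                    "gps", "udid", "password", "address"}


def sensitive_params_in_url(url):
    """Return (scheme, sorted sensitive query keys) for a request URL."""
    parts = urlsplit(url)
    keys = sorted(k for k in parse_qs(parts.query, keep_blank_values=True)
                  if k.lower() in SENSITIVE_PARAMS)
    return parts.scheme, keys


def audit_access_log(lines):
    """Flag entries whose URL carries sensitive fields, and entries sent in the clear.
    Expects constructed lines of the form '<timestamp> <method> <url>'."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        method, url = fields[1], fields[2]
        scheme, keys = sensitive_params_in_url(url)
        if keys:
            findings.append((number, f"{method} carries sensitive fields in query: {','.join(keys)}"))
        if scheme == "http":
            findings.append((number, "cleartext transport"))
    return findings


def build_safe_request(base_url, fields):
    """Build a POST over TLS with the sensitive fields in the body; refuse other schemes."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("sensitive data must go over TLS")
    body = urlencode(fields).encode()
    return Request(base_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


# Constructed sample log lines.
SAMPLE_LOG = [
    "2013-06-01T10:00:00Z GET http://api.example.com/login?username=alice&password=hunter2",
    "2013-06-01T10:00:05Z GET https://api.example.com/locate?lat=37.33&lon=-121.89&udid=ABC123",
    "2013-06-01T10:00:09Z POST https://api.example.com/login",
]

if __name__ == "__main__":
    for number, issue in audit_access_log(SAMPLE_LOG):
        print(f"line {number}: {issue}")
    req = build_safe_request("https://api.example.com/login", {"username": "alice"})
    print(req.get_method(), req.full_url, req.data)
```

Moving the fields into a POST body keeps them out of URL logs and browser history; it is the TLS layer, not the verb, that keeps them off the air, so the scheme check matters as much as the method.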
  31. 6. Encrypt REST Parameters
     • Obfuscate session-related info
     • Use strict session management policies with tighter authorization boundary and privileges
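Added example, not part of the deck, serving slides 18/29 (session invalidation) and 20/31 (parameter manipulation) together, since both come down to what the server keeps about a session. The Python below (standard library only) holds sessions server-side with random tokens, expires idle ones, destroys the server's copy on logout so a reused token gets 401, and on each /accounts/<id> request checks that the id in the path belongs to the session's user, so changing 1234 to 3456 gets 403 instead of another user's data. The path layout, the owner table and the timeout are assumptions of the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session registry: tokens are random, idle sessions expire,
    and logout destroys the server's copy so a reused token is refused."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def logout(self, token):
        # Server-side invalidation; the client must discard its copy as well.
        self._sessions.pop(token, None)

    def resolve(self, token, now=None):
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            self._sessions.pop(token, None)
            return None
        session["last_seen"] = now
        return session["user"]


# Constructed sample data: which user owns which account id.
ACCOUNT_OWNERS = {1234: "alice", 3456: "bob"}


def get_account(store, token, account_id, now=None):
    user = store.resolve(token, now)
    if user is None:
        return (401, "not authenticated")
    # Object-level authorization: the id in the path must belong to the
    # session's user, whatever number the client chose to send.
    if ACCOUNT_OWNERS.get(account_id) != user:
        return (403, "forbidden")
    return (200, {"id": account_id, "owner": user})


def handle_request(store, token, path, now=None):
    """Route paths of the form /accounts/<id> (hypothetical REST layout)."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "accounts" or not parts[1].isdigit():
        return (404, "not found")
    return get_account(store, token, int(parts[1]), now)


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice")
    print(handle_request(store, token, "/accounts/1234"))  # own account
    print(handle_request(store, token, "/accounts/3456"))  # someone else's id
    store.logout(token)
    print(handle_request(store, token, "/accounts/1234"))  # token after logout
```

Obfuscating the id in the URL, as the slide suggests, raises the effort for guessing but is not a substitute for the ownership check; the check is what makes the id harmless even when it is visible.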
  32. 7. Use Automated Lockouts
     • If a mobile app login fails 5-10x in a row, lock out in some fashion, flag activity in app and server logs, etc.
     • Lock the application for a period of time to avoid brute-force hacks
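Added example, not from the deck: a server-side login throttle in Python (standard library only) that implements the slide's advice. It counts consecutive failures per account, locks the account for a period once the threshold is reached, rejects even a correct credential while locked, resets on the first success, and writes an audit line for every decision so the activity is visible in server logs. Keeping the counter on the server is the point of the slide: a check that lives only on the device is defeated by anyone holding the device. The thresholds, log format and user names are assumptions of the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Track consecutive failed logins per account and lock the account after
    too many; state lives server-side, not in the app."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}
        self.events = []  # audit log lines (constructed format)

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout period over: clear the lock and start counting afresh.
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user, credential_ok, now=None):
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            self.events.append(f"{now:.0f} user={user} result=rejected_locked")
            return "locked"
        if credential_ok:
            self._failures[user] = 0
            self.events.append(f"{now:.0f} user={user} result=success")
            return "ok"
        self._failures[user] += 1
        self.events.append(f"{now:.0f} user={user} result=failure count={self._failures[user]}")
        if self._failures[user] >= self.max_failures:
            until = now + self.lockout_seconds
            self._locked_until[user] = until
            self.events.append(f"{now:.0f} user={user} result=LOCKED until={until:.0f}")
            return "locked"
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=5, lockout_seconds=900)
    for _ in range(5):
        print(throttle.attempt("alice", credential_ok=False))
    print(throttle.attempt("alice", credential_ok=True))  # locked despite good credential
    for line in throttle.events:
        print(line)
```

The "LOCKED" audit line is the hook for the slide's second point: it is what an alerting rule watches for, and a burst of them across many accounts is the signal that someone is working through a password list.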
  33. Cenzic Can Help
     • Cenzic is a leading provider of Mobile Application Scanning Services.
     • 10+ years
     • Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
     • Cenzic experts conduct business logic and forensic analysis of mobile apps
  34. Customers Rate Cenzic Higher
     • 2013 Gartner surveyed App Security Testing customers
     • ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
     • Cenzic provides the best services!
  35. Complete Enterprise Security by Cenzic
     • Enterprise Application Security: Pre-production & App Development; Production; Partner / Supply Chain
  36. Application Security for Web, Web Services & Mobile
     +1.408.429-7400
