Here's your chance to learn about the most common mobile threats and how to protect your organization from malicious attacks. The slides:
> DESCRIBE why mobile apps are uniquely vulnerable
> SURVEY the 7 most common mobile attacks
> HIGHLIGHT ways to find mobile app vulnerabilities
1. Top 7 Mobile App Attacks and
How To Prevent Them
Sameer Dixit Managed Services
Chris Harget Product Marketing
2. Agenda
Enterprise Mobile App Trends
Top Mobile App Attacks
How To Be Safer
Cenzic, Inc. - Confidential, All Rights Reserved.
3. Mobile App Factoids
• ~14 billion tablet-app downloads in 2013 [1]
• ~82 billion smartphone-app downloads in 2013 [2]
• Average US smartphone user has 41 apps and spends 39 minutes/day using them [3]
• 91% of apps free, only 9% paid for – Gartner 2012
[1] ABI Research March 2013 prediction
[2] Portio Research March 2013 forecast
[3] Nielsen, http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html
4. Mobile User Service Options
Mobile-Optimized Web Sites
• HTML5 gives some cross-platform capability
• No install, convenient for low-usage apps
• Works with standard vulnerability scanning
Native Mobile Apps
• Native container => tighter integration
• More user commitment required to begin
• Requires mobile-specific vulnerability scanning
5. Mobile App Space Less Mature
• Fewer security experts than on Web apps
• Development practices often leave out security
• New kinds of data to secure (GPS, camera, microphone, texts, international calling)
6. Mobile App Security Is Harder
• Mobile devices are less physically secure
• Mobile traffic more likely to be visible to others
  – Through the air
7. Mobile Apps For Customers
• Shopping App
• Rewards Programs, Coupons
• Games/Marketing
• Account Management
8. Mobile Apps For Employees
• Email, Calendar, Contacts, Tasks
• Salesforce.com
• Order Entry
• Quoting Tool
• Field Support
• Inventory Tracking
• Point of Sale
• Field Enablement
• Approvals
• Collaboration
9. Mobile Apps For Partners
• Order Entry
• Order Tracking
• Technical Support
• Inventory Availability
• Lead Referral
• Product Catalogue
• Price List
10. Enterprise Mobile Apps Trends
• Give free apps to prospects/customers for acquisition/retention
  – The share of app revenue from in-app purchases will grow from 10% in 2011 to 41% in 2016 – Gartner
• By 2016, 25% of enterprises will have private app stores – Gartner, April 2013
  – Reduce risk from BYOD (Bring Your Own Device)
• Mobile apps often funded/developed by business units, not IT
11. Enterprise Mobile App Dev. Costs
• 54% of apps cost $25K-$100K.
12. Enterprise Mobile App Update Frequency
• 80% of respondents update mobile apps at least 2x/year.
  – Source: http://www.anypresence.com/Mobile_Readiness_Report_2013.php
13. Summing Up Trends
• Enterprises developing apps for many reasons
• Data and brand exposure increasing rapidly
• Mobile app security practices generally inadequate
14. Top 7 Mobile App Attacks
15. 1. Exploiting Unencrypted Data
• Sensitive plist, XML and SQLite files
• E.g., last logged-in user, address, usernames, GPS coordinates, photos, videos, etc.
• Stored passwords
16. 2. Excessive Access Privileges
• Some apps are unnecessarily granted access to the user's phone directory, calendar, GPS, camera, microphone, etc.
• => Theft of corporate info, fraud, and violation of privacy
17. 3. Exploiting Inputs That Are Not Validated
• SQL Injection
• XML Bombs
• Cross-Site Scripting
18. 4. Session Left Active When App Exited
• Poor session management
• User closes app, but is not logged out of server
• Attacker may pick up session and steal data, funds or merchandise
19. 5. Insecure Transmission
• GET request for username, account number, GPS coordinates, device UDID, user info, etc. … sent in the clear!
• Mobile traffic more likely to be visible to others than wired traffic
20. 6. Parameter Manipulation in Mobile Web Services
"Parameter Manipulation in REST Services"
• E.g., …/id/1234
• change to …/id/3456/
• Gives access to another ID's account
21. 7. Lack of Automated Lockouts
• Unlike Web apps, most mobile apps don't implement lockout capability after 3, 5 or 10 failed login attempts.
• PIN or password is often cached on the mobile device
• If someone gets control of your phone or tablet, they may be able to brute-force your app passwords without the server ever knowing
26. 1. Encrypt Data Storage
• Encrypt sensitive plist, XML and SQLite files that contain information such as the last logged-in user, address, usernames, GPS coordinates, photos and videos, etc.
27. 2. Restrict Access Privileges
• Restrict granting excess permissions and privileges to the application on the device.
• Example: disallow update access to the user's phone directory, calendar, GPS, camera, microphone, etc.
28. 3. Validate Inputs
• Ensure that the application validates all inputs, both at client and server side, to avoid issues such as XSS, SQL injection, XML bombs, information disclosure, etc.
29. 4. Manage Sessions Assertively
• In a native client-server mobile application, always invalidate the session after logout, both at the client and at the server side.
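Session invalidation on both sides, as an added example that is not part of the Cenzic deck: the server forgets the token at logout so a captured copy stops working, the client drops its local copy, and, going one step beyond the slide, a session left behind by an app that was simply closed expires after an idle period. The 10-minute idle limit and all class and function names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 10 * 60  # seconds; assumed value, tune per application


@dataclass
class Session:
    user: str
    last_seen: float


class SessionManager:
    """Server side. Tokens are random and opaque; the user mapping lives only here."""
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so expiry can be tested deterministically
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.clock())
        return token

    def authenticate(self, token):
        """Return the user for a live token (refreshing last_seen), else None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.clock() - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # stale session: app was closed without logging out
            return None
        s.last_seen = self.clock()
        return s.user

    def logout(self, token):
        """Server-side invalidation: the token dies even if a copy was captured."""
        return self._sessions.pop(token, None) is not None


class MobileClient:
    """Client side: tell the server, then forget the token instead of caching it."""
    def __init__(self, server):
        self.server, self.token = server, None

    def login(self, user):
        self.token = self.server.login(user)

    def logout(self):
        if self.token is not None:
            self.server.logout(self.token)  # server first, so the token is dead ...
            self.token = None               # ... before the local copy is dropped
```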
30. 5. Use POST Request For Sensitive Data
• Use an encrypted POST request rather than GET for sensitive information such as username, account number, GPS coordinates, device UDID, address, etc.
31. 6. Encrypt REST Parameters
• Obfuscate session-related info
• Use strict session management policies with tighter authorization boundary and privileges
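The …/id/1234 to …/id/3456 flaw from slide 20 and the authorization boundary this slide asks for, as an added example (not the deck's own code): the vulnerable handler trusts the id in the path, the hardened one checks that the session owner owns the account, and the session token is random so it reveals nothing about the user. Account data, usernames and function names are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed sample data: two users, two accounts.
ACCOUNTS = {
    1234: Account(1234, "alice", 500),
    3456: Account(3456, "bob", 900),
}
SESSIONS = {}  # opaque token -> username, held server-side only


def login(username):
    """Issue a random session token that carries no user or account identifier."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def get_account_vulnerable(path_id):
    """The slide's flaw: the id in the path is trusted, so 1234 -> 3456 reads Bob's data."""
    acct = ACCOUNTS.get(path_id)
    return (200, acct.balance) if acct else (404, None)


def get_account_hardened(token, path_id):
    """Authorization boundary: the session's owner must own the requested account."""
    user = SESSIONS.get(token)
    if user is None:
        return (401, None)
    acct = ACCOUNTS.get(path_id)
    if acct is None or acct.owner != user:
        # Same answer for "no such id" and "not yours", so valid ids cannot be enumerated.
        return (404, None)
    return (200, acct.balance)
```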
32. 7. Use Automated Lockouts
• If a mobile app login fails 5-10x in a row, lock out in some fashion, flag activity in app and server logs, etc.
• Lock the application for a period of time to avoid brute-force hacks
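The server-side half of this lockout, as an added example that is not from the Cenzic deck: consecutive failures are counted per account, the fifth failure locks the account for a period and writes a flagged log line, the lock holds even for the correct password, and the counter resets once the lock expires or a login succeeds. The thresholds, salt, credential store and names are assumptions.

```python
import hashlib
import hmac
import logging
import time
from dataclasses import dataclass

log = logging.getLogger("auth")
MAX_FAILURES = 5         # the slide suggests locking after 5-10 failures in a row
LOCK_SECONDS = 15 * 60   # assumed lock duration
SALT = b"constructed-demo-salt"  # a real store uses a random salt per user


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": _hash("correct horse")}  # constructed credential store


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the lock expiry can be tested
        self.state = {}

    def login(self, username, password):
        now = self.clock()
        st = self.state.setdefault(username, LockoutState())
        if now < st.locked_until:
            log.warning("LOCKED user=%s attempt_during_lock", username)
            return "locked"  # rejected even if the password is right
        if st.locked_until:  # a previous lock has expired: start counting afresh
            st.failures, st.locked_until = 0, 0.0
        candidate = _hash(password)  # hash even for unknown users: uniform timing
        stored = USERS.get(username)
        if stored is not None and hmac.compare_digest(stored, candidate):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCK_SECONDS
            log.warning("LOCKOUT user=%s failures=%d", username, st.failures)
            return "locked"
        return "denied"
```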
33. Cenzic Can Help
• Cenzic is a leading provider of Mobile Application Scanning Services.
• 10+ years
• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
• Cenzic experts conduct business logic and forensic analysis of mobile apps
34. Customers Rate Cenzic Higher
• 2013 Gartner surveyed App Security Testing customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!
35. Complete Enterprise Security by Cenzic
[Diagram: Enterprise Application Security across Pre-production & App Development, Production, and Partner / Supply Chain]