Mobile application security


Presentation by EY infosec experts Kristof Dewulf and Yannick Scheelen about mobile application security.
Agoria Alliance WG Meeting 20/11/13

Transcript

  • 1. Mobile application security
    App Alliance WG Meeting, 20 November 2013
    Kristof Dewulf, Yannick Scheelen
  • 2. Security weaknesses and vulnerabilities
    Mobile devices
    ► Smartphone sales are increasing (chart of smartphone OS share in %, 3Q12 vs 3Q13; source: Gartner.com)
      Android 72.6% (3Q12) to 81.9% (3Q13); iOS 14.3% to 12.1%; Microsoft 2.3% to 3.6%; Blackberry 5.2% to 1.8%
    ► Malware goes mobile (chart of the number of variants in 2010, 2011 and 2012 for TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer; source: Eset.com)
    ► Security threats and malware are constantly present (timeline of incidents, 2012 to 2013)
      ► Weakness in SSL cert handling exposes data to interception (iOS)
      ► NotCompatible gains access to local network preferences (Android)
      ► LuckyCat opens a backdoor that allows remote access (Android)
      ► Lock screen of iPhone can be circumvented (iOS)
      ► The Android “Master Key” Exploit
      ► iOS 7 Lock Screen Vulnerability Discovered
      ► HTC phone vulnerability leaks personal data (Android)
      ► FakeInst SMS Trojan cost end-users 30 Million dollars (Android)
      ► SMSzombie that abuses China’s SMS payment (Android)
      ► Apparent security certificate turns out to be Android malware
      ► Banking Trojans disguise attack targets in the cloud
    Page 2 EY - App Alliance WG meeting – 20 November
  • 3. Application weaknesses and vulnerabilities
    More than meets the eye
    ► Bypass authentication or authorization controls
    ► Bypass validations or manipulate application business logic
    ► Application code review
    Most tests stop here… or here. What about:
    ► Injection attacks?
    ► Session management?
    ► Side channel data leakage?
    ► Sensitive information disclosure?
    ► SSL/TLS?
    ► Insecure data storage?
    ► Phishing attacks?
    ► Application and library permissions?
  • 4. Mobile Application Security
    Most common issues
    1. There is too much business logic in the application
       ► The mobile device holds the actual application binary
       ► It is safer to perform business logic validation on central systems (e.g. web service/web server)
    2. SSL/TLS not implemented, or not properly implemented
       ► Certificate validity is often not checked
       ► Consider certificate pinning – it works perfectly for mobile apps!
    3. Insecure local data storage
       ► Passwords stored in databases
       ► Personal information is stored without consent of the user (re privacy legislation)
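The first issue on this slide, as an added Python example that is not code from the presentation: a checkout endpoint where the vulnerable handler charges whatever total the app computed, while the hardened handler recomputes the amount from a server-side catalog and discount table and ignores every price field the client sends. The catalog, discount codes and request payloads are constructed sample values.

```python
"""Keep business-logic validation on the server, not in the mobile app.

Added example; it is not code from the EY presentation. It models the checkout
endpoint behind a shopping app. The vulnerable handler trusts the total the app
computed; whoever holds the binary can change that number in the app or in a
proxied request. The hardened handler recomputes the amount from server-side
data only. CATALOG, DISCOUNT_CODES and the requests are constructed samples.
"""
from decimal import Decimal


# Constructed server-side price list: the only trusted source of prices.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}
# Constructed discount table: the app may name a code, never a rate.
DISCOUNT_CODES = {"WELCOME10": Decimal("0.10")}
MAX_QTY = 100


class OrderError(ValueError):
    """Raised when a request fails server-side validation."""


def vulnerable_checkout(req):
    """Trusts the client: charges whatever 'total' the app sent."""
    return Decimal(str(req["total"]))


def hardened_checkout(req):
    """Recomputes the charge from trusted data; client-sent prices are ignored."""
    sku = req.get("sku")
    if not isinstance(sku, str) or sku not in CATALOG:
        raise OrderError("unknown sku")
    qty = req.get("qty")
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise OrderError("invalid quantity")
    rate = Decimal("0")
    code = req.get("discount_code")
    if code is not None:
        if code not in DISCOUNT_CODES:
            raise OrderError("invalid discount code")
        rate = DISCOUNT_CODES[code]
    subtotal = CATALOG[sku] * qty
    return (subtotal * (1 - rate)).quantize(Decimal("0.01"))


# Constructed request as a tampered app (or an intercepting proxy) might send it:
# the extra fields carry a 99% discount and a total of one cent.
TAMPERED_REQUEST = {
    "sku": "sku-100",
    "qty": 2,
    "unit_price": "0.01",
    "discount": "0.99",
    "total": "0.01",
}


def run_demo():
    """Returns the charge each handler computes for the tampered request,
    plus whether the hardened handler rejects an out-of-range quantity."""
    results = {
        "vulnerable": str(vulnerable_checkout(TAMPERED_REQUEST)),
        "hardened": str(hardened_checkout(TAMPERED_REQUEST)),
    }
    try:
        hardened_checkout({"sku": "sku-100", "qty": 0})
        results["zero_qty_rejected"] = False
    except OrderError:
        results["zero_qty_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())  # vulnerable charges 0.01, hardened charges 39.98
```

The hardened handler accepts only identifiers (a SKU, a quantity, a discount code) and derives every amount itself; that is the shape of the "validation on central systems" the slide recommends, and it makes a tampered binary irrelevant to what gets charged.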
  • 5. Mobile Application Security Testing
    Our approach
    Mobile device
    Objective: identify vulnerabilities in the application (Android, iOS or Windows).
    ► Reverse engineer the binary using tools such as:
      ► Clang (static code)
      ► GDB
      ► IDA (Pro)
      ► Class-dump-z
      ► …
      and investigate the source code for passwords, server-side keys, … but also learn how the application works!
    ► Perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages, …
    ► Verify the application’s permissions.
    ► Analyze the application’s business logic.
    Communication channel
    Objective: identify vulnerabilities in the data communication channel.
    ► Mobile applications are highly likely to operate on insecure wireless networks.
    ► It is essential to review the network protocols the application uses to communicate with the server-side application.
    ► The use of SSL/TLS is confirmed both through code review and the Burp Suite proxy tool.
    Server-side controls
    Objective: identify vulnerabilities on the server side of the mobile application.
    ► Perform an in-depth penetration test of the server-side application.
    ► Perform an in-depth penetration test of the web services or API services.
    ► Use the information found on the local device to leverage our success.
    ► Perform security tests similar to other web application tests (e.g. session management, authentication management, …).
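The data-analysis step of the "Mobile device" column, as an added Python example that is not EY's own tooling: a scanner that walks an app's data directory, reads SQLite databases table by table (a raw text search over the database file never sees a column name next to its value) and matches constructed patterns for clear-text passwords and bearer tokens in logs and caches. The sample sandbox it builds (an app.db with a clear-text password, a net.log that captured a token, and a harmless preferences file) and the patterns themselves are constructed for the demo; on a real review the root would be the app's data directory copied from a test device.

```python
"""Look for sensitive data at rest in a mobile app's local storage.

Added example; it is not EY's tooling. It implements the "data analysis" step
from the slide: walk the app's data directory (databases, logs, caches, ...)
and report files where credentials or tokens sit in clear text. SQLite files
are read table by table, because a raw text search over the database file
never sees a column name next to its value. The directory layout, file
contents and detection patterns are constructed for this demo.
"""
import os
import re
import sqlite3
import tempfile

# Constructed detection patterns; tune them to the application under review.
SENSITIVE_PATTERNS = {
    "password_field": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "api_key": re.compile(r"(?i)\b(api[_-]?key|secret)\s*[=:]\s*[A-Za-z0-9]{16,}"),
}
SQLITE_MAGIC = b"SQLite format 3\x00"


def match_text(rel_path, text):
    """Returns (file, pattern-name) pairs for every pattern found in text."""
    return [(rel_path, name) for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]


def scan_sqlite(path, rel_path):
    """Dumps each row as 'column=value' pairs so a column called 'password'
    is matched together with the value stored in it."""
    findings = set()
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            cur = con.execute(f"SELECT * FROM {quoted}")
            cols = [d[0] for d in cur.description]
            for row in cur:
                line = " ".join(f"{c}={v}" for c, v in zip(cols, row))
                findings.update(match_text(rel_path, line))
    finally:
        con.close()
    return findings


def scan_directory(root):
    """Walks root and returns a sorted list of (relative file, pattern-name) findings."""
    findings = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel_path = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(SQLITE_MAGIC):
                findings.update(scan_sqlite(path, rel_path))
            else:
                # Lenient decode: logs and caches are often not clean UTF-8.
                findings.update(match_text(rel_path, data.decode("utf-8", "ignore")))
    return sorted(findings)


def build_sample_app_dir():
    """Creates a constructed app sandbox: a users table holding a clear-text
    password, a network log that captured a bearer token, and a harmless
    preferences file. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="appdata-")
    for sub in ("databases", "logs", "shared_prefs"):
        os.makedirs(os.path.join(root, sub))
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hunter2')")  # constructed row
    con.commit()
    con.close()
    with open(os.path.join(root, "logs", "net.log"), "w") as fh:
        fh.write("2013-11-20 10:01:02 GET /api/me "
                 "Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123\n")  # constructed
    with open(os.path.join(root, "shared_prefs", "ui.xml"), "w") as fh:
        fh.write('<map><string name="theme">dark</string></map>\n')
    return root


if __name__ == "__main__":
    for rel_path, pattern in scan_directory(build_sample_app_dir()):
        print(f"{rel_path}: {pattern}")
```

Run against the constructed sandbox it reports the password column in databases/app.db and the bearer token in logs/net.log and stays silent on the preferences file; the same walk, pointed at a real app's data directory, is the check that backs the slide's "insecure local data storage" finding.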
  • 6. EY
    Our recommendations
    ► Developers: start with security in mind!
    ► Understand the threats:
      ► On the application
      ► On the channel
      ► On the server side
    ► Don’t store sensitive data on the device
      ► without consent of the user and without the ability for the user to remove his/her personal information
    ► Understand the mobile platform of your application
    ► Understand your audience
    ► Assess your application
  • 7. Contact details