Your SlideShare is downloading. ×
0
Mobile application security
App Alliance WG Meeting
20 November 2013
Kristof Dewulf
Yannick Scheelen
Security weaknesses and vulnerabilities
Mobile devices
Smartphone sales are increasing

►

3Q13

%
100

81.9

80

3Q12

►
...
Application weaknesses and vulnerabilities
More than meets the eye

►

Bypass
authentication or
authorization
controls
Byp...
Mobile Application Security
Most common issues
1. There is too much business logic in the application
►
►

The mobile devi...
Mobile Application Security Testing
Our approach
Communication channel

Mobile Device
Objective: Identify vulnerabilities ...
EY
Our recommendations
►
►

Developers: start with security in mind!
Understand the threats:
►
►
►

►

On the application
...
Contact details

Page 7
Upcoming SlideShare
Loading in...5
×

Mobile application security

705

Published on

Presentation by EY infosec experts Kristof Dewulf and Yannick Scheelen about mobile applications security.
Agoria Alliance WG Meeting 20/11/13

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
705
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
13
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Mobile application security"

  1. 1. Mobile application security App Alliance WG Meeting 20 November 2013 Kristof Dewulf Yannick Scheelen
  2. 2. Security weaknesses and vulnerabilities Mobile devices Smartphone sales are increasing ► 3Q13 % 100 81.9 80 3Q12 ► Malware goes mobile Source: Gartner.com Source: Eset.com TrojanSMS.Agent TrojanSMS.Boxer 72.6 DroidKungFu 60 40 FakePlayer 12.114.3 20 3.6 2.3 1.8 5.2 Microsoft Blackberry 0 0 Android iOS Variants in 2012 20 40 60 80 Variants in 2011 100 120 140 160 Variants in 2010 Security threats and malware are constantly present ► August April July February July September ► Weakness in SSL cert handling exposes data to interception (iOS) ► NotCompatible gains access to local network preferences (Andriod) ► LuckyCat opens a backdoor that allows remote acces (Android) ► Lock screen of iPhone can be circumvented (iOS) ► The Android “Master Key” Exploit ► iOS 7 Lock Screen Vulnerability Discovered 2013 2012 2014 September May July April September ► HTC phone vulnerability leaks personal data (Android) ► FakeInst SMS Trojan cost end-users 30 Miljon dollars (Android) ► SMSzombie that abuses china’s SMS payment (Android) ► Apparent security certificate turns out to be Android malware ► Banking Trojans disguise attack targets in the cloud Page 2 EY - App Alliance WG meeting – 20 November
  3. 3. Application weaknesses and vulnerabilities More than meets the eye ► Bypass authentication or authorization controls Bypass validations or manipulate application business logic Application code review Page 3 ► ...or here ► What about injection attacks? ► Session management? ► Side channel data leakage? ► Sensitive information disclosure? ► SSL/ Insecure TLS data storage Most tests stop here… Phishing attacks? ► Application and library permissions? EY - App Alliance WG meeting – 20 November
  4. 4. Mobile Application Security Most common issues 1. There is too much business logic in the application ► ► The mobile devices hold the actual application binary It’s safer to perform business logic validation on central systems (e.g. web service/web server) 2. SSL/TLS not/not properly implemented ► ► Certificates’ validity are not often checked Consider certificate pinning – works perfect for mobile apps! 3. Insecure local data storage ► ► Page 4 Passwords stored in databases Personal information is stored without consent of the user (re Privacy legislation) EY - App Alliance WG meeting – 20 November
  5. 5. Mobile Application Security Testing Our approach Communication channel Mobile Device Objective: Identify vulnerabilities on the applications - Android, iOS or Windows. Server-side controls Objective: Identify vulnerabilities on the data communication channel. Objective: Identify vulnerabilities on the server side of the mobile application. Reverse engineer the binary using tools such as: ► Clang (static code) ► GDB ► IDA (Pro) ► Class-dump-z ► … ► Mobile applications are highly likely to operate on insecure wireless networks. ► Perform an in-depth penetration test of the server-side application. ► It is essential to review the network protocols the application uses to communicate with the server-side application. ► Perform an in-depth penetration test of the web services or API services. ► Use the information found on the local device to leverage our success. and investigate the source code for passwords, server-side keys, … but also learn how the application works! ► ► ► Perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages, … ► Verify application’s permissions. ► Analyze application’s business logic. ► The use of SSL/TLS is confirmed both though code review and the Burp Suite proxy tool. Perform security tests similar to other web applications tests (e.g. session management, authentication management, …). Page 5 EY - App Alliance WG meeting – 20 November
  6. 6. EY Our recommendations ► ► Developers: start with security in mind! Understand the threats: ► ► ► ► On the application On the channel On the server side Don’t store sensitive data on the device ► without consent of the user and without the ability for the user to remove his/her personal information ► Understand the mobile platform of your application Understand your audience ► Assess your application ► Page 6 EY - App Alliance WG meeting – 20 November
  7. 7. Contact details Page 7
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×