Security Testing Mobile Applications
Security Testing Mobile Applications

Due to the sensitive nature of the personal information often stored on mobile phones, security testing is vital when building mobile applications. Jeff Payne discusses some of the characteristics that make testing mobile applications unique and challenging. These characteristics include how mobile devices store data, fluid trust boundaries due to untrusted applications installed on the device, different and unique aspects of device security models, and differences in the types of threats one must be concerned with. Jeff shares hints and tips for effectively testing mobile applications. Tips include how to test for data privacy, secure session management, the presence of malicious applications, and traditional application security vulnerabilities. Leave with an understanding of what it takes to security test your mobile applications.

Document Transcript: Security Testing Mobile Applications

  • W6 Concurrent Session, 4/9/2014, 12:45 PM: “Security Testing Mobile Applications”
    Presented by: Jeff Payne, Coveros, Inc.
    Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073
    888‐268‐8770 ∙ 904‐278‐0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
  • Jeff Payne, Coveros, Inc.
    Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.
  • Security Testing Mobile Applications
    Jeffery Payne, Chief Executive Officer, Coveros, Inc.
    jeff.payne@coveros.com, www.coveros.com
    © Copyright 2013 Coveros, Inc. All rights reserved.
  • Bio: Jeffery Payne
    Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
  • About Coveros
    Coveros helps organizations accelerate the delivery of secure, reliable software.
    Our consulting services:
    – Agile software development
    – Application security
    – Software quality assurance
  • Areas of Expertise
    Agile services:
    – Agility assessments
    – Process improvement
    – Hands-on agile software development
    – Agile project management
    – Agile testing and automation
    – Agile training by role
  • What this talk is NOT about
    – Penetration testing
    – Testing tools
    – Test cases
  • What this talk IS about
    – Mobile threats
    – Mobile risks
    – Test strategy based on these
  • Agenda
    Mobile applications: the perfect security storm
    – Typical architecture(s)
    – A changing threat model
    Mobile risks and test strategies
    – Local storage
    – Session management
    – Untrusted clients
    – Native code
    – Mobile platforms
    – Traditional risks
    Getting more help
  • Mobile Apps: The Perfect Security Storm
    – Fat client concerns
    – Traditional software security concerns
    – Untrusted apps
    – Untrusted users
    – Traditional web security concerns
  • Mobile Apps: The Perfect Security Storm: A Changing Threat Model
    New Attack Profiles
    – Increased access by malicious users
    – Malicious 3rd party applications
    – Increased information for attacking application back-ends
    Fluid Trust Boundaries
    – Level of trust necessary to use 3rd party applications
    – Local access to sensitive data
    Nuances of Mobile Platforms
    – Differing security models
    – Different vulnerabilities due to programming languages
  • Mobile App Security: Mobile Risks
    Local storage
    – Storage of data (implicitly or explicitly) on a device
    Session management
    – Managing the on-going interactions between a mobile app user and the rest of a distributed environment
    Untrusted clients
    – Client requests might not be legitimate
    Native code
    – Native code is still prevalent in mobile applications
    Mobile platforms
    – How the device (and OS) configures and controls apps
    Traditional risks
    – Other risks we already know about
  • Mobile App Security: Best Practices: Do Not Allow Storage of Sensitive Data on Devices
    Why?
    – Devices use flash memory for local storage
    – External devices have global data permissions
    – Data encryption libraries and key management functions are often misused by developers
    – UI screens are captured and stored in “temporary” storage
    What to test/check for
    – Sensitive data is properly stored on back-end servers behind a firewall
    – Sensitive data is replaced on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
    – Encryption routines for any local data use a computational key derivation function for keys
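Two of the checks on the local-storage slide can be turned into code a tester can exercise directly. The following is an added example written for this transcript, not code from the slides or from Coveros; the iteration count, salt length and masking rule are assumptions chosen for illustration. It contrasts a key derived with a computational KDF (PBKDF2-HMAC-SHA256 from the Python standard library) against the unsalted single-hash anti-pattern the slide warns about, and shows the partial-data rendering the UI check asks for.

```python
"""Added example (not from the slides): local-storage key derivation and
UI masking checks.  Work factor and salt size are illustrative assumptions."""
import hashlib
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: illustrative work factor, tune per device class
KEY_LEN = 32                 # 256-bit key for the app's local-data cipher
MIN_SALT_LEN = 16            # assumption: per-installation salt of at least 128 bits


def new_salt() -> bytes:
    """Per-installation random salt; stored beside the ciphertext, never in code."""
    return secrets.token_bytes(MIN_SALT_LEN)


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Computational KDF: PBKDF2-HMAC-SHA256 over the passphrase and a random salt.

    Two installs with the same passphrase get different keys, and each guess
    costs the attacker `iterations` HMAC evaluations instead of one hash."""
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt too short")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def weak_key(passphrase: str) -> bytes:
    """The anti-pattern the slide describes: a bare, unsalted hash of the
    passphrase.  Every install that shares a passphrase shares this key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def mask_for_display(value: str, visible: int = 4) -> str:
    """Partial-data rendering for the UI: keep only the last `visible` digits,
    so a screenshot or cached screen does not expose the full value."""
    digits = "".join(ch for ch in value if ch.isdigit())
    hidden = max(len(digits) - visible, 0)
    return "*" * hidden + digits[hidden:]


if __name__ == "__main__":
    salt_a, salt_b = new_salt(), new_salt()
    print("distinct keys per install:", derive_key("pw", salt_a) != derive_key("pw", salt_b))
    print("weak key identical everywhere:", weak_key("pw") == weak_key("pw"))
    print(mask_for_display("4111 1111 1111 1234"))
```

The review point is the difference between the two key functions: with `weak_key`, recovering one installation's key recovers every installation that used the same passphrase, while `derive_key` ties the key to a salt that only exists on that device and makes each guess expensive.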
  • Mobile App Security: Best Practices: Make Sure Sessions are Managed Carefully
    Why?
    – Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
    – Untrusted applications that are malicious can compromise your applications if session management isn’t secure
    – People often leave their phones lying around …
    What to test/check for
    – Idle sessions are automatically terminated after no more than 5 minutes
    – Device identifier / MEID is not used as a session token
    – Token revocation is supported and works remotely
    – Session keys are temporary (to thwart ‘replay attacks’)
  • Mobile App Security: Best Practices: Assume No Client (or App) is Trustworthy
    Why?
    – The increased threat of mobile device compromise means no client / app requesting information can be trusted
    – Trusted apps may have been misconfigured to allow easy compromise
    What to test/check for
    – Lower levels of encryption (export grade) have been disabled on the backend servers
    – Test the integrity of all data received from a client or other application
    – Test that all data received from a user or client has been sanitized
    – Test that only the minimum amount of info is returned to clients when there is an error
    – Move all default directories on all servers
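The session-management and untrusted-client checks above describe behaviour that lives on the backend, so they are easiest to verify against a concrete implementation. The following is an added example written for this transcript, not code from the slides or from Coveros; the class names, the injectable clock and the shared HMAC key are assumptions. It implements the 5-minute idle limit from the slide, random per-login tokens (never the device ID), remote revocation, a single generic failure result, and an integrity check over data received from a client.

```python
"""Added example (not from the slides): a minimal server-side session store
plus a client-data integrity check.  Names and the clock hook are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_LIMIT_SECONDS = 5 * 60  # slide: idle sessions end after no more than 5 minutes


@dataclass
class Session:
    user_id: str
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so tests can move time forward
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        # A fresh random token per login: it is not derived from the device
        # identifier/MEID, so it cannot be predicted from the device and it
        # dies with the session, which is what defeats replay of an old token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, else None.

        Unknown, revoked and idle-expired tokens all yield the same None, so an
        error response carries the minimum information back to the client."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_LIMIT_SECONDS:
            s.revoked = True           # idle timeout: terminate, do not refresh
            return None
        s.last_seen = now
        return s.user_id

    def revoke(self, token: str) -> None:
        """Remote revocation: the server decides, wherever the device is."""
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True

    def revoke_user(self, user_id: str) -> int:
        """Kill every session of a user (lost phone); returns how many were live."""
        count = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                count += 1
        return count


# Integrity of data received from a client: the server verifies an HMAC over
# the payload with a key it issued to the app (key distribution is assumed).
def sign_payload(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_payload(key: bytes, payload: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(sign_payload(key, payload), tag)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("live:", store.validate(tok))
    store.revoke(tok)
    print("after revoke:", store.validate(tok))
```

A tester drives this the same way the slide's checklist reads: create a session, advance the clock past five minutes and confirm `validate` returns `None`; revoke from the server side and confirm the token stops working; tamper one byte of a signed payload and confirm `verify_payload` rejects it.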
  • Mobile App Security: Best Practices: Test Native Code for Known Vulnerabilities
    Why?
    – Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
    – Software written for Apple devices is written in Objective-C; Java can call native code
    – VMs often include vulnerabilities!
    What to test/check for
    – Check that Address Space Layout Randomization (ASLR) is being used to combat overflow attacks
    – Perform traditional secure code scanning on all native code
    – Recommend avoiding native code if possible
  • Mobile App Security: Best Practices: Understand Your Mobile Platform
    Why?
    – Each platform uses a different security model
    – Each platform manages applications differently
    What to understand
    – Learn how applications store data, protect it from access, and when data is physically deleted from the device
    – Understand the default configurations for applications, browsers, and communication protocols
    – Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
    – Understand how libraries are loaded and run (and in what order)
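The ASLR check on the native-code slide is usually done with `readelf -h` on an Android `.so` or `otool -hv` on an iOS binary; the added example below does the same header inspection offline so it can run in a test suite. It is written for this transcript and is not code from the slides or from Coveros. It reads only the file header: an ELF object can be randomized by the loader when its type is ET_DYN, and a 64-bit Mach-O when the MH_PIE flag is set. The two `_fake_*` helpers construct minimal headers so the example runs without real binaries.

```python
"""Added example (not from the slides): header check that a native binary is
position-independent, the property ASLR needs.  Sample headers are constructed."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address vs. position-independent
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O magic as an integer
MH_PIE = 0x00200000             # Mach-O header flag: randomizable at load


def elf_is_pie(data: bytes) -> bool:
    """ELF: e_ident[5] gives byte order, e_type (offset 16) must be ET_DYN."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type == ET_DYN


def macho64_is_pie(data: bytes) -> bool:
    """Mach-O 64: flags word at offset 24 must carry MH_PIE."""
    if len(data) < 32:
        raise ValueError("not a Mach-O 64 header")
    for endian in ("<", ">"):                  # accept either on-disk byte order
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic == MH_MAGIC_64:
            (flags,) = struct.unpack_from(endian + "I", data, 24)
            return bool(flags & MH_PIE)
    raise ValueError("not a Mach-O 64 header")


def aslr_ready(data: bytes) -> bool:
    """Dispatch on magic; True when the loader can randomize this binary's base."""
    if data[:4] == ELF_MAGIC:
        return elf_is_pie(data)
    return macho64_is_pie(data)


def _fake_elf64(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 header (little-endian, AArch64) for the example."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9   # class 64, LE, version 1
    return ident + struct.pack("<HHI", e_type, 0xB7, 1) + b"\x00" * 40


def _fake_macho64(flags: int) -> bytes:
    """Constructed 32-byte Mach-O 64 header (arm64 dylib) for the example."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 6, 0, 0, flags, 0)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "ASLR-ready:", aslr_ready(f.read(64)))
```

Run it with the paths of the native libraries extracted from the app package; a `False` for any of them is the finding the slide asks you to look for. The header bit is necessary but not sufficient: the platform must also enable randomization for the process, which is why the slide pairs this check with code scanning of the native parts.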
  • Mobile App Security: Best Practices: Don’t Forget About Traditional Risks
    Why?
    – Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
    – MySQL often ships with devices and is susceptible to SQL injection
    – Web vulnerabilities exist in thin client mobile apps
    What to test/check for
    – SQL injections
    – Web application security issues (XSS, CSRF, etc.)
  • Mobile App Security: Getting Smarter
    OWASP Mobile Security Project
    – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
    Coveros Labs – R&D in:
    – Secure mobile development
    – Malicious code analysis
    – Cloud security
    – http://www.coveros.com/content/coveros-labs
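The SQL injection item on the traditional-risks slide is the one most mobile testers meet first, because the app's backend is the same web service the browser front-end talks to. The added example below is written for this transcript and is not code from the slides or from Coveros; it uses an in-memory SQLite table constructed for the example. It shows the lookup in the string-concatenation form that fails the test beside the parameterized form that passes it, together with the assertion a tester would write to tell the two apart.

```python
"""Added example (not from the slides): a backend account lookup in vulnerable
and parameterized form, with a test that distinguishes them.  Table and rows
are constructed for the example."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, int]


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the backend's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 310)])
    return conn


def balances_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    # Concatenation: the caller's text is parsed as part of the SQL grammar, so
    # quote characters in the input can change which rows the query returns.
    query = ("SELECT username, balance FROM accounts WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchall()


def balances_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    # Parameterized: the value travels separately from the statement text, so
    # it is always compared as data and never interpreted as SQL.
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


def leaks_other_users(rows: List[Row], requested_user: str) -> bool:
    """The test oracle: a lookup for one user must never return another's row."""
    return any(user != requested_user for user, _ in rows)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"            # classic tester input containing a quote
    print("vulnerable leaks:", leaks_other_users(balances_vulnerable(db, probe), probe))
    print("safe leaks:", leaks_other_users(balances_safe(db, probe), probe))
```

The same oracle applies to any backend endpoint the mobile client calls: feed a value containing a quote, and if the response contains rows the caller should not see, the query is being built by concatenation and needs to be parameterized.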
  • Questions? Thank You
    Contact Information: Jeffery Payne, jeff.payne@coveros.com, 703.431.2920