SlideShare a Scribd company logo

Android in the healthcare workplace

Download as PPT, PDF
Thomas Richards
Thomas Richards

This document summarizes a case study where the author performed a security assessment of Android software used in a home health care company. The assessment found issues with authentication, authorization, encryption of data at rest and in transit, and lack of transport layer protection. The vendor was notified of the findings and planned to address them by implementing unique setup codes and SSL, though the current version still lacked SSL. The study demonstrated the importance of independently assessing mobile healthcare apps for security issues.

Technology
1 of 27
Android in the Healthcare Workplace: A Case Study Thomas Richards g13net@gmail.com OWASP 04/05/12 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
About me My name is Tom Twitter: @g13net Website: www.g13net.com Independent Vulnerability Researcher(at night!) 13 Published vulnerabilities with 5 CVE-IDs assigned IT Support Analyst (by day) OWASP 2
Why this talk? With the growth of mobile devices, companies are looking to capitalize on this for business purposes Very rapidly writing applications for these mobile platforms Security is a concern OWASP 3
What this talk is This talk is about a security assessment performed on a product my company uses This is not about the Android platform itself, or security issues with it OWASP 4
Background Home Health Company (visiting nurses) Transitioned from Laptop with thick client software to Mobile platform Flexibility and Mobility are huge for a 75% mobile workforce New product, rewritten for Android from Windows Mobile OWASP 5
HIPAA Concerns HIPAA is the word in Healthcare Need to Protect PHI Encryption! At Rest In Transit OWASP 6
Deploying Devices Deployed 250 Android Tablets Running Froyo (2.2) MDM Solutions No Imaging OWASP 7
About the software Runs on Android Not available in the market Clinicians sync to get data Patient data(records) are kept on the device Vendor stated data on the device was encrypted as well as data in transit OWASP 8
How did I perform this assessment? Android Emulator! Able to observe traffic in real time Used OWASP Mobile Top 10 and Web Top 10 as guidelines OWASP 9
Authentication and Authorization Only two pieces of information were needed to configure a device: Server name and Agent ID Agent IDs are sequential No way to validate an approved device is being configured Finding Server name and Agent ID would lead to complete compromise OWASP 10
Setup Screen OWASP 11
Password User’s password was configured and stored locally No complexity requirements OWASP 12
Data at rest I was able to determine that the data in the local database was encrypted (yay!) It was protected by the user’s password and using built in SQLite APIs for encrypting a database OWASP 13
Data in Transit No SSL! Using HTTP, they used POST methods to retrieve data from the server Now treat this as a web app also OWASP 14
Traffic capture screenshot OWASP 15
POST Request Screenshot OWASP 16
Interesting Side Note Going to sync1.vendor.com/falcon showed form based login prompt. Also not in HTTPs, tried to connect to it via Going to: sync1.vend.com/falcon/mobiledevicehandler.fal Displayed custom encoding OWASP 17
Session Handling No Cookies present. The server would not know if the request was proper which could lead to Replay attacks. OWASP 18
Insufficient Transport Layer Protection Obvious Issues Custom “encoding” After some RE, not encryption! (no key present) Some Plaintext available I was able to analyze their protocol. OWASP 19
Server name Identification Plaintext! OWASP 20
Agent ID Identification After observing traffic with different Agent IDs, I was able to determine where in the string it lived OWASP 21
Agent ID Identification Cont. Raw Hex: aa10ffffffff00010102633a1020000000000081 aa10ffffffff0001010264ee1020000000000081 Converting the hex “633a” and “64ee” to decimal revealed the Agent IDs. This coupled with Server Name in plaintext could lead to complete compromise of data OWASP 22
Server Identification No attempts were made to disguise the identity of web server and technology used OWASP 23
Notifying the Vendor Brought this to the attention of my boss who asked me to write it up Submitted write-up to the vendor CTO Came and stated they were aware of these issues (they lied to us in the beginning) OWASP 24
Vendor’s Plan Setup Codes Unique 8 character string generated on server end before setting up a device SSL (eventually) As of current version, still no SSL present. They stated it would have been in Dec 2011 release OWASP 25
Protecting Ourselves Ask vendor if the app has been independently assessed for security issues (companies specialize in this!) Assess the software yourself. OWASP 26
Thank you! OWASP 27

Recommended

Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Web Security 100
Web Security 100Web Security 100
Web Security 100
Eric Smith
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
Telefónica
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do s
E Hacking
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
Tommy Tracx Xaypanya
 
t r
t rt r
t r
electronicmingle01
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
Shivam Porwal
 

Recommended

Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Web Security 100
Web Security 100Web Security 100
Web Security 100
Eric Smith
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
Telefónica
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do s
E Hacking
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
Tommy Tracx Xaypanya
 
t r
t rt r
t r
electronicmingle01
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
Shivam Porwal
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
инструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программинструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программ
belhonka
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
Troubleshooting the Windows Installer
Troubleshooting the Windows Installer Troubleshooting the Windows Installer
Troubleshooting the Windows Installer
AppDetails
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019
Balázs Tatár
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
Haitham Raik
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Acs trb g42
Acs trb g42Acs trb g42
Acs trb g42
Marisela Da Silva
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
Luca Bongiorni
 
4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy
sunil kumar
 
PVS-Studio 7.12 New Features for Finding Safety and Security Threats
PVS-Studio 7.12 New Features for Finding Safety and Security ThreatsPVS-Studio 7.12 New Features for Finding Safety and Security Threats
PVS-Studio 7.12 New Features for Finding Safety and Security Threats
Andrey Karpov
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
Shreyas N
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
What If
What IfWhat If
What If
amyandavagrace5
 
Android in the healthcare workplace - GrrCON and DerbyCON
Android in the healthcare workplace - GrrCON and DerbyCONAndroid in the healthcare workplace - GrrCON and DerbyCON
Android in the healthcare workplace - GrrCON and DerbyCON
Thomas Richards
 

More Related Content

What's hot

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
инструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программинструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программ
belhonka
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019
Balázs Tatár
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
Haitham Raik
 
4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy
sunil kumar
 

What's hot (20)

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
инструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программинструкции и утилиты для удаления остатков антивирусных программ
инструкции и утилиты для удаления остатков антивирусных программ
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Troubleshooting the Windows Installer
Troubleshooting the Windows Installer Troubleshooting the Windows Installer
Troubleshooting the Windows Installer
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Acs trb g42
Acs trb g42Acs trb g42
Acs trb g42
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 
4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy
 
PVS-Studio 7.12 New Features for Finding Safety and Security Threats
PVS-Studio 7.12 New Features for Finding Safety and Security ThreatsPVS-Studio 7.12 New Features for Finding Safety and Security Threats
PVS-Studio 7.12 New Features for Finding Safety and Security Threats
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
 
Owasp
Owasp Owasp
Owasp
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
 

Viewers also liked

Time management inspiration
Time management inspirationTime management inspiration
Time management inspiration
Suvorov
 
Curso entornos saludables
Curso entornos saludablesCurso entornos saludables
Curso entornos saludables
Adriana Grosso
 
Cosmoprof 2012 - Le tendenze del packaging
Cosmoprof 2012 - Le tendenze del packagingCosmoprof 2012 - Le tendenze del packaging
Cosmoprof 2012 - Le tendenze del packaging
Multiconsult S.r.l.
 

Viewers also liked (8)

What If
What IfWhat If
What If
 
Android in the healthcare workplace - GrrCON and DerbyCON
Android in the healthcare workplace - GrrCON and DerbyCONAndroid in the healthcare workplace - GrrCON and DerbyCON
Android in the healthcare workplace - GrrCON and DerbyCON
 
Picking blackberries
Picking blackberriesPicking blackberries
Picking blackberries
 
Time management inspiration
Time management inspirationTime management inspiration
Time management inspiration
 
Curso entornos saludables
Curso entornos saludablesCurso entornos saludables
Curso entornos saludables
 
Portfolio2012
Portfolio2012Portfolio2012
Portfolio2012
 
Offset.az Price List
Offset.az Price ListOffset.az Price List
Offset.az Price List
 
Cosmoprof 2012 - Le tendenze del packaging
Cosmoprof 2012 - Le tendenze del packagingCosmoprof 2012 - Le tendenze del packaging
Cosmoprof 2012 - Le tendenze del packaging
 

Similar to Android in the healthcare workplace

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
Positive Hack Days
 

Similar to Android in the healthcare workplace (20)

OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Jump-Start The MASVS
Jump-Start The MASVSJump-Start The MASVS
Jump-Start The MASVS
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
mobsf.pdf
mobsf.pdfmobsf.pdf
mobsf.pdf
 
Toronto node js_meetup
Toronto node js_meetupToronto node js_meetup
Toronto node js_meetup
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 

Android in the healthcare workplace

  • 1. Android in the Healthcare Workplace: A Case Study Thomas Richards g13net@gmail.com OWASP 04/05/12 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. About me My name is Tom Twitter: @g13net Website: www.g13net.com Independent Vulnerability Researcher(at night!) 13 Published vulnerabilities with 5 CVE-IDs assigned IT Support Analyst (by day) OWASP 2
  • 3. Why this talk? With the growth of mobile devices, companies are looking to capitalize on this for business purposes Very rapidly writing applications for these mobile platforms Security is a concern OWASP 3
  • 4. What this talk is This talk is about a security assessment performed on a product my company uses This is not about the Android platform itself, or security issues with it OWASP 4
  • 5. Background Home Health Company (visiting nurses) Transitioned from Laptop with thick client software to Mobile platform Flexibility and Mobility are huge for a 75% mobile workforce New product, rewritten for Android from Windows Mobile OWASP 5
  • 6. HIPAA Concerns HIPAA is the word in Healthcare Need to Protect PHI Encryption! At Rest In Transit OWASP 6
  • 7. Deploying Devices Deployed 250 Android Tablets Running Froyo (2.2) MDM Solutions No Imaging OWASP 7
  • 8. About the software Runs on Android Not available in the market Clinicians sync to get data Patient data(records) are kept on the device Vendor stated data on the device was encrypted as well as data in transit OWASP 8
  • 9. How did I perform this assessment? Android Emulator! Able to observe traffic in real time Used OWASP Mobile Top 10 and Web Top 10 as guidelines OWASP 9
  • 10. Authentication and Authorization Only two pieces of information were needed to configure a device: Server name and Agent ID Agent IDs are sequential No way to validate an approved device is being configured Finding Server name and Agent ID would lead to complete compromise OWASP 10
  • 11. Setup Screen OWASP 11
  • 12. Password User’s password was configured and stored locally No complexity requirements OWASP 12
  • 13. Data at rest I was able to determine that the data in the local database was encrypted (yay!) It was protected by the user’s password and using built in SQLite APIs for encrypting a database OWASP 13
  • 14. Data in Transit No SSL! Using HTTP, they used POST methods to retrieve data from the server Now treat this as a web app also OWASP 14
  • 17. Interesting Side Note Going to sync1.vendor.com/falcon showed form based login prompt. Also not in HTTPs, tried to connect to it via Going to: sync1.vend.com/falcon/mobiledevicehandler.fal Displayed custom encoding OWASP 17
  • 18. Session Handling No Cookies present. The server would not know if the request was proper which could lead to Replay attacks. OWASP 18
  • 19. Insufficient Transport Layer Protection Obvious Issues Custom “encoding” After some RE, not encryption! (no key present) Some Plaintext available I was able to analyze their protocol. OWASP 19
  • 21. Agent ID Identification After observing traffic with different Agent IDs, I was able to determine where in the string it lived OWASP 21
  • 22. Agent ID Identification Cont. Raw Hex: aa10ffffffff00010102633a1020000000000081 aa10ffffffff0001010264ee1020000000000081 Converting the hex “633a” and “64ee” to decimal revealed the Agent IDs. This coupled with Server Name in plaintext could lead to complete compromise of data OWASP 22
  • 23. Server Identification No attempts were made to disguise the identity of web server and technology used OWASP 23
  • 24. Notifying the Vendor Brought this to the attention of my boss who asked me to write it up Submitted write-up to the vendor CTO Came and stated they were aware of these issues (they lied to us in the beginning) OWASP 24
  • 25. Vendor’s Plan Setup Codes Unique 8 character string generated on server end before setting up a device SSL (eventually) As of current version, still no SSL present. They stated it would have been in Dec 2011 release OWASP 25
  • 26. Protecting Ourselves Ask vendor if the app has been independently assessed for security issues (companies specialize in this!) Assess the software yourself. OWASP 26
  • 27. Thank you! OWASP 27