Security – Enterprise Mobile Applications
Venkat Alagarsamy
venkat.email@example.com
/in/VenkatAlagarsamy
www.scribd.com/VenkatAlagarsamy
www.facebook.com/Venkatachalapathi.Alagarsamy
www.slideshare.net/VenkatAlagarsamy
www.twitter.com/TwitsOfVenkat
VenkatAlagarsamy.blogspot.in
Last Updated: 18th Jan 2013
Corporate Data Users
• It is a business fact that nearly 60% of all corporate employees access content through public networks using phones, tablets and other hand-held devices.
• Other than employees, customers and vendors too access the corporate database anywhere, anytime, on any device.
• Public
Statistics
• 80% of corporate users use the device without knowing the security threats.
• 80% of corporate users use a jailbroken device.
• 70% of users do not have anti-virus on their device.
• There is a 70% possibility that the application gets misused.
• 55% of users lose sensitive credentials and corporate data to a hacker.
The Challenge
The rapid adoption of mobile applications by corporates has created a significant security challenge because corporate data is accessed outside of the firewall/DMZ. So the challenges to corporate mobile application developers are:
How do I secure a mobile application with/without limited users?
How do I secure the application itself?
What is to be developed as a mobile application?
How should I provision this application to users?
Attacks – Device Based
• Device based attacks
  – Misplaced or lost device
    • Unencrypted credentials
    • Insecure storage
    • Cached data
  – Malware installation due to downloading unknown applications
    • Malicious certificates
    • Reconfigured proxy settings, or
    • Man-in-the-middle (MiTM) visibility into every user transaction.
Attacks – Network and Server Based
• Identity Spoofing (IP address spoofing)
  – Using special programs, the attacker constructs IP packets that appear to originate from valid addresses inside the corporate intranet.
  – After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data.
• Password Attacks
  – Obtain lists of valid user and computer names and network information.
  – Modify server and network configurations, including
Attacks – Network and Server Based
• Denial-of-Service Attack
  – Divert the attention of the corporate internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
  – Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
  – Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
  – Block traffic, which results in a loss of access to network resources by authorized users.
Attacks – Network and Server Based
• Man-in-the-Middle Attack
  – Actively monitoring, capturing, and controlling all communication and re-routing a data exchange
• Compromised-Key Attack
  – By obtaining the compromised key, the attacker can decode any secured encrypted data and then use the data as required.
• Sniffer Attack
  – Analyze the network and gain information to eventually cause the network to crash or to become corrupted.
  – Read transaction/data communications.
Attacks – Network and Server Based
• Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of the application, system, or network, and can do any of the following:
  – Read, add, delete, or modify data or the operating system.
  – Introduce a virus program that uses corporate computers and software applications to copy viruses throughout the corporate network.
  – Introduce a sniffer program to analyze the network and gain information that can eventually be used to crash or corrupt legacy systems and the network.
Device Security – Reverse Engineering
• Understand the logic and the application's security weaknesses
• Look for keywords like password, key, SQL and security logic (AES/DES)
• Modify the code to bypass client-side checks and rebuild the app
• Send requests with altered data packets from the modified app
• Steps: Get Executable, Understand the technology
Device Security – Reverse Engineering – Tools Used
OS      | De-compressor | Object -> Class -> Functions | Editor
Windows | Winzip        | ILSpy                        | Visual Studio, Notepad
        | Obfuscator: preemptive.com/products/dotfuscator/overview, confuser.codeplex.com/
Android | Winzip        | Dex2Jar and JD-GUI           | Notepad
        | Obfuscator: http://proguard.sourceforge.net/
iOS     | iExplorer     | OTool and Class-dump-z       |
Device Security – Malwares
Malwares (worms and Trojans) are installed on the device either by SMS/MMS or by untrusted application downloads. They can:
• Destroy the operating system
• Provide misleading information
• Steal data/cookies
• Deactivate other trusted applications
• Plant spyware to spy on calendars, email accounts, notes etc.
Device Security – Malware Samples
Virus Name | OS | Symptom, Propagation and Damages
Cabir | Symbian | Displays 'Caribe' whenever the phone is turned on. Spreads to other phones using Bluetooth.
Duts | Windows | Affects EXE files larger than 4KB.
Skulls (Trojan) | Windows | Replaces all icons with an image of a skull.
Commwarrior | Symbian | Spreads by MMS and Bluetooth. Hunts devices running Bluetooth and sends infected files.
Gingermaster (Trojan) | Android | Hidden malware. Steals device details and sends them to a remote server.
DroidKungFu (Trojan) | Android | Gets root privileges and installs com.google.ssearch.apk, which removes files, opens and auto-downloads some applications. It also sends device data to a remote server.
Device Security – Some Best Practices (User)
• Download applications from the official application store only. Otherwise you expose yourself, and your mobile phone software provider does not protect you.
• Don't jailbreak or root the device. If cracked software is installed you are inheriting a risk.
• Install an antivirus. Antivirus protects the device against apps that try to steal data.
• Before installing an application from the application store, understand and agree to the application's device/data usage.
• Disable Bluetooth and other wireless components when not in use.
Device Security – Enterprise Application Design Practices
• Should adhere to the corporate password policy
• Transfer data only through SSL or VPN (use VPN if possible)
• Auto-disable all unwanted components like Bluetooth when not required
• Make sure there is no memory leakage
• Do not store any critical data offline. If required, encrypt the data and store it using an encrypted database like SQLCipher
• Ensure the device is registered for using the application
• Ensure the user logged in is the right user to use the device and application
• Provide single sign-on
• Provide remote wipe if the device is lost
• Use a dynamic key for encryption of in/out data where the key is controlled by the server
• Do not use any special characters or SQL in posted data
Network Security
It is a set of activities designed to protect the network for its:
• Usability
• Reliability
• Integrity
• Safety
from threats like:
• Viruses, worms, and Trojan horses
• Spyware and adware
• Zero-day attacks, also called zero-hour attacks
• Denial of service attacks
• Data interception and theft
• Identity theft
Network Security Components
• Multiple layers of security. If one fails, the others still stand.
• Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect from emerging threats.
• Network security components often include:
  – Anti-virus and anti-spyware
  – Firewall, to block unauthorized access to your network (DMZ)
  – Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks
Attackers – How Do They Do It?
• The most popular attacks use
  – Reverse Engineering
  – Cross-site scripting (XSS)
  – SQL Injection
Cross-site Scripting – XSS Types
• Stored XSS Attacks – Permanently store injected code in targeted components like a database, message forum, visitor log, comment field, etc.
• Reflected XSS Attacks – Injected code is reflected off the web server
  – As a response such as an error message, search result etc.
  – In an e-mail message
When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
XSS – Prevention Summary
Data Type: String | Context: HTML Body
  Code sample: <span>UNTRUSTED DATA</span>
  Defense:
  • HTML Entity Encoding
Data Type: String | Context: Safe HTML Attributes
  Code sample: <input type="text" name="fname" value="UNTRUSTED DATA">
  Defense:
  • Aggressive HTML Entity Encoding
  • Only place untrusted data into a white list of safe attributes
  • Strictly validate unsafe attributes such as background, id and name
Data Type: String | Context: GET Parameter
  Code sample: <a href="/site/search?value=UNTRUSTED DATA">clickme</a>
  Defense:
  • URL Encoding
Data Type: String | Context: Untrusted URL in a SRC
  Code sample: <a href="UNTRUSTED URL">clickme</a>
  Defense:
  • Canonicalize input
  • URL Validation
  • Safe URL verification
  • Whitelist http and https URLs only (Avoid
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
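The rules in the summary above, applied one context at a time, as an added example written for this deck (it is not the deck's or OWASP's code). It uses only the Python standard library; the function names, the SAFE_ATTRIBUTES whitelist and the sample inputs are constructed here. The unsafe body renderer is kept only to show the defect that entity encoding removes.

```python
"""Context-aware output encoding of untrusted data: HTML body, whitelisted
attribute, GET parameter, and untrusted URL in an href/src.  Added example,
not the original deck's code; SAFE_ATTRIBUTES and the helper names are assumptions."""
import html
from urllib.parse import quote, urlsplit

# Attributes that may carry entity-encoded untrusted data at all.
# Constructed whitelist: background, id and name are deliberately absent.
SAFE_ATTRIBUTES = {"value", "title", "alt", "placeholder"}


def render_body_unsafe(untrusted: str) -> str:
    """The defect the table guards against: untrusted data inlined as-is."""
    return f"<span>{untrusted}</span>"


def render_body(untrusted: str) -> str:
    """HTML body context: entity-encode &, <, >, double and single quotes."""
    return f"<span>{html.escape(untrusted, quote=True)}</span>"


def aggressive_encode(untrusted: str) -> str:
    """Attribute context: encode every non-alphanumeric character as &#xHH;,
    so the value can never close the attribute or start a new one."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in untrusted)


def render_attribute(attr: str, untrusted: str) -> str:
    """Only a whitelisted attribute may receive untrusted data; the value is
    aggressively encoded on top of that."""
    if attr not in SAFE_ATTRIBUTES:
        raise ValueError(f"attribute {attr!r} is not in the safe whitelist")
    return f'<input type="text" name="fname" {attr}="{aggressive_encode(untrusted)}">'


def render_search_link(untrusted: str) -> str:
    """GET parameter context: percent-encode the value (safe="" also encodes '/'),
    then entity-encode it because the URL sits inside an HTML attribute."""
    param = quote(untrusted, safe="")
    return f'<a href="/site/search?value={html.escape(param, quote=True)}">click me</a>'


def render_untrusted_url(untrusted_url: str) -> str:
    """Untrusted URL in a SRC/HREF: canonicalize, then whitelist http/https.
    javascript:, data:, scheme-relative and relative URLs are all rejected."""
    parts = urlsplit(untrusted_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"URL scheme {scheme!r} is not allowed")
    canonical = parts._replace(scheme=scheme, netloc=parts.netloc.lower()).geturl()
    return f'<a href="{html.escape(canonical, quote=True)}">click me</a>'


if __name__ == "__main__":
    # Constructed sample of hostile input seen in a request parameter.
    sample = '<img src=x onerror="alert(1)">'
    print(render_body_unsafe(sample))   # markup survives: the bug
    print(render_body(sample))          # inert text
    print(render_attribute("value", sample))
    print(render_search_link("a b&c=d"))
    print(render_untrusted_url("HTTPS://Example.com/x?a=1&b=2"))
```

The whitelist in `render_untrusted_url` is strict on purpose: rejecting relative and scheme-relative URLs costs a little convenience but removes an entire class of bypasses, which is the trade-off the summary's "whitelist http and https only" rule makes.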
XSS Prevention – Testing Tools
• Commercial License:
  o Veracode Dynamic Scanner
  o Whitehat
  o HP WebInspect
  o Cenzic Hailstorm
  o IBM AppScan
  o NTOSpider
  o Qualys
  o Burp Professional
• Free/Open Source:
  o W3af
  o XSS-Me and Access-Me
  o OWASP ZAP
  o Skipfish
  o Wfuzz
  o Reference for more tools :
SQL Injection
• SQL Injection Attack (SQLIA) is one of the top 10 vulnerabilities identified by OWASP.
• It is the insertion of SQL into a posted request from the client application to the server.
• By injecting SQL, the attacker can
  – Read sensitive database contents
  – Modify (insert/update/delete) the database
  – Execute admin operations
  – Alter the DB structure
  – Bypass user authentication
Sub Classes of SQLIA
• Classic SQLIA
• Inference SQL injection
• Interacting with SQL injection
• Database management system-specific SQLIA
• Compounded SQLIA
  – SQL injection + insufficient authentication
  – SQL injection + DDoS attacks
Source: http://en.wikipedia.org/wiki/SQL_injection
Prevention of SQL Injection – Primary Defense
• Prepared Statements (Parameterized Queries) – The attacker cannot change the intent of a query.
  Recommendations
  – Java EE – use PreparedStatement() with bind variables
  – .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
  – PHP – use PDO with strongly typed parameterized queries (using bindParam())
  – Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)
  – SQLite – use sqlite3_prepare() to create a statement object
• Stored Procedures – Same as Prepared Statements
• Escaping All User Supplied Input
Reference
OWASP: https://www.owasp.org/index.php/ESAPI
Google: http://owasp-esapi-
Prevention of SQL Injection – Additional Defense
• Least Privilege
• White list Input Validation
Reference:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
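The primary defense (prepared statements with bound values) and the additional defense (whitelist input validation) from the two slides above, shown side by side against the string-built query they replace. This is an added example written for this deck, not the deck's own code; it uses Python's sqlite3 module (whose execute() prepares the statement and binds the parameters), and the users table, the stored hash string and the username whitelist rule are constructed for the demonstration.

```python
"""Prepared statement vs. string-built SQL, plus whitelist validation as
defence in depth.  Added example, not the deck's code; the table contents,
hash placeholder and USERNAME_RE are constructed assumptions."""
import re
import sqlite3

# Whitelist rule for a username: letters, digits, '_', '.', '-', 1 to 32 chars.
# Constructed rule; tighten it to the real identifier format, keep it a whitelist.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> bool:
    """Additional defence: reject anything outside the expected format before
    it reaches the database layer.  fullmatch() means the whole string must fit."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row.  In production the
    application account would also be granted least privilege (SELECT only here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", "sha256:constructed-hash-of-alice-pw"))
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, name: str, password_hash: str) -> bool:
    """VULNERABLE: client-supplied text becomes part of the SQL grammar, so a
    quote or comment sequence in the input rewrites the WHERE clause."""
    sql = (f"SELECT count(*) FROM users WHERE name = '{name}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn: sqlite3.Connection, name: str, password_hash: str) -> bool:
    """Primary defence: the statement is compiled with '?' placeholders and the
    values are bound afterwards, so they are compared as data, never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND password_hash = ?"
    return conn.execute(sql, (name, password_hash)).fetchone()[0] > 0


def login(conn: sqlite3.Connection, name: str, password_hash: str) -> bool:
    """Defence in depth: whitelist validation first, then the prepared statement."""
    if not validate_username(name):
        return False
    return login_prepared(conn, name, password_hash)


if __name__ == "__main__":
    db = make_db()
    good = "sha256:constructed-hash-of-alice-pw"
    crafted = "alice' --"          # classic test input: closes the literal, comments out the rest
    print("concatenated, legitimate:", login_concatenated(db, "alice", good))
    print("concatenated, crafted   :", login_concatenated(db, crafted, "wrong"))   # True: the bug
    print("prepared, crafted       :", login_prepared(db, crafted, "wrong"))       # False
    print("validated, crafted      :", login(db, crafted, good))                   # False
```

The point the output makes is that the prepared statement alone already closes the hole; the whitelist is not what stops the injection, it is a second, independent gate that also catches malformed input your schema never expected.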
Architectural and Development Considerations
• Validate the device registration from the server
• Always use a VPN (at least SSL) network for communication
• Encrypt the critical data at both ends
• Use dynamic encryption keys. An encryption key should be used for only one communication and it should have automatic expiry.
• The key should have some complex generation logic. Do not store the entire initial complete encryption key in the device, i.e., a complete key should be generated based on a partial key.
• Do not cache or store data. Do not create any cookies
• Disable all network components that are not used by the application
• Enforce password policy
• Enable single sign-on using servers like LDAP
• Disable client-scripting
• Do not keep any SQL on the client side
• If necessary, to store offline data, use an encrypted DB like SQLCipher
• Always validate both input and output data for its format and canonical
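The server-controlled dynamic key with automatic expiry that the design practices slide and the list above both call for, worked through as an added example (not the deck's own code): the device keeps only a partial key, the server issues the other half (a fresh nonce plus an expiry) per communication, and both sides derive the complete key with HKDF. Only the key derivation is shown; the derived key would feed an authenticated cipher for the payload. KeyServer, the HKDF info label, the registration flow and the sample partial key are assumptions made here.

```python
"""Per-communication session key = HKDF(partial key on device, server nonce, expiry).
Added example, not the deck's code; KeyServer and the info label are assumptions."""
import hashlib
import hmac
import os
import time


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-and-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(partial_key: bytes, nonce: bytes, expires_at: int) -> bytes:
    """The complete key is never stored: each side recomputes it from the device's
    partial key and the server-issued nonce.  Binding the expiry into the HKDF
    info means a tampered expiry yields a different (useless) key."""
    info = b"enterprise-mobile-session-v1" + expires_at.to_bytes(8, "big")
    return hkdf_sha256(partial_key, nonce, info)


class KeyServer:
    """Holds the partial keys captured at device registration and issues the
    server half (nonce + expiry) for each communication."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._partials = {}           # device_id -> partial key (server-side registry)

    def register_device(self, device_id: str, partial_key: bytes) -> None:
        self._partials[device_id] = partial_key

    def issue_session(self, device_id: str):
        """Returns (nonce, expires_at) for the device; unknown devices are refused,
        which is the 'validate the device registration from the server' step."""
        if device_id not in self._partials:
            raise PermissionError("device is not registered")
        nonce = os.urandom(16)
        expires_at = int(self.clock()) + self.ttl
        return nonce, expires_at

    def session_key(self, device_id: str, nonce: bytes, expires_at: int) -> bytes:
        """Server-side derivation; refuses an unregistered device or an expired session."""
        if device_id not in self._partials:
            raise PermissionError("device is not registered")
        if int(self.clock()) >= expires_at:
            raise PermissionError("session key has expired")
        return derive_session_key(self._partials[device_id], nonce, expires_at)


if __name__ == "__main__":
    partial = bytes(range(32))                       # constructed device partial key
    server = KeyServer(ttl_seconds=300)
    server.register_device("dev-1", partial)
    nonce, exp = server.issue_session("dev-1")       # server half travels to the device
    print(server.session_key("dev-1", nonce, exp).hex())
    print(derive_session_key(partial, nonce, exp).hex())   # device side, same key
```

Because the nonce is fresh per session and the expiry is enforced on the server's clock, a key lifted from device memory is good for one exchange and a few minutes at most, which is the property the "automatic expiry" bullet is asking for.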
Conclusion
• The security of a mobile application should be ensured at all levels and by all players
  – Application/service providers
  – Organization
  – Device providers
  – Registries
  – Data Centers/Cloud Services
  – Government CERTs
  – Users
• All players in this ecosystem must apply the basic rules for effective security
  – Coordination
  – Communication and