Enterprise mobileapplicationsecurity
Upcoming SlideShare
Loading in...5

Enterprise mobileapplicationsecurity






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Enterprise mobileapplicationsecurity Enterprise mobileapplicationsecurity Presentation Transcript

  • Security –Enterprise MobileApplicationsVenkat Alagarsamyvenkat.alagarsamy@gmail.comwww.linkedin.com/in/VenkatAlagarsamywww.scribd.com/VenkatAlagarsamywww.facebook.com/Venkatachalapathi.Alagarsamywww.slideshare.net/VenkatAlagarsamywww.twitter.com/TwitsOfVenkatVenkatAlagarsamy.blogspot.inLast Updated: 18th Jan 2013
  • Corporate Data Users• It is a business fact that nearly 60% of all corporateemployees access content through public networkusing phones, tablets and other hand-held devices.• Other than employees, the customers and vendorstoo access the corporate database anywhere,anytime on any device.• Public
  • Statistics• 80% of corporate users using the device withoutknowing security threats.• 80% of corporate users using the jail Brokendevice• 70% of users do not have Anti-virus on their device• 70% is the possibility that the application gettingmisused.• 55% user losing sensitive credentials andcorporate data to a hacker.
  • The ChallengeThe rapid adoption of mobile application by thecorporate has created a significant securitychallenge because the corporate data is accessedoutside of the firewall/DMZ. So the challenges tocorporate mobile application developers are:How do I secure mobile application with/without limitedusers?How to secure the application itself?What is to be developed as mobile application?How should I provision this application to users?
  • Attacks – Device Based• Device based attacks– Misplaced or lost the device• Unencrypted credentials• Insecure Storage• Cached Data– Malware installation due to down loading unknownapplication• Malicious certificates• Reconfigure proxy settings or• Allow man-in-the-middle (MiTM) visibility into every usertransaction.
  • Attacks – Network andServer Based• Identity Spoofing (IP address Spoofing)– Using a special programs attacker would construct IPpackets that appear to originate from valid addressesinside the corporate intranet.– After gaining access to the network with a valid IPaddress, the attacker can modify, reroute, or deletedata.• Password Attacks– Obtain lists of valid user and computer names andnetwork information.– Modify server and network configurations, including
  • Attacks – Network andServer Based• Denial-of-Service Attack– Randomize the attention of corporate internalInformation Systems staff so that they do not see theintrusion immediately, which allows the attacker to makemore attacks during the diversion.– Send invalid data to applications or network services,which causes abnormal termination or behavior of theapplications or services.– Flood a computer or the entire network with traffic until ashutdown occurs because of the overload.– Block traffic, which results in a loss of access to networkresources by authorized users.
  • Attacks – Network andServer Based• Man-in-the-Middle Attack– actively monitoring, capturing, and controlling allcommunication and re-route a data exchange• Compromised-key-attack– By getting the compromised key, the attacker candecode any secured encrypted data and the use thedata as required.• Sniffer Attack– Analyze network and gain information to eventuallycause network to crash or to become corrupted.– Read transaction/data communications.
  • Attacks – Network andServer Based• Application-Layer AttackAn application-layer attack targets application servers bydeliberately causing a fault in a servers operating systemor applications. This results in the attacker gaining theability to bypass normal access controls. The attacker takesadvantage of this situation, gaining control of application,system, or network, and can do any of the following:– Read, add, delete, or modify data or operating system.– Introduce a virus program that uses corporate computersand software applications to copy viruses throughoutcorporate network.– Introduce a sniffer program to analyze network and gaininformation that can eventually be used to crash or tocorrupt legacy systems and network.
  • Device Security - ReverseEngineering• Understand the logic and application securityweakness• Look for key words like password, key, SQL andsecurity logic (AES/DES)• Modify the code to bi-pass client side checks andrebuild app• Send request with altered data pack from modifiedapps• Steps: Get Executable Understand the technology
  • Device Security -ReverseEngineering – Tools UsedOS De-compressorObject -> Class ->FunctionsEditorWindows Winzip ILSpy VisualStudioNotepadObfuscator preemptive.com/products/dotfuscator/overviewconfuser.codeplex.com/Android Winzip Dex2Jar and JD-GUI NotepadObfuscator http://proguard.sourceforge.net/iOS iExplorer OTool and Class-dump-z
  • Device Security – Malwares Malwares (Worms and Trojans) are installed in thedevice either by SMS/MMS or by untrustedapplication download. Destroy Operating system Provide misleading information Steal data/cookies Deactivate other trusted applications Plant spyware to spy calendars, email accounts,notes etc.
  • Device Security – MalwareSamplesVirus Name OS Symptom, Propagation and DamagesCabir SymbianDisplay „Caribe‟ whenever phone is turned on.Spread to other phone using BluetoothDuts WindowsAffect EXE file more than 4KBSkulls - Trojan WindowsReplace all icons with image of skull.Commwarrior SymbianSpread by MMS and Bluetooth. Hunt devicesrunning Bluetooth and send infected filesGingermaster- TrojanAndroidHidden malware. Steal device details and send toremote server.DroidKunFu –TrojanAndroidGets privileges of root and install com.google andssearch.apk, which remove files, open and autodownload of some applications. It also sendsdevice data to remote server.
  • Device Security – AntivirusProtection SoftwareOperatingSystemBullGuardLookoutMcAfeeESETKasperskyTrendMicroF-SecureWebrootNetQinAndroidYesYesYesYesYesYesYesYesYesSymbianYesYesYesYesYesBlackBerryYesYesYesWindowsYesYes
  • Device Security – Some BestPractices (User) Download applications from the official applicationstore only. Otherwise you expose yourself and yourmobile phone software provider does not protect you. Don‟t jailbreak or root device. If cracked software isinstalled you are inheriting a risk. Install an antivirus. Antivirus protects device againstapps that try to steal data. Before installing the application, from application storeunderstand and agree to the application device/datausage.‟ Disable Bluetooth and other wireless componentswhen not in use.
  • Device Security – EnterpriseApplication Design Practices Should adhere to corporate password policy Transfer the data only through SSL or VPN (Use VPN if possible) Auto disable all unwanted components like Bluetooth when notrequired Make sure there is no memory leakage Do not store any critical data offline. If required, encrypt data andstore using encrypted database like SQLCipher Ensure the device is registered for using the application Ensure the user logged-in is the right user to use the device andapplication Provide Single sign-on Provide remote-wipe if device lost Use dynamic key for encryption of in/out data where the key iscontrolled by server Do not use any special characters or SQL, in posting data
  • Network Security It is an activities designed to protect network for its Usability Reliability Integrity Safety From the threats like Viruses, worms, and Trojan horses Spyware and adware Zero-day attacks, also called zero-hour attacks Denial of service attacks Data interception and theft Identity theft
  • Network Security Components• Multiple layers of security. If one fails, others stillstand.• Network security is accomplished throughhardware and software. The software must beconstantly updated and managed to protect fromemerging threats.• Network security components often include:– Anti-virus and anti-spyware– Firewall, to block unauthorized access to your network(DMZ)– Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks
  • Attackers – How they do?• Most popular attacks using– Reverse Engineering– Cross site scripting (XSS)– SQL Injection
  • Cross-site Scripting (XSSAttack)• As documented by Symantec 2007, 84%vulnerability are caused by XSS attacks.• Cross-Site Scripting (XSS) attacks occur when:– Data enters a Web application through an untrustedsource, most frequently a web request.– The data is included in dynamic content that is sent to aweb user without being validated for malicious code• It is a process of injecting a malicious content inweb page and have the content (usually ActiveX,JavaScript, VBScript, Applet, Flash, HTML etc)executed in client browser– To steal client data.
  • Cross-site Scripting - XSSTypes• Stored XSS Attacks – Permanently stores injectedcode in targeted components like database,message forum, visitor log, comment field, etc.• Reflected XSS Attacks – Injected code is reflectedoff the web server– As a response such as error message, search result etc.– eMail messageWhen a user is tricked into clicking on a malicious link orsubmitting a specially crafted form, the injected code travels tothe vulnerable web server, which reflects the attack back to theuser‟s browser. The browser then executes the code because itcame from a "trusted" server.
  • XSS – Prevention SummaryDataTypeContextCode Sample DefenseStringHTMLBody<span>UNTRUSTED DATA </span>•HTML Entity EncodingStringSafeHTMLAttributes<input type=“text”name=“fname”value=“UNTRUSTED DATA”>•Aggressive HTML Entity Encoding•Only place untrusted data into white list ofsafe attributes•Strictly validate unsafe attributes such asbackground, id and nameStringGETParameter<ahref=“/site/search?value=UNTRUSTEDDATA”> clickme</a>URL Encoding StringStrinUntrustedURL ina SRC<ahref="UNTRUSTEDURL">clickme</a>•Cannonicalize input•URL Validation•Safe URL verification•Whitelist http and https URLs only (AvoidSource:https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
  • XSS – Prevention Summary(Contd…) Source:https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_SummaryDataTypeContextCode Sample DefenseStringCSSValue<divstyle="width: UNTRUSTEDDATA;">Selection</div>•Strict structural validation•CSS Hex encoding•Good design of CSS FeaturesStringJavaScriptVariable<script>varcurrentValue=UNTRUSTEDDATA;</script><script>someFunction(UNTRUSTEDDATA);</script>•Ensure JavaScript variables are quoted•JavaScript Hex Encoding•JavaScript Unicode Encoding•Avoid backslash encoding (" or or )HTMLHTMLBody<div>UNTRUSTEDHTML</div>•HTML Validation (JSoup, AntiSamy, HTMLSanitizer)Strin DOM<script>document.write("UNTRUSTED
  • XSS Prevention – OutputEncodingSource:https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_SummaryEncodingTypeEncoding MechanismHTML EntityEncodingConvert & to &amp;Convert < to &lt;Convert > to &gt;Convert " to &quot;Convert to &#x27;Convert / to &#x2F;HTMLAttributeEncodingExcept for alphanumeric characters, escape all characters withthe HTML Entity &#xHH; format, including spaces. (HH = HexValue)URLEncodingStandard percent encoding, see:http://www.w3schools.com/tags/ref_urlencode.aspJavaScriptEncodingExcept for alphanumeric characters, escape all characters withthe uXXXX unicode escaping format (X = Integer).CSS escaping supports XX and XXXXXX. Using a twocharacter escape can cause problems if the next character
  • XSS Prevention – TestingTools• Commercial License:o Veracode Dynamic Scannero Whitehato HP WebInspecto Cenzic Hailstormo IBM AppScano NTOSpidero Qualyso Burp Professional• Free/Open Source:o W3afo XSS-Me and Access-Meo OWASP ZAPo Skipfisho Wfuzzo Reference for more tools :
  • SQL Injection• SQL Injection Attack (SQLIA) is the one of the top10 vulnerability, identified by OWASP.• It is a insertion of a SQL in posted request fromclient application to server.• By injecting SQL, the attacker can– Read sensitive database– Modify (insert/update/delete) database– Execute admin operations– Alter DB structure– Bi-pass user authentication
  • Sub Classes of SQLIA• Classic SQLIA• Inference SQL injection• Interacting with SQLinjection• Database managementsystem-specific SQLIA• Compounded SQLIA• SQL injection +insufficient authentication• SQL injection + DDoSattacksSource: http://en.wikipedia.org/wiki/SQL_injection
  • Prevention of SQL Injection –Primary Defense Prepare Statements (Parameterized Queries) –Attacker can not change the intent of a query.Recommendations Java EE – use PreparedStatement() with bind variables .NET – use parameterized queries like SqlCommand() or OleDbCommand() withbind variables PHP – use PDO with strongly typed parameterized queries (using bindParam()) Hibernate - use createQuery() with bind variables (called named parameters inHibernate) SQLite - use sqlite3_prepare() to create a statement object Stored Procedures – Same like Prepare Statement Escaping All User Supplied InputReferenceOWASP: https://www.owasp.org/index.php/ESAPIGoogle: http://owasp-esapi-
  • Prevention of SQL Injection –Additional DefenseLeast PrivilegeWhite list Input ValidationReference:http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
  • Prevention of SQL Injection –Testing Tools SQL Inject-Me SQLMAP SQLler SQLbftools SQL Injection brute-force SQLBrute BobCat AbsintheSource: http://rochakchauhan.com/blog/2008/01/10/top-15-free-sql-injection-scanners/ SQL Injection Pen-testing tools SQID Blind SQL InjectionPerl tool SQL Power Injector FJ-Injector framework SQLNinja Automatic SQL Injector NGGSS SQL Injector
  • Architectural andDevelopment consideration Validate the Device Registration from Server Always use VPN (at least SSL) network for communication Encrypt the critical data in both ends Use Dynamic Encryption keys. A Encryption key should be used for onlyone communication and it should have automatic expiry. The key should have some complex generation logic. Do not store entire initial complete encryption key in device. i.e., a completekey should be generated based on partial key. Do no cache, store data. Do not create any cookies Disable all network components that are not used by the application Enforce password policy Enable single sign-on using servers like LDAP Disable client-scripting Do not keep any SQL in client side If necessary, to store offline data, use encrypted DB like SQLCipher Always validate the both input and output data for its format and canonical
  • Conclusion The security of mobile application should be ensured at alllevels and by all players Application/service providers Organization Device providers Registries Data Centers/Cloud Services Government CERTs Users All players in this ecosystem must apply the basic rules foreffective security Coordination Communication and