• Share
  • Email
  • Embed
  • Like
  • Private Content
Testdroid: How to Test Security and Vulnerability of Your Android and iOS Apps
 

Testdroid: How to Test Security and Vulnerability of Your Android and iOS Apps

on

  • 866 views

Interested in a presentation video? Sign up at testdroid.com/webinars-archive ...

Interested in a presentation video? Sign up at testdroid.com/webinars-archive

Majority of today’s mobile apps consist of third-party code/libraries. This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of your mobile app – or game. Identifying third-party code, its vulnerabilities and its license restrictions, is highly critical in order to understand your security exposure and your liability.

Statistics

Views

Total Views
866
Views on SlideShare
864
Embed Views
2

Actions

Likes
2
Downloads
16
Comments
0

2 Embeds 2

http://www.linkedin.com 1
https://www.chatwork.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Testdroid: How to Test Security and Vulnerability of Your Android and iOS Apps Testdroid: How to Test Security and Vulnerability of Your Android and iOS Apps Presentation Transcript

    • How to Test Security and Vulnerability of Your Android and iOS Apps 4 December 2013 Ville-Veikko Helppi Antti Häyrynen Technical Product Manager Security Specialist ville-veikko.helppi@bitbar.com antti.hayrynen@codenomicon.com
    • webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 2
    • webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 3
    • webinar Security Testing for Mobile Apps • How to test something you don’t know it exists? • Security testing doesn’t replace white/black box testing but can complement it very well • e.g. Android protects • User data • System resources • Application isolation • Security at the OS level © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 4
    • webinar Hot debate about Android security • Open Platform – All source code available • Linux security (e.g. users, process isolation, IPC) • Filesystem permissions • Cryptography (API) • Memory management • 1.5 -> 4.2 • Application security • Android has defenses to protect itself – not data! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 5
    • webinar Mobile Apps & Open Source Components Blurred Blurred © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 6
    • webinar Mobile Apps & Third-Party Components • Majority of today’s applications consist largely of third-party code/libraries and application-specific glue to hold everything together • This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of the application • Each piece of third-party code has an associated license whose terms can affect the distribution and licensing of your application © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 7
    • webinar Mobile Apps & Third-Party Components • Identifying 3rd party code, its vulnerabilities and its licenses, is critical in order to understand your security exposure and your liability: • • • • • Know those 3rd party components/libs used in your app Identify binding software licenses for 3rd party code Identify vulnerabilities in 3rd party components that could be security risks in your application (and its users) 3rd party components evolve and change – it’s important to know what is new and what makes your app vulnerable Instant way of checking any app (Android & iOS) will enable you to focus on your core activities © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 8
    • webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 9
    • webinar Apps for Mobile Subverticals Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile • Testdroid has helped thousands of app developers in these subverticals! • What are the critical elements in each these verticals? • How are the security requirements different in each subvertical? © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 10
    • webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –User Experience! –Resource consumption & validation (CPU, Mem…) –Fully utilizing hardware – e.g. Touch screen –Access to graphics APIs (e.g. OpenGL ES) •Open source license © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 11
    • webinar Apps for Mobile Subverticals •Top requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Usability! –Functional and Behavioral testing –Metrics analysis for all captured data (e.g. logs, screenshots, perf stats) –Relation to other apps •Open source license © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 12
    • webinar Apps for Mobile Subverticals •Top requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Performance! –Connectivity, robustness and durability –Screen orientation (portrait vs. landscape) –Graphics quality, streaming capabilities –User profiles •Security & Vulnerability © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 13
    • webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Security! –Secure connectivity with back-end systems –Top Quality – extremely brand sensitive vertical –Compliances and verification between real devices and infrastructure •Security is the no. 1 thing © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 14
    • webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Data! –Connectivity and data connection with back-ends –Configurability of the app –Bad quality WILL hurt the brand and make customers leave your app •Security, Licenses © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 15
    • webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 16
    • Is your mobile app safe? Codenomicon AppCheck
    • Mobile software •Software development is increasingly shifting into mobile •Android and iOS dominant platforms, followed by WP and Qt –All different, even on preferred programming language level •Volumes larger than traditionally, average revenue per user much lower
    • Mobile software paradigm •Traditionally software opens files and handles them. –Only Android supports this properly via registering as content handler •The modern way is to have client / server architecture –Mobile device is a client. Payload is usually json, protobuf, xml or media.
    • Traditional Threats •Open malicious file / content (via email, web etc) that contains an exploit -> target popped. •In Android, content handlers can have these issues. –Platform somewhat limits what the attacker can do unless privilege escalation is possible. –For example PDF readers, video players etc.
    • Modern threats •In the modern app paradigm, the mobile client “enriches” content from pre-defined server –Usually SSL protected –Certificate checks? •Cert pinning? •Attacks somewhat limited to either –Man in the middle –Injecting malice via server
    • IOS apps •IOS apps are Mach binaries usually written in Objective-C •Packaging follows the common paradigm – manifest, code and resources inside zip •Inside the device executable code is usually encrypted, but in clear before blessed by Apple. –Can be decrypted on jailbroken devices. •Allows mixing of C into apps -> common OSS libs can be used.
    • Anatomy of an Android app •The simplest form: simple java application. –Manifest, .dex, resource files •Manifest has meta data (app name, permissions, content handler registrations etc) •DEX contains java byte code –With or without proguard obfuscation. •Resource files contain images etc. •Optionally native code (usually just ARM) in lib/
    • Native code •Sometimes java is not enough. –~15% of android apps contain native code •.so’s in lib/ –Among popular apps, the amount is much higher •If the native code processes untrusted data, it’s out of dalvik supervision. –Can corrupt memory and contain exploitable bugs.
    • Third party code •Modern world contains plenty of ready components either as open source or licensable. •People use them to –Avoid re-inventing the wheel –Save time and costs –Create better software – many of those components are actually great at what they do. •Apps that use them inherit the bugs they have. •Since there’s no “package management” in Android like in Linux distros, apps bundle third party code with them. –Fixing 3rd party bugs require actions from app vendor
    • Third party code in Android apps •There are different types of 3rd party libs popular in Android, for example –Ad networks –Protocol clients –Content decoders/encoders –Shiny UI widgets –Cross-platform app frameworks –Most of the Java 3rd party libs usable in Android •Either Java or native
    • Introducing Appcheck •Codenomicon Appcheck makes it easy and fast to increase your application security •Integrated into Testdroid •Works on binaries, no source code necessary. •Main idea is to look for third party code from apps and categorize them.
    • Vulnerabilities •Third party libraries may contain vulnerabilities that endanger application security •Common pitfalls in android libraries include for example missing certificate checks, missing crypto, privacy issues •In native libraries common native code problems persist. •Vulnerability feeds provide vulnerability information on common components –http://nvd.nist.gov/ –Appcheck performs matching against vulnerability feeds
    • Ad networks •Ad networks vary from benign to outright evil –Some replace dial tone –Some have critical vulnerabilities –Some may send more information than user is willing to accept •Appcheck detects all the common ad networks.
    • Licenses •Third party code sometimes comes with some strings attached in form of licenses –Eg. GPL requires you to distribute source code of derivative works –Apache license requires some attribution –GPLv3 forbids DRM •Common pitfall in Android would be to bundle for example LGPL lib in on .so with rest of the native code •Appcheck makes all the used licenses visible
    • Improving security •By being aware of security issues of reusable third party components in their apps, developers can take action to fix issues •If you source software, you can use Appcheck to check what supplier has actually bundled inside the app.
    • Conclusions •Mobile applications face threats and risks stemming from bundled 3rd party code. •Third party code scanning gives you actionable results to –Remove or mitigate known vulnerabilities –Eliminate license risk –Remove overlapping and unwanted functionality such as privacy leaks
    • webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 33
    • webinar Testdroid Products Complete Solution for Mobile Apps/Games Testing © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 34
    • webinar Testdroid & Appcheck – Get Your App an Insurance for Security & Vulnerability! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 35
    • webinar Testdroid Blog and Webinars – Because it is important to how to automate your testing! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 36
    • webinar Codenomicon Website and Events © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 37
    • webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 38
    • webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 39
    • webinar © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 40