Mobile Application Security – Effective Methodology, Efficient Testing! - Hemil Shah - OWASP India Conference 2012

Transcript of "Mobile application security – effective methodology, efficient testing! hemil shah"
1. Mobile Application Security – Effective Methodology, Effective Testing! OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
2. Who Am I?
hemil@espheresecurity.net http://www.espheresecurity.com
• Hemil Shah – hemil@espheresecurity.net
• Past experience – HBO, KPMG, IL&FS, Net Square
• Interest – Application security research (Web & Mobile)
• Published research
  – Articles / Papers – Packstroem, etc.
  – Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
3. Past, Present and Future
(slide figure: timeline of focus areas, with 2010 labelled Cloud)
4. Enterprise Technology Trend
• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner]
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
• 2010. Flex/HTML5/Cloud/API/Mobile era.
5. Mobile Infrastructure
(slide diagram: Internet, Exchange, firewall, DMZ, dial-up router, VPN, intranet, www, mail, RAS, Database, other offices)
6. Mobile App Environment
(slide diagram: Internet → DMZ → Trusted zone. Mobile and web clients talk SOAP/JSON etc. to web servers that serve static pages (HTML, HTM, etc.) and to a scripted application engine that serves dynamic pages (ASP, DHTML, PHP, CGI, etc.); behind them sits the integrated framework (ASP.NET on .Net Framework, J2EE App Server, Web Services, DB etc.) and the internal/corporate systems)
7. Mobile Apps
8. Gartner Statistics
9. Gartner Statistics
10. Mobile Changes
• Application Infrastructure – changing dimension
  (AI1) Protocols: Web – HTTP & HTTPS; Mobile – JSON, SOAP, REST etc. over HTTP & HTTPS
  (AI2) Information transfer structures: Web – HTML; Mobile – JSON, JS Objects, XML, etc.
  (AI3) Technology Platform: Web – Java, DotNet, PHP, Python and so on; Mobile – Cocoa, Java with SDKs, HTML5
  (AI4) Information Store/Process: Web – Mainly on Server Side; Mobile – Client and Server Side
11. Mobile Changes
• Security Threats – changing dimension
  (T1) Entry points: Web – Structured; Mobile – Scattered and multiple
  (T2) Dependencies: Web – Limited; Mobile – Multiple technologies, Information sources, Protocols
  (T3) Vulnerabilities: Web – Server side [Typical injections]; Mobile – Web services [Payloads], Client side [Local Storage]
  (T4) Exploitation: Web – Server side exploitation; Mobile – Both server and client side exploitation
12. Black Review flow
Review phases: Architecture Review → Scoping → Server Side Application Footprinting → Mobile Application Footprinting → Application Discovery → Application Threat Modeling → Application Deployment Assessment → Application Enumeration and Profiling → Vulnerability Assessment → Mitigation Strategies → Reporting
Mobile and Device Security:
• Insecure storage
• Insecure network communication – carrier's network security & WiFi network attacks
• Unauthorized dialing & SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Language issues
• Timely application update
• Jail breaking/Physical device theft
• KeyBoard cache/ClipBoard issue
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• And a few other loopholes
Application Security – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
13. White Review flow
Review phases: Architecture Review → Scoping → Threat Modeling → Code Enumeration → Code Mapping and Functionality → Security Controls & Cases → Entry Point Discoveries → Class, Function & Variable Tracing → Vulnerability Detection → Mitigation Controls → Reporting
Mobile and Device Security: the same list as in the black review flow (insecure storage through insecure protocol handler implementation)
Sample Security Control Categories – the same list as the Application Security categories in the black review flow (Authentication through Logging and auditing)
14. Mobile Top 10 - OWASP
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
15. Insecure Storage
16. Insecure Storage
• Why application needs to store data
  – Ease of use for the user
  – Popularity
  – Competition
  – Activity with single click
  – Decrease transaction time
  – Post/Get information to/from Social Sites
• 9 out of 10 applications have this vulnerability
17. Insecure Storage
• How attacker can gain access
  – WiFi
  – Default password after jail breaking (alpine)
  – Physical Theft
  – Temporary access to device
18. Insecure Storage
• What information we usually find
  – Authentication Credentials
  – Authorization tokens
  – Financial Statements
  – Credit card numbers
  – Owner's Information – Physical Address, Name, Phone number
  – Social Engineering Sites profile/habits
  – SQL Queries
19. Local file access
20. Insecure Network Communication
21. Insecure Network Channel
• Easy to perform MitM attacks as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, carrier's network
• Application deals with sensitive data, i.e.
  – Authentication credentials
  – Authorization token
  – PII Information (Privacy Violation) (Owner Name, Phone number, UDID)
22. Insecure Network Channel
• Can sniff the traffic to get access to sensitive data
• SSL is the best way to secure the communication channel
• Common Issues
  – Does not deprecate HTTP requests
  – Allowing invalid certificates
  – Sensitive information in GET requests
23. Session token
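As an added example (not from the talk), a small Python audit over captured request lines that flags the two channel issues on slide 22 that can be read straight off a proxy log: requests still sent over plaintext HTTP, and credentials or session tokens carried in GET query strings (the "Session token" point above). The request lines and the host api.example.test are constructed for this example, and SENSITIVE_KEYS is an assumed starting list to extend per application.

```python
"""Audit captured mobile-app requests for insecure-channel issues:
plaintext HTTP, and credentials/session tokens in GET query strings.
The sample capture below is constructed, not real traffic."""
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that should never travel in a GET URL.
# Assumption: a starting list; extend it for the application under test.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid",
                  "auth", "apikey", "api_key", "udid", "creditcard", "ccn"}


def audit_request(method, url):
    """Return a list of findings (strings) for one captured request."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Slide 22: "does not deprecate HTTP requests"
        findings.append("plaintext HTTP")
    if method.upper() == "GET":
        # Slide 22: "sensitive information in GET requests" (URLs end up in
        # proxy logs, server logs and browser/webview history)
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                findings.append(f"sensitive field '{key}' in GET query string")
    return findings


def audit_capture(lines):
    """Audit 'METHOD URL' lines; return {url: findings} for requests with findings."""
    report = {}
    for line in lines:
        method, url = line.split(None, 1)
        findings = audit_request(method, url)
        if findings:
            report[url] = findings
    return report


# Constructed sample capture (what a proxy would show while driving the app).
CAPTURE = [
    "GET http://api.example.test/login?user=alice&password=s3cret",
    "GET https://api.example.test/account?sessionid=abc123",
    "POST https://api.example.test/login",
    "GET https://api.example.test/feed?page=2",
]

if __name__ == "__main__":
    for url, findings in audit_capture(CAPTURE).items():
        print(url, "->", "; ".join(findings))
```

The POST login is not flagged: the point of the check is the transport (HTTPS) and the placement of secrets (body, not URL), which is exactly what the proxy step in the checklist is there to confirm.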
24. Unauthorized Dialing/SMS
25. Unauthorized Dialing/SMS
• Social Engineering using Mobile Devices
• Attacker plays with user's mind
• User installs application
• Application sends a premium rate SMS or makes a premium rate phone call to an unknown number
• Used by Malware/Trojans
26. AndroidOS.FakePlayer
• August 2010
• Sends costly International SMS
• One SMS costs – 25 USD (INR 1250)
• Application sends SMS to – 3353 & 3354 numbers in Russia
27. GGTracker
• June 2010
• Another application which sends International SMS
• One SMS costs – 40 USD (INR 2000)
• Application sends Premium SMS to US numbers
28. UI Impersonation
29. UI Impersonation
• Attack has been there since long
• On a mobile stack, known as UI impersonation
• Other names are Phishing Attack, ClickJacking
• Attacker plays with user's mind and tries to impersonate another user or another application
30. UI Impersonation
• Victim loses credit card information or authentication credentials or secret
• One application can create a local PUSH notification that looks as if it came from the Apple store
• Flaw in review process of AppStore – anyone can name their application anything
31. NetFlix
• Oct 2011
• Steals users' "netflix" account information
• Application shows error message to user "Compatibility issues with the user's hardware" when user enters username and password
• Once the error message is shown, application uninstalls itself
32. Activity Monitoring
33. Activity Monitoring
• Sending a blind carbon copy of each email to attacker
• Listening to all phone calls
• Email contact list, pictures to attacker
• Read all emails stored on the device
• Usual intention of Spyware/Trojans
34. Activity Monitoring
• Attacker can monitor –
  – Audio Files
  – Video
  – Pictures
  – Location
  – Contact List
  – Call/Browser/SMS History
  – Data files
35. Android.Pjapps
• Early 2010
• Steal/Change users' information
• Application –
  – Send and monitor incoming SMS messages
  – Read/write to the user's browsing history and bookmarks
  – Install packages and open sockets
  – Write to external storage
  – Read the phone's state
36. System Modification
37. System Modification
• Application will attempt to modify system configuration to hide itself (historically this is known as ROOTKIT)
• Configuration changes make certain attacks possible, i.e. –
  – Modifying device proxy to monitor user's activity
  – Configure BCC email sending to attacker
38. iKee – iPhone Worm
• "ikee" iPhone Worm
  – Change root password
  – Change wallpaper to Ricky Martin.
(slide screenshot: what an iPhone looks like after being infected by "ikee")
39. PII Information Leakage
40. PII Information Leakage
• Applications usually have access to user's private information, i.e. Owner Name, Location, Physical Address, AppID, Phone Number
• This information needs to be handled very carefully as per the law in some countries
• Storing this information in plain text is not allowed in some countries
41. PII Information
42. Hardcoded Secrets
43. Hardcoded Secrets
• Easiest way for developer to solve complex issues/functionality
• Attacker can get this information by either reverse engineering the application or by checking local storage
44. Keychain Dumper
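Slide 43 (reverse engineering or local storage) and the checklist item "decrypt the binary and run strings" both come down to pulling printable strings out of bytes and deciding which ones look like secrets. The Python below is added here and is not a tool from the talk: a strings-style extraction over a byte blob (a decrypted binary, or a file pulled from the app's local storage) followed by three simple heuristics, credential keywords, high Shannon entropy, and embedded URLs. The sample blob, the keyword list and the entropy threshold are constructed/assumed for illustration.

```python
"""Strings-style scan of a binary blob for hardcoded secrets.
Added example; the blob, patterns and thresholds are constructed/assumed."""
import math
import re
from collections import Counter

MIN_LEN = 8  # same default as the `strings` tool's -n 8 would give (assumption)


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Heuristics (assumed starting points, tune per target):
KEY_HINTS = re.compile(r"(api[_-]?key|secret|passw(or)?d|token|bearer)\s*[=:]", re.I)
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 3.5


def classify(s):
    """Return the reasons a string looks like a hardcoded secret (empty if none)."""
    reasons = []
    if KEY_HINTS.search(s):
        reasons.append("credential keyword")
    for token in HIGH_ENTROPY_TOKEN.findall(s):
        # long runs of one character (padding, test data) have low entropy
        if shannon_entropy(token) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy token")
            break
    if re.search(r"https?://", s):
        reasons.append("embedded URL")
    return reasons


def scan_blob(blob):
    """Map each suspicious string in the blob to its reasons."""
    report = {}
    for s in extract_strings(blob):
        reasons = classify(s)
        if reasons:
            report[s] = reasons
    return report


# Constructed sample "binary": fake header bytes, NUL-separated strings, junk.
SAMPLE_BLOB = (
    b"\x7fFAKEHDR\x02\x01\x00\x00"
    + b"short\x00"
    + b"apiKey=Q7pX2mN9vL4kR8wZ1cB6tY3hJ5\x00"
    + b"\x01\x02\x03"
    + b"https://api.example.test/v1/login\x00"
    + b"Compatibility issues with the user's hardware\x00"
    + b"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"
    + b"\xff\xfe"
)

if __name__ == "__main__":
    for s, reasons in scan_blob(SAMPLE_BLOB).items():
        print(f"{s!r}: {', '.join(reasons)}")
```

A hit is a lead, not a verdict: confirm where the string is used (for example, whether the key is sent to the server or only used locally) before reporting it as a hardcoded secret.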
45. Language Specific Issues
46. Language Specific Issues
• Applications on iOS are developed in the Objective-C language, which is derived from the classic C language
• Along with this derivation, it also inherits the security issues of the C language, i.e. overflow attacks
• Using Dex2jar, the source code of an Android application can be accessed
47. dexdump
Convert/dump .dex files: (slide screenshot of dexdump output)
48. SQL Injection in Local database
49. SQL Injection in Local database
• Most mobile platforms use SQLite as the database to store information on the device
• Using any SQLite database browser, it is possible to access database logs which have queries and other sensitive database information
• In case the application is not filtering input, SQL injection on the local database is possible
50. Injection…
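As an added example, not code from the talk: the string-built SQLite query beside its parameterised form, using Python's sqlite3 as a stand-in for the platform SQLite bindings, against an in-memory database with two constructed rows. The same tautology input returns every row through the concatenated query and nothing through the parameterised one, which is the check to make on each query found by grepping the app's SQL strings.

```python
"""Local SQLite query built by concatenation (vulnerable) vs. a bound
parameter (safe). Added example; table and rows are constructed."""
import sqlite3


def make_db():
    """In-memory stand-in for the app's on-device SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice private note"), ("bob", "bob private note")],
    )
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Vulnerable: `owner` is pasted into the SQL text, so quotes in the input
    change the statement (the 'not filtering input' case on slide 49)."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Safe: the value is bound as a parameter and can never become SQL."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"      # classic test input a reviewer would try
    print("vulnerable:", notes_for_owner_vulnerable(conn, tautology))  # both rows
    print("safe:      ", notes_for_owner_safe(conn, tautology))        # []
```

On Android the same distinction is between building the query string for rawQuery and passing selectionArgs; on iOS between sqlite3_exec on a formatted string and sqlite3_prepare with sqlite3_bind_*.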
51. Information in Common Services
52. Common Services
• Keyboard, clipboard are shared amongst all the applications.
• Information stored in the clipboard can be accessed by all the applications
• Sensitive information should not be allowed to be copied/pasted in the application
53. Server Side Issues
54. Server Side Issues
• Most applications make server side calls to either web services or some other component. Security of the server side component is equally important as the client side
• Controls to be tested on the server side – Security Control Categories for Server Side Application – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,
55. Server Side Issues
Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
56. Binary auditing
57. Using GDB
58. Pen testing Check list (iOS Applications)
59. Pen testing Check list
• Fuzz all possible inputs to the application and validate output (Query String, POST data, external HTML, RSS Feed or database feed)
• Audit traditional memory-unsafe methods (strcpy, memcpy)
• Watch out for format string vulnerabilities
• Look for hard coded credentials / secrets
60. Pen testing Check list
• Check network connections (grep for NSURL, CFStream, NSStream)
• Check database connections and queries (grep SQL strings and SQLite queries)
• Check that only trusted certificates are allowed (look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticationChallenge)
• Check what is logged (grep NSLog)
61. Pen testing Check list
• Check implementation of URL schemes in handleOpenURL
• Check what is stored in the keychain (kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attributes when calling SecItemAdd or SecItemUpdate) and the file system (NSDataWritingFileProtectionComplete).
62. Pen testing Check list
• Check how critical data is stored (NSUserDefaults should not be used to store critical data)
• Check server side controls
• Decrypt the binary and run strings to find sensitive information
63. Pen testing Check list
• Check whether the application uses UIWebView (How does the application load HTML and where is it rendered from? Is the URL visible?)
• Check whether copy-paste functionality is enabled in sensitive fields (PII fields)
• Install your favorite proxy to monitor + fuzz web traffic
• Run the app under a disassembler to monitor calls
64. Pen testing Check list
• Check whether critical data fields are hidden in applicationWillTerminate and applicationWillEnterBackground to prevent screenshot caching
• Check how the application handles PII information
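Most of the checklist above is grep-style source review. As an added example (not a tool from the talk), a Python scanner that runs those greps over Objective-C source text and reports line-numbered findings per checklist item: network and stream classes, plaintext http://, the certificate-handling hooks, NSLog, non-literal format strings, unsafe C functions, NSUserDefaults, keychain and file-protection attributes, URL-scheme handlers, UIWebView and inline SQL. The regexes are assumed starting points and the sample source is constructed (it includes the private setAllowsAnyHTTPSCertificate call the slide names).

```python
"""Static checks from the iOS pen-testing checklist, run over Objective-C
source text. Added example; patterns are starting points and the sample
source is constructed for illustration."""
import re
from collections import Counter

# (check name, pattern): each check corresponds to a checklist item above.
CHECKS = [
    ("network: URL/stream use", re.compile(r"\b(NSURL|CFStream|NSStream)\w*")),
    ("network: plaintext http://", re.compile(r"http://")),
    ("tls: certificate handling",
     re.compile(r"setAllowsAnyHTTPSCertificate|didReceiveAuthenticationChallenge")),
    ("logging: NSLog", re.compile(r"\bNSLog\s*\(")),
    # format argument that is a variable rather than a literal (@"..." or "...")
    ("format string: non-literal format",
     re.compile(r"\b(NSLog|printf|stringWithFormat:)\s*\(?\s*[A-Za-z_]")),
    ("memory: unsafe C function", re.compile(r"\b(strcpy|strcat|memcpy|sprintf|gets)\s*\(")),
    ("storage: NSUserDefaults", re.compile(r"\bNSUserDefaults\b")),
    ("storage: keychain accessibility", re.compile(r"kSecAttrAccessible\w+")),
    ("storage: file protection", re.compile(r"NSDataWritingFileProtection\w+")),
    ("url scheme: handleOpenURL", re.compile(r"handleOpenURL|openURL:")),
    ("webview: UIWebView", re.compile(r"\bUIWebView\b")),
    ("sql: inline query string",
     re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET|WHERE)\b", re.I)),
]


def scan_source(text):
    """Return one finding per (line, check) that matches, with the snippet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append({"line": lineno, "check": name, "snippet": line.strip()})
    return findings


def summarize(findings):
    """Count findings per check, for the report's summary table."""
    return Counter(f["check"] for f in findings)


# Constructed sample source (not from any real app).
SAMPLE_SOURCE = """\
#import <Foundation/Foundation.h>
NSURL *url = [NSURL URLWithString:@"http://api.example.test/login"];
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host];
NSLog(@"user=%@", user);
NSLog(userSupplied);
char buf[32]; strcpy(buf, input);
[[NSUserDefaults standardUserDefaults] setObject:token forKey:@"authToken"];
NSString *q = [NSString stringWithFormat:@"SELECT * FROM notes WHERE owner = '%@'", owner];
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f['line']:>3}  {f['check']:<36} {f['snippet']}")
    print(summarize(found))
```

Every finding is a place to read, not a vulnerability by itself: didReceiveAuthenticationChallenge is also where correct pinning lives, and an NSLog of a non-sensitive value is fine. The scanner's job is to make sure none of those places is skipped.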
65. Thank you
Hemil Shah
hemil@espheresecurity.net
+91 99790 55100