Mobile Threats and Owasp Top 10 Risks

In this session, the focus will be on OWASP Top 10 mobile risks and prevention tips. Hackers’ exploitation of these most common mobile vulnerabilities will be demonstrated in the session.

    Presentation Transcript

    • Mobile Threats and OWASP Mobile Top 10 Risks
    • About Me
      • Founder & CEO of SecurBay Services Pvt. Ltd.
        • Past: MIEL, Opus Software, Digite, HDFC Bank, Standard Chartered Bank
        • Conferences: ISACA, c0c0n
        • Trainings/Workshops: Application Security
      • Founder & Editor of SecurityCrunch
        • Online daily newsletter covering topics on information security
        • Free subscription
        • Readership across 30+ countries
        • www.securitycrunch.in
      © SecurBay 2012 3
    • Agenda
      • Introduction
      • Mobile Apps
      • Mobile Threatscape
      • OWASP Mobile Top 10 Risks
      • Mobile Controls
      • Questions
    • Mobile = Me: ROTI, KAPDA, MAKAN (food, clothing, shelter) … AND MOBILE DEVICE
    • There is an App for that …
    • Rise of the Apps
      • 1 Million Mobile Apps
      • $15 Billion of income from app sales in 2011*
      • 30 Billion app downloads from app marketplaces*
      • *Source: Gartner
    • Types of Mobile Apps
      • Native apps
        • Objective C on the iPhone or Java on Android devices
        • Use all the phone’s features, such as the camera, geolocation, and the user’s address book
        • E.g. messaging, telephony, multimedia
      • Web apps
        • Run in the phone’s browser
        • The same base code can be used to support all devices, including iPhone and Android
        • E.g. mobile banking, reservation systems
      • Hybrid solutions
        • A hybrid app is a native app with embedded HTML
        • E.g. Facebook, Google Chat, shopping
    • Mobile Apps vs Traditional Web Apps
      • Distribution: web apps are accessed directly; mobile apps are distributed through a marketplace
      • Database: web apps keep it server side; mobile apps use local storage
      • Reverse engineering: difficult for web apps; possible for mobile apps
      • Privacy issues: web apps have limited access to personal data; mobile apps have direct access to personal data
    • Mobile Threat Model
      • The mobile threat model is similar to the web app threat model, but:
        • Platforms vary substantially
        • External dependencies are completely out of your control
        • It’s more than just apps
        • Cloud/network integration
        • Device platform considerations
    • Mobile Threat Model (diagram): trust boundaries between backend systems, apps, OS and hardware
    • Concern Areas
      • Data specific: data at rest, data in use, data in motion
      • Platform specific: operating system, patches, malware
      • App specific: coding vulnerabilities
    • Testing the Security of Mobile Applications
      • Static analysis
        • Source code: source code scanning, manual source code review
        • Binary: reverse engineering
      • Dynamic analysis: debugger execution, traffic capture via proxy
      • Forensic analysis: file permission analysis, file content analysis
    • Mobile Testing: mobile emulators
    • Testing Tools
      • Rooted device or rooted emulator
      • ADB (Android Debug Bridge)
      • Wireshark, Burp Proxy
      • SQLite Editor, DroidSheep
      • APKTOOL, Agnitio, JD-GUI (utility that displays the Java source code of ".class" files)
    • What is rooting?
      • Rooting is the term for gaining access to the root (admin) account of a device
      • The rooting method depends on the make of the mobile device
    • Testing Apps (images; sources: OWASP, McAfee)
    • Rooting: Why shouldn’t I?
      • Rooting voids the device warranty
      • If done wrongly, you may end up with a bricked phone in your hand
      • Easy to get infected with viruses and malware
    • OWASP Mobile Top 10 Risks
      • M1 – Insecure Data Storage
      • M2 – Weak Server Side Controls
      • M3 – Insufficient Transport Layer Protection
      • M4 – Client Side Injection
      • M5 – Poor Authorization and Authentication
      • M6 – Improper Session Handling
      • M7 – Security Decisions Via Untrusted Inputs
      • M8 – Side Channel Data Leakage
      • M9 – Broken Cryptography
      • M10 – Sensitive Information Disclosure
      • Source: OWASP
    • M1 – Insecure Data Storage
      • Data stored unprotected, which can be accessed by an unauthorized application or person
      • Happens due to:
        • Data stored unencrypted
        • Caching of data
        • Global or weak permissions
        • Ignorance of platform-specific best practices
    • DEMO
    • iPhone App – Path steps on Privacy Landmine
      • The Path app was sending users’ contact details to its servers
      • Path CEO: “We screwed up by uploading your personal data, and we’ve erased it!!!”
    • M1 – Insecure Data Storage
      • Impact
        • Confidentiality of data lost
        • Credentials disclosed
        • Privacy violations
        • Non-compliance
      • Prevention Tips
        • Store ONLY what is absolutely required
        • Never use public storage areas (i.e. SD card)
        • Leverage secure containers and platform-provided file encryption APIs
        • Do not grant files world-readable or world-writable permissions
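As an added illustration of the "file permission analysis" step listed under forensic analysis on the testing slide and of the M1 tips on world-readable files and public storage, here is a small Python checker (not code from the presentation) that parses a constructed `adb shell ls -l` style listing of an app's data directories and flags each file that is world-readable, world-writable, or stored on shared storage. The sample listing, the `com.example.bank` package name and the public-storage prefixes are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of what `adb shell ls -l` prints for an app's private
# data directories and for the public SD card (not real device output).
SAMPLE_LISTING = """\
/data/data/com.example.bank/shared_prefs:
-rw-rw-rw- u0_a12 u0_a12     812 2012-03-01 10:15 session.xml
-rw------- u0_a12 u0_a12     233 2012-03-01 10:15 prefs.xml
/data/data/com.example.bank/databases:
-rw-r--r-- u0_a12 u0_a12   16384 2012-03-01 10:16 accounts.db
/sdcard/Android/data/com.example.bank/cache:
-rw-rw-r-- root   sdcard_rw   4096 2012-03-01 10:17 statement.pdf
"""

# mode, owner, group, size, date, time, name (Android toolbox `ls -l` layout)
LINE_RE = re.compile(r"^([-dl][rwx-]{9})\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$")
# Assumed mount points for shared (public) storage, which M1 says never to use
PUBLIC_PREFIXES = ("/sdcard", "/mnt/sdcard", "/storage")

def analyse_listing(listing: str) -> List[Dict[str, str]]:
    """Return one finding per file that is world-readable, world-writable,
    or stored on public storage (the M1 data-at-rest checks)."""
    findings: List[Dict[str, str]] = []
    current_dir = ""
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # directory header line
            current_dir = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m is None:                   # skip "total N" and unparsable lines
            continue
        mode, _owner, _group, _size, name = m.groups()
        path = f"{current_dir}/{name}"
        others = mode[7:10]             # rwx triple for "everyone else"
        if others[0] == "r":
            findings.append({"path": path, "issue": "world-readable", "mode": mode})
        if others[1] == "w":
            findings.append({"path": path, "issue": "world-writable", "mode": mode})
        if path.startswith(PUBLIC_PREFIXES):
            findings.append({"path": path, "issue": "public-storage", "mode": mode})
    return findings
```

Only `prefs.xml` (mode `-rw-------`) passes cleanly in the sample; the same checker can be pointed at a real listing captured from a rooted device or emulator.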
    • M2 – Weak Server Side Controls
      • Applies to the backend services
      • Happens due to:
        • Insecure backend APIs & platforms
      • Impact
        • Confidentiality of data lost
        • Integrity of data not trusted
    • M2 – Weak Server Side Controls
      • Prevention Tips
        • OWASP Web Top 10, Cloud Top 10, Web Services Top 10
        • Cheat sheets, development guides, ESAPI
    • M3 – Insufficient Transport Layer Protection
      • Lack of encryption for transmitted data
      • Happens due to:
        • Weakly encrypted data in transit
        • No encryption at all
      • Remember this?
    • DEMO
    • M3 – Insufficient Transport Layer Protection
      • Impact
        • Man-in-the-middle attacks
        • Tampering with wireless data in transit
        • Confidentiality of data lost
      • Prevention Tips
        • Ensure that all sensitive data leaving the device is encrypted
        • This includes data over carrier networks, WiFi, and even NFC (Near Field Communication)
        • Do not ignore security exception warnings
    • M4 – Client Side Injection
      • Apps using browser libraries
        • Pure web apps
        • Hybrid web/native apps
    • DEMO
    • M4 – Client Side Injection
      • Impact
        • Device compromise
        • Toll fraud
        • Privilege escalation
      • Prevention Tips
        • Sanitize or escape untrusted data before rendering or executing it
        • Use parameterized statements for database calls
    • M5 – Poor Authorization and Authentication
      • Some apps rely solely on immutable, potentially compromised values (IMEI, IMSI, UUID)
      • E.g. the application can be changed so that it no longer asks for authentication
    • M5 – Poor Authorization and Authentication
      • Impact
        • Unauthorized access
        • Privilege escalation
      • Prevention Tips
        • Never use the device ID or subscriber ID as the sole authenticator
        • Contextual info can enhance things, but only as part of a multi-factor implementation
    • M6 – Improper Session Handling
      • Mobile app session time is generally longer, for convenience and usability
      • Apps maintain sessions via
        • HTTP cookies
        • OAuth tokens
        • SSO authentication services
      • Demo: Facebook session captured & browsed
    • DEMO
    • M6 – Improper Session Handling
      • Impact
        • Privilege escalation
        • Unauthorized access
        • Circumvention of licensing and payments
      • Prevention Tips
        • Re-authenticate users after a fixed idle time
        • Ensure that tokens can be revoked quickly in the event of a lost/stolen device
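To make the M5 and M6 prevention tips concrete, here is an added Python sketch of a server-side session store (not code from the presentation): a token is issued only after a real credential check, the device ID is recorded only as context bound to that token rather than accepted as the authenticator, a session idle past the timeout forces re-authentication, and every session for a lost or stolen device can be revoked at once. The 15-minute idle timeout, the `verify_password` callback and the `IMEI-…` identifiers used in the check are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: re-authenticate after 15 min idle

@dataclass
class Session:
    user: str
    device_id: str   # contextual binding only, never the authenticator (M5)
    last_seen: float
    revoked: bool = False

class SessionStore:
    """In-memory server-side session store (illustrative, not a product)."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str, device_id: str, now: float,
              verify_password: Callable[[str, str], bool]) -> Optional[str]:
        """Issue a token only after a real credential check; the device ID
        is stored as context, not accepted as proof of identity."""
        if not verify_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, device_id, now)
        return token

    def validate(self, token: str, device_id: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None when the token is
        unknown, revoked, presented from another device, or idle too long (M6)."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if not hmac.compare_digest(s.device_id, device_id):
            return None
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            s.revoked = True        # idle too long: force re-authentication
            return None
        s.last_seen = now
        return s.user

    def revoke_device(self, user: str, device_id: str) -> int:
        """Lost/stolen device: revoke every live session for that user and device."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and s.device_id == device_id and not s.revoked:
                s.revoked = True
                count += 1
        return count
```

Passing `now` explicitly keeps the timeout logic testable; a real deployment would use the server clock and a persistent store.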
    • M7 – Security Decisions Via Untrusted Inputs
      • Change in the application’s security permission set in the AndroidManifest.xml file
      • May happen due to:
        • Malware
        • Client side injection
    • DEMO
    • M7 – Security Decisions Via Untrusted Inputs
      • Impact
        • Can be leveraged to bypass permissions and security models
      • Prevention Tips
        • Check the caller’s permissions at input boundaries
        • Prompt the user for additional authorization before allowing the action
        • When permission checks cannot be performed, ensure additional steps are required to launch sensitive actions
    • M8 – Side Channel Data Leakage
      • A mix of not disabling platform features and programmatic flaws
      • Sensitive data resides in unintended places
        • Web caches
        • Keystroke logging
        • Screenshots (i.e. iOS backgrounding)
        • Logs (system, crash)
        • Temp directories
      • Understand what third-party libraries are doing with user data (ad networks, analytics)
    • M8 – Side Channel Data Leakage
      • Impact
        • Data retained indefinitely
        • Privacy violations
      • Prevention Tips
        • Never log credentials or other sensitive data to system logs
        • Remove sensitive data before screenshots are taken
        • Carefully review any third-party libraries you introduce and the data they consume
        • Test your applications across as many platform versions as possible
    • M9 – Broken Cryptography
      • Two primary categories
        • Broken implementations using strong crypto libraries
        • Custom, easily defeated cryptography
    • M9 – Broken Cryptography
      • Impact
        • Confidentiality of data lost
        • Privilege escalation
        • Circumvention of business logic
      • Prevention Tips
        • Storing the key with the encrypted data defeats everything
        • Leverage battle-tested crypto libraries rather than writing your own
        • Leverage platform features
    • M10 – Sensitive Information Disclosure
      • Apps can be reverse engineered with relative ease
      • Application logging
    • DEMO
    • M10 – Sensitive Information Disclosure
      • Impact
        • Credentials disclosed
        • Intellectual property exposed
      • Prevention Tips
        • Keep proprietary and sensitive business logic on the server
        • Never hardcode a password in the application binary
    • Best Practices
    • Top 10 mobile controls and design principles
      1. Identify and protect sensitive data on the mobile device
      2. Handle password credentials securely on the device
      3. Ensure sensitive data is protected in transit
      4. Implement user authentication/authorization and session management correctly
      5. Keep the backend APIs (services) and the platform (server) secure
      6. Perform data integration with third-party services/applications securely
      7. Pay specific attention to the collection and storage of consent for the collection and use of the user’s data
      8. Implement controls to prevent unauthorised access to paid-for resources (wallet, SMS, phone calls etc.)
      9. Ensure secure distribution/provisioning of mobile applications
      10. Carefully check any runtime interpretation of code for errors
    • References
      • OWASP Mobile Top Ten Risks: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks
      • OWASP Top Ten Mobile Controls: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Controls
      • OWASP GoatDroid Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#OWASP_GoatDroid_Project
    • Questions
    • Thank you, ISACA! santosh@securbay.com @satamsantosh
    • Innovative Solutions & Services