
Mobile application security



Presentation by EY infosec experts Kristof Dewulf and Yannick Scheelen about mobile application security.
Agoria Alliance WG Meeting 20/11/13

Published in: Technology


  1. Mobile application security. App Alliance WG Meeting, 20 November 2013. Kristof Dewulf, Yannick Scheelen.
  2. Security weaknesses and vulnerabilities: mobile devices
     ► Smartphone sales are increasing
       [Chart: smartphone sales share by platform, 3Q12 vs 3Q13. Android 72.6% → 81.9%, iOS 14.3% → 12.1%, Microsoft 2.3% → 3.6%, Blackberry 5.2% → 1.8%]
     ► Malware goes mobile
       [Chart: number of variants in 2010, 2011 and 2012 for TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer]
     ► Security threats and malware are constantly present (timeline 2012–2014)
       ► Weakness in SSL certificate handling exposes data to interception (iOS)
       ► NotCompatible gains access to local network preferences (Android)
       ► LuckyCat opens a backdoor that allows remote access (Android)
       ► Lock screen of iPhone can be circumvented (iOS)
       ► The Android "Master Key" exploit
       ► iOS 7 lock screen vulnerability discovered
       ► HTC phone vulnerability leaks personal data (Android)
       ► FakeInst SMS Trojan cost end users 30 million dollars (Android)
       ► SMSzombie abuses China's SMS payment (Android)
       ► Apparent security certificate turns out to be Android malware
       ► Banking Trojans disguise attack targets in the cloud
     Page 2 EY - App Alliance WG meeting – 20 November
  3. Application weaknesses and vulnerabilities: more than meets the eye
     ► Bypass authentication or authorization controls
     ► Bypass validations or manipulate application business logic
     ► Application code review
     Most tests stop here... or here. What about:
     ► Injection attacks?
     ► Session management?
     ► Side channel data leakage?
     ► Sensitive information disclosure?
     ► SSL/TLS?
     ► Insecure data storage?
     ► Phishing attacks?
     ► Application and library permissions?
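Slide 3 notes that most tests stop at "bypass validations or manipulate application business logic", and slide 4 explains why that matters: the business logic shipped in the app binary can be altered, so the server must not trust its results. The following Python is an added example, not code from the slides or from EY, showing the same order-submission handler twice: once trusting the total computed by the app, once recomputing it server-side and treating a mismatch as a detection signal. The catalog, request shape and function names are constructed for this example.

```python
"""Added example (not from the EY slides): server-side re-validation of
business logic that a mobile client may have tampered with."""
from dataclasses import dataclass

# Constructed server-side catalog: the price source the client cannot override.
CATALOG = {"sku-100": 1999, "sku-200": 4999}   # prices in cents
MAX_DISCOUNT_PERCENT = 20                       # constructed business rule


@dataclass
class Decision:
    accepted: bool
    charged_cents: int
    reason: str


def handle_order_trusting_client(req: dict) -> Decision:
    """Weak pattern: the pricing logic ran inside the app, so the server only
    records whatever total the app sends. A modified binary can send any number."""
    total = int(req["total_cents"])
    if total < 0:
        return Decision(False, 0, "negative total")
    return Decision(True, total, "accepted client total")


def handle_order_server_validated(req: dict) -> Decision:
    """Hardened pattern: the server recomputes the price from its own catalog,
    enforces the discount policy itself and ignores the client-supplied total
    except as a consistency check worth logging."""
    items = req.get("items", [])
    if not items:
        return Decision(False, 0, "no items")
    subtotal = 0
    for line in items:
        sku = line.get("sku")
        qty = int(line.get("qty", 0))
        if sku not in CATALOG or qty <= 0 or qty > 100:
            return Decision(False, 0, f"invalid line {line!r}")
        subtotal += CATALOG[sku] * qty
    discount = int(req.get("discount_percent", 0))
    if not 0 <= discount <= MAX_DISCOUNT_PERCENT:
        return Decision(False, 0, "discount outside policy")
    charged = subtotal - subtotal * discount // 100
    client_total = req.get("total_cents")
    if client_total is not None and int(client_total) != charged:
        # The app's arithmetic disagrees with the server's: reject and log it,
        # because an honest client running the same rules cannot produce this.
        return Decision(False, 0, f"client total {client_total} != server total {charged}")
    return Decision(True, charged, "accepted server total")


# Constructed request: a tampered client claims a 1-cent total for two items.
TAMPERED_REQUEST = {
    "items": [{"sku": "sku-100", "qty": 1}, {"sku": "sku-200", "qty": 1}],
    "discount_percent": 10,
    "total_cents": 1,
}

if __name__ == "__main__":
    print(handle_order_trusting_client(TAMPERED_REQUEST))    # accepted, charged 1 cent
    print(handle_order_server_validated(TAMPERED_REQUEST))   # rejected, server total is 6299
```

The hardened handler also accepts a request with no `total_cents` at all, which is the cleaner contract: the client sends what it wants to buy, and the server alone decides what it costs.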
  4. Mobile application security: most common issues
     1. There is too much business logic in the application
        ► The mobile device holds the actual application binary
        ► It is safer to perform business logic validation on central systems (e.g. web service/web server)
     2. SSL/TLS not implemented, or not properly implemented
        ► Certificate validity is often not checked
        ► Consider certificate pinning; it works perfectly for mobile apps!
     3. Insecure local data storage
        ► Passwords stored in databases
        ► Personal information is stored without the consent of the user (see privacy legislation)
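Slide 4 recommends certificate pinning without showing what a pin actually is. As an added example that is not from the slides or from EY, the Python below extracts the SubjectPublicKeyInfo (SPKI) from a DER-encoded X.509 certificate with a minimal parser and computes the `sha256/<base64>` pin form that HPKP, OkHttp's CertificatePinner and the Android network security config all use; it then accepts or rejects a chain against a pin set. The certificate skeletons are constructed for this example (correct DER structure, but unsigned and with dummy key bytes), and the function names are this example's own.

```python
"""Added example (not from the EY slides): SPKI pin computation and check."""
import base64
import hashlib


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:            # explicit [0] version; absent in v1 certificates
        pos = nxt
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    tag, _, end = _read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return tbs[start:end]      # the whole TLV is what gets hashed for a pin


def spki_pin(cert_der: bytes) -> str:
    """Pin in the 'sha256/<base64>' form: SHA-256 over the DER SPKI."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(chain_der: list, pins: set) -> bool:
    """Accept the chain if any certificate in it (leaf or intermediate) matches a
    configured pin. A deployed pin set should also hold a backup pin for the
    next key so that a key rotation does not lock users out of the app."""
    return any(spki_pin(c) in pins for c in chain_der)


_SHA256_RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
_RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")


def make_test_cert(spki: bytes, version_field: bool = True) -> bytes:
    """Constructed certificate skeleton: real DER layout, dummy contents, no real signature."""
    tbs_parts = []
    if version_field:
        tbs_parts.append(_der(0xA0, _der(0x02, b"\x02")))        # [0] version v3
    tbs_parts.append(_der(0x02, b"\x01"))                         # serialNumber
    tbs_parts.append(_der(0x30, _SHA256_RSA_OID))                 # signature algorithm
    tbs_parts.append(_der(0x30, b""))                             # issuer (empty Name)
    tbs_parts.append(_der(0x30, _der(0x17, b"131120000000Z") + _der(0x17, b"141120000000Z")))
    tbs_parts.append(_der(0x30, b""))                             # subject (empty Name)
    tbs_parts.append(spki)                                        # subjectPublicKeyInfo
    tbs = _der(0x30, b"".join(tbs_parts))
    signature = _der(0x03, b"\x00" + b"\x00" * 16)                # dummy BIT STRING
    return _der(0x30, tbs + _der(0x30, _SHA256_RSA_OID) + signature)


# Constructed SPKI values: the RSA algorithm identifier plus a dummy key BIT STRING.
GOOD_SPKI = _der(0x30, _der(0x30, _RSA_OID) + _der(0x03, b"\x00" + b"A" * 32))
ROGUE_SPKI = _der(0x30, _der(0x30, _RSA_OID) + _der(0x03, b"\x00" + b"B" * 32))
GOOD_CERT = make_test_cert(GOOD_SPKI)
ROGUE_CERT = make_test_cert(ROGUE_SPKI)   # stands in for a cert a MITM proxy would present
PINS = {spki_pin(GOOD_CERT)}              # what the app would ship with

if __name__ == "__main__":
    print(spki_pin(GOOD_CERT))
    print(pin_matches([GOOD_CERT], PINS), pin_matches([ROGUE_CERT], PINS))   # True False
```

Pinning the SPKI rather than the whole certificate is deliberate: the certificate can be renewed by the CA without the pin changing, as long as the key pair is reused. On Android the same hash goes into a `<pin-set>` in the network security config rather than into hand-written code like this.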
  5. Mobile application security testing: our approach
     Mobile device. Objective: identify vulnerabilities in the application (Android, iOS or Windows).
     ► Reverse engineer the binary using tools such as Clang (static code), GDB, IDA (Pro), class-dump-z, ... and investigate the source code for passwords, server-side keys, ... but also learn how the application works!
     ► Perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages, ...
     ► Verify the application's permissions.
     ► Analyze the application's business logic.
     Communication channel. Objective: identify vulnerabilities in the data communication channel.
     ► Mobile applications are highly likely to operate on insecure wireless networks.
     ► It is essential to review the network protocols the application uses to communicate with the server-side application.
     ► The use of SSL/TLS is confirmed both through code review and the Burp Suite proxy tool.
     Server-side controls. Objective: identify vulnerabilities on the server side of the mobile application.
     ► Perform an in-depth penetration test of the server-side application.
     ► Perform an in-depth penetration test of the web services or API services.
     ► Use the information found on the local device to leverage our success.
     ► Perform security tests similar to other web application tests (e.g. session management, authentication management, ...).
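The "perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages" step on slide 5, and the "passwords stored in databases" issue on slide 4, are both exercised by the added Python below. It is not code from the slides or from EY: it builds a constructed in-memory SQLite database and a few constructed logcat-style lines, then flags sensitive column names, Luhn-valid card numbers in stored text (the Luhn check filters out digit runs that merely look like card numbers) and secrets echoed into debug output. The regexes and function names are this example's own heuristics.

```python
"""Added example (not from the EY slides): scanning an app's local storage
artefacts (SQLite database and debug log) for sensitive data."""
import re
import sqlite3

# Heuristic patterns, constructed for this example.
SENSITIVE_COLUMN = re.compile(r"pass(word|wd)?|secret|token|api_?key|ssn|card", re.I)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
LOG_SECRET = re.compile(r"(password|passwd|token|authorization)\s*[:=]\s*\S+", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_sqlite(conn: sqlite3.Connection) -> list:
    """Walk every table: report sensitive column names and Luhn-valid card numbers."""
    findings = []
    tables = [row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            if SENSITIVE_COLUMN.search(col):
                findings.append(("sqlite", f"{table}.{col}", "sensitive column name"))
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                if not isinstance(val, str):
                    continue
                for m in CARD_CANDIDATE.finditer(val):
                    digits = re.sub(r"[ -]", "", m.group())
                    if luhn_ok(digits):   # drops order numbers that only look like PANs
                        findings.append(("sqlite", f"{table}.{col}", "Luhn-valid card number"))
    return findings


def scan_log(text: str) -> list:
    """Report log lines that carry a credential or token value."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_SECRET.search(line)
        if m:
            findings.append(("log", f"line {n}", f"{m.group(1).lower()} value in debug output"))
    return findings


def build_constructed_db() -> sqlite3.Connection:
    """Constructed database standing in for an app's private SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'a@example.com', 'hunter2')")
    conn.execute("CREATE TABLE payments (id INTEGER, note TEXT)")
    conn.execute("INSERT INTO payments VALUES (1, 'paid with 4111 1111 1111 1111')")  # Luhn-valid test PAN
    conn.execute("INSERT INTO payments VALUES (2, 'order ref 1234 5678 9012 3456')")  # not Luhn-valid
    return conn


# Constructed logcat-style lines.
LOG_SAMPLE = "\n".join([
    "D/NetClient: POST /login",
    "D/NetClient: body user=alice password=hunter2",
    "I/Sync: completed 3 items",
    "D/Auth: Authorization: Bearer eyJhbGciOi...",
])


def scan_all() -> list:
    """Combined findings over the constructed database and log."""
    return scan_sqlite(build_constructed_db()) + scan_log(LOG_SAMPLE)


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

On a real assessment the database would come from the app's private data directory or a device backup, and the log from `adb logcat`; the scanning logic stays the same.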
  6. EY: our recommendations
     ► Developers: start with security in mind!
     ► Understand the threats:
       ► On the application
       ► On the channel
       ► On the server side
     ► Don't store sensitive data on the device without consent of the user and without the ability for the user to remove his/her personal information
     ► Understand the mobile platform of your application
     ► Understand your audience
     ► Assess your application
  7. Contact details