Common Security Pitfalls for Mobile Apps in the Enterprise



Video and slides synchronized, mp3 and slide download available at URL

Watkins and Hanna discuss the top 5 security mistakes made by developers, examining them in detail by looking at the code and highlighting the risks from both the consumer and developer perspective. Filmed at

Kevin Watkins is the CTO and part of the founding team at Appthority, The Authority in App Security™. Prior to founding Appthority, he served as the Research Architect at McAfee Labs. Steve Hanna is the lead research scientist of Appthority. He received his Ph.D. and Master's Degree in Computer Science from University of California Berkeley.



  1. Mobile App (in)Security. Kevin Watkins (CTO, Co-Founder) and Steve Hanna, PhD (Lead Researcher).
  3. Presented at QCon San Francisco.
  4. Overview
     • App Reputation Report: Market Overview - the current app ecosystem
     • Consequences of risky apps - how risky apps affect end users and corporations
     • Epic Fails in Top Applications - mistakes made by popular applications
     • Top 5 app developer mistakes and solutions
     © 2013 Appthority, Inc.
  5. Reputation Report: Summer 2013 - Breakdown of the Most Popular Apps
  6. Reputation Report: Summer 2013 - Risky Applications: Paid Apps vs. Free Apps
  7. Risky Application Impact
     • Each application can affect the end user
     • If an app is unsafe or risky, the device can be wiped or unregistered from the MDM
     • Poorly developed apps risk the user's productivity and data
     • Impact is broad
     • Being banned from the MDM means loss of sales volume and developer revenue
     • Lowers developer reputation
     • Potential lifetime ban from enterprises
  8. Appthority Top 5 Fails
     1. Using Risky SDKs - adware/analytics/3rd-party libs
     2. Permissions and Bypassing User Consent - accessing device features without user consent, under/over-privileged apps
     3. Dirty Laundry
     4. Improper Handling of Private App Data
     5. Bad Cryptography - weak or no algorithms, predictable seeds
  9. Fail #1: Adware/Analytic SDK - Ad networks introduce external risk!
     • Permissions added to the app by a popular adware SDK: INTERNET, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, LAUNCHER.INSTALL_SHORTCUT, WRITE_EXTERNAL_STORAGE, ACCESS_WIFI_STATE, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, GET_ACCOUNTS, BROWSER.READ_HISTORY_BOOKMARKS
     • These break COPPA and corporate data privacy policies
     • Developers may add many adware SDKs - potentially aggressive: Apperhand, Vulna/Applovin
  10. Fail #1: Adware/Analytic SDK (Cont.) - Private data sent by these SDKs: APIKEY, TIMESTAMP, APP ID, IMEI, PHONE, LAT, LONG, COUNTRY, STATE, CITY, ZIP, AGE
  11. Which Ad networks to use? Evaluating an ad network
     • Ad network reputation: Evaluate end-users' and developers' opinion about a library with respect to potential privacy and security impacts. Do they treat their developers well? Are there customer complaints?
     • Type of data collected: Discover what kinds of data the network is known to collect. Is it private, potentially sensitive, or does it uniquely identify the user? Does it collect the data in a clandestine manner?
  12. Which Ad networks to use? Evaluating an ad network (Cont.)
     • Tactics and methodology: Evaluate the methodology used by the ad network to collect data. Does a network collect too much data or use aggressive tactics in exchange for higher click-through payouts? Is the payout abnormally high, or higher than popular competitors? Is the ad network dynamically updatable? Does it receive commands from a C&C network?
     • Long-term impact: Decide if short-term gains are worth potentially hurting long-term reputation. Combining all the questions above, are you willing to stake your reputation on a questionable ad network?
  13. Fail #2: Permission Abuse & Bypassing Consent - Potential problems with permissions
     1. Underprivileged application: sidesteps the permission system to obtain the same behavioral results.
     2. Overprivileged application: requests permissions that are unneeded.
     3. The confused deputy: performs actions on behalf of another agent, like sending SMS messages.
  14. Fail #2: Permissions and Bypassing Consent - App behavior must adhere to the permissions requested
     • The application is underprivileged: it side-steps the permission system yet is still able to track the user
     • Yet... ACCESS_COARSE_LOCATION is not in the manifest - the app doesn't request any permission to geo-track its user
     • Good way to get kicked out of enterprises, E*trade!
  15. Fail #2: Permissions and Bypassing Consent - An application should request the minimal set of permissions necessary to operate correctly. Frequently unneeded yet requested permissions; the same actions can be accomplished with Intents to the target application:
     • CAMERA - take a picture using the default capture app.
     • INTERNET - open the URL in the browser.
     • CALL_PHONE - open the default phone dialer.
     However, auto-update encourages overprovisioning to make the dev lifecycle smoother (an update that adds a new permission cannot be installed automatically, so developers request permissions up front).
     Adrienne Porter Felt, Erika Chin, Steven Hanna, Dawn Song, and David Wagner. Android Permissions Demystified. ACM CCS 2011.
  16. Fail #2: Permissions and Bypassing Consent - Apps must check intent permissions and guard their Broadcast Receivers! Potential for abuse: the confused deputy performs actions on behalf of another agent. Example: Application A has two components, MainA (the main application component) and RecA (a broadcast receiver), and it holds the permission SEND_SMS. Application B has no permissions. In the diagram, B sends an Intent to RecA and an SMS message goes out. Who sent the SMS message?
  17. Permission abuse! Extreme permission abuse!
     • Grand Theft Auto Walkthrough game
     • 10k+ downloads
     • Pulled from market
     • Requests 50 permissions!
  18. 50 requested permissions! Including vendor permissions! com.lge.launcher.permission.READ_SETTINGS, android.permission.ACCESS_COARSE_LOCATION, com.lge.launcher.permission.WRITE_SETTINGS, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_LOCATION_EXTRA_COMMANDS, com.motorola.dlauncher.permission.INSTALL_SHORTCUT, com.motorola.dlauncher.permission.READ_SETTINGS, android.permission.ACCESS_NETWORK_STATE, com.motorola.dlauncher.permission.WRITE_SETTINGS, android.permission.ACCESS_WIFI_STATE, com.motorola.launcher.permission.INSTALL_SHORTCUT, android.permission.BROADCAST_STICKY, com.motorola.launcher.permission.READ_SETTINGS, android.permission.CAMERA, com.motorola.launcher.permission.WRITE_SETTINGS, android.permission.GET_ACCOUNTS, com.teslacoilsw.launcher.permission.READ_SETTINGS, android.permission.GET_TASKS, com.teslacoilsw.launcher.permission.WRITE_SETTINGS, android.permission.INTERNET, org.adw.launcher.permission.READ_SETTINGS, android.permission.MODIFY_AUDIO_SETTINGS, org.adw.launcher.permission.WRITE_SETTINGS, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.RECORD_VIDEO, android.permission.SYSTEM_ALERT_WINDOW, com.fede.launcher.permission.READ_SETTINGS, android.permission.VIBRATE, com.fede.launcher.permission.WRITE_SETTINGS, android.permission.WAKE_LOCK, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, com.lge.launcher.permission.INSTALL_SHORTCUT, com.anddoes.launcher.permission.READ_SETTINGS, com.anddoes.launcher.permission.WRITE_SETTINGS
  19. More permission abuse! Extreme permission abuse!
     • Joke Screen Melt Wallpaper
     • STILL ON MARKET
     • Requests 45 permissions! Including: android.permission.INSTALL_PACKAGES, android.permission.DELETE_PACKAGES, android.permission.RECORD_AUDIO, android.permission.MOUNT_FORMAT_FILESYSTEMS, android.permission.GET_ACCOUNTS, android.permission.SET_WALLPAPER
     • Aggressive adware!
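An added example, not from the talk or from Appthority, of how a reviewer could check a manifest for the two Fail #2 patterns above: broadcast receivers other apps can trigger with no permission guard (the confused deputy on slide 16) and sensitive permissions that need justification (the overprivileged apps on slides 15 to 19). The manifest, the SENSITIVE set and the function names are constructed for this illustration.

```python
# Added example, not from the talk: a small AndroidManifest.xml lint for two Fail #2
# patterns. The manifest, the SENSITIVE set and the function names are constructed.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest modelled on the slide's Application A: RecA can be reached by
# any app and relays to code holding SEND_SMS; RecB is the same receiver, guarded.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.appa">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".RecA">
      <intent-filter><action android:name="com.example.appa.SEND"/></intent-filter>
    </receiver>
    <receiver android:name=".RecB" android:exported="true"
              android:permission="android.permission.SEND_SMS"/>
  </application>
</manifest>"""

# Permissions a reviewer should ask the developer to justify (from the talk's lists).
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.INSTALL_PACKAGES", "android.permission.READ_PHONE_STATE",
}

def unguarded_receivers(manifest_xml):
    """Receivers other apps can trigger without holding any permission: exported, or
    carrying an intent-filter with android:exported omitted (exported by default
    before API 31), and lacking an android:permission guard."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for rec in root.iter("receiver"):
        exported = rec.get(ANDROID + "exported")
        reachable = exported == "true" or (
            exported is None and rec.find("intent-filter") is not None)
        if reachable and rec.get(ANDROID + "permission") is None:
            findings.append(rec.get(ANDROID + "name"))
    return findings

def sensitive_permissions(manifest_xml):
    """Requested permissions from the SENSITIVE set, sorted for a stable report."""
    root = ET.fromstring(manifest_xml)
    requested = {u.get(ANDROID + "name") for u in root.iter("uses-permission")}
    return sorted(requested & SENSITIVE)
```

Run against the constructed manifest, RecA is reported and RecB is not, which is the difference between the deputy that can be confused and one that demands SEND_SMS from its caller.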
  20. Fail #3: Dirty Laundry - Pandora for iOS. The app includes debugging information, giving us a view into the development environment (and the developer/s).
  21. Fail #4: Improper Handling of Private Data: Tinder - What we found in the Tinder app...
     • Our analysis engines alerted us that the app was sending exact geo-location information over the network
     • We found much more was being sent over the network, including the full name of all matches, exact birth-date/age, and Facebook profile ID
  22. Fail #4: Improper Handling of Private Data: Tinder (Cont.)
  23. Fail #4: Improper Handling of Private Data: Tinder (Cont.)
  24. Fail #4: Improper Handling of Private Data: Tinder - We made the Tinder report public...
  25. Fail #4: Improper Handling of Private Data: Tinder - The Tinder API "profile" call returns the target's profile information, including the "distance_mi" away, and they did remove the "pos": STILL A FAIL! Knowing that the Tinder API "ping" call sets the geographical position: how would you use the profile call (to get distance_mi) + the ping call (to set the lon, lat) to obtain the exact geo-location of the target? Hint: shortest path....
  26. Fail #4: Improper Handling of Private Data: Tinder - Not limited to just Tinder... 500,000+ installs; Skout, 10,000,000+ installs; Swoon, 500,000+ installs; Cheeky, 100,000+ installs
  27. Fail #5: Using Bad or No Cryptography - What we found in the Postogram app...
     • Our analysis engines alerted us that the app was uploading private photos
     • We found Postogram was sending all private photos to an unprotected server with filenames that were predictable (deterministic)
  28. Fail #5: Using Bad or No Cryptography (Cont.)
  29. Fail #5: Bad Cryptography - Use best practices and PROTECT PRIVATE DATA
     1. Not using SSL/encryption for private data
     2. Storing passwords/OAuth tokens in plaintext
     3. Not expiring OAuth tokens properly (open to replay attacks)
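An added example (not the talk's code and not any of the apps' code) of the server-side counterpart to items 1 to 3 above and to the Postogram filenames on slide 27: object names drawn from the OS CSPRNG instead of a deterministic scheme, and an HMAC-protected bearer token that carries an expiry so a captured token is refused once it lapses. The names issue_token, verify_token and the upload-name helpers are hypothetical, and SECRET is a constructed value.

```python
# Added example, not from the talk: unpredictable upload names and expiring tokens
# for the Fail #5 items. Function names are hypothetical.
import base64
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-server-side-signing-key"  # constructed value for the demo


def deterministic_upload_name(user_id, seq):
    """The Postogram-style scheme: anyone who knows a user id can enumerate photos."""
    return f"{user_id}_{seq}.jpg"


def random_upload_name():
    """256 bits from the OS CSPRNG; one name reveals nothing about the others."""
    return secrets.token_urlsafe(32) + ".jpg"


def issue_token(secret, subject, ttl_seconds, now=None):
    """Return subject|expiry tagged with HMAC-SHA256, base64url-encoded."""
    now = int(time.time()) if now is None else now
    payload = f"{subject}|{now + ttl_seconds}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_token(secret, token, now=None):
    """Return the subject for a valid, unexpired token, else None.

    The MAC is checked before the expiry is trusted, so neither field can be edited.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, tag = base64.urlsafe_b64decode(token).rsplit(b"|", 1)
        subject, exp = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered
    if now >= int(exp):
        return None  # expired: a replayed capture is refused here
    return subject
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in production both functions use the clock.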
  30. The Reality is... These mistakes are easily avoidable
     • Best-practice guidelines for storing private information do exist
     • Tools to help do exist (for bigger dev shops, add these tools into the SDLC)
     • Have a mindset of "What if this was my private information?"
     • Have an accurate & current privacy policy: don't make us call you out
  31. Questions? Thank you! Kevin Watkins (CTO & Co-Founder) and Steve Hanna, PhD (Lead Researcher).