2. Presenter Logo
► Prior to modern Tsunami warning systems, these
a similar problem now
► Tectonic shifts in technologies due to consumerization and mobilification
► What is our warning system?
► Anti-virus? Firewalls? The App Stores?
►
correct precursor events or even at the
technological dependencies necessary;
Time to wake up!
3. Tsunami Root Cause Analysis
► The root cause of a tsunami is an earthquake, a long way away from anyone and very hard to see with the naked eye
► The result of the earthquake is a massive wave which can wreak destruction at great distances
4. Mobile Application Security Analysis
►
application threats
► According to firms that sell Anti-Virus, we need to install A/V on mobile devices to protect ourselves (except for Apple, which tells us we should just trust them)
► What other messages are out there for mobile application security?
► Carriers will protect us?
► Handset manufacturers will protect us?
5.
►
►
► What are the actual application threats? How vulnerable are apps?
► Wait, the apps are just isolated executables of n-tiered application architectures?
► What permissions have we given these apps?
Oops
6.
► Static analysis tools give us some insight into the overall quality of an executable published to the app stores
► IntegriCell partnered with experts in static analysis to evaluate iOS and Android applications
►
► Astounding number of security problems in even these very small apps (average size was ~4 MB) connected to very simple back-end platforms (mostly JSON)
7. Application Vulnerabilities
► 55 applications reviewed
► All analysis performed without permission of application owner
► Application names withheld
► (We tried asking for permission but none would grant it)
► Significant numbers of false positives in these numbers due to de-compilers used to begin analysis

Vulnerability Type                % of Occurrence
SQL Injection (client)            35%
AuthZ Weakness (client)           48%
CRLF Injection (client)           51%
XSite Scripting (client)          28%
Directory Traversal (client)      38%
Unencrypted Data (client)         99%
Crypto Material Errors (client)   14%
Reflected XSS (client)            28%
Clear-text Password (network)     72%
Unreleased Streams (client)       12%
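The "SQL Injection (client)" row above is the kind of finding a static analyzer raises when an app builds a query against its own local SQLite store by string concatenation. The following Python is an added example, not code from the slides or from IntegriCell's analysis: it shows the flagged pattern next to its parameterised fix against a constructed in-memory store, and a deliberately crude source-line rule of the sort a decompiler-fed tool applies, whose false positive on an ordinary UI string illustrates the slide's own caveat about false-positive rates. The table, sample rows and the snippet being scanned are all constructed.

```python
import re
import sqlite3

# Constructed sample rows standing in for an app's local SQLite store.
SAMPLE_NOTES = [
    ("alice", "alice's shopping list"),
    ("bob", "bob's private note"),
    ("carol", "carol's password hint"),
]


def make_store() -> sqlite3.Connection:
    """Build an in-memory store holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """The pattern analyzers report as 'SQL Injection (client)':
    the caller-supplied value is spliced into the SQL text."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Fixed form: the value is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def demo() -> dict[str, int]:
    """Compare both forms on a tautology input that widens the WHERE clause."""
    conn = make_store()
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(notes_for_owner_vulnerable(conn, hostile)),  # every row leaks
        "safe_rows": len(notes_for_owner_safe(conn, hostile)),              # no owner has that name
        "legit_rows": len(notes_for_owner_safe(conn, "alice")),             # normal lookup still works
    }


# Deliberately crude static rule of the kind a decompiler-fed analyzer applies:
# flag a double-quoted literal containing a SQL verb that is followed by '+'.
SQL_CONCAT = re.compile(
    r'"[^"]*\b(?:select|insert|update|delete)\b[^"]*"\s*\+', re.IGNORECASE
)

# Constructed snippet to scan: line 1 is the real flaw, line 2 is the fix,
# line 3 is an ordinary UI string that the crude rule wrongly flags.
SNIPPET = '''cursor.execute("SELECT body FROM notes WHERE owner = '" + owner + "'")
cursor.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
label = "Select a note: " + title
'''


def find_sql_concat(source: str) -> list[int]:
    """Return 1-based line numbers the crude rule flags; includes false positives."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SQL_CONCAT.search(line)]


if __name__ == "__main__":
    print(demo())                    # {'vulnerable_rows': 3, 'safe_rows': 0, 'legit_rows': 1}
    print(find_sql_concat(SNIPPET))  # [1, 3]
```

Line 3 of the constructed snippet is flagged only because the rule matches on text, not on data flow; a real analyzer working from decompiled code faces the same trade-off, which is why the slide warns that its percentages carry false positives.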
8.
► 55 back-ends evaluated with
and other tools
► Every application tested had some sort of back-end component (API, ad-server connection, etc.)
► Predominantly Linux back-end servers with JSON installed

Vulnerabilities                       % of Occurrence
Unencrypted Data                      99%
Unrestricted Passwords                74%
Session Termination Flaw (network)    82%
AuthN Bypass                          79%
Default Permissions & ACLs            99%
Directory Browsing                    95%
Web Server Patch & Configuration      100%
9. The Wall of Shame
► One application tested was just really, really bad
► 200+ code flaws (in 3 MB of compiled code!)
► 40+ unique web server vulnerabilities (excluding 20+ critical updates that were not installed)
►
stores?
► The app stores do not perform any sort of static or dynamic analysis of the applications; they ONLY assure that permissions are requested and granted as stated in the application manifest.
10.
► Try to attack millions of smartphones and tablets with unique drivers, unknown patch levels, etc?
► Attack the back-ends and piggyback on
► Working with Marvin team we discovered:

Permissions found among 2500+ apps   % of Occurrence
READ_CONTACTS                        31%
READ_SMS                             9%
ACCESS_FINE_LOCATION                 65%
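Slide 9 notes that the app stores only check requested permissions against the manifest, and slide 10 reports how often three sensitive permissions appear across 2500+ apps. The following Python is an added example, not code from the slides or from the Marvin team's work: it parses AndroidManifest.xml documents, lists the permissions each app declares, and computes the prevalence of the watched permissions across a corpus, which is the survey in slide 10 reduced to a script. The package names and manifests are constructed, so the percentages it produces describe the sample, not the slide's figures.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name as ElementTree sees it

# The three permissions reported on the slide.
WATCHLIST = (
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
)


def build_manifest(package: str, permissions: list[str]) -> str:
    """Construct a minimal AndroidManifest.xml for the sample corpus (not from a real app)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="%s">%s<application/></manifest>'
            % (ANDROID_NS, package, uses))


# Constructed corpus of four apps; package names are invented.
SAMPLE_MANIFESTS = {
    "com.example.maps": build_manifest("com.example.maps", [
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"]),
    "com.example.chat": build_manifest("com.example.chat", [
        "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
        "android.permission.INTERNET"]),
    "com.example.flashlight": build_manifest("com.example.flashlight", [
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
        "android.permission.INTERNET"]),
    "com.example.notes": build_manifest("com.example.notes", [
        "android.permission.INTERNET"]),
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Permissions declared with <uses-permission>; this is all the store checks against."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def permission_prevalence(manifests: dict[str, str], watchlist=WATCHLIST) -> dict[str, int]:
    """Percentage of apps in the corpus requesting each watched permission (rounded)."""
    counts = Counter()
    for xml in manifests.values():
        counts.update(p for p in watchlist if p in requested_permissions(xml))
    total = len(manifests)
    return {p: round(100 * counts[p] / total) for p in watchlist}


def apps_requesting(manifests: dict[str, str], permission: str) -> list[str]:
    """Packages that request a permission, e.g. to review why a flashlight wants contacts."""
    return sorted(pkg for pkg, xml in manifests.items() if permission in requested_permissions(xml))


if __name__ == "__main__":
    for perm, pct in permission_prevalence(SAMPLE_MANIFESTS).items():
        print("%s: %d%%" % (perm, pct))
    print(apps_requesting(SAMPLE_MANIFESTS, "android.permission.READ_CONTACTS"))
```

The manifest only says what an app may do, not what its code does with the permission; that gap between the declared grant and actual behaviour is what the static and dynamic analysis described on the earlier slides is meant to close.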
11. The Bottom Line
► Automated static analysis tools are economical. REQUIRE YOUR APP PROVIDERS TO GIVE YOU AN ANALYSIS BEFORE ACCEPTING DELIVERY!
►
worth it. Application back-ends will be the point of attack for large-scale exploitation
► Understand how transitive trust models work on mobile devices. Best option is to deploy a PIM container for enterprise data.
12. Thanks for your attention!
Aaron Turner
aaron.turner@integricell.com