
Is my app secure?


Talk given at BSides Lisbon 2015 by me and Herman Duarte.

Based on our experience testing mobile applications on both Android and iOS, we challenged ourselves to assess applications from both app stores, using the OWASP Mobile Top 10 as the reference for which vulnerabilities to look for.
As criteria for choosing the apps to test, we focused on the most common mobile applications available in the Portuguese Android and iOS app stores, across several categories such as finance, social media, medical and security.
In this talk we highlight the most interesting design choices, both good and bad, and what should be done to avoid such mistakes.

Published in: Technology


  1. Neo: Is my App Secure? Herman Duarte @hdontwit, Cláudio André @clviper
  2. Agenda: Who; Objectives; Approach; Building blocks; Analysis Statistics; How we did it; Interesting findings; Q&A
  3. Who: Herman Duarte @hdontwit
  4. Who: Cláudio André @clviper
  5. Who: We work @ Integrity S.A. Awesome co-workers and awesome workplace. We identify security issues for our clients to help them lower their security risks.
  6. Objectives: Evaluate iOS and Android apps from a security point of view. Automate pentest tasks for both Android and iOS. Share results. Have fun :)
  7. Approach
  8-10. (image-only slides)
  11. +50 Apps
  12. Client
  13. Network
  14. Server
  15-16. (image-only slides)
  17. Vulns by OWASP Risk
  18. Android Vulns by OWASP Risk
  19. iOS Vulns by OWASP Risk
  20. Insecure Data Storage
  21. Transport Layer Security: Android / iOS
  22. Certificate Pinning
  23. iOS Background Screenshot
  24. Android Obfuscation
  25. Android Obfuscated Apps by Category
  26. iOS Binary Protection: All apps analyzed have the following security features enabled in the binary: PIE (Position Independent Executable, aka ASLR); ARC (Automatic Reference Counting); SSPRO (Stack Smashing Protection); encrypted binary.
  27. (image-only slide)
  28. iStat & Droidstat: iOS and Android security analyser tools. Command line. A way to mass-analyse ipas and apks. Search and download apps (Android only). Bulk decryption of apps (iOS only). Bulk install, uninstall and backup of apps. Easy way to extend the heuristic checks (Android only, for now).
  29. iStat: https://youtu.be/bOtosGya_G4
  30. Droidstat – Intro Video: https://youtu.be/zPKUj8rb_ok
  31. Droidstat – Checks Config File
  32. Droidstat – Example Findings Video: https://youtu.be/uWJZa0vgbQ4
  33. Interesting Findings
  34. Invoice Registration App (Android): Under 100,000 installs. The credentials used for this service are also used on multiple Portuguese Government public services websites.
  35-44. Invoice Registration App (Android) (image-only slides)
  45. Invoice Registration App (Android) – Recommendations: Use proper TLS implementations that correctly validate TLS certificates. Use strong cryptographic algorithms to store sensitive information.
  46. Invoice Registration App – Dev Response: "As for the problems, although I think that both are difficult to replicate in a real case, I recognize that the app can be improved, taking this into account we will release an update until the weekend to solve the problems." (June 9)
  47. Invoice Registration App – Dev Response (continued): "The update of this weekend corrects the problems mentioned. Thanks again for the analysis." (June 22)
  48. Shopping App (Android & iOS): Between 1M and 5M installs. More than 10M users.
  49-55. Shopping App (Android & iOS) (image-only slides)
  56. Shopping App (Android & iOS) – Recommendations: Correctly override TLS implementations, or use the framework's default one, which correctly validates certificate chains.
  57. Mr. Smith: So, you're asking me if your app is secure?
  58. M2 - Insecure Data Storage: In iOS some applications still use property list files (.plist) or NSUserDefaults (files created in the app's Documents folder) to store sensitive information instead of the keychain. In Android some applications store sensitive information in the shared preferences file and in SQLite databases without any kind of encryption.
  59. M3 - Insufficient Transport Layer Protection: The OS framework already does the hard work in TLS, so the majority of the TLS use we have seen is correctly implemented; nonetheless, when developers override the default implementation, most of the time bad things happen. We have seen that certificate pinning is more used in Android than in iOS applications.
  60. M4 - Unintended Data Leakage: In iOS the background screenshot information leakage happens most of the time because it is a side effect of OS behaviour that most developers are not aware of.
  61. M10 - Lack of Binary Protections: Regarding obfuscation, we have seen that in Android not many apps are obfuscated, although the SDK comes with tools to do this out of the box. In iOS, because of the default configuration of Xcode, binary security features (e.g. PIE, ARC, SSPRO) are applied in all of the apps analyzed.
  62. Q&A
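
Slide 28 says Droidstat's heuristic checks are easy to extend, and slides 56 and 59 point at developer-overridden TLS validation as the place where things go wrong. The following is an added example in that spirit, not the authors' Droidstat code: a small heuristic scanner over decompiled Java source text that flags the common TLS-override anti-patterns (the source files it scans are constructed samples; the finding ids and patterns are this example's own).

```python
"""Heuristic check for Android TLS-override anti-patterns, in the spirit of the
extensible Droidstat heuristics described in the talk.  Added example, not the
authors' tool: it runs over decompiled Java source text (constructed samples)."""
import re

# Each heuristic: (finding id, description, compiled regex).  Patterns are
# deliberately loose, as in any static triage tool, so hits are leads for a
# reviewer to confirm by hand, not proof of a vulnerability on their own.
HEURISTICS = [
    ("TLS-01", "checkServerTrusted() with an empty body (accepts any chain)",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.S)),
    ("TLS-02", "HostnameVerifier.verify() that always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("TLS-03", "ALLOW_ALL_HOSTNAME_VERIFIER used (disables hostname checking)",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
]

def scan_source(name, text):
    """Return a list of (finding id, file name) tuples, one per heuristic hit."""
    return [(fid, name) for fid, _desc, rx in HEURISTICS if rx.search(text)]

def scan_app(sources):
    """sources: {file name: decompiled Java text}.  Findings sorted by file, id."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_source(name, text))
    return sorted(findings, key=lambda f: (f[1], f[0]))

# Constructed sample input: one class that overrides TLS validation badly and one
# that leaves the framework defaults alone (the recommendation on the slides).
SAMPLE_SOURCES = {
    "com/example/net/TrustAll.java": """
        public class TrustAll implements X509TrustManager {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
        class NoHost implements HostnameVerifier {
            public boolean verify(String h, SSLSession s) { return true; }
        }
    """,
    "com/example/net/ApiClient.java": """
        public class ApiClient {
            HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
            // no SSLSocketFactory / HostnameVerifier override: defaults apply
        }
    """,
}

if __name__ == "__main__":
    for fid, path in scan_app(SAMPLE_SOURCES):
        desc = next(d for i, d, _ in HEURISTICS if i == fid)
        print(f"{fid} {path}: {desc}")
```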

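Slide 26 lists the binary protections found enabled on every iOS app analysed. As an added example (not the iStat tool from the talk), the following parses a Mach-O header directly to check two of them, the PIE flag and whether the App Store encryption envelope is still in place; the Mach-O bytes are constructed inline, and the code assumes a thin little-endian image (ARC and stack-smashing protection would need the symbol table and are not covered).

```python
"""Check two of the iOS binary protections from the slides (PIE flag in the
Mach-O header, and whether the App Store encryption envelope is still present)
by parsing the Mach-O header.  Added example, not the iStat tool from the talk.
Assumes a thin (non-fat) little-endian Mach-O image."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # 32- and 64-bit header magic
MH_PIE = 0x200000                                # header flag: ASLR-capable
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def macho_protections(data):
    """Return {'pie': bool, 'encrypted': bool} for a thin Mach-O image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    # cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags follow the magic
    _, _, _, ncmds, _, flags = struct.unpack_from("<6I", data, 4)
    encrypted = False
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptoff, cryptsize, cryptid: a non-zero cryptid means the
            # executable segment is still encrypted (not yet dumped/decrypted)
            _, _, cryptid = struct.unpack_from("<III", data, off + 8)
            encrypted = cryptid != 0
        off += cmdsize
    return {"pie": bool(flags & MH_PIE), "encrypted": encrypted}

def build_sample(pie, cryptid):
    """Constructed minimal arm64 Mach-O header with one LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    flags = MH_PIE if pie else 0
    # magic, cputype (arm64), cpusubtype, filetype (MH_EXECUTE), ncmds,
    # sizeofcmds, flags, reserved
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), flags, 0)
    return hdr + lc

if __name__ == "__main__":
    for pie, cryptid in ((True, 1), (False, 0)):
        print("pie=%s cryptid=%d ->" % (pie, cryptid),
              macho_protections(build_sample(pie, cryptid)))
```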