Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

A look at the Top 10 Mobile Application vulnerabilities, and statistics around their manifestations.


    1. Mobile Malfeasance: Exploring Dangerous Mobile Code and Applications. Jason Haddix, Director of Penetration Testing, Fortify On Demand. ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    2. About the Presenter
        • Jason Haddix (@jhaddix)
        • Director of Penetration Testing at HP/Fortify on their ShadowLabs team
        • Previously worked in HP's Professional Services as a security consultant, and as an engineer and pen tester for Redspin
        • Frequent attendee, presenter, and CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
        • Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine
    3. Overview
        • Trends and the need for mobile appsec
        • Overview of the threat landscape
        • Classifying vulnerabilities and exploring metrics
        • Threat modeling and risk profiling mobile apps
        • Exploring a few high-risk areas
        • The mobile app SDLC
        • Fortify on Demand's testing methods for QA and security groups
        • Resources for development and QA teams facing mobile security
        (Data from Smart Insights, 2011)
    4. Trends and Threats | Adoption
        • Global mobile data traffic will increase 26-fold between 2010 and 2015
        • Two-thirds of the world's mobile data traffic will be video by 2015
        • There will be nearly one mobile device per capita by 2015 (~6 billion)
        (Data from Smart Insights, 2011)
    5. Why do we care?
        • Your critical business applications face the Internet
        • Regulations and standards (PCI, HIPAA, SOX, etc.)
        • More than 60% of applications have serious flaws
    6. New Devices (diagram: device, connection, server, OS)
    7. Same Old Story (diagram: server, browser)
    8. Same Old Server (diagram: Information, Operations, Software, Security, Services)
    9. Mobile Application Security Challenges
        • Difficult to train and retain staff; very difficult to keep skills up to date
        • Constantly changing environment
        • New attacks constantly emerge
        • Compliance requirements
        • Too many tools, with varying results
        • Apps are getting launched on a daily basis without Security being involved
        • Junior developers are typically the ones creating the apps
    10. How you see your world: Get Sales Data, Get the username, Get the password, Edit my account, Remember the User, Generate Reports
    11. How an attacker sees your world: Insecure Data Storage, SQL Injection, Data Leakage, Cross Site Scripting, Sensitive Information Disclosure, Improper Session Handling, Weak Server Side Controls, Client Side Injection
    12. Exploring Insecure Mobile Code
    13. OWASP Mobile Top 10 Risks
        • M1 – Insecure Data Storage
        • M2 – Weak Server Side Controls
        • M3 – Insufficient Transport Layer Protection
        • M4 – Client Side Injection
        • M5 – Poor Authorization and Authentication
        • M6 – Improper Session Handling
        • M7 – Security Decisions via Untrusted Inputs
        • M8 – Side Channel Data Leakage
        • M9 – Broken Cryptography
        • M10 – Sensitive Information Disclosure
    14. M1 – Insecure Data Storage: SQLite databases, logging, plist files, manifest files, binary data stores, SD card storage
    15. M2 – Weak Server Side Controls: EVERYTHING in the (web) OWASP Top 10 applies to the server side of a mobile app
    16. M3 – Insufficient Transport Layer Protection: insecure SSL encryption; unsigned certificates accepted and certificate validation not enforced
    17. M4 – Client Side Injection: SQLite injection, XSS via WebView, LFI, etc.
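The SQLite injection case from M4, worked as an added example (not code from the deck or from Fortify): an app's local store is queried with a string built from input that arrived over a deep link or a text field. The table, rows and payload are constructed for the example; the sqlite3 module is the Python standard library, standing in for the platform's SQLite binding.

```python
import sqlite3

# Constructed sample data standing in for an app's local SQLite store
# (for example a credentials or notes table on the device).
SAMPLE_ROWS = [
    ("alice", "alice-secret-token"),
    ("bob", "bob-secret-token"),
]

# Classic tautology payload. On a phone it can arrive via a URL scheme,
# an intent extra or an ordinary text field, not only a web form.
PAYLOAD = "nobody' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, token TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by concatenation, so the input becomes part of the query.
    With PAYLOAD the WHERE clause is always true and every row comes back."""
    sql = "SELECT username, token FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Binds the value as a parameter; the input can never change query structure.
    The same payload now matches nothing, because it is compared as a literal."""
    sql = "SELECT username, token FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
```

The fix is the same on the platforms the deck covers: bind values instead of concatenating them (on Android, `SQLiteDatabase.rawQuery` and `query` take a `selectionArgs` array for `?` placeholders; on iOS, `sqlite3_bind_*` on a prepared statement). Note that a tautology is the mildest outcome; a concatenated query can also be turned into a UNION that reads other tables in the same database file.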
    18. M5 – Poor Authorization and Authentication: poor password complexity; account disclosure via Login or Forgot Password responses
    19. M6 – Improper Session Handling: indefinite sessions, weak cookie "hashing", home-rolled session management, using the phone ID as part of the session
    20. M7 – Security Decisions via Untrusted Inputs: inter-process communication (Android intents, iOS URL schemes)
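An added example for M7 (not from the deck or from Fortify) modelling a custom URL scheme handler of the kind reached through an iOS URL scheme or an exported Android intent. The `myapp://` scheme, the action names, and the sandbox path are hypothetical. The handler is written in Python so it can be run and tested here; the checks it performs (scheme and action allowlist, confining a caller-supplied path to the app's sandbox, requiring user confirmation for a sensitive action) are what the native handler must do, since any other app on the device can send it arbitrary input.

```python
import posixpath
from urllib.parse import parse_qs, urlparse

# Hypothetical scheme, actions and sandbox root for a made-up app.
SCHEME = "myapp"
ALLOWED_ACTIONS = {"open_note", "share_note"}
SENSITIVE_ACTIONS = {"share_note"}          # sends data off the device
SANDBOX_ROOT = "/data/data/com.example.app/files"


def _params(url) -> dict:
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(url.query).items()}


def handle_vulnerable(url: str) -> dict:
    """Trusts the caller: whatever action and path the URL names is executed."""
    u = urlparse(url)
    return {"executed": True, "action": u.netloc, "path": _params(u).get("path")}


def handle_hardened(url: str, user_confirmed: bool = False) -> dict:
    """Treats the URL as untrusted input from another app."""
    u = urlparse(url)
    if u.scheme != SCHEME:
        return {"executed": False, "reason": "wrong scheme"}
    action = u.netloc
    if action not in ALLOWED_ACTIONS:
        return {"executed": False, "reason": "unknown action"}

    # Resolve the path against the sandbox and refuse anything that escapes it:
    # an absolute path replaces the root in join(), and ".." is collapsed by
    # normpath, so both tricks end up outside the prefix and are rejected.
    path = _params(u).get("path", "")
    full = posixpath.normpath(posixpath.join(SANDBOX_ROOT, path))
    if not path or not full.startswith(SANDBOX_ROOT + "/"):
        return {"executed": False, "reason": "path outside sandbox"}

    # A sensitive action must not fire just because a URL arrived.
    if action in SENSITIVE_ACTIONS and not user_confirmed:
        return {"executed": False, "reason": "needs user confirmation"}
    return {"executed": True, "action": action, "path": full}


if __name__ == "__main__":
    for link in ("myapp://share_note?path=/etc/passwd",
                 "myapp://share_note?path=../../../../etc/passwd",
                 "myapp://wipe?path=x",
                 "myapp://share_note?path=notes/1.txt"):
        print(link, "->", handle_hardened(link))
```

The same rules transfer directly: on Android, an exported Activity or BroadcastReceiver should validate every extra and consider a permission or signature check on the sender; on iOS, `application:openURL:` gets the raw URL and should parse it with the same suspicion.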
    21. M8 – Side Channel Data Leakage: keystroke logging, screenshot caching, logs, temp files
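The "logs" item under M8 is the one a tester hits first: a debug build that prints request bodies, tokens, card numbers or location fixes to the system log, readable by other apps on older Android releases and by anyone with the device on a cable. As an added example (not code from the deck or from Fortify), this script parses logcat-format lines and flags the classes of data the slides call out. The log lines are constructed for the example; the regexes and the Luhn filter on card numbers are assumptions about what a useful first-pass detector looks like, not a Fortify rule set.

```python
import re

# Constructed logcat-style lines, the sort pulled with `adb logcat` while
# exercising an app. Not real captures.
SAMPLE_LOGCAT = """\
D/LoginActivity( 1234): attempting login for user=alice
D/LoginActivity( 1234): request body: {"username":"alice","password":"hunter2"}
I/NetClient( 1234): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123
D/Profile( 1234): loaded card 4111 1111 1111 1111 exp 12/25
D/Geo( 1234): fix lat=37.7749 lon=-122.4194
I/ActivityManager(  512): Displayed com.example.app/.MainActivity
"""

# level/tag(pid): message
LOG_LINE = re.compile(r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$")

# One pattern per class of sensitive data (assumed, tune to the app under test).
PATTERNS = {
    "password": re.compile(r'"?(password|passwd|pwd)"?\s*[:=]\s*"?([^",\s]+)', re.I),
    "bearer_token": re.compile(r"Authorization:\s*Bearer\s+[A-Za-z0-9._\-]+", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "geolocation": re.compile(r"lat=-?\d+\.\d+\s+lon=-?\d+\.\d+", re.I),
}


def parse_logcat(text: str) -> list:
    """Split logcat text into (level, tag, pid, message) tuples; skip other lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append((m["level"], m["tag"].strip(), int(m["pid"]), m["msg"]))
    return entries


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to drop arbitrary digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_leaks(text: str) -> list:
    """Return (tag, category, message) for each log line matching a pattern."""
    findings = []
    for _level, tag, _pid, msg in parse_logcat(text):
        for category, pattern in PATTERNS.items():
            m = pattern.search(msg)
            if not m:
                continue
            if category == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue
            findings.append((tag, category, msg))
    return findings


if __name__ == "__main__":
    for tag, category, msg in find_leaks(SAMPLE_LOGCAT):
        print(f"[{category}] {tag}: {msg}")
```

Run it over a real capture (`adb logcat -d > app.log`) after walking every screen of the app; anything it flags is data the app should not be writing to the log in a release build, and the same patterns can be pointed at temp files and cached screenshots pulled from the device.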
    22. M9 – Broken Cryptography: rolling your own crypto, antiquated crypto libraries; encoding != encryption, obfuscation != encryption, serialization != encryption
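One added example (not from the deck or from Fortify) covering two of the patterns above together: the M6 "phone ID as part of the session" and "weak cookie hashing" item, and the M9 "encoding != encryption" item. The UDID and password values are constructed; the hash and KDF choices on the hardened side are standard-library functions chosen for the example, not a Fortify recommendation.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed values standing in for a device identifier and a user password.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_PASSWORD = "hunter2"
PBKDF2_ROUNDS = 200_000


def weak_session_token(udid: str) -> str:
    """Home-rolled session: an unkeyed hash of the phone ID. Deterministic, so
    anyone who learns the UDID (it leaks to ad networks, logs and other apps,
    see slide 27) computes the same token and takes over the session."""
    return hashlib.md5(udid.encode()).hexdigest()


def attacker_forges_session(leaked_udid: str) -> str:
    """The attacker needs no secret: same public input, same token."""
    return hashlib.md5(leaked_udid.encode()).hexdigest()


def strong_session_token() -> str:
    """Server-generated random token, unrelated to any device property and
    therefore not reconstructible from anything the device leaks."""
    return secrets.token_urlsafe(32)


def encoded_not_encrypted(password: str) -> str:
    """What 'encryption' often turns out to be in a decompiled app: base64."""
    return base64.b64encode(password.encode()).decode()


def recover_encoded(blob: str) -> str:
    """Encoding has no key, so whoever reads the file reverses it."""
    return base64.b64decode(blob).decode()


def store_password_verifier(password: str, salt: bytes = None) -> tuple:
    """If a password must be kept at all (server side), keep a salted slow
    hash rather than anything reversible. PBKDF2-HMAC-SHA256 from hashlib."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("weak token   :", weak_session_token(SAMPLE_UDID))
    print("forged token :", attacker_forges_session(SAMPLE_UDID))
    print("strong token :", strong_session_token())
    blob = encoded_not_encrypted(SAMPLE_PASSWORD)
    print("'encrypted'  :", blob, "->", recover_encoded(blob))
```

On the device itself the right answer is usually to store neither the password nor a reversible form of it: keep a server-issued, revocable token in the platform's credential store (the iOS Keychain, or the Android account/credential storage) and let the server hold only the verifier.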
    23. M10 – Sensitive Information Disclosure: hardcoded secrets! API keys, server-side database passwords, etc.
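Hardcoded secrets are found by reading the binary, so the practical check is a scan over the strings pulled from a decompiled APK or an IPA's Mach-O. As an added example (not code from the deck or from Fortify), this scanner runs a few explicit rules plus a Shannon-entropy fallback over a constructed list of strings; the rules, the entropy threshold and the sample strings are assumptions for the example (the `AKIA` prefix is the documented AWS access key ID format; the other values are made up).

```python
import math
import re
from collections import Counter

# Constructed strings, as if pulled from `strings` on an app binary or from
# decompiled constants. Not taken from any real application.
SAMPLE_STRINGS = [
    "https://api.example.com/v1/",
    "AKIAIOSFODNN7EXAMPLE",                      # AWS access key ID format
    "db_password=Tr0ub4dor&3",
    "X-Api-Key: 9f86d081884c7d659a2feaa0c55ad015",
    "Loading...",
    "com.example.app.MainActivity",
    "jdbc:mysql://db.internal.example:3306/prod?user=app&password=s3cr3tpass",
    'secret_token = "x9Qm3Tz7Rk2Lp8Wn4Vb6Hc1Yd5Jf0Sg"',
]

# Explicit rules first; each names the kind of secret it recognises.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?:password|passwd|pwd)\s*=\s*\S+", re.I)),
    ("api_key_header", re.compile(r"(?:api[_-]?key)\s*[:=]\s*\S+", re.I)),
    ("jdbc_url_with_credentials", re.compile(r"jdbc:[a-z]+://\S*password=\S+", re.I)),
]

# Tokens at least this long with entropy above the threshold are reported as
# a weaker "possible_secret" signal. Hex keys sit near 4.0 bits/char and random
# base64 above 4.5; the threshold is a tuning assumption.
MIN_TOKEN_LEN = 20
ENTROPY_THRESHOLD = 4.0
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_TOKEN_LEN)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_strings(strings) -> list:
    """Return (rule_name, string) pairs; explicit rules win over the entropy check."""
    findings = []
    for s in strings:
        matched = False
        for name, rx in RULES:
            if rx.search(s):
                findings.append((name, s))
                matched = True
        if matched:
            continue
        for token in TOKEN.findall(s):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append(("possible_secret", s))
                break
    return findings


if __name__ == "__main__":
    for name, s in scan_strings(SAMPLE_STRINGS):
        print(f"{name:28s} {s}")
```

Every hit is a secret that anyone with the app package also has; the fix is not obfuscation (slide 22) but moving the secret server-side, or replacing it with a per-user, revocable credential issued after authentication.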
    24. Real Examples from the Enterprise
    25. Vulnerabilities by Risk
        • Case study of 120 mobile applications for 1 enterprise client
        • 234 vulnerabilities
        • 66% of applications contained a critical or high vulnerability that disclosed 1 or more users' personal data, exposed multiple users' personal data, or compromised the application's server
        (Bar chart: vulnerability count by severity; categories Critical, High, Medium, Low, Informational; y-axis 0 to 90)
    26. Vulnerabilities by OWASP Top 10 Category (bar chart: vulnerability count per category M1 through M10 plus "Other"; y-axis 0 to 80). Legend: M1 Insecure Data Storage; M2 Weak Server Side Controls; M3 Insufficient Transport Layer Protection; M4 Client Side Injection; M5 Poor Authorization and Authentication; M6 Improper Session Handling; M7 Security Decisions Via Untrusted Inputs; M8 Side Channel Data Leakage; M9 Broken Cryptography; M10 Sensitive Information Disclosure
    27. Other?
        • Poor code quality and application hardening: unreleased resources; no ASLR or memory-management frameworks enabled
        • Privacy leaks: UUID, Wi-Fi, device names, geolocation, etc., leaked to ad agencies
    28. Fixing the Problem
    29. Mobile SDLC Security Foundations – Mobile Applications (table; phases: Plan, Requirements, Architecture & Design, Build, Test, Production). Activities shown: Mobile Security Development Standards; Application-Specific Threat Modeling and Analysis; Mobile Secure Coding Training; Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client); Mobile Secure Coding Standards Wiki; Mobile Firewall; Mobile Application Threat Modeling CBT; Security Process for Developers; MDM; Design Static Analysis; Mobile Risk Dictionary; Mobile Security Policies
    30. How do we get started?
        1. Find your published apps
        2. Threat model them based on the information they handle
        3. Assess and fix published apps
        4. Give resources to developers to write secure code
    31. Threat Modeling a Mobile App
        Identify business objectives:
        • Identify the data the application will use
        • PII vs non-PII
        • Credentials and access
        • Where is it stored?
        • Payment information?
        • Credit card data or account data
        Types of data at risk with a mobile app: usernames and passwords, UDID, geolocation/address/zip, DoB, device name, network connection name, updates to social media, chat logs, cookies, etc.
    32. How to Assess?
    33. Mobile Methodology
        • Client Application: static analysis, dynamic analysis
        • Network
        • Web Application: static analysis, dynamic analysis
    34. BlackBox Mobile Methodology (assessment tree)
        • Application Mapping: platform understanding, application architecture, data flow mapping
        • Client Attacks: binary analysis (insecure API use), file system analysis (sensitive file artifacts), memory analysis (weak encryption)
        • Network Attacks: install traffic, run traffic (plaintext traffic)
        • Server Attacks: TCP attacks (buffer overflows), HTTP attacks (SQLi, XSS)
    35. Mobile Assessment – Tools
        • Fortify
        • WebInspect
        • IDA Pro
        • Jad
        • Undx
        • Burp Suite
        • AdpSmali / Baksmali
        • Androguard
        • Blackberry Swiss Army Knife
        • iPhone SDK
        • Mallory
        • Netfilter / iptables
        • Custom iOS and Android scripts
    36. Resources
    37. Fortify On Demand's Mobile Application Security Risks, Controls, and Procedures document
    38. Fortify on Demand's Android and iOS security checklists
    39. Other Resources for QA, Security Managers, and Devs
        • Fortify's "7 Ways to Hang Yourself with Android" presentation
        • Fortify on Demand's iOS Penetration Testing presentation
        • Fortify's VulnCAT
    40. Other Resources
        • OWASP Top 10 Mobile Risks page
        • OWASP iOS Developer Cheat Sheet
        • Google Android Developer Security Topics 1
        • Google Android Developer Security Topics 2
        • Apple's Introduction to Secure Coding
    41. Parting Thoughts
    42. Parting Thoughts
        • Remember that mobile sites face the Internet as well; obscurity != security
        • Web teams and mobile teams are often not the same; mobile development teams are often behind in security training
        • Track the data flow: threat modeling and risk assessment
        • Start with risk profiling and exposure (deployed apps)
        • It all starts with the code; coding standards are pivotal
    43. Parting Thoughts II
        • Give developers prescriptive guidance; show with examples
        • Don't store PII at all if you don't need to
        • If you have a third-party dev team, deploy a contract that enforces coding to secure mobile development standards
        • Mobile Device Management (MDM) is not a substitute for secure code
        • Finally, don't be intimidated by "mobile"; the same fundamentals are still in play
    44. Questions? Contact: Jason.Haddix@hp.com
