Security Imperatives
for iOS and Android
Session #A5
8, April 2014
8:30am
Clinton Mugge and Gary Bahadur
Symosis Security
Copyright 2014 RBS Citizens
Distributed by MIS Training Institute with permission of owner.
All rights reserved. Printed i...
MIS Training Institute Session A5 - Slide 3
© Symosis Security
Who are we?
 Clinton Mugge
 Application and Network Secur...
MIS Training Institute Session A5 - Slide 4
© Symosis Security
Agenda
Introduction
iOS / Android Apps Top Risks
Countermea...
MIS Training Institute Session A5 - Slide 5
© Symosis Security
Audience Poll
• What mobile OS do you mostly
use?
• How man...
MIS Training Institute Session A5 - Slide 6
© Symosis Security
There is an App for that!
MIS Training Institute Session A5 - Slide 7
© Symosis Security
What do Attackers Want?
 Credentials - To your
device, To ...
MIS Training Institute Session A5 - Slide 8
© Symosis Security
Security and Privacy Concerns
 Side Channel Data Leakage
...
MIS Training Institute Session A5 - Slide 9
© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel L...
MIS Training Institute Session A5 - Slide 10
© Symosis Security
1. Side Channel Data Leakage
Data leakage via platform def...
MIS Training Institute Session A5 - Slide 11
© Symosis Security
Demo 1: Snapshot File
Tools: iExplore, Reflection
Device: ...
MIS Training Institute Session A5 - Slide 12
© Symosis Security
TaxAct Mobile Security Hole
Snapshot
MIS Training Institute Session A5 - Slide 13
© Symosis Security
TaxSlayer Mobile Security Hole
Snapshot
MIS Training Institute Session A5 - Slide 14
© Symosis Security
TaxAct Response
MIS Training Institute Session A5 - Slide 15
© Symosis Security
MIS Training Institute Session A5 - Slide 16
© Symosis Security
LinkedIn Plist identity theft
MIS Training Institute Session A5 - Slide 17
© Symosis Security
Agenda
Introduction
Mobile Apps Top 3 Risks
1. Side Channe...
MIS Training Institute Session A5 - Slide 18
© Symosis Security
2. Insecure Transport/Server Controls
Failing to encrypt s...
MIS Training Institute Session A5 - Slide 19
© Symosis Security
Demo 2: Insecure Transport
Tools: MITM Proxy, Reflection, ...
MIS Training Institute Session A5 - Slide 20
© Symosis Security
Credentials sent over HTTP iOS App
MIS Training Institute Session A5 - Slide 21
© Symosis Security
Unencrypted Cookies over HTTP
Instagram iOS App
MIS Training Institute Session A5 - Slide 22
© Symosis Security
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side ...
MIS Training Institute Session A5 - Slide 23
© Symosis Security
3. Insecure Data Storage
Locally stored data both on nativ...
MIS Training Institute Session A5 - Slide 24
© Symosis Security
Demo 3: local files
Tools: iExplore, Reflection
SQLite fil...
MIS Training Institute Session A5 - Slide 25
© Symosis Security
Cached Credentials and tax data in the clear
MIS Training Institute Session A5 - Slide 26
© Symosis Security
JacksonHewitt Tax Documents in the Clear
MIS Training Institute Session A5 - Slide 27
© Symosis Security
JacksonHewitt Responses
MIS Training Institute Session A5 - Slide 28
© Symosis Security
Unencrypted Cache with Master Password in
Keeper
MIS Training Institute Session A5 - Slide 29
© Symosis Security
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side ...
MIS Training Institute Session A5 - Slide 30
© Symosis Security
4. Privacy
MIS Training Institute Session A5 - Slide 31
© Symosis Security
Privacy Threat & Impact
 UDID, Mac Address, Device ID
 L...
MIS Training Institute Session A5 - Slide 32
© Symosis Security
Path uploads your entire iPhone address
book to its servers
MIS Training Institute Session A5 - Slide 33
© Symosis Security
WhatsApp sends messages unencrypted
over HTTP
MIS Training Institute Session A5 - Slide 34
© Symosis Security
LinkedIn transmits confidential info
insecurely
MIS Training Institute Session A5 - Slide 35
© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
...
MIS Training Institute Session A5 - Slide 36
© Symosis Security
Side Channel Data Leakage
Start by identifying all potenti...
MIS Training Institute Session A5 - Slide 37
© Symosis Security
Encrypt Sensitive Data
Data Protection API - set the NSFil...
MIS Training Institute Session A5 - Slide 38
© Symosis Security
Strategic Recommendations
 Establish common set of securi...
PLEASE
REMEMBER TO FILL OUT THE
SESSION EVALUATIONS.
THANK YOU!
Upcoming SlideShare
Loading in …5
×

InfoSec World 2014 Security Imperatives for IOS and Android

473 views

Published on

A5 Security Imperatives For iOS & Android Apps DEMO
Kartik Trivedi, Co-Founder, Symosis
Clinton Mugge, Partner, Symosis
Understand emerging iOS and Android apps security threats
Learn how to design, develop and test secure apps
Protect against inadvertent customer and corporate data leakage in mobile apps
Mobile app security and privacy best practices from leading companies
Get free eval access to iOS/Android app top 10 security CBT

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
473
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
17
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

InfoSec World 2014 Security Imperatives for IOS and Android

  1. 1. Security Imperatives for iOS and Android Session #A5 8, April 2014 8:30am Clinton Mugge and Gary Bahadur Symosis Security
  2. 2. Copyright 2014 RBS Citizens Distributed by MIS Training Institute with permission of owner. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted by electronic, mechanical or any other means without the prior written permission of MIS Training Institute and the respective owner of the copyright. Trademarked product and company names mentioned in this publication are the property of their respective owners. ISW14040714
  3. 3. MIS Training Institute Session A5 - Slide 3 © Symosis Security Who are we?  Clinton Mugge  Application and Network Security Providers  20 Years in Info Sec – Security Assessments, Penetration Testing, Compliance & Training, Investigations, Incident Response  Free Mobile App Security / Training Evaluations  Gary Bahadur  20 Years in Info Sec – Compliance & Training, Security Assessments, Risk Assessments  Author of “Securing the Clicks” Network Security in the Age of Social Media  Free Risk Assessment Software “Razient”
  4. 4. MIS Training Institute Session A5 - Slide 4 © Symosis Security Agenda Introduction iOS / Android Apps Top Risks Countermeasures
  5. 5. MIS Training Institute Session A5 - Slide 5 © Symosis Security Audience Poll • What mobile OS do you mostly use? • How many of you are involved with mobile security, privacy, audits? • Any mobile developers / architects? • Does your employer have mobile presence?
  6. 6. MIS Training Institute Session A5 - Slide 6 © Symosis Security There is an App for that!
  7. 7. MIS Training Institute Session A5 - Slide 7 © Symosis Security What do Attackers Want?  Credentials - To your device, To external services (email, banking, etc)  Access to your device  Use your device (botnets, spamming), Steal trade secrets or other sensitive data  Personal Data - Full Name, SINSSN, address book data, location data  Cardholder Data - Card Numbers, Expiration, CVV  Health Data - Prescription information, medical records, procedure summary  Corporate Data - IP, Design Docs
  8. 8. MIS Training Institute Session A5 - Slide 8 © Symosis Security Security and Privacy Concerns  Side Channel Data Leakage  Insufficient Transport Layer Protection  Weak Server Side Controls  Insecure Data Storage  Client Side Injection  Poor Authorization and Authentication  Improper Session Handling  Security Decisions Via Untrusted Inputs  Broken Cryptography  Sensitive Information Disclosure  Hardcoded password/keys  Privacy compliance  Identity exposure  Activity monitoring and data retrieval  Unauthorized dialing, SMS, and payments  Unauthorized network connectivity (data exfiltration or command & control)  UI (unique identifier) impersonation  System modification (rootkit, APN proxy configuration)  Mobile Malware  Criminals Target and Infect App Stores  Social-Engineering  Geolocation compromise  Security Regulatory Compliance  Device Risk  Application management  Installation of un-verified / unsigned 3rd party apps
  9. 9. MIS Training Institute Session A5 - Slide 9 © Symosis Security Agenda Introduction Mobile Apps Top Risks 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy Countermeasures
  10. 10. MIS Training Institute Session A5 - Slide 10 © Symosis Security 1. Side Channel Data Leakage Data leakage via platform defaults, use of third party libraries, logging, etc  Property List Files  SnapShot (ie- iOS Backgrounding)  iOS logs Sometimes result of programmatic flaws
  11. 11. MIS Training Institute Session A5 - Slide 11 © Symosis Security Demo 1: Snapshot File Tools: iExplore, Reflection Device: iPhone 5, IOS 6 latest version, iPhone 4, IOS 5 Snapshot –  TaxAct Mobile  TaxSlayer
  12. 12. MIS Training Institute Session A5 - Slide 12 © Symosis Security TaxAct Mobile Security Hole Snapshot
  13. 13. MIS Training Institute Session A5 - Slide 13 © Symosis Security TaxSlayer Mobile Security Hole Snapshot
  14. 14. MIS Training Institute Session A5 - Slide 14 © Symosis Security TaxAct Response
  15. 15. MIS Training Institute Session A5 - Slide 15 © Symosis Security
  16. 16. MIS Training Institute Session A5 - Slide 16 © Symosis Security LinkedIn Plist identity theft
  17. 17. MIS Training Institute Session A5 - Slide 17 © Symosis Security Agenda Introduction Mobile Apps Top 3 Risks 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy Countermeasures
  18. 18. MIS Training Institute Session A5 - Slide 18 © Symosis Security 2. Insecure Transport/Server Controls Failing to encrypt sensitive network traffic consisting of sensitive data Insecure server controls - web, application and backend API - can lead to security compromise
  19. 19. MIS Training Institute Session A5 - Slide 19 © Symosis Security Demo 2: Insecure Transport Tools: MITM Proxy, Reflection, Flixster Insecure Transport – User ID, Movies Browsing, Home Area, Purchase Intent
  20. 20. MIS Training Institute Session A5 - Slide 20 © Symosis Security Credentials sent over HTTP iOS App
  21. 21. MIS Training Institute Session A5 - Slide 21 © Symosis Security Unencrypted Cookies over HTTP Instagram iOS App
  22. 22. MIS Training Institute Session A5 - Slide 22 © Symosis Security TOC Mobile Platform Risks Mobile Apps Top 3 Risks 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy Countermeasures
  23. 23. MIS Training Institute Session A5 - Slide 23 © Symosis Security 3. Insecure Data Storage Locally stored data both on native and browser based apps that includes  SQLite  Sensitive Files  Cache Files
  24. 24. MIS Training Institute Session A5 - Slide 24 © Symosis Security Demo 3: local files Tools: iExplore, Reflection SQLite files – Runtastic, TaxSlayer, TaxAct, JacksonHewitt Flat Files – Jackson Hewitt Jackson Hewitt #JacksonHewitt /TaxSlayer #TaxSlayer Tools: iExplorer
  25. 25. MIS Training Institute Session A5 - Slide 25 © Symosis Security Cached Credentials and tax data in the clear
  26. 26. MIS Training Institute Session A5 - Slide 26 © Symosis Security JacksonHewitt Tax Documents in the Clear
  27. 27. MIS Training Institute Session A5 - Slide 27 © Symosis Security JacksonHewitt Responses
  28. 28. MIS Training Institute Session A5 - Slide 28 © Symosis Security Unencrypted Cache with Master Password in Keeper
  29. 29. MIS Training Institute Session A5 - Slide 29 © Symosis Security TOC Mobile Platform Risks Mobile Apps Top 3 Risks 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy Countermeasures
  30. 30. MIS Training Institute Session A5 - Slide 30 © Symosis Security 4. Privacy
  31. 31. MIS Training Institute Session A5 - Slide 31 © Symosis Security Privacy Threat & Impact  UDID, Mac Address, Device ID  Location Training  Usage Tracking - Google, Flurry, Mobclix  Contacts Access & Sharing  Shares / Uploads Phone Number  3rd Party Connections – Facebook, twitter
  32. 32. MIS Training Institute Session A5 - Slide 32 © Symosis Security Path uploads your entire iPhone address book to its servers
  33. 33. MIS Training Institute Session A5 - Slide 33 © Symosis Security WhatsApp sends messages unencrypted over HTTP
  34. 34. MIS Training Institute Session A5 - Slide 34 © Symosis Security LinkedIn transmits confidential info insecurely
  35. 35. MIS Training Institute Session A5 - Slide 35 © Symosis Security Agenda Introduction Mobile Apps Top Risks Countermeasures 1. Disable side channel data leakage 2. Use HTTPS and secure IOS Safe methods 3. Insecure Data storage 4. Privacy
  36. 36. MIS Training Institute Session A5 - Slide 36 © Symosis Security Side Channel Data Leakage Start by identifying all potential side channel data which includes  Plist files – Ensure no sensitive data is written  Disable Snapshots  Disable System / keystroke logs  Disable Web caches  Disable Cut-and-paste buffers  Clean up Core Data Do not store sensitive data (e.g., credentials, tokens, PII) in property list files. Use iOS Keychain
  37. 37. MIS Training Institute Session A5 - Slide 37 © Symosis Security Encrypt Sensitive Data Data Protection API - set the NSFileProtectionKey on an existing file Keychain – Sensitive data like passwords and keys should be stored in the Keychain and not in insecure locations like plist files CCCrypt & javax.crypto.* package for Android - provides access to AES, DES, 3DES SQLCipher (IOS & Android) - transparent 256- bit AES encryption of database files
  38. 38. MIS Training Institute Session A5 - Slide 38 © Symosis Security Strategic Recommendations  Establish common set of security requirements. Perform periodic security scans and audits  Invest in security education for all stakeholders  Perform server side data validation and canonicalization  Define and deploy secure configuration  Do not log credentials, PII and other sensitive data  Design and implement all apps under the assumption that the user’s device will be lost or stolen  Review all third party libraries before use
  39. 39. PLEASE REMEMBER TO FILL OUT THE SESSION EVALUATIONS. THANK YOU!

×