Security Imperative for iOS and Android Apps

Speaker notes
  • What mobile OS do you mostly use? How many of you are responsible for mobile security? Any iOS or Android developers / architects? Tech management? Auditors? Security testers / QA? How many are involved with mobile device management, policy development and/or security? When you hear mobile security, what do you think of first? MDM / BYOD / MAM?
  • Mobile App Growth
  • http://appnationconference.com/main/research/ By far the largest contributor to this number will be app-enabled commerce, supplemented by forecasted revenue from downloads, in-app advertising and virtual goods.
  • Side channel data leakage covers data that leaks via platform defaults, third-party libraries, logging, etc. To animate the transition back to an app, iOS captures and stores a snapshot of the screen whenever the device suspends (rather than terminates) the application: when the home button is pressed, or when a phone call or other event temporarily suspends the application. Whatever is on screen at that moment, such as a check image or an account balance, lands in the snapshot file inside the app container. A plist is a structured text file that contains essential configuration information for a bundled executable.
  • H&R Block: check images cached
  • A PLIST (property list) file is an XML (or binary) file that holds application properties. Some applications store sensitive information in plist files, including authentication credentials, PINs and OAuth tokens. Plist files can be found in several locations in the application directory, and because they are stored unencrypted, anyone with a device backup or a file-browsing tool such as iExplorer can read them without jailbreaking the device. An example location and plist file content storing authentication credentials are shown on the screen.
  • http://www.zdnet.com/blog/security/security-hole-exposes-android-ios-to-facebook-identity-theft/11356
  • http://blog.scoopz.com/2012/04/07/linkedin-ios-app-also-vulnerable-to-plist-identity-theft/
  • http://thenextweb.com/mobile/2012/04/06/security-hole-in-facebook-ios-app-doesnt-require-jailbreak-or-theft-and-dropbox-has-it-too/
  • H&R Block: check images cached
  • Web sites and servers sometimes have improperly configured SSL certificates. This produces warning messages that users often ignore, which in turn trains them for phishing attacks in which they hand personal information and private data to malicious sites that look like legitimate applications. A mobile app that silences these warnings by accepting any certificate is worse still: a network attacker can then impersonate the server with no warning at all. Applications that fall back to, or can be forced out of, an encrypted mode can also be abused by attackers, resulting in insecure communication. This is common on sites that operate both HTTP and HTTPS services, or that run older versions of SSL on the web server that are vulnerable to downgrade attacks.
  • http://blogs.denverpost.com/techknowbytes/2012/02/09/southwest-airlines-iphone-app-vulnerable-to-hackers-study-says/3264/
  • http://www.mobilemag.com/2012/12/06/security-threat-unencrypted-cookies-in-instagram-ios-app/
  • In 2011 it was discovered that Android devices transmitted data, including the AuthToken session cookie, via insecure HTTP. The AuthToken is not bound to any session or device, so an adversary who captures it can access any personal data exposed through the service API, including Google Calendar, Picasa and contact information for that user. Reference: http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html The issue here is the insecure HTTP channel, which allows network eavesdropping of the authToken and user data; the fix is to send the token only over TLS and, where it is carried in a cookie, to mark the cookie Secure.
  • http://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know
  • http://www.databreaches.net/?p=25428
  • Insecure data storage applies to data stored locally by mobile applications. There are two types of mobile apps: native apps and browser-based apps. Native apps are installed on the handset, process data locally and may connect to the internet for updates or to send user-specific information to the server (gaming apps, news apps, etc.). Browser-based apps are accessed via the mobile browser. This vulnerability applies to both categories. Most apps store user-specific information on the device. This data may be stored in clear text and may include: username and password; PII, SSN, health information; device ID, application configuration; account number, credit card, financial information.
  • http://blog.fox-it.com/2013/04/05/security-advisory-unencrypted-storage-of-confidential-information-in-keeper-password-data-vault-v5-3-for-ios/
  • http://blog.agilebits.com/2012/04/06/oauth-dropbox-and-your-1password-data/
  • http://www.truste.com/blog/2012/03/02/mobile-app-privacy-policies-are-now-the-law/
  • https://www.demworks.org/blog/2013/05/instant-messaging-smartphones-whatsapps-lack-security
  • http://thenextweb.com/insider/2012/06/06/linkedins-ios-app-collects-and-sends-names-emails-and-meeting-notes-from-your-calendar-back-in-plain-text/
  • Insecure transport layer protection is considered a high-risk security vulnerability. The impact can include: loss of data confidentiality and integrity when sensitive information is revealed to the attacker; data tampering when the attacker modifies application traffic and forces the user to accept it; a man-in-the-middle (MITM) attack if the attacker diverts all traffic through an insecure channel; impersonation if the attacker hijacks the user's account.
  • To disable snapshots, use one of the three solutions provided. 1. Set the key window's hidden property to YES. This hides whatever content is currently displayed on the screen, resulting in a blank snapshot where the content would normally reside: [UIApplication sharedApplication].keyWindow.hidden = YES; Bear in mind that, if you have any other windows behind the current one, they may become visible when the key window is hidden, so make sure you hide those as well. Set hidden back to NO in applicationDidBecomeActive:, otherwise the app returns from the background showing a blank window.
  • Disable auto-correct for any field that takes sensitive information, not just password fields, since the keyboard cache stores typed words and they may be recoverable from the device. For UITextField, set the autocorrectionType property to UITextAutocorrectionTypeNo; for password fields also set secureTextEntry to YES, which disables the keyboard cache for that field. Add an enterprise policy to clear the keyboard dictionary at regular intervals. The end user can do this from the Settings application: General > Reset > Reset Keyboard Dictionary.
  • It is recommended to use NSURLConnection together with its delegate method connection:canAuthenticateAgainstProtectionSpace:, returning YES for NSURLAuthenticationMethodServerTrust and then evaluating the server trust (or comparing it with a pinned certificate) in connection:didReceiveAuthenticationChallenge:. Implement it to validate the certificate, not to accept every certificate, which is the mistake that makes apps vulnerable to MITM. The syntax is shown on the screen. Note that these NSURLConnection delegate methods were deprecated in iOS 8; the modern equivalent is NSURLSession's URLSession:didReceiveChallenge:completionHandler:.
  • To protect an authorization token set in a cookie, the application should set the Secure attribute on the cookie (the slide writes this as a "/secure directive"; the actual syntax is a bare "; Secure" after the other attributes). The client then sends that cookie only over an HTTPS connection. Add HttpOnly as well so that script cannot read it. In a Java Servlet 3.0 or newer environment the secure flag is applied to the container's session cookie with the web.xml setting shown on screen; cookies the application creates itself need Cookie.setSecure(true).
  • Avoid local storage on the device. If local storage is required, encrypt the data securely. Data is encrypted on the iOS and Android platforms in several ways, including: Data Protection API (iOS); Keychain (iOS); CommonCrypto (iOS); SQLCipher for SQLite databases (iOS and Android); Java Crypto, javax.crypto (Android).
  • How well do you know your data center? How secure and resilient are your applications? Visibility, transparency, measurability, control, awareness, proactive.
  • REST-based APIs that provide feeds on power, cooling, physical security, etc. Ability to shift workloads to different geographical locations on physical security breaches. Easy integration with SDDC software. Complete integration of the physical, environmental and logical layers of the cloud stack.
  • With great power comes great responsibility: design considerations for mobile applications: proximity-based access control; multi-factor authentication; location-aware access control; context-based access; remote app and data kill switch; sensitive credentials stored server side; configurable TTL; sensitive cached data stored in an encrypted volume (e.g. the Keychain for iOS).
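The plist findings in the notes above (Demo 1: credentials and OAuth tokens sitting in property list files) can be reproduced offline with a small scanner. The script below is an added example written for this page; it is not part of the original deck or of Symosis's tooling. It parses an XML or binary plist with Python's standard plistlib, walks the nested structure, and flags keys whose names suggest credentials as well as innocently named keys whose values look like opaque tokens. The key-name patterns and the sample plist are constructed for illustration and are assumptions to tune per app.

```python
"""Scan an iOS property-list file for credentials and tokens (added example)."""
import plistlib
import re

# Key names that commonly hold credentials or tokens. Assumption: a generic
# starting list; tune it for the app under test.
SENSITIVE_KEY = re.compile(
    r"pass(word|wd|phrase)?|pin|secret|token|oauth|session|cookie|credential|api[_-]?key",
    re.IGNORECASE,
)
# Long opaque strings are often bearer tokens even under an innocent key name.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-+/=.]{32,}$")


def _walk(node, path):
    """Yield (path, value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from _walk(value, path + (f"[{index}]",))
    else:
        yield path, node


def scan_plist_bytes(data):
    """Return a list of (dotted key path, reason) for suspicious entries."""
    root = plistlib.loads(data)  # accepts XML and binary plists
    findings = []
    for path, value in _walk(root, ()):
        dotted = ".".join(path)
        if SENSITIVE_KEY.search(dotted):
            findings.append((dotted, "sensitive key name"))
        elif isinstance(value, str) and OPAQUE_VALUE.match(value):
            findings.append((dotted, "token-like value"))
    return findings


# Constructed sample modelled on the 2012 plist findings cited above; not a real app file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppVersion</key><string>5.1</string>
  <key>SoundEnabled</key><true/>
  <key>Accounts</key>
  <array>
    <dict>
      <key>username</key><string>alice@example.com</string>
      <key>password</key><string>hunter2</string>
    </dict>
  </array>
  <key>FBAccessTokenKey</key>
  <string>AAAAAlXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</string>
  <key>CachedHeader</key>
  <string>nNTzKhxV10bzwW1vMfZXhqVGxWXh4D8QrkynxV2QMqv2K032WS02</string>
  <key>LastSync</key><string>2013-07-10T12:00:00Z</string>
</dict>
</plist>
"""


def main():
    for path, reason in scan_plist_bytes(SAMPLE_PLIST):
        print(f"{path}: {reason}")


if __name__ == "__main__":
    main()
```

Run it against the .plist files pulled from an app container (Library/Preferences is the usual spot) by reading each file's bytes into scan_plist_bytes. The "token-like value" rule is deliberately loose; it exists to catch tokens stored under names the key list does not anticipate, so expect some false positives and review them by hand.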
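The transport findings in the notes above (a password sent over HTTP, the Android AuthToken over HTTP, cookies without the Secure flag) are exactly what a MITM proxy session surfaces. The following is an added example and not code from the original deck: given request/response pairs as a proxy would export them (represented here as constructed dicts, not a real capture), it flags credential headers and login form fields sent over plaintext HTTP and Set-Cookie headers that lack Secure or HttpOnly. The header and field names treated as credentials are assumptions to extend for the app under test.

```python
"""Audit captured app traffic for plaintext credentials and weak cookies (added example)."""
import re
from urllib.parse import urlsplit

# Request headers that carry a credential; seeing one on an http:// URL is a finding.
# Assumption: generic list, extend with the app's own header names.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-auth-token"}
# Form fields that look like a login secret (assumption: common field names).
SECRET_FIELD = re.compile(r"(^|&)(pass(word|wd)?|pin|token)=", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, {lowercase attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attributes: Secure, HttpOnly
    return name, attrs


def audit_exchange(exchange):
    """Return finding strings for one captured request/response pair."""
    findings = []
    url = urlsplit(exchange["url"])
    where = f"{url.netloc}{url.path}"
    headers = {k.lower(): v for k, v in exchange.get("request_headers", {}).items()}
    if url.scheme == "http":
        for header in sorted(CREDENTIAL_HEADERS & set(headers)):
            findings.append(f"{where}: {header} header sent over plaintext HTTP")
        if SECRET_FIELD.search(exchange.get("request_body", "")):
            findings.append(f"{where}: credential form field sent over plaintext HTTP")
    for raw in exchange.get("set_cookies", []):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"{where}: cookie {name} lacks Secure, so the client will also send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{where}: cookie {name} lacks HttpOnly")
    return findings


def audit_capture(exchanges):
    """Run audit_exchange over a whole capture."""
    findings = []
    for exchange in exchanges:
        findings.extend(audit_exchange(exchange))
    return findings


# Constructed capture shaped after the Tumblr, Instagram and AuthToken findings above; not real traffic.
SAMPLE_CAPTURE = [
    {
        "url": "http://api.example.com/login",
        "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "request_body": "email=alice%40example.com&password=hunter2",
        "set_cookies": ["AuthenticatedID=nNTzKhxV10bzwW1vMfZXhqVGxWXh4D8QrkynxV2QMqv2K032WS02; Path=/"],
    },
    {
        "url": "http://api.example.com/feed",
        "request_headers": {"Cookie": "AuthenticatedID=nNTzKhxV10bz", "Authorization": "GoogleLogin auth=DQAAABexample"},
        "set_cookies": [],
    },
    {
        "url": "https://api.example.com/login",
        "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "request_body": "email=alice%40example.com&password=hunter2",
        "set_cookies": ["AuthenticatedID=nNTzKhxV10bz; Path=/; Secure; HttpOnly"],
    },
]


def main():
    for line in audit_capture(SAMPLE_CAPTURE):
        print(line)


if __name__ == "__main__":
    main()
```

The third exchange is the corrected form of the first: the same login over HTTPS with the session cookie marked Secure and HttpOnly produces no findings. Note that the second exchange is flagged even though it carries no password; replaying a captured cookie or AuthToken is all an attacker on the same Wi-Fi needs.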
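For the insecure-storage demo in the notes above (SQLite and cache files, Demo 5; the JackThreads and Keeper cases) the check is whether an app's database holds cleartext PII or card data. This added example, not the deck's own code, builds a constructed in-memory SQLite database shaped like an app cache, walks every table and text column, and classifies values as SSN, email or card number. It applies a Luhn check so that arbitrary digit runs such as tracking numbers are not reported as card numbers. The patterns are assumptions (US-style SSN, 13 to 19 digit PANs).

```python
"""Find cleartext PII and card data in an app's SQLite store (added example)."""
import re
import sqlite3

# Value patterns. Assumption: US-style SSN; extend for other identifiers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits, spaces/dashes allowed


def luhn_valid(digits):
    """Luhn checksum, so that random digit runs are not reported as card numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def classify(text):
    """Return the sensitive data types found in one cell value."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    if EMAIL_RE.search(text):
        kinds.append("email")
    for match in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            kinds.append("pan")
            break
    return kinds


def scan_sqlite(conn):
    """Walk every table and text cell; return (table, column, rowid, kinds) tuples."""
    findings = []
    tables = [row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            for column, value in zip(columns, row[1:]):
                if isinstance(value, str):
                    kinds = classify(value)
                    if kinds:
                        findings.append((table, column, row[0], kinds))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for an app cache database; not a real dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, note TEXT, card TEXT);
        INSERT INTO user VALUES (1, 'Alice Example', 'alice@example.com', '078-05-1120');
        INSERT INTO orders VALUES (1, 'shipped', '4111 1111 1111 1111');
        INSERT INTO orders VALUES (2, 'tracking 1234567890123', 'tok_8f2a');
    """)
    return conn


def main():
    # For a real assessment: sqlite3.connect("<database file pulled from the app container>")
    for table, column, rowid, kinds in scan_sqlite(build_sample_db()):
        print(f"{table}.{column} rowid={rowid}: {', '.join(kinds)}")


if __name__ == "__main__":
    main()
```

A clean result from this scan does not mean the data is protected: an app that stores the same fields base64-encoded or under a hard-coded key fails just as badly, which is why the countermeasure slides point to SQLCipher or the Keychain rather than obfuscation.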
Slides

    1. For the Demo… please download and install the following apps on your mobile device
    2. Security Imperative for iOS / Android Apps. ISACA Sacramento, July 2013
    3. Who are we? • Kartik Trivedi (kartik@symosis.com): co-founder of Symosis; application and mobile security; 13 years in info sec; security assessments, penetration testing, compliance and training; free mobile app security / training eval • Lenin Aboagye (laboagye@io.com): Director, Information Security & Compliance, IO; cloud / mobile security expert; experience in the media and television, education, health, real estate and energy industries
    4. Agenda: Introduction; iOS / Android Apps Top Risks; Countermeasures; Mobility in Data Center
    5. Audience Poll • What mobile OS do you mostly use? • How many of you are involved with mobile security, privacy, audits? • Any mobile developers / architects? • Does your employer have a mobile presence?
    6. There is an App for that!
    7. There is an App for that! • Pay bills • File income taxes • Pay property tax • Scan & Shop • Deposit checks • Transfer money • Store medical records • Refill prescription • Manage health information • Remember your meds • Book flight / hotel • Medscape / Pharmacopia • Small Business Payroll • Pay invoice • Location based check in • Personal finance • Investments & 401k • Health & Fitness • Productivity • Facebook / Twitter • Place bets on sports • Utilities • Store passwords • Document storage
    8. From 2013 to 2017, the app economy will double from $72B USD to $151B USD
    9. What do Attackers Want? • Credentials: to your device, to external services (email, banking, etc.) • Access to your device: sniff your connections, use your device (botnets, spamming), steal trade secrets or other sensitive data • Personal Data: full name, SIN / SSN, address book data • Location data • Cardholder Data: card numbers, expiration, CVV • Health Data: prescription information, medical records, procedure summary • Corporate Data: IP, design docs
    10. Security Concerns • Side Channel Data Leakage • Insufficient Transport Layer Protection • Weak Server Side Controls • Insecure Data Storage • Client Side Injection • Poor Authorization and Authentication • Improper Session Handling • Security Decisions Via Untrusted Inputs • Broken Cryptography • Sensitive Information Disclosure • Hardcoded passwords / keys • Privacy compliance • Identity exposure • Activity monitoring and data retrieval • Unauthorized dialing, SMS and payments • Unauthorized network connectivity (data exfiltration or command & control) • UI impersonation • System modification (rootkit, APN proxy configuration) • Mobile Malware • Criminals target and infect app stores • Social engineering • Geolocation compromise • Security regulatory compliance • Device risk • Application management • Installation of unverified / unsigned third-party apps
    11. Agenda: Introduction; Mobile Apps Top Risks: 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy; Countermeasures; Mobility in Data Center
    12. 1. Side Channel Data Leakage: data leakage via platform defaults, use of third-party libraries, logging, etc. • Property List Files • Snapshot (i.e. iOS backgrounding). Sometimes the result of programmatic flaws
    13. Demo 1: Plist File. Tools: iExplorer, Reflection. Devices: iPhone 5 (iOS 6, latest version), iPhone 4 (iOS 5)
    14. (screenshot only)
    15. Facebook Plist: Mobile Security Hole Allows Identity Theft
    16. LinkedIn Plist identity theft
    17. Dropbox Plist Security hole
    18. Demo 2: Snapshots. Tools: iExplorer, Reflection. Devices: iPhone 5 (iOS 6, latest version), iPhone 4 (iOS 5)
    19. Agenda: Introduction; Mobile Apps Top 3 Risks: 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy; Countermeasures; Mobility in Data Center
    20. 2. Insecure Transport / Server Controls: failing to encrypt network traffic that carries sensitive data. Insecure server controls (web, application and backend API) can lead to security compromise
    21. Demo 3: Insecure Transport. Tools: MITM proxy, Reflection
    22. Tumblr: password sent unencrypted
    23. (screenshot only)
    24. Unencrypted Cookies over HTTP in Instagram iOS App
    25. (screenshot only)
    26. Demo 4: Insecure Server Configuration. Tools: MITM proxy, Reflection. Insecure server configuration / authentication bypass
    27. (screenshot only)
    28. TOC: Mobile Platform Risks; Mobile Apps Top 3 Risks: 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy; Countermeasures; Mobility in Data Center
    29. 3. Insecure Data Storage: locally stored data, in both native and browser-based apps, which includes • SQLite • Cache files • Keychain: is this really secure?
    30. Demo 5: SQLite / Cache files. Tools: iExplorer, Reflection. If time permits… Hacking the Keychain. Tools: jailbroken device, SSH, keychain_dump
    31. JackThreads stores personal and financial info in a SQLite file
    32. Unencrypted Cache with Master Password in Keeper
    33. (screenshot only)
    34. TOC: Mobile Platform Risks; Mobile Apps Top 3 Risks: 1. Side Channel Leakage 2. Insecure Transport / Server Controls 3. Insecure Data Storage 4. Privacy; Countermeasures; Mobility in Data Center
    35. 4. Privacy
    36. Privacy Threat & Impact • UDID, MAC address, Device ID • Location tracking • Usage tracking: Google, Flurry, Mobclix • Contacts access & sharing • Shares / uploads phone number • Third-party connections: Facebook, Twitter
    37. Path uploads your entire iPhone address book to its servers
    38. WhatsApp sends messages unencrypted over HTTP
    39. (screenshot only)
    40. Risk & Impact: High. Sensitive data exposure • Username & password • PII, SSN, Health Information • Device ID, Application configuration • Account Number, Credit Card, Financial Information. Loss of data confidentiality & integrity; data tampering, impersonation; man-in-the-middle (MITM) attack; unauthorized access to application data or functionality; privacy violations / reputation damage; session replay, impersonation
    41. Agenda: Introduction; Mobile Apps Top Risks; Countermeasures: 1. Disable side channel data leakage 2. Use HTTPS and secure iOS methods 3. Secure data storage 4. Privacy; Mobility in Data Center
    42. Side Channel Data Leakage: start by identifying all potential side channel data, which includes • Plist files • Snapshots • System / keystroke logs • Web caches • Cut-and-paste buffers. Do not store sensitive data (e.g., credentials, tokens, PII) in property list files. Use the iOS Keychain
    43. Disable Snapshots (3 options). Option 1: set the key window's hidden property to YES
            [UIApplication sharedApplication].keyWindow.hidden = YES;
        Option 2: do the same in the applicationWillResignActive: delegate method
            - (void)applicationWillResignActive:(UIApplication *)application {
                [UIApplication sharedApplication].keyWindow.hidden = YES;
            }
        Option 3: do the same in applicationDidEnterBackground:
            - (void)applicationDidEnterBackground:(UIApplication *)application {
                [UIApplication sharedApplication].keyWindow.hidden = YES;
            }
        In every case set hidden back to NO in applicationDidBecomeActive:, otherwise the app returns from the background showing a blank window.
    44. Disable Other Leakage • Disable the keyboard cache: set the autocorrectionType property to UITextAutocorrectionTypeNo for UITextField • Disable logs: disable NSLog and NSAssert in release builds • Disable keystroke logging and the cut-and-paste buffer for the most sensitive data, to prevent it from being stored in plaintext on the device • Disable insecure HTTP: use NSURLConnection along with connection:canAuthenticateAgainstProtectionSpace:
    45. Use HTTPS and Secure iOS Methods. Protect sensitive data leaving the device using HTTPS / SSL. iOS: do not use NSURL or NSURLConnection on their own; use NSURLConnection with the delegate method connection:canAuthenticateAgainstProtectionSpace: and validate the server trust in connection:didReceiveAuthenticationChallenge:. Syntax:
            - (BOOL)connection:(NSURLConnection *)connection
                canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
        (These NSURLConnection delegate methods were deprecated in iOS 8; NSURLSession's URLSession:didReceiveChallenge:completionHandler: is the current equivalent.)
    46. Use Secure cookie flag
            Set-Cookie: AuthenticatedID=nNTzKhxV10bzwW1vMfZXhqVGxWXh4D8QrkynxV2QMqv2K032WS02!-2076712369; Path=/; Secure
        In Java Servlet 3.0 or newer, use the following in web.xml (this applies to the container's session cookie; cookies the application creates itself need Cookie.setSecure(true)):
            <session-config>
              <cookie-config>
                <secure>true</secure>
              </cookie-config>
            </session-config>
    47. Use Secure Data Storage • Store sensitive data on the server instead of the client device • Delete programmatically: incorporate an application-specific "data kill switch" to allow per-app deletion of the application's sensitive data when needed • Assume that shared storage is untrusted • Only collect and disclose data which is required for the business use of the application
    48. Encrypt Sensitive Data • Data Protection API: set NSFileProtectionKey on an existing file • Keychain: sensitive data like passwords and keys should be stored in the Keychain and not in insecure locations like plist files • CCCrypt (iOS) and the javax.crypto.* package (Android): provide access to AES, DES, 3DES (prefer AES; DES and 3DES are legacy algorithms) • SQLCipher (iOS & Android): transparent 256-bit AES encryption of database files
    49. Ensure Privacy
    50. Strategic Recommendations • Establish a common set of security requirements; perform periodic security scans and audits • Invest in security education for all stakeholders • Perform server side data validation and canonicalization • Define and deploy secure configuration • Do not log credentials, PII and other sensitive data • Design and implement all apps under the assumption that the user's device will be lost or stolen • Review all third-party libraries before use
    51. Agenda: Mobile Platform Risks; Mobile Apps Top 3 Risks; Countermeasures; Mobility in Data Center
    52. Mobility in the Data Center: factoring the Data Center into the secure mobility design equation
    53. IT Cloud Security Stack
    54. You Need to Know Your Data Center. How secure and resilient are your applications?
    55. Cloud Demand. When you add the pressure of mobility, the data center becomes mission critical.
    56. DCOS Capabilities. The Data Center needs visibility, intelligent control and security. Let's consider a day in the life of our 9-digit friend.
    57. DCOS Capabilities: REST-based APIs; dynamic workload shifting; easy SDDC integration; complete integration of the physical, environmental and logical cloud stack layers
    58. Challenge and Opportunity: mobility is challenging the Data Center, but the mobility tools have to be built with strong security design considerations: proximity, location, context, remote kill switch, multi-factor authentication, encryption
    59. Policy Drive Intelligent Control®
    60. Demo
    61. Thank you! Questions? kartik@symosis.com / laboagye@io.com. Ask us about our FREE Mobile Apps Security Service & Training Eval!
