CYA: Mobile app security begins at the server

Don’t take the security of servers and services that support your app’s functionality for granted. Mobile apps are now the client, servers are no less juicy a target, and developers and security practitioners can’t ignore an app’s backend.

NowSecure VP of Risk and Privacy Ted Eull discusses how attackers take advantage of an app's remote infrastructure, and how to cover your apps.


CYA: Mobile app security begins at the server

1. CYA: MOBILE APP SECURITY Begins at the Server
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

2. Connect with us
● On Twitter: @NowSecureMobile
● Website: https://www.nowsecure.com

3. Ted Eull, VP, Risk and Privacy
● Built NowSecure's mobile security and risk assessment practices
● 15+ years in development and information security
● Certified CRISC, GWAPT

4. Contents
● The mobile backend
● Backend security challenges
● Backend security fundamentals
● A five-step plan
● Questions

5. The mobile backend

6. A simplified diagram [figure not reproduced]

7. Various implementations
● Proprietary / on-prem: you provision servers, configure the OS, write the APIs, etc. yourself and host the technology in a datacenter you control or access. Example: your server room.
● Infrastructure-as-a-Service (IaaS): a third party provides physical or virtual servers and essential resources such as network and block storage. You provision the OS and software but don't access or control the hosting environment. Examples: VM instances in EC2, Rackspace.
● Platform-as-a-Service (PaaS): rather than building systems on third-party servers, you use a provided platform such as a database or app-building platform and configure within it. Examples: Google App Engine, Force.com, Azure SQL DB.
● Software-as-a-Service (SaaS): a complete software application that you typically access via REST APIs in addition to web-based access. Examples: Zendesk, Stripe, Salesforce, etc.
Normally a combination of these.

8. One app, many APIs
A single app can have many backend services.

9. Challenges in securing your mobile app's backend

10. Keeping up with the pace of mobile
● Demand for new features to compete
● Short cycles, frequent releases
● New technology with different or fewer security controls (e.g. NoSQL databases)
● Developers retooling their skills to new technology quickly
● Numerous functions and libraries, incorporation of OSS
● Less time for infrastructure review
● Instituting security checkpoints within agile
● Proliferation of micro-services
Consumers want the app yesterday.

11. Mobile API services are web services
● Common misconception: mobile services are more secure by default. They are not.
● Manipulating web traffic in a browser is easier, but with an intercepting proxy mobile APIs can be attacked the same way: injection, fuzzing, and brute force.
● HTTPS (TLS) protects data in transit; it does not stop attacks on the API and does not prove that the client is your app.
● Proxies, web application firewalls and proper server configuration can help repel attacks.
hidden != secure

12. Security responsibilities [figure not reproduced]

13. MBaaS
● MBaaS is a form of PaaS providing API configuration/coding, data object management, data connectors, versioning, access control and more through custom hosted interfaces.
● Offerings range from a simple API builder to a fully featured management system.
● e.g. Appcelerator Arrow, Parse, Firebase, AWS Mobile Hub, Azure Mobile Services
● Key issues
  ○ Assurance of security in the infrastructure
  ○ Provider stability
  ○ Auditability
  ○ Granularity of control
Faster, easier... but secure? It depends.

14. Real world examples involving an insecure backend
● API communications without HTTPS: many apps fail to use TLS on some or all API calls, exposing sensitive data such as user location or personal info (NFL Mobile app, CBS Sports app).
● Instagram bug (delete comments): a 10-year-old from Finland proved he could delete anyone's comments (including Justin Bieber's) and received a $10k bug bounty.
● Trusting input from the mobile app: NowSecure's @0xroot responsibly disclosed that Evernote trusted the app to tell it whether the customer was "premium" or "free", so a modified client could obtain elevated access without paying.
● Improper authentication / session management: a banking app (!!) function let a user change the password without being authenticated.
● User data enumeration (no authentication required): knowing some user info, we could rapidly query the API endpoint and ultimately retrieve the SSN for some accounts.
● Open API for credit card validation: we found an open API endpoint that would validate credit card numbers, with no rate limiting and a credential that was easy to steal.
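The Evernote-style flaw above, as an added example that is not part of the deck: a handler that believes a "premium" flag sent by the app, beside the fixed handler that decides entitlement from the server's own account record. The account table, the request shape and the handler names are constructed for illustration; "user" stands for the identity an earlier authentication step established, not a field the client controls.

```python
import json

# Constructed account records standing in for the backend database.
ACCOUNTS = {
    "alice": {"plan": "free"},
    "bob": {"plan": "premium"},
}


def export_notebook_vulnerable(request):
    """Vulnerable handler: believes the 'premium' flag the app sends.

    A modified app, or anyone with an intercepting proxy, can set
    premium=true and get the paid feature without paying.
    """
    body = json.loads(request["body"])
    if not body.get("premium"):
        return 402, {"error": "premium feature"}
    return 200, {"export": f"notebook for {request['user']}"}


def export_notebook_fixed(request):
    """Fixed handler: the entitlement decision uses only the server-side
    account record of the authenticated user. Whatever the client claims
    about its plan is never read.
    """
    account = ACCOUNTS.get(request["user"])
    if account is None:
        return 401, {"error": "unknown account"}
    if account["plan"] != "premium":
        return 402, {"error": "premium feature"}
    return 200, {"export": f"notebook for {request['user']}"}


def forged_request(user):
    """Constructed request as a tampered app would send it: the caller
    claims to be premium regardless of what the account says.
    """
    return {"user": user, "body": json.dumps({"premium": True})}


if __name__ == "__main__":
    print(export_notebook_vulnerable(forged_request("alice")))  # 200: the flaw
    print(export_notebook_fixed(forged_request("alice")))       # 402
    print(export_notebook_fixed(forged_request("bob")))         # 200
```

The fixed version is also the only one whose behaviour cannot be changed by recompiling the app: the check depends on data the client never sees.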
15. Security fundamentals for your mobile backend

16. Proven security techniques
Secure backend systems with these well-known infosec techniques:
● Limit access
● Harden servers
● Update software
● Monitor and log
● Develop securely*
● Hack yourself
*Easier said than done, but you have to try.

17. Limit access
● Require secure administrative connections (VPN + SSH)
● Use firewall rules to control connections
● Use strong multi-factor authentication
● No apps running as root
● Do your developers have access to production?
● Physical access still matters
Least privilege for all!

18. Harden servers + update software
● Use a standard, minimal build OS
  ○ Only the services necessary to support the app(s)
  ○ Commercially supported, e.g. Windows, RHEL
  ○ IaaS-provided, e.g. Amazon Linux AMI
  ○ Security-optimized, e.g. BSD
● Watch for CVEs or alerts for high-risk vulnerabilities
  ○ Heartbleed, Shellshock, OpenSSL
  ○ Patch quickly, then fix what breaks
  ○ Don't confuse antivirus with vulnerability protection
Windows Server 2003 standard install? Not so much.

19. Monitor and log
● Log and monitor access requests to all APIs
  ○ Watch all access attempts for brute-force and lateral-movement patterns
  ○ Deploy risk-based access controls that change how a request is handled when it looks anomalous (e.g. step-up authentication or denial)
● API rate limits ("throttling")
  ○ Bound how often each client can call the services behind the app
  ○ Provide control over the allocation of server-side resources
  ○ Slow brute force, account harvesting (user enumeration), and replay attacks to a crawl
● Log and monitor all connected systems for suspicious activity
Is anyone watching this API?
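What "watching the API" and "throttling" look like in code, as an added example that is not from the deck: a few constructed access-log lines, detection passes for login brute force and sequential-ID enumeration, and a sliding-window limiter replayed over the same lines to see what a rate-limit policy would have refused. The log format, endpoint paths and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed API access log: "<unix_ts> <client_ip> <method> <path> <status>".
SAMPLE_LOG = """\
1000 203.0.113.5 POST /api/v1/login 401
1001 203.0.113.5 POST /api/v1/login 401
1002 203.0.113.5 POST /api/v1/login 401
1003 203.0.113.5 POST /api/v1/login 401
1004 203.0.113.5 POST /api/v1/login 401
1005 203.0.113.5 POST /api/v1/login 200
1010 198.51.100.7 POST /api/v1/login 401
1100 198.51.100.7 POST /api/v1/login 200
1200 203.0.113.9 GET /api/v1/users/1001 200
1201 203.0.113.9 GET /api/v1/users/1002 200
1202 203.0.113.9 GET /api/v1/users/1003 200
1203 203.0.113.9 GET /api/v1/users/1004 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"], rec["status"] = int(rec["ts"]), int(rec["status"])
            yield rec


class SlidingWindowLimiter:
    """At most `limit` requests per `window` seconds for each key
    (client IP, account, API key, ...)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()                      # forget hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def find_login_bruteforce(text, threshold=5, window=60):
    """Flag IPs with >= threshold failed logins inside any `window` seconds.
    Returns {ip: failures seen in the worst window}."""
    failures, flagged = defaultdict(deque), {}
    for rec in parse_log(text):
        if rec["path"] != "/api/v1/login" or rec["status"] != 401:
            continue
        q = failures[rec["ip"]]
        q.append(rec["ts"])
        while q and q[0] <= rec["ts"] - window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def find_id_enumeration(text, threshold=3):
    """Flag IPs walking consecutive object IDs under /api/v1/users/."""
    seen = defaultdict(list)
    for rec in parse_log(text):
        m = re.match(r"^/api/v1/users/(\d+)$", rec["path"])
        if m:
            seen[rec["ip"]].append(int(m.group(1)))
    return {ip: ids for ip, ids in seen.items()
            if len(ids) >= threshold and all(b - a == 1 for a, b in zip(ids, ids[1:]))}


def simulate_throttle(text, limit=3, window=60):
    """Replay the log through the limiter on the login endpoint and return
    how many requests per IP the policy would have refused."""
    limiter, refused = SlidingWindowLimiter(limit, window), defaultdict(int)
    for rec in parse_log(text):
        if rec["path"] == "/api/v1/login" and not limiter.allow(rec["ip"], rec["ts"]):
            refused[rec["ip"]] += 1
    return dict(refused)


if __name__ == "__main__":
    print(find_login_bruteforce(SAMPLE_LOG))   # {'203.0.113.5': 5}
    print(find_id_enumeration(SAMPLE_LOG))     # {'203.0.113.9': [1001, 1002, 1003, 1004]}
    print(simulate_throttle(SAMPLE_LOG))       # {'203.0.113.5': 3}
```

Note what the log shows that the limiter alone would not: 203.0.113.5 succeeds on the sixth attempt, so the detection output is a lead for incident response (a likely compromised account), not only a throttling event.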
20. Hack yourself
● Perform vulnerability scanning and penetration testing of the backend infrastructure
● Automate the basic checks (e.g. patch level, configuration)
● Red team testing to emulate malicious actors
● Use a third party to avoid internal conflicts
  ○ Vet credentials and references
  ○ Require detailed reporting, replication steps and a risk rating (CVSS)
Before they do.

21. Develop securely
● Hire, design, build, test, deploy and iterate with security in mind
● Evaluate threats, create "misuse cases"
● Build security-focused test cases for QA
● Test iteratively with builds/releases
● Pay special attention to authentication, session management, input validation and sensitive transactions
● Train architects, developers, and QA on security
Agile and a secure SDLC are not enemies.

22. Secure authentication + session management
● Secure authentication (see OWASP)
  ○ Avoid outmoded or custom implementations; limit attempts, add a second factor
  ○ Prevent use of API services by unknown/untrusted devices (device registration step)
● Use session-based authentication
  ○ Avoid storing passwords on the device by using token-based authentication (OpenID, OAuth2, SAML, JWT)
  ○ Use TLS (https) and ensure access tokens are stored securely on the device
  ○ Send the session token in a header or POST body, not in a GET query string; the same goes for an API key (POST body argument or secure cookie)
  ○ DO NOT include sensitive information in the URL (URLs end up in logs, proxies and browser history)
● Prevent CSRF, XSS and replay attacks
  ○ Proper authentication on all API endpoints
  ○ Server-side session termination: logout must invalidate the token on the server, not just delete it on the device
● Make security decisions on the server side (!)
Welcome to our API, two forms of ID please.
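The session-based scheme above in working form, as an added example that is not part of the deck: passwords are verified against a salted PBKDF2 hash and never leave the login step; the device receives only an opaque random token that the server keeps in its own session table with an expiry; the token is accepted from the Authorization header only, never from the query string; and logout kills the session server-side. The in-memory stores, request shape and helper names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the user database and the
# server-side session table.
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # opaque token -> {"user": str, "expires": int}

_DUMMY_SALT = b"\x00" * 16


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256: deliberately slow so a dumped table is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def login(username, password, now, ttl=900):
    """Verify credentials and return an opaque session token, or None.

    The hash is computed even for unknown usernames so that response time
    does not reveal which accounts exist (user enumeration by timing).
    """
    rec = USERS.get(username)
    candidate = _hash_password(password, rec["salt"] if rec else _DUMMY_SALT)
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)            # 256 random bits, unguessable
    SESSIONS[token] = {"user": username, "expires": now + ttl}
    return token


def authenticate(request, now):
    """Return the username for a valid session, else None.

    request = {"headers": {...}, "query": {...}} (constructed shape).
    A token in the query string is refused outright: URLs land in server
    logs, proxies and crash reports, so a token there is already leaked.
    """
    if "token" in request.get("query", {}):
        return None
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if now >= sess["expires"]:
        SESSIONS.pop(token, None)                # expired: discard server-side
        return None
    return sess["user"]


def logout(token):
    """Server-side termination: the token is dead even if the device keeps it."""
    SESSIONS.pop(token, None)


def bearer(token):
    """Build a request carrying the token the recommended way (header)."""
    return {"headers": {"Authorization": "Bearer " + token}, "query": {}}


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    t = login("alice", "correct horse battery staple", now=1000)
    print(authenticate(bearer(t), now=1500))                           # alice
    print(authenticate({"headers": {}, "query": {"token": t}}, now=1500))  # None
    logout(t)
    print(authenticate(bearer(t), now=1500))                           # None
```

Because the session state lives on the server, a stolen token can be revoked, and the expiry cannot be extended by anything the client does; a self-contained token such as a JWT needs a server-side revocation list to get the same property.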
23. Input validation
● Treat calls from the mobile app as untrusted
  ○ Validate the request Content-Type and the response type the client accepts
  ○ Ensure the security of every content source the app pulls from
  ○ Assume a malicious party can replace any content going to the server, even inside an authenticated session
  ○ Use message signatures for stronger validation
● Sanitize user input
  ○ Client-side checks are fine for efficiency, but the server must check again
  ○ Watch especially: files/images, URLs, XML, JSON, blobs
  ○ Implement secure parsing to avoid deserialization vulnerabilities
Don't trust your own app (HTTP://XKCD.COM/327/)
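Server-side validation of one JSON endpoint, as an added example that is not from the deck: it checks the Content-Type, caps the body size, verifies an HMAC message signature over the exact bytes received, parses with json (never pickle or similar object-constructing deserializers), and then enforces an exact field set with types and ranges so that an extra field such as "premium" is rejected rather than silently accepted. The endpoint schema, header names and the shared secret are assumptions; in practice the secret would be issued per device at a registration step, and even then a signature only raises the bar, since anything embedded in the app can be extracted.

```python
import hashlib
import hmac
import json

# Constructed: stands in for a per-device secret issued at registration.
APP_SECRET = b"constructed-per-device-secret"
MAX_BODY_BYTES = 64 * 1024
MAX_TITLE_LEN = 200

# Exact set of fields the endpoint accepts, with the required type of each.
NOTE_SCHEMA = {"note_id": int, "title": str, "tags": list}


class InvalidRequest(Exception):
    pass


def sign_body(body: bytes, secret: bytes = APP_SECRET) -> str:
    """Client side: HMAC-SHA256 over the exact bytes that will be sent."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def validate_note_request(headers: dict, body: bytes, secret: bytes = APP_SECRET) -> dict:
    """Server side: accept only what the endpoint expects, reject the rest.

    Raises InvalidRequest with a short reason; returns the parsed dict.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        raise InvalidRequest("content-type")
    if len(body) > MAX_BODY_BYTES:
        raise InvalidRequest("too large")
    expected = sign_body(body, secret)
    sig = headers.get("X-Signature", "")
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        raise InvalidRequest("bad signature")   # unsigned, or body altered in transit
    try:
        # json only: parsing never instantiates arbitrary objects from input.
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise InvalidRequest("malformed json")
    if not isinstance(data, dict) or set(data) != set(NOTE_SCHEMA):
        raise InvalidRequest("unexpected fields")   # missing or extra keys
    for field, ftype in NOTE_SCHEMA.items():
        if type(data[field]) is not ftype:           # exact type: bool is not int
            raise InvalidRequest(f"type of {field}")
    if data["note_id"] < 0 or len(data["title"]) > MAX_TITLE_LEN:
        raise InvalidRequest("range")
    if not all(isinstance(t, str) and 0 < len(t) <= 32 for t in data["tags"]):
        raise InvalidRequest("tags")
    return data


def good_request():
    """Constructed well-formed request as the genuine app would send it."""
    body = json.dumps({"note_id": 42, "title": "groceries", "tags": ["home"]}).encode()
    return {"Content-Type": "application/json; charset=utf-8",
            "X-Signature": sign_body(body)}, body


def signed(payload: dict):
    """Constructed request for an arbitrary payload (attacker with the secret)."""
    body = json.dumps(payload).encode()
    return {"Content-Type": "application/json", "X-Signature": sign_body(body)}, body


def check(headers, body):
    """Return the rejection reason, or None if the request is accepted."""
    try:
        validate_note_request(headers, body)
        return None
    except InvalidRequest as e:
        return str(e)


if __name__ == "__main__":
    h, b = good_request()
    print(check(h, b))                                     # None (accepted)
    print(check(h, b.replace(b"42", b"43")))               # bad signature
    print(check(*signed({"note_id": 42, "title": "x", "tags": [], "premium": True})))  # unexpected fields
```

The order of the checks matters: size and signature are verified before the body is parsed, so an attacker cannot reach the parser, the most complex piece of code on the path, with unsigned or oversized input.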
24. About agile + devops
● Expect upfront challenges when introducing security controls into agile
● DevOps processes and tools can help with security checkpoints and standard environments
● Key change: breaking down the walls between security and development
Don't hate the process, hate the flaw.
"I have seen productivity gains of 15% and greater when preventative and detective security controls are embedded in the development process" (Jim Routh, CSO, Aetna, SearchSecurity interview)

25. Resources
● CERT Top 10 Secure Coding Practices
● SAFECode Practical Security Stories and Tasks for Agile Development Environments
● OWASP REST Security Cheat Sheet
● OWASP Application Security Verification Standard
● NowSecure Secure Mobile Development Best Practices

26. A five-step plan

27. Five-step plan to secure the mobile backend (there are far more complicated ones available, if you want...)
1. Establish ownership + key roles
2. Document architecture
3. Analyze risk + requirements
4. Assess security
5. Remediate + repeat

28. Key steps and questions: the nitty gritty
1. Establish ownership + key roles
  a. Who represents business, security, network admin, dev?
  b. Authority to test and to mandate changes
2. Document architecture
  a. Include third-party systems
  b. GSD (getting it done) beats perfection
3. Analyze risk + requirements
  a. What data are we handling?
  b. What policies or regulations do we need to comply with? (PCI-DSS, FFIEC, FERC, HIPAA)
4. Assess security
  a. Begin with a vulnerability scan at minimum
  b. Target higher-risk functions/features
  c. Rate issues for severity, prioritize
5. Remediate + repeat
  a. Add security findings to issue tracking
  b. Escalate where necessary
  c. Communicate results and metrics
  d. Automate scanning and configuration checks
  e. Regular log/alert monitoring?
  f. Security training for the dev team

29. On PaaS, IaaS and SaaS
● Advantages of a more outsourced backend:
  ○ Dedicated infrastructure personnel
  ○ Purpose-built systems
  ○ Isolation from other business systems
  ○ DoS resistance, resiliency
● Disadvantages: XaaS may not protect you from:
  ○ Compromised admin credentials
  ○ Flawed API logic
  ○ Data flows to another system
  ○ Regulatory problems
  ○ CVEs in the server software you run on the provider's platform
  ○ Reduced control and visibility
It's a cloud world, we're just living in it.

30. Questions?
teull@nowsecure.com, +1 312.878.1100, @tedtalks2
Read more on securing your mobile apps' backend, and secure mobile development in general, in our Secure Mobile Development Best Practices: https://www.nowsecure.com/resources/secure-mobile-development/
