
Mobile Threats and Owasp Top 10 Risks


In this session, the focus will be on OWASP Top 10 mobile risks and prevention tips. Hackers’ exploitation of these most common mobile vulnerabilities will be demonstrated in the session.



  1. Mobile Threats and OWASP Mobile Top 10 Risks
  2. About Me
     - Founder & CEO of SecurBay Services Pvt. Ltd.
       - Past: MIEL, Opus Software, Digite, HDFC Bank, Standard Chartered Bank
       - Conferences: ISACA, c0c0n
       - Trainings/Workshops: Application Security
     - Founder & Editor of SecurityCrunch
       - Online daily newsletter covering information security topics
       - Free subscription
       - Readership across 30+ countries
     (© SecurBay 2012)
  3. Agenda
     - Introduction
     - Mobile Apps
     - Mobile Threatscape
     - OWASP Mobile Top 10 Risks
     - Mobile Controls
     - Questions
  4. Mobile = Me: ROTI, KAPDA, MAKAN (food, clothing, shelter) … and a mobile device
  5. There is an App for that …
  9. Rise of the Apps
     - 1 million mobile apps
     - $15 billion of income from app sales in 2011*
     - 30 billion app downloads from app marketplaces*
     - *Source: Gartner
  10. Types of Mobile Apps
     - Native apps
       - Objective-C on the iPhone or Java on Android devices
       - Use all the phone's features, such as the camera, geolocation and the user's address book
       - E.g. messaging, telephony, multimedia
     - Web apps
       - Run in the phone's browser
       - The same base code can support all devices, including iPhone and Android
       - E.g. mobile banking, reservation systems
     - Hybrid solutions
       - A hybrid app is a native app with embedded HTML
       - E.g. Facebook, Google Chat, shopping apps
  11. Mobile Apps vs Traditional Web Apps

      | Aspect              | Web Apps                        | Mobile Apps                    |
      |---------------------|---------------------------------|--------------------------------|
      | Distribution        | Direct access                   | Marketplace                    |
      | Database            | Server side                     | Local storage                  |
      | Reverse engineering | Difficult                       | Possible                       |
      | Privacy issues      | Limited access to personal data | Direct access to personal data |

  12. Mobile Threat Model
     - The mobile threat model is similar to the web app threat model, but:
       - Platforms vary substantially
       - External dependencies are completely out of your control
       - It's more than just apps: cloud/network integration and device platform considerations
  13. Mobile Threat Model (diagram): trust boundaries between backend systems, apps, the OS and the hardware
  14. Concern Areas

      | Area              | Concerns                                  |
      |-------------------|-------------------------------------------|
      | Data specific     | Data at rest, data in use, data in motion |
      | Platform specific | Operating system patches, malware         |
      | App specific      | Coding vulnerabilities                    |

  15. Testing the Security of Mobile Applications

      | Type of analysis  | Activities                                                                    |
      |-------------------|-------------------------------------------------------------------------------|
      | Static analysis   | Source code: scanning, manual source code review; binary: reverse engineering |
      | Dynamic analysis  | Debugger execution, traffic capture via proxy                                 |
      | Forensic analysis | File permission analysis, file content analysis                               |

  16. Mobile Testing: mobile emulators
  17. Testing Tools
     - Rooted device or rooted emulator
     - ADB (Android Debug Bridge)
     - Wireshark, Burp Proxy
     - SQLite Editor, DroidSheep
     - APKTOOL, Agnitio, JD-GUI (a utility that displays the Java source code of ".class" files)
  18. What is rooting?
     - Rooting is the term for gaining access to the root (admin) account of a device
     - The rooting method depends on the make of the mobile device
  19. Testing Apps (images; sources: OWASP, McAfee)
  20. Rooting: why shouldn't I?
     - Rooting voids the device warranty
     - If wrongly done, you may end up with a bricked phone in your hand
     - A rooted device is easier to infect with viruses and malware
  21. OWASP Mobile Top 10 Risks (source: OWASP)
     - M1 – Insecure Data Storage
     - M2 – Weak Server Side Controls
     - M3 – Insufficient Transport Layer Protection
     - M4 – Client Side Injection
     - M5 – Poor Authorization and Authentication
     - M6 – Improper Session Handling
     - M7 – Security Decisions Via Untrusted Inputs
     - M8 – Side Channel Data Leakage
     - M9 – Broken Cryptography
     - M10 – Sensitive Information Disclosure
  22. M1 – Insecure Data Storage
     - Data stored unprotected, so that it can be accessed by an unauthorized application or person
     - Happens due to:
       - Data stored unencrypted
       - Caching of data
       - Global or weak permissions
       - Ignorance of platform-specific best practices
  23. DEMO
  24. iPhone App – Path steps on a privacy landmine
     - The Path app was sending users' contact details to its servers
     - Path CEO: "We screwed up by uploading your personal data, and we've erased it!!!"
  25. M1 – Insecure Data Storage
     - Impact
       - Confidentiality of data lost
       - Credentials disclosed
       - Privacy violations
       - Non-compliance
     - Prevention Tips
       - Store ONLY what is absolutely required
       - Never use public storage areas (e.g. the SD card)
       - Leverage secure containers and platform-provided file encryption APIs
       - Do not grant files world-readable or world-writable permissions
  26. M2 – Weak Server Side Controls
     - Applies to the backend services
     - Happens due to:
       - Insecure backend APIs and platforms
     - Impact
       - Confidentiality of data lost
       - Integrity of data not trusted
  27. M2 – Weak Server Side Controls
     - Prevention Tips
       - OWASP Web Top 10, Cloud Top 10, Web Services Top 10
       - Cheat sheets, development guides, ESAPI
  28. M3 – Insufficient Transport Layer Protection
     - Lack of encryption for transmitted data
     - Happens due to:
       - Weakly encrypted data in transit
       - No encryption at all
     - Remember this?
  29. DEMO
  30. M3 – Insufficient Transport Layer Protection
     - Impact
       - Man-in-the-middle attacks
       - Tampering with wireless data in transit
       - Confidentiality of data lost
     - Prevention Tips
       - Ensure that all sensitive data leaving the device is encrypted
       - This includes data over carrier networks, WiFi and even NFC (Near Field Communication)
       - Do not ignore security exception warnings
  31. M4 – Client Side Injection
     - Apps using browser libraries
       - Pure web apps
       - Hybrid web/native apps
  32. DEMO
  33. M4 – Client Side Injection
     - Impact
       - Device compromise
       - Toll fraud
       - Privilege escalation
     - Prevention Tips
       - Sanitize or escape untrusted data before rendering or executing it
       - Use parameterized statements for database calls
  34. M5 – Poor Authorization and Authentication
     - Some apps rely solely on immutable, potentially compromised values (IMEI, IMSI, UUID)
     - E.g. a changed application would no longer ask for authentication
  35. M5 – Poor Authorization and Authentication
     - Impact
       - Unauthorized access
       - Privilege escalation
     - Prevention Tips
       - Never use the device ID or subscriber ID as the sole authenticator
       - Contextual info can enhance things, but only as part of a multi-factor implementation
  36. M6 – Improper Session Handling
     - Mobile app session time is generally longer, for convenience and usability
     - Apps maintain sessions via
       - HTTP cookies
       - OAuth tokens
       - SSO authentication services
     - Demo: Facebook session captured & browsed
  37. DEMO
  38. M6 – Improper Session Handling
     - Impact
       - Privilege escalation
       - Unauthorized access
       - Circumvention of licensing and payments
     - Prevention Tips
       - Re-authenticate users after a fixed idle time
       - Ensure that tokens can be revoked quickly in the event of a lost/stolen device
  39. M7 – Security Decisions Via Untrusted Inputs
     - Change in the application's security permission set in the AndroidManifest.xml file
     - May happen due to:
       - Malware
       - Client side injection
  40. DEMO
  41. M7 – Security Decisions Via Untrusted Inputs
     - Impact
       - Can be leveraged to bypass permissions and security models
     - Prevention Tips
       - Check the caller's permissions at input boundaries
       - Prompt the user for additional authorization before allowing the action
       - Where permission checks cannot be performed, ensure additional steps are required to launch sensitive actions
  42. M8 – Side Channel Data Leakage
     - A mix of not disabling platform features and programmatic flaws
     - Sensitive data resides in unintended places
       - Web caches
       - Keystroke logging
       - Screenshots (e.g. iOS backgrounding)
       - Logs (system, crash)
       - Temp directories
     - Understand what 3rd party libraries are doing with user data (ad networks, analytics)
  43. M8 – Side Channel Data Leakage
     - Impact
       - Data retained indefinitely
       - Privacy violations
     - Prevention Tips
       - Never log credentials or other sensitive data to system logs
       - Remove sensitive data before screenshots are taken
       - Carefully review any third party libraries you introduce and the data they consume
       - Test your applications across as many platform versions as possible
  44. M9 – Broken Cryptography
     - Two primary categories
       - Broken implementations using strong crypto libraries
       - Custom, easily defeated cryptography
  45. M9 – Broken Cryptography
     - Impact
       - Confidentiality of data lost
       - Privilege escalation
       - Circumvention of business logic
     - Prevention Tips
       - Storing the key with the encrypted data defeats everything
       - Leverage battle-tested crypto libraries instead of writing your own
       - Leverage platform features
  46. M10 – Sensitive Information Disclosure
     - Apps can be reverse engineered with relative ease
     - Application logging
  47. DEMO
  48. M10 – Sensitive Information Disclosure
     - Impact
       - Credentials disclosed
       - Intellectual property exposed
     - Prevention Tips
       - Keep proprietary and sensitive business logic on the server
       - Never hardcode a password in the application binary
  49. Best Practices
  50. Top 10 mobile controls and design principles
     1. Identify and protect sensitive data on the mobile device
     2. Handle password credentials securely on the device
     3. Ensure sensitive data is protected in transit
     4. Implement user authentication/authorization and session management correctly
     5. Keep the backend APIs (services) and the platform (server) secure
  51. Top 10 mobile controls and design principles (continued)
     6. Perform data integration with third party services/applications securely
     7. Pay specific attention to the collection and storage of consent for the collection and use of the user's data
     8. Implement controls to prevent unauthorised access to paid-for resources (wallet, SMS, phone calls etc.)
     9. Ensure secure distribution/provisioning of mobile applications
     10. Carefully check any runtime interpretation of code for errors
  52. References
     - OWASP Mobile Top Ten Risks (ect#Top_Ten_Mobile_Risks)
     - OWASP Top Ten Mobile Controls (ect#Top_Ten_Mobile_Controls)
     - OWASP GoatDroid Project (ect#OWASP_GoatDroid_Project)
  53. Questions
  54. Thank you, ISACA! @satamsantosh
  55. Innovative Solutions & Services
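The "file permission analysis" step of slide 15 and the M1 tip on slide 25 (no world-readable or world-writable files) can be checked from a rooted device or emulator by inspecting the app's private data directory. The following Python script is an added example, not part of the deck: it parses `adb shell ls -lR` output and flags every entry another UID could read or write. The listing, the package name and the UID are constructed.

```python
"""Flag world-accessible files in an Android app's private data directory.

Added example: parses `ls -lR` output as captured via `adb shell`; the
sample listing below is constructed, not taken from a real device.
"""
import re
from typing import List, Tuple

# Constructed output of:  adb shell ls -lR /data/data/com.example.bank/
SAMPLE_LISTING = """\
drwxrwx--x u0_a55 u0_a55          2012-06-01 09:12 databases
-rw-rw-rw- u0_a55 u0_a55     8192 2012-06-01 09:12 databases/accounts.db
-rw------- u0_a55 u0_a55      512 2012-06-01 09:12 databases/accounts.db-journal
-rw-r--r-- u0_a55 u0_a55     1024 2012-06-01 09:13 shared_prefs/login.xml
-rw------- u0_a55 u0_a55      256 2012-06-01 09:13 shared_prefs/settings.xml
lrwxrwxrwx root   root                2012-06-01 09:10 lib -> /data/app-lib/com.example.bank
"""

# type char + 9 permission chars (setuid/setgid/sticky letters allowed)
MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}$")


def classify_mode(mode: str) -> List[str]:
    """Return the M1-relevant problems implied by a 10-char mode string."""
    issues = []
    if mode[0] == "l":            # symlink bits are meaningless; check the target instead
        return issues
    if mode[7] == "r":            # 'other' read bit
        issues.append("world-readable")
    if mode[8] == "w":            # 'other' write bit
        issues.append("world-writable")
    return issues


def find_world_accessible(listing: str) -> List[Tuple[str, str]]:
    """Return (path, issue) for every entry another UID could read or write."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts or not MODE_RE.match(parts[0]):
            continue              # skip headers, totals and blank lines
        # the name is the last field; for symlinks take the link name, not its target
        name = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        for issue in classify_mode(parts[0]):
            findings.append((name, issue))
    return findings


if __name__ == "__main__":
    for path, issue in find_world_accessible(SAMPLE_LISTING):
        print(f"{issue:15s} {path}")
```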
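The two M6 prevention tips on slide 38 (re-authenticate after a fixed idle time; revoke tokens quickly when a device is lost) are server-side properties of the session store. This Python class is an added example, not code from the deck: it binds each opaque token to a user and a device, expires it on inactivity and lets every session of a given device be killed at once. The class name, the 15-minute idle limit and the device identifiers are assumptions.

```python
"""Server-side session store with idle timeout and per-device revocation.

Added example for the M6 prevention tips; the API names and the
15-minute idle limit are assumptions, not taken from the deck.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

IDLE_LIMIT_SECONDS = 15 * 60   # assumed policy: re-authenticate after 15 idle minutes


class SessionStore:
    def __init__(self, idle_limit: int = IDLE_LIMIT_SECONDS):
        self.idle_limit = idle_limit
        # token -> (user, device_id, last_seen); tokens are opaque random values,
        # never derived from IMEI/IMSI/UUID (see M5)
        self._sessions: Dict[str, Tuple[str, str, float]] = {}

    def create(self, user: str, device_id: str, now: float) -> str:
        """Issue a fresh token after the user has authenticated."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, device_id, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live token; None if unknown, revoked or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, device_id, last_seen = entry
        if now - last_seen > self.idle_limit:
            del self._sessions[token]              # idle timeout forces re-authentication
            return None
        self._sessions[token] = (user, device_id, now)   # sliding idle window
        return user

    def revoke_device(self, user: str, device_id: str) -> int:
        """Kill every session bound to a lost or stolen device; returns the count."""
        doomed = [t for t, (u, d, _) in self._sessions.items()
                  if u == user and d == device_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    tok = store.create("alice", "phone-1", t0)
    print(store.validate(tok, t0 + 60))             # alice
    print(store.validate(tok, t0 + 60 + 16 * 60))   # None: idle too long
```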
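Slides 43 and 48 both point at decompiled source: never log credentials (M8) and never hardcode a password in the binary (M10). The following Python script is an added example, not the deck's own material; it runs two review patterns over the kind of output JD-GUI or apktool produce. The Java excerpt and its identifiers are constructed, and the patterns are a starting point for manual review, not a proof of absence.

```python
"""Scan decompiled Android source for two deck findings: hard-coded
credentials (M10) and sensitive values written to the system log (M8).

Added example; the Java excerpt below is constructed.
"""
import re
from typing import List, Tuple

# Constructed excerpt resembling JD-GUI output for a login class.
DECOMPILED_JAVA = """\
public class LoginActivity {
    private static final String API_KEY = "EXAMPLE-API-KEY-0000";
    private static final String DB_PASSWORD = "s3cr3t!";
    private static final String TAG = "Login";
    void doLogin(String user, String password) {
        Log.d(TAG, "logging in " + user + " with " + password);
        Log.i(TAG, "login started");
        String token = auth(user, password);
    }
}
"""

# identifier fragments that usually name a secret
SECRET_NAME = r"(pass(word|wd)?|secret|api[_-]?key|token)"
# a String whose name looks secret and is initialised from a literal
HARDCODED_RE = re.compile(
    r"String\s+\w*" + SECRET_NAME + r"\w*\s*=\s*\"[^\"]+\"", re.IGNORECASE)
# an android.util.Log call whose arguments mention a secret-looking name
LOG_RE = re.compile(r"\bLog\.[vdiwe]\(.*" + SECRET_NAME, re.IGNORECASE)


def scan_source(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, risk, line) for each line matching a pattern."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        if HARDCODED_RE.search(line):
            findings.append((no, "M10 hard-coded credential", line.strip()))
        elif LOG_RE.search(line):
            findings.append((no, "M8 sensitive data logged", line.strip()))
    return findings


if __name__ == "__main__":
    for no, risk, line in scan_source(DECOMPILED_JAVA):
        print(f"line {no}: {risk}: {line}")
```

Passing a secret as a variable (`String token = auth(...)`) is deliberately not flagged; only literals and log statements are.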