Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
this is a short awareness talk in one of OWASP MEETUP sessions in University Kuala Lumpur, Malaysia, discussing about Android application penetration testing and how to discover potential vulnerabilities

1. The OWASP Foundation, http://www.owasp.org. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Meetup Q3 2015, University Kuala Lumpur, Malaysia, 14 Sep 2015. Top 10 Android Mobile Security Issues. Sina Manavi, KAAPAGAM TECHNOLOGY.
2. Outline
• About
• Mobile OS
• Android OS
• Android Applications
• Top 10 Vulnerabilities
3. About OWASP
• The Open Web Application Security Project is a worldwide non-profit organization focusing on application security (web/mobile).
• Why I like OWASP:
• Knowledge is free for everyone: learn together, grow together.
• Innovation: you can share your knowledge, ideas and projects and contribute together.
• Globally accessible to everyone; not limited to a specific country or region.
• Many expert participants sharing their knowledge for free.
4. $WHOAMI
• Sina Manavi
• BSc Software Engineering, Azad University, Iran
• MSc Computer Security, University Putra Malaysia
• C|EH & C|HFI
• Penetration Tester and Security Consultant at KAAPAGAM TECH
• Professional security trainer; has worked with:
• EC Council Malaysia
• Condition Zebra
• KAAPAGAM ACADEMY
5. Mobile OS (market-share chart). Source: http://www.idc.com/prodserv/smartphone-os-market-share.jsp
6. Why Android?
7. An Android application is no longer just a mobile application. You can do much more than send texts, make calls or take photos.
8. Android OS Architecture (diagram)
9. Android Applications
10. When there is an app:
• there is a developer;
• therefore, there are potential vulnerabilities.
11. Do you need a mobile application for your business?
12. Mobile apps can add value to a business.
13. Mobile apps can ruin a business.
14. Android Application Blocks (the four component types)
• Content Provider
• Services
• Activity
• Broadcast Receiver
15. Mobile App Security
• Static analysis: reverse engineering tools and techniques (dex2jar, JD-GUI).
• Dynamic analysis: passive and active network analysis; checking whether traffic is actually protected by SSL/TLS. Tools: Wireshark and Burp Suite.
16. Mobile App Security
• Code context analysis
• Forensic analysis
• Timeline analysis
• File analysis: databases, log files, shared preferences, caches.
17. Top 10 Risks
18. Top 10 Android Vulnerabilities (the OWASP Mobile Top 10, 2014 edition)
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
19. M1: Weak Server Side Controls
• Developers should not rely on checks done in the client; server-side controls must be implemented and enforced on their own.
• Weak or missing server-side input validation.
• XSS, SQL injection, unauthorized access to other resources.
20. M7: Client Side Injection
• Executing malicious code inside the application.
• XSS (in WebViews), SQL injection (against the app's local SQLite databases).
• Path traversal.
21. M8: Security Decisions Via Untrusted Inputs
• Proper error handling.
• Input sanitizing (client side and server side).
• As with web applications, weak error handling can cause data leakage.
22. M2: Insecure Data Storage
• Storing sensitive information on the device.
• Storing information in plain text.
• Shared preferences.
• Encryption with a hardcoded key.
• Higher risk on rooted phones, where other processes can read the app's private directory.
23. M3: Insufficient Transport Layer Protection
• Transferring credentials in plain text over the network.
• Weak encryption algorithms or cipher suites.
• MITM attacks.
24. M5: Poor Authorization and Authentication
• Reverse engineers and crackers can easily convert an APK back into source code.
• Checking the user's authentication on the client side rather than the server side: the user can read the check in the recovered source and patch it out.
• The authentication mechanism must be enforced on the server side.
25. M4: Unintended Data Leakage
• Closely related to M2 (Insecure Data Storage), but easier to exploit: the data ends up in places the developer never chose.
• Clipboards, browser cookies, or URL caches.
• Caching of browser content or other sensitive information.
26. M6: Broken Cryptography
• Storing/transferring credentials with weak encryption algorithms.
• Hardcoded keys or home-grown encryption methods.
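The checks a pentester runs for M2 and M6 after pulling an app's files and decompiling it, as an added example that is not part of the talk: it scans a shared_prefs XML for sensitive entries that are plain text or merely base64-encoded, and scans recovered Java source for hardcoded keys and IVs, ECB mode and weak ciphers. The package, preference names, values and Java fragment below are constructed for illustration.

```python
"""Static checks for OWASP Mobile M2 (insecure storage) and M6 (broken
cryptography) on files pulled from an app. Added example, not code from
the talk; the shared_prefs XML and decompiled Java below are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed: /data/data/<pkg>/shared_prefs/user.xml as pulled from a rooted
# device or emulator (package, names and values are hypothetical).
SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">cGFzc3dvcmQxMjM=</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.abc</string>
    <boolean name="dark_mode" value="true" />
    <string name="pin">1234</string>
</map>
"""

# Constructed: a fragment of what dex2jar + JD-GUI recover from the APK, with
# a key and IV hardcoded as string constants, ECB mode and a DES cipher.
DECOMPILED_JAVA = """
public class CryptoHelper {
    private static final String KEY = "S3cr3tK3y1234567";
    public static byte[] enc(byte[] data) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes(), "AES");
        IvParameterSpec iv = new IvParameterSpec("0000000000000000".getBytes());
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        Cipher legacy = Cipher.getInstance("DES");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(data);
    }
}
"""

SENSITIVE_NAME = re.compile(r"pass|pwd|pin|token|secret|key|auth|session|card", re.I)
B64_CHARS = re.compile(r"[A-Za-z0-9+/]+=*")


def decode_if_base64(value):
    """Return the decoded text if value is base64 of printable text, else None.
    Base64 is encoding, not encryption: the secret is one decode away."""
    if not value or len(value) % 4 or not B64_CHARS.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def scan_shared_prefs(xml_text):
    """Return (name, finding) pairs for preference entries with sensitive names."""
    findings = []
    for entry in ET.fromstring(xml_text):
        name = entry.get("name", "")
        if not SENSITIVE_NAME.search(name):
            continue
        value = entry.text if entry.tag == "string" else entry.get("value", "")
        decoded = decode_if_base64(value or "")
        if decoded is not None:
            findings.append((name, f"base64-encoded, not encrypted: {decoded!r}"))
        else:
            findings.append((name, "stored in plain text"))
    return findings


# (regex, finding) pairs; group 1 is the literal or constant name involved.
CRYPTO_SMELLS = [
    (re.compile(r'new\s+SecretKeySpec\(\s*"([^"]+)"'), "hardcoded key literal"),
    (re.compile(r'new\s+SecretKeySpec\(\s*(\w+)\.getBytes\('), "key taken from a string constant"),
    (re.compile(r'new\s+IvParameterSpec\(\s*"([^"]+)"'), "hardcoded IV"),
    (re.compile(r'Cipher\.getInstance\("([^"]*/ECB/[^"]*)"\)'), "ECB mode leaks plaintext structure"),
    (re.compile(r'Cipher\.getInstance\("((?:DES|RC4|RC2|Blowfish)[^"]*)"\)'), "weak algorithm"),
]


def find_crypto_smells(java_source):
    """Return (finding, value) pairs; constant names are resolved to their literals."""
    constants = dict(re.findall(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"', java_source))
    findings = []
    for pattern, finding in CRYPTO_SMELLS:
        for m in pattern.finditer(java_source):
            findings.append((finding, constants.get(m.group(1), m.group(1))))
    return findings


if __name__ == "__main__":
    for name, finding in scan_shared_prefs(SHARED_PREFS):
        print(f"shared_prefs: {name}: {finding}")
    for finding, value in find_crypto_smells(DECOMPILED_JAVA):
        print(f"source: {finding}: {value}")
```

Point the two functions at the real `shared_prefs/*.xml` files pulled with `adb pull` and at the JD-GUI export directory; the value of resolving `KEY` to its literal is that the key recovered from the source decrypts every record found in storage, which is exactly why a hardcoded key is no protection at all.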
27. M9: Improper Session Handling
• Session handling is as important as user authentication and validation.
• Set an expiration time for sessions.
• Use randomly generated tokens.
• Validate sessions and tokens on the server side.
• Use a secure (TLS) network channel.
• Keep tokens and session data protected in transit and at rest; a token must be infeasible to guess.
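The server side of what this slide asks for, as an added example that is not part of the talk: a session store whose tokens come from the OS CSPRNG, that enforces both an absolute and an idle expiry, rotates tokens after login, and revokes them on logout, so that nothing the app does on the device can extend a session. The store's API and the TTL values are hypothetical choices for illustration.

```python
"""Server-side session handling for a mobile app back end (OWASP Mobile M9).
Added example, not code from the talk; the store's API is hypothetical."""
import hashlib
import secrets
import time


class SessionStore:
    """Sessions live only on the server; the client holds an opaque random token.

    Validation, expiry, rotation and revocation all happen here, so a client
    that keeps using a stale or stolen token gains nothing once it is expired
    or revoked, whatever the app code on the device does."""

    def __init__(self, absolute_ttl=8 * 3600, idle_ttl=15 * 60, clock=time.time):
        self._sessions = {}          # sha256(token) -> {"user", "created", "last_seen"}
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.clock = clock           # injectable so expiry can be tested without sleeping

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored: a leaked session table cannot be
        # replayed, and comparing hashes rather than tokens means any timing
        # difference in the lookup reveals nothing about the token itself.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user):
        """Issue a fresh token: 32 bytes from the OS CSPRNG, never derived from user data."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, or None. Stale sessions are dropped here."""
        if not isinstance(token, str) or not token:
            return None
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["created"] > self.absolute_ttl or now - rec["last_seen"] > self.idle_ttl:
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, token):
        """Re-issue the token after login or a privilege change (defeats fixation)."""
        user = self.validate(token)
        if user is None:
            return None
        self.revoke(token)
        return self.create(user)

    def revoke(self, token):
        """Logout: the server forgets the session; the client forgetting it is not enough."""
        self._sessions.pop(self._key(token), None)
```

Send the token only over TLS (slide 23) and only in a header, never in a URL where it lands in logs and caches (slide 25); with the hash-keyed table, even a database dump does not hand an attacker a usable session.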
28. M10: Lack of Binary Protections
• Android applications are effectively open source: easy to decompile.
• Reverse engineering (dex2jar, APKTOOL, JD-GUI).
• Secret mechanisms and algorithms can be recovered easily.
• Obfuscate or encrypt the app to slow down reverse engineering; this raises the cost but cannot prevent it, since the code must still run on a device the attacker controls.
• Detect rooted devices and Android emulators.
29. Wrap Up
30. In a Nutshell…
• Don't store important information on the device unless it is absolutely required.
• Recommend that users encrypt the device's storage as well as the SD card (most Android devices expose this under the security settings).
• Hardcoded encryption keys and decryption routines can easily be extracted, or the check around them removed, using reverse engineering techniques.
31. In a Nutshell…
• Use standard, strong encryption algorithms. For internal storage use "setStorageEncryption" and to encrypt SD card storage use the "javax.crypto" library. An additional layer can be a master password and AES-128. Keep in mind that once the device is rooted, it is not impossible for an attacker to get access to the data.
• If the mobile application doesn't share data with any other application, set the content provider's android:exported attribute to false in AndroidManifest.xml.
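The last bullet, and the code-context analysis of slides 14 to 16, turned into a check you can run against a decoded manifest, as an added example that is not part of the talk: it lists every component another app on the device can reach, applying the platform defaults for each of the four component types when android:exported is absent, and then the subset with no permission guarding it. The manifest, package name and class names below are constructed for illustration.

```python
"""Which components of an APK can another app on the device reach? The
closing slide's advice for content providers (android:exported="false"),
generalised to all four component types. Added example, not code from the
talk; the manifest below is constructed (hypothetical package and classes)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed: AndroidManifest.xml as decoded by apktool.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bank.accounts"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.bank.cache"
              android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_exported(component, target_sdk):
    """Apply the platform defaults when android:exported is not set explicitly."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        # Providers default to exported=true when targeting API 16 or lower
        # (Android 4.1 and earlier); from API 17 the default flips to false.
        return target_sdk <= 16
    # Activities, services and receivers default to exported when they
    # declare an intent-filter, since that is how other apps address them.
    return component.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return (tag, name, permission) for every component other apps can reach."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    found = []
    for comp in root.find("application"):
        if comp.tag in COMPONENTS and is_exported(comp, target_sdk):
            found.append((comp.tag, comp.get(ANDROID + "name"), comp.get(ANDROID + "permission")))
    return found


def unprotected(manifest_xml):
    """Exported components with no android:permission guarding them: the review list."""
    return [(tag, name) for tag, name, perm in exported_components(manifest_xml) if perm is None]


if __name__ == "__main__":
    for tag, name in unprotected(MANIFEST):
        print(f"{tag} {name} is exported with no permission")
```

The launcher activity is expected on that list; every other entry needs a reason to exist, and a provider such as the constructed AccountProvider that is reachable only because of the old default is exactly the case the slide warns about. Newer platform versions (Android 12, API 31) refuse to install an app that declares an intent-filter without an explicit android:exported, which removes the ambiguity this check has to resolve.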
32. Thank You, OWASP Contributors!
33. Q&A. Thanks for listening!
• Sina Manavi
• Manavi.Sina@Gmail.com
• Sina.Manavi@OWASP.org
• www.sinamanavi.wordpress.com
• @sinamanavi