2. Intro to Standards
How can you prove to an enterprise client that your apps are secure?
What boxes might a security conscious client require you to tick to
comply with policy?
What are the industry guidelines for app security?
3. The Open Web Application Security Project
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10 for Mobile 2016
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Application Security Verification Standards (ASVS) v3.0.1
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Chapter 17 covers mobile
4. OWASP Top 10 for Mobile 2014
M1 – Weak server side controls
M2 – Insecure data storage on the device
M3 – Insufficient transport layer protection
M4 – Unintended data leakage
M5 – Poor authentication and authorization
M6 – Broken cryptography
M7 – Client side injection
M8 – Security decisions via untrusted inputs
M9 – Improper session handling
M10 – Lack of binary protection
5. OWASP Top 10 for Mobile 2016
M1 – Improper Platform Usage
M2 – Insecure Data Storage
M3 – Insecure Communication
M4 – Insecure Authentication
M5 – Insufficient Cryptography
M6 – Insecure Authorization
M7 – Client Code Quality
M8 – Code Tampering
M9 – Reverse Engineering
M10 – Extraneous Functionality
6. 2014 vs 2016
    2014                                            2016
    M1  – Weak server side controls                 M1  – Improper Platform Usage
    M2  – Insecure data storage on the device       M2  – Insecure Data Storage
    M3  – Insufficient transport layer protection   M3  – Insecure Communication
    M4  – Unintended data leakage                   M4  – Insecure Authentication
    M5  – Poor authentication and authorization     M5  – Insufficient Cryptography
    M6  – Broken cryptography                       M6  – Insecure Authorization
    M7  – Client side injection                     M7  – Client Code Quality
    M8  – Security decisions via untrusted inputs   M8  – Code Tampering
    M9  – Improper session handling                 M9  – Reverse Engineering
    M10 – Lack of binary protection                 M10 – Extraneous Functionality
7. Substantive Risks
• Malware remains high among perceived risks
• 63% of organisations are not confident (or have no confidence) they
know all of the mobile and IoT apps used in the workplace
• End user convenience is often considered more important than
security
• Despite the known and well documented risks, there is still a lack of
urgency to address the threat
• 60% of companies categorise the risk that they have already
suffered a security incident due to an insecure mobile app as “likely”
or higher
2017 Study on Mobile IoT Application Security, Ponemon Institute
8. Reasons
• Testing of mobile apps is ad-hoc, if done at all
• Insecure coding practices
• Broken crypto and unintended data leakage are the difficult risks to
mitigate
• Lack of internal policies is STILL listed as a reason
• The main reason remains…rush to release
2017 Study on Mobile IoT Application Security, Ponemon Institute
9. M1 – Improper Platform Usage
Misuse of a platform feature or failure to use platform security controls
• Violation of published guidelines
• Violation of convention or common practice
• Unintentional misuse
• Includes requesting too many permissions, or the wrong permissions
Example
- android:usesCleartextTraffic on Android, API 23+
NB: This is ignored on API 24 and above if an Android Network Security Config is present
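As an added configuration example (not from the original slides): the Network Security Config that, on API 24 and above, decides what NetworkSecurityPolicy reports and overrides the manifest attribute. The file location and the manifest reference in the comment are assumptions about a typical Xamarin.Android project layout.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: Resources/xml/network_security_config.xml, referenced from the
     <application> element as android:networkSecurityConfig="@xml/network_security_config".
     Keep android:usesCleartextTraffic="false" in the manifest as well, so API 23 devices,
     which never read this file, get the same answer. -->
<network-security-config>
    <!-- Default for every destination: cleartext refused, trust only the system CA store.
         Components that honour the policy (DownloadManager, OkHttp, ...) will now fail an
         http:// request; managed .NET networking still has to be checked in code. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Anything needed only while debugging goes here: the platform applies this block
         solely to debuggable builds, so a test-time relaxation cannot ship in a release. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```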
11. Exposing usesCleartextTraffic in Xamarin
    using Services;          // shared project namespace that declares INetworkPolicyService
    using Xamarin.Forms;
    [assembly: Dependency(typeof(M1.Droid.NetworkSecurityPolicyService_Droid))]
    namespace M1.Droid
    {
        // Android implementation, resolved from the shared code through the Forms DependencyService
        public class NetworkSecurityPolicyService_Droid : INetworkPolicyService
        {
            public bool isClearTextTrafficPermitted()
            {
                // NetworkSecurityPolicy only exists from API 23 (Android 6.0, BuildVersionCodes.M);
                // older platforms have no policy and always allow cleartext
                if (Android.OS.Build.VERSION.SdkInt < Android.OS.BuildVersionCodes.M)
                {
                    return true;
                }
                // On API 24+ this reflects the Network Security Config when one is present
                return Android.Security.NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted;
            }
        }
    }
12. Checking usesCleartextTraffic in Xamarin
    using System.Net;
    using System.Threading.Tasks;
    // Dishonours the policy: WebClient is a managed component that never consults
    // NetworkSecurityPolicy, so a plain http:// URL is fetched even when the platform forbids it
    public async Task<string> DownloadContentDishonour(string url)
    {
        WebClient client = new WebClient();
        return await client.DownloadStringTaskAsync(url);
    }
13. Checking usesCleartextTraffic in Xamarin
    using System;
    using System.Net;
    using System.Threading.Tasks;
    using Xamarin.Forms;
    // Resolved once from the Forms DependencyService; null on a platform with no registered implementation
    readonly INetworkPolicyService networkPolicyService = DependencyService.Get<INetworkPolicyService>();

    public async Task<string> DownloadContentHonour(string url)
    {
        // NB: a null service skips the check (fail-open); the scheme comparison is case-insensitive
        // so "HTTP://" cannot slip past it
        if (networkPolicyService != null
            && url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !networkPolicyService.isClearTextTrafficPermitted())
        {
            throw new InvalidOperationException(
                "Clear text network requests are not permitted");
        }
        using (WebClient client = new WebClient())
        {
            return await client.DownloadStringTaskAsync(url);
        }
    }
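The per-method check on slide 13 has to be repeated in every download routine and silently fails open when no platform service is registered. As an added example (not from the slides), the same policy can be applied once, to every request that goes through an HttpClient, by a DelegatingHandler; the interface is the one slide 11 implements, and the Services namespace, the fallback class and the redirect handling are this example's own assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

namespace Services
{
    // Shared contract implemented per platform (slide 11 shows the Android side)
    public interface INetworkPolicyService
    {
        bool isClearTextTrafficPermitted();
    }

    // Conservative fallback for a platform with no registered implementation:
    // refuse cleartext rather than silently allowing it
    public sealed class DenyClearTextPolicyService : INetworkPolicyService
    {
        public bool isClearTextTrafficPermitted() { return false; }
    }

    // One pipeline stage applies the platform policy to every request sent through the
    // HttpClient, so the check cannot be forgotten in an individual download method
    public sealed class ClearTextPolicyHandler : DelegatingHandler
    {
        readonly INetworkPolicyService policy;

        public ClearTextPolicyHandler(INetworkPolicyService policy, HttpMessageHandler inner)
            : base(inner)
        {
            this.policy = policy ?? new DenyClearTextPolicyService();
        }

        // Pure decision function, kept separate so it can be unit tested without a network
        public static bool IsAllowed(Uri uri, INetworkPolicyService policy)
        {
            if (uri == null || !uri.IsAbsoluteUri) return false;
            // System.Uri lower-cases the scheme, so "HTTP://" and "http://" compare equal here
            switch (uri.Scheme)
            {
                case "https":
                case "wss":
                    return true;                                  // always encrypted
                case "http":
                case "ws":
                    return policy.isClearTextTrafficPermitted();  // cleartext: ask the platform
                default:
                    return false;                                 // ftp: and anything else: refuse
            }
        }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            if (!IsAllowed(request.RequestUri, policy))
            {
                throw new InvalidOperationException(
                    "Clear text network requests are not permitted: " + request.RequestUri);
            }
            return base.SendAsync(request, cancellationToken);
        }
    }

    public static class PolicyHttpClient
    {
        // Typical call: PolicyHttpClient.Create(DependencyService.Get<INetworkPolicyService>())
        public static HttpClient Create(INetworkPolicyService policy)
        {
            // AllowAutoRedirect = false: an https -> http redirect would otherwise be followed
            // inside the inner handler, where this policy stage never sees the downgraded URL
            var inner = new HttpClientHandler { AllowAutoRedirect = false };
            return new HttpClient(new ClearTextPolicyHandler(policy, inner));
        }
    }
}
```

With redirects disabled the caller receives the 3xx response and decides whether the Location is acceptable; that is the price of keeping a downgrade redirect visible to the policy stage.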
14. M1 – Improper Platform Usage - Components
…that honour usesCleartextTraffic
• DownloadManager
• MediaPlayer
• SocketHandler
• Java.* / Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components
• Some third party libraries
    • OkHttp
    • ModernHttpClient
…that dishonour usesCleartextTraffic
• Android.WebKit.WebView
• Java.* / Android.* UDP and TCP connections
• Any related low-level network stacks
• All managed networking components
15. M2 – Insecure Data Storage
This covers two of the 2014 top 10 risks:
2014 M2 – Insecure Data Storage
• SQL databases
• Log files
• XML datastores / manifest files
• Binary data stores
• SD card
• Cloud sync’d folders
2014 M4 – Unintended Data Leakage
• Leaked without developer’s knowledge
• Cached data
• Images – e.g. task switcher
• Key presses
• Logging
• Buffers
16. Blurring the screen during auto-snapshot
    // In the iOS AppDelegate (UIApplicationDelegate): iOS captures the task-switcher snapshot
    // after the app resigns active, so the blur must be in place before this method returns
    public override void OnResignActivation(UIApplication uiApplication)
    {
        // 1. Take a screenshot
        // 2. Blur it
        // 3. Add the blurred view to the RootViewController.View
        base.OnResignActivation(uiApplication);
    }
    public override void OnActivated(UIApplication uiApplication)
    {
        // 4. Remove the blurred view, if there is one
        base.OnActivated(uiApplication);
    }
17. Blurring the screen during auto-snapshot
    // 1. Take a screenshot
    UIView view = UIApplication.SharedApplication.KeyWindow.RootViewController.View;
    UIGraphics.BeginImageContext(view.Frame.Size);
    // Bounds, not Frame: DrawViewHierarchy takes a rectangle in the view's own coordinate space
    view.DrawViewHierarchy(view.Bounds, true);
    UIImage image = UIGraphics.GetImageFromCurrentImageContext();
    UIGraphics.EndImageContext();
18. Blurring the screen during auto-snapshot
    // 2. Blur it
    UIImage newImage = null;
    using (var inputImage = new CoreImage.CIImage(image))
    using (var blur = new CoreImage.CIGaussianBlur())
    {
        blur.Image = inputImage;   // named InputImage on newer Xamarin.iOS releases
        blur.Radius = 25f;
        using (var outputImage = blur.OutputImage)
        using (var context = CoreImage.CIContext.FromOptions(
            new CoreImage.CIContextOptions { UseSoftwareRenderer = false }))
        {
            // Crop back to the original size: a Gaussian blur extends the image's extent
            using (var cgImage = context.CreateCGImage(outputImage,
                new CoreGraphics.CGRect(CoreGraphics.CGPoint.Empty, image.Size)))
            {
                newImage = UIImage.FromImage(cgImage);
            }
        }
    }
19. Blurring the screen during auto-snapshot
    // Field on the AppDelegate: remembers the overlay so step 4 removes exactly this view
    // rather than whichever subview happens to be last (which also failed to remove the
    // blur when it was the root view's only subview)
    UIImageView blurView;

    // 3. Add the blurred view to the RootViewController.View
    blurView = new UIImageView(newImage);
    view.AddSubview(blurView);

    // 4. Remove the blurred view, if there is one
    if (blurView != null)
    {
        blurView.RemoveFromSuperview();
        blurView = null;
    }
20. M2 – Insecure Data Storage
iOS Developer Cheat Sheet
- https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet
- Small amounts of sensitive data should go in the Keychain
- Recommends usage of a third party encryption API “not encumbered by
inherent weaknesses in Apple’s encryption”
- Singles out SQLCipher
- Key management then becomes critical (see M5)
- https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
Windows 10 Mobile Security Guide
- https://technet.microsoft.com/en-us/library/mt674915(v=vs.85).aspx
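An added example of the cheat sheet's first point, small secrets in the Keychain, using the Xamarin.iOS Security bindings; it is not code from the slides or from OWASP. The service name is a placeholder, and the accessibility class is the choice worth noticing: WhenUnlockedThisDeviceOnly keeps the item out of device-to-device backup restores and unreadable while the phone is locked.

```csharp
using Foundation;
using Security;

public static class KeychainStore
{
    const string Service = "com.example.m2demo";   // placeholder service identifier

    // Store (or replace) one small secret, e.g. a session token, under the given account name
    public static SecStatusCode Save(string account, string secret)
    {
        var record = new SecRecord(SecKind.GenericPassword)
        {
            Service = Service,
            Account = account
        };
        SecKeyChain.Remove(record);   // drop any previous value; Add would otherwise report DuplicateItem

        record.ValueData = NSData.FromString(secret, NSStringEncoding.UTF8);
        // Readable only while the device is unlocked and never migrated by backup/restore
        record.Accessible = SecAccessible.WhenUnlockedThisDeviceOnly;
        return SecKeyChain.Add(record);
    }

    // Returns null when nothing is stored or the item is not currently accessible
    public static string Load(string account)
    {
        var query = new SecRecord(SecKind.GenericPassword)
        {
            Service = Service,
            Account = account
        };
        SecStatusCode status;
        SecRecord match = SecKeyChain.QueryAsRecord(query, out status);
        if (status != SecStatusCode.Success || match == null || match.ValueData == null)
        {
            return null;
        }
        return NSString.FromData(match.ValueData, NSStringEncoding.UTF8);
    }

    public static SecStatusCode Delete(string account)
    {
        return SecKeyChain.Remove(new SecRecord(SecKind.GenericPassword)
        {
            Service = Service,
            Account = account
        });
    }
}
```

Large or structured data still belongs in an encrypted store such as the SQLCipher database the cheat sheet mentions; the Keychain is where the key for that store, or a token, lives.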
21. M3 – Insecure Communication
This covers:
• Poor handshaking
• Incorrect SSL versions
• Weak negotiation
• Cleartext communication of sensitive assets *
• SSL certificate validity
* Sensitive assets can include things like the IMEI and other hardware addresses. Some
jurisdictions consider these to be private data that must be given the same privacy treatment as a
phone number or home address
23. M4 – Insecure Authentication
In general, follow the same rules as a web app for authentication,
i.e. if porting a web app, it should not be possible to authenticate with fewer authentication
factors than in the web browser
Never use a device identifier (UDID, IP, MAC address, IMEI) to identify
a user or a session
Remember that some jurisdictions treat these as personal data
24. M4 – Insecure Authentication
Avoid out-of-band authentication tokens being sent to the same
device as the user is using to login (e.g. SMS to phone)
http://www.smh.com.au/technology/consumer-security/malware-hijacks-big-four-australian-banks-apps-steals-twofactor-sms-codes-20160309-gnf528.html
25. M5 – Insufficient Cryptography
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• Only store sensitive data that you need
• Use strong approved authenticated encryption
• Store a one-way and salted value of passwords
• Ensure that the cryptographic protection remains secure even if
access controls fail
• Ensure that any secret key is protected from unauthorised access
• Follow applicable regulations on use of cryptography
• PCLCrypto component
26. M5 – Insufficient Cryptography
Use of hardware information in key:
SQLCipher advice
- What’s unacceptable is to use this in its entirety and nothing else
- They propose it’s acceptable to use it as a portion of a key, but point
out that it’s critical that at least a portion of the key is both:
    - Entered by the user
    - Never stored on the device
https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
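An added example, not from the slides or from Zetetic, that turns the SQLCipher advice above and the "one-way and salted" password bullet of slide 25 into code. The database key is PBKDF2 over a user-entered passphrase plus a device-bound component, so neither half alone reconstructs it and the passphrase is never written to storage; the same KDF hashes passwords for storage. The iteration count, key sizes and the length-prefixing scheme are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class KeyMaterial
{
    const int Iterations = 100000;   // assumed work factor; measure on the slowest supported device
    const int SaltBytes = 16;
    const int KeyBytes = 32;         // 256-bit raw key, the size SQLCipher expects

    // Random per install, stored beside the database in the clear: not secret, it only
    // prevents precomputation across users
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    // Database key = PBKDF2(userPassphrase || deviceComponent, salt)
    //   userPassphrase : entered by the user each session, never written to the device
    //   deviceComponent: the device-bound portion (a random secret held in the platform
    //                    keystore, or a hardware identifier); only ever a portion of the input
    public static byte[] DeriveDatabaseKey(string userPassphrase, byte[] deviceComponent, byte[] salt)
    {
        if (string.IsNullOrEmpty(userPassphrase)) throw new ArgumentException("a user-entered passphrase is required");
        if (deviceComponent == null || deviceComponent.Length == 0) throw new ArgumentException("device component is required");
        byte[] material = LengthPrefixed(Encoding.UTF8.GetBytes(userPassphrase), deviceComponent);
        try
        {
            // Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1, the variant available to PCL/Xamarin projects
            using (var kdf = new Rfc2898DeriveBytes(material, salt, Iterations))
                return kdf.GetBytes(KeyBytes);
        }
        finally
        {
            Array.Clear(material, 0, material.Length);   // do not leave passphrase bytes in memory
        }
    }

    // SQLCipher raw-key syntax: PRAGMA key = "x'<64 hex chars>'" uses the bytes directly
    public static string ToSqlCipherRawKey(byte[] key)
    {
        return "x'" + BitConverter.ToString(key).Replace("-", "") + "'";
    }

    // Slide 25: store a one-way, salted value of a password (same KDF, new salt per password)
    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(KeyBytes);
    }

    public static bool VerifyPassword(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] actual = HashPassword(password, salt);
        // Fixed-time comparison: the position of the first mismatch is not observable via timing
        int diff = actual.Length ^ expectedHash.Length;
        for (int i = 0; i < actual.Length && i < expectedHash.Length; i++) diff |= actual[i] ^ expectedHash[i];
        return diff == 0;
    }

    // Length-prefix each part so ("ab","c") and ("a","bc") cannot produce the same input
    static byte[] LengthPrefixed(params byte[][] parts)
    {
        int total = 0;
        foreach (byte[] p in parts) total += 4 + p.Length;
        var buf = new byte[total];
        int pos = 0;
        foreach (byte[] p in parts)
        {
            Buffer.BlockCopy(BitConverter.GetBytes(p.Length), 0, buf, pos, 4); pos += 4;
            Buffer.BlockCopy(p, 0, buf, pos, p.Length);                         pos += p.Length;
        }
        return buf;
    }
}
```

Losing the passphrase loses the database by design; that is the property the SQLCipher advice asks for, so the product decision is a recovery flow on the server, not a copy of the passphrase on the device.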
27. M6 – Insecure Authorization
App may restrict functions based on user’s authorization level
Web service endpoints cannot assume this is sufficient
Classic finding is a server implicitly trusting the mobile code to only
generate requests appropriate to the user’s privilege level
Of course this cannot be assumed of a compromised app
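The classic finding above in code, as an added ASP.NET Web API 2 example (not from the slides): the first action trusts that the app only requests accounts its user may see, the second re-checks ownership against the authenticated identity on every call. Account, IAccountRepository and the routes are hypothetical, and attribute routing is assumed to be enabled.

```csharp
using System.Web.Http;

// Hypothetical domain types standing in for the service's data layer
public class Account { public string Id; public string OwnerUserId; public decimal Balance; }
public interface IAccountRepository { Account Find(string id); }

[Authorize]   // an authenticated caller is required; authentication alone is not authorization
public class AccountsController : ApiController
{
    readonly IAccountRepository accounts;
    public AccountsController(IAccountRepository accounts) { this.accounts = accounts; }

    // The finding: the endpoint relies on the mobile code to ask only for its own user's
    // accounts. Nothing stops a modified or scripted client from sending any id it likes.
    [Route("api/accounts/{id}/insecure")]
    public IHttpActionResult GetInsecure(string id)
    {
        Account account = accounts.Find(id);
        return account == null ? (IHttpActionResult)NotFound() : Ok(account);
    }

    // Server-side authorization: ownership is verified against the identity established by the
    // server, so what the client chose to send is irrelevant
    [Route("api/accounts/{id}")]
    public IHttpActionResult Get(string id)
    {
        Account account = accounts.Find(id);
        // Same 404 for "no such account" and "not yours": the response must not reveal
        // which other ids exist
        if (account == null || account.OwnerUserId != User.Identity.Name)
        {
            return NotFound();
        }
        return Ok(account);
    }
}
```

The same rule applies to writes: a transfer or update endpoint loads the target by id and checks the owner before touching it, never trusting an "owner" field posted by the app.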
28. M7 – Client Code Quality
“Catch-all” for code level implementation problems where the solution is to rewrite
some of the mobile code.
Poor coding practices allow attackers to modify:
• Your app’s business logic
• Code to bypass security controls
31. M9 – Reverse Engineering
• Obfuscation using DotFuscator
• Community edition is available with Visual Studio
https://blog.xamarin.com/protecting-xamarin-apps-dotfuscator/
32. M10 – Extraneous Functionality
Inclusion of testing shortcuts never intended for Production
e.g. ignoring certificate errors, disabling two-factor authentication during testing
Inclusion of these could be the result of a CI/CD script error
Build/deployment issues far more likely if manual steps are involved
Also covers intentional inclusion of malicious code
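The certificate-error shortcut named above, beside the validation that belongs in a release build, as an added example covering both slide 21 (SSL certificate validity) and this slide; it is not code from the original. The pinned thumbprint is a placeholder, and the process-wide ServicePointManager hook is assumed to be the stack in use (WebClient, HttpWebRequest and the managed HttpClientHandler all consult it).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class CertificateValidation
{
    // The testing shortcut: every certificate is accepted, so any interception proxy or forged
    // certificate passes and TLS no longer authenticates the server. If this ever reaches a
    // release build, the transport protection of M3 is gone without any visible symptom.
    public static bool AcceptAnything(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Placeholder SHA-1 thumbprint of the expected server certificate; baked into the release
    // build and rotated together with the certificate
    public const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Release-grade validation: platform checks must pass, then the presented leaf must match the pin
    public static bool Strict(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || cert == null)
        {
            return false;   // chain, hostname or expiry problem: fail closed
        }
        return string.Equals(cert.GetCertHashString(), PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Strict;
    }

    // Start-up self check: fails the build's smoke test if a testing shortcut is still installed,
    // which catches the CI/CD script error the slide describes before the app ships
    public static bool IsStrictValidationInstalled()
    {
        RemoteCertificateValidationCallback current = ServicePointManager.ServerCertificateValidationCallback;
        return current != null && current == (RemoteCertificateValidationCallback)Strict;
    }
}
```

Pinning the leaf certificate means an unplanned renewal locks users out; pinning the issuing CA or the public key, and shipping a backup pin, is the usual compromise. The self check is the point that matters for M10: a shortcut that survives in code is found by a test, not by a customer.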
33. Where to from here?
Source: 2017 Study on Mobile IoT Application Security, Ponemon Institute
34. Where to from here?
• OWASP ASVS
• PCI standards
• If you don’t have a security policy, reference these standards
• If you do have a security policy, check it against these standards
• If you’re writing or reviewing a security policy, check it against these standards
• Mobile dev is not web dev
• Establish and maintain a dedicated Mobile Center of Excellence
• A combination of the above