Plug the Vulnerabilities!
HasGeek – Fragments June 2020
AMA on Mobile Apps Security
Riddhi Shree, Security Analyst, Appsecco
Riyaz Walikar, Head of Research & Security Testing, Appsecco
About Us
• Riddhi Shree
• Security Analyst @Appsecco
• Breaks mobile apps and web applications for a living
• Built mobile apps for CTFs and to demonstrate weaknesses
• Check out VyAPI (if you haven't already!)
About Us
• Riyaz Walikar
• Head of Research and Security Testing @Appsecco
• GrayHat Hacker
• Leads the team that breaks mobile, web apps, thick clients, Cloud servers and services
• Not a developer but understands the pain that developers go through when dealing with security
What we will cover today
• Define mobile app security from the point of view of attackers and developers
• See some weaknesses that we commonly come across in Mobile Apps during our testing
• Cover things that developers do but ideally should not
• Things that attackers go after when testing mobile apps
• Talk about things that developers can do to harden mobile apps and backend APIs
• Bonus Content – Setting up a lab to get started with Mobile App Security Testing
• Open the symbolic floor for Q&A
What is (mobile application) security?
https://communicrossings.com/safer-internet-browsing-use-https
• Security is freedom from, or resilience against, potential harm caused by others
• In the digital world this "harm" corresponds to loss of either Confidentiality (C), Integrity (I) or Availability (A) of a system or the data contained therein
• Depending on how a (presumed) violation of CIA occurred, what was affected and what the impact of the violation was, we can calculate how severe the violation was (bug severity)
• The most secure system would be completely unusable
https://www.treesolution.com/news-english/increase-success-of-security-awareness-campaigns
Obligatory Dilbert
Why is security hard with mobile apps?
• Your code runs in an untrusted environment
• You want to do this to ensure you can utilise more client processing power
• It's easier to create, store and manage data as and when required
• Simplified and fast architecture, where APIs can be used for state control and mobile apps for the UI
• Often business logic and decisions are made client side to increase efficiency
• Examples would be file uploads from mobile apps
• Multi-form data stored in local caches etc.
• Disconnect between developers and security testers
• What kind of issues are more prevalent
• Learnings from bug reports?
Full disclosure
• We are not mobile app or API developers, but we understand their security, how they can be attacked and what an attacker could do with the access or data
• Most bugs covered here are from real world mobile application assessments that our team has performed in the last couple of years
• We will try and skip why these mistakes occur, as that would be a subjective opinion
Things Developers Do (which they ideally should not)
1. (Don't) Trust 3rd Parties
• Code
• Libraries
• APIs
• Stack Overflow
• etc.
Zero-Day!
https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/
"Sign in with Apple"
Victim?
• It affected those applications that used "Sign in with Apple"
"Sign in with Apple"
Damage?
• A full account takeover of user accounts was possible on these applications irrespective of whether the victim had a valid Apple ID or not
2. (Don't) Ignore API Authentication
Request JWT for any Email ID
Apple generated a valid JWT (id_token) for an arbitrary Email ID
3. (Don't) Ignore API Authorization
Amazon Cognito: Anonymous Sign-In
Feature:
• "Amazon Cognito supports unauthenticated identities, allowing customers to use the application without logging in"
Flaw?
• If enabled, it can possibly allow its users unauthorized access to sensitive and private information stored in AWS services
https://github.com/riddhi-shree/nullCommunity/blob/master/Android/amazon_cognito_authz_issue/
With new technology... comes new responsibilities
https://d2908q01vomqb2.cloudfront.net/0a57cb53ba59c46fc4b692527a38a87c78d84028/2017/07/19/CognitoDiagram.png
Sensitive AWS services accessible by unauthenticated users
https://www.facebook.com/ncybersec/photos/a.1233210783516310/1257880004382721/
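As an added illustration (not from the slides or the linked write-up), a small Python checker that reviews the IAM policy attached to a Cognito unauthenticated role and flags the broad grants that expose AWS services to anonymous users. The two policies and the service list are constructed examples, and the three rules are assumptions about what an anonymous identity should never hold.

```python
import json

# Services whose data plane should not be reachable from an anonymous identity
# without a tightly scoped resource. Illustrative set, not exhaustive.
DATA_PLANE_SERVICES = {"s3", "dynamodb", "lambda", "sqs", "sns", "kinesis", "secretsmanager", "ssm"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Query", "Scan")


def review_unauth_policy(policy: dict) -> list:
    """Return (statement_index, action, problem) tuples for permissions an
    unauthenticated role should not hold. Three rules: wildcard actions,
    data-plane actions granted on Resource "*", and non-read actions on
    data-plane services."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):            # a single statement may be given as an object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":       # Deny statements never widen access
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append((idx, action, "wildcard action"))
            elif service in DATA_PLANE_SERVICES and "*" in resources:
                findings.append((idx, action, "data-plane action on every resource"))
            elif service in DATA_PLANE_SERVICES and not verb.startswith(READ_ONLY_PREFIXES):
                findings.append((idx, action, "write action for an anonymous identity"))
    return findings


# Constructed example of an over-broad policy on the unauthenticated role
# (the failure mode described on the slide).
BROAD_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "cognito-sync:*", "Resource": "*"},
    ],
}

# Constructed example of a scoped policy: anonymous users may only read a public
# asset bucket and post analytics events.
SCOPED_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-assets/*"},
        {"Effect": "Allow", "Action": "mobileanalytics:PutEvents", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_UNAUTH_POLICY), ("scoped", SCOPED_UNAUTH_POLICY)):
        print(name, json.dumps(review_unauth_policy(policy)))
```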
4. (Don't) Ignore API Rate Limiting
EXPECTATION:
• If the rate limit is reached, requests should be blocked
REALITY?
• X-RateLimit-Remaining was reset to a higher value repeatedly
https://developer.github.com/v3/#rate-limiting
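The expectation on this slide, worked as an added Python example that is not the presenters' code: a fixed-window limiter keyed on the authenticated principal, whose X-RateLimit-Remaining only rises when the window itself rolls over, plus an audit over a recorded header trace that flags the "reset to a higher value" behaviour. The header names follow the GitHub convention linked above; limits, timestamps and the broken trace are constructed.

```python
import time
from typing import Dict, List, Optional, Tuple


class FixedWindowLimiter:
    """Server-side fixed-window limiter keyed on the authenticated principal.
    The remaining count only goes back up when the window rolls over, never
    because of anything the client sends. (Hypothetical example, constructed limits.)"""

    def __init__(self, limit: int = 5, window_seconds: int = 60) -> None:
        self.limit = limit
        self.window_seconds = window_seconds
        self._state: Dict[str, Tuple[float, int]] = {}   # principal -> (window_start, used)

    def check(self, principal: str, now: Optional[float] = None) -> Tuple[bool, Dict[str, str]]:
        """Count one request for `principal`; return (allowed, X-RateLimit-* headers)."""
        now = time.time() if now is None else now
        window_start, used = self._state.get(principal, (now, 0))
        if now - window_start >= self.window_seconds:
            window_start, used = now, 0                    # the only legitimate reset
        allowed = used < self.limit
        if allowed:
            used += 1                                      # denied requests do not consume quota
        self._state[principal] = (window_start, used)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - used),
            "X-RateLimit-Reset": str(int(window_start + self.window_seconds)),
        }
        return allowed, headers


def find_unexpected_resets(trace: List[Dict[str, str]]) -> List[int]:
    """Audit the X-RateLimit-* headers of consecutive responses (as a tester would
    record them) and return the indexes where Remaining went UP although Reset did
    not advance, i.e. the counter was reset inside a window."""
    suspicious = []
    for i in range(1, len(trace)):
        prev, cur = trace[i - 1], trace[i]
        went_up = int(cur["X-RateLimit-Remaining"]) > int(prev["X-RateLimit-Remaining"])
        same_window = int(cur["X-RateLimit-Reset"]) <= int(prev["X-RateLimit-Reset"])
        if went_up and same_window:
            suspicious.append(i)
    return suspicious


# Constructed trace showing the "reality" on the slide: Remaining jumps from 1
# back to 5 while the Reset timestamp (the window) is unchanged.
BROKEN_TRACE = [
    {"X-RateLimit-Limit": "5", "X-RateLimit-Remaining": "1", "X-RateLimit-Reset": "1060"},
    {"X-RateLimit-Limit": "5", "X-RateLimit-Remaining": "5", "X-RateLimit-Reset": "1060"},
    {"X-RateLimit-Limit": "5", "X-RateLimit-Remaining": "4", "X-RateLimit-Reset": "1060"},
]


def simulate(limiter: FixedWindowLimiter, principal: str, times: List[float]):
    """Drive the limiter with a fixed clock so the behaviour is reproducible."""
    return [limiter.check(principal, now=t) for t in times]


if __name__ == "__main__":
    lim = FixedWindowLimiter(limit=5, window_seconds=60)
    results = simulate(lim, "user-a", [1000.0 + i for i in range(7)] + [1061.0])
    for allowed, h in results:
        print(allowed, h["X-RateLimit-Remaining"], h["X-RateLimit-Reset"])
    print("suspicious in correct trace:", find_unexpected_resets([h for _, h in results]))
    print("suspicious in broken trace:", find_unexpected_resets(BROKEN_TRACE))
```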
Real World Examples
Instagram Hack:
Facebook Hack:
https://www.scoopbyte.com/responsible-disclosure-how-i-could-have-hacked-all-facebook-accounts/
https://www.acunetix.com/blog/web-security-zone/instagram-usd-30000-bounty/
5. (Don't) Leave Sensitive Files in App Bundle
https://4.bp.blogspot.com/-7rnDzueIqe8/XcMuixnIjLI/AAAAAAAANEs/jN09o4cklQ80uu91hUoGeFQ_9A-E8-VQgCLcBGAsYHQ/s1600/image3.png
It's easy to extract bundled resources from APK/IPA
Is it possible to find a configuration file?
Takeaway:
• Do not ship sensitive files in app bundles
6. (Don't) Hardcode Plaintext Secrets
https://www.nowsecure.com/wp-content/uploads/2020/02/image1.png
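For slides 5 and 6 (sensitive files in the bundle and hardcoded plaintext secrets), an added Python pre-release check that is not part of the talk: it walks an unpacked APK/IPA directory and flags configuration files and secret-looking strings before the build ships. The directory tree and the placeholder credential values are constructed, and the patterns are a deliberately small, illustrative set.

```python
import os
import re
import tempfile

# File types that usually carry configuration and deserve a manual look before shipping.
CONFIG_NAMES = re.compile(r"(\.(properties|plist|json|ya?ml|env|cfg|ini)|(^|/)\.env)$", re.I)

# Illustrative secret patterns. Real scanners use far larger sets; note that a value
# inside an XML string resource ("api_key">...) is NOT caught by the assignment rule.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*["']?[^\s"']{8,}"""
    ),
}


def classify(rel_path: str, text: str) -> list:
    """Reasons a single file should be reviewed: config file by name, or secret-like content."""
    reasons = []
    if CONFIG_NAMES.search(rel_path):
        reasons.append("config_file")
    for label, pattern in SECRET_PATTERNS.items():
        if pattern.search(text):
            reasons.append(label)
    return reasons


def scan_bundle(root: str) -> list:
    """Walk an unpacked bundle and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)   # enough for config files; binary noise is ignored
            except OSError:
                continue
            findings.extend((rel, reason) for reason in classify(rel, text))
    return sorted(findings)


def build_sample_bundle(root: str) -> None:
    """Write a small constructed 'unpacked APK' tree. Values are placeholders, not real credentials."""
    samples = {
        "assets/config.properties": "api_key=sk_live_constructed_example_0001\nlog_level=debug\n",
        "assets/aws.json": '{"accessKeyId": "AKIAEXAMPLEEXAMPLE12", "region": "us-east-1"}\n',
        "res/raw/service.pem": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder body)\n-----END RSA PRIVATE KEY-----\n",
        "assets/readme.txt": "Nothing sensitive here.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> list:
    """Build the constructed bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_bundle(root)
        return scan_bundle(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:22s} {rel}")
```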
7. (Don't) Save Unencrypted Data in Local Database
https://1.bp.blogspot.com/-EiMyvr8QDU0/XWgt_XR8JMI/AAAAAAAANUM/51Iuf5acUNYgOkCSmR73-st9ZI_HWYZ1wCEwYBhgL/s1600/whatsapp%2BE2E.png
8. (Don't) Leave Leftovers in Cache Files
9. (Don't) Ignore Environment Checks
Few things that go missing...
Attacker's Motive?
1. Attempt to reverse-engineer the target app
2. Intercept communication between the server and the app
https://www.veracode.com/sites/default/files/mobile-data-breach.gif
• Root and Jailbreak detection
• Emulator detection
• Obfuscation
• Encryption
• Certificate pinning
• Tamper prevention
• etc.
https://4.bp.blogspot.com/-laatgMnq1ns/U1_nNKxOEnI/AAAAAAAAAbM/MJeSFZkTCFg/s1600/jd-gui.png
Things Developers Should Do
Things to do to improve security
• Write unit tests, especially for complex apps
• Ensures some level of business logic testing is achieved
• Write modular code to ensure unit testing, bug fixes and feature updates are done smoothly
• Verify third party sources that are going to become a part of your project
• Usage of third-party code always increases the attack surface an app has
• Third party code could be in the form of libraries, external binaries, resources and even code copied from Stack Overflow
• Verify the source and be aware of the security state and known issues
Define your circle of trust.
https://i1.wp.com/redandhowling.com/wp-content/uploads/2019/03/redandhowling_circle_of_trust.jpg?resize=580%2C580&ssl=1
Things to do to improve security
• Implement environment detection routines and certificate pinning
• This makes it difficult for novice hackers to perform runtime analysis
• Tools are available with out-of-the-box scripts to bypass standard checks, so add a layer of obfuscation to the functions
• Improve the detection rate by using a larger list of known files. For example, with checkra1n coming out, checking for “/Applications/Cydia.app” is no longer enough
• Similarly, the default example for implementing certificate pinning using OkHttp's CertificatePinner has been scripted and can be easily bypassed using tools like Frida and Objection
Incorporate Layered Defense
https://www.researchgate.net/profile/Mehran_Jodavi/publication/279861980/figure/fig1/AS:648205335269377@1531555603371/An-example-of-data-obfuscation.png
https://www.guardsquare.com/files/media/guardsquare2017/Regular_SSL.png
https://i.redd.it/suj4swxenrj11.jpg
Things to do to improve security
• Ensure local caches, files and SQL storages are cleared upon user logout
• More people share devices than you know
• When a user’s session is terminated on the server, the mobile app should ensure that web caches, temporary document locations for the app and any SQL storages are emptied to prevent a different user from accessing them
• Although access to the app's sandbox requires root access, it may still be possible to invoke an insecure Activity or a file path traversal issue within the app to read the data of a different user
Things to do to improve security
• Implement robust authentication and authorisation checks
• Build authentication discussions into your app design
• Questions like: do we allow 2 users to be logged into the mobile app at the same time? Or what happens if the user logs into the mobile app from a different device?
• Treat user input with caution, as the same piece of data can have different meaning in different contexts
• Offloading authentication to third party providers is great, but can have its own set of troubles
• Ensure the authentication documentation by the provider is followed and unnecessary storage and transmission of tokens and keys is avoided
• Authorisation can be tricky, especially for multi-user, multi-role apps
• Avoid passing direct references to server-side objects to clients
• Use UUID identifiers to prevent attackers from doing guesswork
• Create an authorisation matrix that shows exactly what a user and role is allowed to access
• Use the principle of default deny
Follow the least privilege principle.
https://thycotic.com/wp-content/uploads/2018/11/what-is-least-privilege-and-how-does-it-work.png
Things to do to improve security
• Treat all user input as evil (especially for APIs)
• User data can originate in many places, including but not limited to forms, post body, request headers, file uploads, metadata of a file upload and even content coming in from non-human sources like databases and caches
• Treat data contextually and validate user input to prevent the meaning of the data from changing
• Fail safely when processing data; handle error conditions without providing too many internal details
• Restrict the information that responses send. If the user doesn’t see it and the app does not operate on it, then ideally do not send it in the response
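The authorisation matrix, UUID references, default deny and restricted responses from the two slides above, as one added Python example that is not the presenters' code: a read handler that authorises against a role matrix, serialises only allowlisted fields and collapses every denial into the same 404 while the detailed reason stays in the server log. Roles, resource types and field names are constructed.

```python
import logging
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

log = logging.getLogger("api")

# Authorisation matrix: role -> {(resource_type, action): scope}. Anything absent is denied.
# "own" allows only the resource's owner, "any" allows every instance of that type.
AUTHZ_MATRIX = {
    "customer": {("order", "read"): "own", ("order", "cancel"): "own", ("profile", "read"): "own"},
    "support":  {("order", "read"): "any", ("profile", "read"): "any"},
}

# Per-view allowlist of fields that may leave the server; everything else stays internal.
RESPONSE_FIELDS = {
    "order": ("id", "status", "total"),
    "profile": ("id", "display_name"),
}


@dataclass(frozen=True)
class User:
    id: str
    role: str


@dataclass(frozen=True)
class Resource:
    id: str            # opaque UUID handed to clients instead of the database row id
    type: str
    owner_id: str
    data: dict


class Store:
    """Minimal in-memory store standing in for the database (constructed for the example)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Resource] = {}

    def create(self, type_: str, owner_id: str, **data) -> Resource:
        res = Resource(id=str(uuid.uuid4()), type=type_, owner_id=owner_id, data=data)
        self._rows[res.id] = res
        return res

    def get(self, resource_id: str) -> Optional[Resource]:
        return self._rows.get(resource_id)


def decide(user: User, action: str, resource: Optional[Resource]) -> str:
    """Default-deny decision. The returned reason is for server-side logs only."""
    if resource is None:
        return "not_found"
    scope = AUTHZ_MATRIX.get(user.role, {}).get((resource.type, action))
    if scope is None:
        return "no_rule"
    if scope == "own" and resource.owner_id != user.id:
        return "not_owner"
    return "allowed"


def shape(view: str, resource: Resource) -> dict:
    """Emit only the allowlisted fields; internal columns are never serialised."""
    payload = {"id": resource.id, **resource.data}
    return {k: payload[k] for k in RESPONSE_FIELDS[view] if k in payload}


def handle_read(store, user: User, resource_type: str, resource_id: str) -> Tuple[int, dict]:
    """GET /<type>/<id>: authorise, then return a shaped body. Every denial maps to the
    same 404 so a client cannot tell 'exists but not yours' from 'does not exist'."""
    try:
        resource = store.get(resource_id)
        if resource is not None and resource.type != resource_type:
            resource = None                      # an id of the wrong type is treated as unknown
        reason = decide(user, "read", resource)
        log.info("read %s/%s by %s (%s): %s", resource_type, resource_id, user.id, user.role, reason)
        if reason != "allowed":
            return 404, {"error": "not found"}
        return 200, shape(resource_type, resource)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)   # full detail stays in the server log
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    store = Store()
    alice, bob = User("alice", "customer"), User("bob", "customer")
    order = store.create("order", "alice", status="shipped", total="42.00", card_last4="1234")
    print(handle_read(store, alice, "order", order.id))
    print(handle_read(store, bob, "order", order.id))
```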
A Typical Mobile Hacker Lab (Bonus Content)
Mobile Security Lab – Tools to get started
Item / Tool | Platform | Purpose
Rooted Android device | Android | To install and run Android mobile apps for testing. Root to access memory, perform dynamic inspection and check the file system for secrets.
Jailbroken iOS device | iOS | To install and run iOS mobile apps for testing. JB to access memory, perform dynamic inspection and check the file system for secrets.
Android Studio | Android | Android Virtual Device (Emulator). Also to decompile APKs and to build code PoCs if needed.
XCode | iOS | Device logs and creating entitlements. iOS Simulator if required.
MobSF | Both | Static and Dynamic App Security Analysis
Burp / ZAP | Both | Interception Proxy, to test and attack the APIs
Hopper / Ghidra | Both | Disassembly and function tracing, reverse engineering of apps
jadx | Android | Decompile APK to Java classes
Frida + Objection | Both | Dynamic instrumentation, patch running binaries, evade JB/root detection, evade cert pinning
3uTools | iOS | Browse iOS file system, install IPA files, extract installed apps, upgrade versions
Mobile Security Lab – Getting Started
• Mobile Security Testing Guide - https://github.com/OWASP/owasp-mstg
• Check iOS JB version - http://canijailbreak.com/
• XDA Developers Android Forums - https://www.xda-developers.com/
• iOS App Hacking tutorials - http://highaltitudehacks.com/
• Guide to Building and Securing APIs - https://developer.okta.com/books/api-security/
• VyAPI – vulnerable Android App - https://blog.appsecco.com/vyapi-the-modern-cloud-based-vulnerable-hybrid-android-app-ee300a9d60ed
• MobSF - https://mobsf.github.io/docs/#/
• OWASP API Security Top 10 RC - https://github.com/OWASP/API-Security/raw/master/2019/en/dist/owasp-api-security-top-10.pdf
Q&A
Riyaz Walikar
riyaz@appsecco.com
@riyazwalikar
https://appsecco.com
Riddhi Shree
riddhi@appsecco.com
@_riddhishree
https://appsecco.com
Mobile apps security consultation with Appsecco
2nd July 2020 4 PM – 5:55 PM
https://hasgeek.com/fragments/mobile-apps-security-consultation-with-appsecco/
Plug Mobile App Vulnerabilities

More Related Content

What's hot

YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and  Tablets  - The Inconvenient  TruthMalware on Smartphones and  Tablets  - The Inconvenient  Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Tomek Cejner
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00srini0x00
 
Whats different in android L, M, N and O
Whats different in android L, M, N and OWhats different in android L, M, N and O
Whats different in android L, M, N and OPietro F. Maggi
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays
 

What's hot (20)

YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and  Tablets  - The Inconvenient  TruthMalware on Smartphones and  Tablets  - The Inconvenient  Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.
 
Check Point Threat emulation 2013
Check Point Threat emulation 2013Check Point Threat emulation 2013
Check Point Threat emulation 2013
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00
 
Whats different in android L, M, N and O
Whats different in android L, M, N and OWhats different in android L, M, N and O
Whats different in android L, M, N and O
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
 

Similar to Plug Mobile App Vulnerabilities

Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!Shelly Megan
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfErikHof4
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-PracticesOctogence
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleRochester Security Summit
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the EnterpriseWill Adams
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 

Similar to Plug Mobile App Vulnerabilities (20)

Security Design Principles.ppt
 Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Web security
Web securityWeb security
Web security
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-Practices
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 

More from Appsecco

Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020Appsecco
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019Appsecco
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco
 

More from Appsecco (7)

Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation Slides
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018
 

Plug Mobile App Vulnerabilities

  • 1. Plug the Vulnerabilities! HasGeek – Fragments June 2020 AMA on Mobile Apps Security Riddhi Shree, Security Analyst, Appsecco Riyaz Walikar, Head of Research & Security Testing, Appsecco
  • 2. About Us • Riddhi Shree • Security Analyst @Appsecco • Breaks mobile apps and web applications for a living • Built mobile apps for CTFs and to demonstrate weaknesses • Check out VyAPI (if you haven't already!)
  • 3. About Us • Riyaz Walikar • Head of Research and Security Testing @Appsecco • GrayHat Hacker • Leads the team that breaks mobile, web apps, thick clients, Cloud servers and services • Not a developer but understands the pain that developers go through when dealing with security
  • 4. • Define mobile app security from the point of view of attackers and developers • See some weaknesses that we commonly come across in Mobile Apps during our testing • Cover things that developers do but ideally should not • Things that attackers go after when testing mobile apps • Talk about things that developers can do to harden mobile apps and backend APIs • Bonus Content – Setting up a lab to get started with Mobile App Security Testing • Open the symbolic floor for Q&A What we will cover today
  • 7. • Security is freedom from, or resilience against, potential harm caused by others • In the digital world this "harm" corresponds to loss of either Confidentiality (C), Integrity (I) or Availability (A) of a system or data contained therein • Depending on how a (presumed) violation of CIA occurred, what was affected and what was the impact of the violation, we can calculate how severe the violation was (bug severity). • The most secure system would be completely unusable
  • 10. • Your code runs in an untrusted environment • You want to do this to ensure you can utilise more client processing power • It's easier to create, store and manage data as and when required • Simplified and fast architecture, where APIs can be used for state control and mobile apps for the UI • Often business logic and decisions are made client side to increase efficiency • Examples would be file uploads from mobile apps • Multi form data stored in local caches etc. • Disconnect between developers and security testers • What kind of issues are more prevalent • Learnings from bug reports? Why is security hard with mobile apps?
  • 11. • We are not mobile app or API developers, but we understand their security, how they can be attacked and what could an attacker do with the access or data • Most bugs covered here are from real world mobile application assessments that our team has performed in the last couple of years • We will try and skip the why these mistakes occur as that would be a subjective opinion Full disclosure
  • 12. Things Developers Do (which they ideally should not)
  • 13. 1. (Don't) Trust 3rd Parties • Code • Libraries • APIs • Stack Overflow • etc.
  • 15. "Sign in with Apple"
  • 16. Victim? • It affected those applications that used "Sign in with Apple" "Sign in with Apple" Damage? • A full account takeover of user accounts was possible on these applications irrespective of whether victim had a valid Apple ID or not
17. 2. (Don't) Ignore API Authentication
Request JWT for any Email ID
Apple generated valid JWT (id_token) for arbitrary Email ID
18. 3. (Don't) Ignore API Authorization
19. Amazon Cognito: Anonymous Sign-In
Feature:
• "Amazon Cognito supports unauthenticated identities, allowing customers to use the application without logging in"
Flaw?
• If enabled, it can possibly allow its users unauthorized access to sensitive and private information stored in AWS services
https://github.com/riddhi-shree/nullCommunity/blob/master/Android/amazon_cognito_authz_issue/
20. With new technology ...comes new responsibilities
https://d2908q01vomqb2.cloudfront.net/0a57cb53ba59c46fc4b692527a38a87c78d84028/2017/07/19/CognitoDiagram.png
21. Sensitive AWS services accessible by unauthenticated users
https://www.facebook.com/ncybersec/photos/a.1233210783516310/1257880004382721/
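As an added example (not code from the talk or from AWS), the kind of check a defender can run over the IAM policy attached to a Cognito identity pool's unauthenticated role: it flags every Allow action beyond the small allowlist an anonymous identity normally needs, and notes when the grant is on a wildcard resource. The allowlist prefixes and both sample policies are constructed for illustration.

```python
import json

# Action prefixes an anonymous (unauthenticated) Cognito identity usually
# needs. Constructed allowlist for this example; adjust it to your own app.
UNAUTH_ALLOWED_PREFIXES = ("cognito-sync:", "cognito-identity:",
                           "mobileanalytics:PutEvents")


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_risky_grants(policy_doc):
    """One finding per Allow action outside the allowlist. A wildcard
    Resource is recorded too: 'dynamodb:GetItem' on '*' is every table."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard_resource = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if action.startswith(UNAUTH_ALLOWED_PREFIXES):
                continue
            findings.append({"statement": idx, "action": action,
                             "wildcard_resource": wildcard_resource})
    return findings


# Constructed sample: an unauthenticated role limited to Cognito/analytics...
SAFE_UNAUTH_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
                 "Resource": "*"}]}""")

# ...and one where backend data stores were attached to the same role.
WEAK_UNAUTH_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cognito-sync:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:GetItem"], "Resource": "*"}
  ]}""")

if __name__ == "__main__":
    for finding in find_risky_grants(WEAK_UNAUTH_POLICY):
        print(finding)
```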
22. 4. (Don't) Ignore API Rate Limiting
EXPECTATION:
• If the rate limit is reached, requests should be blocked
REALITY?
• X-RateLimit-Remaining was reset to a higher value repeatedly
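An added example, not from the talk: a server-side fixed-window limiter whose X-RateLimit-Remaining only refills when the window has genuinely elapsed, plus a small checker a tester can run over a sequence of observed response headers to flag the symptom in the slide (the remaining count climbing back up before the advertised reset time). The header names follow the slide; the limiter, its parameters and the sample observations are constructed.

```python
import time


class FixedWindowRateLimiter:
    """Constructed example: `limit` requests per `window` seconds per client.
    The remaining budget only decreases inside a window and is restored
    only when the window has actually elapsed."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._state = {}  # client_id -> (window_start, used)

    def check(self, client_id, now=None):
        """Return (allowed, headers) for one request from client_id."""
        now = time.time() if now is None else now
        start, used = self._state.get(client_id, (now, 0))
        if now - start >= self.window:      # genuine rollover: new window
            start, used = now, 0
        allowed = used < self.limit
        if allowed:
            used += 1
        self._state[client_id] = (start, used)
        headers = {
            "X-RateLimit-Limit": self.limit,
            "X-RateLimit-Remaining": self.limit - used,
            "X-RateLimit-Reset": int(start + self.window),  # epoch seconds
        }
        return allowed, headers


def remaining_reset_early(observations):
    """observations: list of (timestamp, headers) as seen by a test client.
    Returns the (previous_ts, current_ts) pair at which X-RateLimit-Remaining
    went UP before the advertised X-RateLimit-Reset time, or None if the
    counter behaved. This is the anomaly the slide describes."""
    prev = None
    for ts, hdrs in observations:
        if prev is not None:
            prev_ts, prev_hdrs = prev
            climbed = (hdrs["X-RateLimit-Remaining"]
                       > prev_hdrs["X-RateLimit-Remaining"])
            if climbed and ts < prev_hdrs["X-RateLimit-Reset"]:
                return prev_ts, ts
        prev = (ts, hdrs)
    return None
```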
24. Real World Examples
Instagram Hack: https://www.acunetix.com/blog/web-security-zone/instagram-usd-30000-bounty/
Facebook Hack: https://www.scoopbyte.com/responsible-disclosure-how-i-could-have-hacked-all-facebook-accounts/
25. 5. (Don't) Leave Sensitive Files in App Bundle
https://4.bp.blogspot.com/-7rnDzueIqe8/XcMuixnIjLI/AAAAAAAANEs/jN09o4cklQ80uu91hUoGeFQ_9A-E8-VQgCLcBGAsYHQ/s1600/image3.png
26. It's easy to extract bundled resources from APK/IPA
27. Is it possible to find a configuration file?
Takeaway:
• Do not ship sensitive files in app bundles
28. 6. (Don't) Hardcode Plaintext Secrets
https://www.nowsecure.com/wp-content/uploads/2020/02/image1.png
29. 7. (Don't) Save Unencrypted Data in Local Database
https://1.bp.blogspot.com/-EiMyvr8QDU0/XWgt_XR8JMI/AAAAAAAANUM/51Iuf5acUNYgOkCSmR73-st9ZI_HWYZ1wCEwYBhgL/s1600/whatsapp%2BE2E.png
30. 8. (Don't) Leave Leftovers in Cache Files
31. 9. (Don't) Ignore Environment Checks
Attacker's Motive?
1. Attempt to reverse-engineer target app
2. Intercept communication between server and the app
https://www.veracode.com/sites/default/files/mobile-data-breach.gif
32. Few things that go missing...
• Root and Jailbreak detection
• Emulator detection
• Obfuscation
• Encryption
• Certificate pinning
• Tamper prevention
• etc.
https://4.bp.blogspot.com/-laatgMnq1ns/U1_nNKxOEnI/AAAAAAAAAbM/MJeSFZkTCFg/s1600/jd-gui.png
34. Things to do to improve security
• Perform unit test cases, especially for complex apps
  • Ensures some level of business logic testing is achieved
  • Write modular code to ensure unit testing, bug fixes and feature updates are done smoothly
• Verify third party sources that are going to become a part of your project
  • Usage of third-party code always increases the attack surface an app has
  • Third party code could be in the form of libraries, external binaries, resources and even code copied from Stack Overflow
  • Verify the source and be aware of the security state and known issues
35. Define your circle of trust.
https://i1.wp.com/redandhowling.com/wp-content/uploads/2019/03/redandhowling_circle_of_trust.jpg?resize=580%2C580&ssl=1
36. Things to do to improve security
• Implement environment detection routines and certificate pinning
  • This makes it difficult for novice hackers to perform runtime analysis
  • Tools are available with out-of-the-box scripts to bypass standard checks, so add a layer of obfuscation to the functions
  • Improve the detection rate by using a larger list of known files. For example, with checkra1n coming out, checking for "/Applications/Cydia.app" is no longer enough
  • Similarly, the default example for implementing certificate pinning using CertificatePinner of OkHttp has been scripted and can be easily bypassed using tools like Frida and Objection
38. Things to do to improve security
• Ensure local caches, files and SQL storages are cleared upon user logout
  • More people share devices than you know
  • When a user's session is terminated on the server, the mobile app should ensure that web caches, temporary document locations for the app and any SQL storages are emptied to prevent a different user from accessing them
  • Although access to the sandbox of the app requires root access, it may be entirely possible to invoke an insecure Activity or a file path traversal issue within the app to read the data of a different user
39. Things to do to improve security
• Implement robust authentication and authorisation checks
  • Build authentication discussions into your app design
    • Questions like: do we allow 2 users to be logged into the mobile app at the same time?
    • Or what happens if the user logs into the mobile app from a different device?
  • Treat user input with caution, as the same piece of data can have a different meaning in different contexts
  • Offloading authentication to third party providers is great, but can have its own set of troubles
    • Ensure the authentication documentation by the provider is followed and unnecessary storage and transmission of tokens and keys is avoided
  • Authorisation can be tricky, especially for multi user multi role apps
    • Avoid passing direct references to objects on the server to clients
    • Use UUID identifiers to prevent attackers from doing guesswork
    • Create an authorisation matrix that shows exactly what a user and role is allowed access to
    • Use the principle of default deny
40. Follow the least privilege principle.
https://thycotic.com/wp-content/uploads/2018/11/what-is-least-privilege-and-how-does-it-work.png
41. Things to do to improve security
• Treat all user input as evil (especially for APIs)
  • User data can originate in many places, including but not limited to forms, post body, request headers, file uploads, metadata of a file upload and even content coming in from non-human sources like databases and caches
  • Treat data contextually and validate user input to prevent the meaning of the data from changing
  • Fail safely when processing data; handle error conditions without providing too many internal details
  • Restrict the information that responses send. If the user doesn't see it and the app does not operate on it, then ideally do not send it in the response
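One way to put the authorisation advice of slide 39 and the response-restriction advice of slide 41 into code, as an added example that is not from the talk: objects are keyed by UUIDs rather than sequential ids, every (role, action) pair is checked against an explicit matrix with default deny, and the response is projected onto a per-role field allowlist so internal fields never leave the server. The roles, matrix, field lists and order records are constructed for illustration.

```python
import uuid

# Constructed authorisation matrix: role -> actions it may perform on an
# order. Any (role, action) pair not listed here is denied (default deny).
AUTHZ_MATRIX = {
    "owner":   {"read", "update"},
    "support": {"read"},
    "admin":   {"read", "update", "cancel"},
}

# Fields each role may receive in a response; anything else is dropped, so a
# field like internal_note cannot leak by accident.
RESPONSE_FIELDS = {
    "owner":   {"id", "status", "total"},
    "support": {"id", "status"},
    "admin":   {"id", "status", "total", "owner_id"},
}


class OrderStore:
    """Orders are keyed by random UUIDs, not sequential integers, so a client
    cannot reach another user's order by guessing the next id."""
    def __init__(self):
        self._orders = {}

    def create(self, owner_id, total):
        order_id = str(uuid.uuid4())
        self._orders[order_id] = {"id": order_id, "owner_id": owner_id,
                                  "status": "new", "total": total,
                                  "internal_note": "fraud score 0.1"}
        return order_id

    def get(self, order_id):
        return self._orders.get(order_id)


def effective_role(user, order):
    """Ordinary users get the 'owner' role only on objects they own."""
    if user["role"] == "user":
        return "owner" if order["owner_id"] == user["id"] else None
    return user["role"]


def authorize_and_project(user, action, order):
    """Return the response dict the caller may see, or None to deny."""
    if order is None:                      # unknown id: deny, reveal nothing
        return None
    role = effective_role(user, order)
    if role is None or action not in AUTHZ_MATRIX.get(role, set()):
        return None                        # default deny
    return {k: v for k, v in order.items() if k in RESPONSE_FIELDS[role]}
```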
43. Mobile Security Lab – Tools to get started
Items / Tool | Platform | Purpose
Rooted Android device | Android | To install and run Android mobile apps for testing. Root to access memory, perform dynamic inspection and check file system for secrets.
Jailbroken iOS device | iOS | To install and run iOS mobile apps for testing. JB to access memory, perform dynamic inspection and check file system for secrets.
Android Studio | Android | Android Virtual Device (Emulator). Also to decompile APKs, to build code PoCs if needed.
XCode | iOS | Device logs and creating entitlements. iOS Simulator if required.
MobSF | Both | Static and Dynamic App Security Analysis
Burp / ZAP | Both | Interception Proxy, to test and attack the APIs
Hopper / Ghidra | Both | Disassembly and function tracing, reverse engineering of apps
jadx | Android | Decompile APK to java classes
Frida + Objection | Both | Dynamic instrumentation, patch running binaries, evade JB/root detection, evade cert pinning
3uTools | iOS | Browse iOS file system, install IPA files, extract installed, upgrade versions
44. Mobile Security Lab – Getting Started
• Mobile Security Testing Guide - https://github.com/OWASP/owasp-mstg
• Check iOS JB version - http://canijailbreak.com/
• XDA Developers Android Forums - https://www.xda-developers.com/
• iOS App Hacking tutorials - http://highaltitudehacks.com/
• Guide to Building and Securing APIs - https://developer.okta.com/books/api-security/
• Vyapi – vulnerable Android App - https://blog.appsecco.com/vyapi-the-modern-cloud-based-vulnerable-hybrid-android-app-ee300a9d60ed
• MobSF - https://mobsf.github.io/docs/#/
• OWASP API Security Top 10 RC - https://github.com/OWASP/API-Security/raw/master/2019/en/dist/owasp-api-security-top-10.pdf
45. Q&A
Riyaz Walikar, riyaz@appsecco.com, @riyazwalikar, https://appsecco.com
Riddhi Shree, riddhi@appsecco.com, @_riddhishree, https://appsecco.com
Mobile apps security consultation with Appsecco, 2nd July 2020, 4 PM – 5:55 PM
https://hasgeek.com/fragments/mobile-apps-security-consultation-with-appsecco/