The document provides an overview of a discussion on mobile application security testing between Riddhi Shree and Riyaz Walikar of Appsecco. They discuss common weaknesses found during mobile app testing like trusting third parties, ignoring API authentication and authorization, and not implementing proper input validation. They also cover steps developers should take like verifying third party code, implementing layered defenses, and following secure development best practices around authentication, authorization, and least privilege. The discussion includes a bonus section on setting up a mobile security testing lab.
1. Plug the Vulnerabilities!
HasGeek – Fragments June 2020
AMA on Mobile Apps Security
Riddhi Shree, Security Analyst, Appsecco
Riyaz Walikar, Head of Research & Security Testing, Appsecco
2. About Us
• Riddhi Shree
• Security Analyst @Appsecco
• Breaks mobile apps and web applications for a living
• Built mobile apps for CTFs and to demonstrate weaknesses
• Check out VyAPI (if you haven't already!)
3. About Us
• Riyaz Walikar
• Head of Research and Security Testing @Appsecco
• GrayHat Hacker
• Leads the team that breaks mobile, web apps, thick clients, Cloud servers and services
• Not a developer but understands the pain that developers go through when dealing with security
4. • Define mobile app security from the point of view of attackers and developers
• See some weaknesses that we commonly come across in Mobile Apps during our testing
• Cover things that developers do but ideally should not
• Things that attackers go after when testing mobile apps
• Talk about things that developers can do to harden mobile apps and backend APIs
• Bonus Content – Setting up a lab to get started with Mobile App Security Testing
• Open the symbolic floor for Q&A
What we will cover today
7. • Security is freedom from, or resilience against, potential harm caused by others
• In the digital world this "harm" corresponds to loss of either Confidentiality (C), Integrity (I) or Availability (A) of a system or data contained therein
• Depending on how a (presumed) violation of CIA occurred, what was affected and what was the impact of the violation, we can calculate how severe the violation was (bug severity).
• The most secure system would be completely unusable
10. • Your code runs in an untrusted environment
• You want to do this to ensure you can utilise more client processing power
• It's easier to create, store and manage data as and when required
• Simplified and fast architecture, where APIs can be used for state control and mobile apps for the UI
• Often business logic and decisions are made client side to increase efficiency
• Examples would be file uploads from mobile apps
• Multi form data stored in local caches etc.
• Disconnect between developers and security testers
• What kind of issues are more prevalent
• Learnings from bug reports?
Why is security hard with mobile apps?
11. • We are not mobile app or API developers, but we understand their security, how they can be attacked and what an attacker could do with the access or data
• Most bugs covered here are from real world mobile application assessments that our team has performed in the last couple of years
• We will try to skip why these mistakes occur, as that would be a subjective opinion
Full disclosure
16. "Sign in with Apple"
Victim?
• It affected those applications that used "Sign in with Apple"
Damage?
• A full account takeover of user accounts was possible on these applications irrespective of whether the victim had a valid Apple ID or not
17. 2. (Don't) Ignore API Authentication
• Request JWT for any Email ID
• Apple generated valid JWT (id_token) for arbitrary Email ID
19. Amazon Cognito: Anonymous Sign-In
Feature:
• "Amazon Cognito supports unauthenticated identities, allowing customers to use the application without logging in"
Flaw?
• If enabled, it can possibly allow its users unauthorized access to sensitive and private information stored in AWS services
https://github.com/riddhi-shree/nullCommunity/blob/master/Android/amazon_cognito_authz_issue/
20. With new technology... comes new responsibilities
https://d2908q01vomqb2.cloudfront.net/0a57cb53ba59c46fc4b692527a38a87c78d84028/2017/07/19/CognitoDiagram.png
21. Sensitive AWS services accessible by unauthenticated users
https://www.facebook.com/ncybersec/photos/a.1233210783516310/1257880004382721/
22. 4. (Don't) Ignore API Rate Limiting
EXPECTATION:
• If rate limit is reached, requests should be blocked
REALITY?
• X-RateLimit-Remaining was reset to higher value repeatedly
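The "reality" bullet describes a remaining-count that climbs back up inside a window. As an added example (not code from the slides or from Appsecco), the Python below shows a fixed-window limiter whose X-RateLimit-Remaining can only fall until a full window has elapsed, and a check that scans captured header values for the symptom the slide reports; the sample header sequence is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FixedWindowLimiter:
    """Server-side limiter: at most `limit` requests per `window` seconds, per client key."""
    limit: int
    window: float
    _state: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # key -> (window_start, used)

    def check(self, key: str, now: float) -> Tuple[bool, int]:
        """Return (allowed, X-RateLimit-Remaining). Remaining only drops inside a window;
        it climbs back to `limit` solely when a full window has elapsed."""
        start, used = self._state.get(key, (now, 0))
        if now - start >= self.window:          # window elapsed: start a fresh one
            start, used = now, 0
        if used >= self.limit:                  # quota exhausted: block, keep the counter as is
            self._state[key] = (start, used)
            return False, 0
        used += 1
        self._state[key] = (start, used)
        return True, self.limit - used


def find_unexpected_resets(observed: List[Tuple[float, int]], window: float) -> List[int]:
    """Scan (timestamp, X-RateLimit-Remaining) pairs taken from consecutive responses and
    return the indices where the counter went UP although less than `window` seconds had
    passed since the previous reset, i.e. the behaviour the slide reports."""
    suspicious: List[int] = []
    last_reset = observed[0][0] if observed else 0.0
    for i in range(1, len(observed)):
        t, remaining = observed[i]
        if remaining > observed[i - 1][1]:
            if t - last_reset < window:
                suspicious.append(i)
            last_reset = t
    return suspicious


# Constructed sample: a 5 requests / 60 s API whose counter jumps back up at t=20 and t=35.
SAMPLE_HEADERS = [(0, 4), (5, 3), (10, 2), (15, 1), (20, 4), (25, 3), (35, 4), (70, 4)]
```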
24. Real World Examples
Instagram Hack: https://www.acunetix.com/blog/web-security-zone/instagram-usd-30000-bounty/
Facebook Hack: https://www.scoopbyte.com/responsible-disclosure-how-i-could-have-hacked-all-facebook-accounts/
25. 5. (Don't) Leave Sensitive Files in App Bundle
https://4.bp.blogspot.com/-7rnDzueIqe8/XcMuixnIjLI/AAAAAAAANEs/jN09o4cklQ80uu91hUoGeFQ_9A-E8-VQgCLcBGAsYHQ/s1600/image3.png
26. It's easy to extract bundled resources from APK/IPA
27. Is it possible to find a configuration file?
Takeaway:
• Do not ship sensitive files in app bundles
29. 7. (Don't) Save Unencrypted Data in Local Database
https://1.bp.blogspot.com/-EiMyvr8QDU0/XWgt_XR8JMI/AAAAAAAANUM/51Iuf5acUNYgOkCSmR73-st9ZI_HWYZ1wCEwYBhgL/s1600/whatsapp%2BE2E.png
31. 9. (Don't) Ignore Environment Checks
Attacker's Motive?
1. Attempt to reverse-engineer target app
2. Intercept communication between server and the app
https://www.veracode.com/sites/default/files/mobile-data-breach.gif
32. • Root and Jailbreak detection
• Emulator detection
• Obfuscation
• Encryption
• Certificate pinning
• Tamper prevention
• etc.
Few things that go missing...
https://4.bp.blogspot.com/-laatgMnq1ns/U1_nNKxOEnI/AAAAAAAAAbM/MJeSFZkTCFg/s1600/jd-gui.png
34. • Perform unit test cases, especially for complex apps
• Ensures some level of business logic testing is achieved
• Write modular code to ensure unit testing, bug fixes and feature updates are done smoothly
• Verify third party sources that are going to become a part of your project
• Usage of third-party code always increases the attack surface an app has
• Third party code could be in the form of libraries, external binaries, resources and even code copied from Stack Overflow
• Verify the source and be aware of the security state and known issues
Things to do to improve security
35. Define your circle of trust.
https://i1.wp.com/redandhowling.com/wp-content/uploads/2019/03/redandhowling_circle_of_trust.jpg?resize=580%2C580&ssl=1
36. • Implement environment detection routines and certificate pinning
• This makes it difficult for novice hackers to perform runtime analysis
• Tools are available with out-of-the-box scripts to bypass standard checks, so add a layer of obfuscation to the detection functions
• Improve detection rate by using a larger list of known files. For example, with checkra1n coming out, checking for “/Applications/Cydia.app” is no longer enough
• Similarly, the default example for implementing certificate pinning using CertificatePinner of OkHttp has been scripted and can be easily bypassed using tools like Frida and Objection
Things to do to improve security
38. • Ensure local caches, files and SQL storages are cleared upon user logout
• More people share devices than you know
• When a user’s session is terminated on the server, the mobile app should ensure that web caches, temporary document locations for the app and any SQL storages are emptied to prevent a different user from accessing them
• Although access to the sandbox of the app requires root access, it may be entirely possible to invoke an insecure Activity or a file path traversal issue within the app to read the data of a different user
Things to do to improve security
39. • Implement robust authentication and authorisation checks
• Build authentication discussions into your app design
• Questions like: do we allow 2 users to be logged into the mobile app at the same time?
• Or what happens if the user logs into the mobile app from a different device?
• Treat user input with caution as the same piece of data can have different meaning in different contexts
• Offloading authentication to third party providers is great, but can have its own set of troubles
• Ensure the authentication documentation by the provider is followed and unnecessary storage and transmission of tokens and keys is avoided
• Authorisation can be tricky, especially for multi user multi role apps
• Avoid passing direct references to objects on the server to clients
• Use UUID identifiers to prevent attackers from doing guesswork
• Create an authorisation matrix that shows exactly what a user and role is allowed access
• Use the principle of default deny
Things to do to improve security
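Added example (not code from the slides or from Appsecco): a Python sketch of the authorisation matrix with default deny, UUID object keys instead of guessable server references, and an ownership check, as the bullets above describe. The role names, the "order" resource and its fields are assumptions made for the illustration.

```python
import uuid
from typing import Dict, Optional, Set, Tuple

# Authorisation matrix: (role, resource type) -> allowed actions.
# Anything not listed here is denied, which is the "default deny" rule in code form.
AUTHZ_MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("customer", "order"): {"read"},
    ("support", "order"): {"read", "update"},
    ("admin", "order"): {"read", "update", "delete"},
}


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Default deny: an unknown role, resource type or action never passes."""
    return action in AUTHZ_MATRIX.get((role, resource), set())


class OrderStore:
    """Orders are keyed by random UUIDs (not sequential database ids) and tagged with an
    owner, so a client can neither guess another user's key nor use one it obtained."""

    def __init__(self) -> None:
        self._orders: Dict[str, dict] = {}

    def create(self, owner_id: str, total: int) -> str:
        order_id = str(uuid.uuid4())
        self._orders[order_id] = {"owner": owner_id, "total": total}
        return order_id

    def access(self, user_id: str, role: str, order_id: str, action: str) -> Optional[dict]:
        """Matrix check first, then ownership; customers only ever see their own orders.
        Returns the order on success and None on every denied or missing case, so the
        response to the client does not reveal whether the UUID exists."""
        if not is_allowed(role, "order", action):
            return None
        order = self._orders.get(order_id)
        if order is None:
            return None
        if role == "customer" and order["owner"] != user_id:
            return None
        if action == "delete":
            del self._orders[order_id]
        return order
```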
40. Follow the least privilege principle.
https://thycotic.com/wp-content/uploads/2018/11/what-is-least-privilege-and-how-does-it-work.png
41. • Treat all user input as evil (especially for APIs)
• User data can originate in many places, including but not limited to forms, post body, request headers, file uploads, metadata of a file upload and even content coming in from non-human sources like databases and caches
• Treat data contextually and validate user input to avoid the meaning of the data from changing
• Fail safely when processing data, handle error conditions without providing too many internal details
• Restrict the information that responses send. If the user doesn’t see it and the app does not operate on it, then ideally do not send it in the response
Things to do to improve security
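Added example (not code from the deck): the same string validated in two contexts (a display name versus a file name), a response allow-list so fields the app never renders stay on the server, and an error path that fails safely without internal details, in Python. The profile record, its field names and the avatar path are constructed for the illustration.

```python
import re
from typing import Any, Dict, Tuple

# Fields the mobile UI actually renders; anything else in the record stays server-side.
PROFILE_FIELDS = ("id", "display_name", "avatar_url")
_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")
_FILE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|jpg|pdf)")


class ValidationError(ValueError):
    pass


def validate_display_name(value: Any) -> str:
    """Context: a label shown on screen. Spaces and dots are harmless here."""
    if not isinstance(value, str) or not _NAME_RE.fullmatch(value):
        raise ValidationError("display_name must be 1-64 characters from [A-Za-z0-9 ._-]")
    return value


def validate_upload_name(value: Any) -> str:
    """Context: a file name. The same characters now change meaning ('/', '..'),
    so only a bare base name with an expected extension is accepted."""
    if not isinstance(value, str) or not _FILE_RE.fullmatch(value):
        raise ValidationError("avatar_file must be a bare name ending in .png, .jpg or .pdf")
    return value


def shape_response(record: Dict[str, Any]) -> Dict[str, Any]:
    """Copy only allow-listed keys: password hashes and internal flags never leave the server."""
    return {k: record[k] for k in PROFILE_FIELDS if k in record}


def handle_profile_update(record: Dict[str, Any], body: Any) -> Tuple[int, Dict[str, Any]]:
    """Validate each input in its own context, fail safely, and send back only what the app uses."""
    try:
        updated = dict(record, display_name=validate_display_name(body.get("display_name")))
        if "avatar_file" in body:
            updated["avatar_url"] = "/avatars/" + validate_upload_name(body["avatar_file"])
        return 200, shape_response(updated)
    except ValidationError as err:
        return 400, {"error": str(err)}         # enough for the client to fix its request
    except Exception:                           # anything unexpected: no trace, no paths
        return 500, {"error": "internal error"}


# Constructed sample record as it might sit in the database (hash value is a placeholder).
SAMPLE_RECORD = {"id": "7b1c", "display_name": "Riddhi", "avatar_url": None,
                 "password_hash": "$2b$12$placeholder", "is_admin": False}
```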
43. Mobile Security Lab – Tools to get started
| Item / Tool | Platform | Purpose |
| --- | --- | --- |
| Rooted Android device | Android | To install and run Android mobile apps for testing. Root to access memory, perform dynamic inspection and check file system for secrets. |
| Jailbroken iOS device | iOS | To install and run iOS mobile apps for testing. JB to access memory, perform dynamic inspection and check file system for secrets. |
| Android Studio | Android | Android Virtual Device (Emulator); also to decompile APKs and to build code PoCs if needed |
| XCode | iOS | Device logs and creating entitlements. iOS Simulator if required. |
| MobSF | Both | Static and Dynamic App Security Analysis |
| Burp / ZAP | Both | Interception Proxy, to test and attack the APIs |
| Hopper / Ghidra | Both | Disassembly and function tracing, reverse engineering of apps |
| jadx | Android | Decompile APK to java classes |
| Frida + Objection | Both | Dynamic instrumentation, patch running binaries, evade JB/root detection, evade cert pinning |
| 3uTools | iOS | Browse iOS file system, install IPA files, extract installed, upgrade versions |
44. Mobile Security Lab – Getting Started
• Mobile Security Testing Guide - https://github.com/OWASP/owasp-mstg
• Check iOS JB version - http://canijailbreak.com/
• XDA Developers Android Forums - https://www.xda-developers.com/
• iOS App Hacking tutorials - http://highaltitudehacks.com/
• Guide to Building and Securing APIs - https://developer.okta.com/books/api-security/
• Vyapi – vulnerable Android App - https://blog.appsecco.com/vyapi-the-modern-cloud-based-vulnerable-hybrid-android-app-ee300a9d60ed
• MobSF - https://mobsf.github.io/docs/#/
• OWASP API Security Top 10 RC - https://github.com/OWASP/API-Security/raw/master/2019/en/dist/owasp-api-security-top-10.pdf