Mobile applications are vulnerable to security threats due to tectonic shifts in mobile technology. A study of 55 mobile apps found many security issues, with unencrypted data in 99% of apps and SQL injection vulnerabilities in 35% of apps. The study also analyzed 55 backend servers and found vulnerabilities in all servers, including unencrypted data in 99% and unrestricted passwords in 74%. One app in particular was found to have over 200 code flaws and 40 backend vulnerabilities. The app stores do not conduct security analysis of apps and only check requested permissions. Automated static analysis of apps and backends is recommended to identify issues before deployment.

1. Session ID:
Session Classification:
Aaron Turner
President, IntegriCell
MBS-R35A
Intermediate
Mobile Aplications:
TheVulnerabilityTsunami is Coming

2. Presenter Logo
► Prior to modern Tsunami warning systems, these
a similar problem now
► Tectonic shifts in technologies due to
consumerization mobilification
► What is our warning system?
► Anti-virus? Firewalls? The App Stores?
►
correct precursor events or even at the
technological dependencies necessary;
Time to wake up!

3. Presenter Logo
Tsunami Root Cause Analysis
► The root cause of a tsunami is an
earthquake, a long ways away from
anyone and very hard to see with the
naked eye
► The result of the earthquake is a massive
wave which can wreak destruction at great
distances

4. Presenter Logo
►
application threats
► According to firms that sell Anti-Virus, we
need to install A/V on mobile devices to
protect ourselves (except for Apple which tells
should just trust them)
► What other messages are out there for mobile
application security?
► Carriers will protect us?
► Handset manufacturers will protect us?
Mobile ApplicationSecurityAnalysis

5. Presenter Logo
►
►
► What are the actual application threats how vulnerable are apps?
► Wait, the apps are just isolated executables
of n-tiered application architectures?
► What permissions have we given these apps?
Ooops

6. Presenter Logo
► Static analysis tools give us some insight into the overall
quality of an executable published to the app stores
► IntegriCell partnered with experts in static analysis to
evaluate iOS and Android applications
►
► Astounding number of security problems in even these very
small apps (average size was ~4 mb) connected to very
simple back-end platforms (mostly JSON)

7. Presenter Logo
► 55 applications reviewed
► All analysis performed
without permission of
application owner
► Application names withheld
► (We tried asking for
permission but none would
grant it)
► Significant numbers of false
positives in these numbers
due to de-compilers used to
begin analysis
ApplicationVulnerabilities
Vulnerability Type % of Occurrence
SQL Injection (client) 35%
AuthZ Weakness (client) 48%
CRLF Injection (client) 51%
XSite Scripting (client) 28%
Directory Traversal (client) 38%
Unencrypted Data (client) 99%
Crypto Material Errors (client) 14%
Reflected XSS (client) 28%
Clear-text Password (network) 72%
Unreleased Streams (client) 12%

8. Presenter Logo
► 55 back-ends
evaluated
with
and other tools
► Every application
tested had some sort
of back-end
component (API, ad-
server connection,
etc.)
► Predominantly Linux
back-end servers with
JSON installed
Vulnerabilities % of Occurrence
Unencrypted Data 99%
Unrestricted Passwords 74%
Session Termination Flaw (network) 82%
AuthN Bypass 79%
Default Permissions & ACL’s 99%
Directory Browsing 95%
Web Server Patch & Configuration 100%

9. Presenter Logo
► One application tested was just really, really bad
► 200+ code flaws (in 3 mb of compiled code!)
► 40+ unique web server vulnerabilities
(excluding 20+ critical updates that were not installed)
►
stores?
► The app stores do not perform any sort of static or dynamic analysis
of the applications; they ONLY assure that permissions are requested
and granted as stated in the application manifest.
TheWall of Shame

10. Presenter Logo
► Try to attack millions of smartphones and
tablets with unique drivers, unknown
patch levels, etc?
► Attack the back-ends and piggy back on
► Working with Marvin team we
discovered:
Permissions found among 2500+ apps % of Occurrence
READ_CONTACTS 31%
READ_SMS 9%
ACCESS_FINE_LOCATION 65%

11. Presenter Logo
► Automated static analysis tools are economical. REQUIRE
YOUR APP PROVIDERS TO GIVE YOU AN ANALYSIS BEFORE
ACCEPT DELIVERY!
►
worth it. Application back-ends will be the point of attack
for large-scale exploitation
► Understand how transitive trust models work on mobile
devices. Best option is to deploy a PIM container for
enterprise data.
The Bottom Line

12. Thanks for your attention!
AaronTurner
aaron.turner@integricell.com