The curious case of mobile app security.pptx (Ankit Giri)
A talk on the essence of Mobile app and mobile security. The agenda was as follows:
Why we need to secure the mobile apps!
What do you check when installing an app?
Mobile app security assessment
Some interesting cases of vulnerabilities
Let’s takeover your account
My Research and reported vulnerabilities
Mobile Threats and Trends Changing Mobile App Security (DevOps.com)
Deploying your high-value mobile app to untrusted environments such as consumer mobile devices can be a risky proposition. Are some of your customers’ devices compromised? Do your users also download apps from untrusted sources? Is there malware residing on their devices that target apps such as yours?
Despite your best efforts to code secure apps, assess their security posture, and remediate any identified vulnerabilities – it’s not quite enough in today’s mobile threat landscape. Safeguarding mobile apps during runtime and empowering them to protect themselves in hostile environments is becoming a necessity in the face of ever-evolving mobile attack tactics and techniques.
During this webinar, we will:
Discuss today’s mobile app threat landscape
Explain how changing distribution models (e.g., Fortnite for Android) affect your app’s security
Illustrate the potential financial impact of mobile threats on a business’s bottom line
Demonstrate mobile overlay and other attacks
Reveal how mobile apps can protect themselves against these attacks with app shielding and runtime protection
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ... (Ajin Abraham)
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to session handling and API rate limiting.
This will be a brief discussion on pen testing web services in 2012. OWASP has testing guides that describe various methods and tools for performing black box and white box security testing on web services, but they are all outdated. The key points of the presentation revolve around how to pen test web services, the prerequisites, methodology, tools used, etc.
VSEC’s source code review services help uncover unexpected and hidden vulnerabilities and design flaws in source code. We use a mix of scanning tools and manual review to detect insecure coding practices, injection flaws, cross site scripting flaws, backdoors, weak cryptography, insecure handling of external resources, etc.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF (Ajin Abraham)
The mobile application market is growing like anything and so is the mobile security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for security analysis of mobile applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrate some of the issues identified by the tool in real world Android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec.
Attendee benefits:
* An open source framework for automated mobile security assessment.
* One click report generation and security assessment.
* Framework can be deployed in your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud.
* Supports both Android and iOS applications.
* Semi-automatic Dynamic Analyzer for intelligent application-logic-based (whitebox) security assessment.
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end) (Sam Bowne)
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1st edition (July 9, 2013), ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com (Idexcel Technologies)
Application development has come a long way in the last two decades, but it is puzzling to see that despite major security breaches, security testing takes a back seat compared to other forms of quality testing such as usability or functional testing.
How to scale mobile application security testing (NowSecure)
Mobile security testing during application development is difficult, but it doesn’t have to be. Director of Mobile Services Katie Strzempka highlights how you can incorporate automated mobile application security testing throughout every step of your app SDLC.
Dos and don'ts for mobile application testing: a basic guide for learning mobile testing that covers different aspects of mobile testing, including Android and iPhone test methodology.
Also highlights different types of testing, mobile platforms, testing frameworks, and emulator vs. simulator differences.
Talk given at CocoaHeads RJ, November 2015 edition, on security in iOS application development, covering persistence, communication and code security.
Mobile Banking Security: Challenges, Solutions (Cognizant)
With the proliferation of online mobile banking services, security is a key issue. We offer a primer on security challenges and applicable controls/remedies. This includes solutions such as Trusteer Mobile SDK, Arxan's EnsureIT and DexGuard.
Find out the four key trends for application architectures. This presentation looks at how mobility, software as a service, rich interactive applications and application integration are making an impact on the enterprise.
HTML5 and the dawn of rich mobile web applications (James Pearce)
HTML5 and its related technologies are enabling new ways to build beautiful sites and applications for contemporary mobile devices. Native mobile developers can now use web technologies to surmount cross-platform headaches, and desktop web developers can reach mobile users in familiar, app-like ways. This session explores the state of the art in HTML5-based mobile web frameworks, and demonstrates the practical possibilities that this powerful and standards-based approach can bring.
Building Cloud-Based Cross-Platform Mobile Web Apps (James Pearce)
As presented at http://www.meetup.com/MobileCloud/events/17159747/
The web is always evolving, but we're witnessing a significant architectural shift as services migrate to the cloud, business logic moves to ever-thicker clients, and the web escapes the desktop to become a beautifully mobile medium.
In this environment, web application frameworks like Sencha Touch offer a new way of building mobile services using HTML5, CSS3, and JavaScript. We'll explore the possibilities that this rich, standards-based approach can bring, how to develop mobile web apps that look and feel native on iPhone, Android, and BlackBerry touch devices, and how to leverage the power of cloud-based services to provide scalable and compelling applications in this new world.
Building and Managing Cloud Applications and Infrastructure (Darren Cunningham)
While service-based infrastructure can improve TCO and streamline IT management, it also presents some challenges that need to be met head-on. How do you ensure your data is secure in transit and available when you need it? How do you manage and communicate with your infrastructure? How do you enable service quality metrics and disaster recovery? And, how do you integrate data from legacy systems with data from web-based systems? Join AT&T and Informatica as they share their experience in building and managing cloud applications and infrastructure.
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig... (goodfriday)
Learn how Microsoft is simplifying the traditional n-tier application pattern by bringing together ASP.NET and Silverlight. Learn about patterns for working with data, implementing reusable and independently testable application logic, and application services that readily scale with growing requirements.
Presentation by Vincent Desveronnieres (Oracle) at the TMT.CloudComputing'11 Warsaw conference, organized in Warsaw, Poland on February 10th, 2011 by New Europe Events.
Understand the challenges of programming applications for each mobile platform and Xoriant’s recommendations on porting your mobile apps to overcome this challenge. Also learn why mobile testing is an integral part of a mobile app development project, which incorporates testing applications across devices, networks and carriers.
Mobile application security – effective methodology, efficient testing! (Hemil Shah)
1. Mobile Application Security – Effective Methodology, Effective Testing!
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
2. Who Am I?
• Hemil Shah – hemil@espheresecurity.net, http://www.espheresecurity.com
• Past experience
– HBO, KPMG, IL&FS, Net Square
• Interest
– Application security research (Web & Mobile)
• Published research
– Articles / Papers – Packstroem, etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
3. Past, Present and Future
[Figure: technology focus timeline; recoverable labels: Focus, 2010, Cloud]
4. Enterprise Technology Trend
• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner]
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
• 2010. Flex/HTML5/Cloud/API/Mobile era.
5. Mobile Infrastructure
[Network diagram; recoverable labels: Internet, Dial-up, RAS, VPN intranet, Other Offices, router, firewall, DMZ (www, mail, Exchange), Database]
6. Mobile App Environment
[Architecture diagram across Internet / DMZ / Trusted zones: Mobile Client talks SOAP/JSON etc. to Web Server (static pages only: HTML, HTM, etc.), Scripted Web Engine (dynamic pages: ASP, DHTML, PHP, CGI, etc.) and Application Servers and Integrated Framework (ASP.NET on .Net Framework, J2EE App Server, Web Services, DB etc.), exposed as WEB SERVICES; Internal/Corporate behind]
10. Mobile Changes
• Application Infrastructure (changing dimension: Web vs. Mobile)
(AI1) Protocols – Web: HTTP & HTTPS; Mobile: JSON, SOAP, REST etc. over HTTP & HTTPS
(AI2) Information structures – Web: HTML transfer; Mobile: JSON, JS Objects, XML, etc.
(AI3) Technology – Web: Java, DotNet, PHP, Python and so on; Mobile: Cocoa, Java with Platform SDKs, HTML5
(AI4) Information Store/Process – Web: Mainly on Server Side; Mobile: Client and Server Side
11. Mobile Changes
• Security Threats (changing dimension: Web vs. Mobile)
(T1) Entry points – Web: Structured; Mobile: Scattered and multiple
(T2) Dependencies – Web: Limited; Mobile: Multiple technologies, information sources, protocols
(T3) Vulnerabilities – Web: Server side [Typical injections]; Mobile: Web services [Payloads], Client side [Local Storage]
(T4) Exploitation – Web: Server side exploitation; Mobile: Both server and client side exploitation
12. Black Review flow
Review steps: Architecture Review → Scoping → Server Side Application Footprinting → Mobile Application Footprinting → Application Discovery → Application Threat Modeling → Application Deployment Assessment → Application Enumeration and Profiling → Vulnerability Assessment → Mitigation Strategies → Reporting
Mobile and Device Security:
• Insecure storage
• Insecure network communication - carrier network security & WiFi network attacks
• Unauthorized dialing & SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Language issues
• Timely application update
• Jail breaking/Physical device theft
• KeyBoard cache/ClipBoard issue
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• And a few other loopholes
Application Security – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
13. White Review flow
Review steps: Architecture Review → Scoping → Threat Modeling → Code Enumeration → Code Mapping and Functionality → Security Controls & Cases → Entry Point Discoveries → Class, Function & Variable Tracing → Vulnerability Detection → Mitigation Controls → Reporting
Mobile and Device Security:
• Insecure storage
• Insecure network communication - carrier network security & WiFi network attacks
• Unauthorized dialing & SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Language issues
• Timely application update
• Jail breaking/Physical device theft
• KeyBoard cache/ClipBoard issue
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• And a few other loopholes
Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
14. Mobile Top 10 - OWASP
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
16. Insecure Storage
• Why an application needs to store data
– Ease of use for the user
– Popularity
– Competition
– Activity with a single click
– Decrease transaction time
– Post/Get information to/from social sites
• 9 out of 10 applications have this vulnerability
17. Insecure Storage
• How an attacker can gain access
– WiFi
– Default password after jail breaking (alpine)
– Physical theft
– Temporary access to the device
18. Insecure Storage
• What information we usually find
– Authentication credentials
– Authorization tokens
– Financial statements
– Credit card numbers
– Owner’s information – physical address, name, phone number
– Social engineering sites profile/habits
– SQL queries
20. Insecure Network Communication
21. Insecure Network Channel
• Easy to perform MitM attacks, as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, the carrier’s network
• The application deals with sensitive data, i.e.:
– Authentication credentials
– Authorization token
– PII information (privacy violation): owner name, phone number, UDID
22. Insecure Network Channel
• An attacker can sniff the traffic to get access to sensitive data
• SSL is the best way to secure the communication channel
• Common issues
– Does not deprecate HTTP requests
– Allowing invalid certificates
– Sensitive information in GET requests
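The three "common issues" above can be checked mechanically. The following added example (not from the slides) contrasts a TLS context that accepts any certificate with the hardened default, and audits a request for plain HTTP and for sensitive data in the GET query string; the sensitive-key list and the URLs are constructed for the demonstration.

```python
from __future__ import annotations
import ssl
from urllib.parse import urlsplit, parse_qsl

# Query-string keys treated as sensitive (constructed list for this example;
# a real review would tune it to the application's own parameter names).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid",
                  "auth", "udid", "phone", "ssn", "cardnumber", "cvv"}


def insecure_context() -> ssl.SSLContext:
    """The context a developer builds to 'make the certificate error go away'.
    It accepts any certificate, so a MitM on open WiFi terminates TLS unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """create_default_context() already verifies the chain against the system
    CA store (CERT_REQUIRED) and checks the certificate against the host name."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings for the 'allowing invalid certificates' issue."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


def audit_url(url: str) -> list[str]:
    """Findings for 'does not deprecate HTTP' and 'sensitive information in GET'."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() == "http":
        findings.append("plain HTTP request: credentials/tokens readable on the wire")
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"sensitive parameter '{key}' in GET query string")
    return findings


def audit_request(url: str, ctx: ssl.SSLContext) -> list[str]:
    """Combined report for one outbound request of the app under review."""
    return audit_url(url) + audit_context(ctx)


if __name__ == "__main__":
    # Constructed sample requests, not captured from any real application.
    bad = audit_request("http://api.example.com/login?user=bob&password=s3cret",
                        insecure_context())
    good = audit_request("https://api.example.com/login", hardened_context())
    print("insecure request:", bad)
    print("hardened request:", good)
```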
25. Unauthorized Dialing/SMS
• Social engineering using mobile devices
• Attacker plays with the user’s mind
• User installs the application
• Application sends a premium rate SMS or makes a premium rate phone call to an unknown number
• Used by malware/Trojans
26. AndroidOS.FakePlayer
• August 2010
• Sends costly international SMS
• One SMS costs – 25 USD (INR 1250)
• Application sends SMS to –
– 3353 & 3354 numbers in Russia
27. GGTracker
• June 2010
• Another application which sends international SMS
• One SMS costs – 40 USD (INR 2000)
• Application sends premium SMS to US numbers
29. UI Impersonation
• The attack has been around for a long time
• On a mobile stack, known as UI impersonation
• Other names are phishing attack, clickjacking
• Attacker plays with the user’s mind and tries to impersonate another user or another application
30. UI Impersonation
• Victim loses credit card information, authentication credentials or a secret
• One application can create a local PUSH notification as if it were created by the Apple store
• Flaw in the review process of the AppStore – anyone can give any name to their application
31. NetFlix
• Oct 2011
• Steals users’ “netflix” account information
• Application shows the error message “Compatibility issues with the user’s hardware” when the user enters username and password
• Once the error message is shown, the application uninstalls itself
33. Activity Monitoring
• Sending a blind carbon copy of each email to the attacker
• Listening to all phone calls
• Emailing contact list, pictures to the attacker
• Reading all emails stored on the device
• Usual intention of spyware/Trojans
34. Activity Monitoring
• Attacker can monitor –
– Audio Files
– Video
– Pictures
– Location
– Contact List
– Call/Browser/SMS History
– Data files
35. Android.Pjapps
• Early 2010
• Steals/changes user’s information
• Application –
– Sends and monitors incoming SMS messages
– Reads/writes the user's browsing history and bookmarks
– Installs packages and opens sockets
– Writes to external storage
– Reads the phone's state
37. System Modification
• Application will attempt to modify the system configuration to hide itself (historically this is known as a ROOTKIT)
• Configuration changes make certain attacks possible, i.e. –
– Modifying the device proxy to monitor the user’s activity
– Configuring BCC email sending to the attacker
38. iKee – iPhone Worm
• “ikee” iPhone Worm
– Changes root password
– Changes wallpaper to Ricky Martin.
[Image: what an iPhone looks like after being infected by “ikee”]
40. PII Information Leakage
• Applications usually have access to the user’s private information, e.g. owner name, location, physical address, AppID, phone number
• This information needs to be handled very carefully, as required by law in some countries
• Storing this information in plain text is not allowed in some countries
43. Hardcoded Secrets
• The easiest way for a developer to solve complex issues/functionality
• An attacker can get this information either by reverse engineering the application or by checking local storage
46. Language Specific Issues
• Applications on iOS are developed in Objective-C, a language derived from classic C
• Along with this derivation, it also inherits the security issues of C, e.g. overflow attacks
• Using dex2jar, the source code of an Android application can be recovered
47. dexdump
Convert dump .dex files:
48. SQL Injection in Local database
49. SQL Injection in Local database
• Most mobile platforms use SQLite as the database for storing information on the device
• Using any SQLite database browser, it is possible to access the database logs, which contain queries and other sensitive database information
• If the application is not filtering input, SQL injection on the local database is possible
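As an added illustration of the last point (example code written for this transcript, not from the talk): the vulnerable pattern is a query assembled by string concatenation from user input, and the fix is a parameterised query, which SQLite treats as SQL text plus separate values. The table, its rows and the malicious PIN value are constructed; Python's sqlite3 module stands in for the platform's own SQLite binding.

```python
import sqlite3

# Constructed sample data: the kind of on-device table a mobile app might keep.
SAMPLE_ROWS = [
    ("alice", "alice-pin-1234", "private note A"),
    ("bob", "bob-pin-9876", "private note B"),
]


def open_sample_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, pin TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_notes_vulnerable(conn, owner, pin):
    """Query built by string concatenation: the pattern the slide warns about.
    Unfiltered input becomes part of the SQL text itself."""
    sql = ("SELECT body FROM notes WHERE owner = '" + owner
           + "' AND pin = '" + pin + "'")
    return [row[0] for row in conn.execute(sql)]


def fetch_notes_safe(conn, owner, pin):
    """Parameterised query: the driver passes SQL and values separately, so
    quotes or keywords inside the input can never alter the statement."""
    sql = "SELECT body FROM notes WHERE owner = ? AND pin = ?"
    return [row[0] for row in conn.execute(sql, (owner, pin))]


def demo():
    """Run both variants against a constructed malicious PIN.

    The bad PIN closes the quoted string and appends an always-true
    condition, so the concatenated query returns every row, while the
    parameterised query correctly returns nothing."""
    conn = open_sample_db()
    bad_pin = "' OR '1'='1"
    vulnerable = fetch_notes_vulnerable(conn, "alice", bad_pin)
    safe = fetch_notes_safe(conn, "alice", bad_pin)
    return vulnerable, safe


if __name__ == "__main__":
    leaked, blocked = demo()
    print("concatenated query returned:", leaked)
    print("parameterised query returned:", blocked)
```

The same check applies to any query the app builds from text fields, URL scheme parameters or server responses: if the SQL string is assembled with `+` or `stringWithFormat:`, it belongs on the finding list regardless of whether the database is "only local".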
51. Information in Common Services
52. Common Services
• The keyboard and clipboard are shared amongst all applications.
• Information stored in the clipboard can be accessed by every application
• Sensitive information should not be allowed to be copied/pasted within the application
54. Server Side Issues
• Most applications make server-side calls to web services or some other component. The security of the server-side component is as important as that of the client side.
• Controls to be tested on the server side – security control categories for the server-side application: Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,
55. Server Side Issues
Error handling, Session management, Protocol abuse, Input validation, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious code injection, SQL injection, XPath and LDAP injection, OS command injection, Parameter manipulation, Brute force, Buffer overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
58. Pen testing Check list (iOS Applications)
59. Pen testing Check list
• Fuzz all possible inputs to the application and validate the output (query string, POST data, external HTML, RSS feed or database feed)
• Audit traditional memory-unsafe methods (strcpy, memcpy)
• Watch out for format string vulnerabilities
• Look for hard-coded credentials/secrets
60. Pen testing Check list
• Check network connections (grep for NSURL, CFStream, NSStream)
• Check database connections and queries (grep for SQL strings and SQLite queries)
• Check that only trusted certificates are allowed (look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticationChallenge)
• Check what is logged (grep for NSLog)
61. Pen testing Check list
• Check the implementation of URL schemes in handleOpenURL
• Check what is stored in the keychain (the kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attributes when calling SecItemAdd or SecItemUpdate) and in the file system (NSDataWritingFileProtectionComplete).
62. Pen testing Check list
• Check how critical data is stored (NSUserDefaults should not be used to store critical data)
• Check server-side controls
• Decrypt the binary and run strings to find sensitive information
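Slide 43 (hardcoded secrets recoverable from the binary or local storage) and the "run strings" step above describe the same check. The following is an added example, written for this transcript rather than taken from the talk: it emulates the `strings` step over a byte blob and then scores each recovered string, first against a small, constructed list of secret-like keyword patterns and then by Shannon entropy, so that opaque key-like tokens surface even when nothing labels them. The sample "binary" and the pattern list are constructed; the entropy threshold of 4.0 bits per character is an assumption chosen for this demo, not a published cutoff.

```python
import math
import re
import string

# Printable ASCII minus line/form-control characters: what `strings` would keep.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Constructed, non-exhaustive indicators of an embedded secret.
KEY_PATTERNS = [
    (re.compile(r"(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[:=]\s*\S+"), "keyword"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "private-key"),
]

# Charset an opaque token usually uses: base64/hex/urlsafe, no spaces or punctuation.
TOKEN_CHARS = re.compile(r"[A-Za-z0-9+/=_-]+")


def extract_strings(blob, min_len=6):
    """Emulate `strings`: return runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for byte in blob:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def shannon_entropy(text):
    """Bits of entropy per character; a 32-char string of distinct chars scores 5.0."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_candidate_secrets(blob, entropy_threshold=4.0, min_token_len=20):
    """Return (label, string) pairs for strings that look like embedded secrets.

    Keyword patterns win first; otherwise a long, single-charset token with
    high entropy is reported as 'high-entropy'. URLs and prose fall through."""
    findings = []
    for s in extract_strings(blob):
        for pattern, label in KEY_PATTERNS:
            if pattern.search(s):
                findings.append((label, s))
                break
        else:
            token = s.strip()
            if (len(token) >= min_token_len and TOKEN_CHARS.fullmatch(token)
                    and shannon_entropy(token) >= entropy_threshold):
                findings.append(("high-entropy", s))
    return findings


# Constructed sample "binary": code-like bytes interleaved with embedded strings.
# None of these values is real; they exist only to exercise the scanner.
SAMPLE_BINARY = (
    b"\x00\x01\x02\xffmain\x00\x00"
    + b"https://api.example.com/v1/login\x00"          # a URL: not a secret
    + b"api_key=EXAMPLEKEY1234567890\x00\x90\x90"      # labelled secret
    + b"Hello World\x00"                               # ordinary prose
    + b"Qm7xK9pL2vR4sT8wZ1nB3cD5fG6hJ0yU\x00"          # unlabelled opaque token
    + b"-----BEGIN PRIVATE KEY-----\x00\x7f\x00"        # embedded key material
)


if __name__ == "__main__":
    for label, value in find_candidate_secrets(SAMPLE_BINARY):
        print(f"{label:13s} {value}")
```

On a real assessment the input is the decrypted Mach-O or the app's sandbox files; the scoring logic is the same, and the hits are what to trace back to the code path that embedded them.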
63. Pen testing Check list
• Check whether the application uses UIWebView (how does the application load HTML, and where is it rendered from? Is the URL visible?)
• Check whether copy-paste functionality is enabled in sensitive fields (PII fields)
• Install your favorite proxy to monitor and fuzz web traffic
• Run the app under a disassembler to monitor calls
64. Pen testing Check list
• Check whether critical data fields are hidden in applicationWillTerminate and applicationWillEnterBackground to prevent screenshot caching
• Check how the application handles PII information
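Slides 59 to 64 are one source-review procedure, and most of its steps are "grep for" checks. The script below is an added example, written for this transcript rather than taken from the talk, that runs those greps in one pass over Objective-C source and tags each hit with the checklist category it belongs to. The identifiers it looks for are the ones the slides name (NSURL, CFStream, NSStream, setAllowsAnyHTTPSCertificate, didReceiveAuthenticationChallenge, NSLog, handleOpenURL, SecItemAdd/SecItemUpdate and the kSecAttrAccessible attributes, NSDataWritingFileProtectionComplete, NSUserDefaults, UIWebView, applicationWillEnterBackground/applicationWillTerminate, strcpy, memcpy); beyond that list it adds strcat, sprintf and gets to the memory check and a heuristic for the slide's format string item (an NSLog whose first argument is not a literal). The Objective-C sample is constructed for the demo and is not real app code.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line category match check")

# (category, pattern, checklist item it supports). Patterns are constructed
# from the identifiers named on the slides plus the extras noted above.
CHECKS = [
    ("network", re.compile(r"\b(NSURL|CFStream|NSStream)\w*"),
     "review the network connection and what it carries"),
    ("database", re.compile(r"\bsqlite3_\w+|@\"\s*(?i:select|insert|update|delete)\b"),
     "review SQL strings and SQLite queries for injection"),
    ("tls", re.compile(r"setAllowsAnyHTTPSCertificate|didReceiveAuthenticationChallenge"),
     "confirm only trusted certificates are accepted"),
    ("logging", re.compile(r"\bNSLog\s*\(\s*@\""),
     "check what is logged"),
    ("format-string", re.compile(r"\bNSLog\s*\(\s*(?!@\")"),
     "NSLog with a non-literal format: format string vulnerability candidate"),
    ("url-scheme", re.compile(r"handleOpenURL"),
     "review URL scheme handling"),
    ("keychain", re.compile(r"\bSecItem(Add|Update)\b|kSecAttrAccessible\w+"),
     "review keychain item accessibility"),
    ("file-protection", re.compile(r"NSDataWritingFileProtection\w+"),
     "review file protection class used for writes"),
    ("storage", re.compile(r"\bNSUserDefaults\b"),
     "NSUserDefaults must not hold critical data"),
    ("webview", re.compile(r"\bUIWebView\b"),
     "how is HTML loaded and from where; is the URL visible?"),
    ("lifecycle", re.compile(r"applicationWillEnterBackground|applicationWillTerminate"),
     "are sensitive fields hidden before the background snapshot?"),
    ("memory", re.compile(r"\b(strcpy|strcat|memcpy|sprintf|gets)\s*\("),
     "memory-unsafe C call: audit bounds"),
]


def scan_source(text):
    """Return one Finding per (line, category) whose pattern matches that line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern, check in CHECKS:
            m = pattern.search(line)
            if m:
                findings.append(Finding(lineno, category, m.group(0), check))
    return findings


def summarize(findings):
    """Count findings per category; handy for a first pass over a large tree."""
    return dict(Counter(f.category for f in findings))


# Constructed Objective-C sample that trips several checklist items on purpose.
SAMPLE_SOURCE = """\
#import <Foundation/Foundation.h>
- (void)login:(NSString *)user pin:(NSString *)pin {
    NSURL *url = [NSURL URLWithString:@"https://api.example.com/login"];
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[url host]];
    NSLog(@"login attempt for %@", user);
    NSLog(user);
    [[NSUserDefaults standardUserDefaults] setObject:pin forKey:@"pin"];
    char buf[16];
    strcpy(buf, [pin UTF8String]);
    NSString *q = [NSString stringWithFormat:@"SELECT * FROM users WHERE pin = '%@'", pin];
    sqlite3_exec(db, [q UTF8String], NULL, NULL, NULL);
}
- (BOOL)application:(UIApplication *)app handleOpenURL:(NSURL *)url {
    return YES;
}
"""


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:3d} [{f.category}] {f.match!r}: {f.check}")
    print(summarize(results))
```

Run it over a checkout with `scan_source(open(path).read())` per file; the output is a worklist for the manual steps on the slides (tracing each NSURL to its TLS handling, each SQL string to its inputs, each NSUserDefaults write to the data it stores), not a verdict by itself.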
65. Thank you
Hemil Shah
hemil@espheresecurity.net
+91 99790 55100