This talk discusses the attack methodology for mobile applications. It explores the Owasp Top 10 Mobile issues and links then to gaps in daily coding practices followed by Mobile app developers for iOS and Android. We also discuss mitigations for these prevalent issues, safe defaults and secure coding practices to rely on during development.

1. MOBILE RISKS &
MITIGATIONS
Neelu Tripathy

2. Agenda
The Mobile Attack Surface
Realms for Mobile Attacks
Case Studies
Prevalent Mobile Security Risks
Mitigations

3. Mobile Attack Surface
Physical / Network V/ App
Design Issues
Sandboxing and device OS security
models<image>
Source:
www.trendmicro.com

4. SHOOTING STARS
◦ Known Vulnerabilities(Side channel attacks, CVE Dirty COW
(CVE-2016-5195) and iovyroot (CVE-2015-1805), Janus
vulnerability (CVE-2017-13156)
◦ RAMpage attack, which exploits a vulnerability (CVE-2018-
9442)
◦ (CVE-2018-9375) in UserDictionaryProvider: Permission Based
Source: cl.cam.ac.uk

5. Motivation
◦ Crypto currency Mining malware (increased 450%)
◦ Mobile banking malware increased by 98%.
◦ Jailbreaking iOS
◦ CyberEspionage campaigns(RATs)
◦ Mobile Advertising
◦ ADB Miner(Monero Mining)
◦ Ad Fraud Campaigns
◦ Known Vulnerabilities(Side channel attacks, CVE Dirty COW and iovyroot, anus vulnerability
◦ Ransomware went down

6. CASE STUDIES

7. Vulnerable to local
file steal, JavaScript
Injection, Open
Redirect
TWITTERLITE(ANDROID)
Source: www.hackerone.com

8. Twitter : Broken
Authentication
INVALIDATING OAUTH2
BEARER TOKEN MAKES
TWEETDECK UNAVAILABLE
ACCESS CONTROL
PRIVILEGE
ESCALATION/AUTHORIZATION

9. OWASP on Mobile
Improper Platform Usage:
Platform based security
controls
Insecure data storage:
insecure data storage and
unintended data leakage.
Insecure Communication
Insecure Authentication:
Bad session management,
broken authentication and
weak identification
Insufficient Cryptography

10. OWASP on Mobile
Insecure Authorization: APIs
Client Code Quality:
Implementation Issues, Security
Decisions Via Untrusted Inputs,
Format String, Buffer Overflows,
etc. On Mobile Client
Code Tampering: binary
patching, local resource
modification, method hooking,
method swizzling, and dynamic
memory modification; mostly
local tampering
Reverse Engineering: Binary
analysis, libraries, code,
hardcoded values, algorithms,
information about back end
servers, cryptographic constants
and ciphers, and intellectual
property
Extraneous Functionality:
backdoors, unintended
functionality, disabling 2FA for
testing

11. Improper Platform Usage:
Platform based security
controls
Android
intents
Platform
Permissio
ns
Missing
use of the
Keychain

12. INSECURE
DATA
STORAGE IN
MOBILE APP
$980
Source: blog.attify.com

13. Insecure data storage:
insecure data storage and
unintended data leakage.
Insecure Communication
Insecure
Local
Storage
Data
Leakage
Cleartext
protocols
Poor
handshakes,
ciphers
SSL
versions

14. Insufficient Cryptography
Insecure Authentication:
Bad session management,
broken authentication
and weak identification
Failing to identify or
maintain identity
Improper session
management
Insufficient
encryption
Improper
encryption
Encryption,
hashing, encoding

15. Insecure Authorization:
APIs
Client Code
Quality:
Implementation
Issues, Security
Decisions Via
Untrusted Inputs,
Format String,
Buffer Overflows,
etc. On Mobile
Client
Implementat
ion Problem
Security
Decisions
Via
Untrusted
Inputs
Buffer
Overflows,
Format
string
vulnerabilitie
s

16. Code Tampering: binary patching,
local resource modification,
method hooking, method
swizzling, and dynamic memory
modification; mostly local
tampering
Extraneous Functionality:
backdoors, unintended
functionality, disabling 2FA for
testing
Method
Hooking,
Method
Swizzling,
And Dynamic
Local
Resource
Modification,
Memory
Modification.
Binary
Patching
Disabling Of 2-
FA During
Testing.
Meant For Test
But In Prod
Hidden
Backdoor,
Admin
Interfaces

17. Reverse Engineering: Binary
analysis, libraries, code,
hardcoded values, algorithms,
information about back end
servers, cryptographic constants
and ciphers, and intellectual
property
core binary to determine its source code,
libraries, algorithms, and other assets.
Back End Servers
Cryptographic Constants And Ciphers
Intellectual Property.

18. Client Side
Injection
Source: www.hackerone.com

19. Mobile App
Security
Testing
Java and JDK
Android studio to run emulated android devices and capture
debug information from apps
ADB and related libs for installing packages and running a shell on
android devices. Android Studio may install most of this for you.
apktool to unzip and decode android packages
dex2jar to convert apk files to standard jar files
JD-GUI to decompile jar files into readable java code
Wireshark for capturing and analysing network traffic

20. Mitigations
1
Certificate
Issues &
Pinning
2
Don’t rely
solely on
client-side
checks;
incorporat
e
behavioura
l and
context
checks
3
Code
Obfuscatio
n
4
Rooting
Detection
5
Crypto:
Use the
app
platforms’
native
keychain to
store any
sensitive
data
6
Enable use
of 2FA for
extra level
of auth
and access
control
7
Ensure
user data
passes
through a
parameteri
zed query
and
monitor
log files for
odd
behaviour
8
Avoid
passing
informatio
n over IPC
9
Do not use
device ID
as session
token since
they never
expire
10
Device
Storage &
Caching

21. ◦ https://hackerone.com/reports/210779
◦ https://hackerone.com/reports/499348
◦ http://labs.mwrinfosecurity.com/blog/2012/04/23/adven
tures-with-android-webviews/
◦ https://www.owasp.org/index.php/Mobile_Top_10_2016
-Top_10
◦ https://www.trendmicro.com/vinfo/se/security/research-
and-analysis/threat-reports/roundup/2018-mobile-
threat-landscape
◦ https://www.owasp.org/index.php/OWASP_Mobile_Secu
rity_Testing_Guide
◦ https://www.owasp.org/index.php/ASVS_V17_Mobile
◦ http://androidvulnerabilities.org/by/version/
◦ https://www.checkmarx.com/2016/06/10/owasp-
mobile-top-ten-avoiding-common-mobile-vulnerabilities/
◦ https://mobile-security.gitbook.io/mobile-security-
testing-guide/
References

22. THANK YOU!
Questions?
@NeeluTripathy