OWASP top 10 mobile risks
Paweł Rzepa
Important notes
• The goal of this presentation is to give you basic
knowledge about mobile risks and an easy methodology
for finding those risks in your own applications.
• If you want to add anything important/interesting
and related to the topic – feel free to interrupt me ;).
What are we going to talk about…
Before we start… the threat model
M2 - Insecure data storage
Insecure data storage – what is it?
• Simple words definition: valuable pieces of
data (e.g. passwords, cookies, personal
information) are stored in data stores on
the device in an insecure format (plain text or a
reversible encoding).
Insecure data storage – what to look for?
• Look for any sensitive information in:
– SQLite databases (local)
– XML Data Stores
– Plain text configuration files
– Cookie stores
– SD Card
Insecure data storage – how to find?
• Install and run the application for some time.
• Monitor changes in /sdcard before and after
installing the application.
• Analyze the package's private files at different stages:
adb pull /data/data/<apk_package_name>
Insecure data storage - demo
Insecure data storage – real example
• Outlook stored all attachments as
unencrypted, world-readable files on
external storage.
Insecure data storage - mitigations
• Don’t store data unless it’s absolutely
necessary.
• Use encryption for local storage (see the
setStorageEncryption method).
• For databases consider using SQLCipher for
SQLite data encryption.
• Ensure no shared preferences are created with
MODE_WORLD_READABLE.
M3 - Insufficient transport layer protection
Insufficient transport layer protection – what is it?
• Simple words definition: the application does NOT
implement TLS, or implements it incorrectly.
What do you mean "incorrectly"?
• Insecure implementations are:
– Using known weak ciphers / version (e.g.
SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only
authentication)
– Lack of certificate inspection
Certificate inspection in web applications – chain of trust
• In web applications, certificate validation is done
by the browser.
• It is done via a "chain of trust".
• But how can a mobile app know whether it is
communicating with the proper server?
Cert Pinning - theory
• The expected X.509 certificate (or its public key) is
embedded in the source code and compared with what
the server presents:
if (presented_cert == pinned_cert)
    Start_connection();
else
    Drop_connection();
Cert Pinning - reality
• Researchers from Leibniz Universität Hannover tested
100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked the developers why it
happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
Insufficient transport layer protection – how to find?
• Passive analysis with Wireshark/Burp (to
check whether all traffic is encrypted)
• Use Mallodroid:
./mallodroid.py -f AppToCheck.apk -d ./javaout
• Look for endpoint implementation flaws using
SSLyze (or https://www.ssllabs.com/ssltest/
for a public domain):
sslyze --regular www.example.com:443
Insufficient transport layer protection – example
Insufficient transport layer protection – few facts from reality
• According to FireEye research from July 17,
2014, among the 1,000 most-downloaded free
applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Insufficient transport layer protection – mitigations
• Any sensitive data MUST be transferred over TLS.
• How to do it properly? Follow the rules:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
M4 - Unintended data leakage
Unintended data leakage – what is it?
• Simple words definition: the OS/framework puts
sensitive information in an insecure location on
the device.
• Important note: insecure data storage is about the
developer's own conscious decision to store data
in an insecure manner, while unintended data
leakage refers to OS/framework-specific quirks
that can leak data.
Unintended data leakage – common leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads
sending GPS location)
Unintended data leakage – how to find?
• Extract data from leaking content providers using
Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat via ADB to verify what is being logged:
adb logcat [output filter] | grep -iE "cookie|username|…"
• Use a listener (Burp/Wireshark) to monitor what is
being sent to 3rd parties.
• Use Intent Sniffer to see whether any confidential data is
sent via Intents.
Unintended data leakage - demo
Unintended data leakage - mitigations
• NEVER log any sensitive information (watch
what you’re storing in crash logs).
• Disable the copy/paste function for sensitive parts
of the application.
• Disable debugging
(android:debuggable="false").
M5 - Poor Authorization and Authentication
Poor Authorization and Authentication – what is it?
• Simple words definition: if you’re able to
bypass authentication and/or escalate your
privileges then… your app has poor
authorization and/or authentication.
Poor Authorization and Authentication – how to find?
• Try to bypass authentication by accessing
exported activities using Drozer:
dz> run app.activity.start --component <package_name> <component_name>
• Intercept traffic with Burp and modify parameters
to log in as another user / see unauthorized content
(e.g. by manipulating the device ID).
• Test the account lockout policy
• Test the password strength policy
Poor Authorization and Authentication - demo
Poor Authorization and Authentication – real example
• A flaw in an application can become an entry
point to compromise the operating system.
• For example, the Viber app:
https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
And always remember to…
• …stay sensible when following advice
from the Internet…
Poor Authorization and Authentication - mitigations
• Assume that client-side authorization and
authentication controls can be bypassed - they
must be enforced again on the server side whenever
possible!
• Persistent authentication (Remember Me)
functionality implemented within mobile
applications should never store a user’s
password on the device. It should be optional
and not enabled by default.
• Do not allow offline brute-force attacks.
M6 - Broken Cryptography
Broken Cryptography – what is it?
• Simple words definition: using an insecure
implementation, or using a sound one in an
insecure way.
• A few reminders (yeah, I know you know it…):
– encoding != encryption
– obfuscation != encryption
Broken Cryptography – how to find?
• Decompile the APK using dex2jar (or Luyten for a
more verbose result) and review the JAR file in JD-GUI.
• Look for decryption keys (in an attacker-readable
folder or hardcoded within the binary).
• Try to break the encryption algorithm if the
application uses custom encryption.
• Look for usage of insecure and/or deprecated
algorithms (e.g. RC4, MD4/MD5, SHA-1 etc.).
Broken Cryptography - example
• An encrypted DB is definitely a good idea…
Broken Cryptography - example
• …but not when you’re hardcoding the password
to decrypt it in the code…
Broken Cryptography – real example
• NQ Vault
Broken Cryptography - mitigations
• Use known, strong cryptography
implementations.
• Do not hardcode keys/credentials/OAuth
tokens.
• Do not store keys on the device.
Use password-based encryption instead.
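Added example (not the deck's code) of the password-based approach the last point describes; it also serves the M2 mitigation "use encryption for local storage". The key is derived from the user's passphrase with PBKDF2 and exists only in memory, so the sealed blob (random salt, random nonce, AES-GCM ciphertext) can sit in MODE_PRIVATE shared preferences or a private file without any key or hardcoded password beside it. Class and method names and the 100,000 iteration count are choices made here.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Seals a local record under a key derived from the user's passphrase.
 * Nothing secret is written to the device: the blob is salt || nonce || ciphertext+tag.
 */
public final class PassphraseStorage {
    private static final int SALT_LEN = 16;            // bytes, random per record
    private static final int NONCE_LEN = 12;           // GCM standard nonce size
    private static final int TAG_BITS = 128;           // GCM authentication tag
    private static final int KDF_ITERATIONS = 100_000; // assumption: tune for target devices
    private static final SecureRandom RNG = new SecureRandom();

    /** Encrypts plaintext; the returned blob is what you store (e.g. Base64 in MODE_PRIVATE prefs). */
    public static byte[] seal(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        SecretKey key = deriveKey(passphrase, salt);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ciphertext = cipher.doFinal(plaintext); // ciphertext followed by the GCM tag
        return ByteBuffer.allocate(SALT_LEN + NONCE_LEN + ciphertext.length)
                .put(salt).put(nonce).put(ciphertext).array();
    }

    /**
     * Decrypts a blob produced by seal(). A wrong passphrase or a modified blob fails
     * with javax.crypto.AEADBadTagException instead of returning garbage.
     */
    public static byte[] open(char[] passphrase, byte[] blob) throws Exception {
        if (blob.length < SALT_LEN + NONCE_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("blob too short");
        }
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        in.get(salt);
        in.get(nonce);
        byte[] ciphertext = new byte[in.remaining()];
        in.get(ciphertext);
        SecretKey key = deriveKey(passphrase, salt);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return cipher.doFinal(ciphertext);
    }

    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        // PBKDF2WithHmacSHA256 is available on Android 8.0 (API 26) and later;
        // older releases only ship PBKDF2WithHmacSHA1.
        KeySpec spec = new PBEKeySpec(passphrase, salt, KDF_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
}
```

Clear the passphrase char[] with Arrays.fill after use, and keep the iteration count as high as the slowest supported device tolerates, since the blob is exactly what an offline guessing attack would target.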
M7 - Client side injection
Client side injection – what is it?
• Simple words definition: malicious code can
be provided as input and executed by the
application (on the client side).
• The malicious code can come from:
– Other application via intent/content provider
– Shared file
– Server response
– Third party website
Client side injection – what to inject?
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
A new Android toy – the Intents
• An Android application can talk (Inter-Process
Communication) to any other component (e.g.
another application, a system service, a new
activity to be started, etc.) via special objects
called Intents.
Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
Client side injection – how to find?
• SQL injections:
dz> run scanner.provider.injection -a <package_name>
• Data path traversal:
dz> run scanner.provider.traversal -a <package_name>
• Intent injections:
dz> run app.package.manifest -a <package_name>
dz> run app.activity.info -a <package_name>
dz> run app.service.info --permission null -a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
Client side injection - demo
Client side injection – real example
• The UniversalMDMClient (a built-in application of Samsung KNOX
– a security feature to separate personal and professional
activities).
• A crafted URI with the "smdm://" prefix allows remote
installation of ANY application, while the user thinks he’s
installing an update for UniversalMDMClient.
• How does it work in practice?
https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
Client side injection - mitigations
• Always validate any user input on the server side!
• For internal communication use only explicit
Intents.
• Avoid using intent filters. Even if the Activity has the
attribute exported="false", another application can
declare the same filter, and the system displays a
dialog so the user can pick which app to use.
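Added example (not the deck's code) of a content provider hardened against the two flaws the "how to find" slide scans for with scanner.provider.injection and scanner.provider.traversal: the vulnerable string-concatenated query is kept for contrast, the hardened query binds the only caller-controlled value as a parameter, and openFile canonicalises the path before checking that it stays inside the served directory. The "notes" table, its columns and the exports directory are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Read-only notes provider: fixed SQL shape, parameter binding, traversal guard. */
public final class NotesProvider extends ContentProvider {
    private static final Set<String> ALLOWED_COLUMNS =
            new HashSet<>(Arrays.asList("_id", "title", "body"));
    private SQLiteDatabase db;   // opened from a MODE_PRIVATE database helper (omitted)
    private File exportDir;      // only files under this directory may be served

    @Override
    public boolean onCreate() {
        exportDir = new File(getContext().getFilesDir(), "exports");
        return true;
    }

    // VULNERABLE (for contrast only): a caller-controlled selection string becomes
    // part of the SQL text, so the caller can rewrite the whole statement.
    Cursor queryUnsafe(String selection) {
        return db.rawQuery("SELECT _id, title, body FROM notes WHERE " + selection, null);
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // Caller-supplied SQL fragments (selection, sortOrder) are ignored entirely;
        // the statement shape is fixed and the only caller data is bound as a parameter.
        if (projection != null) {
            for (String col : projection) {
                if (!ALLOWED_COLUMNS.contains(col)) throw new IllegalArgumentException("unknown column");
            }
        }
        String noteId = uri.getLastPathSegment(); // expected: content://<authority>/notes/<id>
        if (noteId == null || !noteId.matches("[0-9]{1,10}")) {
            throw new IllegalArgumentException("bad note id");
        }
        return db.query("notes", projection, "_id = ?", new String[] { noteId }, null, null, "_id");
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("provider is read-only");
        String name = uri.getLastPathSegment();
        if (name == null) throw new FileNotFoundException("no file name");
        File root, requested;
        try {
            // Canonicalise first (resolves ".." and symlinks), then require the result to
            // stay inside exportDir. A prefix check on the raw string alone would let a
            // name such as ../../shared_prefs/app.xml read the app's private files.
            root = exportDir.getCanonicalFile();
            requested = new File(root, name).getCanonicalFile();
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve " + name);
        }
        if (!requested.getPath().startsWith(root.getPath() + File.separator)) {
            throw new FileNotFoundException("path escapes export directory");
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.item/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
}
```

These checks do not replace the manifest: declare the provider with android:exported="false" unless other apps genuinely need it, and guard it with a permission if they do.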
M9 - Improper session handling
Improper session handling – what is it?
• Simple words definition: if your session token
can be guessed, retrieved by a third party or
never expires, then you have a problem.
Improper session handling – how to find?
• Intercept requests with a proxy (e.g. Burp) and verify:
– whether the session expires (copy a cookie and try to use
it after 30 minutes)
– whether the session is destroyed after the authentication
state changes (e.g. switching from one logged-in user
to another logged-in user)
– whether you are able to guess any other session (e.g.
it’s easy to impersonate another user when the application
uses the device ID as a session token)
Improper session handling – few facts from reality
• What we know is that "sessions have to expire"…
• …but how long should one REALLY last?
• According to an experiment*, the average application
session (counted from opening an app to closing
it) lasts… 71.56 seconds.
* - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
Improper session handling - mitigations
• Invalidate sessions on the server side.
• Set a session expiration time adjusted to your
application.
• Destroy all unused session tokens.
• Use only high-entropy, tested token
generation sources.
Thank you!
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://github.com/ikust/hello-pinnedcerts
• http://www.exploresecurity.com/testing-for-cipher-suite-preference/
• http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://manifestsecurity.com/android-application-security/
• https://mobilesecuritywiki.com/
• http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
• https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
• https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
• https://www.ssllabs.com/ssltest/
• http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
• http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
• http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
• https://github.com/linkedin/qark
• https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
• http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
• http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
• http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
• https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 

Owasp mobile top 10

  • 1. OWASP top 10 mobile risks
    Paweł Rzepa
  • 2. Important notes
    • The goal of this presentation is to provide you with basic knowledge about mobile risks and an easy methodology to find those risks in your applications.
    • If you want to add anything important/interesting and related to the topic – feel free to interrupt me ;).
  • 3. What are we going to talk about…
  • 4. Before we start… the threat model
  • 5. M2 - Insecure data storage
  • 6. Insecure data storage – what it is?
    • Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data stores on the device in an insecure (plain text or reversible encoding) format.
  • 7. Insecure data storage – what to look for?
    • Look for any sensitive information in:
      – SQLite databases (local)
      – XML data stores
      – Plain text configuration files
      – Cookie stores
      – SD card
  • 8. Insecure data storage – how to find?
    • Install and run the application for some time
    • Monitor changes in /sdcard before and after installing the application
    • Analyze package files at different stages:
      adb pull /data/data/<apk_package_name>
  • 10. Insecure data storage – real example
    • Outlook stored all attachments as unencrypted, world-readable files on external storage.
  • 11. Insecure data storage - mitigations
    • Don’t store data unless it’s absolutely necessary.
    • Use encryption for local storage (use the method setStorageEncryption).
    • For databases consider using SQLCipher for SQLite data encryption.
    • Ensure any shared preferences properties are NOT MODE_WORLD_READABLE.
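    The last mitigation above, shown as an added Android example that is not part of the slides: the weak way of opening a SharedPreferences file next to the private one. The file name, key names and the helper class are assumptions made for the example.

```java
import android.content.Context;
import android.content.SharedPreferences;

// Added example (not from the deck): weak vs. hardened SharedPreferences creation.
// The file name "session" and the key "auth_token" are assumed values.
public class PrefsExample {

    // WEAK: MODE_WORLD_READABLE makes the XML file under
    // /data/data/<package>/shared_prefs readable by every other app on the device.
    // The constant is deprecated and throws SecurityException on Android 7.0 (API 24)
    // and later, so this only "works" on old devices, where it leaks.
    @SuppressWarnings("deprecation")
    static SharedPreferences weakPrefs(Context ctx) {
        return ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE);
    }

    // HARDENED: MODE_PRIVATE keeps the file readable only by this app's own UID.
    static SharedPreferences privatePrefs(Context ctx) {
        return ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
    }

    // Even a private file is plain XML on disk (see the adb pull step on slide 8):
    // keep passwords out of it entirely and store only a short-lived server token.
    static void saveToken(Context ctx, String token) {
        privatePrefs(ctx).edit()
                .putString("auth_token", token)
                .apply();
    }
}
```

    A quick check during testing is the one the slides already describe: pull the package directory with adb and confirm that nothing under shared_prefs is readable by other users or contains a password or long-lived secret.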
  • 12. M3 - Insufficient transport layer protection
  • 13. Insufficient transport layer protection – what it is?
    • Simple words definition: the application does NOT implement TLS, or implements it incorrectly.
  • 14. What do you mean “incorrectly”?
    • Insecure implementations are:
      – Using known weak ciphers / versions (e.g. SSLv2/SSLv3, RC4)
      – Securing only part of the communication (e.g. only authentication)
      – Lack of certificate inspection
  • 15. Certificate inspection in web applications – chain of trust.
    • In web applications the validation of the certificate is on the side of the browser.
    • It is done by a “chain of trust”.
    • But how can a mobile app know whether it is communicating with the proper server?
  • 16. Cert Pinning - theory
    • The expected X.509 certificate or public key is embedded in the source code.
      if (presented_cert == pinned_cert)
          Start_connection();
      else
          Drop_connection();
  • 17. Cert Pinning - reality
    • Guys from Leibniz Universität Hannover tested 100 apps and…
    • 21 apps trust all certificates
    • 20 apps accept all hostnames
    • And in the end they asked developers why it happened…
    More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
  • 18. Insufficient transport layer protection - how to find?
    • Passive analysis with Wireshark/Burp (to check whether all traffic is encrypted)
    • Use Mallodroid:
      ./mallodroid.py -f AppToCheck.apk -d ./javaout
    • Look for endpoint implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for a public domain):
      sslyze --regular www.example.com:443
  • 19. Insufficient transport layer protection - example
  • 20. Insufficient transport layer protection - a few facts from reality
    • According to the FireEye research from July 17 2014, among the 1000 most-downloaded free applications in the Google Play store:
    Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
  • 21. Insufficient transport layer protection - mitigations
    • Any sensitive data MUST be transferred over TLS
    • How to do it properly? Follow the rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
  • 22. M4 - Unintended data leakage
  • 23. Unintended data leakage – what it is?
    • Simple words definition: the OS/framework puts sensitive information in an insecure location on the device.
    • Important note: insecure data storage is about the developer’s conscious decision to store data in an insecure manner, while unintended data leakage refers to OS/framework-specific quirks which can cause data leakage.
  • 24. Unintended data leakage – common leakage points
    • URL caching
    • Copy/paste buffer caching
    • Logging
    • Analytics data sent to 3rd parties (e.g. ads sending GPS location)
  • 25. Unintended data leakage – how to find?
    • Extract data from leaking content providers using Drozer:
      dz> run app.provider.finduri <package_name>
    • Use logcat to verify what is being logged using ADB:
      adb logcat [output filter] | grep cookie,username…
    • Use a listener (Burp/Wireshark) to monitor what is being sent to 3rd parties.
    • Use Intent Sniffer to see if any confidential data is sent via Intents.
  • 27. Unintended data leakage - mitigations
    • NEVER log any sensitive information (observe what you’re storing in crash logs).
    • Disable the copy/paste function for sensitive parts of the application.
    • Disable debugging (android:debuggable="false").
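    The first two mitigations above as an added Android example (not from the slides): a logging helper that never writes a secret to logcat, and a way to switch off long-press selection and the copy/paste action mode on a sensitive EditText. The third mitigation, android:debuggable, lives in the manifest and is not shown here. The DEBUG flag stands in for the app's generated BuildConfig.DEBUG; the class name is an assumption.

```java
import android.util.Log;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.EditText;

// Added example (not from the deck): guards against the leakage points on slide 24.
public final class LeakageGuards {
    // Assumption: in a real app this is BuildConfig.DEBUG, so release builds stay silent.
    static final boolean DEBUG = false;

    // Never log the value itself: a crash log or "adb logcat | grep cookie" would find it.
    // Log only that it exists and how long it is, and only in debug builds.
    static void logToken(String tag, String token) {
        if (!DEBUG) return;
        Log.d(tag, "token present, length=" + token.length());
    }

    // For values that must appear in a log or UI, keep only the last four characters.
    static String mask(String value) {
        if (value == null || value.length() <= 4) return "****";
        return "****" + value.substring(value.length() - 4);
    }

    // Disable long-press selection and the cut/copy/paste action mode on a sensitive field,
    // so its content never reaches the system clipboard (and other apps reading it).
    static void disableCopyPaste(EditText field) {
        field.setLongClickable(false);
        field.setTextIsSelectable(false);
        field.setCustomSelectionActionModeCallback(new ActionMode.Callback() {
            @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
            @Override public void onDestroyActionMode(ActionMode mode) { }
        });
    }
}
```

    Returning false from onCreateActionMode is what suppresses the selection toolbar; setLongClickable(false) removes the gesture that would start it. The logcat check from slide 25 is the way to confirm the logging helper does its job.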
  • 28. M5 - Poor Authorization and Authentication
  • 29. Poor Authorization and Authentication – what is it?
    • Simple words definition: if you’re able to bypass authentication and/or escalate your privileges then… your app has poor authorization and/or authentication.
  • 30. Poor Authorization and Authentication – how to find?
    • Try to bypass authentication by accessing exported activities using Drozer:
      dz> run app.activity.start --component <component_name>
    • Intercept traffic with Burp and modify a parameter to log in as another user / see unauthorized content (e.g. by manipulating the device ID).
    • Test the account lockout policy
    • Test the strong password policy
  • 31. Poor Authorization and Authentication - demo
  • 32. Poor Authorization and Authentication – real example
    • A flaw in an application can become an entry point to compromise the operating system.
    • For example the Viber app: https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
  • 33. And always remember to…
    • …stay reasonable when you’re going to follow advice from the Internet…
  • 34. Poor Authorization and Authentication - mitigations
    • Assume that client-side authorization and authentication controls can be bypassed - they must be re-enforced on the server side whenever possible!
    • Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device. It should be optional and not be enabled by default.
    • Do not allow offline brute force attacks.
  • 35. M6 - Broken Cryptography
  • 36. Broken Cryptography – what it is?
    • Simple words definition: using an insecure implementation or implementing it in an insecure way.
    • A few reminders (yeah, I know you know it…):
      – encoding != encryption
      – obfuscation != encryption
  • 37. Broken Cryptography – how to find?
    • Decompile the APK using dex2jar (or Luyten for a more verbose result) and review the JAR file in JD-GUI.
    • Look for decryption keys (in an attacker-readable folder or hardcoded within the binary).
    • Try to break the encryption algorithm if the application uses custom encryption.
    • Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/MD5, SHA-1 etc.).
  • 38. Broken Cryptography - example
    • An encrypted db is definitely a good idea…
  • 39. Broken Cryptography - example
    • …but not when you’re hardcoding the passwords to decrypt it in the code…
  • 40. Broken Cryptography – real example
    • NQ Vault
  • 41. Broken Cryptography - mitigations
    • Use known, strong cryptography implementations.
    • Do not hardcode keys/credentials/OAuth tokens.
    • Do not store keys on the device. Use password-based encryption instead.
  • 42. M7 - Client side injection
  • 43. Client side injection – what it is?
    • Simple words definition: malicious code can be provided as input and executed by the application (on the client side).
    • The malicious code can come from:
      – Another application via an intent/content provider
      – A shared file
      – A server response
      – A third-party website
  • 44. Client side injection – what to inject?
    • SQL injection into the local db
    • XSS/WebView injection
    • Directory traversal
    • Intent injection
  • 45. A new Android’s toy – the Intents
    • An Android application can talk (Inter-Process Communication) to any other component (e.g. another application, a system service, a new activity etc.) via special objects called Intents.
      Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("https://owasp.org"));
      Intent i = new Intent(android.provider.MediaStore.ACTION_IMAGE_CAPTURE);
  • 46. Client side injection – how to find?
    • SQL injections:
      dz> run scanner.provider.injection -a <package_name>
    • Data path traversal:
      dz> run scanner.provider.traversal -a <package_name>
    • Intent injections:
      dz> run app.package.manifest -a <package_name>
      dz> run app.activity.info -a <package_name>
      dz> run app.service.info --permission null -a <package_name>
      dz> run intents.fuzzinozer --package_name <package_name> --fuzzing_intent
  • 48. Client side injection – real example
    • The UniversalMDMClient (a built-in application of Samsung KNOX – a security feature to separate personal and professional activities).
    • A crafted URI with the “smdm://” prefix allows remote installation of ANY application, while the user thinks he’s installing an update for UniversalMDMClient.
    • How does it work in practice? https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
  • 49. Client side injection - mitigations
    • Always validate any user input on the server side!
    • For internal communication use only explicit Intents.
    • Avoid using intent-filters. Even if the Activity has the attribute “exported=false”, another application can define the same filter and the system displays a dialog, so the user can pick which app to use.
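    The Intent mitigations above as an added Android example (not from the slides): an implicit intent for in-app communication next to its explicit form, and a receiving-side check that treats the data URI of an incoming intent as untrusted input, accepting only a known scheme and host before anything is done with it. The action name, component name and allowed host are assumptions.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

// Added example (not from the deck): explicit Intents and validation of incoming Intent data.
public final class IntentHygiene {

    // RISKY: an implicit intent with a custom action is delivered to whichever app declares
    // a matching <intent-filter>; a secret in its extras goes wherever the system routes it.
    static Intent implicitInternal(String sessionToken) {
        Intent i = new Intent("com.example.app.ACTION_SYNC"); // assumed action name
        i.putExtra("session", sessionToken);
        return i;
    }

    // HARDENED: an explicit intent names the exact in-app component, so only that class
    // receives it, whatever filters other apps declare.
    static Intent explicitInternal(Context ctx, String sessionToken) {
        Intent i = new Intent();
        i.setClassName(ctx, "com.example.app.SyncService"); // assumed in-app component
        i.putExtra("session", sessionToken);
        return i;
    }

    // Receiving side: accept only the scheme and host this app really handles.
    // A custom scheme such as the "smdm://" case on slide 48 would be rejected here.
    static boolean isAcceptableUri(Uri uri) {
        if (uri == null) return false;
        if (!"https".equals(uri.getScheme())) return false;   // no http, no custom schemes
        if (!"owasp.org".equals(uri.getHost())) return false; // host allow-list (assumed)
        String path = uri.getPath();
        return path != null && !path.contains("..");          // no path traversal segments
    }

    // Entry point for an exported Activity/Service: validate before acting.
    static boolean handleIncoming(Intent incoming) {
        Uri data = incoming.getData();
        if (!isAcceptableUri(data)) {
            return false; // drop it; count the rejection in non-sensitive telemetry if wanted
        }
        // ... proceed with the validated URI ...
        return true;
    }
}
```

    The Drozer modules on slide 46 (app.activity.info, app.service.info) list exactly the exported components whose entry points need a check like handleIncoming.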
  • 50. M9 - Improper session handling
  • 51. Improper session handling – what it is?
    • Simple words definition: if your session token can be guessed, retrieved by a third party or never expires, then you have a problem.
  • 52. Improper session handling – how to find?
    • Intercept requests with a proxy (e.g. Burp) and verify whether:
      – a session expires (copy a cookie and try to use it after 30 minutes)
      – a session is destroyed after the authentication state changes (e.g. switching from one logged-in user to another logged-in user)
      – you are able to guess any other session (e.g. it’s easy to impersonate another user when the application uses the device ID as a session token)
  • 53. Improper session handling – a few facts from reality
    • What we know is that “sessions have to expire”…
    • …but how long should one REALLY last?
    • According to an experiment* the average application session (counted from opening an app to closing it) lasts… 71.56 seconds.
    * - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
  • 54. Improper session handling - mitigations
    • Invalidate the session on the server side.
    • Set the session expiration time adjusted to your application.
    • Destroy all unused session tokens.
    • Use only high-entropy, tested token generation resources.
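    A server-side session store that follows the four mitigations above, as an added example that is not from the slides: tokens come from a CSPRNG (never from a device ID), expire after an idle timeout chosen for the app, are destroyed on logout, and every other token of a user is dropped when that user authenticates again. The timeout value and class name are assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (not from the deck): server-side session handling for a mobile API.
public final class SessionStore {
    // Idle timeout tuned to the app: slide 53 puts the average app session near 72 s,
    // so a long web-style timeout mostly extends the window for a stolen token.
    static final Duration IDLE_TIMEOUT = Duration.ofMinutes(15); // assumed value
    static final SecureRandom RNG = new SecureRandom();

    static final class Session {
        final String user;
        Instant lastSeen;
        Session(String user) { this.user = user; this.lastSeen = Instant.now(); }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    // 256 random bits, URL-safe Base64: unguessable, and unrelated to anything on the device.
    static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Authentication state change: issue a fresh token and kill the user's older ones.
    String login(String user) {
        invalidateAllFor(user);
        String token = newToken();
        sessions.put(token, new Session(user));
        return token;
    }

    // Resolve a token to its user, enforcing the idle timeout; null means "not authenticated".
    String resolve(String token) {
        Session s = sessions.get(token);
        if (s == null) return null;
        Instant now = Instant.now();
        if (now.isAfter(s.lastSeen.plus(IDLE_TIMEOUT))) {
            sessions.remove(token); // expired: destroy it rather than leave it lying around
            return null;
        }
        s.lastSeen = now;
        return s.user;
    }

    // Logout is server-side invalidation; deleting the cookie on the phone is not enough.
    void logout(String token) { sessions.remove(token); }

    void invalidateAllFor(String user) {
        sessions.entrySet().removeIf(e -> e.getValue().user.equals(user));
    }
}
```

    The Burp test from slide 52 maps directly onto this code: replaying a token after the timeout, or after another login by the same user, must get a null from resolve and therefore an unauthenticated response.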
  • 56. References
    • https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
    • https://github.com/ikust/hello-pinnedcerts
    • http://www.exploresecurity.com/testing-for-cipher-suite-preference/
    • http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/
    • http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
    • https://manifestsecurity.com/android-application-security/
    • https://mobilesecuritywiki.com/
    • http://androidcracking.blogspot.de/2014/02/zerdeis-luyten-worthwhile-jd-gui.html
    • https://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=111&type=3&OPENCONF=54jm3hh7laelc19qq6ernql5m2
    • https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Mobile_Threat_Model
    • https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
    • https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
    • https://www.ssllabs.com/ssltest/
    • http://www.slideshare.net/ibmsecurity/overtaking-firefox-profiles-vulnerabilities-in-firefox-for-android
    • http://resources.infosecinstitute.com/cracking-nq-vault-step-by-step/
    • http://www.slideshare.net/ibmsecurity/pinpointing-vulnerabilities-in-android-applications-like-finding-a-needle-in-a-haystack
    • https://github.com/linkedin/qark
    • https://www.mendeley.com/catalog/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
    • http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html
    • http://www.bkav.com/top-news/-/view_content/content/46264/critical-flaw-in-viber-allows-full-access-to-android-smartphones-bypassing-lock-screen
    • http://thehackernews.com/2014/05/microsoft-outlook-app-for-android.html
    • https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view?pref=2&pli=1