Mobile technologies bring new capabilities and opportunities to consumers all around the world. However, the advent of mobile has also created new points of attack for hackers. This presentation is about how to assess security vulnerabilities during the development process, and how to deliver high-performing applications that provide functionality with security in mind.
10. HOW BAD IS IT?
Nissan LEAF
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
12. HOW BAD IS IT?
The Intel Management Engine (ME)
https://arstechnica.com/information-technology/2017/11/intel-warns-of-widespread-vulnerability-in-pc-server-device-firmware/
[Figure: ME's connection architecture showing communication between network and host OS]
13. HOW BAD IS IT?
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
“Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely.”
14.
“If builders built houses the way programmers build programs, the first woodpecker to come along would destroy civilization.”
— Weinberg's Second Law
15. EVERY PROGRAM IS A POTENTIAL TARGET
▪ LEGAL RESPONSIBILITY
▪ FINANCIAL DAMAGE
▪ REPUTATION RISKS
16. LEGAL RESPONSIBILITY
GDPR
(General Data Protection Regulation, Regulation (EU) 2016/679)
“Data protection by Design and by Default”
“Article 25. Data protection by Design and by Default requires that data protection is designed into the development of business processes for products and services.”
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
17. LEGAL RESPONSIBILITY
Legea Nr. 133 din 08.07.2011 privind protecţia datelor cu caracter personal (Law No. 133 of 8 July 2011 on the protection of personal data, Republic of Moldova)
“Article 30. Security of personal data processing
"When processing personal data, the controller is obliged to take the organisational and technical measures necessary to protect personal data against destruction, modification, blocking, copying and dissemination, as well as against other unlawful actions; these measures must ensure a level of security appropriate to the risks presented by the processing and to the nature of the data processed."
http://lex.justice.md/viewdoc.php?action=view&view=doc&id=340495&lang=1
35.
MOST COMMON MOBILE APPS SECURITY VULNERABILITIES
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
OWASP Top 10 Mobile Risks - Final List 2016
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
36.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Improper Platform Usage
misuse of a platform feature or failure to use platform security controls (Android intents, platform permissions, misuse of TouchID, the Keychain, or any other security control that is part of the mobile operating system)
• SharedPreferences + MODE_PRIVATE (never the world-readable / world-writeable modes)
• Explicit intents when the target component is your own, so that another app cannot intercept the intent
• Manifest android:exported="false" for every activity, service, receiver and provider that other apps do not need to reach
• file.getCanonicalPath() - YES; file.getAbsolutePath() - NO: getAbsolutePath() does not resolve symlinks or "..", so a path check built on it is defeated by an attacker who plants a link (ln -s filename maliciousfilename)
• webView.getSettings().setAllowFileAccess(false) unless the WebView really needs file:// URLs
• store session tokens, passwords and cryptographic secrets in the Keychain (iOS) or the Android Keystore / keystore-backed storage, not in plain preferences or files
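The canonical-path rule above, as an added example in plain Java (not code from the slides): a hypothetical `SafeFileAccess` class that confines file access to an app-private directory and is probed with a planted symlink and a `..` traversal. It uses a temporary directory instead of `context.getFilesDir()` so it runs on any JVM, and assumes a Unix-like host where `/etc/passwd` exists and unprivileged symlink creation is allowed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeFileAccess {
    // App-private directory. On Android this would be context.getFilesDir();
    // a temp dir stands in for it here so the example runs on a desktop JVM.
    private final File baseDir;

    public SafeFileAccess(File baseDir) throws IOException {
        this.baseDir = baseDir.getCanonicalFile();
    }

    // NO: getAbsolutePath() only makes the string absolute. It follows neither
    // symlinks nor "..", so a link planted inside baseDir passes this check.
    public boolean isInsideUsingAbsolutePath(String userSuppliedName) {
        File f = new File(baseDir, userSuppliedName);
        return f.getAbsolutePath().startsWith(baseDir.getAbsolutePath() + File.separator);
    }

    // YES: getCanonicalPath() resolves symlinks and "..", so the check is made
    // on the file the OS will actually open.
    public boolean isInsideUsingCanonicalPath(String userSuppliedName) throws IOException {
        File f = new File(baseDir, userSuppliedName);
        return f.getCanonicalPath().startsWith(baseDir.getCanonicalPath() + File.separator);
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("appfiles");
        SafeFileAccess access = new SafeFileAccess(tmp.toFile());

        // Attacker step, the equivalent of: ln -s /etc/passwd <appfiles>/report.txt
        Path link = tmp.resolve("report.txt");
        Files.createSymbolicLink(link, Paths.get("/etc/passwd"));

        System.out.println("absolute  check, report.txt        : " + access.isInsideUsingAbsolutePath("report.txt"));
        System.out.println("canonical check, report.txt        : " + access.isInsideUsingCanonicalPath("report.txt"));
        System.out.println("absolute  check, ../../etc/passwd  : " + access.isInsideUsingAbsolutePath("../../etc/passwd"));
        System.out.println("canonical check, ../../etc/passwd  : " + access.isInsideUsingCanonicalPath("../../etc/passwd"));

        Files.delete(link);
        Files.delete(tmp);
    }
}
```

Run with `javac SafeFileAccess.java && java SafeFileAccess`. The absolute-path check accepts both the symlink and the `..` traversal because the string still begins with the base directory; the canonical check rejects both because the resolved target is `/etc/passwd`. The constructor canonicalises `baseDir` itself so the comparison is not thrown off by a base directory that is itself behind a symlink (for example `/tmp` on macOS).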
37.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
There comes a time in most men's lives where they feel the need to raise the Black Flag.
40.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Data Storage
insecure data storage and unintended data leakage
• Secure preferences (encrypt values before they reach SharedPreferences / NSUserDefaults)
• Secure cache
• Secure DB (SQLCipher, Encrypted Core Data, Realm + encryptionKey)
Watch out for data leaking through:
• URL caching (both request and response)
• Logging
• Analytics data sent to 3rd parties
41.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Communication
(poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.)
44.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
• SSL pinning (TrustKit, OkHttp + CertificatePinner), and alert users through the UI if the mobile app detects an invalid certificate
• Pinning also blunts DNS cache poisoning attacks: redirecting the hostname to an attacker's server fails the handshake, because that server cannot present the pinned key
• Use strong, industry-standard cipher suites with appropriate key lengths
• Use certificates signed by a trusted CA provider
OkHttp: https://github.com/square/okhttp/wiki/HTTPS
Alamofire: https://github.com/Alamofire/Alamofire#security
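The OkHttp pinning tip above, as an added example (not the slides' own code and not OkHttp's documentation): a hypothetical `PinnedClient` that pins `api.example.com` to two placeholder public-key hashes and tells the user when a pin does not match. The host, the all-A and all-B pins, and the `reportPinFailure` / `showUntrustedConnectionDialog` hooks are assumptions; the OkHttp 3 library must be on the classpath.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {
    // Hypothetical host and placeholder pins: base64(SHA-256(SubjectPublicKeyInfo)).
    // Ship at least two pins (current key plus an offline backup key) so that a
    // planned certificate rotation cannot lock every installed app out of the API.
    static final String API_HOST    = "api.example.com";
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)   // checked after normal chain validation, not instead of it
                .build();
    }

    /** Fetches url over the pinned client; returns null (after alerting the user) on a pin mismatch. */
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Thrown by CertificatePinner when no configured pin matches the chain.
            // Its message lists the pins actually presented: useful in security
            // telemetry, not something to show in the UI.
            reportPinFailure(e.getMessage());
            showUntrustedConnectionDialog();
            return null;
        }
    }

    // Assumed hooks; a real app would send telemetry and show a dialog.
    static void reportPinFailure(String detail) {
        System.err.println("pin failure: " + detail);
    }

    static void showUntrustedConnectionDialog() {
        System.err.println("The connection to the server could not be trusted. Please try again on another network.");
    }

    public static void main(String[] args) throws IOException {
        String body = fetch(build(), "https://" + API_HOST + "/v1/status");
        System.out.println(body == null ? "no trusted response" : body);
    }
}
```

With the placeholder pins any real server fails the check, which is the path the example exercises. Real pins for a host can be derived with OpenSSL by extracting the public key of each certificate in the chain (`openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`); pin the leaf or an intermediate key, not a CA you do not control, and keep the backup key offline.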
45.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Authentication
weaknesses in authenticating the end user or in session management
• Failing to identify the user at all when that should be required
• Failure to maintain the user's identity when it is required
• Weaknesses in session management
46.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
• If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user's login credentials.
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user's password on the device.
• Mobile applications should utilize a device-specific authentication token that can be revoked within the mobile application by the user.
• Authenticating a user locally can lead to client-side bypass vulnerabilities.
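The "secure preferences" tip under Insecure Data Storage and the first two points above (a key derived from the login credentials; never the password itself on the device) together, as an added example in plain Java that is not code from the slides. The hypothetical `CredentialDerivedPrefs` stands in for SharedPreferences with a `Map`; only a random salt and AES-GCM ciphertexts ever reach the store, the key lives in memory between login and logout, and the sample token is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialDerivedPrefs {
    // PBKDF2 cost: tune so that unlock() takes a noticeable fraction of a second on the slowest supported device.
    private static final int PBKDF2_ITERATIONS = 310_000;
    private static final int SALT_BYTES = 16;
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, String> store = new HashMap<>(); // stand-in for SharedPreferences (hypothetical)
    private SecretKey key;                                     // memory only; never written to the store

    /** Derive the data key from the password. Only the salt is persisted; the password array is wiped. */
    public void unlock(char[] password) throws GeneralSecurityException {
        byte[] salt;
        String saltB64 = store.get("__salt");
        if (saltB64 == null) {
            salt = new byte[SALT_BYTES];
            RNG.nextBytes(salt);
            store.put("__salt", Base64.getEncoder().encodeToString(salt));
        } else {
            salt = Base64.getDecoder().decode(saltB64);
        }
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        Arrays.fill(password, '\0');
        key = new SecretKeySpec(keyBytes, "AES"); // SecretKeySpec copies the bytes, so the array can be zeroed
        Arrays.fill(keyBytes, (byte) 0);
    }

    public void lock() { key = null; }

    public void putString(String name, String value) throws GeneralSecurityException {
        requireUnlocked();
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                   // fresh IV per value: GCM fails badly on IV reuse
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind the ciphertext to its key name
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];       // iv || ciphertext || tag
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        store.put(name, Base64.getEncoder().encodeToString(blob));
    }

    /** Returns the plaintext, or throws (AEADBadTagException) if the blob was tampered with or the key is wrong. */
    public String getString(String name) throws GeneralSecurityException {
        requireUnlocked();
        String b64 = store.get(name);
        if (b64 == null) return null;
        byte[] blob = Base64.getDecoder().decode(b64);
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** What someone with a copy of the device storage sees: base64 blobs plus a salt, no password, no key. */
    public Map<String, String> rawStorage() { return store; }

    private void requireUnlocked() {
        if (key == null) throw new IllegalStateException("user must log in first");
    }

    public static void main(String[] args) throws Exception {
        CredentialDerivedPrefs prefs = new CredentialDerivedPrefs();
        prefs.unlock("correct horse battery staple".toCharArray());
        prefs.putString("session_token", "constructed-sample-token-123");
        prefs.lock();                                        // app backgrounded or user logged out
        System.out.println("on disk: " + prefs.rawStorage());

        prefs.unlock("correct horse battery staple".toCharArray());
        System.out.println("after re-login: " + prefs.getString("session_token"));
        prefs.lock();

        prefs.unlock("wrong password".toCharArray());
        try {
            prefs.getString("session_token");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong password -> " + e.getClass().getSimpleName());
        }
    }
}
```

Because nothing but the salt is stored, a Remember Me feature cannot be built on this class by caching the password; per the third point above it would instead keep a device-specific token issued by the backend, which the user can revoke. On Android the derived key could additionally be wrapped by a Keystore key so that the blobs are bound to the device.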
47. TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insufficient Cryptography
where cryptography was attempted, but it wasn't done correctly
• Poor Key Management Processes
• Creation and Use of Custom Encryption Protocols
• Use of Insecure and/or Deprecated Algorithms
51. TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Authorization
(authorization decisions made on the client side, forced browsing, etc.)
Distinct from authentication issues (e.g., device enrolment, user identification, etc.)
• Hidden endpoints (an endpoint that is merely unlinked is still reachable and needs the same server-side checks as a visible one)
• User role or permission transmissions (the mobile app transmits the user's roles or permissions to a backend, which then trusts them)
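Both points above side by side, as an added example of the backend's half of the fix (not code from the slides): a hypothetical `ServerSideAuthz` with a vulnerable `authorizeTrustingClient` that believes an `X-Role` header sent by the app, and a fixed `authorize` that resolves the role from a server-side session and denies any path without an explicit ACL entry. The accounts, endpoints and header names are constructed; the password check is a placeholder for a real password hash.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

public class ServerSideAuthz {
    enum Role { USER, ADMIN }

    // Constructed sample accounts; the role is looked up here, at login, and nowhere else.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "root", "root-pw");
    private static final Map<String, Role> ROLES = Map.of("alice", Role.USER, "root", Role.ADMIN);

    // Every endpoint, "hidden" or not, has an explicit entry; a path that is absent is denied.
    private static final Map<String, Set<Role>> ACL = Map.of(
            "/api/profile",     Set.of(Role.USER, Role.ADMIN),
            "/api/admin/users", Set.of(Role.ADMIN));

    // Hypothetical server-side session store: opaque device token -> role fixed at login.
    private final Map<String, Role> sessions = new HashMap<>();

    /** Returns a fresh device token, or null on bad credentials. */
    public String login(String user, String password) {
        if (!password.equals(PASSWORDS.get(user))) return null; // placeholder; real code verifies a password hash
        String token = UUID.randomUUID().toString();
        sessions.put(token, ROLES.get(user));
        return token;
    }

    /** The revocable device token from the authentication tips: one call invalidates that device. */
    public void revoke(String token) { sessions.remove(token); }

    /** VULNERABLE: the mobile app transmits its role and the server believes it. */
    public boolean authorizeTrustingClient(Map<String, String> headers, String path) {
        Role claimed = Role.valueOf(headers.getOrDefault("X-Role", "USER"));
        return ACL.getOrDefault(path, Set.of()).contains(claimed);
    }

    /** FIXED: the role comes from the session; whatever the client says about itself is ignored. */
    public boolean authorize(Map<String, String> headers, String path) {
        Role role = sessions.get(headers.get("Authorization"));
        if (role == null) return false;                       // no session, or revoked
        return ACL.getOrDefault(path, Set.of()).contains(role); // unknown path => deny
    }

    public static void main(String[] args) {
        ServerSideAuthz server = new ServerSideAuthz();
        String aliceToken = server.login("alice", "alice-pw");

        // Alice's tampered app claims to be an admin.
        Map<String, String> headers = Map.of("Authorization", aliceToken, "X-Role", "ADMIN");

        System.out.println("trusting client, /api/admin/users : " + server.authorizeTrustingClient(headers, "/api/admin/users"));
        System.out.println("server-side,     /api/admin/users : " + server.authorize(headers, "/api/admin/users"));
        System.out.println("server-side,     /api/profile     : " + server.authorize(headers, "/api/profile"));
        System.out.println("server-side,     /api/hidden/debug: " + server.authorize(headers, "/api/hidden/debug"));

        server.revoke(aliceToken);
        System.out.println("after revoke,    /api/profile     : " + server.authorize(headers, "/api/profile"));
    }
}
```

The first line of output grants Alice the admin endpoint because the header is trusted; the server-side version grants only `/api/profile`, denies the admin path and the unlisted "hidden" path, and denies everything once the token is revoked. Requires Java 9 or later for `Map.of` / `Set.of`.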
52.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Client Code Quality
security decisions via untrusted inputs
(catch-all for code-level implementation problems in the mobile client, things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device)
53.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Code Tampering
(binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification)
• Android root detection (rootbeer)
• iOS jailbreak detection
Treat both as signals rather than guarantees: the same hooking tools they try to detect can patch the detection code itself, so the backend should not rely on the client's verdict.
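An added Android example (not code from the slides or from the RootBeer project) of two tamper signals: a check that the running APK is still signed with the release key, which catches a binary-patched and re-signed build, and the RootBeer root check named above. The hypothetical `RELEASE_CERT_SHA256_HEX` placeholder must be replaced with the real hash of your release certificate; the class needs API level 28 or later and the `com.scottyab:rootbeer-lib` dependency.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import com.scottyab.rootbeer.RootBeer;
import java.security.MessageDigest;

public final class IntegrityChecks {
    // Hypothetical placeholder: SHA-256 of the release signing certificate (DER), as printed by
    // "keytool -list -v -keystore release.jks". All zeros here; replace at build time.
    private static final String RELEASE_CERT_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** True only if the running APK is signed by the release key, i.e. it was not patched and re-signed. */
    public static boolean signedByReleaseKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] expected = hexToBytes(RELEASE_CERT_SHA256_HEX);
            for (Signature s : signers) {
                // MessageDigest.isEqual compares in constant time.
                if (MessageDigest.isEqual(sha256.digest(s.toByteArray()), expected)) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // fail closed: a signature that cannot be read is not a trusted one
        }
    }

    /** RootBeer's aggregate of su-binary, build-tag, writable-partition and similar checks. */
    public static boolean deviceLooksRooted(Context ctx) {
        return new RootBeer(ctx).isRooted();
    }

    /** Both signals combined; whether to degrade, warn or refuse is a product decision. */
    public static boolean runtimeIsTrusted(Context ctx) {
        return signedByReleaseKey(ctx) && !deviceLooksRooted(ctx);
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Both methods run inside the process they are judging, so a hooking framework can make them return `true`; the value is in raising the attacker's effort and in reporting the result to the backend, where it is one risk signal among others rather than an access decision.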
56.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Reverse Engineering
(analysis of the final core binary to determine its source code, libraries, algorithms, and other assets)
A good obfuscator will have the following abilities:
• Narrow down what methods / code segments to obfuscate;
• Tune the degree of obfuscation to balance performance impact;
• Withstand de-obfuscation from tools like IDA Pro and Hopper;
• Obfuscate string tables as well as methods
59.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Extraneous Functionality
hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment (a password accidentally left in a comment in a hybrid app, disabling of 2-factor authentication during testing)
• Debug flag left on in a configuration file
• Administrative endpoint exposed
• Backend details (URLs, parameters, error descriptions) written to the logs