Mobile Application Security

Transcription

1 Mobile Application Security Jack Mannino Anand Vemuri June 25, 2015

2 About Us Jack Mannino CEO at nvisium UI and UX development impaired Enjoys: Scala, Elixir Tolerates: Java Allergic To: Cats, Pollen,.NET Anand Vemuri AppSec Consultant at nvisium Tech Junkie, JavaScript Ninja Wannabe Software Dev-turned-Hacker Bamboo Flute Player

3 Disclaimer: Mobile device management (MDM) is not mobile application security.

4 What is Mobile Security? Access Privacy Safety Apps are built for users, so as developers we must ensure that users are not compromised

5 What s the big deal? Integration with many other services IoT Wearables Payments Other API s

6 Mobile Architectures and Attack Surface

7 Mobile Architectures and Attack Surface

8 Mobile Architectures and Attack Surface

9 Secure Communications Not Just HTTP Other protocols NFC Bluetooth/Bluetooth LE Issues related to Ignoring certificate exceptions Trusting all certificates Fallback to plain text Improper key exchange Weak algorithms/ciphers

10 Public Key Infrastructure Registration Authorities validate user identity Certificate Authority verifies and issues certificate Validation Authority validates certificate

11 Self-Signed Certs User can sign the cert by themselves. If apps accept selfsigned certs then attackers can execute SSL MITM attacks.

12 Demo: MITM

13 Certificate Pinning Pin the client-certificate known to be used to the server Removes CA from the equation Prevents against Self-Signed Cert attacks Significantly reduces threat of rogue certs *Note: If you are pentesting apps with cert pinning you can use ios Kill Switch or Android s SSL bypass tool. Use at your own risk!

14 Securing Communications Disable HTTP endpoints and avoid falling back to plain-text If a request over TLS fails, kill the socket, don t default back to HTTP. Don t use self-signed certs just because it s easier Use Certificate Pinning Perfect Forward Secrecy Use HSTS, use TLS, avoid SSL

15 Data Storage and Privacy Sensitive Info Shared Preferences SQLite Storage Access Framework Logs, caches, temp files, etc. Privacy What to collect Who to share it with Ask for consent

16 Storing Sensitive Information Avoid storing sensitive information in SQLite or Shared Preferences Attackers can trivially dump these databases If sensitive data must be stored on a client device, then the data store should be properly encrypted External Storage has weaker permissions. net/sqlcipher/

17 Privacy Collect only whatever data is needed for the app Do you know what gets sent to your ad and analytics services? Children s online privacy protection act coppa.org/

18 Privacy

19 Privacy

20 Demo: Insecure Data Storage

21 Encryption Encryption Symmetric/Asymmetric Encryption weak hashing weak algorithms and ciphers (ECB etc) Key Storage Keystore ephemeral (bad) hardcode or store Hardware-Backed Storage

22 Encryption

23 Authentication To a device pin/password biometrics, Smart Unlock To the local application local passcode To a remote service username/password certificates 3rd party provider/api

24 Remote Authentication Correct: Users should properly authenticate to the application and be granted a session token. Incorrect: Your imagination is the limit. Identity management is complicated

25 Authorization : Insecure Direct Object Reference Common Web Vulnerability OWASP A4 Backend service does not restrict references to restricted resources.

26 App-To-App Authorization Permissions - required to use certain APIs or components Intent filter - Specifies the criteria for Intents it accepts based on the intent s action, data, category etc. Exported By Default - Android Studio exports Services and Broadcast Receivers by default Malicious apps can leverage misconfigured permissions to abuse components within other apps

27 Demo: Abusing Broadcast Receivers

28 Conclusions Secure all communications! Certificate Pinning Store your data securely Encrypt any sensitive data on client. Respect User Privacy AuthN & AuthZ Permissions & Identity Don t trust users!

29 Thank You Jack Mannino, CEO of nvisium Linkedin: Blog: Anand Vemuri, AppSec Consultant at nvisium Linkedin: Blog: