Security Evaluation of Mobile Applications using 'App Report Cards': Android By Raul Siles October 2015
|
|
- Sybil Baker
- 8 years ago
- Views:
Transcription
1 Security Evaluation of Mobile Applications using 'App Report Cards': Android By Raul Siles October 2015 This article introduces the SANS SEC575 mobile 'App Report Cards' project and provides details on some of the analysis techniques used to scrutinize Android mobile applications (or apps) when searching for security vulnerabilities and exploitation opportunities. It offers as well suggestions for app developers to implement the desired security features, including some code examples and references. The corresponding SANS webcast by the author Raul Siles is available to watch here: evaluation- mobile- applications- app- report- cards The mobile 'App Report Cards' is a scoring and reporting system, distributed as Microsoft Excel spreadsheets in the form of card templates, for a consistent and thorough security analysis and evaluation of Android and ios mobile applications. Although the two most common mobile platforms worldwide Android and ios are part of the project, the details of the ios mobile report card won't be covered in this article, focusing just on some relevant Android checks. After taking an in- depth look at both reports cards, it is trivial to realize that some of the analysis items for evaluating Android apps do not differ from the items for analyzing ios apps. The reason is there are multiple common security features in both platforms, notably the evaluation of network traffic, TLS validation, and certificate checks. Additionally, there are similar checks in both platforms although these have to be evaluated using different tools and techniques, such as the detection and mitigation of bypass techniques of rooted or jailbroken devices, the suppression of system log messages, the protection of sensitive data at rest, or the detection and/or prevention of a debugger attached to the app at runtime. Finally, other items only apply to one platform or the other, notably mitigations for custom Intent handling misuse in Android or for URL handler misuse in ios. Therefore, the mobile 'App Report Cards', specifically designed as part of the "SANS SEC575: Mobile Device Security and Ethical Hacking" training ( provides penetration testers and mobile security analyst with a new guided security testing workflow to leverage the multiple tools and common techniques covered along the course to evaluate ios and Android mobile applications. These techniques cover various aspects that influence the security posture of mobile apps, including storage and file system usage inspection, and network activity monitoring, interception and manipulation. This information is complemented with application static and automated analysis and reverse engineering techniques, combining app code and behavior analysis for effective app penetration testing. Additionally, opportunities to manipulate application behavior are identified as part of the analysis process by inspecting and modifying the app code, inspecting critical app definitions and interacting with its interfaces and components at runtime.
2 Complementary, the mobile 'App Report Cards' provides a significant benefit to mobile application developers. The report helps them to review and apply the recommended countermeasures and protections to resolve identified flaws and meet the security expectations of each report card, while the scoring allows them to evaluate and track how the app security capabilities progress and mature over time throughout different app versions. As a result, each of the individual testing items reflected within the mobile 'App Report Cards' implicitly has one or multiple recommended evaluation techniques associated with them. These have to be applied by mobile security analyst to identify security flaws. Similarly, each of the test items implicitly has one or multiple suggested security recommendations associated with them, sometimes in the form of source code that implements the required fix or a switch that enables the desired security feature. These can be applied by mobile app developers to improve the security posture of the app and address the identified threats. As a professional penetration tester, I'm aware that the end goal of my security assessments is not just the identification and exploitation of vulnerabilities that expose the customer environment, but to provide practical and actionable recommendations to be able to fix those findings and improve the overall security posture of the target environment, in this article, the target mobile app. The mobile 'App Report Cards' is an effective and easy to use tool that facilitates this goal by complementing the penetration test report with a list of checks that can be tracked by the main target audience, the developers. The developers, in collaboration with the security team, are the ones that will ultimately be in charge of fixing the discovered flaws. The following mobile application security considerations are a reduced subset of some of the analysis techniques and mitigations behind the mobile 'App Report Cards'. Evaluating App Traffic Encryption Requirements One of the most significant security problems in mobile apps is the use of unencrypted network traffic. Multiple mobile studies in the past have emphasized the lack of proper transport encryption for all or some of the sensitive traffic exchanged by mobile apps, both in apps from small developer shops as well as large- scale official apps. Even when the app relies on HTTPS (TLS), the validation of certificates can fail. In this author's experience when assessing the security of mobile apps, sometimes developers forget to restore back the original validation code, leaving in place the relaxed certificate verification practices used during development, and ending up with a vulnerable official app in Google Play that accepts any certificate as valid. In other cases, the app validates the certificate properly, but provides the user the option to continue despite displaying a certificate warning or error (e.g. a very common scenario in the traditional web browser world, unless using HSTS).
3 The most common scenario is when the app accepts as valid any trusted certificate, using a criteria based on the current list of trusted Certification Authorities (CAs) available in the Android device. Thus, as a pen- tester, the only requirement to be able to bypass the default certificate validation process is to import in the Android credential storage of the device the root CA associated to the interception proxy being used. Security conscious developers, instead of relying on potentially untrustworthy root and intermediate authority chains, or end- user trust decisions, leverage certificate pinning in their Android apps through a custom X509TrustManager ( Certificate pinning implements the validation of the TLS server identity by matching the public key (rather than the server digital certificate) embedded in the Android app. From a pen- tester perspective, bypassing certificate pinning requires manipulating the Android app Dalvik bytecode or using low- level hooking functions from inside the device, trying to disable certificate validations. The usage of this advanced analysis techniques requires having root access in the Android device. Two of the most common Android tools used for this purpose make use of two completely different hooking frameworks, Android SSL TrustKiller ( SSL- TrustKiller) based on Cydia Substrate, and JustTrustMe ( based on Xposed. Additionally, Android apps might become vulnerable by implementing their own custom crypto functions or using known vulnerable crypto libraries, such as old versions of the OpenSSL library. In order to mitigate this risk, Google provides a default Dynamic Security Provider (named GmsCore_OpenSSL, Play- Services- Dynamic- Security- Provider), via Google Play Services (GPS), to provide secure network communications. Apps simply need to call the corresponding Google Play Services methods to ensure that they are running on a device that has the latest provider (or library). The provider is automatically updated to protect against known SSL/TLS exploits, such as those targeting the CVE vulnerability. This OpenSSL vulnerability leaves apps open to MitM (Man- in- the- Middle) attacks that can decrypt the TLS traffic and was fixed in GPS version 5.0 ( gms- provider.html). Developers can benefit from these capabilities by using high- level methods for interacting with encrypted network communications, like HttpsURLConnection. Complementary, developers can update a device's security provider by using the ProviderInstaller class, and specifically do it synchronously or asynchronously by calling the installifneeded() or installifneededasync() methods, respectively. The following asynchronous code sample checks if the provider is up to date, and updates it if necessary, when the app's is launched (main activity oncreate() method). It also implements the appropriate methods to manage different scenarios, such as when the
4 provider was already up- to- date or has been properly updated (onproviderinstalled(), proceeding to execute the secure network calls), or if the update process failed (onproviderinstallfailed()), although potentially it can be recovered by the user: public class MainActivity extends Activity implements ProviderInstaller.ProviderInstallListener { //Update the security provider when the activity is protected void oncreate(bundle savedinstancestate) { super.oncreate(savedinstancestate); ProviderInstaller.installIfNeededAsync(this, this); /** * This method is only called if the provider is * successfully updated (or is already up-to-date). protected void onproviderinstalled() { // Provider is up-to-date, app can make secure network calls. /** * This method is called if updating fails; the error code * indicates whether the error is recoverable. protected void onproviderinstallfailed(int errcode, Intent recoveryintent) { if (GooglePlayServicesUtil.isUserRecoverableError(errCode)) { // Recoverable error. Show a dialog prompting the user to // install/update/enable Google Play services. else { // Google Play services is not available. onproviderinstallernotavailable(); private void onproviderinstallernotavailable() { // This is reached if the provider cannot be updated for some // reason. App should consider all HTTP communication to be // vulnerable, and take appropriate action. In certain scenarios, even when the developer has taken the proper precautions to encrypt the app's traffic and validate certificates adequately, other third- party components used by
5 the app, such as ad libraries, can weaken the overall security posture of the app due to the exchange of unencrypted traffic. In ios 9.0, Apple introduced the Apple Transport Security (ATS) feature, expecting all apps to use TLS 1.2 by default and forcing app developers to specify exceptions if they need to use unencrypted network traffic. Similarly, in Android 6.0, Marshmallow, there is a new AndroidManifest.xml flag, usescleartexttraffic, that might require all network traffic to be TLS encrypted. Unfortunately this feature is set to "true" implicitly, not requiring encryption by default. Security- aware Android developers can switch it to "false" and prevent (on a best effort basis) an otherwise well- intentioned app from accidently using plaintext network traffic: <manifest <application android:usescleartexttraffic="false"> </application> Additionally, the new NetworkSecurityPolicy class associated to the app, in relation to StrictMode, allows the app developer to detect places where the app is inadvertently sending clear- text data across the network via the detectcleartextnetwork() method ( m- and- the- war- on- cleartext- traffic). The developer has the option to log the raw contents of the packet that triggered the violation or block further traffic on that socket to prevent accidental data leakage (and crash the app). Although for most Android apps, switching from plaintext HTTP to encrypted HTTPS is a simple code change, it is a complex infrastructure change that affects most of, if not all, the back- end servers the app communicates with. However, the recent transport security features promoted in the main mobile platforms make this a necessary step. Today is the right time for mobile developers to jump in! Expanding the mobile 'App Report Cards' The benefit of the 'App Report Cards' is that they can be easily expanded in two very specific but different ways when new features and security mechanisms are made available in the mobile platforms, like in Android Marshmallow (or Android 6.0, API level 23). On the one hand, current checks already available in the 'App Report Cards', such as the first one ("Does the app declare the minimum number of permissions necessary?"), can be extended with more in- depth analysis focused on the evaluation of the permissions requested by the app and the new runtime permission model introduced in Android 6.0. On the other hand, new checks can be included in the 'App Report Cards' to extend the assessment to cutting- edge topics, such as the new auto app backup feature available in Android 6.0. The next two sections cover in detail these two features. Evaluating App Permissions Requirements Android developers must declare the permissions required by the app in the AndroidManifest.xml file. In the traditional Android permission model, users are prompted to accept all app declared permissions at install time.
6 Unfortunately, developers frequently add more permissions than what is needed for the functionality implemented in the current app version. An assessment of the current app version might not disclose serious concerns regarding the requested permissions and associated functionality. However, future app updates might add extra capabilities that take advantage of permissions granted in the current version of the app, introducing new security or privacy threats. Additionally, closed- source third- party libraries used within the app could leverage extra features associated to those extra permissions and increase the exposure of sensitive information about the app, the device, or the user. The app permissions can be easily evaluated by inspecting the AndroidManifest.xml file, after converting it to the ASCII format using the axmlprinter tool ( a refactor of the original AXMLPrinter2 tool: $ java -jar./tools/axmlprinter/axmlprinter jar \ AndroidManifest.xml > AndroidManifest.txt.xml Alternatively, the permissions can be assessed as part of a broader evaluation focused on minimizing the permission and component exposure of Android apps. The excellent Drozer tool by MWR InfoSecurity ( allows the analyst to quickly identify the app permissions as well as the accessible app components (although this last topic is out of the scope of this article): dz> run app.package.info -a com.zillow.android.zillowmap Package: com.zillow.android.zillowmap Application Label: Zillow Process Name: com.zillow.android.zillowmap Version: Uses Permissions: - android.permission.internet - android.permission.access_wifi_state - android.permission.access_fine_location - android.permission.access_coarse_location - android.permission.read_phone_state - android.permission.get_accounts - android.permission.write_external_storage dz> run app.package.attacksurface com.zillow.android.zillowmap 5 activities exported 5 broadcast receivers exported 0 content providers exported 2 services exported Android 6.0 introduces a new runtime permission model ( where the user does not need to grant permissions at install or upgrade time. Instead, at runtime, the first time the app needs to invoke functionality that requires a particular permission, it presents the user a system dialog box requesting that specific permission.
7 Android permissions are divided into several protection levels, being the two most relevant ones normal and dangerous. Unfortunately, permissions belonging to the normal protection level are automatically granted at install time, as it is assumed by Google there is very little risk to the user's privacy or security. Besides that, the new runtime permission model does not provide a revoke option for normal permissions (PROTECTION_NORMAL). Normal permissions ( rmal- permissions.html) include, between others, network and Internet access, perform operations over NFC or Bluetooth (including discovery and pairing), request the installation of packages, kill background processes or set the system time zone. Additionally, in mid 2014 Google introduced the concept of simplified permissions in Android, currently known as permission groups. All Android dangerous permissions belong to a specific group based on their nature and purpose, such as for example capabilities to read and write the user's contacts (Contacts group), or to read, send or receive SMS messages (SMS group): CONTACTS permission group: READ_CONTACTS WRITE_CONTACTS GET_ACCOUNTS SMS permission group: SEND_SMS RECEIVE_SMS READ_SMS RECEIVE_WAP_PUSH RECEIVE_MMS If an app requests a dangerous permission listed in its manifest file, but the app has already obtained another dangerous permission in the same permission group (because the user has already approved it previously), the system immediately grants the new permission to the app without any interaction with the user. Developers should apply best programming and security practices ( practices.html) and minimize the number of permissions their app requests, only asking for permissions strictly needed. They can also even try to have their app use an Intent to request another app to perform a task, instead of have their app ask for permission to perform the operation itself. Copyright: Raul Siles for T he ESCAL I nstitute Of Advanced T echnology I nc., SANS Institute, 8120 Woodmont Avenue, Bethesda, , MD, USA
8 With the new Android runtime permission model, it is crucial for developers to explain to the user why their app requests a specific permission before calling requestpermissions(), the method used to show the permissions dialog box. On the one hand, the developer can inform the user incorporating these requests into an app tutorial. On the other hand, the developer can inform the user programmatically through the shouldshowrequestpermissionrationale() method ( This method returns true, in order to show the user an explanation, if the app has requested that specific permission previously and the user denied the request. The method returns false if the user turned down the permission request in the past and chose the "Don't ask again" option in the permission request system dialog, or if a device policy prohibits the app from having that permission (trying not to disturb the user). The following code sample checks if the app has the RECORD_AUDIO permission to get access to the device's microphone. If it does not have it, it first explains the user why the permission is required, and then shows the dialog to request that specific permission: if (ContextCompat.checkSelfPermission(thisActivity, Manifest.permission.RECORD_AUDIO)!= PackageManager.PERMISSION_GRANTED) { // Show an explanation if (ActivityCompat.shouldShowRequestPermissionRationale( thisactivity, Manifest.permission.RECORD_AUDIO)) { // Show an expanation to the user *asynchronously* else { // No explanation needed, we can request the permission. ActivityCompat.requestPermissions(thisActivity, new String[]{Manifest.permission.RECORD_AUDIO, MY_PERMISSIONS_REQUEST_RECORD_AUDIO); // MY_PERMISSIONS_REQUEST_RECORD_AUDIO is an // app-defined int constant. The callback method gets the // result of the request. Once the user interacts with the system dialog box and approves or denies the requested permission, the app onrequestpermissionsresult() callback method will be invoked. The developer needs to carefully implement tasks for both scenarios, as the permission might have been turned up or down by the user, enabling or disabling the functionality that depends on this permission, and for each permission requested, identified by the MY_PERMISSIONS_REQUEST_RECORD_AUDIO constant in the previous code sample.
9 Finally, during the transition period, developers should manage and test for both permissions models. Their recently updated app targeting devices running Android 6.0, that takes advantage of the new runtime permission model, can also be installed in devices running previous versions of Android, and still using the traditional permission model. Evaluating the App's Backup Policy Android 6.0 implements new auto app backup capabilities to automatically backup the apps private data in Google Drive. This feature is available by default for all apps. The app's private data is supposed to be stored in the cloud in an encrypted format. Although the user has the option to opt- out globally via the Settings app (unfortunately, this is an all or nothing proposition, where it is not possible to opt- out individually per app), security conscious app developers managing sensitive data can disable it. App developers can disable the auto app backup feature completely, with the associated drawback that this action will disable ADB backups too, or they can define a selective backup policy through a backup scheme configuration XML file, that determines the data that will be included or excluded from backups. The following element from the app's AndroidManifest.xml file completely prevents automatic backups of any of the app's data and files: <manifest <application android:allowbackup="false"> </application> The following attribute from the app's AndroidManifest.xml specifies an XML file located at "res/xml/backupscheme.xml" that contains the automatic backup rules for the app's data: <manifest <application android:fullbackupcontent="@xml/backupscheme"> </application> The syntax of the backup scheme configuration XML file specifying what files to include or exclude from backups is available at The following "backupscheme.xml" file sample defines a backup scheme that allows backing up all app files (the default is to backup everything) except a shared preferences file named "profile.xml" and a database file called "sessions.db": <full-backup-content> <exclude domain="sharedpref" path="profile.xml" /> <exclude domain="database" path="sessions.db" /> </full-backup-content>
10 Android developers need to be aware of these new features and their security implications ( developers.blogspot.com.es/2015/07/auto- backup- for- apps- made- simple.html), because as soon as their app targets the latest Android 6.0 version, API level 23, throughout the following manifest file directive, the device will automatically backup all the app data in Google Drive: <manifest <uses-sdk android:targetsdkversion="23"/> <application </application> Conclusion The process of thoroughly evaluating and analyzing the security of mobile applications can be a daunting and complex task. Sometimes, in the process of performing consistent testing by the analysts or applying all the recommendations by the developers, critical steps can be miss evaluated or miss implemented and leave applications exposed. To address these shortcomings, the 'App Report Cards' goal is to consistently apply a testing process and use specific techniques to identify and remediate common vulnerabilities in mobile applications. The 'App Report Cards' project, available at includes a couple of completed app analysis samples: E.g. oovoo for ios and Zillow for Android. The format, scoring, and outline of these cards are open for feedback from the community. If you want to learn how to apply, evaluate and mitigate all the different items included in the mobile 'App Report Cards' leveraging specific tools and techniques, consider taking the SANS SEC575 course! Raul Siles will be teaching "SANS SEC575: Mobile Device Security and Ethical Hacking" at the end of this year in Dubai (Oct 17-22, 2015), region- 2015/course/mobile- device- security- ethical- hacking, and London (Nov 16-21, 2015), /course/mobile- device- security- ethical- hacking. About the author Raul Siles is founder and senior security analyst at DinoSec. For over a decade, he has applied his expertise performing advanced technical security services and innovating offensive and defensive solutions for large enterprises and organisations in various industries worldwide. He has been involved in security architecture design and reviews, penetration tests, incident handling, intrusion and forensic analysis, security assessments and vulnerability disclosure, web applications, mobile and wireless environments, and security research in new technologies. Throughout his career, starting with a strong technical background in networks, systems and applications in mission critical environments, he has worked as an information security expert, engineer, researcher and
11 penetration tester at Hewlett Packard, as an independent consultant, and on his own companies, Taddong and DinoSec. Raul is a certified instructor for the SANS Institute, regularly teaching penetration testing courses. He is an active speaker at international security conferences and events, such as RootedCON, Black Hat, OWASP, BruCON, etc. Mr. Siles is author of security training courses, blogs, books, articles, and tools, and actively contributes to community and open- source projects. He loves security challenges, and has been a member of international organisations, such as the Honeynet Project or the SANS Internet Storm Center. Raul is one of the few individuals worldwide who have earned the GIAC Security Expert (GSE) designation, as well as many other certifications. Raul holds a master's degree in computer science from UPM (Spain) and a postgraduate in security and e- commerce. More information at (@raulsiles) and (@dinosec).
WebView addjavascriptinterface Remote Code Execution 23/09/2013
MWR InfoSecurity Advisory WebView addjavascriptinterface Remote Code Execution 23/09/2013 Package Name Date Affected Versions Google Android Webkit WebView 23/09/2013 All Android applications built with
More informationABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications
Reverse Engineering ios Applications Drew Branch, Independent Security Evaluators, Associate Security Analyst ABSTRACT' Mobile applications are a part of nearly everyone s life, and most use multiple mobile
More informationBest Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.
Best Practice Guide (SSL Implementation) for Mobile App Development 流 動 應 用 程 式 (SSL 實 施 ) 最 佳 行 事 指 引 香 港 電 腦 事 故 協 調 中 心 ] Jointly published by [ 專 業 資 訊 保 安 協 會 ] Hong Kong Computer Emergency Response
More informationBYPASSING THE ios GATEKEEPER
BYPASSING THE ios GATEKEEPER AVI BASHAN Technology Leader Check Point Software Technologies, Ltd. OHAD BOBROV Director, Mobile Threat Prevention Check Point Software Technologies, Ltd. EXECUTIVE SUMMARY
More informationMobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus
Mobile Application Hacking for ios 3-Day Hands-On Course Syllabus Course description ios Mobile Application Hacking 3-Day Hands-On Course This course will focus on the techniques and tools for testing
More informationInstallation and usage of SSL certificates: Your guide to getting it right
Installation and usage of SSL certificates: Your guide to getting it right So, you ve bought your SSL Certificate(s). Buying your certificate is only the first of many steps involved in securing your website.
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationHow To Test For Security On A Network Without Being Hacked
A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few
More informationUNITED STATES OF AMERICA FEDERAL TRADE COMMISSION
UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION 132 3091 COMMISSIONERS: Edith Ramirez, Chairwoman Julie Brill Maureen K. Ohlhausen Joshua D. Wright ) In the Matter of ) DOCKET NO. ) Credit Karma, Inc.,
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationThreat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue
Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationANDROID APPS DEVELOPMENT FOR MOBILE AND TABLET DEVICE (LEVEL I)
ANDROID APPS DEVELOPMENT FOR MOBILE AND TABLET DEVICE (LEVEL I) Who am I? Lo Chi Wing, Peter Lecture 1: Introduction to Android Development Email: Peter@Peter-Lo.com Facebook: http://www.facebook.com/peterlo111
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationEnterprise Apps: Bypassing the Gatekeeper
Enterprise Apps: Bypassing the Gatekeeper By Avi Bashan and Ohad Bobrov Executive Summary The Apple App Store is a major part of the ios security paradigm, offering a central distribution process that
More informationMobile Application Security Study
Report Mobile Application Security Study 2013 report Table of contents 3 Report Findings 4 Research Findings 4 Privacy Issues 5 Lack of Binary Protection 5 Insecure Data Storage 5 Transport Security 6
More informationBlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide
BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry
More information1 0 0 V i l l a g e C o u r t H a z l e t, N J 0 7 7 3 0, U S A Tel: +1 (732) 416-7722 w w w. p a l i n d r o m e t e c h. c o m.
Impart Assurance Instill Trust Inspire Confidence Mike Stauffer Advanced mobile data networks and the promise of accessing mission critical apps anytime from anywhere are two reasons behind the increase
More informationAdministration Guide. BlackBerry Enterprise Service 12. Version 12.0
Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationIs Your SSL Website and Mobile App Really Secure?
Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION. Julie Brill Maureen K. Ohlhausen Joshua D. Wright Terrell McSweeny
132 3089 UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION COMMISSIONERS: Edith Ramirez, Chairwoman Julie Brill Maureen K. Ohlhausen Joshua D. Wright Terrell McSweeny In the Matter of DOCKET
More informationSSL implementieren aber sicher!
SSL implementieren aber sicher! Karlsruher Entwicklertag 2014 21.05.2014 Dr. Yun Ding SSL in the news 2011 2012 2013 2014 BEAST CRIME Lucky 13 Compromised CAs RC4 biases BREACH DRBG Backdoor Apple goto
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationMcAfee Web Gateway Administration Intel Security Education Services Administration Course Training
McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction
More informationImplementation Vulnerabilities in SSL/TLS
Implementation Vulnerabilities in SSL/TLS Marián Novotný novotny@eset.sk ESET, spol. s r.o. Bratislava, Slovak Republic Abstract SSL/TLS protocol has become a standard way for establishing a secure communication
More informationCompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001
CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required
More informationThe Risks that Pen Tests don t Find. OWASP 13 April 2012. The OWASP Foundation http://www.owasp.org
The Risks that Pen Tests don t Find 13 April 2012 Gary Gaskell Infosec Services gaskell@infosecservices.com 0438 603 307 Copyright The Foundation Permission is granted to copy, distribute and/or modify
More informationSpecific recommendations
Background OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationIAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner johannes.feichtner@iaik.tugraz.at IAIK
Motivation 2 Advanced Computer Networks 2015/2016 Johannes Feichtner johannes.feichtner@iaik.tugraz.at What you have heard last time Mobile devices: Short history, features Technical evolution, major OS,
More informationInternet Banking System Web Application Penetration Test Report
Internet Banking System Web Application Penetration Test Report Kiev - 2014 1. Executive Summary This report represents the results of the Bank (hereinafter the Client) Internet Banking Web Application
More informationSecuring ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH
Securing ios Applications Dr. Bruce Sams, OPTIMAbit GmbH About Me President of OPTIMAbit GmbH Responsible for > 200 Pentests per Year Ca 50 ios Pentests and code reviews in the last two years. Overview
More informationIntroduction to Mobile Access Gateway Installation
Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationSSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust
SSL Interception Proxies Jeff Jarmoc Sr. Security Researcher Dell SecureWorks and Transitive Trust About this talk History & brief overview of SSL/TLS Interception proxies How and Why Risks introduced
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationBYOD Guidance: BlackBerry Secure Work Space
GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationHTTPS Inspection with Cisco CWS
White Paper HTTPS Inspection with Cisco CWS What is HTTPS? Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). It is a combination of HTTP and a
More informationPentesting Android Apps. Sneha Rajguru (@Sneharajguru)
Pentesting Android Apps Sneha Rajguru (@Sneharajguru) About Me Penetration Tester Web, Mobile and Infrastructure applications, Secure coding ( part time do secure code analysis), CTF challenge writer (at
More informationSYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules
Must have skills in any penetration tester's arsenal. MASPT at a glance: 10 highly practical modules 4 hours of video material 1200+ interactive slides 20 Applications to practice with Leads to emapt certification
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationIndependent Security. Prepared for:
Independent Security Report (isr) Prepared for: isec Partners Final Report Independent Security Report (isr) Page 2 of 10 2014, isec Partners, Inc. Prepared by isec Partners, Inc. for Wickr. Portions of
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationPenetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015
For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6
More informationAPPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced
More informationCourse Descriptions November 2014
Master of Science In Information Security Management Course Descriptions November 2014 Master of Science in Information Security Management The Master of Science in Information Security Management (MSISM)
More informationThis session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.
The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationMobile Application Security Report 2015
Mobile Application Security Report 2015 BY Author : James Greenberg 1 P a g e Executive Summary Mobile Application Security Report 2015 The mobile application industry is growing exponentially at an explosive
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationConfiguration Guide BES12. Version 12.3
Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing
More information10 Quick Tips to Mobile Security
10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22
More informationUsing EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience
Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience Applied Technology Abstract The Web-based approach to system management taken by EMC Unisphere
More informationMobile Application Security
Mobile Application Security Jack Mannino Anand Vemuri June 25, 2015 About Us Jack Mannino CEO at nvisium UI and UX development impaired Enjoys: Scala, Elixir Tolerates: Java Allergic To: Cats, Pollen,.NET
More informationSecurity and Vulnerability Testing How critical it is?
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
More informationBUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations
BUILDING SECURITY IN Analyzing Mobile Single Sign-On Implementations Analyzing Mobile Single Sign-On Implementations 1 Introduction Single sign-on, (SSO) is a common requirement for business-to-employee
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationQualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015
QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.
More informationAndroid & ios Application Vulnerability Assessment & Penetration Testing Training. 2-Day hands on workshop on VAPT of Android & ios Applications
Android & ios Application Vulnerability Assessment & Penetration Testing Training 2-Day hands on workshop on VAPT of Android & ios Applications Course Title Workshop on VAPT of Android & ios Applications
More informationWhen Security Gets in the Way. PenTesting Mobile Apps That Use Certificate Pinning
When Security Gets in the Way PenTesting Mobile Apps That Use Certificate Pinning Justine Osborne Alban Diquet Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox
More informationAGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions
MOBILE APPLICATIONS AGENDA Background The Attack Surface Case Studies Binary Protections Bypasses Conclusions BACKGROUND Mobile apps for everything == lots of interesting data Banking financial Social
More informationWPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies" (srublev@ptsecurity.ru)
WPAD TECHNOLOGY WEAKNESSES Sergey Rublev Expert in information security, "Positive Technologies" (srublev@ptsecurity.ru) MOSCOW 2009 CONTENTS 1 INTRODUCTION... 3 2 WPAD REVIEW... 4 2.1 PROXY AUTO CONFIGURATION
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationPresented by Evan Sylvester, CISSP
Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information
More informationthe cross platform mobile apps dream Click to edit Master title style Click to edit Master text styles Third level Fourth level» Fifth level
Click to edit Master title style Click to edit Master text styles The Second nightmare level behind Third level the cross platform Fourth level» Fifth level mobile apps dream Marco Grassi @marcograss MGrassi@nowsecure.com
More informationTutorial on Smartphone Security
Tutorial on Smartphone Security Wenliang (Kevin) Du Professor wedu@syr.edu Smartphone Usage Smartphone Applications Overview» Built-in Protections (ios and Android)» Jailbreaking and Rooting» Security
More informationBuilding a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved
Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing
More informationInformation Security Engineering
Master of Science In Information Security Engineering Course Descriptions November 2014 Master of Science in Information Security Engineering The program of study for the Master of Science in Information
More informationPenetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box
Penetration Testing Penetration Testing Types Black Box oless productive, more difficult White Box oopen, team supported, typically internal osource available Gray Box (Grey Box) omixture of the two Methods
More informationEnd User Devices Security Guidance: Apple ios 8
GOV.UK Guidance End User Devices Security Guidance: Apple ios 8 Published Contents 1. Changes since previous guidance 2. Usage scenario 3. Summary of platform security 4. How the platform can best satisfy
More informationService Manager and the Heartbleed Vulnerability (CVE-2014-0160)
Service Manager and the Heartbleed Vulnerability (CVE-2014-0160) Revision 1.0 As of: April 15, 2014 Table of Contents Situation Overview 2 Clarification on the vulnerability applicability 2 Recommended
More informationInspection of Encrypted HTTPS Traffic
Technical Note Inspection of Encrypted HTTPS Traffic StoneGate version 5.0 SSL/TLS Inspection T e c h n i c a l N o t e I n s p e c t i o n o f E n c r y p t e d H T T P S T r a f f i c 1 Table of Contents
More informationCYBERTRON NETWORK SOLUTIONS
CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified
More informationSecurity-as-a-Service (Sec-aaS) Framework. Service Introduction
Security-as-a-Service (Sec-aaS) Framework Service Introduction Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency
More information2015 Vulnerability Statistics Report
2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service
More informationGetting Started Guide
BlackBerry Web Services For Microsoft.NET developers Version: 10.2 Getting Started Guide Published: 2013-12-02 SWD-20131202165812789 Contents 1 Overview: BlackBerry Enterprise Service 10... 5 2 Overview:
More informationAndroid Security. Giovanni Russello g.russello@auckland.ac.nz
Android Security Giovanni Russello g.russello@auckland.ac.nz N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationSecurity Testing Guidelines for mobile Apps
The OWASP Foundation http://www.owasp.org Security Testing Guidelines for mobile Apps Florian Stahl Johannes Ströher AppSec Research EU 2013 Who we are Florian Stahl Johannes Ströher Lead Consultant for
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationConfiguration Guide BES12. Version 12.1
Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationConfiguration Guide BES12. Version 12.2
Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining
More informationMobile Device Management for CFAES
Mobile Device Management for CFAES What is Mobile Device Management? As smartphones and other mobile computing devices grow in popularity, management challenges related to device and data security are
More informationREDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance
REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,
More informationConfiguration Guide. BlackBerry Enterprise Service 12. Version 12.0
Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...
More informationAdobe Flash Player and Adobe AIR security
Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,
More informationGuidance End User Devices Security Guidance: Apple ios 7
GOV.UK Guidance End User Devices Security Guidance: Apple ios 7 Updated 10 June 2014 Contents 1. Changes since previous guidance 2. Usage Scenario 3. Summary of Platform Security 4. How the Platform Can
More informationSmartwatch Security Research
Smartwatch Security Research Overview This report commissioned by Trend Micro in partnership with First Base Technologies reveals the security flaws of six popular smartwatches. The research involved stress
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More information