How Security Testing can ensure Your Mobile Application Security
Yohannes, CEHv8, ECSAv8, ISE, OSCP (PWK)
Information Security Consultant
Once More
Consulting & Advisory Services: IT Governance, IT Strategic Plan, Information Security, IT Service Management, IT Risk

Information Security Services
- Vulnerability Assessment
- ISMS Implementation
- Penetration Test
- PCI DSS Compliance
- Security Assessment Test
- Source Code Review
- Information Security Risk Assessment
- Information Security Assurance
- Local Regulation (PBI 9/15, PTK 008 SKK Migas)
- Secure SDLC
- Ethical Hacking and Fundamental Information Security Services
- Incident Response / Incident Handler
- Digital Forensic
- Secure Programming
- Cloud Security
- ISO 27001
- Information Security Training
- Managed Security Services: Log Analysis, Security Incident Management, Security Event Management

Layer of Protection (from Strategic to Operational)
- Business & Process
- People
- Data & Information
- Application
- Infrastructure
- Analysis and Reporting

End to End Security Solution and Consulting Services
Layers: Business & Process, People, Data & Information, Application, Infrastructure
- Information Security Assurance
- Information Security Risk Assessment
- Secure SDLC
- ISMS (ISO 27001) Implementation
- PCI DSS Compliance
- PBI 9/5, PTK 008 SKK Migas & other Regulation
- Business Continuity
- Information Security Training and Awareness
- Data Encryption, Data Backup, Data Masking
- Mail Protection, Data Leak Prevention, Encrypted Communication
- Two Factor Authentication, Two Step Verification
- Next Generation IPS / IDS, Next Generation Firewall, Web Application Firewall
- Mobile Security Management, Endpoint Protection, Anti Virus / Anti Malware
- Cloud Security, Secure Identity Management
- Vulnerability and Patch Management, Network Access Control
- Security Incident and Event Management, Unified Threat Management (UTM)
- Anti DDoS & DoS Protection
- Managed Security Services, Incident Response
Information Security at a Glance
Information Security Defined
Ensures that information is readily available when required (availability), protected against disclosure to unauthorized users (confidentiality), and protected against improper modification (integrity).
Source: Information Systems Audit and Control Association (ISACA)
WHY WE NEED IT? (* REMINDER)
[Figures] Left: Howard F. Lipson, Ph.D., "Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues", 2002. Right: Secunia Advisory.
Source: Carnegie Mellon University, copyright 1998-2003
Sample Cases Around the World
Triangle of Security: Security, Functionality, Ease of Use
Threat Source and Motivation (NIST SP 800-30)

Threat Source | Motivation | Threat Actions
Hacker, Cracker | Challenge, Ego, Rebellion | Hacking, Social Engineering, System Intrusion, Unauthorized System Access
Computer Criminal | Destruction of Information, Illegal Information Disclosure, Monetary Gain, Unauthorized Data Alteration | Computer Crime, Fraud, Spoofing, System Intrusion
Terrorist | Blackmail, Destruction, Exploitation, Revenge | Bomb, Information Warfare, System Attack
Industry Espionage | Competitive Advantage, Economic Advantage | Economic Exploitation, Information Theft, Intrusion to Personal Privacy, Social Engineering, System Penetration, Unauthorized System Access
Insiders | Curiosity, Ego, Intelligence, Monetary Gain, Revenge | Assault on Employee, Blackmail, Computer Abuse, Fraud and Theft, Interception, Malicious Code, System Bug, System Intrusion, System Sabotage, Social Engineering, System Penetration, Unauthorized System Access
Mobile Application Security Study
HP SAYS: TOP 4 MOBILE APPLICATION VULNERABILITIES
1. Simple binary hardening: failed
2. Insecure storage (doesn't use encryption when storing data)
3. Username and password are sent over HTTP
4. Vulnerability on the web server
Source: Mobile Application Security Study, HP (more than 2.000 apps)
OWASP SAYS: Top 10 Mobile Risks - 2014
M1 Weak Server Side Control
M2 Insecure Data Storage
M3 Insufficient Transport Layer Protection
M4 Unintended Data Leakage
M5 Poor Authorization and Authentication
M6 Broken Cryptography
M7 Client Side Injection
M8 Security Decision via Untrusted Input
M9 Improper Session Handling
M10 Lack of Binary Protection
Source: OWASP Mobile Security Project - Top Ten Mobile Risks - 2014
And, Ponemon Institute says:
[Chart] Potential Security Risk Within IT Environment 2010-2014
Source: 2014 User-Centric Risk, Ponemon Institute with Lumension
Concept of Security Testing
IN AN INSTANT: Security Testing = Threat and Vulnerability
MOBILE APPLICATION SECURITY ASSESSMENT
- Information Gathering
- Extraction & Reverse Engineering: decryption and de-obfuscation process
- Static Analysis: reverse engineering the compiled application
- Dynamic Analysis: memory and file system analysis
- Misc. Check: other web app issues, server side, & 3rd party support
- Transmission Process
- Session Management
- Access Control
iOS Application Security Testing
- System Security -> iOS itself
- Encryption and Data Protection -> still on iOS, such as NSFileProtection
- Application Security -> here we are!
- Network Security -> you could see it from the name.
Source: SANS Institute InfoSec Reading Room
iOS Application Security Testing
- Information Gathering
- Application Traffic Analysis
- Insecure Data Storage
- Runtime Analysis
Source: iOS Application Security Testing Cheat Sheet
Demonstration
STUDY CASE #1: WEAK SERVER SIDE CONTROL
Battle Camp (#17 App Store Role Playing Games)
Logic manipulation of a parameter in the request to the server.
Scenario

STUDY CASE #1: HOW TO?
- Install the fake digital certificate;
- Intercept every piece of traffic you get (such as request / response);
- Read every request and response parameter;
- Learn the logic;
- Manipulate the parameter's value.

STUDY CASE #2: BROKEN VALIDATION
WhatsApp Messenger (#3 App Store Social Networking)
Broken validation of the iDevice's identity.
Scenario

STUDY CASE #2: HOW TO?
- No jailbroken iDevice needed (for iOS < 8.3);
- Install the Data Path application for iOS 8.3 until 8.4;
- Copy all the contents of the application's sandbox from the victim's iDevice;
- Paste the contents into the attacker's iDevice;
- Run the application normally.

STUDY CASE #3: INSECURE DATA STORAGE
Twitter (#7 App Store Social Networking)
Insecure storage of the user's DMs, even after the user has already logged out.
Scenario

STUDY CASE #3: HOW TO?
- No jailbroken iDevice needed (for iOS < 8.3);
- Install the Data Path application for iOS 8.3 until 8.4;
- Read every sensitive piece of content in the application's sandbox.
And many more... and then, the latest one is:
STUDY CASE #4 - #6: LACK OF BINARY PROTECTIONS / RUNTIME ANALYSIS
Study case #4: Bypassing LINE's Passcode
Mistake: Passcode's class.
Nice response: "We cannot guarantee whether LINE or any other integrated apps will work correctly if your device is modified in such a way that it is unavailable to receive official OS Support."
Demo

Study case #5: Bypassing iPassword's Passcode
Mistake: Passcode's class (at logincontroller).
Response: no response.
The Problem

Study case #6: Bypassing Telegram's Passcode
Mistake:
- Unrestricted menu could be called from the passcode display
- Collision on the "Turn Passcode On" feature
Nice response: "Data Protection should be enabled."
Zimperium vs Telegram
The Problem

STUDY CASE #4 - #6: HOW TO?
- A jailbroken iDevice is needed (many kinds of tools, up to iOS 8.4);
- Decrypt the application's binary (Clutch);
- Dump the application's binary into readable classes (Class-Dump-Z);
- Read the classes manually (TextEdit, Notepad, etc., or using snoop-it);
- Push the interesting things directly into memory (Cycript).
IS IT A SECURITY ISSUE?
- Business point of view (transactional vs social media / instant messaging): RISK
- Data Protection? Agree. But: simple vs complex passcode.
- Jailbroken iDevice needed! Agree! But the range between JB tools and patch: 7.0 series to 7.1; 8.0 series to 8.1; 8.1 series to 8.2; 8.2 series to 8.3.
- IP Box: US$297, up to 111 hours.
MORE INFO
Preventing / avoiding (maybe) the runtime analysis:
- Debugger checker with SEC_IS_BEING_DEBUGGED_RETURN_NIL();
- Using the ptrace function (PT_DENY_ATTACH) to prevent the attacker from attaching a debugger to the application;
- Change the method to an "unreadable" method;
- The process to configure the passcode, lock, unlock, and anything related to these processes should not be accessible from the login screen, so the attacker couldn't call it from the key window or delegate object directly.
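The two debugger checks listed above, as an added example in C that is not part of the original slides: it assumes the Apple sysctl()/ptrace() interfaces on Apple platforms and a /proc/self/status "TracerPid" fallback elsewhere, and the SEC_IS_BEING_DEBUGGED_RETURN_NIL macro is my own rendering of the one the slide names.

```c
/* Added example (not from the slides): the debugger checks the slide names, the
 * P_TRACED flag via sysctl() and ptrace(PT_DENY_ATTACH), compiled on Apple only.
 * Elsewhere it reads "TracerPid:" from /proc/self/status so it runs anywhere.
 * Caveat: on a jailbroken device these calls can be hooked; they only raise the bar. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <unistd.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#define PT_DENY_ATTACH 31   /* the iOS SDK ships no sys/ptrace.h; value from XNU */
int ptrace(int request, pid_t pid, caddr_t addr, int data);
#endif
/* Return the TracerPid value from /proc/self/status text (0 = no tracer). */
int tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : 0;
}

/* 1 if a debugger is attached right now, else 0. */
int is_being_debugged(void)
{
#ifdef __APPLE__
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return 0;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}

/* Ask the kernel to refuse later debugger attachment (no-op off Apple). */
void deny_debugger_attach(void)
{
#ifdef __APPLE__
    ptrace(PT_DENY_ATTACH, 0, 0, 0);
#endif
}
/* Our rendering of the slide's macro: leave an object-returning method early when traced. */
#define SEC_IS_BEING_DEBUGGED_RETURN_NIL() do { if (is_being_debugged()) return NULL; } while (0)
```

Call deny_debugger_attach() as early as possible (e.g. from a constructor or main) and place the macro at the top of the passcode-handling methods; a tester on a jailbroken device will look for exactly these calls, so treat them as one layer, not the protection.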
QUOTES
"Given enough man hours, an exploit will be found." (Sebastian Anthony)
"As a developer: Make the hacker's job as difficult as possible." (Prateek)
Mitra Integrasi Informatika, PT, APL Tower 37th floor
* Web & Mobile Apps, Infrastructures, EDC, and many more.
The End