(In-)Security of Backend-as-a-Service

Similar documents
(In)Security of Backend-as-a-Service

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt Secure Software Engineering Group Steven Arzt 1

Harvesting Developer Credentials in Android Apps

Smartphone Security for Android Applications

Chapter 9 PUBLIC CLOUD LABORATORY. Sucha Smanchat, PhD. Faculty of Information Technology. King Mongkut s University of Technology North Bangkok

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Cloud Computing. Adam Barker

Threat Modeling Cloud Applications

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

ITP 342 Mobile App Development. APIs

Assignment # 1 (Cloud Computing Security)

Cloud-Security: Show-Stopper or Enabling Technology?

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Addressing Security for Hybrid Cloud

Building Cloud-powered Mobile Apps

CLOUD TECHNOLOGY IMPLEMENTATION/SECURITY

ITP 140 Mobile Technologies. Mobile Topics

An Introduction to Cloud Computing Concepts

SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features

Cloud Models and Platforms

Salesforce Mobile Push Notifications Implementation Guide

Amazon WorkDocs. Administration Guide Version 1.0

Cloud computing - Architecting in the cloud

Background on Elastic Compute Cloud (EC2) AMI s to choose from including servers hosted on different Linux distros

Configuring user provisioning for Amazon Web Services (Amazon Specific)

Security Issues In Cloud Computing and Countermeasures

Best Practices for Using MySQL in the Cloud

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Creating a DUO MFA Service in AWS

IBM Cloud Academy Conference ICACON 2015

NCTA Cloud Architecture

Using the Push Notifications Extension Part 1: Certificates and Setup

Aneka Dynamic Provisioning

Building Secure Applications. James Tedrick

The Android Developers Guide to 3 rd -Party SDK Assessment and Security

Discovering passwords in the memory

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

How to Grow and Transform your Security Program into the Cloud

AWS Account Management Guidance

Secure Your Mobile Workplace

Security Issues in Cloud Computing

ur skills.com

Choosing the Best Mobile Backend

Hyperoo 2.0 A (Very) Quick Start

How To Use Titanium Studio

Introduction to Oracle Mobile Application Framework Raghu Srinivasan, Director Development Mobile and Cloud Development Tools Oracle

Service Product: IBM Cloud Automated Modular Management (AMM) for SAP HANA One

Applying Cryptography as a Service to Mobile Applications

Administering Jive Mobile Apps

1 What is Cloud Computing? Cloud Infrastructures OpenStack Amazon EC CAMF Cloud Application Management

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Defending Behind The Device Mobile Application Risks

AWS Lambda. Developer Guide

Improve your mobile application security with IBM Worklight

Cloud Security:Threats & Mitgations

SECURING SELF-SERVICE PASSWORD RESET

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

Web Application Deployment in the Cloud Using Amazon Web Services From Infancy to Maturity

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Cloud Powered Mobile Apps with Azure

Cloud Storage Security

Intrusion Detection in the Cloud

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

Cloud Computing and Attacks

Dynamic Query Updation for User Authentication in cloud Environment

AWS Import/Export. Developer Guide API Version

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Jordan Jozwiak November 13, 2011

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

Where every interaction matters.

Securing the Cloud infrastructure with IBM Dynamic Cloud Security

FACING SECURITY CHALLENGES

Securing Platform as a Service: A Technical Whitepaper on Security Practices at CloudBees

SERVER CLOUD DISASTER RECOVERY. User Manual

Cloud Computing Trends

Secure Messaging Server Console... 2

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

1 Overview Configuration on MACH Web Portal 1

WebView addjavascriptinterface Remote Code Execution 23/09/2013

Deploy Remote Desktop Gateway on the AWS Cloud

What Do You Mean My Cloud Data Isn t Secure?

Top 10 Cloud Risks That Will Keep You Awake at Night

Elastic Detector on Amazon Web Services (AWS) User Guide v5

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Transcription:

(In-)Security of Backend-as-a-Service Siegfried Rasthofer (TU Darmstadt / CASED) Steven Arzt (TU Darmstadt / CASED) Robert Hahn (TU Darmstadt) Max Kolhagen (TU Darmstadt) Eric Bodden (Fraunhofer SIT / TU Darmstadt) 13.11.15 BlackHat Europe 2015 1

#Whoami Siegfried Rasthofer 3rd year PhD-Student at TU Darmstadt Research interest in static-/dynamic code analyses AOSP exploits, App security vulnerabilities Talks at academic as well as industry conferences Steven Arzt 3rd year PhD-Student at TU Darmstadt Maintainer of the Soot and FlowDroid frameworks Works on static program analysis Likes to look for vulnerabilities 13.11.15 BlackHat Europe 2015 2

Access to 56 Mio non-public records... Remote code execution... Full VM control...... with ease 13.11.15 BlackHat Europe 2015 3

IaaS PaaS?? SaaS 13.11.15 BlackHat Europe 2015 4

BaaS 13.11.15 BlackHat Europe 2015 5

13.11.15 BlackHat Europe 2015 6 Security?

13.11.15 BlackHat Europe 2015 7

Agenda Introducing BaaS Security Analysis Findings Countermeasures The Wishlist Conclusion 13.11.15 BlackHat Europe 2015 8

Backend-as-a-Service (1) APP BaaS SDK Cloud 13.11.15 BlackHat Europe 2015 9

Backend-as-a-Service (2) Android ios BaaS JavaScript... 13.11.15 BlackHat Europe 2015 10

Backend-as-a-Service (3) Push Notifications Data Storage User Administration... Social Network 13.11.15 BlackHat Europe 2015 11

BaaS SDK Amazon Tutorial DB connection AmazonS3Client s3client = new AmazonS3Client( new BasicAWSCredentials( ACCESS_KEY_ID, SECRET_KEY ) ); 13.11.15 BlackHat Europe 2015 12

BaaS SDK Amazon Tutorial DB connection AmazonS3Client s3client = new AmazonS3Client( new BasicAWSCredentials( ACCESS_KEY_ID, SECRET_KEY ) ); When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do. Source: http://docs.aws.amazon.com/ 13.11.15 BlackHat Europe 2015 13

BaaS SDK Amazon Tutorial DB connection AmazonS3Client s3client = new AmazonS3Client( new BasicAWSCredentials( ACCESS_KEY_ID, SECRET_KEY ) ); (username) (password) The AWS SDKs use your access keys to sign requests for you so that you don't have to handle the signing process http://docs.aws.amazon.com/ Secret access keys are, as the name implies, secrets, like your password Jim Scharf Director, AWS Identity and Access Management 13.11.15 BlackHat Europe 2015 14

IT Security 101 Peter Identification Hi, I am Peter Server Authentication My password is Secret123 Authorization "I am allowed to access foo.txt 13.11.15 BlackHat Europe 2015 15

App Authentication Model App Identification Hi, I am app <Application ID> Server Authentication My <Secret Key> is in the app??? Identification?? = Authentication 13.11.15 BlackHat Europe 2015 16

App Authentication Model Peter Server Howard 13.11.15 BlackHat Europe 2015 17

Developer Opinion Q: [...] The App-Secret key should be kept private - but when releasing the app they can be reversed by some guys. I want to know what is the best thing to encrypt, obfuscate or whatever to make this secure. [...] (Source: stackoverflow.com) NO!!!! R: Few ideas, in my opinion only first one gives some guarantee: 1. Keep your secrets on some server on internet, and when needed just grab them and use. 2. Put your secrets in jni code 3. use obfuscator 4. Put your secret key as last pixels of one of your image in assets (Source: stackoverflow.com) 13.11.15 BlackHat Europe 2015 18

Let s go for it SECURITY ANALYSIS 13.11.15 BlackHat Europe 2015 19

Pre-Analysis (Parse example) + public void oncreate() { java.lang.string $S1, $S2; $S1 = 34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e"; $S2 = pb7olni0jsep3fpjfq9wvhboowgaoqcsw98bf7e3"; staticinvoke <Parse: void initialize(context, String, String)>(this, $S1, $S2); } User Table 13.11.15 BlackHat Europe 2015 20

Pre-Analysis result: All records were accessible Few developers used obfuscation techniques ( security by obscurity ) 13.11.15 BlackHat Europe 2015 21

let s get ready for a mass-analysis 13.11.15 BlackHat Europe 2015 22

Mass Analysis Pre-Analysis Apk 1 Apk 2... Library- Detection Key- Extraction Tablename Extraction Apk n Exploit Information Concrete Database Information Exploit-Generator 13.11.15 BlackHat Europe 2015 23

Pre-Analysis Apk 1 Apk 2... Library- Detection Key- Extraction Tablename Extraction Apk n Exploit Information How can we extract specific information (e.g. strings) from Apks? Concrete Database Information Exploit-Generator 13.11.15 BlackHat Europe 2015 24

APK Information Extraction $S1 = 34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e"; $S2 = pb7olni0jsep3fpjfq9wvhboowgaoqcsw98bf7e3"; staticinvoke <Parse: void initialize(context, String, String)>(this, $S1, $S2); 1. API Identification 2. Information Extraction: Static Dynamic Hybrid 13.11.15 BlackHat Europe 2015 25

HARVESTER (Hybrid Data Extraction) Hybrid Harvesting Runtime Data in Android Applications for Identifying Malware and Enhancing Code Analysis Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden Technical Report, February 2015. 13.11.15 BlackHat Europe 2015 26

Apk 1 Data Pre-Analysis Access Apk 2... Apk n Library- Detection Key- Extraction Tablename Extraction 34lI1wgISkIUpTunWRAzXei20H3N AL7W6buKTe7e" pb7olni0jsep3fpjfq9wvhboowgaoq CSW98BF7e3" Exploit Information CreditCardDataTable" ContactDataTable"... Concrete Database Information Exploit-Generator BaaS API 13.11.15 BlackHat Europe 2015 27

So how bad is it? OUR FINDINGS 13.11.15 BlackHat Europe 2015 28

Findings Parse Precise car accident Information Pictures User-centric location data Birthday Information Contact data Facebook Information - User s friends - User s blocked friends Phone numbers Purchase data Valid email addresses 13.11.15 BlackHat Europe 2015 29

Findings Parse (2) Intercepted SMS messages C&C tasks Leaked data C&C commands We know what you did this summer: Android Banking Trojan exposing its sins in the cloud Siegfried Rasthofer, Eric Bodden, Carlos Castillo, Alex Hinchliffe VirusBulletin 2015, AVAR 2015 13.11.15 BlackHat Europe 2015 30

Responsible Disclosure Process Parse (Facebook) Full access to 100 tables Partial access to 32 tables ( ~56 Mio Data) 28th April 2015 5th Mai 2015 18th Mai 2015 Contacted Facebook with a few samples Facebook verified it and asked for more data We provided all information 20th Mai 2015 12th Nov 2015 Facebook forwarded everything to Parse (we assume they contacted the developers) Full access to 99 tables Partial access to 33 tables 13.11.15 BlackHat Europe 2015 31

Findings Amazon (3) Server Backups Baby Growth Data Photos 13.11.15 BlackHat Europe 2015 32

Findings Amazon (4) Private Messages Lottery Data Web Page Content 13.11.15 BlackHat Europe 2015 33

How can we get it right? COUNTERMEASURES 13.11.15 BlackHat Europe 2015 34

IT Security 101: ACLs Peter X X Peter s stuff Howard Howard s stuff 13.11.15 BlackHat Europe 2015 35

Recall: App Authentication Model Peter Server Howard 13.11.15 BlackHat Europe 2015 36

Two BaaS Usage Scenarios Authenticated User Anonymous Users 13.11.15 BlackHat Europe 2015 37

Two BaaS Usage Scenarios ACL Authenticated User ACL Anonymous Users 13.11.15 BlackHat Europe 2015 38

ACLs in The App Security Model Peter Peter s stuff Howard X X Howard s stuff Anonymous Users Public stuff 13.11.15 BlackHat Europe 2015 39

Amazon Key Hierarchy (1) 13.11.15 BlackHat Europe 2015 40

Amazon Key Hierarchy (2) Root Account (AWS Account) App1 Account App2 Account Peter s Account Howard s Account 13.11.15 BlackHat Europe 2015 41

Amazon Token Vending Machine (1) Sample available, final implementation is on you Needs hosting. Tomcat, Elasticbeanstalk anyone? 13.11.15 BlackHat Europe 2015 42

Amazon Token Vending Machine (2) Although you will need to use your AWS account credentials to deploy the TVM, we recommend that you do not run the TVM under your AWS account. Instead, create an IAM user and configure the TVM to use the credentials of this IAM user, which we will call the TVM user. So, we have S3, TVM, IAM, Elastic Beanstalk 13.11.15 BlackHat Europe 2015 43

Amazon Token Vending Machine (3) What if I want ACLs? Identity TVM samples do exist, but You would need to modify the provided samples in order to implement these user-specific policy objects. For more information about policy objects, see the Identity and Access Management (IAM) documentation 13.11.15 BlackHat Europe 2015 44

Amazon Cognito (1) Provides Identity Management Real users Anonymous identities Rather New Service Not commonly used yet 13.11.15 BlackHat Europe 2015 45

Amazon Cognito (2) Note: If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito Console, select your identity pool, click Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes. 13.11.15 BlackHat Europe 2015 46

Amazon Cognito (5) AWS Credentials 13.11.15 BlackHat Europe 2015 47

Amazon Cognito (6) (1) User credentials or nothing (2) Temporary AWS credentials Amazon Cognito (3) Temporary AWS credentials S3 13.11.15 BlackHat Europe 2015 48

Parse.com ACLs (1) Source: http://blog.parse.com/learn/engineering/parsesecurity-ii-class-hysteria/ 13.11.15 BlackHat Europe 2015 49

Parse.com ACLs (2)? 0x1238409 Cloud http://blog.parse.com/announcements/protect-userdata-with-new-parse-features/ 13.11.15 BlackHat Europe 2015 50

Parse.com ACLs (3) Anonymous users are special, however, in that once logged out, the user cannot be recovered a new user will need to be created, and the original user (and its associated data) will be orphaned. Double-check your cloud storage space! 13.11.15 BlackHat Europe 2015 51

Parse.com Global Settings Get this wrong and offer free disk space to anyone! Source: http://blog.parse.com/learn/engineering/parsesecurity-ii-class-hysteria/ 13.11.15 BlackHat Europe 2015 52

What now? THE WISHLIST 13.11.15 BlackHat Europe 2015 53

What shall change? Improved Documentation Checks and Alerts Legal Framework 13.11.15 BlackHat Europe 2015 54

Takeaway Messages Security in the cloud doesn t come for free Attacks are free, effortless, and simple Mitigation techniques exist Ø People must care about them Ø Secure your apps now we re there! 13.11.15 BlackHat Europe 2015 55

Siegfried Rasthofer Secure Software Engineering Group Email: siegfried.rasthofer@cased.de Twitter: @CodeInspect Steven Arzt Secure Software Engineering Group Email: steven.arzt@cased.de Blog: http://sse-blog.ec-spride.de Website: http://sse.ec-spride.de 13.11.15 BlackHat Europe 2015 56

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information