MOBILE APPLICATION SECURITY

Similar documents
Advanced ANDROID & ios Hands-on Exploitation

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

OWASP Mobile Top Ten 2014 Meet the New Addition

Security Testing Guidelines for mobile Apps

Where every interaction matters.

Android & ios Application Vulnerability Assessment & Penetration Testing Training. 2-Day hands on workshop on VAPT of Android & ios Applications

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Mobile Application Security and Penetration Testing Syllabus

Enterprise Application Security Workshop Series

elearning for Secure Application Development

ios Testing Tools David Lindner Director of Mobile and IoT Security

BYOD: End-to-End Security

Web App Security Audit Services

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Pentesting Android Apps. Sneha Rajguru

Mobile Application Security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Network Test Labs (NTL) Software Testing Services for igaming

Mobile & Security? Brice Mees Security Services Operations Manager

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Data Loss Prevention Whitepaper. When Mobile Device Management Isn t Enough. Your Device Here. Good supports hundreds of devices.

Defending Behind The Device Mobile Application Risks

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

Pentesting Mobile Applications

Research on Situation and Key Issues of Smart Mobile Terminal Security

Mobile Application Security Testing ASSESSMENT & CODE REVIEW

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Table of Contents 7 8

SECURING MOBILE APPLICATIONS

Workday Mobile Security FAQ

SOOKASA WHITEPAPER SECURITY SOOKASA.COM

PCI Security Standards Council

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

Cloud Security:Threats & Mitgations

Mobile Application Security

Penetration Testing for iphone Applications Part 1

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Hacking your Droid ADITYA GUPTA

Consolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality

SENSE Security overview 2014

Mobile Device Penetration Testing Framework and Platform for the Mobile Device Security Course

Rational AppScan & Ounce Products

Pentesting iphone Applications. Satishb3

SERENA SOFTWARE Serena Service Manager Security

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

5th Annual State of Application Security Report Perception vs. Reality

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

User Guide FOR TOSHIBA STORAGE PLACE

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Learning Course Curriculum

Testing the OWASP Top 10 Security Issues

The OWASP Foundation

MASTER'S THESIS. Android Application Security with OWASP Mobile Top James King 2014

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Sitefinity Security and Best Practices

Information Security Services

The Security Behind Sticky Password

Is Your SSL Website and Mobile App Really Secure?

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

Web Application Report

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

What is Web Security? Motivation

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

End User Devices Security Guidance: Apple ios 8

The Misuse of RC4 in Microsoft Word and Excel

How To Test For Security On A Mobile Device

Gold Lock Desktop White Paper

WHITEPAPER MOBILE REMOTE PATIENT MONITORING. Author: Arif Nasim Head of Mobility Practice

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Reducing Application Vulnerabilities by Security Engineering

Mobile Application Security Report 2015

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Password Management Evaluation Guide for Businesses

BYOzzzz: Focusing on the Unsolved Challenges of Mobility, An Industry Perspective

Concierge SIEM Reporting Overview

Mobility, Security Concerns, and Avoidance

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

CS5008: Internet Computing

OWASP Top Ten Tools and Tactics

Samsung SDS. Enterprise Mobility Management

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

SSL A discussion of the Secure Socket Layer

The Behavioral Analysis of Android Malware

Mobile Application Security Study

An Aujas White Paper MITIGATING SECURITY RISKS IN USSD-BASED MOBILE PAYMENT APPLICATIONS. By Suhas Desai

Transcription:

Innovate, Integrate, Transform MOBILE APPLICATION SECURITY By Ramkumar Murugadoss and Arif Nasim WHITEPAPER www.altencalsoftlabs.com

Objective The objective of this paper is to help the developer community across organizations apply necessary security mechanisms while building their mobile applications. The exponential growth in the number of mobile devices and solutions has led to vulnerability in mobile applications being more common especially for applications that deal with personal and sensitive data transactions. Attackers target these applications to steal sensitive user data. Although many mobile applications do provide high security mechanisms, there is still room to provide improved security. Key factors driving mobile application vulnerability include the following. Sensitive information storage in mobile The hard coded values Application binary reversing/decompiling Sensitive data transport between mobile application and server Key Challenges and Threats Mobile applications face multitude of challenges and threats, extending across areas including operating system, database and networks. Few prominent ones are given below. The attacker who can crack the application may interrupt the server as well Applications may leak data, when it is connected to vulnerable networks Using constant keys and values inside the application makes it vulnerable to the de-compilation tools Data stored inside the application using preferences/sqlite can be easily dumped The key threats and trends have been cited as OS manageability and updates, security policies and malware attacks targeting the customer applications that use value transactions. The Risk analysis According to OWASP (Open Web Application Security Project) the following are the top 10 risks on mobile application security Insecure Data Storage Weak Server Side Controls Insufficient Transport Layer Protection Client Side Injection Poor Authorization and Authentication Improper Session Handling Security Decisions Via Untrusted Inputs Side Channel Data Leakage Broken Cryptography Sensitive Information Disclosure

Listed above are the risks that mainly deal with user s data. In addition to these, the applications also face risks like de-compilation of the app s binaries using tools that leads to sensitive data leakage and might give a chance to attack the server if the API details are exposed. The image below covers the most common tools that can be used to de-compile/reverse engineer the Android & ios binaries. ApkTool Dex2Jar Smali Bytecode-Viewer Android loadble Kernal Modules CodeInspect JEB Androguard Reverse Engineering Arsenals dexdisassembler Fern Flower JD-Gui Fino APK Studio Figure 1: Android tools Introspy-Android SleuthKit Mac-robber ios SSL Kill Switch inalyzer idb snoop-it Introspy XSecurity Dynamic Analysis Tools ios Arsenal Forensic Tools Oxygen Forensics Suite Mobilyze Paraben Device Seizure iphone Analyzer Mobile Sync Browser iphone Backup Broswer Class Dump Z ispy Logify iret cycript ios Reverse Engineering Figure 2: ios tools Disassemblers Tools IDA Pro Hopper App otool strings nm

Common Security Vulnerabilities 1. Storing sensitive data on Mobile Most of the mobile applications have the need to store the data (it may be user specific or some sensitive data which the server requires to sync with the mobile app) on the mobile app. The possible ways of storing data in the mobile app are SQLite (Database), App s Preferences or File storage. Storing the sensitive data using anyone of these options makes it hackable. For example, if the information is stored using SQLite, the SQLite files can be easily copied and it can be viewed through any SQLite browser available. The data stored in preferences can be easily dumped using few commands and as we all know very well, the files can easily be copied from a device. 2. Data on Transport layer Any information from server to the mobile app will have to go through the network. There are packet sniffer tools available which the attackers can use to view the data packets and trace the requests and the responses, thereby exposing user s sensitive information. Apart from this the attacker can also override the responses to the mobile apps by manipulating the firewall policies. 3. App de-compilation/reverse engineering There are tools available to de-compile the app s binary, shown in figures 1 & 2. In this case the app s business logic can be traced and it will enable easy access for the attackers to play with the mobile app. By de-compilation, the app s code/data becomes visible and vulnerable for manipulation. Preventing the Security Vulnerabilities With the above stated vulnerabilities, following are the approaches that can be taken to secure the mobile app and the data. Encryption & Decryption of data Storing any sensitive data on the mobile is vulnerable. On the other hand, storing the encrypted data on the mobile reduces the chance of vulnerability. There various encryption & decryption algorithms like AES, DES, RSA, etc. that help in securing the code and storing the encrypted data in the preference or SQLite. SQLChiper SQLChiper is an encrypted database, which is an open source library and provides AES-256 bit encryption for the SQLite database files. In general the SQLite files are exposable and can be viewed through SQLite browsers, so storing sensitive data on SQLite can be dangerous. The SQLChiper provides a mechanism where the database files can be encrypted hiding the complete table structure of the SQLite.

Using Native Objects (.so files) Another method to hide the sensitive information and the confidential business logic can be done by linking the native objects (.so) files with the application. The de-compilation of shared objects is complicated and to get the information from those files may be possible but is definitely not so easy. The native objects linked with the mobile application can be called only by that application and the complete application logic can be hidden inside the native objects. Obfuscation Obfuscation is a method to make the source code difficult for understanding. If the app binary is de-compiled, the complete source code will be visible to the attackers. In order to confuse attackers, the source code can be obfuscated. In general, obfuscation will complicate the source to understand by restructuring the classes and methods. Apart from this few obfuscators also provide features like byte code which makes it an extremely hard task to de-compile and use. Focus areas for mobile application security testing From a security perspective, following are 4 major areas to concentrate while doing mobile app testing. File System Testing the data that the app is writing to the device s file system and also how this data is being stored. Application layer Testing the app s communication with the web-services, if it is HTTP or SSL, and verifying the communication layer security. Transport layer Application reversing Testing how the app is communicating over the network and the data security of the app over network. Testing how the app is exposing the source code when decompiling the app s binary. Conclusion References While mobile applications certainly bring enormous opportunities for businesses on the go, the potential risks are increasing day by day. Need of the hour is to implement adequate security measures for the mobile applications to secure their users and data. The insights outlined in this whitepaper shall provide much needed insight into the mobile security, threat analysis and a checklist for http://www.gartner.com/newsroom/id/3127418 http://www.decompilingandroid.com/mobile-app-security/ top-10-mobile-security-risks/ https://www.owasp.org/images/9/95/ ASDC12-Smart_Bombs_Mobile_Vulnerability_and_Exploitation.pdf https://www.owasp.org/index.php/owasp_mobile_security_project https://www.owasp.org/index.php/owasp_mobile_security_project#tab=m-tools evaluation of various security threats before they can cause harm. http://sqlcipher.net ABOUT ALTEN CALSOFT LABS ALTEN Calsoft Labs is a next gen digital transformation, enterprise IT and product engineering services provider. The company enables clients innovate, integrate, and transform their business by leveraging disruptive technologies like mobility, big data, analytics, cloud, IoT and software-defined networking (SDN/NFV). ALTEN Calsoft Labs provides concept to market offerings for industry verticals like education, healthcare, networking & telecom, hi- tech, ISV and retail. Headquartered in Bangalore, India, the company has offices in US, Europe and Singapore. ALTEN Calsoft Labs is a part of ALTEN group, a leader in technology consulting and engineering services. www.altencalsoftlabs.com business@altencalsoftlabs.com ALTEN Calsoft Labs. All rights Reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information