Mobile Application Security




Mobile Application Security
Jack Mannino, Anand Vemuri
June 25, 2015

About Us
- Jack Mannino: CEO at nvisium. UI and UX development impaired. Enjoys: Scala, Elixir. Tolerates: Java. Allergic to: cats, pollen, .NET.
- Anand Vemuri: AppSec Consultant at nvisium. Tech junkie, JavaScript ninja wannabe, software dev turned hacker, bamboo flute player.

Disclaimer: Mobile device management (MDM) is not mobile application security.

What is Mobile Security?
- Access
- Privacy
- Safety
Apps are built for users, so as developers we must ensure that users are not compromised.

What's the big deal?
Integration with many other services:
- IoT
- Wearables
- Payments
- Other APIs

Mobile Architectures and Attack Surface

Secure Communications
- Not just HTTP. Other protocols: NFC, Bluetooth/Bluetooth LE
- Issues related to:
  - Ignoring certificate exceptions
  - Trusting all certificates
  - Fallback to plain text
  - Improper key exchange
  - Weak algorithms/ciphers

Public Key Infrastructure
- Registration Authorities validate user identity
- Certificate Authority verifies and issues the certificate
- Validation Authority validates the certificate

Self-Signed Certs
Anyone can sign a cert themselves. If an app accepts self-signed certs, an attacker can present their own certificate for the server's hostname and execute an SSL MITM attack.

Demo: MITM

Certificate Pinning
- Pin the server's certificate (or its public key) in the client, so the app only trusts the key it expects
- Removes the CA from the equation
- Prevents self-signed cert attacks
- Significantly reduces the threat of rogue certs
*Note: If you are pentesting apps with cert pinning you can use iOS SSL Kill Switch or Android's SSL bypass tool. Use at your own risk!
https://github.com/isecpartners/ios-ssl-kill-switch
https://github.com/isecpartners/android-ssl-bypass

Securing Communications
- Disable HTTP endpoints and avoid falling back to plain text. If a request over TLS fails, kill the socket; don't default back to HTTP.
- Don't use self-signed certs just because it's easier
- Use certificate pinning
- Use perfect forward secrecy
- Use HSTS, use TLS, avoid SSL
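The two halves of the communications advice above, as an added example that is not code from the talk: the "trust everything" TrustManager/HostnameVerifier pattern that makes the MITM demo work, beside an OkHttp client that keeps normal validation and additionally pins the server's public key, and a fetch that fails closed instead of retrying over plaintext. The host "api.example.com", the pin values and the URL path are placeholders; OkHttp 3.x on the classpath is assumed.

```java
// Added example (not from the talk). Assumptions: host, pins and path are placeholders;
// OkHttp 3.x is available.
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class TlsExamples {

    // INSECURE: every certificate, including an attacker's self-signed one, is accepted.
    // This is the "trusting all certificates" issue from the slides; an interception
    // proxy with any cert will be accepted without error.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // INSECURE: the cert may be valid for some other name entirely; we say it matches.
    static final HostnameVerifier VERIFY_NOTHING = (hostname, session) -> true;

    // Compute the "sha256/<base64 SPKI hash>" pin for a certificate you already hold
    // (your server's leaf or intermediate). Do this at build time, never at runtime
    // from whatever certificate the peer happens to present.
    static String pinFor(Certificate cert) {
        return CertificatePinner.pin(cert);
    }

    // SECURE: the platform trust store and hostname verification stay in place, and the
    // presented chain must additionally contain a public key matching one of the pins.
    // Pin a backup key too, or a key rotation bricks every installed client.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("api.example.com",
                        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // placeholder: current key
                        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")   // placeholder: backup key
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Fail closed: when the pinned TLS request fails, surface the error. There is no
    // http:// retry branch here, which is the whole point.
    static String fetchOrFail(OkHttpClient client) throws IOException {
        Request req = new Request.Builder().url("https://api.example.com/v1/me").build();
        try (Response resp = client.newCall(req).execute()) {
            return resp.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch or untrusted chain: refuse to downgrade.
            throw new IOException("TLS validation failed; refusing to fall back to plaintext", e);
        }
    }
}
```

With `pinnedClient()`, an interception proxy that the device trusts (a user-installed CA, for instance) still fails the pin check, which is exactly why pentesters reach for the SSL kill-switch tools mentioned above. The `TRUST_ALL` and `VERIFY_NOTHING` objects are shown only as the anti-pattern to grep for in a code review.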

Data Storage and Privacy
Sensitive info:
- Shared Preferences
- SQLite
- Storage Access Framework
- Logs, caches, temp files, etc.
Privacy:
- What to collect
- Who to share it with
- Ask for consent
http://www.coppa.org/
https://www.ftc.gov/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission

Storing Sensitive Information
- Avoid storing sensitive information in SQLite or Shared Preferences: attackers can trivially dump these databases from a rooted device or an app backup
- If sensitive data must be stored on a client device, the data store should be properly encrypted
- External storage has weaker permissions
https://www.zetetic.net/sqlcipher/

Privacy
- Collect only the data the app needs
- Do you know what gets sent to your ad and analytics services?
- Children's Online Privacy Protection Act: http://www.coppa.org/


Demo: Insecure Data Storage

Encryption
- Symmetric/asymmetric encryption
- Weak hashing
- Weak algorithms and ciphers (ECB, etc.)
- Key storage:
  - Keystore
  - Ephemeral (bad)
  - Hardcoded or stored keys
  - Hardware-backed storage


Authentication
- To a device: PIN/password, biometrics, Smart Unlock
- To the local application: local passcode
- To a remote service: username/password, certificates, 3rd-party provider/API

Remote Authentication
- Correct: users properly authenticate to the application and are granted a session token.
- Incorrect: your imagination is the limit. Identity management is complicated.

Authorization: Insecure Direct Object Reference
- Common web vulnerability (OWASP Top 10 2013, A4)
- The backend service does not restrict references to restricted resources: any caller who can guess or enumerate an object identifier can reach that object.

App-To-App Authorization
- Permissions: required to use certain APIs or components
- Intent filter: specifies the criteria for the Intents a component accepts, based on the Intent's action, data, category, etc.
- Exported by default: a component that declares an intent filter is reachable from other apps unless the manifest sets android:exported="false"; Android Studio's generated Services and Broadcast Receivers are exported by default
- Malicious apps can leverage misconfigured permissions to abuse components within other apps

Demo: Abusing Broadcast Receivers
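The hardened counterpart to the broadcast receiver abuse demoed above, as an added example that is not code from the talk: the receiver is not exported, is guarded by a signature-level permission the app defines, still validates the Intent it gets, and the in-app sender targets its own package and requires the permission of any receiver. The package, permission and action names are placeholders; the manifest fragment in the comment is the assumed declaration.

```java
// Added example (not from the talk). Assumptions: package "com.example.app", the
// permission and action names are placeholders.
//
// Assumed AndroidManifest.xml entries (signature protection level means only apps
// signed with the same key as this one can hold the permission):
//   <permission android:name="com.example.app.permission.INTERNAL"
//               android:protectionLevel="signature" />
//   <uses-permission android:name="com.example.app.permission.INTERNAL" />
//   <receiver android:name=".SessionEventReceiver"
//             android:exported="false"
//             android:permission="com.example.app.permission.INTERNAL">
//       <intent-filter>
//           <action android:name="com.example.app.action.SESSION_EVENT" />
//       </intent-filter>
//   </receiver>
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

public class SessionEventReceiver extends BroadcastReceiver {
    static final String PERMISSION_INTERNAL = "com.example.app.permission.INTERNAL";
    static final String ACTION_SESSION_EVENT = "com.example.app.action.SESSION_EVENT";
    static final String EXTRA_EVENT = "event";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Defence in depth: even a permission-protected receiver does not trust its input.
        if (intent == null || !ACTION_SESSION_EVENT.equals(intent.getAction())) return;
        String event = intent.getStringExtra(EXTRA_EVENT);
        if (event == null) return;
        switch (event) {
            case "logout":
                // clear local session state here
                break;
            default:
                // unknown command: ignore rather than act on attacker-chosen values
                break;
        }
    }

    // Runtime registration with the same protection as the manifest entry. From API 33
    // the flag is required; RECEIVER_NOT_EXPORTED keeps other apps from reaching it.
    static void register(Context ctx, SessionEventReceiver r) {
        IntentFilter f = new IntentFilter(ACTION_SESSION_EVENT);
        if (Build.VERSION.SDK_INT >= 33) {
            ctx.registerReceiver(r, f, PERMISSION_INTERNAL, null, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(r, f, PERMISSION_INTERNAL, null);
        }
    }

    // Sender side: setPackage() keeps the broadcast out of other apps' receivers, and the
    // receiverPermission argument means only holders of the permission get delivery.
    static void sendLogout(Context ctx) {
        Intent i = new Intent(ACTION_SESSION_EVENT)
                .setPackage(ctx.getPackageName())
                .putExtra(EXTRA_EVENT, "logout");
        ctx.sendBroadcast(i, PERMISSION_INTERNAL);
    }
}
```

The demo's attack works because a receiver with an intent filter and no permission accepts a broadcast from any app on the device; the combination of `android:exported="false"`, a signature-level `android:permission`, and a sender that sets the target package closes each of those openings independently, so a mistake in one does not reopen the receiver.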

Conclusions
- Secure all communications! Certificate pinning.
- Store your data securely. Encrypt any sensitive data on the client.
- Respect user privacy.
- AuthN & AuthZ: permissions & identity. Don't trust users!

Thank You
Jack Mannino, CEO of nvisium
Twitter: @jack_mannino
LinkedIn: https://www.linkedin.com/pub/jackmannino/7/2b7/562
Blog: https://blog.nvisium.com/
Anand Vemuri, AppSec Consultant at nvisium
LinkedIn: https://www.linkedin.com/pub/anandvemuri/58/15/348
Twitter: @brownhat57
Blog: http://brownhat57.blogspot.com