SAP MOBILE: ATTACK & DEFENSE

Similar documents
SAP Mobile Platform 3.0 Overview. Jeff Gebo Customer Experience Group June 10th, 2014

SAP Business Objects Attacks: Espionage and Poisoning of BI Platforms

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

SAP Mobile Platform Intro

SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features

The SAProuter An Internet Window to your SAP Platform (and beyond)

What s New in SAP Mobile Platform 3.0

SAP Fiori - Architecture

CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed?

Business-Driven, Compliant Identity Management

How Oracle MAF & Oracle Mobile Cloud can Accelerate Mobile App Development

ORACLE MOBILE APPLICATION FRAMEWORK DATA SHEET

SAP Mobile Strategy June 2012

ATTACKS TO SAP WEB APPLICATIONS

SAP Mobile Platform rapid-deployment solution

Five Strategies Small and Medium Enterprises Can Use to Successfully Implement High Value Business Mobility

Certification Guide Network Connectivity for SAP on Premise and Cloud Solutions Integration

ORACLE ADF MOBILE DATA SHEET

Customer Master Presentation - Contents

SAP Mobile Documents. December, 2015

BUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING SAP NetWeaver IDENTITY MANAGEMENT

SAP BusinessObjects Business Intelligence 4 Innovation and Implementation

ENTERPRISE MOBILITY STRATEGY. We work for you, not your technology vendors.

Fiori Frequently Asked Technical Questions

SAP Fiori Design rapid-deployment solution

Solution Guide. Sybase Mobile Sales for SAP CRM 1.2

Mobility for SAP CRM. Features. Highlights

Introduction to Oracle Mobile Application Framework Raghu Srinivasan, Director Development Mobile and Cloud Development Tools Oracle

Securely. Mobilize Any Business Application. Rapidly. The Challenge KEY BENEFITS

LVS Troubleshooting Common issues and solutions

SAP Mobile Platform Apple of the Enterprise

Sybase Unwired Platform 2.0

SAP Work Manager 6.0 Mobile App Extended Feature List

R/3 and J2EE Setup for Digital Signature on Form 16 in HR Systems

POINT-TO-POINT vs. MEAP THE RIGHT APPROACH FOR AN INTEGRATED MOBILITY SOLUTION

SAP BusinessObjects SOLUTIONS FOR ORACLE ENVIRONMENTS

How To Be Successful

Auditing the Security of an SAP HANA Implementation

UI Framework Simple Search in CRM WebClient based on NetWeaver Enterprise Search (ABAP) SAP Enhancement Package 1 for SAP CRM 7.0

... Introduction Acknowledgments... 19

Build your own Fiori hybrid mobile app rapidly using SAP Web IDE Marc Anderegg, SAP SESSION CODE: BT404

Mobile Access Software Blade

IT Self Service and BYOD Markku A Suistola

SAP. Penetration Testing. with Onapsis Bizploit. Mariano Nuñez. Di Croce. HITB Security Conference, Dubai. April 22,

Compliant, Business-Driven Identity Management using. SAP NetWeaver Identity Management and SBOP Access Control. February 2010

SAP Business One OnDemand. SAP Business One OnDemand Solution Overview

CHANNEL PARTNER (VAR) Technical Support Network. SAP Global Service & Support March 2011

Securing Enterprise Mobility for Greater Competitive Advantage

SAP BusinessObjects Edge BI, Preferred Business Intelligence. SAP BusinessObjects Portfolio SAP Solutions for Small Businesses and Midsize Companies

SAP Document Center. May Public

Ariba Network Integration to SAP ECC

SAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management

How to Extend a Fiori Application: Purchase Order Approval

The Next Wave in Mobility for Enterprise Asset Management Karsten Hauschild, LoB EAM, SAP Labs Bill Padula, VP Business Solutions, Syclo

IBM Cognos Mobile Overview

Introducing the SAP Business One starter package. A Great Start to help you to Streamline Your Small Business

SAP Business One mobile app for Android Version 1.0.x November 2013

SAP Learning Hub: Learning Rooms. List of available and upcoming learning rooms as of March 2015

Mobility Strategy Update. Julie Tregurtha Head of Mobility Sales: SAP Africa

Improve your mobile application security with IBM Worklight

Customer Centric Banking. June 2014, IBU Banking, SAP

HANA Cloud Platform mobile services. SAP FORUM, SLOVAKIA May 2015 Peter Vanicek SAP UX/Mobile Services EMEA

RUN BETTER Become a Best-Run Business with Remote Support Platform for SAP Business One

Gateway Apps - Security Summary SECURITY SUMMARY

SAP Mobile Platform 3.0

The increasing popularity of mobile devices is rapidly changing how and where we

Agentry and SMP Metadata Performance Testing Guidelines for executing performance testing with Agentry and SAP Mobile Platform Metadata based

Extending Oracle Applications on Mobile Using Oracle MAF and Oracle Mobile Security

2015 Vulnerability Statistics Report

Creating a Fiori Starter Application for sales order tracking

ENTERPRISE SYSTEMS. ERP Architecture through 3 eras 9/5/2010. Fall Information Systems Implementation

SAP CRM Service Manager 3.1 Mobile App Extended Feature List An extended list of all the features included in the default delivery of the SAP CRM

Learn how to build a Mobility Roadmap in 3 simple steps. Piyush Bhandari, VP - ERP Services NA Systech, a Softtek Company

Extend the SAP FIORI app HCM Timesheet Approval

SAP Work Manager. Opinion Piece. Introduction to SAP Work Manager. How It Works

SAP Fiori Infrastructure rapid-deployment solution: Software and Delivery Requirements

ERP Quotation and Sales Order in CRM WebClient UI Detailed View. SAP Enhancement Package 1 for SAP CRM 7.0 CRM Sales - SFA

Ten Reasons to Choose SAP for Enterprise Mobility. Copyright/Trademark

SAP Sybase SQL Anywhere New Features Improve Performance, Increase Security, and Ensure 24/7 Availability

Middleware- Driven Mobile Applications

B2B E-COMMERCE. B2B concepts

SAP HANA Cloud Platform Mobile Services

Landscape Design and Integration. SAP Mobile Platform 3.0 SP02

Mobile app for Android Version 1.0.x, January 2014

SAP Security Recommendations December Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.

New Features for Sybase Mobile SDK and Runtime. Sybase Unwired Platform 2.1 ESD #2

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Ensuring the security of your mobile business intelligence

SRM User Interface Add-On 1.0 Overview. Michael Jud March 2013

SAP BusinessObjects Dashboarding Strategy and Statement of Direction

BUSINESS STRUCTURE: FUNCTIONS AND PROCESSES

Take Your Rocket U2 Apps Mobile with Rocket LegaSuite. Greg Mummah, Product Manager Rocket Software

Release Bulletin. Sybase Mobile Sales for SAP CRM 1.2.1

Transcription:

SAP MOBILE: ATTACK & DEFENSE Title goes here Julian Rapisardi jrapisardi@onapsis.com Fernando Russ fruss@onapsis.com 1

Disclaimer This presentation contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

Onapsis Inc. Overview Company mission is to secure business-critical applications. Transforming how organizations protect the applications that manage their businesscritical processes and information. Founded: 2009 Locations: Buenos Aires, AR Boston, MA Munich, DE Lyon, FR Research: 200+ SAP security advisories and presentations published What does Onapsis do? Innovative business-critical applications security software Trainings and presentations on business-critical infrastructure security

Who are we? Julian Rapisardi SAP Security Specialist @ Onapsis Background on SAP Security Assessments Has been involved in several SAP GRC projects Fernando Russ Senior Researcher @ Onapsis Background on Penetration Testing and Vulnerabilities Research Reported vulnerabilities in different SAP and Oracle Products Both Authors/Contributors on diverse posts and publications Speakers and Trainers at Information Security Conferences

Agenda Introduction Context History SAP Mobile SMP (SAP Mobile Platform) SAP Fiori Attack surface Architecture Overview Security challenges while building our application Conclusions

Introduction

Introduction So what is SAP? SAP (Systems, Applications and Products in Data Processing) is a German company devoted to the development of business solutions. Founded in 1972 75.000 employees More than 291.000 customers in 190 countries Working with Global Fortune-500 companies and large governmental organizations

SAP and the Business-Critical Information SAP systems store and process the most critical business information. If the SAP platform is breached, an intruder would be able to perform: ESPIONAGE Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc. FRAUD Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.

SAP Mobile Context As part of the industry's push towards remotely accessible business functions, SAP has been evolving their business critical applications to this trend. Going mobile brings some security challenges, such as: Choosing adequate authentication mechanisms Securing communications Defining proper data encryption requirements

SAP Mobile History SAP Mobile Platforms have travelled several miles in SAP history. 2010 2011 2012 2013 2014 SAP buys Sybase Sybase is SAP's largest acquisition ever. Sybase Unwired Platform (SUP) Supports integration with SAP NetWeaver Gateway via OData. SAP buys Syclo Syclo s Agentry, another mobile product (supporting Online and Offline Capabilities). Mobile Analytics Kit SAP Mobile Platform 3.0 (SMP3) unifies SUP, Syclo Agentry and SAP's mobile technologies into one mobile platform.

SAP Mobile

SAP Mobile SAP Financial Fact Sheet NY/NJ SBHC Volunteers SAP Mobile Platform SAP System Monitoring SAP Retail Execution Hybrid Web Container SAP Fiori Client SAP Support Desk SAP CRM Sales SAP Transport Notification and Status SAP Sales Manager SAP Travel Expense Report SAP Sales OnDemand SAP EMR Unwired SAP Cart Approval SAP Inventory Manager SAP Direct Store Delivery SAP Learning Assistant SAP Mobile Utilities SAP Learn Now SAP Sales Companion SAP IT Incident Management SAP Retail Execution Mobile SAP Rounds Manager SAP Business One SAP Job Progress Monitor SAP Business Objects Mobile SAP Visual Enterprise Viewer SAP Cloud for Travel & Expense SAP RealSpend SAP TM Notifier Sybase Mobile Workflow 2.1 SAP Sales Pipeline Simulator SAP Customer Financial Fact Sheet SAP Authenticator SAP Work Manager for Maximo SAP CRM SERVICE MANAGER SAP Cloud for Customer SAP GRC Access Approver SAP Manager Insight SAP Commissions Check SAP Mobile Documents SAP Collections Insight SAP HR Approvals SAP Utilities Customer Engage SAP Customer Loyalty SAP IT Change Approval SAP Business ByDesign SAP BusinessObjects Mobile Visual Enterprise MOB SAP FIORI SAP Work Manager SAP Travel Receipt Capture SAP User Experience Monitor SAP Patient Management SAP CRM SALES Sybase Data Provider 2.1.1 SAP Solution Manager Mobile Apps SAP Receivables Manager SAP End User Experience Monitoring SAP Enterprise Support Academy SAP CRM Service Manager SAP Customer Briefing SAP Shopper Experience

SAP Mobile SAP s mobile enterprise solutions are various. Most used ones today are SAP Fiori and SAP Mobile Platform (SMP). SAP Fiori is a collection of pre-built mobile applications, delivered via the SAP Store. SMP is used to build and deploy mobile applications across a range of mobile devices. It is a middleware platform, which enables users to connect the existing enterprise systems or applications with the mobile devices. Let s get a deeper look at them..

SAP Fiori Lines of business

SAP Fiori SAP Fiori is a collection of apps for frequently used SAP functions (Finance, HR, Sales & Marketing, Procurement, Manufacturing, Supply Chain etc.) that work across devices desktop, tablet, or smartphone. SAP Fiori landscape includes: SAP backend systems SAP NetWeaver Gateway SAP UI5 (UI development toolkit for HTML5) for NetWeaver No mobile platform is required

SAP Mobile Platform Sybase Unwired Platform and the Syclo Agentry development platform have been integrated, and the product rebranded to SAP Mobile Platform (SMP). SMP landscape includes: SAP backend systems SAP ERP (Enterprise Resource Planning) SAP CRM (Customer Relationship Management) SAP SCM (Supply Chain Management) SAP SRM (Supplier Relationship Management) NetWeaver Gateway for providing interfaces to business logic SMP to store and pass data between NetWeaver Gateway and mobile devices Afaria assists managing and securing mobile devices, across platforms.

Attack surface

About our research app.. The App lets you browse the bookings of a series of airline carriers, based on the flight connection available in certain periods of time. (as enhancement is planned to show the receipt as a Fiori plug in). Rotten by design :) Implemented using... Apache Cordova 4.3.0 + Kapsel (using SMP 3.0 SP08) SAP Fiori Wave 1 SP02 SAP Netweaver Gateway (SAP EHP 2 for SAP NetWeaver 7.0) SAP IDES (EHP6 FOR SAP ERP 6.0)

Architecture Overview

Our Architechture SAP Business Suite Backend systems

Apache Cordova Apache Cordova is a platform for building native mobile applications using HTML, CSS and JavaScript. Open source technology Supports ~ 15 Platforms Android IOS Windows Phone... https://cordova.apache.org/

Kapsel Framework A serie of Apache Cordova plugins that enhance it allowing interactions with SAP Javascript + Native Code AppUpdate Logon AuthProxy Logger Push Encrypted Storage Settings ClientHub

Security challenges while building our application

1. Login mechanisms SAP Business Suite Backend systems

1. Login mechanisms Anonymous Authentication No user/password needed No role mapping (generic users) Use for public content HTTP Basic Authentication Defined at RFC7235 User and password in plaintext (base64 encoded) Without using SSL / TLS this method is totally useless

1. Login mechanisms Token-based Authentication Uses SAP Single Sing-On tokens In general it is used as an opaque value (as an HTTP Header) Using SSL/TLS helps avoiding security issues Certificate-based Authentication Uses X.509 certificates Mutual authentication is assured Not frequently used, due to it s complicated configuration

DEMO

2. Securing data in transit SAP Business Suite Backend systems

2. Securing data in transit Use HTTPS as communication channel..or a VPN network (or per app vpn) It MUST be used for every requested resource DON T use Self Signed Certificates or suppress TLS error messages Using Mutual Authentication is highly recommended

2. Securing data in transit Stay tuned with security updates related on securing communications. Notable SSL / TLS vulnerabilities recently found: Heartbleed (CVE-2014-0160) SMACKTLS FREAK (CVE-2015-0204) SKIP-TLS (CVE-2015-0205, CVE-2014-6593,...) LogJam (CVE-2015-4000) Also affects some VPN implementations

3. Securing data at rest SAP Business Suite Backend systems

3. Securing data at rest Defining the proper data encryption requirements Avoid custom "obfuscation"/encryption techniques DON T EVER use hardcoded cryptographic keys in the app Use the System Keyring if available Use SAP ClientHub or similar Kapsel provides a plugin: EncryptedStorage Sqlite / AES256 API based on the W3C Web Storage proposal Or use SQLCipher...(https://www.zetetic.net/sqlcipher/)

DEMO

4. Patch Management Componet SAP Note Short Title Release Date SAP Afaria 2153690 Multiple vulnerabilities in SAP Afaria Server 12.05.2015 2155690 Missing authentication check in SAP Afaria 12.05.2015 2132584 Buffer overflow in SAP Afaria 7 XcListener 10.03.2015 Apache Cordova 2116121 Hybrid Web Container 2.3.4.7320 vulnerable to XAS attack 10.03.2015 SAP Mobile Platform Sybase Unwired Platform 2125513 XXE vulnerability in SAP Mobile Platform 10.03.2015 2114316 Unauthorized use of application functions in SMP 3.0 10.02.2015 2125358 SAP Mobile Platform XXE vulnarability 10.02.2015 2094830 Potential information disclosure relating to mobile onboarding 14.04.2015 2036547 Security mitigation instructions for Agentry 6.1.3 09.09.2014 Agentry 2105793 Fixing Poodle SSLv3 vulnerability for Agentry 09.12.2014 2038190 Potential information disclosure relating to the Agentry 6.1.3 ios Client 09.12.2014

4. Patch Management Componet SAP Note Short Title Release Date SAP Afaria 2153690 Multiple vulnerabilities in SAP Afaria Server 12.05.2015 2155690 Missing authentication check in SAP Afaria 12.05.2015 2132584 Buffer overflow in SAP Afaria 7 XcListener 10.03.2015 Apache Cordova 2116121 Hybrid Web Container 2.3.4.7320 vulnerable to XAS attack 10.03.2015 SAP Mobile Platform Sybase Unwired Platform 2125513 XXE vulnerability in SAP Mobile Platform 10.03.2015 2114316 Unauthorized use of application functions in SMP 3.0 10.02.2015 2125358 SAP Mobile Platform XXE vulnarability 10.02.2015 2094830 Potential information disclosure relating to mobile onboarding 14.04.2015 2036547 Security mitigation instructions for Agentry 6.1.3 09.09.2014 Agentry 2105793 Fixing Poodle SSLv3 vulnerability for Agentry 09.12.2014 2038190 Potential information disclosure relating to the Agentry 6.1.3 ios Client 09.12.2014

4. Patch Management Componet SAP Note Short Title Release Date SAP Afaria 2153690 Multiple vulnerabilities in SAP Afaria Server 12.05.2015 2155690 Missing authentication check in SAP Afaria 12.05.2015 Since September 2132584 2010, Buffer security overflow notes in are SAP released Afaria 7 XcListener the 2nd Tuesday of every 10.03.2015 Apache Cordova month 2116121 (SAP Security Hybrid Patch Web Day) Container 2.3.4.7320 vulnerable to XAS attack 10.03.2015 SAP Mobile Platform Sybase Unwired Platform Agentry The notes 2125513 information XXE is vulnerability only accessible in SAP to SAP Mobile customers Platform 10.03.2015 https://service.sap.com/notes 2114316 Unauthorized use of application functions in SMP 3.0 10.02.2015 Many security 2125358 notes SAP need Mobile to be Platform applied manually XXE vulnarability 10.02.2015 Only the implementation of some Security Notes can be automatically Potential information disclosure relating to mobile analyzed 2094830 using the transaction onboarding RSECNOTE (CVE-2015-3978) 14.04.2015 2036547 Security mitigation instructions for Agentry 6.1.3 09.09.2014 2105793 Fixing Poodle SSLv3 vulnerability for Agentry 09.12.2014 2038190 Potential information disclosure relating to the Agentry 6.1.3 ios Client 09.12.2014

Security challenges summary 1. Login mechanisms 1. Securing data in transit 1. Securing data at rest 1. Patch Management

Conclusions

Conclusions Bring your own device (BYOD) is here to stay. Building mobile applications integrated with SAP is challenging itself. SAP is a huge Use the environment Secure Sockets + Mobile Layer devices (SSL/TLS) are protocol complex in + Security the SAP NetWeaver is hard Gateway host to In our mobile secure communication devices our in your business landscape. critical data coexists with other usually suspect applications Use Secure - from Network angrybirds Communications to sudoku.. (SNC) connections between the SAP NetWeaver Gateway host and the SAP systems. Our business critical information is now being carried in many unsuspected places, The security guidelines described in the SAP NetWeaver Security Guide also apply to SAP such as pubs, nightclubs.. and this is a user trend behaviour that will not change.. at NetWeaver Gateway components (as they are based on the same topology). least for a while.. In order to protect our business information, we need to protect ALL the systems and products within the landscape.

Questions? Title goes here Julian Rapisardi jrapisardi@onapsis.com Fernando Russ fruss@onapsis.com 40

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information