Presentation by EY infosec experts Kristof Dewulf and Yannick Scheelen about mobile applications security. Agoria Alliance WG Meeting 20/11/13
Mobile application security
App Alliance WG Meeting
20 November 2013
Kristof Dewulf
Yannick Scheelen
Security weaknesses and vulnerabilities: mobile devices
► Malware goes mobile
Timeline of mobile malware and vulnerability news items (axis labels on the slide: 2012, 2013, 2014; months as given on the slide):
► August: Weakness in SSL cert handling exposes data to interception (iOS)
► September: HTC phone vulnerability leaks personal data (Android)
► April: NotCompatible gains access to local network preferences (Android)
► February: Lock screen of iPhone can be circumvented (iOS)
► July: LuckyCat opens a backdoor that allows remote access (Android)
► May: FakeInst SMS Trojan cost end users 30 million dollars (Android)
► July: SMSzombie abuses China's SMS payment (Android)
► April: Apparent security certificate turns out to be Android malware
► July: The Android "Master Key" exploit
► September: Banking Trojans disguise attack targets in the cloud
► September: iOS 7 lock screen vulnerability discovered
► Security threats and malware are constantly present
► Smartphone sales are increasing
Worldwide smartphone sales by operating system, market share in % (source: Gartner.com):
              3Q13   3Q12
Android       81.9   72.6
iOS           12.1   14.3
Microsoft      3.6    2.3
Blackberry     1.8    5.2
Chart: number of variants in 2010, 2011 and 2012 for TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer (source: Eset.com).
EY - App Alliance WG meeting – 20 November
Application weaknesses and vulnerabilities: more than meets the eye
► Most tests stop here…
► ...or here
► Application code review
► Insecure data storage
► SSL/TLS
► Bypass authentication or authorization controls
► Bypass validations or manipulate application business logic
► What about injection attacks?
► Session management?
► Side channel data leakage?
► Sensitive information disclosure?
► Phishing attacks?
► Application and library permissions?
Mobile application security: most common issues
1. There is too much business logic in the application
► The mobile device holds the actual application binary, so anything in it can be reverse engineered and tampered with
► It is safer to perform business logic validation on central systems (e.g. web service/web server)
2. SSL/TLS not implemented, or not implemented properly
► Certificate validity is often not checked
► Consider certificate pinning; it works very well for mobile apps
3. Insecure local data storage
► Passwords stored in databases
► Personal information stored without the consent of the user (see privacy legislation)
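The pattern behind issue 2, as an added example that is not from the slides: a Python TLS client with the "accept anything" configuration many apps shipped with next to a hardened context, plus certificate pinning by SHA-256 fingerprint of the leaf certificate. The host name, port, pin values and the certificate bytes used in the check are assumptions for illustration, not values from the presentation.

```python
"""Added example (not from the EY slides): the TLS configuration behind
'SSL/TLS not properly implemented' and the certificate pinning the slide
recommends, written for a Python client. Host, port, pins and certificate
bytes are placeholders chosen for illustration."""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def insecure_context() -> ssl.SSLContext:
    """What 'not properly implemented' usually looks like: the handshake
    happens and traffic is encrypted, but nobody checks who the peer is.
    Anyone on the same Wi-Fi can present a self-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform trust store plus host name
    matching; this is the baseline before pinning is even considered."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    """True only if the presented leaf certificate's fingerprint is in the
    pin set. Compared with hmac.compare_digest to avoid a timing side
    channel. Ship the current and the next (backup) certificate's pin so a
    routine renewal does not lock every installed app out of the server."""
    fp = cert_fingerprint(der)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse to use it unless the pin matches.
    Does network I/O, so it is not exercised by the offline checks."""
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return sock
```

Pinning the leaf by full-certificate hash is the simplest form and the one shown here; pinning the subject public key instead survives re-issuance of the certificate with the same key, at the cost of parsing the DER structure.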
Mobile application security testing: our approach
Mobile device
Objective: identify vulnerabilities in the application itself, on Android, iOS or Windows.
► Reverse engineer the binary using tools such as:
► Clang (static code analysis)
► GDB
► IDA (Pro)
► class-dump-z
► …
and investigate the recovered code for passwords, server-side keys, … but also learn how the application works.
► Perform data analysis by looking for sensitive data in databases, logs, back-ups, cached files, debug messages, …
► Verify the application's permissions.
► Analyze the application's business logic.
► Perform security tests similar to those for other web applications (e.g. session management, authentication management, …).
Server-side controls
Objective: identify vulnerabilities on the server side of the mobile application.
► Perform an in-depth penetration test of the server-side application.
► Perform an in-depth penetration test of the web services or API services.
► Use the information found on the local device (keys, endpoints, credentials) to improve the chances of success on the server side.
Communication channel
Objective: identify vulnerabilities in the data communication channel.
► Mobile applications are highly likely to operate on insecure wireless networks.
► It is essential to review the network protocols the application uses to communicate with the server-side application.
► The use of SSL/TLS is confirmed both through code review and through the Burp Suite proxy tool.
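The device-side data analysis step above, as an added example that is our own and not EY's tooling: a Python sweep over a SQLite database and an application log for the kinds of secrets the slide lists (passwords, tokens, personal data). The schema, rows and log lines are constructed for the example; the patterns and the Luhn filter on candidate card numbers are the reusable part.

```python
"""Added example (not the EY methodology's own tooling): sweeping a copy of an
app's sandbox (SQLite databases, logs) for secrets that should never have
been written to disk. Schema, rows and log lines below are constructed."""
import re
import sqlite3
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (source, finding_type, matched_text)

# Patterns a tester greps for in databases, logs, plists, shared_prefs, caches.
PATTERNS: Dict[str, "re.Pattern"] = {
    "password_field": re.compile(r"(?i)\b(pass(word|wd)?|pwd|pin)\s*[:=]\s*\S+"),
    "bearer_token":   re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "private_key":    re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
    "email":          re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card_number":    re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary long numbers (timestamps, record IDs)
    are not reported as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(source: str, text: str) -> List[Finding]:
    """Run every pattern over one string and return the hits."""
    hits: List[Finding] = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                continue
            hits.append((source, name, m.group(0)))
    return hits


def scan_sqlite(conn: sqlite3.Connection) -> List[Finding]:
    """Walk every user table and cell. Columns whose *name* looks like a
    secret field are reported even when the value matches no pattern: a
    stored hash or an opaque token in a 'password' column is still a finding."""
    hits: List[Finding] = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                src = f"{table}.{col}"
                if re.search(r"(?i)pass|pwd|secret|token", col) and val:
                    hits.append((src, "secret_column", str(val)))
                if isinstance(val, str):
                    hits.extend(scan_text(src, val))
    return hits


def build_sample_sandbox() -> Tuple[sqlite3.Connection, List[str]]:
    """Constructed stand-in for an `adb backup` / iOS sandbox dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2')")
    conn.execute("CREATE TABLE cards (id INTEGER, holder TEXT, pan TEXT)")
    conn.execute("INSERT INTO cards VALUES (1, 'ALICE DOE', '4111 1111 1111 1111')")
    conn.execute("CREATE TABLE events (id INTEGER, ts TEXT)")
    conn.execute("INSERT INTO events VALUES (1, '1384905600123')")  # 13 digits, not a card
    log = [  # constructed logcat-style lines
        "D/LoginActivity: POST /login password=hunter2 user=alice@example.com",
        "D/Net: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructedtoken",
        "I/Sync: 1 item synced at 1384905600",
    ]
    return conn, log


def run_scan() -> List[Finding]:
    """Scan the constructed sandbox and return all findings."""
    conn, log = build_sample_sandbox()
    hits = scan_sqlite(conn)
    for lineno, line in enumerate(log, 1):
        hits.extend(scan_text(f"app.log:{lineno}", line))
    return hits


if __name__ == "__main__":
    for src, kind, text in run_scan():
        print(f"{src:18} {kind:15} {text}")
```

On a real engagement the same two functions run over every *.db, *.log, shared_prefs/*.xml and Library/Caches file pulled from the device; the timestamp row shows why the Luhn filter matters, since without it every 13-to-19-digit ID would be flagged as a card number.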
Our recommendations
► Developers: start with security in mind!
► Understand the threats:
► On the application
► On the channel
► On the server side
► Don't store sensitive data on the device without the consent of the user and without the ability for the user to remove his/her personal information
► Understand the mobile platform of your application
► Understand your audience
► Assess your application
Contact details