Mobile application security talk I gave at OWASP Birmingham.
David Rook
Mobile Application Security
OWASP Birmingham
Friday, 9 December 2011
if (slide == introduction) System.out.println("I’m David Rook");
• Application Security Lead, Realex Payments, Dublin
• CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• Developed and released Agnitio
Agenda
• The mobile applosion!
• Android and iOS app analysis
There’s an app for that
• There’s an app for that......
• Apps allow users to do more than send SMS and play Snake
• Completely changed the way people view and use phones
• Businesses love apps, if they don’t have one they want one
• Innovative apps for customers using mobile functionality
Businesses can benefit from having a mobile presence. Customers “expect” a mobile presence from companies nowadays. Companies can utilise this to offer new ways of doing existing tasks such as mobile boarding passes, mobile banking and checking share prices.
Businesses can be created or rapidly grow because of mobile apps. Rovio is probably the most famous example but certainly not the only or last one.
There’s an app for that
• Mobile apps can create value for a business
• Businesses can benefit from having a mobile presence
• Innovative apps for customers using mobile functionality
• Most developers have not been trained to write secure code
• Not trained to write secure code, new to mobile development......
• What could possibly go wrong?
What could possibly go wrong? Well, we need to understand how many apps/downloads/smartphones there are first.
There’s an app for that
1 million+ apps
$15 billion income
30 billion downloads
115 million phones
Over 1 million apps in all of the app stores; pretty much all of the million plus are in the App Store or Market Place (500,000 Apple and 600,000 Android; all other app stores about 50,000 at the most).
Estimated $15 billion of income from app sales in 2011 (http://www.gartner.com/it/page.jsp?id=1529214).
About 30 billion app downloads from the App Store and Android Market Place (18bn for the App Store, http://en.wikipedia.org/wiki/App_Store_(iOS), and about 7bn for the Market Place, http://en.wikipedia.org/wiki/Android_Market) since the Apple App Store was launched on 11 July 2008.
115m smartphones sold in Q3 2011 (http://www.gartner.com/it/page.jsp?id=1848514).
There’s an app for that
Android Market Place has about 600,000 apps now (December 2011, http://www.androlib.com/appstats.aspx). Apple App Store has over 500,000 apps now (October, http://en.wikipedia.org/wiki/App_Store_(iOS)#cite_note-18billion-52). Nokia Ovi Store is now around 50,000 apps (http://en.wikipedia.org/wiki/Ovi_(Nokia)#Ovi_Store). BlackBerry App World is also around 50,000 apps (http://en.wikipedia.org/wiki/BlackBerry_App_World). Windows Phone Marketplace has around 40,000 apps (http://en.wikipedia.org/wiki/Windows_Phone_Marketplace).
There’s an app for that
• The predicted growth happened
• 1,000,000+ apps by the end of 2011
• How many have been developed with security in mind?
• The answer isn’t “none” but it won’t be many, ≤1%?
• But none of us are surprised by this are we?
• I want us to try and find the insecure apps with Agnitio
Mobile payments
• Payments made using a mobile
• I’m not talking about NFC or in app payments
• I want to share some real world payment stats with you
• Based on analysis of Realex hosted payment page hits
Mobile payments
[Chart: Total Hits vs Mobile Hits to the Realex hosted payment page, January to November 2011; y-axis 0 to 1,500,000]
This shows hits to our hosted payment page, so it isn’t showing transactions, but it’s a decent guide. Total hits grew from 675,853 in January to 1,039,725 in November. Mobile hits grew from 9,887 (1.5%) in January to 38,738 (3.7%) in November. This is a tiny amount of our overall transactions as well: about 3.5m transactions in Q3 on this chart, but overall we did 16.2m.
Mobile payments
[Chart: Mobile Hits by platform (iOS, Android, BlackBerry), January to November 2011; y-axis 0 to 40,000]
iOS is way out in front, with about 6 times as many hits from iOS devices as from Android devices. This doesn’t really show an increase in transactions from mobiles (as it’s based on hits) but it does show the increase in the use of mobiles for sensitive actions such as credit card payments: roughly a 4 times increase from January to November.
Mobile App Threat Modeling
• Like a web app threat model but scarier
• External dependencies completely out of your control
• No longer a server maintained by your operations team
• Phones not owned or maintained by you (or anyone!)
• What are your external dependencies for a mobile app?
Mobile App Threat Modeling
http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support
■ 7 of the 18 Android phones never ran a current version of the OS.
■ 12 of 18 only ran a current version of the OS for a matter of weeks or less.
■ 10 of 18 were at least two major versions behind well within their two year contract period.
■ 11 of 18 stopped getting any support updates less than a year after release.
■ 13 of 18 stopped getting any support updates before they even stopped selling the device or very shortly thereafter.
■ 15 of 18 don’t run Gingerbread, which shipped in December 2010.
■ At least 16 of 18 will almost certainly never get Ice Cream Sandwich.
Mobile app security issues
• Data in transit and at rest
• Dangerous inputs
Data in transit and at rest: local data storage (files, caches and SQLite databases). You need to acknowledge that the data isn’t really secure when it’s on the user's device. Be careful what you store on the device and where you store it. If you encrypt the data on the device, where are you going to put the encryption key? When reviewing code for these types of issues you will be looking for functions such as Context.openFileOutput() and Context.openFileInput() as well as file permissions. You can use things like the keychain on iOS to secure files and data on the device.
Consuming 3rd party web services: interesting apps need to talk to something else. You have to treat the data from these services as “dangerous” and validate it like you would any other data. You also need to consider the fact that you don’t know where the data is going or how it’s handled/stored etc. When reviewing code you will be looking for functions that open network connections, receive input etc.
iOS image caching problem: in iOS, when an application moves to the background the system takes a screenshot of the application's main window. This screenshot is used to animate transitions when the app is reopened. What if sensitive info was on the screen?
http://software-security.sans.org/blog/2011/01/14/whats-in-your-ios-image-cache-backgrounding-snapshot/
General input: of course you need to keep an eye on SQL query related methods. Things like query() and rawQuery() in Android and sqlite3_exec() in iOS, and data received via intent messages for your app to receive and process.
Android and iOS
Android: Linux based OS. Applications written in Java. Java is compiled to DEX bytecode.
iOS: Unix based OS. Applications written in Objective-C.
Android Source Code
package com.denimgroup.android.training.pandemobium.stocktrader;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

public class TipsActivity extends Activity {
    private WebView wvTips;

    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        Log.i("TipsActivity", " Loading up browser page to display stock tips");
        super.onCreate(savedInstanceState);
        setContentView(R.layout.tips);
        wvTips = (WebView) findViewById(R.id.wv_tips);
        wvTips.loadUrl(getString(R.string.tip_list));
    }
}
How do we analyse Android code now? If you have the source code it’s pretty simple, just like a normal Java code review with some Android specific checks of course. Otherwise you need to do the following:
Download the .apk onto an AVD or a rooted phone. Unpack this and run a tool like apktool to make the AndroidManifest.xml file into a human readable format. Then you will need to convert the .DEX file into a jar file with another tool like dex2jar.
You will then need to unzip the jar file and then decompile the class files into the original source code.
AndroidManifest.xml
• A good place to start your security code reviews!
• Applications and System code have an AndroidManifest file
• Compressed XML file in the .apk
• Declares the package name, a unique identifier for the app
• Defines the permissions needed by the application
• Defines app activities and intents
Activities: an activity is an application component that provides a screen with which users can interact in order to do something, such as dial the phone, take a photo, send an email, or view a map.
Intents: activities are activated through messages, called intents. You can “call” your own activities or let Android pick the right one for you, opening a URL for example. Let’s say there is an application that finds hotels and would like to use another application to book one. For that it creates an implicit “Intent” where it says: “hey Android, I intend to book this hotel, please find an application that is capable of booking it, and pass it the data to do the booking”. Intents have Actions, Data and Categories.
"A different strategy is needed for implicit intents. In the absence of a designated target, the Android system must find the best component (or components) to handle the intent" <-- do you know what the target (i.e. the other app) is going to do with your data?
An Intent is basically a message that is passed between components (such as Activities, Services, Broadcast Receivers, and Content Providers).
One component that wants to invoke another has to express its intent to do a job, and any other component that exists and has claimed that it can do such a job through intent-filters is invoked by the Android platform to accomplish the job. This means both components are unaware of each other's existence and can still work together to give the desired result for the end user.
http://developer.android.com/guide/topics/manifest/manifest-intro.html
Agnitio hands on
• AndroidManifest.xml - before and after
Show the Pandora application AndroidManifest.xml:
Show SDK versions:
<uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8" />
Permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
Action = ACTION_MAIN: start up as the initial activity of a task, with no data input and no returned output.
Category = CATEGORY_LAUNCHER: the activity can be the initial activity of a task and is listed in the top-level application launcher.
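Pulling exactly these facts out of the decoded manifest (SDK range, requested permissions, activities that carry intent filters) is an easy first pass to automate before opening any Java. The Python below is an added example, not Agnitio's or Android's code; the manifest it parses is constructed, reusing the uses-sdk and permission values shown above for Pandora with made-up package and activity names, and it assumes apktool has already decoded the manifest to plain XML.

```python
"""Manifest triage: the review start point the slides recommend (added example,
not Agnitio's or Android's code). The constructed manifest below reuses the
uses-sdk and permission values shown for Pandora; package and activity names
are made up. Reports SDK range, permissions and activities reachable by other apps."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <application android:label="Demo">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".ImportTip">
      <intent-filter>
        <action android:name="android.intent.action.SEND" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:mimeType="text/plain" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

def attr(elem, name, default=None):
    """Read an android:-namespaced attribute, tolerating a missing element."""
    return elem.get(NS + name, default) if elem is not None else default

def triage(manifest_xml):
    """Summarise the facts a reviewer needs before opening any Java."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion", "1"))
    report = {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": int(attr(sdk, "targetSdkVersion", str(min_sdk))),
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "activities": [],
    }
    for act in root.iter("activity"):
        filters = act.findall("intent-filter")
        # An activity with an intent filter is exported unless it says otherwise.
        exported = attr(act, "exported", "true" if filters else "false") == "true"
        actions = [attr(a, "name") for f in filters for a in f.findall("action")]
        cats = [attr(c, "name") for f in filters for c in f.findall("category")]
        report["activities"].append({"name": attr(act, "name"), "exported": exported,
                                     "actions": actions, "launcher": LAUNCHER in cats})
    return report

def review_points(report):
    """Questions to carry into the code review, derived from the manifest alone."""
    points = []
    if "android.permission.INTERNET" in report["permissions"]:
        points.append("INTERNET requested: check the service URLs in res/values/strings.xml are HTTPS")
    for a in report["activities"]:
        if a["exported"] and not a["launcher"]:
            points.append(f"{a['name']} takes intents {a['actions']} from any app: validate that data")
    return points

if __name__ == "__main__":
    rep = triage(MANIFEST)
    print(rep["package"], "minSdk", rep["min_sdk"], "targetSdk", rep["target_sdk"], rep["permissions"])
    for line in review_points(rep):
        print("-", line)
```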
Android Static Analysis
• Context.openFileOutput()
• Context.openOrCreateDatabase()
• rawQuery()
• URLConnection()
• HttpResponse()
• MODE_PRIVATE
• MODE_WORLD_READABLE
• MODE_WORLD_WRITABLE
Context.openFileOutput() creates a local file on the device.
Context.openOrCreateDatabase() creates a local file on the device containing a SQLite database.
rawQuery(): untrusted inputs should not be used to create SQL statements. It is preferable to compile queries using Database.compileStatement() and then put untrusted values into parameters passed to that statement. Also note that untrusted values should not be used to build up the strings passed to Database.compileStatement().
URLConnection(): mobile devices communicate across a variety of networks, both trusted and untrusted. Therefore it is important that communications be encrypted, typically using HTTPS.
HttpResponse(): the same applies, communications must be encrypted, typically using HTTPS. Data returned in a method like this must be validated before being used in sinks.
Context.MODE_PRIVATE: this is the most secure setting because the resource will only be readable by the application that created it.
Context.MODE_WORLD_READABLE: this allows other applications who know the name and location of the resource to read it.
Context.MODE_WORLD_WRITEABLE: this allows other applications who know the name and location of the resource to write to it.
Agnitio hands on
• Analyse the Android Pandemobium app
Browse to PreferencesActivity.java, select the Java rules and click scan on this file.
The highlighted openFileOutput method shows that the username and password are being written in the clear to the device file system. Explain that whilst MODE_PRIVATE is being used, it’s limited.
accountServiceURL is also highlighted; we need to open res\values\strings.xml to see what this URL is. It’s a non-SSL URL.
Go back to PreferencesActivity.java and show how we submit the username and password to this non-SSL URL on the “actualURL” line.
The next highlighted openFileOutput writes a value called accountId to a file in the clear with MODE_WORLD_READABLE and MODE_WORLD_WRITABLE set. Why is this important? Well, let’s see how accountId is used!
Browse to TradeActivity.java, select the Java rules and click scan on this file.
Scroll down until you see URL highlighted on the end of tradeServiceURL; we need to open res\values\strings.xml to see what this URL is. It’s a non-SSL URL.
Go back to TradeActivity.java and show how we submit the accountId (retrieved using retrieveAccountId in \util\AccountUtils.java) as part of the stock purchase request on the “actualURL” line. Any malicious app on the phone could retrieve our WORLD_READABLE accountId value and submit trade requests as us. Two lines down (try { Log.d) we also write the request URL to a log file, including the accountId again.
iOS Source Code
#import "TipViewController.h"
#import "StockDatabase.h"
#import "/usr/include/sqlite3.h"
#import "ASIHTTPRequest.h"
#import "ASIFormDataRequest.h"

@implementation TipViewController

@synthesize keyboardToolbar;

- (id)initWithNibName:(NSString *)nibNameOrNil bundle:(NSBundle *)nibBundleOrNil
{
    self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
    if (self) {
        // Custom initialization
        stockDB = [[StockDatabase alloc] init];
    }
    return self;
}
How do we analyse iOS code now? If you have the source code it’s pretty simple, just like a normal Objective-C code review. You almost need to treat this like an old C/C++ style code review and look for things like buffer overflows; like the world of fashion, what is old is new again.
It isn’t impossible to get the source code from an app (i.e. decompiling it) but it is very hard, certainly not as easy as it is with Android apps.
iOS Static Analysis
• writeToFile()
• openURL()
• sqlite3_prepare()
• NSFILE
writeToFile() writes data to a local file on the device.
openURL(): mobile devices communicate across a variety of networks, both trusted and untrusted. Therefore it is important that communications be encrypted, typically using HTTPS.
sqlite3_prepare(): untrusted inputs should not be used to create SQL statements. It is preferable to compile queries using sqlite3_prepare_v2 or sqlite3_prepare16_v2 and then put untrusted values into parameters passed to that statement.
NSFILE: data files on iOS receive some protection from other processes, but care should be taken when storing data in case the device is lost and jailbroken by an attacker.
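The Android and iOS sink lists above are essentially grep rules, and the Pandemobium walk-through shows what they surface. The Python below is an added example, not Agnitio's code or rule set: it encodes those sinks as regexes and runs them over constructed Java, strings.xml and Objective-C snippets that mimic the findings described (cleartext credentials, a world-readable accountId file, a non-SSL service URL, the request URL logged, string-built SQL).

```python
"""Rule-based source triage in the spirit of the Agnitio walk-through above
(added example, not Agnitio's own code or rules). The Android and iOS sink
lists from the slides become regexes, run over constructed snippets that mimic
the Pandemobium findings: credentials and a world-readable accountId written to
local files, a non-SSL service URL, the request URL logged, string-built SQL."""
import re

# Each rule: (id, regex, severity, advice). Advice paraphrases the slide notes.
RULES = {
    "java": [
        ("openFileOutput", r"openFileOutput\s*\(", "medium",
         "local file written: check what is stored and with which mode"),
        ("world-accessible", r"MODE_WORLD_(READABLE|WRITE?ABLE)", "high",
         "any app on the device can read/write this; use MODE_PRIVATE"),
        ("sql-concat", r"rawQuery\s*\(\s*\"[^\"]*\"\s*\+", "high",
         "SQL built by concatenation; use compileStatement() with bound values"),
        ("log-sensitive", r"Log\.[dviwe]\s*\(.*(password|accountId|actualURL)", "medium",
         "sensitive value written to the device log"),
    ],
    "objc": [
        ("writeToFile", r"writeToFile:", "medium",
         "data written to a local file; secrets belong in the keychain"),
        ("sqlite3_prepare", r"sqlite3_prepare\s*\(", "medium",
         "legacy API; prefer sqlite3_prepare_v2 and bind parameters"),
        ("sql-format", r"stringWithFormat:@\"\s*(SELECT|INSERT|UPDATE|DELETE)", "high",
         "SQL built with stringWithFormat; bind untrusted values instead"),
        ("openURL", r"openURL:", "low", "outbound request; must use HTTPS"),
    ],
    "xml": [],
}
# Cleartext URLs matter in every file type, res/values/strings.xml included.
for _rules in RULES.values():
    _rules.append(("cleartext-url", r"http://", "high", "non-SSL URL; use HTTPS"))

def scan(source, lang):
    """Return one finding per (line, rule) match, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, pattern, severity, advice in RULES[lang]:
            if re.search(pattern, line):
                findings.append({"line": lineno, "rule": rule_id, "severity": severity,
                                 "advice": advice, "code": line.strip()})
    return findings

# Constructed Java resembling the PreferencesActivity/TradeActivity findings.
JAVA_SAMPLE = '''
FileOutputStream fos = openFileOutput("creds", Context.MODE_PRIVATE);
fos.write((username + ":" + password).getBytes());
FileOutputStream ids = openFileOutput("accountId", MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE);
String actualURL = tradeServiceURL + "?accountId=" + accountId + "&symbol=" + symbol;
Log.d("TradeActivity", "Requesting " + actualURL);
Cursor c = db.rawQuery("SELECT * FROM tips WHERE symbol = '" + symbol + "'", null);
'''
# Constructed res/values/strings.xml entry holding the non-SSL service URL.
XML_SAMPLE = '<string name="account_service_url">http://example.invalid/account</string>'
# Constructed Objective-C resembling the iOS counterpart.
OBJC_SAMPLE = '''
NSString *sql = [NSString stringWithFormat:@"SELECT price FROM stocks WHERE symbol = '%@'", symbol];
sqlite3_prepare(db, [sql UTF8String], -1, &stmt, NULL);
[credentials writeToFile:path atomically:YES];
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"http://example.invalid/tips"]];
'''

if __name__ == "__main__":
    for lang, src in (("java", JAVA_SAMPLE), ("xml", XML_SAMPLE), ("objc", OBJC_SAMPLE)):
        for f in scan(src, lang):
            print(f"{lang}:{f['line']} [{f['severity']}] {f['rule']}: {f['code']}")
            print("    ->", f["advice"])
```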
Agnitio hands on
• Analyse the iOS Pandemobium app
CD "C:\Users\David Rook\Desktop"
adb pull /data/app/com.pandora.android.apk
My USB key........
• I have some things on my USB key you might want
• .apk files of popular and “suspicious” Android apps
• System.img file for v2.2 emulator to enable the marketplace
• You have to trust my USB key is safe to use ;-)
www.securityninja.co.uk
@securityninja
QUESTIONS?
/realexninja
/securityninja
/realexninja
http://sourceforge.net/projects/agnitiotool/