6 Ways to Build an Insecure Mobile Application
How to avoid the most common mobile vulnerabilities
Daniel Miessler
Principal Security Architect, HP Fortify
November 2013
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda
• Introduction
• Why mobile security matters
• Mobile security differences
• Common developer mistakes
• Takeaways
• Questions
Introductions
Daniel Miessler, CISSP, CISA, GCIA
Principal Security Architect, HP Application Security
• Work on Fortify on Demand Team
• Cloud-based Application Security
• Penetration Testing Background
• Enterprise Security Architecture
• Application Security Program Development
daniel.miessler@hp.com
Why mobile security matters
Considerations: Mobile traffic increases
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• There will be nearly one mobile device per capita by 2015 (~7 billion)
• Mobile payments will exceed 984 Billion by 2014
Data from Smart Insights, Yankee Group 2012
Considerations: Mobile ubiquity
• Mobile performance is becoming extraordinary
• Using a non-mobile computer will become increasingly rare
• “Home computer” will come to mean better input and display options for your mobile system
• Apple replacing desktop with mobile?
Considerations: Mobile ubiquity II
• 2014 is considered the year that mobile web traffic will surpass non-mobile web traffic
• Mobile computing will soon be known as “computing”
• Computing somewhere other than your mobile device will be the activity that requires a name
• Attackers follow the users
Considerations: Mobile insecurity
• Mobile development is the hottest type of development right now. New surface area equals dangerous surface area
• If anyone’s going to put features over security to get the product out the door, it’s likely to be a mobile team
• Many enterprise mobile developers haven’t had the security training that other types of developers have had
• Many assume that because mobile back ends aren’t visited directly they are more secure (obscurity assumption)
Mobile security differences
Mobile security differences
Q: What’s the difference between “regular” security and mobile security?
Mobile security differences: Thick-client testing
Client
• Languages: ABAP, C/C++, Java, Objective C, Python, VB6, COBOL, Cold Fusion, XML, SQL
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management
Network
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage
Server
• Languages: ASP.NET, VB.NET, C#, Classic ASP, HTML, Flex, JavaScript/AJAX, JSP, PHP, VBScript
• Injection flaws
• Authentication
• Session management
• Access control
• Logic flaws
Mobile security differences
Q: What’s the difference between this and mobile?
Mobile security differences: Mobile security
Client
• Languages: ABAP, C/C++, Java, Objective C, Python, VB6, COBOL, Cold Fusion, XML, SQL
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management
Network
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage
Server
• Languages: ASP.NET, VB.NET, C#, Classic ASP, HTML, Flex, JavaScript/AJAX, JSP, PHP, VBScript
• Injection flaws
• Authentication
• Session management
• Access control
• Logic flaws
Mobile security differences: Expanded mobile risk
Two key differences
• Magnified network vulnerability: your network traffic is more likely to be visible to others with a mobile device than at work or home
• Magnified physical vulnerability: as with most other types of computer, once the attacker has physical access, it’s over
Common mobile vulnerabilities
2013 edition
Common vulnerabilities: Most apps are vulnerable
Most high-scrutiny (see: previously hacked) mobile apps are decently secure now, but the next tier down still has many issues
• Evaluating any given application is likely to yield significant vulnerabilities
• The newer and more eager the shop, the higher the chance of issues
Common vulnerabilities: OWASP
Open Web Application Security Project
• Thought leader in web security
• Runs many projects designed to help industry secure their applications
• OWASP Top 10
• Risk Rating Methodology
• Vulnerability Prevention Cheat sheets
• Our team is heading up the Mobile Top 10 2013
http://www.owasp.org/
OWASP Mobile Top 10 Risks
M1 – Insecure Data Storage
M2 – Weak Server Side Controls
M3 – Insufficient Transport Layer Protection
M4 – Client Side Injection
M5 – Poor Authorization and Authentication
M6 – Improper Session Handling
M7 – Security Decisions via Untrusted Inputs
M8 – Side Channel Data Leakage
M9 – Broken Cryptography
M10 – Sensitive Information Disclosure
Common vulnerabilities: Real-world perspective
• Definitely check out the OWASP Top 10, but this is more about what we’re seeing in the wild
• We constantly test mobile applications from the top companies in the world, and these are the top categories of issue we find in those applications
Common vulnerabilities: Real-world results
• Case study of 120 Mobile applications for a single enterprise customer (results are typical)
• 66% of applications contained a critical or high vulnerability that either:
  • Disclosed 1 or more users’ personal data
  • Compromised the backend system
Common vulnerabilities: Logic flaws
Logic flaws are due to faulty developer assumptions, i.e. not thinking like an attacker
• Changing an arbitrary user’s password
• Bypassing multi-step authentication
• Free product by skipping payment step
• Product + refund by submitting negative number
• Defeating a business limit by entering a high negative number
• Getting a bulk discount on only one item by modifying the cart manually afterwards
Common vulnerabilities: Logic flaw defense
Logic flaws are avoided by performing exhaustive vulnerability assessments before going to production
• Fully understand the anticipated flow of the application
• Assume the mind of the attacker
• Identify places that developers likely made assumptions
• Attempt to take advantage of those assumptions
• As a developer, think in terms of abuse vs. just regular use
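A server-side check covering the flaws listed above, as an added example that is not from the deck (Python; the prices, limits and step names are constructed):

```python
"""Server-side checkout validation against the logic flaws listed above.
Added example, not from the deck; prices and limits are constructed. Every
assumption the client could break is re-checked here: positive integer
quantities, the per-order limit, a bulk discount recomputed from the final
cart, and checkout steps that can only be completed in order."""

CATALOGUE = {"widget": 1000, "gadget": 2500}   # price in cents (constructed)
MAX_UNITS_PER_ORDER = 100                      # hypothetical business limit
BULK_THRESHOLD = 10                            # 10+ of one item earns the discount
BULK_DISCOUNT_PERCENT = 20
CHECKOUT_STEPS = ("cart", "address", "payment", "confirm")


class OrderRejected(ValueError):
    """Raised for any request that breaks a server-side assumption."""


def price_order_trusting(cart, discount_percent):
    """The faulty pattern: quantities and an earlier-computed discount are
    taken from the client as-is, so edited values go straight into the total."""
    subtotal = sum(CATALOGUE[sku] * qty for sku, qty in cart.items())
    return subtotal * (100 - discount_percent) // 100


def price_order(cart):
    """Hardened pricing: validates each line and derives the discount from
    the cart as it is now, not from a previous step the user may have edited."""
    if not cart:
        raise OrderRejected("empty cart")
    total_units = 0
    total_cents = 0
    for sku, qty in cart.items():
        if sku not in CATALOGUE:
            raise OrderRejected(f"unknown item {sku!r}")
        # bool is an int subclass, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise OrderRejected(f"quantity for {sku!r} must be a positive integer")
        total_units += qty
        line = CATALOGUE[sku] * qty
        if qty >= BULK_THRESHOLD:
            line = line * (100 - BULK_DISCOUNT_PERCENT) // 100
        total_cents += line
    if total_units > MAX_UNITS_PER_ORDER:
        raise OrderRejected("order exceeds the per-order unit limit")
    return total_cents


def advance_checkout(session, step):
    """Multi-step flow kept server-side: only the next expected step is
    accepted, so 'payment' cannot be skipped by posting 'confirm' directly."""
    done = session.setdefault("completed", [])
    expected = CHECKOUT_STEPS[len(done)] if len(done) < len(CHECKOUT_STEPS) else None
    if step != expected:
        raise OrderRejected(f"step {step!r} not allowed; expected {expected!r}")
    done.append(step)
    return session
```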
Common vulnerabilities: Poor TLS implementations
Many mobile developers are allowing SSL communication with any host
• Trusting any certificate it sees
• Allows expired certificates
• Allows trivial MiTM attacks
• Can connect to HTTPS once, and then fall back
• Once in the middle, attackers can model your app’s functionality en route to breaking it
Common vulnerabilities: Poor TLS implementation
TLS protection has multiple levels of security
• Ensure HTTPS is always enabled
• Attempt to match the name of the remote certificate
• Certificate pinning*
• Recognize that nothing is fool-proof, and adjust according to your app’s specific needs
* Remember that pinning was a defense against compromised CAs, not against MiTM
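The levels above in a Python client, as an added example that is not from the deck; a mobile app applies the same checks in its platform networking layer. The host name and the certificate bytes used for the pin check are constructed.

```python
"""The TLS levels from the slide, as a Python client illustration.
Added example, not from the deck: a real app does this in its platform
networking layer, but the checks are the same. Level 1: only https:// URLs,
no fallback. Level 2: verify the chain and match the hostname. Level 3:
optionally pin the leaf certificate on top of the other two."""
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlsplit


def insecure_context():
    """The 'talk to any host' pattern: no chain check and no name match, so
    an expired, self-signed or attacker-issued certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """Chain validated against the system trust store and the certificate
    name matched against the host we asked for."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def is_verifying(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def require_https(url):
    """Never 'fall back': a non-https URL is an error, not a retry."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return parts.hostname

def fingerprint(leaf_der):
    return hashlib.sha256(leaf_der).hexdigest()

def pin_matches(leaf_der, pinned_sha256_hex):
    """Pin on the leaf certificate's SHA-256. This defends against a cert
    mis-issued by a compromised CA; it is an extra layer on top of the
    chain and hostname checks, not a replacement for them."""
    return hmac.compare_digest(fingerprint(leaf_der), pinned_sha256_hex.lower())

def connect(url, pinned_sha256_hex=None):
    """Open a verified TLS session to url's host and return the TLS version.
    Needs network access; the checks above are what make it safe."""
    host = require_https(url)
    ctx = hardened_context()
    with socket.create_connection((host, 443)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            if pinned_sha256_hex is not None:
                leaf = tls.getpeercert(binary_form=True)
                if not pin_matches(leaf, pinned_sha256_hex):
                    raise ssl.SSLError("certificate pin mismatch")
            return tls.version()
```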
Common vulnerabilities: Promiscuous client-side storage
Perhaps the most abused functionality is client-side storage
• Storage of credentials in plist files, SQLite databases
• Failure to use Keychain to store credentials
• Storage of sensitive application data on filesystem
• Apps (e.g.: banks) storing their images in the public folder rather than in their sandbox
• Applications logging to the system log, but sending sensitive app data along with it
Common vulnerabilities: Promiscuous client-side storage
Abuse case
• Application protected by voice password
• Password checked server side
• File was stored locally
• Retrieved the file from the file system
• Played the file back to itself
• Gained access
Common vulnerabilities: Promiscuous client-side storage
Be cautious of anything you save—anywhere—including on the client-side
• Ensure you’re using the platform-recommended solution to store credentials
• Ensure you use the Data Protection API to store any sensitive data; it will not be protected by default (see NSFileProtectionComplete in the developer documentation)
• Ensure you are storing everything from your app into the app sandbox so it cannot be read by other applications
• Check all logging functionality and note what you’re sending
• Observe your log files within the Xcode log viewer and ensure you are not storing anything sensitive
Common vulnerabilities: Failure to harden binaries
There are a number of binary defenses that developers are not implementing
• ASLR PIE (memory randomization)
• Stack Smashing Protection Enabled (Canary-based)
• Automatic Reference Counting (memory resources)
• Binary debug not disabled – User path information disclosure
• Developers are often contractors, and have customer names in paths
Common vulnerabilities: Failure to harden binaries
There are a number of binary defenses that developers are not implementing
Abuse case
• Found developer name in path
• Was no longer with company
• Checked Github
• Had all source available for apps
• Mobile and backend
• Led to complete compromise of server
Common vulnerabilities: Failure to harden binaries
Use all defenses possible to harden your binaries before release
• Ensure binary protections are in place
• Some are not security-specific, but improve the overall quality of your applications
• Ensure no information disclosure is present
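A release-time check for the first protection on that list (PIE), read straight from the Mach-O header, as an added example that is not from the deck; the header it is tested against is constructed, and the constants are the standard mach-o/loader.h values.

```python
"""Check the PIE (ASLR) flag in a Mach-O executable header.
Added example, not from the deck. PIE is recorded as MH_PIE in the
mach_header flags, so it can be verified from the first 28 bytes of the
image. Stack canaries and ARC need the symbol table (___stack_chk_guard,
_objc_release) and are outside this check. The sample header is constructed."""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE         # 32-bit header, LE / BE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE   # 64-bit header, LE / BE
MH_EXECUTE = 0x2                                    # filetype of a main executable
MH_PIE = 0x200000                                   # built with -pie (ASLR)
MH_ALLOW_STACK_EXECUTION = 0x20000                  # should never be set
CPU_TYPE_ARM64 = 0x0100000C
HEADER_FMT = "IiiIIII"                              # magic .. flags, 28 bytes


def parse_header(data):
    """Return (filetype, flags), or None if data is not a thin Mach-O image
    (for a fat/universal binary split the slices first and check each)."""
    if len(data) < 28:
        return None
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        order = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        order = ">"
    else:
        return None
    _, _, _, filetype, _, _, flags = struct.unpack(order + HEADER_FMT, data[:28])
    return filetype, flags


def hardening_report(data):
    """Header flags a reviewer cares about, as a dict of name -> bool."""
    parsed = parse_header(data)
    if parsed is None:
        raise ValueError("not a thin Mach-O image")
    filetype, flags = parsed
    return {
        "executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
        "stack_exec_allowed": bool(flags & MH_ALLOW_STACK_EXECUTION),
    }


def is_pie(data):
    report = hardening_report(data)
    if not report["executable"]:
        raise ValueError("MH_PIE only applies to MH_EXECUTE images")
    return report["pie"]


def build_header(flags, magic=MH_MAGIC_64, filetype=MH_EXECUTE):
    """Constructed sample header for exercising the check (not a real app)."""
    hdr = struct.pack("<" + HEADER_FMT, magic, CPU_TYPE_ARM64, 0, filetype, 0, 0, flags)
    if magic == MH_MAGIC_64:
        hdr += struct.pack("<I", 0)     # 64-bit header has a trailing reserved word
    return hdr
```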
Common vulnerabilities: Privacy violations
Many applications violate privacy without developers being aware
• Does the application access GeoLocation data?
• Does the application access the Address Book?
• Does the application access your Photos?
• If so, what is your app doing with this data?
• Does your application use analytics engines?
• If so, what does it send there? (UUID, app data?)
Common vulnerabilities: Privacy violations
Go with an absolute least-privilege approach
• Don’t access any data that could be considered private if you don’t need it
• There are applications out there that can evaluate what a given binary accesses (Appthority, HP Risker)
Common vulnerabilities: Assumption of web obscurity
A massive number of applications we see and compromise are compromised due to backend vulnerabilities
• Promiscuous web services
• Full SQL statements right in web service calls (saved money on MSSQL Server Manager)
• Blatant SQLi, XSS, CSRF, File Includes, etc.
• Many developers assume “who’s coming here?”
• The data stores are often shared!
• Shared hosting means compromise of multiple customers
Common vulnerabilities: Assumption of web obscurity
Harden your web backend as if the mobile app didn’t even exist
• Remember how easy it is to MiTM a mobile app
• Assume everyone can see your traffic
• This means they can see all the paths and parameters for your backend
• Assume attackers will come knocking
• Consider the risks of shared hosting, as others might not be taking these steps—even if you did
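A backend endpoint built the way the slide asks, as an added example that is not from the deck (Python with an in-memory SQLite table of constructed orders; the "SQL in the web service call" handler is included only for comparison with the hardened one):

```python
"""A backend order endpoint hardened as if the mobile app did not exist.
Added example, not from the deck: a constructed in-memory SQLite service.
orders_from_client_sql is the anti-pattern the slide describes; orders_for_user
is the hardened handler: fixed query, bound parameter, user id taken from the
authenticated session, and the one free-form input checked against a whitelist."""
import sqlite3

ALLOWED_SORT = {"id", "cents"}      # column names are not bindable; whitelist them


def make_db():
    """Constructed sample data so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, user_id INTEGER, item TEXT, cents INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                   [(1, 7, "widget", 1000), (2, 7, "gadget", 2500), (3, 9, "widget", 1000)])
    return db


def orders_from_client_sql(db, sql_from_request):
    """Anti-pattern: the statement comes from the client, so the backend
    executes whatever the request contains, for any user's rows."""
    return db.execute(sql_from_request).fetchall()


def orders_for_user(db, session_user_id, sort="id"):
    """Hardened handler. session_user_id must come from server-side session
    state established at login, never from a request parameter."""
    if sort not in ALLOWED_SORT:
        raise ValueError("invalid sort column")
    return db.execute(
        f"SELECT id, item, cents FROM orders WHERE user_id = ? ORDER BY {sort}",
        (session_user_id,),
    ).fetchall()


def order_detail(db, session_user_id, order_id):
    """Object-level access control: the row is looked up by id AND owner, so
    a guessed id belonging to another user returns nothing."""
    row = db.execute(
        "SELECT id, item, cents FROM orders WHERE id = ? AND user_id = ?",
        (int(order_id), session_user_id),
    ).fetchone()
    return row
```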
Takeaways
Takeaways
Security as an enabler vs. obstacle
• Formula 1 cars have brakes to allow them to go faster, not slower
• The business is able to move faster because security enables that flexibility to happen safely
• Try to frame your conversations around enabling safe agility vs. placing restrictions on it
Takeaways
It’s an interesting time for mobile security
• Everyone’s heading to mobile, and the attackers are following
• Mobile is on the leading edge of development, so mobile projects are especially susceptible to security shortcuts
• Most applications have major vulnerabilities that are easily found
Takeaways
Adopt the attacker mindset
• Don’t be afraid to look at your own apps using SCA and WebInspect. Classic security fundamentals apply!
• Think like an attacker and follow some basic steps to help you evaluate your own applications without much cost
• Assume the attacker has access to the device and visibility of all traffic going to and from the server, and code accordingly (learn from cryptography)
• As part of a threat modeling step, track your sensitive data through your app, from user to device to network to server; see where it’s vulnerable
• Don’t store PII if you don’t have to
HP Fortify on Demand
• Cloud-based application security testing
• Both static and dynamic testing, using automated and manual techniques
• Integrates with your SDLC and build environment to provide critical security checkpoint
• Single portal for code uploads and reviewing results
• Always hiring
• Test your apps for free at: https://fortifymyapp.com
Takeaways
Resources
iOS Security Guide: http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf
Android Security Guide: http://source.android.com/tech/security/
OWASP Mobile Top 10: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP SecLists Project: https://www.owasp.org/index.php/OWASP_SecLists_Project
Reach out
Daniel.Miessler@hp.com
Questions