Booz Allen Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102
www.boozallen.com
September 22, 2015
Bill Cerniuk
810 Vermont Ave, NW
Washington, DC 20420
Re: PTGenie AppCritique Security Report Findings
This letter and the attached report are intended to address the Pass rating that was assigned to the above-mentioned app by Booz Allen Hamilton on the Analytics and Project Coordination Support contract, as assessed by AppCritique v2.7.3 on 21 September, 2015.
Based on a technical evaluation of the software, an overall evaluation of Pass has been assessed for PTGenie for the following reasons:
• Stores as little sensitive information as possible to achieve the functionality of the app
• Does not obscure sensitive information from screenshots
We recommend that the VA contact the vendor in question to provide feedback that the two PDF files used to
print documents from this app should be raised to a higher file protection level, and deleted immediately upon
print completion. We will be happy to provide additional details upon the VA’s request.
Specific details around the findings can be found in the subsequent report.
Regards,
Travis Hoffmann
Booz Allen Hamilton
AppCritique Security Report
PTGenie
Ver: 1.5
App Metadata
Version: 1.5
Developer: PTGENIE, Inc
Package Name: com.ptgenie.PTGenie
Platform: iOS
iTunes App Store Link: https://itunes.apple.com/us/app/id493710707
Executive Summary and Overall Security
Overall Evaluation for Use Recommendation: Pass
PTGenie is designed to be used by physical therapists during therapy sessions and to send exercise instructions
to patients between visits. The patient information that this app stores is limited to the last patient report
printed. In rare scenarios this stored information could lead to the exposure of the latest evaluation report, if a
determined attacker were able to gain the device's trust (for example, a trusted computer pairing) or obtain a backup of the device.
The more red there is, the more security risk present in the app. Each peak indicates a Not Present, Warn, or Present
value for a specific check.
Potential Attack Vectors
Here the checks are categorized into common mobile attack vectors.
Overall Evaluation Results
Area of Concern | Risk Rating | Summary of Findings
Code Vulnerability | Low Risk | Contains C functions that require input validation.
Data Storage | Medium Risk | Stores the last written patient evaluation with low file protections; does not obscure sensitive information from screenshots.
Networking | Low Risk | Sends device fingerprinting information to the TestFlight analytics network (now owned by Apple).
Functionality
Functionality Present
Name | Explanation
Low Level System Calls | This app includes a low-level system call that can be used to monitor processes running on the device.
Functionality Not Found
Address Book, Apple Maps, Apple Pay, Background Modes, Beacon, Bluetooth, Calendar, Camera, Core Motion,
External Accessories, Geofencing, HealthKit, Home Automation, In-App Purchases, Keyboard Cache, Keychain,
Location, Microphone, Passbook, Photos, Private VPN, Remote Notifications, SMS, Social Networking,
Telephony, Touch ID, Visits, iCloud
Code Vulnerability
Findings
Analysis of PTGenie suggests a low level of risk is associated with code vulnerabilities. A low level of risk
indicates that no significant vulnerabilities were found. PTGenie contains C functions that require input
validation.
This app contains C functions that require input validation, such as printf, strcpy, strcat, and snprintf. These
functions may be vulnerable to buffer overflow or format string attacks if their input is not properly validated.
This flaw does not significantly weaken the security of the app. Even if the input to the included C functions is not
properly validated, these functions are unlikely to lead to exploitation. The low risk for the code vulnerability section
is justified based on these findings.
Checks Conducted
Check | Result | Explanation
Weak Access Control | Not Present | No weak access control was detected.
Functions Require Input Validation | Warn | App uses C functions that require input validation. App may be vulnerable to formatting or injection vulnerabilities.
Lacks Binary Protections | Not Present | App was compiled with binary protections.
App Includes Unnecessary Functionality | Not Present | No unnecessary code detected.
App Alters OS Permissions | Not Present | iOS apps cannot alter OS permissions.
Contains Known Malware | Not Present | App has been vetted by Apple's review process, and does not contain any known malware.
Data Storage
Findings
Analysis of PTGenie suggests a medium level of risk associated with data storage. A medium level of risk
indicates that the app stores sensitive information that may be accessed by a determined attacker. PTGenie
stores documents and database files that potentially contain sensitive information stored with low file
protection values. It also does not obscure sensitive information from automatic OS screenshots.
PTGenie stores two PDF documents for printing purposes. These documents are stored with a low file protection
value. A low file protection value means that these files are unprotected after the first time the user unlocks the
device upon turning it on. One document stores evaluations filled out by the physical therapist, which include
the patient's name, insurance carrier, medical record number, date and time of the appointment, findings,
treatment assessment, and therapy plan. Depending upon the type of evaluation filled out, additional
information about the patient's condition could be included with the same identifying information. Only one of
these documents is stored by the app at a time, which limits the amount of information at risk from this app.
This information could then be accessible to a determined attacker. These issues can be avoided entirely if a
user prints blank reports and fills them out by hand, or fills out only the PHI or only the PII on each
form. Another option is that, after printing a report, the user can open another blank file and navigate to the
printing page in order to clear this stored information.
PTGenie provides the option to save custom exercise instructions that can be given to the patient. Therapists
should be aware not to include any patient PII when filling out custom exercises as this information may be
accessible to a determined attacker.
This app does not scrub sensitive information from automatic OS screenshots. This means that if a user were to
leave an evaluation form up when they hit the home button, the information discussed above could be
accessible to a determined attacker.
These flaws may allow a determined attacker to gain access to the last filled out evaluation report, and any
custom exercises. While PTGenie limits the amount of information it stores at any time, this information should
be stored with a higher file protection value, and cleared as soon as the information is no longer useful
(immediately after printing). PTGenie should also scrub automatic OS screenshots of any sensitive information.
The medium risk for data storage is justified based on these findings.
Checks Conducted
Check | Result | Explanation
Security Information Found Outside Keychain | Not Present | No security information was found outside the Keychain.
Sensitive Information Vulnerable | Present | User PII, PHI, or other sensitive information is stored with default or lower file protections. This information is more easily accessible if the device were stolen.
Uses MD5 Hashing Algorithm | Warn | App uses the MD5 hashing algorithm. MD5 is considered weak if used for security purposes.
App Writes Sensitive Information to Media Directory | Not Present | App does not write to the media directory.
Sensitive Information Found in App Artifacts | Present | Sensitive information is stored in caches, screenshots, or logs. These artifacts can reveal sensitive information.
Networking
Findings
Analysis of PTGenie suggests a low level of risk associated with networking. A low level of risk indicates that an
app does not communicate sensitive information over the network, or that the sensitive information is
protected in transit. PTGenie sends device fingerprinting and app usage information to the TestFlight and BugSense
analytics networks. During testing this information appeared to be for device identification and app use times.
This information was sent over HTTPS to the analytics network servers.
Analytics Network
PTGenie uses the TestFlight analytics network. The information sent includes device model, OS version, mobile
carrier, app use times, and whether the device is jailbroken. This information appears to be used for device
identification purposes and app usage statistics. This information is sent over HTTPS.
PTGenie also uses the BugSense analytics network. The information sent includes device model, OS version,
language setting, and time. This information is sent over HTTPS.
Checks Conducted
Check | Result | Explanation
Sensitive Information Vulnerable in Transit | Not Present | No vulnerable sensitive information was detected in transit.
Sensitive Cookies Insecure | Not Present | All cookies use secure flags, or no cookie was found.
Non-Standard Protocol Use | Not Present | No unusual port or protocol activity was detected.
Sensitive Information Transmitted To Third Parties | Not Present | No sensitive information was detected in transit to a third party.
Unnecessary Sensitive Information Transmitted | Not Present | No unnecessary sensitive information was detected in transit.
Sensitive Data Synchronized to Cloud | Not Present | No sensitive information was detected synchronizing to the cloud.
Downloads Executable Code | Not Present | App does not download executable code.
Connection Summary
Network Type | Connections | Country Code
Ad Networks | (none listed) |
Analytics Networks | BugSense, TestFlight |
Social Networks | (none listed) |
Cloud Networks | (none listed) |
Distribution Networks | (none listed) |
Web Connections | (none listed) |
Code Libraries | (none listed) |
* If country code is not provided it could not be determined.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com.
Hard-Coded Strings Found
Embedded IPs | Country Code
(none listed) |
Embedded URLs | Country Code
http://alt.bugsense.com | US
http://testflightapp.com | AU
http://www.documill.com | FI
https://sdk.testflightapp.com | *
https://testflightapp.com | AU
https://www.bugsense.com | US
www.testflightapp.com | AU
Embedded Emails
support@testflightapp.com
Recommendations and Remediation
The following are suggested changes that would be required for this app to pass a DISA review, a standard DISA
review (not based on the assumptions outlined in the App Testing Working Assumptions Doc), or to improve
security.
Action # | Explanation
1 | The evaluationForm.pdf and printPreview.pdf should be stored with a file protection value of at least NSFileProtectionCompleteUnlessOpen, as this will assist in protecting the information contained within these files. These files should also be deleted as soon as the printing of the documents is confirmed. This will ensure the patient data entered into these documents will not be accessible after the printing of the document is complete.
2 | iOS automatically takes a screenshot each time the app is sent from the foreground to the background. To obscure sensitive information from these screenshots, register a callback to UIApplicationWillResignActiveNotification that hides the sensitive information on the screen.
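One way to implement both actions, and the file-protection change discussed under Data Storage findings, in Swift. This is an added example written for this report, not PTGenie's own code; the PrintableReport and SnapshotShield names are hypothetical, and the example assumes the PDFs are written to the app's Caches directory and handed to UIPrintInteractionController.

```swift
import UIKit

// Action 1 (hypothetical helper; added example, not PTGenie code).
enum PrintableReport {
    // Write the PDF so it stays encrypted whenever the device is locked and the file
    // is not open (.completeFileProtectionUnlessOpen = NSFileProtectionCompleteUnlessOpen).
    static func writeProtected(_ pdf: Data, name: String) throws -> URL {
        let dir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)[0]
        let url = dir.appendingPathComponent(name) // e.g. "evaluationForm.pdf"
        try pdf.write(to: url, options: [.atomic, .completeFileProtectionUnlessOpen])
        return url
    }
    // Present the system print dialog and delete the file in the completion
    // handler (success, cancel or error) so patient data does not linger on disk.
    static func printAndDelete(_ url: URL) {
        let controller = UIPrintInteractionController.shared
        let info = UIPrintInfo(dictionary: nil)
        info.outputType = .general
        info.jobName = url.lastPathComponent
        controller.printInfo = info
        controller.printingItem = url
        _ = controller.present(animated: true) { _, _, _ in
            try? FileManager.default.removeItem(at: url)
        }
    }
}

// Action 2 (hypothetical helper): cover the window before iOS takes the backgrounding
// snapshot. willResignActiveNotification is the Swift name of the notification above.
final class SnapshotShield {
    private let window: UIWindow
    private var cover: UIView?

    init(window: UIWindow) {
        self.window = window
        let nc = NotificationCenter.default
        nc.addObserver(self, selector: #selector(hide), name: UIApplication.willResignActiveNotification, object: nil)
        nc.addObserver(self, selector: #selector(reveal), name: UIApplication.didBecomeActiveNotification, object: nil)
    }
    @objc private func hide() {
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .white // opaque, so the snapshot shows no form content
        window.addSubview(view)
        cover = view
    }
    @objc private func reveal() {
        cover?.removeFromSuperview()
        cover = nil
    }
}
```

Keep a SnapshotShield instance alive for the app's lifetime (for example, owned by the app delegate) so the observers stay registered.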
Screenshots
Standards Mapping
Check Category | Check Name | Result | MAPP-SRG | OWASP Mobile Top 10 2014 | HIPAA
App Alters OS Permissions | App Alters Operating System Permissions | Not Present | SRG-APP-000033-MAPP-00010 | |
App Includes Unnecessary Functionality | Found Linked Frameworks not Directly Used by App | Not Present | SRG-APP-000033-MAPP-00012, SRG-APP-000141-MAPP-00031 | M10 |
App Writes Sensitive Information to Media Directory | Sensitive Information Found in Media Directory | Not Present | SRG-APP-000243-MAPP-00049 | M4 |
Contains Known Malware | App Contains Known Malware | Not Present | SRG-APP-999999-MAPP-00077 | |
Downloads Executable Code | Downloads and Executes JavaScript Without User Permission | Not Present | SRG-APP-000022-MAPP-00009 | M7 |
Functions Require Input Validation | Uses C Functions That Require Input Validation | Warn | SRG-APP-000251-MAPP-00054, SRG-APP-999999-MAPP-00069 | M7 |
Lacks Binary Protections | App is not Compiled with Automatic Reference Counting | Not Present | SRG-APP-999999-MAPP-00069 | M10 |
Lacks Binary Protections | App is not Compiled With PIE (Position Independent Executable) Protection | Not Present | SRG-APP-999999-MAPP-00069 | M10 |
Lacks Binary Protections | App is not Compiled with Stack Smashing Protection | Not Present | SRG-APP-999999-MAPP-00069 | M10 |
Non-Standard Protocol Use | Sensitive Data Found on Non-Standard Port/Protocol | Not Present | | M3 | 164.312(c)(2)
Security Information Found Outside Keychain | Files Contain Sensitive Information | Present | SRG-APP-000196-MAPP-00042 | M2, M5 |
Security Information Found Outside Keychain | Social Networking Token Found | Not Present | | M2 |
Sensitive Cookies Insecure | Sensitive Cookies Lack Security Attributes | Not Present | SRG-APP-000129-MAPP-00029, SRG-APP-999999-MAPP-00066 | |
Sensitive Data Synchronized to Cloud | Sensitive Data Synchronized to Cloud Without User Consent | Not Present | SRG-APP-999999-MAPP-00066 | |
Sensitive Information Found in App Artifacts | Sensitive Information Found in NSLog | Not Present | | M4 |
Sensitive Information Found in App Artifacts | Sensitive Information not Obscured in Screenshots | Present | | M4 |
Sensitive Information Found in App Artifacts | Sensitive Information Found in URL Cache | Not Present | | M4 |
Sensitive Information Transmitted To Third Parties | Sensitive Information is Transmitted to a Third Party | Not Present | SRG-APP-999999-MAPP-00075 | M4 |
Sensitive Information Vulnerable | No or Insufficient Default File Protection is Specified | Present | SRG-APP-000196-MAPP-00042 | M5 | 164.312(a)(2)(iv)
Sensitive Information Vulnerable | Sensitive Information Contained in Files with Low Protection Levels | Present | SRG-APP-000196-MAPP-00042 | M2 | 164.312(c)(2)
Sensitive Information Vulnerable | Files Contain Sensitive Information | Present | SRG-APP-000196-MAPP-00042 | M2, M5 |
Sensitive Information Vulnerable | PList Files Contain Sensitive Information | Not Present | SRG-APP-000196-MAPP-00042 | M4 |
Sensitive Information Vulnerable | SQLite Files Contain Sensitive Information | Warn | SRG-APP-000196-MAPP-00042 | M2 |
Sensitive Information Vulnerable | UIPasteBoard Leaks Sensitive Information | Present | SRG-APP-000243-MAPP-00049 | M7 | 164.312(c)(2)
Sensitive Information Vulnerable in Transit | Sensitive Data Found on Non-Standard Port/Protocol | Not Present | | M3 | 164.312(c)(2)
Sensitive Information Vulnerable in Transit | Sensitive Data is Unencrypted in Transit | Not Present | SRG-APP-000264-MAPP-00057 | M3 | 164.312(a)(2)(iv), 164.312(e)(2)(ii)
Sensitive Information Vulnerable in Transit | Weak Authentication of SSL Certificates | Not Present | SRG-APP-000264-MAPP-00057 | M3 | 164.312(a)(2)(iv), 164.312(e)(2)(ii)
Unnecessary Sensitive Information Transmitted | Unnecessary Sensitive Information Transmitted | Not Present | SRG-APP-999999-MAPP-00075 | M4 |
Uses MD5 Hashing Algorithm | Uses MD5 Hashing Algorithm | Warn | | M6 | 164.312(a)(2)(iv), 164.312(e)(2)(ii)
Weak Access Control | Files from Different Users are Encrypted Separately (Applies When App is Intended for Use by Multiple Users) | Not Present | SRG-APP-000192-MAPP-00038, SRG-APP-000193-MAPP-00039, SRG-APP-000194-MAPP-00040, SRG-APP-000195-MAPP-00041 | M5 | 164.312(a)(2)(iv), 164.312(c)(2), 164.312(d), 164.312(e)(2)(i)
Weak Access Control | "Remember Me" Sessions Enabled by Default | Not Present | SRG-APP-000129-MAPP-00029, SRG-APP-999999-MAPP-00066 | M5 | 164.312(a)(2)(iii), 164.312(e)(2)(i)
Weak Access Control | Social Networking Token Found | Not Present | | M2 |
Weak Access Control | Uses Falsifiable Values for Authentication | Not Present | SRG-APP-999999-MAPP-00070 | M5 | 164.312(a)(2)(i), 164.312(d), 164.312(e)(2)(i)