The Mobile Threat Landscape

The Mobile Threat Landscape
Daniel Miessler, Principal Security Architect, HP Fortify
June 2013
Speaker notes: My name is [Name]. I work at HP as a [Title] in the Enterprise Security Products group. Today, we'll talk about application security: what it is, why it's needed, how to do it and what benefits you will see.
HP Confidential 1 April 2017

6 Ways to Build an Insecure Mobile Application
Daniel Miessler, Principal Security Architect, HP Fortify
June 2013

Agenda
- Introduction
- Why Mobile Security Matters
- Mobile Security Differences
- Attacker Perspective
- Common Mobile Vulnerabilities
- Takeaways
- Questions

Introduction
Daniel Miessler, CISSP, CISA, GCIA
Principal Security Architect, HP Fortify
- 10 years experience doing security testing
- 5 years experience doing appsec testing
- Web Application Vulnerability Assessments
- Mobile Application Vulnerability Assessments
- Application Security Process Development
- Enterprise Security Consulting
daniel.miessler@hp.com

Why Mobile Security Matters
Why is there a problem, and why do you need application security? Like all organizations, you've undoubtedly invested a lot of time and money attempting to insulate and protect your assets. Your networks are protected: firewalls are in nearly every device that connects to a network. Your servers are protected, thanks to advances in intrusion prevention systems. But your software applications are still largely unprotected and vulnerable. Companies believed that if you protect the perimeter (network and server), the software will be unreachable and therefore not breachable. However, that has not proven to be the case: software is the new entry point. Let's take a look at how…

Considerations | Mobile Traffic Increases
- Global mobile data traffic will increase 26-fold between 2010 and 2015
- There will be nearly one mobile device per capita by 2015 (~7 billion)
- Mobile payments will exceed 984 billion by 2014
Data from Smart Insights, Yankee Group 2012

Considerations | Mobile Ubiquity
- Mobile performance is becoming extraordinary
- Using a desktop (static) computer will become increasingly rare
- "Home computer" will come to mean better input and display options

Considerations | Mobile Ubiquity II
- Mobile computing will soon be known as "computing"
- Computing somewhere other than your mobile device will be the activity that requires a name
- Attackers follow the users

Considerations | Mobile Insecurity
- Mobile development is the hottest type of development right now
- New surface area equals dangerous surface area
- If anyone's going to put features over security to get the product out the door, it's likely to be a mobile team
- Many enterprise mobile developers haven't had the security training that other types of developers have had
- Many assume that because mobile back ends aren't visited directly they are more secure (obscurity assumption)

Mobile Security Differences

Mobile Security Differences Q: What’s the difference between “regular” security and mobile security?

Mobile Security Differences | Thick-client Testing
Diagram: Client -> Network -> Server
Languages shown across the diagram: ABAP, C/C++, Java, Objective C, Python, VB6, COBOL, Cold Fusion, XML, SQL, ASP.NET, VB.NET, C#, Classic ASP, HTML, Flex, JavaScript/AJAX, JSP, PHP, VBScript

Mobile Security Differences | Thick-client Testing: Client
- Credentials in memory
- Credentials on filesystem
- Data stored on filesystem
- Poor cert management

Mobile Security Differences | Thick-client Testing: Network
- Cleartext credentials
- Cleartext data
- Backdoor data
- Data leakage

Mobile Security Differences | Thick-client Testing: Server
- Injection Flaws
- Authentication
- Session Management
- Access Control
- Logic Flaws

Mobile Security Differences Q: What's the difference between this and mobile?

Mobile Security Differences | Mobile Security
The same diagram (Client -> Network -> Server, same languages) with the same issues at each tier:
- Client: Credentials in memory, Credentials on filesystem, Data stored on filesystem, Poor cert management
- Network: Cleartext credentials, Cleartext data, Backdoor data, Data leakage
- Server: Injection Flaws, Authentication, Session Management, Access Control, Logic Flaws

Mobile Security Differences A: Not much.

Mobile Security Differences | Expanded Mobile Risk
Two key differences:
- Magnified network vulnerability: your network traffic is more likely to be visible to others with a mobile device than at work or home
- Magnified physical vulnerability: as with most other types of computer, once the attacker has physical access, it's over

Attacker Perspective

Attacker Perspective Much of security comes down to seeing things from a different perspective, and mobile is no different

Attacker Perspective | What Users See
- Get Sales Data
- Get the username
- Get the password
- Edit my account
- Remember the User
- Generate Reports

Attacker Perspective | What Attackers See
- Insufficient Data Storage
- SQL Injection
- Data Leakage
- Cross Site Scripting
- Sensitive Information Disclosure
- Improper Session Handling
- Weak Server Side Controls
- Client Side Injection

Attacker Perspective | What Users See

Attacker Perspective | What Attackers See

Common Mobile Vulnerabilities, 2013 Edition
What problem are we solving?

Common Vulnerabilities | Most Apps Are Vulnerable
- Most high-scrutiny (see: previously hacked) mobile apps are decently secure now, but the next tier down still has many issues
- Evaluating any given application is likely to yield significant vulnerabilities
- The younger and more eager the shop, the higher the chance of issues

Common Vulnerabilities | OWASP
Open Web Application Security Project
- Thought leader in web security
- Runs many projects designed to help industry secure their applications: OWASP Top 10, Risk Rating Methodology, Vulnerability Prevention Cheat Sheets
- Our team is heading up the Mobile Top 10 2013
http://www.owasp.org/

OWASP Mobile Top 10 Risks
- M1 – Insecure Data Storage
- M2 – Weak Server Side Controls
- M3 – Insufficient Transport Layer Protection
- M4 – Client Side Injection
- M5 – Poor Authorization and Authentication
- M6 – Improper Session Handling
- M7 – Security Decisions via Untrusted Inputs
- M8 – Side Channel Data Leakage
- M9 – Broken Cryptography
- M10 – Sensitive Information Disclosure

Common Vulnerabilities | Real-world Perspective
- Definitely check out the OWASP Top 10, but this is more about what we're seeing in the wild
- We constantly test mobile applications from the top companies in the world, and these are the top categories of issue we find in those applications

Common Vulnerabilities | Real-world Results
Case study of 120 mobile applications for a single enterprise customer (results are typical)
66% of applications contained a critical or high vulnerability that either:
- Disclosed 1 or more users' personal data
- Compromised the backend system

Common Vulnerabilities | Logic Flaws
Logic flaws are due to faulty developer assumptions, i.e. not thinking like an attacker:
- Changing an arbitrary user's password
- Bypassing multi-step authentication
- Free product by skipping the payment step
- Product plus a refund by submitting a negative number
- Defeating a business limit by entering a high negative number
- Getting a bulk discount on only one item by modifying the cart manually afterwards

Common Vulnerabilities | Logic Flaw Defense
Logic flaws are avoided by performing exhaustive vulnerability assessments before going to production:
- Fully understand the anticipated flow of the application
- Assume the mind of the attacker
- Identify places where developers likely made assumptions
- Attempt to take advantage of those assumptions
- As a developer, think in terms of abuse vs. just regular use
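As an added example (this is not code from the presentation or from HP Fortify), here is what "not trusting the client" looks like on the backend for the logic flaws the two slides above list: quantities, order limits, the bulk discount and the payment step are all decided from server-side data, never from what the request claims. The catalogue, prices, limits and discount rate are constructed placeholders.

```python
# Added example: server-side checkout validation against the logic flaws on the
# slide. Catalogue, prices, limits and discount rate are constructed values.
from dataclasses import dataclass
from decimal import Decimal

# Constructed catalogue: unit price and the business limit per order.
CATALOGUE = {
    "widget": {"price": Decimal("10.00"), "order_limit": 100},
    "gadget": {"price": Decimal("25.00"), "order_limit": 20},
}
BULK_DISCOUNT_MIN_UNITS = 50        # bulk discount needs this many units of one SKU
BULK_DISCOUNT_RATE = Decimal("0.10")


class OrderError(ValueError):
    """Raised when a client-supplied order violates a server-side rule."""


@dataclass
class Order:
    lines: dict                      # sku -> quantity, exactly as the client sent it
    state: str = "cart"              # cart -> paid -> fulfilled; the server owns this
    total: Decimal = Decimal("0")


def validate_lines(lines):
    """Reject what a trusting developer assumes the client never sends."""
    if not lines:
        raise OrderError("empty order")
    for sku, qty in lines.items():
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku!r}")
        # Zero and negative quantities cover the 'product plus refund' and
        # 'defeat the limit with a large negative number' cases.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise OrderError(f"quantity for {sku} must be a positive integer")
        if qty > CATALOGUE[sku]["order_limit"]:
            raise OrderError(f"quantity for {sku} exceeds the order limit")


def price_order(lines):
    """Recompute the total from the catalogue; a client-side total is ignored.
    The discount is evaluated per line at pricing time, so editing the cart
    after a discount was shown cannot carry it over to a single item."""
    validate_lines(lines)
    total = Decimal("0")
    for sku, qty in lines.items():
        line = CATALOGUE[sku]["price"] * qty
        if qty >= BULK_DISCOUNT_MIN_UNITS:
            line -= line * BULK_DISCOUNT_RATE
        total += line
    return total


def pay(order, amount_charged):
    """Payment step: the server records the state transition, so a client
    that skips straight to fulfilment is refused."""
    if order.state != "cart":
        raise OrderError(f"cannot pay an order in state {order.state}")
    expected = price_order(order.lines)
    if amount_charged != expected:
        raise OrderError("charged amount does not match the server-side price")
    order.total = expected
    order.state = "paid"
    return order


def fulfil(order):
    if order.state != "paid":
        raise OrderError("order has not been paid")
    order.state = "fulfilled"
    return order


def ship_order(order, amount_charged):
    """Full flow: pay, then fulfil. Returns (ok, message)."""
    try:
        fulfil(pay(order, amount_charged))
        return True, f"shipped, total {order.total}"
    except OrderError as e:
        return False, str(e)


if __name__ == "__main__":
    for lines, paid in [({"widget": 2}, Decimal("20.00")),
                        ({"widget": -5}, Decimal("-50.00")),
                        ({"gadget": 21}, Decimal("525.00"))]:
        print(lines, "->", ship_order(Order(lines), paid))
```

Every rule lives in one place (the pricing and state functions), which is also where a tester following the "identify places where developers made assumptions" step would look first.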

Common Vulnerabilities | Poor TLS Implementations
Many mobile developers are allowing SSL communication with any host:
- Trusting any certificate it sees
- Allows expired certificates
- Allows trivial MiTM attacks
- Can connect to HTTPS once, and then fall back
- Once in the middle, attackers can model your app's functionality en route to breaking it

Common Vulnerabilities | Poor TLS Implementation
TLS protection has multiple levels of security:
- Ensure HTTPS is always enabled
- Attempt to match the name of the remote certificate
- Certificate pinning*
- Recognize that nothing is foolproof, and adjust according to your app's specific needs
* Remember that pinning was a defense against compromised CAs, not against MiTM
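The three levels on the slide, as an added example in Python's standard-library ssl module (not code from the presentation; a mobile app would do the same with its platform's TLS API): refuse non-HTTPS URLs, keep chain and hostname verification on, and compare the leaf certificate against a pin set after those checks pass. The hostname and pin values are constructed placeholders, and the permissive context is kept only so the audit helper has the "trust any certificate" pattern to catch.

```python
# Added example: the slide's TLS levels for a Python HTTPS client.
# Hostname and pin values are constructed placeholders.
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

# Level 3: pins as SHA-256 over the server's DER-encoded certificate.
# Placeholder value; a deployment pins its own leaf (or SPKI) hashes and keeps
# a backup pin so certificate rotation does not lock users out.
PINNED_CERT_SHA256 = {
    "api.example.test": {"0" * 64},
}


def require_https(url):
    """Level 1: only HTTPS, so a 'connect once over HTTPS and then fall back'
    path cannot exist. Returns the hostname to connect to."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return parts.hostname


def hardened_context():
    """Level 2: verify the chain against the trust store and match the
    hostname. create_default_context() already sets both; re-asserting them
    makes a later 'quick fix' that disables verification visible in review."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_context():
    """The anti-pattern from the slide: accepts any certificate for any host,
    expired or not. Present here only as input for is_weak_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_weak_context(ctx):
    """Audit helper: True if the context would accept any certificate."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def cert_fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(hostname, der_cert, pins=PINNED_CERT_SHA256):
    """Level 3: compare the leaf certificate against the pin set. Only
    meaningful after the chain and hostname checks have already passed."""
    expected = pins.get(hostname)
    if not expected:
        raise ValueError(f"no pin configured for {hostname}")
    return cert_fingerprint(der_cert) in expected


def open_pinned_socket(url, pins=PINNED_CERT_SHA256, timeout=10):
    """All three levels applied to a live connection (needs network)."""
    hostname = require_https(url)
    ctx = hardened_context()
    raw = socket.create_connection((hostname, 443), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    der = tls.getpeercert(binary_form=True)
    if not check_pin(hostname, der, pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pin")
    return tls


if __name__ == "__main__":
    print("hardened weak?", is_weak_context(hardened_context()))
    print("permissive weak?", is_weak_context(permissive_context()))
```

Note the ordering in open_pinned_socket: pinning is layered on top of verification, not used instead of it, which is the distinction the footnote on the slide makes.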

Common Vulnerabilities | Promiscuous Client-side Storage
Perhaps the most abused functionality is client-side storage:
- Storage of credentials in plist files and SQLite databases
- Failure to use the KeyChain to store credentials
- Storage of sensitive application data on the filesystem
- Apps (e.g. banks) storing their images in the public folder rather than in their sandbox
- Applications logging to the system log, but sending sensitive app data along with it

Common Vulnerabilities | Promiscuous Client-side Storage
- Be cautious of anything you save, anywhere, including on the client side
- Ensure you're using the platform-recommended solution to store credentials
- Ensure you are storing everything from your app in the app sandbox so it cannot be read by other applications
- Check all logging functionality and note what you're sending
- Observe your log files within the Xcode log viewer and ensure you are not storing anything sensitive

Common Vulnerabilities | Promiscuous Client-side Storage Q: What data on your iOS device is protected by the built-in encryption, i.e. the passcode?

Common Vulnerabilities | Promiscuous Client-side Storage A: By default, only email and texts. In other words, most application data being stored on an iOS device is available to anyone who steals your phone—even if it is locked and has a passcode.

DEMO: Common Vulnerabilities | Promiscuous Client-side Storage
- Corporate-issued iPhone
- Latest software (6.1.4)
- Not jailbroken
- Locked with passcode

Common Vulnerabilities | Promiscuous Client-side Storage
- Be cautious of anything you save, anywhere, including on the client side
- Ensure you're using the platform-recommended solution to store credentials
- Ensure you use the Data Protection API to store any sensitive data; it will not be protected by default (see NSFileProtectionComplete in the developer documentation)
- Ensure you are storing everything from your app in the app sandbox so it cannot be read by other applications
- Check all logging functionality and note what you're sending
- Observe your log files within the Xcode log viewer and ensure you are not storing anything sensitive
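For the "check all logging functionality" and "observe your log files" steps above, here is an added example (not from the presentation) of a review helper: it scans console output the way a tester reads a device log dump, flags lines that carry credentials, tokens, e-mail addresses, card numbers or location data, and shows a logging formatter that redacts those values before they reach any log. The sample log lines are constructed.

```python
# Added example: flag and redact sensitive values in application log output.
# The sample log lines are constructed for this example.
import logging
import re

# Patterns that mark a log line as leaking something that should not be logged.
SENSITIVE_PATTERNS = {
    "password": re.compile(r"(?i)\b(pass(word)?|pwd)\s*[=:]\s*\S+"),
    "token": re.compile(r"(?i)\b(token|session(id)?|bearer)\s*[=:]\s*[A-Za-z0-9._-]{8,}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "location": re.compile(r"(?i)\b(lat|lon|latitude|longitude)\s*[=:]\s*-?\d+\.\d+"),
}


def audit_log_lines(lines):
    """Return [(line_no, [kinds])] for every line carrying sensitive data."""
    findings = []
    for n, line in enumerate(lines, 1):
        kinds = [kind for kind, pat in SENSITIVE_PATTERNS.items() if pat.search(line)]
        if kinds:
            findings.append((n, kinds))
    return findings


def redact(message):
    """Replace each sensitive value with a marker; the rest of the line is kept
    so the log stays useful for debugging."""
    out = message
    for kind, pattern in SENSITIVE_PATTERNS.items():
        out = pattern.sub(f"<{kind} redacted>", out)
    return out


class RedactingFormatter(logging.Formatter):
    """Attach to the app's log handler so redaction is not left to each call site."""

    def format(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return super().format(record)


SAMPLE_LOG = [  # constructed lines in the style of an app console dump
    "2013-06-01 10:00:01 LoginViewController: attempting login for user=jdoe password=Summer2013!",
    "2013-06-01 10:00:02 NetworkClient: GET /api/sales?token=abcd1234efgh5678 status=200",
    "2013-06-01 10:00:03 ReportView: rendered 14 rows",
    "2013-06-01 10:00:04 LocationService: lat=37.7749 lon=-122.4194",
]


if __name__ == "__main__":
    for n, kinds in audit_log_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(kinds)}")
    log = logging.getLogger("demo")
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info(SAMPLE_LOG[0])
```

Run audit_log_lines over a captured console log during testing; install RedactingFormatter in the app so the same patterns are enforced at the source rather than caught after the fact.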

Common Vulnerabilities | Failure to Harden Binaries
There are a number of binary defenses that developers are not implementing:
- ASLR / PIE (memory randomization)
- Stack Smashing Protection enabled (canary-based)
- Automatic Reference Counting (memory resources)
- Binary debug not disabled
- User path information disclosure

Common Vulnerabilities | Failure to Harden Binaries
- Use all defenses possible to harden your binaries before release
- While some are not critical security issues, they can still have an impact on the overall quality of your application

Common Vulnerabilities | Privacy Violations
Many applications violate privacy without developers being aware:
- Does the application access GeoLocation data?
- Does the application access your Address Book?
- Does the application access your Photos?
- If so, what is your app doing with this data?
- Does your application use analytics engines? If so, what does it send there? (UUID, app data?)

Common Vulnerabilities | Privacy Violations
- Go with an absolute least-privilege approach
- Don't access any data that could be considered private if you don't need it
- There are applications out there that can evaluate what a given binary accesses (AppAuthority, HP Risker)

Common Vulnerabilities | Assumption of Web Obscurity
A massive number of the applications we see are compromised through backend vulnerabilities:
- Promiscuous web services
- Full SQL statements right in web service calls (saved money on MSSQL Server Manager)
- Blatant SQLi, XSS, CSRF, File Includes, etc.
- Many developers assume "who's coming here?"
- The datastores are often shared! Shared hosting means compromise of multiple customers

Common Vulnerabilities | Assumption of Web Obscurity
- Harden your web backend as if the mobile app didn't even exist
- Remember how easy it is to MiTM a mobile app
- Assume everyone can see your traffic; this means they can see all the paths and parameters for your backend
- Assume attackers will come knocking
- Consider the risks of shared hosting, as others might not be taking these steps, even if you did
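As an added example (not code from the presentation), here is the "harden the backend as if the mobile app didn't exist" principle applied to the "full SQL statements in web service calls" pattern from the previous slide: the rejected design runs whatever SQL the request carries, while the hardened handler accepts only a named operation, uses parameterised queries, and takes the user identity from the server's own authenticated session rather than from the request. The schema, rows and request shapes are constructed, and the example assumes the caller has already been authenticated.

```python
# Added example: a backend request handler that does not rely on the mobile
# app being the only client. Schema, data and request shapes are constructed.
import re
import sqlite3


def build_db():
    """Constructed sample data so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("CREATE TABLE sales (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")])
    db.executemany("INSERT INTO sales VALUES (?, ?, ?)",
                   [(1, 1, 120.0), (2, 1, 80.0), (3, 2, 45.5)])
    return db


def insecure_handler(db, request):
    """The pattern the slide warns about: the client supplies the SQL and the
    service runs it. Anyone who can see the traffic can send their own
    statement, so every table is readable by every caller."""
    return db.execute(request["sql"]).fetchall()


# Allow-listed operations: the client names one and supplies nothing else.
OPERATIONS = {
    "sales_for_user": "SELECT id, amount FROM sales WHERE user_id = ? ORDER BY id",
    "user_profile": "SELECT id, name FROM users WHERE id = ?",
}
USER_ID_RE = re.compile(r"^[1-9]\d{0,9}$")


def hardened_handler(db, request, authenticated_user_id):
    """Run a named operation for the authenticated user only.

    The user id comes from the server-side session (assumed to be established
    before this is called), not from the request body, so editing a parameter
    cannot fetch another user's rows, and the statement text never changes."""
    op = request.get("op")
    if op not in OPERATIONS:
        return {"error": "unknown operation"}
    if not USER_ID_RE.match(str(authenticated_user_id)):
        return {"error": "invalid user id"}
    rows = db.execute(OPERATIONS[op], (int(authenticated_user_id),)).fetchall()
    return {"rows": rows}


if __name__ == "__main__":
    db = build_db()
    print(hardened_handler(db, {"op": "sales_for_user"}, 1))
    print(hardened_handler(db, {"op": "sales_for_user"}, 2))
    print(hardened_handler(db, {"op": "export_all"}, 1))
```

The hardened handler would look the same if the only client were a browser, which is the point: nothing about it depends on the mobile app's paths and parameters staying unseen.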

Takeaways

Takeaways
- It's an interesting time for mobile security
- Everyone's heading to mobile, and the attackers are following
- Mobile is on the leading edge of development, so mobile projects are especially susceptible to security shortcuts
- Most non-scrutinized applications have major vulnerabilities that are easily found

Takeaways
- Think like an attacker and follow some basic steps to help you evaluate your own applications without much cost
- Assume the attacker has access to the device and visibility of all traffic going to and from the server, and code accordingly (learn from cryptography)
- As part of a threat modeling step, track your sensitive data through your app, from user to device to network to server; see where it's vulnerable
- Don't store PII if you don't have to

Takeaways
- Remember that you must explicitly use the Data Protection APIs, otherwise your data will still be available to a thief
- Don't be intimidated by "mobile" security; the fundamentals are the same
- Use industry-tested methods for implementing security; be extremely wary of DIY solutions for input validation, encryption, authentication, etc.
- Take advantage of the resources available to help you, e.g. platform secure coding guides, OWASP, etc.

Takeaways | Resources
- iOS Security Guide: http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf
- Android Security Guide: http://source.android.com/tech/security/
- OWASP Mobile Top 10: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
- OWASP iOS Developer Cheat Sheet: https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

Thank You
daniel.miessler@hp.com