© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Top 10 ways attackers target your mobile apps Presented from the Bad Guy Lair
How mobile developers see the mobile world
• Get the username
• Get the password
• Remember the user
• Get sales data
• Edit my account
• Generate reports
How an attacker sees the mobile world
• SQL injection
• Cross site scripting
• Improper session handling
• Data leakage
• Sensitive information disclosure
• Weak server-side controls
• Client-side injection
• Insufficient data storage
OWASP Mobile Top 10 Risks
M1 – Insecure data storage
  • SQLite
  • Logging
  • Plist files
  • Manifest files
  • Binary data stores
  • SD card storage
M2 – Weak server side controls
  • Everything in the OWASP Top 10
M3 – Insufficient transport layer protection
  • Insecure SSL encryption
  • Unsigned and unforced certificate validation
M4 – Client-side injection
  • SQLite injection
  • XSS via WebView
  • LFI
M5 – Poor authorization and authentication
  • Poor password complexity
  • Account disclosure via Login or Forgot Password
M6 – Improper session handling
  • Indefinite sessions
  • Weak cookie “hashing”
  • Home rolled session management
  • Using phone ID as part of session
M7 – Security decisions via untrusted inputs
  • Inter-process communication
  • Android intents
  • iOS URL schemes
M8 – Side channel data leakage
  • Keystroke logging
  • Screenshot caching
  • Logs
  • Temp files
M9 – Broken cryptography
  • Bad crypto
  • Encoding/obfuscation/serialization != encryption
M10 – Sensitive information disclosure
  • Hardcoded secrets! API keys, server-side database passwords, etc.
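The SQLite injection listed under M4 (and the SQLi that M2 inherits from the web Top 10) comes down to one habit: building a query by string concatenation. The following is an added example, not code from the presentation or from HP Fortify. It uses Python's built-in sqlite3 module because the point is the query, not the platform; the notes table, the two sample rows and the helper names are assumptions constructed for the demo. The same concatenation-versus-binding contrast applies to Android's SQLiteDatabase and iOS sqlite3 wrappers.

```python
"""Client-side SQLite injection (OWASP Mobile M4) beside the parameterized fix.

Added example, not from the original presentation. A constructed in-memory
database holds two users' notes; the app's "search my notes" lookup is shown
once built by concatenation and once with bound parameters.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample store: a local notes table with two owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice private note"), ("bob", "bob private note")],
    )
    conn.commit()
    return conn


def notes_vulnerable(conn: sqlite3.Connection, owner: str, search: str) -> list:
    """String-built query: a quote inside `search` rewrites the WHERE clause,
    so the owner filter can be switched off and every user's rows come back."""
    sql = ("SELECT body FROM notes WHERE owner = '" + owner
           + "' AND body LIKE '%" + search + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def notes_safe(conn: sqlite3.Connection, owner: str, search: str) -> list:
    """Bound parameters: the driver passes `search` as data, so the same
    input is only ever a (non-matching) LIKE pattern, never SQL."""
    sql = "SELECT body FROM notes WHERE owner = ? AND body LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (owner, "%" + search + "%")))


if __name__ == "__main__":
    db = make_db()
    probe = "%' OR '%'='"          # classic quote-breaking test string
    print("concatenated:", notes_vulnerable(db, "alice", probe))
    print("parameterized:", notes_safe(db, "alice", probe))
```

On a device the local database is fully readable anyway once the handset is rooted or jailbroken, so the real damage of M4 is usually logic bypass inside the app (another user's cached records, an unlocked feature flag) rather than data theft; parameter binding closes it regardless of where the input originates (UI field, intent extra, URL scheme argument).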
What’s the real world perspective? OWASP Mobile Top 10 is important, but are these seen in the wild?
Case study
120 mobile applications tested for a single enterprise customer
• 234 unique vulnerabilities
• 66% of apps contained a critical or high vulnerability that either:
  – Disclosed 1 or more users’ personal data
  – Compromised the backend system
[Chart: number of vulnerabilities by severity (Critical, High, Medium, Low, Informational); y-axis 0–90]
Two more scary case studies
Automotive case study
1. Found developer name during binary analysis
2. Was no longer with company
3. Checked GitHub
4. Had all source available for apps
5. Mobile and backend
6. Led to complete compromise of server
Attack categories: Client attacks, Critical info disclosure, Binary analysis
Industrial case study
1. Application protected by voice password
2. Password checked server side
3. File was stored locally
4. Retrieved the file from the file system
5. Played the file back to itself
6. Gained access
Attack categories: Client attacks, Security bypass, Runtime attacks, Sensitive file artifact, File system analysis
Some ways to avoid the mistakes
Some secure mobile development advice
• Remember that mobile sites face the Internet as well; obscurity != security
• Start with risk profiling and exposure (deployed apps)
• Give developers guidance and resources
• Don’t store it (PII) at all if you don’t need to
• Deploy a contract that enforces coding based on secure mobile dev standards when using 3rd party dev teams
• Mobile Device Management (MDM) is not a substitute for secure code
• Finally, don’t be intimidated by “mobile;” the same fundamentals are still in play
Test all the things!
Hit all 3 mobile tiers
Client
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management
Network
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage
Server
• SQLi
• XSS
• LFI
• Authentication
• Session management
• Logic flaws
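The client-tier checks above ("credentials on filesystem", "data stored on filesystem") and the M1/M9/M10 notes earlier in the deck (SQLite, plist and log storage; encoding != encryption; hardcoded API keys) can be exercised with one file-system pass over an app's data directory. The script below is an added example, not code from the presentation or from HP Fortify. It constructs a throwaway sandbox containing the three mistakes, then scans it: SQLite tables and plist keys whose names look secret-bearing are reported, log lines with `token=`/`password=` are reported, and any value that is merely base64 is decoded in place so the report shows that encoding gave no protection. The directory layout, file names, keyword list and sample values are all assumptions.

```python
"""Client-tier storage check for a mobile app sandbox (OWASP Mobile M1/M9/M10).

Added example, not from the original presentation. Walks a directory the way
a tester walks an app's data directory and reports secrets at rest.
"""
import base64
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that should never hold a plaintext value on the device (assumed list).
SECRET_KEYS = re.compile(r"(pass(word)?|secret|token|api[_-]?key)", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(value: str):
    """Return the decoded text when `value` is base64 of printable text, else None."""
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw if raw.isprintable() else None


def record(findings: list, path: str, key: str, value: str) -> None:
    """Append one finding; base64 is decoded and labelled so it is not mistaken for crypto."""
    decoded = decode_if_base64(value)
    note = "base64-encoded, not encrypted" if decoded else "plaintext"
    findings.append((os.path.basename(path), key, decoded or value, note))


def scan_sqlite(path: str, findings: list) -> None:
    """Open the database read-only and dump every secret-named column."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            if not SECRET_KEYS.search(col):
                continue
            for (val,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if isinstance(val, str) and val:
                    record(findings, path, f"{table}.{col}", val)
    conn.close()


def scan_plist(path: str, findings: list) -> None:
    """Top-level plist keys only; nested dictionaries would need a recursive walk."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    for key, val in data.items():
        if SECRET_KEYS.search(key) and isinstance(val, str) and val:
            record(findings, path, key, val)


def scan_log(path: str, findings: list) -> None:
    """Flag key=value / key: value pairs whose key names a credential."""
    pat = re.compile(r"(\w*(?:pass(?:word)?|token|secret)\w*)\s*[=:]\s*(\S+)", re.IGNORECASE)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = pat.search(line)
            if m:
                record(findings, path, m.group(1), m.group(2))


def scan_sandbox(root: str) -> list:
    """Walk `root` and return sorted (file, key, value, note) tuples for every hit."""
    findings: list = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith((".db", ".sqlite")):
                scan_sqlite(path, findings)
            elif name.endswith(".plist"):
                scan_plist(path, findings)
            elif name.endswith((".log", ".txt")):
                scan_log(path, findings)
    return sorted(findings)


def build_sample_sandbox() -> str:
    """Constructed app data directory with the three storage mistakes in it."""
    root = tempfile.mkdtemp(prefix="appdata_")
    db = sqlite3.connect(os.path.join(root, "accounts.db"))
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hunter2')")   # M1: plaintext credential
    db.commit()
    db.close()
    with open(os.path.join(root, "Settings.plist"), "wb") as fh:   # M9/M10: "obfuscated" key
        plistlib.dump({"api_key": base64.b64encode(b"sk_live_example").decode()}, fh)
    with open(os.path.join(root, "app.log"), "w", encoding="utf-8") as fh:  # M8: token in log
        fh.write("INFO login ok user=alice\nDEBUG auth_token=abc123def\n")
    return root


if __name__ == "__main__":
    for hit in scan_sandbox(build_sample_sandbox()):
        print(hit)
```

Run against a real pull of an app's sandbox (adb backup output, an iOS container copied from a jailbroken test device, or an emulator image), the same scan is a cheap regression check to add to the QA list; the keyword regex is deliberately broad and will need trimming per app, and the plist walker only inspects top-level keys.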
Get your resources here!
Resources for QA, Security Managers, and devs
• Fortify’s 7 Ways to Hang Yourself with Android presentation
• Fortify on Demand’s iOS Penetration Testing presentation
• Fortify VulnCat (next slide)
For more information
Visit these demos
• Mobile Device Hacking, DEMO354
• HP Fortify
After the event
• Visit www.hp.com/go/fortify
Session BGL3621, Speaker: HP Bad Guy Lair staff
Thank you