Top 10 ways attackers target your mobile apps · OWASP Mobile Top 10 Risks . M1 – Insecure data...

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Top 10 ways attackers target your mobile apps
Presented from the Bad Guy Lair


Page 1



Page 2


How mobile developers see the mobile world

• Get the username
• Get the password
• Remember the user
• Get sales data
• Edit my account
• Generate reports

Page 3


How an attacker sees the mobile world

• SQL injection
• Cross site scripting
• Improper session handling
• Data leakage
• Sensitive information disclosure
• Weak server-side controls
• Client-side injection
• Insufficient data storage

Page 4


OWASP Mobile Top 10 Risks

Page 5

OWASP Mobile Top 10 Risks

M1 – Insecure data storage
M2 – Weak server side controls
M3 – Insufficient transport layer protection
M4 – Client-side injection
M5 – Poor authorization and authentication
M6 – Improper session handling
M7 – Security decisions via untrusted inputs
M8 – Side channel data leakage
M9 – Broken cryptography
M10 – Sensitive information disclosure

Page 6

OWASP Mobile Top 10 Risks

Where each risk shows up in practice (M1–M5):

M1 – Insecure data storage
• SQLite
• Logging
• Plist files
• Manifest files
• Binary data stores
• SD card storage

M2 – Weak server side controls
• Everything in the OWASP Top 10

M3 – Insufficient transport layer protection
• Insecure SSL encryption
• Unsigned and unforced certificate validation

M4 – Client-side injection
• SQLite injection
• XSS via WebView
• LFI

M5 – Poor authorization and authentication
• Poor password complexity
• Account disclosure via Login or Forgot Password

Page 7

OWASP Mobile Top 10 Risks

Where each risk shows up in practice (M6–M10):

M6 – Improper session handling
• Indefinite sessions
• Weak cookie “hashing”
• Home rolled session management
• Using phone ID as part of session

M7 – Security decisions via untrusted inputs
• Inter-process communication
• Android intents
• iOS URL schemes

M8 – Side channel data leakage
• Keystroke logging
• Screenshot caching
• Logs
• Temp files

M9 – Broken cryptography
• Bad crypto
• Encoding/obfuscation/serialization != encryption

M10 – Sensitive information disclosure
• Hardcoded secrets!
• API keys, server-side database passwords, etc.
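The M6 bullets (indefinite sessions, weak cookie “hashing”, home rolled session management, phone ID as part of the session) name a pattern without showing the fix. The Python below is an added example, not code from the HP deck: it contrasts a deterministic cookie derived from the phone ID with a random, expiring, server-side session; all function names and the sample device ID are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def weak_session_token(device_id: str, username: str) -> str:
    """The home-rolled pattern: a deterministic 'hash' of phone ID + user.
    Anyone who learns the device ID and username (both routinely exposed via
    logs, IPC or the app binary) can recompute the cookie without logging in."""
    return hashlib.sha1(f"{device_id}:{username}".encode()).hexdigest()


class SessionStore:
    """Server-side sessions: random tokens, constant-time lookup, hard expiry."""

    def __init__(self, ttl_seconds: int = 15 * 60) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, username: str, now: Optional[float] = None) -> str:
        # 256 bits from the OS CSPRNG: nothing about the user or device is
        # derivable from the token, so it cannot be predicted or recomputed.
        token = secrets.token_urlsafe(32)
        start = time.time() if now is None else now
        self._sessions[token] = (username, start + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a live token, or None (expired or unknown)."""
        now = time.time() if now is None else now
        for stored, (user, expires) in list(self._sessions.items()):
            if hmac.compare_digest(stored.encode(), token.encode()):  # constant time
                if now > expires:  # hard expiry: no indefinite sessions
                    del self._sessions[stored]
                    return None
                return user
        return None


def demo() -> bool:
    device_id = "deadbeef-constructed-android-id"  # constructed sample value
    forged = weak_session_token(device_id, "alice")  # recomputed from leaked inputs
    predictable = forged == weak_session_token(device_id, "alice")
    store = SessionStore(ttl_seconds=60)
    t0 = 1_000_000.0
    tok = store.create("alice", now=t0)
    alive = store.lookup(tok, now=t0 + 30) == "alice"
    expired = store.lookup(tok, now=t0 + 61) is None
    unguessable = store.lookup(secrets.token_urlsafe(32), now=t0) is None
    return predictable and alive and expired and unguessable
```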

Page 8


What’s the real world perspective? OWASP Mobile Top 10 is important, but are these seen in the wild?

Page 9


Case study

120 mobile applications tested for a single enterprise customer

• 234 unique vulnerabilities
• 66% of apps contained a critical or high vulnerability that either:
  – Disclosed 1 or more users’ personal data
  – Compromised the backend system

[Chart: number of findings by severity (Critical, High, Medium, Low, Informational); y-axis 0–90]

Page 10


Two more scary case studies

Page 11


Automotive case study

1. Found developer name during binary analysis
2. Was no longer with company
3. Checked Github
4. Had all source available for apps
5. Mobile and backend
6. Led to complete compromise of server

Client attacks – Critical info disclosure – Binary analysis

Page 12


Industrial case study

1. Application protected by voice password
2. Password checked server side
3. File was stored locally
4. Retrieved the file from the file system
5. Played the file back to itself
6. Gained access

Client attacks – Security bypass – Runtime attacks – Sensitive file artifact – File system analysis

Page 13


Some ways to avoid the mistakes

Page 14


Some secure mobile development advice

• Remember that mobile sites face the Internet as well; obscurity != security
• Start with risk profiling and exposure (deployed apps)
• Give developers guidance and resources
• Don’t store it (PII) at all if you don’t need to
• Deploy a contract that enforces coding based on secure mobile dev standards when using 3rd party dev teams
• Mobile Device Management (MDM) is not a substitute for secure code
• Finally, don’t be intimidated by “mobile;” the same fundamentals are still in play

Page 15


Test all the things!

Hit all 3 mobile tiers

Client
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management

Network
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage

Server
• SQLi
• XSS
• LFI
• Authentication
• Session Management
• Logic Flaws

Page 16


Get your resources here!

Page 17


Resources for QA, Security Managers, and devs

• Fortify’s 7 Ways to Hang Yourself with Android Presentation
• Fortify on Demand’s iOS Penetration Testing Presentation
• Fortify VulnCat (next slide)

Page 18

Page 19


For more information

Visit these demos

• Mobile Device Hacking, DEMO354
• HP Fortify

After the event

• Visit www.hp.com/go/fortify

Your feedback is important to us. Please take a few minutes to complete the session survey.

Page 20


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session: BGL3621
Speaker: HP Bad Guy Lair staff

Please give me your feedback

Page 21


Thank you

Page 22
