Top 7 Mobile App Attacks and How to Prevent Them
Chris Harget - Product Marketing
Sameer Dixit - Managed Services
Agenda
Cenzic, Inc. - Confidential, All Rights Reserved.
Enterprise Mobile App Trends
Top Mobile App Attacks
How To Be Safer
Mobile App Factoids
~14 Billion tablet-app downloads in 2013 [1]
~82 Billion smartphone-app downloads in 2013 [2]
Average US smartphone user has 41 apps and spends 39 minutes/day using them [3]
91% of apps free, only 9% paid for – Gartner 2012
1. ABI Research March 2013 prediction
2. Portio Research March 2013 forecast
3. Nielsen, http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html
Mobile User Service Options
Mobile-Optimized Web Sites:
– HTML5 gives some cross-platform capability
– No install, convenient for low-usage apps
– Works with standard vulnerability scanning
Native Mobile Apps:
– Native container => tighter integration
– More user commitment required to begin
– Requires mobile-specific vulnerability scanning
Mobile App Space Less Mature
Fewer security experts than on Web apps
Development practices often leave out security
New kinds of data to secure (GPS, camera, Microphone, Texts, International calling)
Mobile App Security Is Harder
Mobile devices are less physically secure
Mobile traffic more likely to be visible to others
– Through the air
Mobile Apps For Customers
Shopping App
Rewards Programs, Coupons
Games/Marketing
Account Management
Mobile Apps For Employees
Email, Calendar, Contacts, Tasks
Salesforce.com
Order Entry
Quoting Tool
Field Support
Inventory Tracking
Point of Sale
Field Enablement
Approvals
Collaboration
Mobile Apps For Partners
Order Entry
Order Tracking
Technical Support
Inventory Availability
Lead Referral
Product Catalogue
Price List
Enterprise Mobile Apps Trends
Give free apps to prospects/customers for acquisition/retention
– The share of app revenue from in-app purchases will grow from 10% in 2011 to 41% in 2016 - Gartner
By 2016, 25% of enterprises will have private app stores – Gartner, April 2013
– Reduce risk from BYOD (Bring Your Own Device)
Mobile Apps often funded/developed by business units, not IT
Enterprise Mobile App Dev. Costs
54% of apps cost $25K-$100K.
Enterprise Mobile App Update Frequency
80% of Respondents update mobile apps at least 2x/year. – http://www.anypresence.com/Mobile_Readiness_Report_2013.php
Summing Up Trends
Enterprises developing apps for many reasons
Data and brand exposure increasing rapidly
Mobile app security practices generally inadequate
Top 7 Mobile App Attacks
1. Exploiting Unencrypted Data
Sensitive plist, xml and sqlite files
E.g., Last logged in user, address,
usernames, GPS coordinates,
photos, videos etc.
Stored passwords
2. Excessive Access Privileges
• Some apps unnecessarily grant access to user’s Phone Directory, Calendar, GPS, Camera, Microphone, etc.
• => Theft of corporate info, fraud, and violation of privacy
3. Exploiting Inputs That Are Not Validated
• SQL Injection
• XML Bombs
• Cross-Site Scripting
4. Session Left Active When App Exited
• Poor Session Management
• User closes app, but is not logged out of server
• Attacker may pick up session and steal data, funds or merchandise
5. Insecure Transmission
• GET request for Username, Account Number, GPS coordinates, Device UDID, User Info, etc. …Sent In The Clear!
• Mobile traffic more likely to be visible to others than wired traffic
6. Parameter Manipulation in Mobile Web Services
“Parameter Manipulation in REST Services”
• E.g., …/id/1234
• change to …/id/3456/
• Gives access to another ID’s account
7. Lack of Automated Lockouts
• Unlike Web apps, most mobile apps don’t implement lockout capability after 3, 5 or 10 failed login attempts.
• PIN or password is often cached on the mobile device
• If someone gets control of your phone or tablet, they may be able to brute-force hack your app passwords without the server ever knowing
Mobile App Attacks In Action…
LIVE HACK I – Unencrypted Data Storage
LIVE HACK II - Insecure Data Transmission
A Few…
1. Encrypt Data Storage
• Encrypt sensitive plist, xml and sqlite files that contain information such as last logged in user, address, usernames, GPS coordinates, photos and videos etc.
2. Restrict Access Privileges
Restrict granting excess permissions and privileges to the application on the device.
Example: Disallow Update Access to user’s phone Directory, Calendar, GPS, Camera, Microphone etc.
3. Validate Inputs
Ensure that application validates all inputs, both at client and server side, to avoid issues such as XSS, SQL, XML Bomb, information disclosure etc.
4. Manage Sessions Assertively
In a native client server mobile application, always invalidate the session after logout, both at the client and at the server side.
5. Use POST Request For Sensitive Data
Use an encrypted POST request rather than GET for sensitive information such as Username, Account Number, GPS coordinates, Device UDID, and Address etc.
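The reason the deck prefers POST over GET is that query strings are copied into access logs, proxy caches and browser histories. As an added example that is not part of the original deck, the detector below scans constructed access-log lines for GET requests whose query string carries the fields the slide names (the parameter names in SENSITIVE_PARAMS are assumed spellings):

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names matching the fields the slide lists as sent in the clear (assumed spellings).
SENSITIVE_PARAMS = {"username", "user", "password", "account", "account_number", "accountnumber",
                    "lat", "lon", "latitude", "longitude", "udid", "deviceid", "address"}

# Common Log Format: client ident authuser [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_sensitive_get_params(log_lines):
    """Return (client_ip, path, [sensitive param names]) for each GET whose query string
    carries sensitive fields. POST bodies never appear in the log line, so they are not flagged."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("path"))
        if not parts.query:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        hits = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
        if hits:
            findings.append((m.group("ip"), parts.path, hits))
    return findings


# Constructed sample access-log lines (not from the deck or any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2013:10:01:02 +0000] "GET /api/login?username=alice&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Jun/2013:10:01:09 +0000] "GET /api/location?lat=37.33&lon=-122.03&udid=ABCDEF HTTP/1.1" 200 88',
    '10.0.0.7 - - [12/Jun/2013:10:02:00 +0000] "POST /api/login HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jun/2013:10:02:30 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, path, hits in find_sensitive_get_params(SAMPLE_LOG):
        print(f"{ip} {path} leaks {', '.join(hits)} in the URL")
```

Running it over SAMPLE_LOG flags only the two GET requests; the POST login carries the same credentials without writing them into the log.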
6. Encrypt REST Parameters
• Obfuscate session-related info
• Use strict session management policies with tighter authorization boundary and privileges
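The following is an added example, not code from the deck or from Cenzic, covering item 4 (invalidate the session at the server on logout) and item 6 (a tighter authorization boundary so that editing …/id/1234 to …/id/3456 yields nothing). The account table, session store and handler names are constructed for illustration; the unguessable session token plays the role of the “obfuscated session-related info” the slide mentions, but it is the ownership check that stops the id swap.

```python
import secrets

# Constructed sample data: account records keyed by the numeric id that appears in the REST path.
ACCOUNTS = {
    1234: {"owner": "alice", "balance": 100},
    3456: {"owner": "bob", "balance": 250},
}

# Server-side session store: session id -> username. Logout deletes the entry, so a session
# left behind on a closed app cannot be picked up and reused later.
SESSIONS = {}


def login(username):
    """Issue a random, unguessable session id for a user who has already authenticated."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def logout(sid):
    """Invalidate at the server, not only in the client (item 4)."""
    SESSIONS.pop(sid, None)


def get_account_vulnerable(sid, account_id):
    """The pattern behind attack 6: only checks that *a* session exists, then returns any id asked for."""
    if sid not in SESSIONS:
        return None, 401
    return ACCOUNTS.get(account_id), 200


def get_account(sid, account_id):
    """Hardened handler: the session must be live and the record must belong to that session's user."""
    user = SESSIONS.get(sid)
    if user is None:
        return None, 401  # unknown, expired or logged-out session
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        return None, 404  # same answer for a foreign id and a missing id: no enumeration signal
    return record, 200
```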
7. Use Automated Lockouts
• If a mobile app login fails 5-10x in a row, lockout in some fashion, flag activity in app and server logs, etc.
• Lock the application for a period of time to avoid brute-force hacks
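An added example, not from the deck, of the server-side half of item 7: a counter that locks an account after five consecutive failures, refuses even a correct password while locked, and records flag entries for the app and server logs. The class name, thresholds and injectable clock are choices made here for illustration.

```python
import time


class LoginGuard:
    """Tracks consecutive failed logins per username and enforces a timed lockout (assumed design)."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests do not have to wait out the lockout
        self.failures = {}            # username -> consecutive failure count
        self.locked_until = {}        # username -> timestamp when the lock expires
        self.events = []              # flag entries to forward to app and server logs

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:     # lockout expired: clear it and start counting afresh
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def attempt(self, username, password_ok):
        """Return 'locked', 'ok' or 'failed'. The lock is checked before the password is considered,
        so a guess made during the lockout neither succeeds nor reveals whether it was right."""
        if self.is_locked(username):
            self.events.append(f"LOCKED attempt for {username}")
            return "locked"
        if password_ok:
            self.failures[username] = 0
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        self.events.append(f"FAILED login {count}/{self.max_failures} for {username}")
        if count >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            self.events.append(f"LOCKOUT {username} for {self.lockout_seconds}s")
            return "locked"
        return "failed"
```

Because the count lives on the server, the guessing the slide describes on a stolen phone shows up in server logs instead of staying invisible.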
Cenzic Can Help
• Cenzic is a leading provider of Mobile Application Scanning Services
• 10+ Years
• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
• Cenzic experts conduct business logic and forensic analysis of mobile apps
Customers Rate Cenzic Higher
• 2013 Gartner surveyed App Security Testing Customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!
Complete Enterprise Security by Cenzic (diagram: Enterprise Application Security across App Development, Pre-production & Production, and Partner / Supply Chain)
Application Security for Web, Web Services & Mobile
+1.408.429-7400