Addressing the OWASP Mobile Security Threats using Xamarin

Date post: 21-Mar-2017
Upload: alec-tucker
Page 1: Addressing the OWASP Mobile Security Threats using Xamarin

Page 2

Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker, White Clarke Group, @alecdtucker

Page 3

Intro to Standards

How can you prove to an enterprise client that your apps are secure?

What boxes might a security conscious client require you to tick to comply with policy?

What are the industry guidelines for app security?

Page 4

The Open Web Application Security Project

OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

OWASP Top 10 for Mobile 2014 / 2016
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

OWASP Application Security Verification Standard (ASVS) v3.0
https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf
Chapter 17 covers mobile

Page 5

OWASP Top 10 for Mobile 2014

M1 – Weak server side controls

M2 – Insecure data storage on the device

M3 – Insufficient transport layer protection

M4 – Unintended data leakage

M5 – Poor authentication and authorization

M6 – Broken cryptography

M7 – Client side injection

M8 – Security decisions via untrusted inputs

M9 – Improper session handling

M10 – Lack of binary protection

Page 6

OWASP Top 10 for Mobile 2016 RC

M1 – Improper Platform Usage

M2 – Insecure Data Storage

M3 – Insecure Communication

M4 – Insecure Authentication

M5 – Insufficient Cryptography

M6 – Insecure Authorization

M7 – Client Code Quality

M8 – Code Tampering

M9 – Reverse Engineering

M10 – Extraneous Functionality

Page 7

2014 vs 2016 RC

2014                                          | 2016 RC
----------------------------------------------|--------------------------------
M1 – Weak server side controls                | M1 – Improper Platform Usage
M2 – Insecure data storage on the device      | M2 – Insecure Data Storage
M3 – Insufficient transport layer protection  | M3 – Insecure Communication
M4 – Unintended data leakage                  | M4 – Insecure Authentication
M5 – Poor authentication and authorization    | M5 – Insufficient Cryptography
M6 – Broken cryptography                      | M6 – Insecure Authorization
M7 – Client side injection                    | M7 – Client Code Quality
M8 – Security decisions via untrusted inputs  | M8 – Code Tampering
M9 – Improper session handling                | M9 – Reverse Engineering
M10 – Lack of binary protection               | M10 – Extraneous Functionality

Page 8

Why do common breaches still occur?

• Rush to release
• Insufficient testing
• Malware-infected apps and devices
• Lower security budgets for mobile apps
• Lack of expertise
• Lack of policies
Source: Ponemon Institute, https://www.ponemon.org/news-2/64

• Assumption that the OS covers all security requirements
• Weaknesses due to cross-platform development and compilation
Source: OWASP docs

Page 9

M1 – Improper Platform Usage

Misuse of a platform feature or failure to use platform security controls

• Violation of published guidelines
• Violation of convention or common practice
• Unintentional misuse
• Includes requesting too many permissions, or the wrong permissions

Example: usesClearTextTraffic on Android, API 23+ (the manifest attribute is android:usesCleartextTraffic; it defaults to true until the app targets API 28, where the default becomes false, and as the following slides show only some network components enforce it)

Page 10

M1 – Improper Platform Usage

Page 11

Exposing usesClearTextTraffic in Xamarin

    using Services;
    using Xamarin.Forms;

    // Registers the Android implementation with the Xamarin.Forms DependencyService
    [assembly: Dependency(typeof(M1.Droid.NetworkSecurityPolicyService_Droid))]
    namespace M1.Droid
    {
        public class NetworkSecurityPolicyService_Droid : INetworkPolicyService
        {
            public NetworkSecurityPolicyService_Droid() { }

            // Surfaces the platform's own answer (API 23+) to the shared code
            public bool isClearTextTrafficPermitted()
            {
                return Android.Security.NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted;
            }
        }
    }

Page 12

Checking usesClearTextTraffic in Xamarin

    // "Dishonour": WebClient is part of the managed networking stack, so it
    // never consults the platform policy and will fetch an http: URL regardless
    public async Task<string> DownloadContentDishonour(string url)
    {
        WebClient client = new WebClient();
        return await client.DownloadStringTaskAsync(url);
    }

Page 13

Checking usesClearTextTraffic in Xamarin

    // "Honour": ask the platform first and refuse plain http: when the policy
    // forbids it. networkPolicyService is the INetworkPolicyService resolved
    // through DependencyService; it is null on platforms with no implementation.
    public async Task<string> DownloadContentHonour(string url)
    {
        if (networkPolicyService != null
            && url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !networkPolicyService.isClearTextTrafficPermitted())
        {
            throw new InvalidOperationException(
                "Clear text network requests are not permitted");
        }

        WebClient client = new WebClient();
        return await client.DownloadStringTaskAsync(url);
    }

Page 14

M1 – Improper Platform Usage - Components

…that honour usesClearTextTraffic
• DownloadManager
• MediaPlayer
• SocketHandler
• Java.* / Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components
• Some third party libraries
  • OkHttp
  • ModernHttpClient

…that dishonour usesClearTextTraffic
• Android.WebKit.WebView
• Java.* / Android.* UDP and TCP connections
• Any related low-level network stacks
• All managed networking components

Sydney Mobile .Net (Xamarin) Developers
http://www.meetup.com/SydneyMobileDotNetDevelopers/

Page 15

M2 – Insecure Data Storage

This covers two of the 2014 top 10 risks:

2014 M2 – Insecure Data Storage
• SQL databases
• Log files
• XML datastores / manifest files
• Binary data stores
• SD card
• Cloud sync’d folders

2014 M4 – Unintended Data Leakage
• Leaked without developer’s knowledge
• Cached data
• Images – e.g. task switcher
• Key presses
• Logging
• Buffers

Page 16

Blurring the screen during auto-snapshot

    public override void OnResignActivation(UIApplication uiApplication)
    {
        // 1. Take a screenshot
        // 2. Blur it
        // 3. Add the blurred view to the RootViewController.View
        base.OnResignActivation(uiApplication);
    }

    public override void OnActivated(UIApplication uiApplication)
    {
        // 4. Remove the blurred view, if there is one
        base.OnActivated(uiApplication);
    }

Page 17

Blurring the screen during auto-snapshot

    // 1. Take a screenshot
    UIView view = UIApplication.SharedApplication.KeyWindow.RootViewController.View;
    UIGraphics.BeginImageContext(view.Frame.Size);
    view.DrawViewHierarchy(view.Frame, true);
    UIImage image = UIGraphics.GetImageFromCurrentImageContext();
    UIGraphics.EndImageContext();

Page 18

Blurring the screen during auto-snapshot

    // 2. Blur it
    UIImage newImage = null;
    using (var inputImage = new CoreImage.CIImage(image))
    {
        using (var blur = new CoreImage.CIGaussianBlur())
        {
            blur.Image = inputImage;
            blur.Radius = 25f;

            using (var outputImage = blur.OutputImage)
            {
                using (var context = CoreImage.CIContext.FromOptions(
                    new CoreImage.CIContextOptions() { UseSoftwareRenderer = false }))
                {
                    // A Gaussian blur grows the output extent, so crop the
                    // rendered result back to the original image bounds
                    using (var cgImage = context.CreateCGImage(outputImage,
                        new System.Drawing.RectangleF(
                            new System.Drawing.PointF(0, 0),
                            new System.Drawing.SizeF((float)image.Size.Width, (float)image.Size.Height))))
                    {
                        newImage = UIImage.FromImage(cgImage);
                    }
                }
            }
        }
    }

Page 19

Blurring the screen during auto-snapshot

    // 3. Add the blurred view to the RootViewController.View
    view.AddSubview(new UIImageView(newImage));

    // 4. Remove the blurred view, if there is one
    // (assumes the blurred UIImageView is still the last subview that was added)
    int lastIndex = UIApplication.SharedApplication.KeyWindow
        .RootViewController.View.Subviews.GetUpperBound(0);
    if (lastIndex > 0)
    {
        UIApplication.SharedApplication.KeyWindow
            .RootViewController.View.Subviews[lastIndex]
            .RemoveFromSuperview();
    }

Page 20

M2 – Insecure Data Storage

iOS Developer Cheat Sheet
- https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet
- Small amounts of sensitive data should go in the Keychain
- Recommends usage of a third party encryption API “not encumbered by inherent weaknesses in Apple’s encryption”
- Singles out SQLCipher
- Key management then becomes critical (see M5)
- https://www.owasp.org/index.php/Key_Management_Cheat_Sheet

Windows 10 Mobile Security Guide
- https://technet.microsoft.com/en-us/library/mt674915(v=vs.85).aspx

Page 21

M3 – Insecure Communication

This covers:
• Poor handshaking
• Incorrect SSL versions
• Weak negotiation
• Cleartext communication of sensitive assets *
• SSL certificate validity

* Sensitive assets can include things like the IMEI and other hardware addresses. Some jurisdictions consider these to be private data that must be given the same privacy treatment as a phone number or home address.

Page 22

Checking certificate validity – iOS / Android

    System.Net.ServicePointManager.ServerCertificateValidationCallback +=
        ((sender, certificate, chain, sslPolicyErrors) =>
    {
        // Accept only when the platform's chain validation passed AND the
        // certificate's hash is in the app's pinned set (validCertificates:
        // a collection of hash strings populated elsewhere)
        return sslPolicyErrors == System.Net.Security.SslPolicyErrors.None
            && validCertificates.Contains(certificate.GetCertHashString());
    });

Page 23

M4 – Insecure Authentication

In general, follow the same rules as a web app for authentication, i.e. if porting a web app, it should not be possible to authenticate with fewer auth factors than in the web browser.

Never use a device identifier (UDID, IP, MAC address, IMEI) to identify a user or a session. Remember that some jurisdictions treat these as personal data.

Page 24

M4 – Insecure Authentication

Avoid out-of-band authentication tokens being sent to the same device as the user is using to log in (e.g. SMS to phone).
http://www.smh.com.au/technology/consumer-security/malware-hijacks-big-four-australian-banks-apps-steals-twofactor-sms-codes-20160309-gnf528.html

Page 25

M5 – Insufficient Cryptography
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

• Only store sensitive data that you need
• Use strong approved authenticated encryption
• Store a one-way and salted value of passwords
• Ensure that the cryptographic protection remains secure even if access controls fail
• Ensure that any secret key is protected from unauthorised access
• Follow applicable regulations on use of cryptography
• PCLCrypto component

Page 26

M5 – Insufficient Cryptography

Use of hardware information in key: SQLCipher advice
- What’s unacceptable is to use this in its entirety and nothing else
- They propose it’s acceptable to use it as a portion of a key, but point out that it’s critical that at least a portion of the key is both:
  - Entered by the user
  - Never stored on the device

https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
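One way to put the Zetetic advice into code, added as an example and not taken from the slides or from SQLCipher itself: the user-entered passphrase is mandatory and never persisted, while the on-device portion is a random per-install secret held in the platform keystore (swapped in here for hardware identifiers, behind a hypothetical ISecureStore abstraction). It assumes a runtime that offers the HashAlgorithmName overload of Rfc2898DeriveBytes (.NET Framework 4.7.2, .NET Core 2.0 or later).

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the slides: a SQLCipher key built the way the Zetetic
// advice requires. The user-entered passphrase is mandatory and never written
// to storage; a per-install random component kept in the platform keystore
// (Keychain / Android Keystore, behind the hypothetical ISecureStore) is the
// portion that lives on the device, used here instead of hardware identifiers.
public interface ISecureStore
{
    byte[] Get(string name);            // null when nothing is stored yet
    void Put(string name, byte[] value);
}

public static class DatabaseKeyDerivation
{
    const int Iterations = 100_000;     // PBKDF2 work factor; tune for target devices
    const int KeyBytes = 32;            // SQLCipher raw keys are 256 bits
    const string SaltName = "db-key-device-portion";

    public static byte[] DeriveKey(string userPassphrase, ISecureStore store)
    {
        if (string.IsNullOrEmpty(userPassphrase))
            throw new ArgumentException("A user-entered passphrase is required.", nameof(userPassphrase));

        // Device-held portion: 32 random bytes generated once per install. On its
        // own it is useless without the passphrase, and the passphrase alone does
        // not unlock a database file copied off the device.
        byte[] devicePortion = store.Get(SaltName);
        if (devicePortion == null)
        {
            devicePortion = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(devicePortion);
            store.Put(SaltName, devicePortion);
        }

        // PBKDF2-HMAC-SHA256 binds both portions; the passphrase stays in memory only.
        using (var kdf = new Rfc2898DeriveBytes(userPassphrase, devicePortion, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(KeyBytes);
    }

    // Supplying a raw key (64 hex chars) tells SQLCipher to skip its own
    // passphrase KDF and use these bytes directly.
    public static string ToSqlCipherKeyPragma(byte[] key)
    {
        if (key.Length != KeyBytes) throw new ArgumentException("Expected a 32-byte key.", nameof(key));
        return "PRAGMA key = \"x'" + BitConverter.ToString(key).Replace("-", "") + "'\";";
    }
}
```

If the keystore entry is lost (device reset, keystore wipe) the database can no longer be opened, so decide up front whether that is the behaviour you want or whether the device portion needs a recovery path.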

Page 27

M6 – Insecure Authorization

The app may restrict functions based on the user’s authorization level, but web service endpoints cannot assume this is sufficient.

The classic finding is a server implicitly trusting the mobile code to only generate requests appropriate to the user’s privilege level. Of course this cannot be assumed of a compromised app.

Page 28

M7 – Client Code Quality

- Is Your App Secure? - Kerry Lothrop, Thursday
- Think Like a Hacker - Sam Rehman & Lou Crocker, Wednesday

Page 29

M8 – Code Tampering

    private bool IsJailBroken()
    {
        // On iOS 9+ CanOpenUrl returns false for any scheme not listed under
        // LSApplicationQueriesSchemes in Info.plist, so "cydia" must be declared there
        return UIApplication.SharedApplication.CanOpenUrl(
            new NSUrl("cydia://package/com.example.package"));
    }

Page 30

M9 – Reverse Engineering

Page 31

M10 – Extraneous Functionality

Page 32

Where to from here?

[Chart from the Arxan State of Application Security 2016 – Financial Services Report, highlighting Insecure Communication (2014 M3 / 2016 M3) and Reverse Engineering (2014 M10 / 2016 M9)]

Remembering…

Page 33

Where to from here?

• OWASP ASVS
• PCI standards
• If you don’t have a security policy, reference these standards
• If you do have a security policy, check it against these standards
• If you’re writing or reviewing a security policy, check it against these standards
• Awareness and further research
• Build in house expertise, outsource, bring in specialised security products / consultants
• A combination of the above

http://www.amazon.com/Xamarin-Unleashed-Alec-Tucker/dp/0672337509

Page 34

Thank you / Questions