Date posted: 12-Jul-2015 | Category: Technology | Uploaded by: matt-lacey | Views: 571 | Downloads: 3
OWASP
(The Open Web Application Security Project) Organisation, formed in 2001, with the core aim to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.”
OWASP Mobile Security Project - Top 10 Mobile Risks
Threat of what?
• Identity theft
• Fraud
• Reputation damage
• External policy violation (e.g. PCI compliance)
• Losses (IP or money/business)
https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
http://blog.trendmicro.com/trendlabs-security-intelligence/the-severe-flaw-found-in-certain-file-locker-apps/
http://www.mobileindustryreview.com/2014/08/finextra-ibm-uncovers-android-banking-vulnerability-consumers-turned-off-by-security-fears.html
http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-disaster-for-half-of-android-users/
http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/
http://blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/
Hack Yourself First
“… advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.”
M1 - Weak Server Side Controls
Exploitability: EASY | Impact: SEVERE
Prevalence: COMMON | Detectability: AVERAGE
Weak Server Side Controls
Issues
- Biggest threat surface
- Underpins everything
Actions
- Prioritize
- Review
What data?
• Usernames
• Authentication tokens
• Passwords
• Cookies
• Location data
• UDID/IMEI, device name, network connection name
• Personal Information: DoB, Address, Social, Credit Card Data
• Application data:
  • Stored application logs
  • Debug information
  • Cached application messages
  • Transaction histories
  • Tokens or secrets
Where stored?
• SQLite databases
• Log Files
• Plist Files
• XML Data Stores or Manifest Files
• Binary data stores
• Cookie stores
• SD Card
• Cloud synced
• Temp files
• Cache
Insecure Data Storage
Issues
- Easy access to [potentially] sensitive information
Actions
- Don’t store what isn’t absolutely necessary
- Secure what you store: ProtectedData (.NET), CommonCrypto (iOS), SQLCipher; don't put secrets in NSUserDefaults or NSManagedObject (Core Data); DevicePolicyManager.setStorageEncryption (Android); javax.crypto
M3 - Insufficient Transport Layer Protection
Exploitability: DIFFICULT | Impact: MODERATE
Prevalence: COMMON | Detectability: EASY
https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/SecureNetworking/SecureNetworking.html
Insufficient Transport Layer Protection
Issues
- Eavesdropping leads to data loss, impersonation, privacy issues, etc.
- Reverse engineering of the API / IP
Actions
- Always SSL: trusted CA; long keys
- All connections: your servers and other people's
- Verify the signature
- Encrypt sensitive information before sending
- iOS: watch for setAllowsAnyHTTPSCertificate:forHost: and connection:willSendRequestForAuthenticationChallenge: (both can be used to bypass certificate validation)
- Say NO to org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
Ad providers
http://REDACTED.com/LogAdClick?hostAppId=22099&installationId=4d52233531d145859d0943a70cc428da&controlVersion=2.7.0.2.beta&isTest=False&deviceManufacturer=NOKIA&deviceName=RM-821_eu_euro1_276&deviceFirmwareVersion=1232.2109.1242.1001&deviceHardwareVersion=1.0.0.0&osPlatform=WinCE&osVersion=8.0.9903.0&devPlatform=XAML&deviceId=&userId=&culture=en-GB&uiCulture=en-GB&mobileOperator=EE&connectionType=&scaleFactor=100&adType=&textAdId=0
On device too
• Temp files
• Cached requests
• Key press caches
• Clipboard
• Memory buffers
• HTML/browser caches
• Error report logs in emails
Unintended Data Leakage
Issues
- Data loss and privacy issues
Actions
- Check 3rd party controls and services
- Check what you put on disk
M5 - Poor Authorization and Authentication
Exploitability: EASY | Impact: SEVERE
Prevalence: COMMON | Detectability: EASY
“The value provided for the new password does not meet the length complexity or history requirements of the domain”
REQUEST
POST http://www.naughtybank.com/p/logon HTTP/1.1
device-id: 094618F99-036C5B8A3-064CF990B
device-type: HP Z220 SFF Workstation-OS8.1
encrypt: N
Content-Type: application/json; charset=utf-8
Content-Length: 45
{"username":"mrlacey","password":"P4ssw0rd!"}
RESPONSE
HTTP/1.1 200 OK
Content-Length: 164
Set-Cookie: value1=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/
Set-Cookie: Value2=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/
Set-Cookie: JSESSIONID=0000F22fVkgbL9uis1Xh0N539uY:17XXX4XXXX; Path=/; Secure; HttpOnly
Content-Type: application/json; charset=UTF-8
{"logonInfo":{"mail":"[email protected]","givenName":"Matt","lastName":"Lacey","username":"mrlacey","moduleList":[],"applicationAllowedFlg":true,"ldapPassFlg":true}}
Some modifications made - to protect the guilty!
Poor Authorization and Authentication
Issues
- User privacy; unauthorised access; fraud; data theft
Actions
- Ensure doing on server AND device
- Don’t store on devices
- Limit attempts
- Beware replay attempts
- Use server for really sensitive data
- Device specific
- As complex as backend
- Beware persistence
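As an added example (not from the slides), a check run over a constructed request/response pair modelled on the logon capture above. It flags the transport (M3) and logon (M5) weaknesses that capture shows: a plaintext http:// target, the app's own "encrypt: N" marker, a password in the JSON body, and Set-Cookie headers that lack Secure/HttpOnly. The sample values are placeholders, not the real capture.

```python
import json

# Constructed sample modelled on the logon capture on the slides; values are placeholders.
SAMPLE_REQUEST = ("POST http://www.naughtybank.com/p/logon HTTP/1.1\r\n"
                  "encrypt: N\r\nContent-Type: application/json; charset=utf-8\r\n\r\n"
                  '{"username":"mrlacey","password":"REDACTED"}')
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Set-Cookie: value1=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/\r\n"
                   "Set-Cookie: JSESSIONID=REDACTED; Path=/; Secure; HttpOnly\r\n"
                   "Content-Type: application/json; charset=UTF-8\r\n\r\n"
                   '{"logonInfo":{"username":"mrlacey","ldapPassFlg":true}}')


def parse_message(raw):
    # Split a raw HTTP message into (start line, [(lower-cased name, value)], body).
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in header_lines)]
    return start, headers, body


def audit_logon(request, response):
    # Flags the weaknesses visible in the capture: plaintext scheme, the app's own
    # "encrypt: N" marker, a password in the body, cookies without Secure/HttpOnly.
    findings = []
    start, req_headers, body = parse_message(request)
    parts = start.split(" ")
    if len(parts) > 1 and parts[1].lower().startswith("http://"):
        findings.append("logon sent over plaintext HTTP")
    if any(n == "encrypt" and v.upper() == "N" for n, v in req_headers):
        findings.append("encrypt: N header, body not encrypted by the app")
    try:
        fields = json.loads(body)
    except ValueError:
        fields = {}
    if isinstance(fields, dict) and "password" in fields:
        findings.append("password field present in request body")
    _, resp_headers, _ = parse_message(response)
    for name, value in resp_headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("Secure", "HttpOnly"):
                if flag.lower() not in attrs:
                    findings.append("cookie %s lacks %s flag" % (cookie, flag))
    return findings
```

Note that JSESSIONID, which the capture does set with Secure and HttpOnly, produces no finding; only the two application cookies do.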
Broken Cryptography
Issues
- Privacy violations
- Information theft
- Code theft
- Intellectual property theft
- Reputational damage
Actions
- Don’t write your own
- Salt hashes
- Check you’re not using something deemed broken
- Don’t rely on built-in device encryption of code
Client Side Injection
Issues
- Data loss
- Reputation damage
- System stability
Actions
- Parameterize queries
- Validate input
- Use the system browser, not an embedded web view, if you can
- Review file access: NSFileManager (iOS); webview.getSettings().setAllowFileAccess(false); (Android WebView)
- Review uses of Objective-C format-string APIs: NSLog, [NSString stringWithFormat:], [NSString initWithFormat:], [NSMutableString appendFormat:], [NSAlert informativeTextWithFormat:], [NSPredicate predicateWithFormat:], [NSException format:], NSRunAlertPanel
- Review uses of unsafe C string functions: strcat, strcpy, strncat, strncpy, sprintf, vsprintf, gets, etc.
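As an added example (not from the slides), the "parameterize queries" and "validate input" actions applied to an on-device SQLite store: the weak pattern that pastes caller input into SQL text sits beside the hardened one that allow-lists the value and binds it as a parameter. The table, rows and owner-name format are constructed for the example.

```python
import re
import sqlite3

# Allow-list for the owner field; the format is an assumption for this example.
OWNER_PATTERN = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    # In-memory SQLite store with constructed rows, standing in for an on-device database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)",
                   [("alice", "alice note"), ("bob", "bob secret")])
    return db


def notes_vulnerable(db, owner):
    # Weak pattern: the caller's string becomes part of the SQL text, so quote
    # characters inside it change the query instead of being treated as data.
    query = "SELECT body FROM notes WHERE owner = '%s'" % owner
    return [row[0] for row in db.execute(query)]


def is_valid_owner(owner):
    return OWNER_PATTERN.fullmatch(owner) is not None


def notes_hardened(db, owner):
    # Hardened pattern: reject anything outside the allow-list, then bind the value
    # as a parameter so SQLite never parses it as SQL.
    if not is_valid_owner(owner):
        raise ValueError("invalid owner")
    rows = db.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]
```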
M8 - Security Decisions Via Untrusted Inputs
Exploitability: EASY | Impact: SEVERE
Prevalence: COMMON | Detectability: EASY
Security Decisions Via Untrusted Inputs
Issues
- User privacy
- Unauthorised access
- Fraud
- Information theft
- Business interruption
Actions
- Don’t trust input arriving via handleOpenURL: / application:openURL:sourceApplication:annotation:
- Whitelist callers and actions
M9 - Improper Session Handling
Exploitability: EASY | Impact: SEVERE
Prevalence: COMMON | Detectability: EASY
Recommended timeout guidelines
• 15 mins for high security applications
• 30 mins for medium security applications
• 1 hour for low security applications
Improper Session Handling
Issues
- Data loss
- User privacy
- Unauthorised access
- Fraud
- Information theft
- Business interruption
Actions
- Invalidate on server
- Timeout
- Don’t reuse tokens
- Rotate cookies
- Generate tokens securely
- Detect attacks
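As an added example (not from the slides), a server-side session store that puts the M9 actions together: tokens come from a CSPRNG, idle timeouts follow the 15/30/60 minute guidelines above, a session can be rotated (old token dies) and invalidated on the server, and lookups use a constant-time comparison. The tier names and the clock injection are assumptions for this example.

```python
import hmac
import secrets
import time

# Idle timeouts from the slide's guidelines (seconds); tier names are assumed.
TIMEOUTS = {"high": 15 * 60, "medium": 30 * 60, "low": 60 * 60}


class SessionStore:
    # Server-side session table: the device only ever holds the opaque token,
    # and the server decides when it stops being valid.
    def __init__(self, tier, clock=time.time):
        self.idle_limit = TIMEOUTS[tier]
        self.clock = clock          # injectable for testing
        self.sessions = {}          # token -> (user, last_seen)

    def create(self, user):
        # CSPRNG token, never derived from username, device id or time.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.clock())
        return token

    def validate(self, token):
        # Return the user for a live session, or None. A hit refreshes last_seen;
        # a session idle past the tier's limit is invalidated on the server.
        entry = self._lookup(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self.clock() - last_seen > self.idle_limit:
            self.invalidate(token)
            return None
        self.sessions[token] = (user, self.clock())
        return user

    def rotate(self, token):
        # Fresh token after login or a privilege change; the old one dies with it.
        entry = self._lookup(token)
        if entry is None:
            return None
        self.invalidate(token)
        return self.create(entry[0])

    def invalidate(self, token):
        self.sessions.pop(token, None)

    def _lookup(self, token):
        # Constant-time comparison so lookups don't leak how much of a token matched.
        for stored, entry in self.sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return entry
        return None
```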
M10 - Lack of Binary Protections
Exploitability: MEDIUM | Impact: SEVERE
Prevalence: COMMON | Detectability: EASY
Lack of Binary Protections
Issues
- Loss of IP
- Loss of secrets
Actions
- Consider obfuscation (ProGuard)
- Sign and strong name
- Tamper detection