Page 1: Mobile App Security and Payments
Feb 08, 2012

Overview of mobile app security issues and mitigation strategies

Page 2: What's different about mobile?

© 2012 viaForensics | viaForensics Proprietary

Key security challenges for mobile devices

• The app runs natively on a consumer device which, unlike corporate desktops or web servers, is out of your control
• There is an increased likelihood that an attacker has physical access to a customer's device and data, making previously low risks much higher
• You are now responsible for patching and deploying updates to customers (vs. browser-based apps)
• Traditional security techniques are useful, but more advanced ones are needed to secure mobile


Page 4: appWatchdog findings (July 2011)

Our recent security study of 100 mobile apps found a high number of issues in current mobile apps. appWatchdog only uses about 10% of our appSecure techniques.

Results per check (100 apps):
• Usernames: found (76), not found (24)
• Passwords: pass (90), fail (10)
• App data: pass (31), warn (38), fail (31)

Page 5: Case study: Google Wallet

First widely available mobile NFC device in the US

• Google took security seriously, but there are shortcomings
• Analysis of the device after usage revealed nearly all data except the full 16-digit CC number and CCV:
  • Balance, limits, amount due, due date, transaction dates/locations
  • Name, expiration date, last 4 digits and email account
  • When GW is reset by the user, the data remained
• Follow-up research has shown the PIN is recoverable
• We haven't really even tested the NFC implementation yet
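The appWatchdog results and the Google Wallet findings above both come from checking what an app actually leaves on the handset. The following is an added example of such an audit, written for this edit and not taken from viaForensics or appWatchdog: it walks an extracted app data directory, flattens SQLite databases to text, and reports card numbers (Luhn-checked and masked), email addresses and credential-like key/value pairs. The sample directory it builds is constructed, and the regexes are heuristics rather than a complete classifier.

```python
import os, re, sqlite3, tempfile
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digit card numbers, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SECRET_RE = re.compile(r'(?i)\b(password|passwd|pin|cvv|ccv)\b[^\w\n]{0,5}([^\s"\'<>,]{3,})')  # key=value

def luhn_ok(digits):
    """Luhn checksum, so timestamps and ids are not reported as card numbers."""
    doubled = [int(c) * 2 for c in digits[-2::-2]]   # every second digit from the right
    total = sum(int(c) for c in digits[-1::-2]) + sum(d - 9 if d > 9 else d for d in doubled)
    return total % 10 == 0

def scan_text(source, text):
    """Return (source, kind, evidence) tuples; card numbers are masked to the last 4 digits."""
    hits = [(source, "email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [(source, "secret:" + m.group(1).lower(), "<redacted>") for m in SECRET_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((source, "card_number", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def dump_sqlite(path):
    """Flatten every row of every table to text so the same patterns apply to databases."""
    con = sqlite3.connect(path)
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    rows = [" ".join(map(str, r)) for n in names for r in con.execute('SELECT * FROM "%s"' % n.replace('"', '""'))]
    con.close()
    return "\n".join(rows)

def audit_app_data(root):
    """Walk an extracted app data directory (shared_prefs, databases, cache) and report leaks."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            is_db = open(path, "rb").read(16).startswith(b"SQLite format 3")
            text = dump_sqlite(path) if is_db else open(path, errors="ignore").read()
            findings += scan_text(os.path.relpath(path, root).replace(os.sep, "/"), text)
    return findings

def build_sample_dir():
    """Constructed sample of what a careless wallet app might leave behind (not real data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs")); os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "wallet.xml"), "w") as f:
        f.write('<map><string name="email">jane@example.com</string>\n<string name="password">'
                'hunter2</string>\n<string name="card">4111 1111 1111 1111</string></map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "cards.db"))
    con.execute("CREATE TABLE cards(name TEXT, last4 TEXT, expiry TEXT, balance REAL)")
    con.execute("INSERT INTO cards VALUES ('Jane Doe', '1111', '12/14', 250.75)")
    con.commit(); con.close()
    return root
```

Run `audit_app_data(build_sample_dir())`: the preferences file yields three findings (masked card number, email, password key), while the database holding only name, last 4 and expiry yields none, which is the distinction the Google Wallet analysis draws.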

Page 6: Cyber criminals - overview

Motivation and approach for cyber criminals

• Highly skilled attackers
• Sophisticated tools available to them
• Your app, by definition, must be publicly available
• They can download and test your app extensively
• A few days of work can yield millions or more in return
• They only have to succeed once

Page 7: Three types of cyber attacks / crimes

Espionage
• Goal: compromise classified materials
• Approach: highly sophisticated and targeted
• Impact: Severe, threat to security
• Prevention: Complex, expensive

Corporate Theft
• Goal: Steal trade secrets, IP and more
• Approach: Sophisticated, sometimes targeted
• Impact: High, financial or R&D loss
• Prevention: Strong security & policies

Consumer/Identity Theft
• Goal: Financial theft, identity theft
• Approach: Trivial to sophisticated, rarely targeted
• Impact: Individual, large groups
• Prevention: secure mobile development

Page 9: Three types of mobile apps (+1 emerging)

Mobile website
• Deploys on many platforms
• Most challenging to secure
• Overall, least expensive to develop

Wrapper app
• Quickest "native" app to develop
• Some challenging security issues
• Hybrid approach, inherits good and bad traits

Native apps
• Offers greatest security
• Potential to provide highest usability
• Most expensive to develop

* HTML5 is an emerging standard but too early to evaluate security and usability

Page 10: How to secure mobile apps?

Advice from the trenches

• Train your developers for secure mobile development
• Consider strategies which eliminate (or at least limit) poor choices users might make
• Avoid caching data; if needed, use encryption
• Audit your mobile apps

44 Best Practices and counting

1. Storing sensitive data on the device should be avoided
2. Caching app data on the device should be avoided
3. Avoid use of query string for sensitive data
4. Input from client
5. Code obfuscations
6. Address Space Layout Randomization
7. Avoid simple logic
8. Beware of keyboard cache
9. Fully validate SSL/TLS
10. Thoroughly test third-party libraries
11. Crash logs
12. Geolocation
13. Avoid cached application snapshots
14. Keychain
15. Secure data storage
16. Copy/Paste
17. Debug Logs
18. UUID
19. Tamper checking
20. Implement enhanced / 2-factor auth
21. Protect application settings
22. Hide Account Numbers
23. Prevent caching of username but still provide saved username
24. Use SECURE setting for Cookies
25. Prevent decryption of encrypted app data
26. Institute Local Session Timeout
27. Difficulties in secure deletion of data
28. Avoid use of MEID as user identifier
29. Android File Permissions
30. Android Intents
31. Android Activities
32. Android Broadcasts
33. Android Pending Intents
34. Android Services
35. Android Intent Sniffing
36. Android Content Providers
37. Avoid storing cached camera images (i.e. check deposits) – Android solution
38. Protect against SSLStrip
39. Webserver: check session settings
40. Prevent Framing and Clickjacking
41. Webserver configuration
42. SSL Configuration
43. Protect from XSRF with a form token
44. Protect and pen test web services

Page 11: Thoughtful questions for dev team

What if the development team says, "We're on it"?

• How do you ensure and validate that no sensitive data is stored on the mobile device?
• What steps do you take to validate that the SSL and authentication implementations are secure against MITM exploits?
• What is in your code when it gets released to the public?
• How do you ensure that host validation works, to protect clients from phishing via host spoofing?
• How much time is spent security regression testing applications, compared to functional testing?
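For the two questions on MITM resistance and host validation, here is an added example (written for this edit, not from the deck) of what "host validation works" means in code: the permissive verifier an audit should flag, next to a strict matcher and a hardened client TLS context. It assumes the certificate's subjectAltName entries have already been extracted as strings, for instance from `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
import ssl

def permissive_verifier(cert_names, hostname):
    """The anti-pattern an audit should flag: it accepts any certificate for any
    host, so a man-in-the-middle holding any certificate passes the check."""
    return True

def hostname_matches(cert_names, hostname):
    """Strict match of the host the app connected to against the certificate's
    subjectAltName entries (dNSName strings and iPAddress literals), RFC 6125 style:
    case-insensitive whole-name comparison (no substring or prefix matching); a
    wildcard must be the entire leftmost label, never spans a dot, and needs at
    least two fixed labels to its right."""
    host = hostname.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for name in cert_names:
        name = name.rstrip(".").lower()
        if ip is not None:                   # IP literals compare as addresses, never via wildcards
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                pass
            continue
        if "*" not in name:
            if name == host:
                return True
            continue
        labels = name.split(".")
        if labels[0] != "*" or "*" in name[1:] or len(labels) < 3:
            continue                         # rejects f*o.example.com, *.*.example.com and *.com
        host_labels = host.split(".")
        if len(host_labels) == len(labels) and host_labels[0] and host_labels[1:] == labels[1:]:
            return True
    return False

def strict_client_context():
    """TLS client settings for the app side: system CA store, certificate required,
    hostname checked, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

A regression test that feeds `hostname_matches` look-alike names (evil-example.com, example.com.attacker.test, a.b.example.com against *.example.com) is the kind of check the question above is asking the team to keep in their suite.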

Page 12: Who is responsible for mobile security?

The responsibility for mobile security is shared between:

• Mobile operating system developers
• Users/consumers
• Enterprises/App Developers (YOU) (but don't trust the users to make the correct choice or the OS developers to get it correct out of the box)

Page 13: Contact Us

Andrew Hoog, CIO
[email protected]
http://viaforensics.com
Main Office: 1000 Lake St, Suite 203, Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281

