www.nvisium.com
Jack ManninoAnand Vemuri
Mobile Application Security
June 25, 2015
www.nvisium.com
About Us• Jack Mannino
• CEO at nVisium
• UI and UX development impaired
• Enjoys: Scala, Elixir
• Tolerates: Java
• Allergic To: Cats, Pollen, .NET
• Anand Vemuri• AppSec Consultant at nVisium
• Tech Junkie, JavaScript Ninja Wannabe
• Software Dev-turned-Hacker
• Bamboo Flute Player
www.nvisium.com
Disclaimer: Mobile device management (MDM) is not mobile application security.
www.nvisium.com
What is Mobile Security?
• Access
• Privacy
• Safety
“Apps are built for users, so as developers we must ensure that users are not compromised…”
www.nvisium.com
What’s the big deal?
• Integration with many other services• IoT
• Wearables
• Payments
• Other API’s
www.nvisium.com
Mobile Architectures and Attack Surface
www.nvisium.com
Mobile Architectures and Attack Surface
www.nvisium.com
Mobile Architectures and Attack Surface
www.nvisium.com
Secure Communications
• Not Just HTTP• Other protocols
• NFC
• Bluetooth/Bluetooth LE
• Issues related to• Ignoring certificate
exceptions
• Trusting all certificates
• Fallback to plain text
• Improper key exchange
• Weak algorithms/ciphers
www.nvisium.com
• Registration Authorities validate user identity
• Certificate Authority verifies and issues certificate
• Validation Authority validates certificate
Public Key Infrastructure
www.nvisium.com
Self-Signed Certs• User can sign the cert
by themselves.• If apps accept self-
signed certs then attackers can execute SSL MITM attacks.
www.nvisium.com
Demo: MITM
www.nvisium.com
Certificate Pinning• “Pin” the client-certificate known to be used to the server• Removes CA from the equation• Prevents against Self-Signed Cert attacks• Significantly reduces threat of rogue certs
*Note: If you are pentesting apps with cert pinning you can use iOS Kill Switch or Android’s SSL bypass tool. Use at your own risk! https://github.com/iSECPartners/ios-ssl-kill-switchhttps://github.com/iSECPartners/android-ssl-bypass
www.nvisium.com
Securing Communications
• Disable HTTP endpoints and avoid falling back to plain-text• If a request over TLS fails,
kill the socket, don’t default back to HTTP.
• Don’t use self-signed certs just because “it’s easier”
• Use Certificate Pinning• Perfect Forward Secrecy• Use HSTS, use TLS, avoid SSL
www.nvisium.com
Data Storage and Privacy• Sensitive Info
○ Shared Preferences○ SQLite○ Storage Access Framework○ Logs, caches, temp files, etc.
• Privacy○ What to collect
○ Who to share it with
○ Ask for consent■ http://www.coppa.org/
■ https://www.ftc.gov/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission
www.nvisium.com
Storing Sensitive Information• Avoid storing sensitive
information in SQLite or Shared Preferences
• Attackers can trivially dump these databases
• If sensitive data must be stored on a client device, then the data store should be properly encrypted
• External Storage has weaker permissions.
https://www.zetetic.net/sqlcipher/
www.nvisium.com
Privacy• Collect only whatever
data is needed for the app• Do you know what gets
sent to your ad and analytics services?
• Children’s online privacy protection act http://www.coppa.org/
www.nvisium.com
Privacy
www.nvisium.com
Privacy
www.nvisium.com
Demo: Insecure Data Storage
www.nvisium.com
Encryption• Encryption
○ Symmetric/Asymmetric Encryption
■ weak hashing
■ weak algorithms and ciphers (ECB etc)
○ Key Storage
■ Keystore
■ ephemeral
■ (bad) hardcode or store
○ Hardware-Backed Storage
•
•
www.nvisium.com
Encryption
www.nvisium.com
Authentication• To a device
○ pin/password
○ biometrics, Smart Unlock
• To the local application○ local passcode
• To a remote service○ username/password
○ certificates
○ 3rd party provider/API
www.nvisium.com
Remote Authentication• Correct: Users should
properly authenticate to the application and be granted a session token.
• Incorrect: Your imagination is the limit.
• Identity management is complicated
www.nvisium.com
Authorization : Insecure Direct Object Reference
• Common Web Vulnerability
• OWASP A4
• Backend service does not restrict references to restricted resources.
www.nvisium.com
App-To-App Authorization
• Permissions - required to use certain APIs or components
• Intent filter - Specifies the criteria for Intents it accepts based on the intent’s action, data, category etc.
• Exported By Default - Android Studio exports Services and Broadcast Receivers by default
• Malicious apps can leverage misconfigured permissions to abuse components within other apps
www.nvisium.com
Demo: Abusing Broadcast Receivers
www.nvisium.com
Conclusions
• Secure all communications!○ Certificate Pinning
• Store your data securely○ Encrypt any sensitive data on client.
• Respect User Privacy• AuthN & AuthZ
○ Permissions & Identity
• “Don’t trust users!”
www.nvisium.com
Thank You
Jack Mannino, CEO of nVisium○ Twitter: @jack_mannino○ Linkedin:https://www.linkedin.com/pub/jack-
mannino/7/2b7/562
○ Blog: https://blog.nvisium.com/
Anand Vemuri, AppSec Consultant at nVisium○ Linkedin:https://www.linkedin.com/pub/anand-
vemuri/58/15/348
○ Twitter: @brownhat57○ Blog: http://brownhat57.blogspot.com