Mobile Application Security Sharing Session
May 2013
PwC
Agenda
Introduction of speakers
Mobile Application Security – Trends and Challenges
5 Key Focus Areas for a mobile application assessment
Introduction of speakers
Felix Kan (Senior Consultant, PwC)
• PwC Global Mobile Core Team
• Certified Ethical Hacker (CEH)
Mobile application security
Trends and Challenges
Trends and Challenges: Overall
Device
• Security features
• Mobile device management
• Use case in business contexts
Network
• Communication security
• Protocols
• Cellular carriers’ offerings
Applications
• Security design
• Secure coding
• Data protection
• Mobile application protection
Trends and Challenges: Applications
• Offline access to data
• Anti-virus / malware
• Device compromise detections
• Social media apps
• Hidden (premium) features
Offline storage – Why?
Trends
• Business applications enable business intelligence reports and store corporate data and credentials
• Presentations can be edited offline
The Challenges
• Remote wipe?
• Identity thefts, data leakage
Why anti-malware? Why malware? Is it working?
• Security
• Code signature
• Approval process
• Compensation
• Sandbox design
Bouncer, an in-house malware discovery tool of Google, could be bypassed by malware that “plays dead” for 5 min.
JB detection – Why?
• Reduce attack surface
• Application integrity
Trends / The Challenges
• Hacking tools can be downloaded to get around the JB detection and other validation logic (e.g., in-app purchase)
Self-destructing media – Why?
• For fun
• Private communications
Trends
• More sophisticated options are available for self-destructing communications (e.g., encryption)
The Challenges
• Traceability
• Data leakage
Hidden features – Why?
• Revenue
• Hacking activities
Trends
• Back doors are not uncommon in mobile; premium features are locked unless users have paid
The Challenges
• Identity thefts
• Data leakage
Challenges
A Chicago-based digital forensics company (viaForensics) performed a 2010-2011 assessment and discovered the following mobile statistics (based on a sample size of 100 mobile apps):
• 76% of Android and iOS apps store usernames in clear text on mobile devices
• 10% of Android and iOS apps store passwords in clear text on mobile devices
Source: http://www.digitaltrends.com/mobile/viaforensics-10-pct-of-ios-android-apps-store-clear-text-passwords/
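A check that answers the question behind these figures for an app under assessment: the script below is an example added to this page, not part of the PwC material or of any vendor tool. It walks an extracted Android private data directory (SharedPreferences XML files and SQLite databases) and reports keys and columns whose names suggest an account identifier or a secret and whose values are stored in clear text. The sample data directory, the key-name patterns, and the rule that a long hex or base64 blob counts as a hash or ciphertext rather than clear text are assumptions made for the example.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that usually hold secrets (high) or account identifiers (medium).
HIGH_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token|session|credential", re.I)
MEDIUM_KEY = re.compile(r"user(name)?|login|email", re.I)
# Assumption: a long hex digest or base64 blob is a hash/ciphertext, not clear text.
OPAQUE_VALUE = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{40,}={0,2})$")


def severity(key):
    if HIGH_KEY.search(key):
        return "high"
    if MEDIUM_KEY.search(key):
        return "medium"
    return None


def is_clear_text(value):
    value = (value or "").strip()
    return bool(value) and not OPAQUE_VALUE.match(value)


def scan_shared_prefs(path):
    """Android SharedPreferences XML: <map><string name="k">v</string>...</map>."""
    findings = []
    for elem in ET.parse(path).getroot():
        key = elem.get("name", "")
        sev = severity(key)
        if sev and is_clear_text(elem.text):
            findings.append((sev, os.path.basename(path), key))
    return findings


def scan_sqlite(path):
    """Report table.column pairs with a sensitive name that hold clear-text rows."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                sev = severity(col)
                if not sev:
                    continue
                rows = con.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
                if any(is_clear_text(str(r[0])) for r in rows if r[0] is not None):
                    findings.append((sev, os.path.basename(path), f"{table}.{col}"))
    finally:
        con.close()
    return findings


def scan_app_data(root):
    """Walk an app's private data directory and collect clear-text findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".xml"):
                findings.extend(scan_shared_prefs(path))
            elif name.endswith(".db"):
                findings.extend(scan_sqlite(path))
    return sorted(findings)


def build_sample_app_data(root):
    """Constructed sample data directory (not taken from any real app)."""
    prefs = os.path.join(root, "shared_prefs")
    dbs = os.path.join(root, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    with open(os.path.join(prefs, "auth.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                '<map>\n'
                '  <string name="username">alice@example.com</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <string name="theme">dark</string>\n'
                '</map>\n')
    with open(os.path.join(prefs, "vault.xml"), "w") as f:
        # A stored hash (64 hex chars) is opaque and is not reported.
        f.write('<map><string name="password_hash">' + "ab" * 32 + '</string></map>')
    con = sqlite3.connect(os.path.join(dbs, "accounts.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, login TEXT, password TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'Pa55word')")
    con.commit()
    con.close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_app_data(root)
        return scan_app_data(root)


if __name__ == "__main__":
    for sev, source, key in demo():
        print(f"[{sev}] {source}: {key}")
```

Run against a real extraction (adb backup, a rooted device, or a forensic image), the same walk turns up the 76%/10% cases above; the opaque-value rule is deliberately crude, so a hit still needs a manual look at how the app actually derives and protects the value.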
The Importance of Application Security
“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defences follow suit?”
[Chart: Application/Service Layer, OS/Platform Layer, Exploits Known Vulnerability (segments 39%, 23%, 18%, 5%, 15%)]
Source: Verizon Data Breach Investigations Report 2011
Trends and Challenges: Device
• Enhanced security features on device
• QR reader
• Device tracking
• Data forensics
Jailbreak: Why?
• Free apps
• Awesome utilities
Jailbreak: So?
• Identity thefts
• Data leakage
And the demand: a JB tool was installed on 4M devices, by US and China users
Similarly, on Android…
• Free apps
• Awesome utilities
Additionally…
• Performance
• Security features
• Bloatware
Fundamentally…
• 580% increase of malware in 2012
• Data on SD card can be stolen
• Full disk encryption is not available
• Enhanced security features on device
• QR reader
• Device tracking
• Finger print detection (rumoured)
“QRishing”: Phishing with QR code
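QRishing works because the user sees a square of pixels rather than a URL, and most reader apps hand the decoded payload straight to the browser or dialler. The function below is an added example, not from the original deck, of the triage a hardened reader (or an assessment harness fed with decoded codes) can run on the payload before acting on it: plain http, userinfo tricks, raw IP hosts, homoglyph or punycode labels, shorteners, and lookalikes of the organisation's own domains. The trusted domain list, the shortener list and the sample payloads are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains the organisation legitimately puts in its own QR codes (assumption for the example).
TRUSTED_DOMAINS = {"example-bank.com"}
# Public shorteners: the printed code gives the victim no way to see the real destination.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
# Schemes a reader may hand to another app, causing a call/SMS/install rather than a page view.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent"}


def registrable_domain(host):
    """Last two labels of the host (adequate here; a real tool uses the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload):
    """Return warnings for a decoded QR payload; an empty list means nothing suspicious."""
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        warnings.append(f"non-web action scheme '{scheme}': confirm with the user before acting")
        return warnings
    if scheme not in ("http", "https"):
        return warnings  # plain text, vCard, WIFI: ... resolve to nothing on their own
    if scheme == "http":
        warnings.append("plain http: destination and content can be altered in transit")

    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://example-bank.com@evil.example/ shows the brand first and lands elsewhere
        warnings.append(f"userinfo '{parts.username}' in URL hides the real host {host}")
    if is_ip_literal(host):
        warnings.append(f"raw IP address {host} instead of a hostname")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ASCII or punycode label: possible homoglyph domain")
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host:
                warnings.append(f"lookalike of trusted domain {trusted}: {host}")
                break
    return warnings


# Constructed sample payloads (not taken from any real campaign).
SAMPLE_PAYLOADS = [
    "https://example-bank.com/pay?id=42",
    "http://example-bank.com.verify-login.net/secure",
    "https://bit.ly/3abcd",
    "https://example-bank.com@198.51.100.7/login",
    "tel:+18005550100",
    "WIFI:T:WPA;S:guest;P:secret;;",
]


def triage(payloads=SAMPLE_PAYLOADS):
    return {p: inspect_qr_payload(p) for p in payloads}


if __name__ == "__main__":
    for payload, warnings in triage().items():
        print(payload, "->", warnings or ["ok"])
```

The reader-side fix that matters most is simply showing the decoded URL (scheme and host included) and asking before opening it; the checks above decide whether that prompt should be a plain confirmation or a warning.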
iOS 6
• More granular privacy controls
• From UDID to IDFA (Identifier for Advertising)
Mobile device management
• GPS tracking
Apps gathering your PII
Trends and ChallengesDevice
May 2013
Android
• Multiple tools available: XTC clip
• File extractions in recovery mode (yes, bypassing the device passcode)
• Boot into “HBOOT” mode and run “fastboot” command
iOS
• Data recovery for deleted files (passcode required)
Forensic on smart phones
19
Mobile application security
5 Key Focus Areas for a mobile application assessment
5 Key Focus Areas
• Security strategy
• Defined mobile security platform architecture
• Software development life cycle
• Application provisioning
• Application security assessment
Security across mobility requires an examination of the various layers across the mobile ecosystem
[Diagram: layered view of the mobile ecosystem. Spanning all layers: Security strategy and governance; Policies, standards, and procedures; Mobile security platform architecture.]
• Users
• Mobile Devices* (* Mobile Devices include Smartphones, tablets and supporting devices)
• Channels / Applications: Browser (WAP / HTML 5), SMS, Email client, Native clients (App), Voice, IM, USSD, RIA, Java ME, Mobile virtualization solution
• Network: LAN connectivity (Bluetooth, WiFi, RFID / NFC, WPA, 802.22, 802.1x); WAN connectivity (2G / 3G / 4G / LTE); Protocols (SSL / TLS)
• DMZ: Web Publishing Server, MDM Gateway Server, Public API, Mobile Middleware
• Enterprise: Application servers, Email / domain servers, Data, Applications, MDM / MEAP servers, Content management servers, Web services, OTA sync, Directory servers, Core back-office platforms (e.g. ERP), Business services & integration (CRM, Financial, Inventory management, Sales, P2P), Secure API, Secure SOA, Other content
Pain points of secure application development process
In order to satisfy market demand and reap the benefits of mobile technology, organizations often push these applications to production without considering security imperatives. The questions below are often present in client environments as they implement mobile solutions.
Data Classification
• What is the sensitivity of the data that will be accessed by the mobile applications?
Sufficient Risk Assessments
• What are the potential consequences that an application data breach may have on the organization?
Aligning Security Controls with Risk Appetite
• What regulatory requirements exist for relevant sensitive data?
• What security controls should be implemented in accordance with regulations and risk appetite?
While many traditional web application vulnerabilities remain present in the mobile environment, mobile-specific challenges must also be addressed.
Insecure Data Storage
• Does the business case require storage of data on the device?
• Can the application function locally and without server connectivity?
• Is all stored data sufficiently encrypted?
Application Reverse Engineering
• Can attackers access the application flow and create duplicates?
• Can attackers reverse engineer the application to circumvent security controls?
Via OWASP Top 10 Mobile Risks v1.0
Considerations – Summary
Mobile Application SDLC Components: Developers, Architecture, Infrastructure, Security Management
Mobile Application Security Considerations:
• Mobile security controls should be considered throughout every step of the SDLC to enhance secure development.
• Mobile application developers along with Infrastructure and Information Security personnel should consider implementing controls of the following domains as deemed appropriate by risk.
Considerations – Developers
• Storage
• Authentication
• Authorization
• Session Management
• Audit / Logging
• Memory
• Miscellaneous
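For the Authentication and Session Management items, the snippet below is an added example, not from the original deck, of server-side session handling for a mobile client: the device holds only an opaque random token, the server stores a hash of it rather than the token itself, sessions expire on both idle and absolute timeouts, a token presented from a different device is revoked rather than honoured, and the token is rotated after a privilege change. The timeout values, the device-id binding and the demo scenario are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity (assumed policy)


def _key(token):
    # Store only a hash: a dump of the session table must not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Server-side session table; the mobile client only ever holds the opaque token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._sessions = {}          # sha256(token) -> record

    def issue(self, user, device_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or UDID
        now = self._clock()
        self._sessions[_key(token)] = {
            "user": user, "device": device_id, "created": now, "last_seen": now}
        return token

    def validate(self, token, device_id):
        """Return the user for a live session, or None (and drop the session) otherwise."""
        key = _key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        if not hmac.compare_digest(rec["device"].encode(), device_id.encode()):
            # Token replayed from another device: treat as theft and kill the session.
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, token, device_id):
        """Issue a fresh token and retire the old one (after login step-up, password change, ...)."""
        user = self.validate(token, device_id)
        if user is None:
            return None
        del self._sessions[_key(token)]
        return self.issue(user, device_id)

    def revoke(self, token):
        return self._sessions.pop(_key(token), None) is not None


class FakeClock:
    """Deterministic clock for the demo."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(clock)
    results = {}

    tok = store.issue("alice", "device-A")
    results["valid"] = store.validate(tok, "device-A")           # "alice"
    results["other_device"] = store.validate(tok, "device-B")    # None: replay from elsewhere
    results["after_replay"] = store.validate(tok, "device-A")    # None: session was killed

    tok = store.issue("alice", "device-A")
    clock.advance(IDLE_TIMEOUT + 1)
    results["idle_expired"] = store.validate(tok, "device-A")    # None

    tok = store.issue("alice", "device-A")
    clock.advance(IDLE_TIMEOUT - 60)
    results["still_active"] = store.validate(tok, "device-A")    # "alice": activity refreshed it
    new_tok = store.rotate(tok, "device-A")
    results["old_after_rotate"] = store.validate(tok, "device-A")      # None
    results["new_after_rotate"] = store.validate(new_tok, "device-A")  # "alice"
    results["guess"] = store.validate("not-a-real-token", "device-A")  # None
    store.revoke(new_tok)
    results["revoked"] = store.validate(new_tok, "device-A")           # None
    return results
```

The device binding is only as strong as the device identifier the client sends; in a real deployment it should be something the server issued to that installation at enrolment, not a value the app reads off the OS and an attacker can copy along with the token.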
Considerations – Architecture
• Security
• Maintainability
• Scalability
• Availability
Considerations – Infrastructure
• Access to Network Resources
• Application Behavior
• Firewalls
Considerations – Security Management
• Privacy Policies
• Risk Assessments
• Application Behavior
Application provisioning
• Mobile Device Management
• Access Control
• Apps Classification
Application security assessment
Model Threats
• Gather prerequisite information about the application and systems supporting the application to develop appropriate testing scenarios
  ─ Identify relevant threats
  ─ Determine applicable testing scenarios and attack vectors
Targeted Automated Scanning
• Perform targeted automated scanning against the mobile application’s web services and input fields for known vulnerabilities.
Advanced Manual Attacks
• Attempt to circumvent mobile application controls
  ─ OWASP top 10 mobile risks
  ─ Native application and web-based attacks
  ─ Network-based attacks
  ─ Privilege escalation
  ─ Identify sensitive data remaining on the device
Remediation Validation
• Conduct retesting of high and medium risk vulnerabilities to ensure defects have been adequately addressed
Mobile Top Ten security risks
Common mobile application flaws published by industry groups, including the Open Web Application Security Project (OWASP) Mobile Top Ten security risks:
1. Insecure or unnecessary client-side data storage
2. Lack of data protection in transit
3. Personal data leakage
4. Failure to protect resources with strong authentication
5. Failure to implement least privilege authorization policy
6. Client-side injection
7. Client-side DOS
8. Malicious third-party code
9. Client-side buffer overflow
10. Failure to apply server-side controls
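Item 2 in practice: the snippet below is an added example, not from the original deck, contrasting the TLS client configuration that makes certificate errors "go away" (and with them any protection against an interception proxy on the coffee-shop WiFi) with a hardened one, and adding leaf-certificate pinning by SHA-256 of the DER certificate. The host, port and pin values passed to connect_pinned are placeholders the caller supplies; the pin helpers are exercised on constructed bytes so the example runs offline.

```python
import hashlib
import hmac
import socket
import ssl


def weak_context():
    """The configuration that 'fixes' certificate errors by switching verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an interceptor's, is accepted
    return ctx


def hardened_context(ca_bundle=None):
    """Verify the chain against a CA bundle, verify the hostname, and refuse TLS < 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verification_enabled(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_pin(der_bytes):
    """Pin = SHA-256 of the DER-encoded leaf certificate (assumed pin format for this example)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, expected_pins):
    """Constant-time comparison against a set of pins (current plus backup)."""
    actual = cert_pin(der_bytes)
    return any(hmac.compare_digest(actual, pin) for pin in expected_pins)


def connect_pinned(host, port, expected_pins, ctx=None):
    """Open a TLS connection and refuse it unless the peer leaf certificate matches a pin.
    host, port and expected_pins are placeholders supplied by the caller."""
    ctx = ctx or hardened_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                          server_hostname=host)
    try:
        leaf_der = tls.getpeercert(binary_form=True)
        if not pin_matches(leaf_der, expected_pins):
            raise ssl.SSLCertVerificationError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-in for a DER certificate; only the pin arithmetic is exercised offline.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x0a-constructed-not-a-real-certificate"
SAMPLE_PINS = {cert_pin(SAMPLE_LEAF_DER), cert_pin(b"backup-certificate-placeholder")}


def demo():
    return {
        "weak_verifies": verification_enabled(weak_context()),
        "hardened_verifies": verification_enabled(hardened_context()),
        "pin_ok": pin_matches(SAMPLE_LEAF_DER, SAMPLE_PINS),
        "pin_rejects_substitute": pin_matches(b"attacker-issued-certificate", SAMPLE_PINS),
    }
```

Pinning the whole leaf certificate means the app breaks on every certificate renewal unless a backup pin is shipped ahead of time, which is why SAMPLE_PINS holds two values; pinning the public key (SPKI) instead survives renewals that keep the same key, at the cost of a little DER parsing not shown here.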
Questions?
This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.