
Mobile pitfalls to avoid: The OWASP Top 10 Mobile Risks

Date post: 19-Jan-2017
Upload: nowsecure
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Transcript

Jon Porter, Solutions Architect

Jordan Zotos, Product Manager

Contents

● Background on NowSecure

● OWASP overview

● 10 mobile pitfalls

● Questions

NowSecure: Forged in mobile from day one

Top engineers and researchers: OSS authors of Radare, Frida, Santoku Linux, and Android VTS

Disclosed the Samsung keyboard vulnerability impacting 650M+ devices worldwide

Regular speaking appearances: Black Hat USA, RSA Conference, OWASP AppSec USA & more

Leading enterprise customers from banking, healthcare, tech, government & more

Founded in Oak Park, IL in 2009, with a strong background in forensics & enterprise security

Our approach to security for mobile development teams:

1 Consistency in both process and testing environment

2 Speed: Provide results quickly, in a form you can easily understand

3 Automate and integrate

Share best practices for secure mobile development

Insecure mobile apps create business risk for enterprises

Starbucks: Thieves siphoned money out of users' accounts using the mobile app (via USA Today)

Ola: India's largest startup, with $1.1B in funding, was hacked to allow unlimited free rides (via The Next Web)

Hulu and Tinder: App vulnerabilities offered access to free premium accounts (via CNBC)

Teams are tasked with deploying apps more frequently

https://blog.newrelic.com/2016/02/04/data-culture-survey-results-faster-deployment/

OWASP background: An international leader in application security

An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

10 Mobile Pitfalls to Avoid

1 Improper Platform Usage

Misuse of a platform feature, or failure to use the security controls the Android or iOS operating system provides. Examples include incorrect use of the iOS keychain and careless use of Android intents (sending sensitive data to, or accepting untrusted data from, any app on the device).
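An added example (not from the NowSecure deck) of the Android intent half of this definition: an implicit broadcast that hands a session token to every app on the device, beside the explicit, package-restricted form, plus validation of the data an exported component receives. The package name, action string and host are illustrative.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

/** Added example, not code from the deck: intent misuse beside the safe form. */
public final class SessionBroadcasts {
    // Illustrative action string; sender and receiver only need to agree on it.
    static final String ACTION_LOGIN_DONE = "com.example.app.LOGIN_DONE";

    /** INSECURE: an implicit broadcast is delivered to every app on the device that
     *  registered a receiver for this action, so the token is handed to anyone. */
    static void announceLoginInsecure(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_LOGIN_DONE);
        i.putExtra("token", sessionToken);
        ctx.sendBroadcast(i);
    }

    /** Hardened: restrict delivery to this package and keep the secret out of the
     *  extras entirely. In-process receivers read the token from app memory; nothing
     *  sensitive crosses the Binder boundary. */
    static void announceLoginSecure(Context ctx) {
        Intent i = new Intent(ACTION_LOGIN_DONE);
        i.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i);
    }

    /** Inbound side: data in an intent received by an exported component is untrusted
     *  input from another app. Validate scheme and host before acting on it. */
    static Uri validatedDeepLink(Intent incoming) {
        Uri data = incoming.getData();
        if (data == null) return null;
        // Only the scheme/host this app actually serves (illustrative values).
        if (!"https".equals(data.getScheme()) || !"app.example.com".equals(data.getHost())) {
            return null;
        }
        return data;
    }
}
```

In the manifest, also set android:exported="false" on every Activity, Service and BroadcastReceiver that other apps have no reason to reach; an exported component is an entry point for any app on the device, whether or not you meant it to be.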

Best practice:

Use the Keychain Carefully

iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted. Read Now

2 Insecure Data Storage

Vulnerabilities that leak personal information stored on the device and give attackers access to it.

10.7% of mobile apps leak private, sensitive data like email, username, or password

NowSecure: 2016 NowSecure Mobile Security Report

Data from testing 400,000 mobile apps

Best practices to securely store mobile data

Implement Secure Data Storage: Read Now

Transmit and display, but do not persist to storage. This requires special attention as well, to ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM and clear it at application close.

Securely Store Sensitive Data in RAM: Read Now

Do not keep sensitive data (e.g., encryption keys) in RAM longer than required.
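An added example (not the deck's own code) of the three points above on Android: the secret lives in a byte array that is zeroed on every lifecycle exit, it is never written into saved instance state, and FLAG_SECURE stops the system from capturing the screen into the recents thumbnail or a screenshot. How the secret arrives from the server is assumed and left out.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;
import java.util.Arrays;

/** Added example: display a secret without ever persisting it. */
public class ShowSecretActivity extends Activity {
    private byte[] secret;   // RAM only; a String cannot be wiped, a byte[] can

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Block screenshots and the recents-screen snapshot (the "analog leak" to disk).
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        // setContentView(...) and view setup omitted; not relevant to the point
    }

    /** Called by whatever fetched the secret (assumed); this activity takes ownership. */
    void showSecret(byte[] fromServer) {
        wipe();
        secret = fromServer.clone();
        // render(secret) omitted
    }

    @Override
    protected void onSaveInstanceState(Bundle out) {
        // Deliberately do NOT put `secret` in the Bundle: the system writes saved
        // state to disk when it kills the process.
        super.onSaveInstanceState(out);
    }

    @Override
    protected void onPause() {
        wipe();   // leaving the foreground: clear before any snapshot or process death
        super.onPause();
    }

    @Override
    protected void onDestroy() {
        wipe();
        super.onDestroy();
    }

    private void wipe() {
        if (secret != null) {
            Arrays.fill(secret, (byte) 0);
            secret = null;
        }
    }
}
```

Wiping in onPause means the value must be fetched again when the user returns, which is the intended trade-off: the window in which the secret exists in memory is as short as the display itself. Clipboard copies and accessibility services are separate leak paths and need their own handling.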

3 Insecure Communication

Insecure communication refers to data being sent in cleartext, as well as other unsafe transport practices such as accepting any server certificate.

SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641)

Best practice:

Fully validate SSL/TLS

An application that does not properly validate its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker.

Read Now
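An added example (not from the deck) of what "fully validate" means in Java on Android or any JVM: the trust-everything TrustManager that causes the problem, beside a wrapper that lets the platform CA store validate the chain, leaves hostname verification on, and then checks a public-key pin on top. The two pin values are placeholders you must replace with the SHA-256 of your own server's SubjectPublicKeyInfo; java.util.Base64 needs API 26, so on older Android use android.util.Base64 with NO_WRAP instead.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: TLS validation done right, beside the common way it is done wrong. */
public final class PinnedTls {

    // The anti-pattern found in many apps. Accepts ANY certificate, so a MITM on
    // hostile Wi-Fi or a compromised carrier reads and rewrites every request.
    static final TrustManager[] TRUST_EVERYTHING = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {}   // no-op = broken
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }};

    /** Base64 SHA-256 of the server's SubjectPublicKeyInfo (the HPKP/OkHttp pin format).
     *  PLACEHOLDERS: compute your own, and always ship a backup pin for key rotation. */
    static final Set<String> PINS = new HashSet<>(Arrays.asList(
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // placeholder primary
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="    // placeholder backup
    ));

    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();          // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** Wraps the platform trust manager: full chain and expiry validation first, then pin. */
    static X509TrustManager pinningTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                 // platform CA store
        final X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a)
                    throws CertificateException {
                platform.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);      // untrusted/expired chains fail here
                try {
                    for (X509Certificate cert : chain) {
                        if (PINS.contains(spkiPin(cert))) return; // any pinned key in the chain
                    }
                } catch (Exception e) {
                    throw new CertificateException(e);
                }
                throw new CertificateException("certificate chain matched no pin");
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }

    static HttpsURLConnection open(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Do NOT call conn.setHostnameVerifier((h, s) -> true). The default verifier
        // checks that the certificate is for this host; disabling it re-opens MITM
        // even with a valid CA-signed certificate for some other domain.
        return conn;
    }
}
```

The wrapper delegates to the platform first on purpose: a pin check alone would still accept an expired or mis-issued certificate whose key happens to match, and it says nothing about the hostname. The SwiftKey update channel in the CVEs above failed earlier still, by not using TLS at all.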

4 Insecure Authentication

Mobile apps need to securely identify a user and maintain that user's identity across the session, especially when the app sends and receives sensitive data such as financial information.

Best practice:

Hide Account Numbers and Use Tokens

Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers.

Read Now
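An added example (not the deck's code) of the "store the partially hidden number" rule: the object the device persists holds a server-issued opaque token and the masked suffix, and the full account number is never retained. The token scheme is assumed; what the server does with it is outside this snippet.

```java
/** Added example: what the device keeps about an account, and nothing more. */
public final class StoredAccount {
    final String token;    // opaque reference issued by the server (assumed API)
    final String masked;   // e.g. "*9881", safe to show in public and to persist

    private StoredAccount(String token, String masked) {
        this.token = token;
        this.masked = masked;
    }

    /** Build from the full number received once from the server; only the masked
     *  form survives in this object, so a dumped database yields no usable number. */
    static StoredAccount from(String serverToken, String fullAccountNumber) {
        return new StoredAccount(serverToken, mask(fullAccountNumber));
    }

    /** "1234567890129881" or "1234 5678 9012 9881" -> "*9881". Inputs too short to
     *  reveal a suffix safely (or with no digits at all) are fully masked rather than
     *  echoed back. */
    static String mask(String accountNumber) {
        if (accountNumber == null) return "****";
        String digits = accountNumber.replaceAll("[^0-9]", "");
        if (digits.length() < 8) return "****";
        return "*" + digits.substring(digits.length() - 4);
    }
}
```

Any operation that genuinely needs the full number (a transfer, a statement) is done server-side, keyed by the token, so the device never has to hold it.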

5 Insufficient Cryptography

The process behind encryption and decryption (how keys are generated, stored and used, which mode and IV are chosen) may allow an attacker to decrypt sensitive data.

The algorithm behind encryption and decryption may itself be weak.
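An added example (not from the deck) of both failure modes in one place on Android: a hard-coded key with AES in ECB mode, which is exactly what a reverse engineer pulls out of the APK and decrypts with, beside AES-GCM under a key that is generated inside the Android Keystore (API 23+) and never enters app memory. The key alias is illustrative.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: weak local encryption beside a sound one. */
public final class LocalCrypto {
    // --- Weak: the key is a string constant (recoverable from the APK), ECB mode
    //     (equal plaintext blocks give equal ciphertext blocks), no integrity check. ---
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes();   // do not do this
    static byte[] encryptWeak(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // --- Hardened: key lives in the Android Keystore and is not exportable; AES-GCM
    //     gives confidentiality plus integrity; a fresh IV per message is generated by
    //     the Keystore and stored in front of the ciphertext. ---
    static final String ALIAS = "local-data-key";   // illustrative alias
    static final int IV_BYTES = 12, TAG_BITS = 128;

    static SecretKey loadOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setRandomizedEncryptionRequired(true)   // Keystore supplies the IV; reuse is refused
                .build());
        return kg.generateKey();
    }

    /** Output layout: [12-byte IV][ciphertext || 16-byte GCM tag]. */
    static byte[] encrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadOrCreateKey());
        byte[] iv = c.getIV();                       // generated by the Keystore
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(byte[] blob) throws Exception {
        if (blob.length < IV_BYTES + TAG_BITS / 8) throw new IllegalArgumentException("truncated");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadOrCreateKey(),
               new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        // Throws AEADBadTagException if the IV, ciphertext or tag were modified.
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }
}
```

Keystore-backed keys are per-installation, so this protects data at rest on the device but cannot replace the server as the place where data must be recoverable; and on devices without hardware-backed keystores the key is still software-protected, which is a property worth checking with KeyInfo.isInsideSecureHardware before relying on it.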

6 Insecure Authorization

Insecure authorization refers to the failure of a server to properly enforce identity and permissions itself, trusting instead what the mobile app claims about the user and their role.
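An added example (not from the deck) of the server side of this, in plain Java without a web framework: a handler for a request such as GET /accounts/{accountId}/statement that decides from a client-supplied user id, beside one that decides only from the server-resolved session. The ownership table is constructed sample data standing in for a database; the Session interface is an assumed abstraction.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: server-side authorization, wrong and right. */
public final class StatementHandler {
    /** Constructed sample data: accountId -> owning userId. A database in reality. */
    static final Map<String, String> OWNER_OF = new HashMap<>();
    static {
        OWNER_OF.put("acct-1001", "user-alice");
        OWNER_OF.put("acct-2002", "user-bob");
    }

    /** INSECURE: trusts the user id the mobile app sent in the request. Any user who
     *  edits the request (an intercepting proxy is enough) reads any account. */
    static boolean canReadInsecure(String userIdFromRequest, String accountId) {
        return userIdFromRequest.equals(OWNER_OF.get(accountId));
    }

    /** Correct: identity comes from the server-side session the bearer token resolves
     *  to; nothing the client says about who it is enters the decision. Unknown and
     *  foreign accounts are denied identically, so responses do not reveal which ids
     *  exist. */
    static boolean canRead(Session session, String accountId) {
        if (session == null || !session.isValid()) return false;
        String owner = OWNER_OF.get(accountId);
        return owner != null && owner.equals(session.userId());
    }

    /** Minimal session abstraction (assumed): populated server-side from the token. */
    interface Session {
        boolean isValid();
        String userId();
    }
}
```

The same rule applies to roles: a "isAdmin=true" field in a request body, a hidden admin flag in the app's settings, or an app-side check that merely hides a button are not authorization. The server must repeat the check on every request it services.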

Best practice:

Implement Proper Web Server Configuration

Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems, because every piece of information attackers can gain from a server makes staging an attack easier.

Read Now

7 Client Code Quality

Risks that come from vulnerabilities like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

Vulnerabilities in the Vitamio SDK

NowSecure: World Writable Code Is Bad, MMMMKAY

Test third-party libraries

Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested; however, issues can and do exist in their code.

Read Now
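An added example (not the deck's code) of the defence against the class of bug named in the Vitamio post above, native code loaded from a location other processes can write to: a loader that refuses anything outside app-private storage, anything not owned by this app's uid, and anything with group or world write bits, before handing the path to System.load. It uses android.system.Os (API 21+). The preferable fix is to ship native libraries inside the APK and never download them; this guard is for the case where a third-party SDK insists on doing so.

```java
import android.content.Context;
import android.os.Process;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.IOException;

/** Added example: load a .so only from a location no other process can modify. */
public final class SafeNativeLoader {
    static void load(Context ctx, File lib) throws ErrnoException, IOException {
        File privateRoot = ctx.getFilesDir().getCanonicalFile();
        File target = lib.getCanonicalFile();          // resolve symlinks before stat/load
        if (!target.getPath().startsWith(privateRoot.getPath() + File.separator))
            throw new SecurityException("library outside app-private storage: " + lib);

        StructStat st = Os.stat(target.getPath());
        if (!OsConstants.S_ISREG(st.st_mode))
            throw new SecurityException("not a regular file: " + lib);
        if (st.st_uid != Process.myUid())
            throw new SecurityException("library not owned by this app: " + lib);
        if ((st.st_mode & (OsConstants.S_IWGRP | OsConstants.S_IWOTH)) != 0)
            throw new SecurityException("library is group/world writable: " + lib);

        System.load(target.getPath());
    }
}
```

There is a stat-then-load window here, but because the directory is app-private only this app's own uid could race it, which is why the location check comes first: a mode check on a file in a world-writable directory (the Vitamio case) proves nothing, since the file can be replaced between the check and the load.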

8 Code Tampering

When attackers modify an app or plant a backdoor in it, re-sign it with their own key, and publish the malicious version to third-party app marketplaces.

Let's talk about PokemonGO

● 50M downloads in 19 days on Android alone

● Within 3 days of initial release, a version carrying the malicious DroidJack software was found on third-party app stores

● A Remote Access Tool (RAT) can open a silent backdoor for hackers

Source: The Hacker News

Best practice:

Implement Anti-Tampering Techniques

Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures and other validation mechanisms to help detect file tampering.

Read Now
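An added example (not from the deck) of the "digital signatures" part of the advice: at startup the app compares the SHA-256 of the certificate it was installed with against the one it was released with. A repackaged copy from a third-party store is necessarily signed by the attacker's key, so the digest differs. The expected digest is a placeholder; compute yours with `apksigner verify --print-certs` or `keytool -printcert -jarfile app.apk`.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Added example: runtime check that the installed APK still carries our signing cert. */
public final class TamperCheck {
    /** PLACEHOLDER hex SHA-256 of the release signing certificate. */
    static final String EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    /** True only if every signing certificate on the installed package matches. */
    static boolean signatureIntact(Context ctx) {
        try {
            @SuppressWarnings("deprecation")   // GET_SIGNATURES; GET_SIGNING_CERTIFICATES on API 28+
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String actual = hex(sha256.digest(sig.toByteArray()));
                if (!EXPECTED_CERT_SHA256.equalsIgnoreCase(actual)) return false;
            }
            return true;
        } catch (Exception e) {
            return false;   // fail closed: an unreadable package record is not "intact"
        }
    }

    /** Secondary, weaker signal: which store installed us. Spoofable, but cheap. */
    static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return "com.android.vending".equals(installer);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Treat this as one layer, not a gate: whoever repackaged the app can also patch out the check, so the result is most useful when it feeds a server-side decision (refusing to issue a session, for instance) rather than a local `if` that is easy to invert.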

9 Reverse Engineering

Reverse engineering refers to the analysis of the final binary to recover its source code, libraries, algorithms, and more.

Best practice:

Increase Code Complexity and Use Obfuscation

Reverse engineering an app gives an attacker valuable insight into how it works. Making the app more complex internally makes it harder for attackers to see how it operates, which can reduce the number of usable attack vectors; it raises the cost of analysis rather than preventing it.

Read Now

10 Extraneous Functionality

Developers frequently include hidden backdoors or internal development-only security controls that they never plan on releasing into production. This creates risk when such a feature, never intended to be shared, ships to the wild anyway.

MediaTek example

● Manufacturer of hardware chips and processors for mobile devices

● A debug tool, opened for carriers to test network connections, was left open on shipped devices

Source: The Hacker News

Best practice:

Carefully Manage Debug Logs

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack.

Read Now
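An added example (not the deck's code) covering both this slide and the MediaTek lesson above, on Android: logging that is compiled out of release builds and redacts secrets even in debug builds, and a QA-only API endpoint override that is guarded by a compile-time constant so the release binary does not merely switch it off but does not contain it. BuildConfig.DEBUG is generated by the Android Gradle plugin in the app's own package; the package and URL are illustrative.

```java
package com.example.app;   // illustrative; BuildConfig is generated in the app's package

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.util.Log;

/** Added example: keep debug-only functionality out of release builds. */
public final class DebugGate {
    private static final String TAG = "App";
    static final String PROD_API = "https://api.example.com/";   // illustrative

    /** Runtime check: true only if the installed APK is marked debuggable. A correctly
     *  built release APK is not, so this catches a debug build shipped by mistake. */
    static boolean isDebuggableBuild(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Log only in debug builds, and never log raw credentials even then. Because
     *  BuildConfig.DEBUG is a compile-time constant, the call is dead code in release. */
    static void d(String msg) {
        if (BuildConfig.DEBUG) Log.d(TAG, redact(msg));
    }

    /** Masks key=value secrets and any long token-looking run of characters. */
    static String redact(String msg) {
        return msg.replaceAll("(?i)(token|password|secret)=\\S+", "$1=[redacted]")
                  .replaceAll("[A-Za-z0-9+/=_-]{32,}", "[redacted]");
    }

    /** The classic leftover backdoor is an endpoint override that lets QA point the app
     *  at a test server. Shipped to production it lets an attacker redirect all traffic.
     *  Guarded by both the compile-time flag (so R8/ProGuard drop the branch) and the
     *  runtime flag (so a leaked debug build on a non-debuggable install still refuses). */
    static String apiBaseUrl(Context ctx) {
        if (BuildConfig.DEBUG && isDebuggableBuild(ctx)) {
            String override = ctx.getSharedPreferences("debug", Context.MODE_PRIVATE)
                                 .getString("api_url", null);
            if (override != null) return override;
        }
        return PROD_API;
    }
}
```

To remove log call sites from the release binary entirely, rather than leaving them guarded, add a ProGuard/R8 rule with `-assumenosideeffects` for android.util.Log's v and d methods; then neither the strings nor the calls survive into what a reverse engineer downloads.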

Contribute to our Github repo

● You can view the repo on Github here: https://github.com/nowsecure/secure-mobile-development

● Our team welcomes additions to benefit the mobile community

Questions?

Connect any time: @NowSecureMobile, www.nowsecure.com

Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices:

books.nowsecure.com/secure-mobile-development/
