Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid

Date post: 15-Jul-2015
Upload: nikola-milosevic
Page 1: Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid

Mobile security and OWASP mobile

Nikola Milošević

@dreadknight011

Page 2

About OWASP

• The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

• Values:
  • OPEN – transparent finances, open source code
  • INNOVATION – encourages experimenting
  • GLOBAL – everyone can contribute
  • INTEGRITY – honest and truthful, vendor neutral, global community

• Over 300 local chapters with at least quarterly meetings
• Over 130 projects
• OWASP chapter in Serbia since 2012

Page 3

About Me

• My name is Nikola Milošević
• OWASP Serbia local chapter founder
• OWASP Manchester local chapter leader
• OWASP Seraphimdroid project leader
• 2014 Google Summer of Code mentor
• OWASP anti-malware project contributor
• Teaching assistant and PhD student at the University of Manchester
• Research: text mining, natural language processing, linked big data, semantic web (a lot of buzzwords)

Page 4

Going mobile

Page 5

Internet of things

Page 6

Security perspective

• Smart means vulnerable
• Main motives: money, processing power

Page 7

Simple example

Page 8

OWASP Mobile project

• Composed of several smaller projects:
  • Top 10 mobile risks
  • Mobile Tools
    • GoatDroid, iGoat
    • Seraphimdroid
    • Damn Vulnerable iOS Application
    • MobiSec
    • ...
  • Mobile Security Testing
  • Mobile Application Threat Model

Page 9

Mobile Top 10

Page 10

1. Weak Server Side Controls

• Everything that a mobile application can do badly that does not take place on the phone
• Unvalidated input affecting the API, web service or web application
• Injections (SQL, XSS, XXE, ...), authentication flaws, session management flaws, access control vulnerabilities, local and remote file includes
• Secure coding and configuration practices must be used on the server side of the mobile application
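As an added illustration of the server-side point (example code, not from the talk or from any OWASP project), the same login lookup is shown twice against an in-memory SQLite table: once with client input pasted into the SQL text, once with input validation and bound parameters. The table, the sample users, and the `USERNAME_RE` pattern are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a backend user table. Real backends
# store password hashes, not passwords; plaintext is used here only so the
# injection behaviour is easy to see.
SAMPLE_USERS = [("alice", "s3cret-A", "user"), ("bob", "s3cret-B", "admin")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Weak server-side control: client-supplied values become part of the SQL text."""
    sql = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


# Input validation: usernames are restricted to a small, known alphabet
# (a constructed policy for this example).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def login_safe(conn, name, password):
    """Same lookup with input validation and a parameterized query.

    The values reach SQLite as bound parameters, so quote characters inside
    them are data, never SQL syntax.
    """
    if not USERNAME_RE.fullmatch(name):
        return []
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run both lookups with one crafted password value.

    Returns (rows from the vulnerable lookup, rows from the safe lookup); the
    vulnerable query matches every row, the safe one matches none.
    """
    conn = make_db()
    crafted = "' OR '1'='1"
    return login_vulnerable(conn, "bob", crafted), login_safe(conn, "bob", crafted)
```

The vulnerable variant ends up executing `... AND password = '' OR '1'='1'`, which is true for every row; the bound-parameter variant compares the literal string and returns nothing. Detection-wise, a login endpoint that suddenly returns multiple rows, or an application log showing quote characters in username fields, is the kind of signal a server-side WAF or query audit should flag.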

Page 11

2. Insecure Data Storage

• Assumption that users or malware will not access the file system
• Sensitive and personal information stored in an insecure format
• Consequences: identity theft, fraud, reputation damage, external policy violation (PCI) or material loss
• Where it happens: SQLite databases, log files, plist files, XML data stores or manifest files, binary data stores, cookie stores, SD card, cloud-synced storage
• Mitigation: do not save the data at all, or protect it with cryptography

Page 12

3. Insufficient Transport Layer Protection

• The application may not use TLS for all client-server communication
• Could be hard to exploit
• Consequences: identity theft, reputation damage, fraud
• Mitigation: use TLS/SSL correctly, do not trust unsigned or self-signed certificates, add an additional layer of encryption for sensitive data, avoid mixed SSL sessions
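To make the mitigation concrete, here is an added Python example (not code from the talk) that contrasts a client TLS context with verification switched off against one that enforces chain validation, hostname checking and a TLS 1.2 floor, plus a certificate-pinning comparison on top of chain validation. The function names and the pinning policy (hashing the whole DER certificate rather than the SPKI) are choices made for this example.

```python
import hashlib
import hmac
import ssl


def insecure_context():
    """The anti-pattern the slide warns about: verification switched off, so a
    self-signed or otherwise untrusted certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the chain against the system trust store, check the hostname,
    and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_policy_compliant(ctx):
    """Return True only if the context enforces all three settings above.
    Useful as a unit test guard so nobody 'temporarily' disables verification."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_pin_matches(cert_der, pinned_sha256_hex):
    """Additional check on top of chain validation: compare the SHA-256 of the
    server's DER certificate (as returned by getpeercert(binary_form=True))
    with a value shipped inside the app. Pinning the whole certificate is the
    simplest form; pinning the public key (SPKI) survives renewals better.
    compare_digest keeps the comparison constant-time."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())
```

In use, wrap the socket with `hardened_context().wrap_socket(sock, server_hostname=host)` and call `cert_pin_matches(tls_sock.getpeercert(binary_form=True), PINNED_HEX)` before sending any application data; that live exchange is not part of the block because it needs a reachable server. The pin value itself must be updated with every certificate rotation, which is the operational cost of pinning.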

Page 13

4. Unintended Data Leakage

• Unintended data leakage occurs when a developer places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device
• Consequences: privacy violations, PCI violations, reputational damage or fraud
• Caused by the way the OS and frameworks cache data, images, key-presses, logging and buffers

Page 14

5. Poor Authorization and Authentication

• Attacks are usually automated
• The adversary bypasses the application and authenticates directly with the back-end server
• Poor or missing authentication schemes allow functionality to be executed within the app or the backend server used by the mobile app
• An authentication failure also exposes authorization
• Mitigation: re-enforce authentication on the server side
• Local integrity checks (see M10)

Page 15

6. Broken Cryptography

• Weak encryption algorithms or flaws within the encryption process
• Consequence: unauthorized retrieval of sensitive information
• The best algorithms don't matter if you mishandle your keys
• Always use modern algorithms that are accepted as strong by the security community

Page 16

7. Client Side Injection

• Results in the execution of malicious code on the mobile device via the mobile app
• Cross-application scripting attacks
• XML, SQL and code injection, XSS
• Mitigation: input validation

Page 17

8. Security Decision via Unstructured Inputs

• Hidden fields and values, or any hidden functionality used to distinguish higher-level users from lower-level users
• Weak implementation of such functionality leads to improper behaviour
• Hooking functionality and IPC as attack vectors
• Mitigation: whitelist of trusted applications, value validation

Page 18

9. Improper Session Handling

• Occurs when the session token is unintentionally shared with the adversary during the transaction
• Causes:
  • Failure to invalidate sessions on the backend
  • Lack of adequate timeout protection
  • Failure to properly rotate cookies
  • Insecure token creation
• Consequence: the adversary can impersonate the user
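The four causes above map onto four operations of a backend session store. Below is an added Python example (not from the talk) of a minimal store that gets each of them right: tokens come from the OS CSPRNG, idle sessions expire, the token is rotated on login or privilege change, and logout removes the server-side record. The class name, the 15-minute `SESSION_TTL` and the injectable clock are choices made for this example.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # idle timeout in seconds; a value chosen for the example


class SessionStore:
    """Server-side session records keyed by an unpredictable token."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._sessions = {}            # token -> {"user": ..., "last_seen": ...}

    def create(self, user):
        """Insecure token creation is avoided: 32 random bytes from secrets,
        never a counter, timestamp or random.random()."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the user for a token, or None if unknown or idle too long.
        Expired records are deleted on the backend, not just ignored."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > SESSION_TTL:
            del self._sessions[token]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, token):
        """Issue a fresh token after login or a privilege change and retire the
        old one, so a token captured earlier stops working."""
        user = self.resolve(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def invalidate(self, token):
        """Logout: remove the record on the backend. A client that merely
        deletes its cookie leaves the session alive for an adversary."""
        self._sessions.pop(token, None)

    def active_count(self):
        return len(self._sessions)
```

A constant-time comparison is not needed for the dictionary lookup because the token is the key and no partial match leaks anything; what matters is that the token has enough entropy and that every path that ends a session deletes the record.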

Page 19

10. Lack of Binary Protection

• A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered and modified by an adversary in rapid fashion
• Controls:
  • Jailbreak detection controls
  • Checksum controls
  • Certificate pinning controls
  • Debugger detection controls
• Protection only slows down the adversary
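As an added example of the checksum control (not code from the talk or from Seraphimdroid), the block below records a digest of each protected file at build time and re-verifies it at run time; `demo()` creates constructed stand-ins for app files in a temporary directory, checks them, appends bytes to one, and checks again. The file names and contents are constructed; the caveat from the slide applies in full, since the manifest and the check live in the same binary and an adversary who can patch the code can patch the check.

```python
import hashlib
import hmac
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relative_paths):
    """Build-time step: record the expected digest of each protected file."""
    return {rel: file_sha256(os.path.join(root, rel)) for rel in relative_paths}


def integrity_ok(root, manifest):
    """Run-time checksum control: every listed file must exist and match.
    compare_digest keeps the comparison constant-time."""
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            return False
        if not hmac.compare_digest(file_sha256(path), expected):
            return False
    return True


def demo():
    """Create constructed 'app files', check them, tamper with one, re-check.
    Returns (result before tampering, result after tampering)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        # Constructed placeholder contents; not real dex or native code.
        files = {
            "classes.dex": b"constructed dex payload",
            "lib/native.so": b"constructed native library",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, list(files))
        before = integrity_ok(root, manifest)
        with open(os.path.join(root, "classes.dex"), "ab") as f:
            f.write(b" + patched")
        after = integrity_ok(root, manifest)
    return before, after
```

On a real device the response to a failed check (refuse to run, report to the backend, or degrade functionality) is a product decision; what the check buys is a signal, and the backend should treat a client that skips or fails it as untrusted rather than relying on the client to police itself.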

Page 20

OWASP Seraphimdroid

• OWASP Seraphimdroid is an Android app
• Features:
  • Privacy protection
  • Anti-theft
  • Dynamic malicious action protection
  • Education and awareness
• Open source

Page 21

OWASP Seraphimdroid

• Development started in 2013 as a Lab project
• First version published after Google Summer of Code 2014
  • Furquan Ahmed: 3 months of full-time student coding
  • Google sponsored with $5500
  • Added 11 500+ lines of code
• Currently an Incubator project
• The OWASP review board gave it a thumbs up

Page 22

OWASP Seraphimdroid

Page 23

Conclusion

• You cannot be 100% safe, but you can make it hard – defense in depth
• Avoid storing sensitive data on the device
• If you have to, encrypt it with a PBE (password-based encryption) master key
• Use anti-debug and anti-reversing measures
• Clear memory after use
• Test on a jailbroken or rooted device – see what the bad guys will see
• Know your data, know your platform, know your tools, and use that knowledge to protect your apps

Page 24

Thank you

@dreadknight011

