OWASPMobile Security Project

Murat Lostar

About me• Murat Lostar

• 1986 – Software development• 1992 – Network and systems • 1998 – Information security

• 2009 – ISACA-Istanbul Founding President• 2013 – Cloud Security Alliance – Turkey Founding

President• Have/had many certifications: Microsoft, Sun, IBM, Cisco, ISACA, ISC2

About my company• Lostar Information Security

• Established in 1998• Appx 15 pax. Two teams

• Technical: Pen tests, technical design, etc• Process: Focus on people and processes

• Based on ISO 27001, ISO 20000, ISO 22301, COBIT, etc• Services only (does not distribute, resell

products)

About OWASP• Open Web Application Security Project

(owasp.org)• Worldwide, not-for-profit• Mission: Make software security visible

• so that individuals and organizations worldwide can make informed decisions about true software security risks

• (All) Materials free and open software license• 36,000+ Participants (worldwide)• Has chapters! (Not yet in Malta)

Why this title?

http://www.cnet.com/news/snapchat-update-to-close-loophole-after-mass-hack/

OWASP Mobile Security Project• Branch of  OWASP• Focused on securing mobile applications• Compiled list of top ten mobile security

threats

• owasp.org/index.php/OWASP_Mobile_Security_Project

Overview (OWASP Mobile Security)

Focus: • Mobile Apps, Server

Side Infrastructures.

Purpose: • Taking precautions on

mobile platform and carrier inherent risks when threat modeling and building controls. Primarily at the application layer.

Target Profile: • Developers.

Scope (OWASP Mobile Security)• Top 10 Mobile Risks• Top 10 Mobile Controls• Mobile Tools• Mobile Cheat Sheet Series• Secure Mobile Development• Mobile Threat Model (BETA)

Top 10 Mobile Risks - Methodology• Exploitability : Taking advantage of a

situation• Prevalence : Commonness• Detectability : Ease of discovery• Impact : Potential effect

• owasp.org/index.php/OWASP_Risk_Rating_Methodology

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

10 Lack of Binary Protections Medium Common Easy Severe

10. Lack of Binary Protections• An adversary could use an automated tool to

reverse engineer the code of application and modify it.

• To prevent lack of binary:• Jailbreak Detection Controls• Checksum Controls• Certificate Pinning Controls• Debugger Detection Controls

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

10 Lack of Binary Protections Medium Common Easy Severe

9 Improper Session Handling Easy Common Easy Severe

9. Improper Session Handling• It’s similar to poor authentication. Once you are

authenticated and given a session, that session allows one access to the application. Therefore, sessions must be protected just as carefully as like authentication mechanism.

• To protect sessions:• Invalidate Sessions on the Backend• Timeout Protection• Properly Rotate Cookies• Secure Token Creation

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

10 Lack of Binary Protections Medium Common Easy Severe

9 Improper Session Handling Easy Common Easy Severe

8Security Decisions Via Untrusted Inputs

Easy Common Easy Severe

8. Security Decisions via Untrusted Inputs• In most cases, mobile applications accept data

from Inter Process Communication (IPC) mechanism.

• In general, should be adhered to the following design patterns:• Restrict access to a trusted applications.• Sensitive actions should require user interaction.• All IPC entries should be validated.• Do not pass any sensitive information through IPC.

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

10 Lack of Binary Protections Medium Common Easy Severe

9 Improper Session Handling Easy Common Easy Severe

8Security Decisions Via Untrusted Inputs

Easy Common Easy Severe

7 Client Side Injection Easy Common Easy Moderate

7. Client Side Injection• Client-side attacks and particularly code injection

at the client, might be the first thing a threat agent try.

• To prevent from injections, see below titles:• SQLite Injection• JavaScript Injection (XSS, etc)• Local File Inclusion• Intent Injection/Fuzzing(Android)

• XML Injection (iOS)

• Format String Injection(iOS)

• Classic C Attacks(iOS)

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

10 Lack of Binary Protections Medium Common Easy Severe

9 Improper Session Handling Easy Common Easy Severe

8Security Decisions Via Untrusted Inputs

Easy Common Easy Severe

7 Client Side Injection Easy Common Easy Moderate

6 Broken Cryptography Easy Common Easy Severe

6. Broken Cryptography• Insecure use of cryptography is common in most

any application that uses encryption. There are several mistakes in this area:• The Creation and Use of Custom Encryption Algorithms• Use of Insecure and/or Deprecated Algorithms• Poor Key Management

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

5Poor Authorization and Authentication

Easy Common Easy Severe

5. Poor AuthZ and AuthN• Authenticating a user locally can lead to client-

side bypass vulnerabilities.• Ensure all authentication requests are performed

server-side.• Persistent authentication should never be

implemented by storing password on the device.

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

5Poor Authorization and Authentication

Easy Common Easy Severe

4 Unintended Data Leakage Easy Common Easy Severe

4. Unintended Data Leakage• This includes all manner of vulnerabilities that

can be introduced by the OS, frameworks, compiler environment, new hardware, etc, all without a developers knowledge.

• It is especially important to discern what a given OS or framework does by default. By identifying this and applying mitigating controls, you can avoid unintended data leakage.

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

5Poor Authorization and Authentication

Easy Common Easy Severe

4 Unintended Data Leakage Easy Common Easy Severe

3Insufficient Transport Layer Protection

Difficult Common Easy Moderate

3. Insufficient Transport Layer Protection• When this data is exchanged it traverses both the

carrier network and the internet. For sensitive data, if the application is coded poorly, threat agents can use techniques to view this sensitive data while it's travelling across the wire.• Enforce the use of SSL/TLS for all transport channels for

sensitive data.• Use valid certificates signed by a trusted CA provider.• Do not send sensitive data over alternate channels, such

as SMS, MMS, or notifications.

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

5Poor Authorization and Authentication

Easy Common Easy Severe

4 Unintended Data Leakage Easy Common Easy Severe

3Insufficient Transport Layer Protection

Difficult Common Easy Moderate

2 Insecure Data Storage Easy Common Average Severe

2. Insecure Data Storage• Lost/stolen or exploit/malware involved phones threat for

this risk.• A malicious agent hooks up an unprotected device to a

computer with commonly available software, and can see sensitive information.

• Never store credentials on the phone file system. • Where storage or caching of information is necessary use

encryption library (CommonCrypto, javax.crypto, setStorageEncryption).

Top 10 Mobile Risks Exploitabili

ty Prevalence Detectability Impact

5Poor Authorization and Authentication

Easy Common Easy Severe

4 Unintended Data Leakage Easy Common Easy Severe

3Insufficient Transport Layer Protection

Difficult Common Easy Moderate

2 Insecure Data Storage Easy Common Average Severe

1 Weak Server Side Controls Easy Common Average Severe

1. Weak Server Side Controls • Including both the application and malicious users

could send insecure data to server.• Weak controls could cause several easy to exploit

vulnerabilities (like server side injection) that are high risk.

• Secure coding and configuration practices must be used on server-side of the mobile application.

Top 10 Mobile Controls10 Avoid / Safely Use

Interpreters 5 Secure Services and Server

9 Secure Application Distro / Update 4 Strong AuthN, AuthZ and

Session Management

8 Protect For Pay Services 3 Protect Data in Transit

7 Collect Consent for Use of User Data 2 Protect Authentication

Credentials

6 Secure 3rd Party Integration 1 ID & Protect Sensitive Data

1. ID & Protect Sensitive Data

Use ‘javax.crypto’ library.Use ‘setStorageEncryption’ API.Avoid using MODE_WORLD_READABLE shared preferences properties.

Use ‘CommonCrypto’ library.Use ‘Keychain’ API.Use SQLcipher for SQLite encryption.Avoid using NSUserDefaults.

• Unsafe sensitive data storage, attacks on decommissioned phones unintentional disclosure.

2. Protect Authentication Credentials• Use the latest versions of the authorization

standards.• Encrypt the tokens in transit (using SSL/TLS).• Be sure, authentication requests are performed

server-side.• If you save password on device, encrypt it and

use key-store mechanisms provided by the mobile OS.

• Ensure passwords and keys are not visible in cache or logs and dont store them inside the binary.

3. Protect Data in Transit• Sensitive data passing through insecure channels

could be intercepted.• Enforce the use of SSL/TLS• Avoid using mixed SSL sessions.• Use certificates signed by trusted CA providers.• Ensure certificates are valid.• SMS, MMS or notifications should not be used to send

sensitive data

4. Strong AuthN, AuthZ and Session Management• Require appropriate strength user authentication to the

application.• Ensure that the session management is handled correctly

after the initial authentication.• Use unpredictable session identifiers with high entropy.• Use context to add security to authentication (IP Location).• Where possible, use additional authentication factors for

giving access to sensitive data or interfaces (voice, fingerprint etc.). 

• Use authentication that ties back to the end user identity.

5. Secure Services and Server• Carry out a specific check for data transferred between the

mobile device and web-server back-ends and other external interfaces.

• Backend services for mobile apps should be tested for vulnerabilities periodically.

• Ensure that the backend platform is running with lastest security patches.

• Ensure adequate logs are retained on the backend.• Employ rate limiting and throttling on a per-user/IP basis.• Test for DoS vulnerabilities.

6. Secure 3rd Party Integration• Data leakage. Users may install applications that

may be malicious and can transmit personal data for malicious purposes.• Vet the security/authenticity of any third party

code/libraries used in your mobile application.• Track all third party frameworks/APIs used in the mobile

application for security patches.• Pay particular attention to validating all data received

from and sent to non-trusted third party apps before processing within the application.

7. Collect Consent for Use of User Data• Unintentional disclosure of personal or private

information, illegal data processing.• Create a privacy policy.• Check whether your application is collecting PII.• Audit communication mechanisms to check for

unintended leaks.• Keep a record of consent to the transfer of PII.

8. Protect For Pay Services• Logs should be protected from unauthorised

access.• Check for anomalous usage patterns in paid-for

resource usage and trigger re-authentication.• Consider using a white-list model by default for

paid-for resource addressing.• Authenticate all API calls to paid-for resources

8. Protect For Pay Services• Ensure that wallet API callbacks do not pass

cleartext account/pricing/ billing/item information.• Warn user and obtain consent for any cost

implications for app behaviour.• Implement best practices to minimize signalling

load on base stations.

9. Secure Application Distro / Update• Applications must be designed and provisioned to

allow updates for security patches.• Most app-stores monitor apps for insecure code

and are able to remotely remove apps at short notice in case of an incident.

• Provide feedback channels for users to report security problems with apps.

10. Avoid / Safely Use Interpreters• Run interpreters at minimal privilege levels.• Define comprehensive escape syntax as

appropriate.• Fuzz test interpreters.• Sandbox interpreters.

Mobile Tools• iMas: • Research project from the MITRE Corp.

Focused on open source iOS security controls.

• Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.

• github.com/project-imas/about

Mobile Tools• iGoat: • Learning tool for iOS developers. It has a

similar conceptual flow to WebGoat.• Purpose is learning about security

weaknesses in iOS by breaking things as well as fixing them.

• code.google.com/p/owasp-igoat/

Mobile Tools• DVIA:• Damn Vulnerable iOS Application project

started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. 

• damnvulnerableiosapp.com

Mobile Tools• GoatDroid: • A fully functional and self-contained

training environment for performing security testing against Android application.

• The Project has 2 application:• FourGoats• Herd Financial

• github.com/jackMannino/OWASP-GoatDroid-Project

Mobile Tools• Androick: • Research project from PHONESEC Ltd.

This tool allows any user to analyze an Android application.

• sourceforge.net/projects/androick

Mobile Tools• MobiSec: • Project is a live environment for

testing mobile environments, including devices, applications, and supporting infrastructure.

More on OWASP• Mobile Threat Model

More on OWASP…• Mobile Threat Model

• Mobile Application Architecture• Mobile Data• Threat Agent Identification• Methods of Attack• Controls

Thank You

References• Technical examples:

http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks

• www.owasp.org /index.php/OWASP_Mobile_Security_Project

OWASP Top 10 – 20131. Injection2. Broken Authentication and

Session Management3. Cross-Site Scripting (XSS)4. Insecure Direct Object

References5. Security Misconfiguration

6. Sensitive Data Exposure7. Missing Function Level

Access Control8. Cross-Site Request

Forgery (CSRF)9. Using Known Vulnerable

Components10. Unvalidated Redirects

and Forwards

Mobile Application Architecture• The mobile application architecture should, at the

very least, describe device specific features used by the application, wireless transmission protocols, data transmission medium, interaction with hardware components and other applications. Applications can be mapped to this architecture as a preliminary attack surface assessment.

Mobile Data• This section answers these basic two

question:• What data does the application store and

process? • What is the business purpose of this data and

what are the data workflows?

Threat Agent Identification• This section defines threats to the app and threat

agents. Also outlines the process for defining what threats apply to the app.

• Identifying process:• Take the list of all sensitive data.• Make a list of all the ways to access this data.• The medium used to access the same listed in S2

Methods of Attack• This section defines methods that an attacker can

use to reach the data (sensitive information or sensitive to the app itself).• Carrier Based Methods• Endpoints based methods• Wireless interfaces based methods• OS and application level methods• Miscellaneous Methods

Controls• This section asks questions to define controls to

prevent attacks.• What are the controls to prevent an attack? • What are the controls to detect an attack? • What are the controls to mitigate/minimize impact of an

attack?• What are the controls to protect users private

information?• What are the controls to based method of attacks?