Date posted: 16-Apr-2017
Category: Mobile
Uploaded by: appvigil-mobile-app-security-scanner
Mobile App Security Meet
OWASP Mobile Top 10
Recap
History
● Open Web Application Security Project (OWASP)
● Started in 2001 as an online community
● De facto standard for application security
● Referenced as a required standard by compliance regimes (PCI DSS, for example, cites the OWASP Top 10)
● 42,000+ members
Famous Projects
● Top 10 lists (documentation)
● Security tools
● Deliberately vulnerable apps for practice (WebGoat)
● Code Review Guide
Why a Top 10 for Mobile?
● Started in 2010
● Essential: mobile devices now far outnumber PCs/laptops
● Changing attack landscape
● More targets
● Forecast: 6.1B by 2018
What does mobile app security boil down to?
Securing assets on the device
Principles
➢ Do not store/leak data
➢ Do not store/leak sensitive data
➢ Do not store/leak sensitive data in plaintext
➢ Do not drive
➢ Do not drink and drive
➢ Do not drink and drive in an F1 race
(The driving lines are the talk's analogy: each refinement narrows a blanket rule into one you can actually follow. The rule to take away is the third one: sensitive data never sits on the device in plaintext.)
Relevant OWASP Mobile Top 10 categories (2014 list; the 2016 list renumbers them)
● M2 – Insecure Data Storage
● M4 – Unintended Data Leakage
● M7 – Client Side Injection
● M10 – Lack of Binary Protection
M2 – Insecure Data Storage: threat scenarios
● Adversary has physical access to the phone (lost, stolen, or borrowed) and can pull its file system
● Malware on the device reads the file system
● Your app runs on a rooted or jailbroken device, where the OS sandbox no longer protects app-private storage
M2 : What gets stored?
● Usernames
● Auth tokens
● Passwords
● UDID/IMEI (device identifiers; treated as sensitive here because they are stable and tie data to a person)
● SSN
● Credit card numbers
● App data: cache, logs
M2 : Where it ends up
● SQLite databases
● Log files
● Plist files (iOS)
● XML files
● SD card / external storage (readable by other apps)
● Cloud-synced backups (iCloud, Android backup)
● Shared Preferences (Android)
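The quickest way to find M2 issues in a test is to pull the app's private directory from a rooted test device and look at what is sitting there in plaintext. The script below is an added example for this talk (not AppVigil's scanner, and not code from the original deck): it parses a Shared Preferences XML file of the kind `adb pull` returns and flags entries whose key name or value shape gives away plaintext secrets. The sample XML, the key-name regex and the Luhn check are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /data/data/<pkg>/shared_prefs/app.xml as pulled from a
# rooted test device. Not real application data.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2017!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
    <string name="card_number">4111111111111111</string>
    <boolean name="onboarding_done" value="true" />
    <string name="theme">dark</string>
</map>
"""

# Key names that should never carry a plaintext value on disk (heuristic list).
SENSITIVE_KEY_RE = re.compile(
    r"(pass|pwd|secret|token|auth|session|cookie|ssn|card|cvv|pin|imei|udid|key)",
    re.IGNORECASE,
)
# Value shapes that are a giveaway regardless of the key name.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_shared_prefs(xml_text: str) -> list:
    """Return (key, reason) findings for entries that look like plaintext secrets."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root:
        name = el.get("name", "")
        # <string> holds its value as text; <boolean>/<int>/<long> use a value= attribute.
        value = el.get("value") if el.get("value") is not None else (el.text or "")
        value = value.strip()
        if JWT_RE.match(value):
            findings.append((name, "JWT-shaped value stored in plaintext"))
        elif PAN_RE.match(value) and luhn_ok(value):
            findings.append((name, "card-number-shaped value (Luhn valid) in plaintext"))
        elif el.tag == "string" and value and SENSITIVE_KEY_RE.search(name):
            findings.append((name, "sensitive key name with a plaintext string value"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_shared_prefs(SAMPLE_PREFS_XML):
        print(f"{key}: {reason}")
```

The fix for each finding is usually "do not write it at all": keep a short-lived server-issued token instead of the password, and hold that token in Keystore/Keychain-backed storage rather than in preferences. Run the same audit over SQLite databases, plists and anything under external storage, which other apps can read.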
M4 : Unintended Data Leakage
● Sensitive information lands in an insecure location, usually through OS or SDK behaviour the developer did not think about
● Overlaps with M2; the difference is intent (M2 is data the app chose to store, M4 is data that leaks as a side effect)
M4 : Threat Model Locations
● Application backgrounding (OS screenshots of the last screen)
● Logging (logcat, NSLog)
● Clipboard
● URL caching
● Crash logs
● Local storage
● Analytics data sent to third parties
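Logging is the leak that shows up in nearly every test, and it feeds two other items on this list (crash logs and analytics SDKs that hook the logger). The following is an added example, not code from the talk: a logging filter that scrubs bearer tokens, JWT-shaped strings, `password=`/`secret=` pairs and long digit runs before any handler sees the record. The patterns, the capture handler and the sample log lines are constructed for illustration; the 13 to 19 digit rule deliberately catches 15-digit IMEIs as well as card numbers, since the talk lists both as sensitive.

```python
import logging
import re

# Shapes of values that routinely leak into logcat, crash reports and analytics
# payloads. Illustrative patterns; tune them per application.
BEARER_RE = re.compile(r"(?i)\b(authorization\s*[:=]\s*bearer\s+)\S+")
KV_SECRET_RE = re.compile(r"(?i)\b((?:password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*)\S+")
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")
# 13-19 digit runs: card numbers and 15-digit IMEIs, redacted without a Luhn check.
LONG_DIGITS_RE = re.compile(r"\b\d{13,19}\b")


def redact(text: str) -> str:
    """Replace secret-looking substrings with fixed markers."""
    text = BEARER_RE.sub(r"\1[REDACTED]", text)
    text = KV_SECRET_RE.sub(r"\1[REDACTED]", text)
    text = JWT_RE.sub("[REDACTED-JWT]", text)
    text = LONG_DIGITS_RE.sub("[REDACTED-DIGITS]", text)
    return text


class RedactingFilter(logging.Filter):
    """Attached to the logger, this runs before any handler, so file, console,
    crash-reporting and analytics sinks all receive the scrubbed message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so secrets passed as %s args are covered too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class CaptureHandler(logging.Handler):
    """Collects formatted lines in memory; stands in for logcat/file output here."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_app_logger(name: str = "app") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


def demo() -> list:
    """Log three constructed lines of the kind seen in logcat; return what a sink received."""
    logger = build_app_logger("demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    capture = CaptureHandler()
    logger.addHandler(capture)
    logger.info("Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl")
    logger.info("purchase ok card=%s", "4111111111111111")
    logger.info("login password=%s user=%s", "Summer2017!", "alice")
    return capture.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Filters on a logger apply only to records that logger creates, not to records propagated up from child loggers, so attach the filter to every logger the app and its SDKs write through, or to the handlers themselves. Redaction is a safety net; the primary fix is still not to log the value.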
M7 : Client Side Injection
● Execution of attacker-controlled code or queries in the context and scope of the mobile app
● Sometimes with the app's own privileges (its files, its permissions, its sessions)
M7 : Locations
● SQLite injection
● Local file inclusion
● XSS in WebViews (and JavaScript bridges exposed to them)
● Intent injection (Android)
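SQLite injection on the client looks exactly like SQL injection on a server, except that the attacker-controlled string often arrives through a deep link, an Intent extra or a shared file rather than an HTTP parameter. The example below is added for this talk (not the deck's own code) and uses Python's sqlite3 module, which runs the same engine Android apps use; the notes table and the payload are constructed for illustration. The vulnerable query concatenates the search term; the safe one binds it as a parameter, which is what `SQLiteDatabase.rawQuery(sql, selectionArgs)` or `query()` with `?` placeholders does on Android.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed local notes database, like one an app keeps in its sandbox."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT)"
    )
    con.executemany(
        "INSERT INTO notes(owner, title, body) VALUES (?, ?, ?)",
        [
            ("alice", "groceries", "milk, eggs"),
            ("alice", "bank", "PIN 4821"),
            ("bob", "todo", "call dentist"),
        ],
    )
    return con


def search_vulnerable(con: sqlite3.Connection, owner: str, term: str) -> list:
    """`term` (from a search box, deep link or Intent extra) is spliced into SQL."""
    sql = (
        f"SELECT title, body FROM notes "
        f"WHERE owner = '{owner}' AND title LIKE '%{term}%'"
    )
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, owner: str, term: str) -> list:
    """Same query with bound parameters: the term can never change the SQL shape."""
    sql = "SELECT title, body FROM notes WHERE owner = ? AND title LIKE ?"
    return con.execute(sql, (owner, f"%{term}%")).fetchall()


# Constructed payload: closes the LIKE literal, ORs in a tautology and comments
# out the rest, so the owner filter is bypassed and every row comes back.
PAYLOAD = "%' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, "alice", PAYLOAD))
    print("safe:      ", search_safe(db, "alice", PAYLOAD))
```

Two caveats a tester will hit: sqlite3's `execute` refuses stacked statements, so `'; DROP TABLE` style payloads fail here, but tautologies, UNIONs and subqueries work fine; and parameter binding does not neutralise `%` and `_` inside a LIKE pattern, so a user who types them still gets wildcard matching unless you escape them.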
M10 : Lack of Binary Protection
● A binary on the client side cannot be trusted for its integrity
● Execution of the binary can be monitored and altered at runtime
● Intellectual property (algorithms, embedded keys) can be extracted by reverse engineering and reused elsewhere
M10 : Results in
● Repackaging to insert malware or adware
● Bypassing security controls (licence checks, pin screens, pinning)
● Runtime code injection
● Method swizzling / hooking
M10 : Best Practices
● Jailbreak detection controls (iOS)
● Checksum controls over the app's own code
● Debugger detection controls
● Root detection (Android)
● All of these run inside the same untrusted binary, so they raise the cost of tampering rather than prevent it
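A checksum control is the simplest of these: at start-up the app hashes its own code (on Android, `classes.dex` inside the APK found at the application's `sourceDir`) and compares the digest with one baked in at build time. The example below is added for this talk, not code from the deck, and simulates that logic in Python over a constructed zip that stands in for an APK; the dex bytes and the "tampered" variant are made up for illustration.

```python
import hashlib
import hmac
import io
import zipfile


def build_fake_apk(dex_bytes: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip with a classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


def dex_sha256(apk_bytes: bytes) -> str:
    """Digest of the code entry; this is the value the build pipeline records."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return hashlib.sha256(z.read("classes.dex")).hexdigest()


def integrity_ok(apk_bytes: bytes, expected_hex: str) -> bool:
    """Runtime check: does the code we are running match what we shipped?"""
    return hmac.compare_digest(dex_sha256(apk_bytes), expected_hex)


# Constructed "original" dex payload (real dex files start with "dex\n035\0").
ORIGINAL_DEX = b"dex\n035\x00" + b"\x00" * 64 + b"original code"
# In a real build this constant is computed by the release pipeline and baked in.
EXPECTED = dex_sha256(build_fake_apk(ORIGINAL_DEX))


def demo() -> tuple:
    """Return (result for untouched build, result for repackaged build)."""
    good = build_fake_apk(ORIGINAL_DEX)
    tampered = build_fake_apk(ORIGINAL_DEX.replace(b"original", b"patched!"))
    return integrity_ok(good, EXPECTED), integrity_ok(tampered, EXPECTED)


if __name__ == "__main__":
    print("untouched build passes:", demo()[0])
    print("repackaged build passes:", demo()[1])
```

The limitation is the one stated on the slide: whoever repackages the APK can also patch `EXPECTED` and the comparison, so this catches casual modification and automated adware injectors, not a determined attacker. Checking the signing certificate of the installed package, and having the server refuse builds it does not recognise, raises the bar further; none of it replaces server-side controls (M1, M5).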
Securing assets on the wire and at the server
● M1 – Weak Server Side Controls
● M3 – Insufficient Transport Layer Protection
● M5 – Poor Authentication and Authorisation
● M6 – Broken Cryptography
● M8 – Security Decisions via Untrusted Inputs
● M9 – Improper Session Handling
M1 : Weak Server Side Controls
● Traditional SQL injection
● XSS
● CSRF
● Everything else in the OWASP Top 10 (Web): the mobile app is just another client of the same backend
M3 : Insufficient Transport Layer Protection
● Results in MITM
● Validate SSL/TLS certificates properly (no trust-all managers, no disabled hostname checks)
● Strong enough cipher suites
● HTTPS everywhere; never fall back to HTTP
● SSL pinning
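The four controls on this slide map onto a handful of client settings. As an added example (not code from the talk, and not tied to any real server) the Python below builds a client TLS context with certificate validation and hostname checking on, TLS 1.2 as the floor and forward-secret AEAD suites only, then layers certificate pinning on top by comparing the SHA-256 of the server's DER-encoded leaf certificate against a pin set. `EXAMPLE_PINS` is computed from constructed bytes and is a placeholder, and `fetch_pinned` needs network access, so it is defined but not exercised here.

```python
import hashlib
import hmac
import socket
import ssl


def make_context() -> ssl.SSLContext:
    """Client TLS context with the checks from the slide switched on."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, hostname check, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    # TLS 1.2 suites restricted to ECDHE (forward secrecy) with AEAD ciphers;
    # TLS 1.3 suites are governed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate matches any pin (constant-time compare)."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p) for p in pins)


def fetch_pinned(host: str, port: int, pins, path: str = "/") -> bytes:
    """Connect, let OpenSSL validate the chain, then additionally require the
    leaf to match a pin before sending a single byte. Requires network."""
    ctx = make_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


# Placeholder pin set computed from constructed bytes, not from a real server.
EXAMPLE_PINS = {cert_fingerprint(b"constructed-leaf-certificate-placeholder")}


if __name__ == "__main__":
    print("pins:", EXAMPLE_PINS)
```

Pinning the leaf means every certificate rotation needs an app update, so production apps usually pin the public key (SPKI) or an intermediate CA and ship at least one backup pin. On Android the same policy can be declared without code in the Network Security Config `<pin-set>`; either way the pin check is bypassable by anyone who can patch the binary (M10), which is why it protects against network attackers, not against the device owner.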
M5 : Poor Authentication and Authorisation
“All client-side authorization and authentication controls will be bypassed.”
Authorization and authentication controls must be enforced again on the server side; a check that exists only in the app is a UI convenience, not a control.
M9 : Improper Session Handling
● Consequences are the same as M5
● Use sensible timeouts (idle and absolute)
● Rotate cookies/tokens
● Rotate on switching access levels
● Create tokens with a cryptographically secure random source
M6 : Broken Cryptography
● Still using MD5 or RC2?
● Move on!
● Use strong, current algorithms
● White-box cryptography (WBC) for keys that must live on the device
M8 : Security Decisions Via Untrusted Inputs
● Threat model all your app inputs
● IPC endpoints (Intents, URL schemes, pasteboard, content providers)
● Hidden fields
● Parameters that determine access level
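The M9 slide (timeouts, rotation, rotation on access-level change, secure token creation) and the M8 slide (never let a client-supplied parameter decide access) are two sides of one server-side design, so one added example covers both. This is illustrative code written for this page, not the talk's or AppVigil's: a session store that keeps every fact that matters on the server and hands the client only an opaque CSPRNG token, with idle and absolute timeouts, token rotation that invalidates the old token, and an injectable clock so the timeouts can be exercised. Beside it sit two request handlers: one that trusts an `is_admin` field (the M8 anti-pattern) and one that reads the role from the session record. Header and parameter names are made up.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity


class SessionStore:
    """Server-side session table. The client only ever holds the opaque token;
    user, role and timestamps live here and are never taken from the request."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for tests
        self._sessions = {}          # sha256(token) -> record

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash, so a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, role: str, created: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not random()/time()
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user": user,
            "role": role,
            "created": created if created is not None else now,
            "last_seen": now,
        }
        return token

    def lookup(self, token: str) -> Optional[dict]:
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[self._key(token)]     # expired: drop it server-side
            return None
        rec["last_seen"] = now
        return rec

    def rotate(self, token: str, new_role: Optional[str] = None) -> Optional[str]:
        """Issue a fresh token and kill the old one. Call on login, on any change
        of access level, and periodically, so a token captured earlier (logs,
        proxy, backup) stops working. The absolute deadline is carried over."""
        rec = self.lookup(token)
        if rec is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(rec["user"], new_role or rec["role"], created=rec["created"])

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


def handle_admin_vulnerable(store: SessionStore, request: dict) -> tuple:
    """M8 anti-pattern: a hidden field decides the access level."""
    if request["params"].get("is_admin") == "1":
        return 200, "admin panel"
    return 403, "forbidden"


def handle_admin_safe(store: SessionStore, request: dict) -> tuple:
    """The role comes from the server-side record; request fields are ignored."""
    rec = store.lookup(request["headers"].get("X-Session", ""))
    if rec is None:
        return 401, "login required"
    if rec["role"] != "admin":
        return 403, "forbidden"
    return 200, "admin panel"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "user")
    forged = {"headers": {"X-Session": tok}, "params": {"is_admin": "1"}}
    print("vulnerable:", handle_admin_vulnerable(store, forged))
    print("safe:      ", handle_admin_safe(store, forged))
```

Rotation is what makes "switching access levels" safe: the pre-escalation token is deleted, so anything that captured it before the step-up holds a dead credential. The same store, read by the server, is the only place an access decision should come from; the mobile app can cache the role for drawing menus, but the server must not accept it back.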
Conclusion
● Mobile app security is critical and the field is maturing quickly
● Refer to the OWASP guidelines to build an accepted level of security into your mobile applications