Top 7 Mobile App Attacks and How to Prevent Them

Date post: 19-May-2015
Upload: cenzic

Description:
Here's your chance to learn about the most common mobile threats and how to protect your organization from malicious attack. The slides:
> DESCRIBE why mobile apps are uniquely vulnerable
> SURVEY the 7 most common mobile attacks
> HIGHLIGHT ways to find mobile app vulnerabilities
Page 1: Top 7 Mobile App Attacks and How to Prevent Them

Top 7 Mobile App Attacks and How To Prevent Them

Chris Harget - Product Marketing

Sameer Dixit - Managed Services

Page 2

Agenda

Cenzic, Inc. - Confidential, All Rights Reserved.

Enterprise Mobile App Trends

Top Mobile App Attacks

How To Be Safer

Page 3

Mobile App Factoids

~14 billion tablet-app downloads in 2013 [1]

~82 billion smartphone-app downloads in 2013 [2]

Average US smartphone user has 41 apps and spends 39 minutes/day using them [3]

91% of apps free, only 9% paid for – Gartner 2012

1. ABI Research March 2013 prediction

2. Portio Research March 2013 forecast

3. Nielsen, http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation-%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html

Page 4

Mobile User Service Options

Mobile-Optimized Web Sites

• HTML5 gives some cross-platform capability

• No install, convenient for low-usage apps

• Works with standard vulnerability scanning

Native Mobile Apps

• Native container => tighter integration

• More user commitment required to begin

• Requires mobile-specific vulnerability scanning

Page 5

Mobile App Space Less Mature

Fewer security experts than on Web apps

Development practices often leave out security

New kinds of data to secure (GPS, camera, microphone, texts, international calling)

Page 6

Mobile App Security Is Harder

Mobile devices are less physically secure

Mobile traffic more likely to be visible to others

– Through the air

Page 7

Mobile Apps For Customers

Shopping App

Rewards Programs, Coupons

Games/Marketing

Account Management

Page 8

Mobile Apps For Employees

Email, Calendar, Contacts, Tasks

Salesforce.com

Order Entry

Quoting Tool

Field Support

Inventory Tracking

Point of Sale

Field Enablement

Approvals

Collaboration

Page 9

Mobile Apps For Partners

Order Entry

Order Tracking

Technical Support

Inventory Availability

Lead Referral

Product Catalogue

Price List

Page 10

Enterprise Mobile Apps Trends

Give free apps to prospects/customers for acquisition/retention

– The share of app revenue from in-app purchases will grow from 10% in 2011 to 41% in 2016 - Gartner

By 2016, 25% of enterprises will have private app stores – Gartner, April 2013

– Reduce risk from BYOD (Bring Your Own Device)

Mobile Apps often funded/developed by business units, not IT

Page 11

Enterprise Mobile App Dev. Costs

54% of apps cost $25K-$100K.

Page 12

Enterprise Mobile App Update Frequency

80% of respondents update mobile apps at least 2x/year. – http://www.anypresence.com/Mobile_Readiness_Report_2013.php

Page 13

Summing Up Trends

Enterprises developing apps for many reasons

Data and brand exposure increasing rapidly

Mobile app security practices generally inadequate

Page 14

Top 7 Mobile App Attacks

Page 15

1. Exploiting Unencrypted Data

Sensitive plist, XML and SQLite files, e.g. last logged-in user, address, usernames, GPS coordinates, photos, videos, etc.

Stored passwords

Page 16

2. Excessive Access Privileges

• Some apps unnecessarily grant access to the user's phone directory, calendar, GPS, camera, microphone, etc.

• => Theft of corporate info, fraud, and violation of privacy

Page 17

3. Exploiting Inputs That Are Not Validated

• SQL Injection

• XML Bombs

• Cross-Site Scripting

Page 18

4. Session Left Active When App Exited

• Poor Session Management

• User closes app, but is not logged out of server

• Attacker may pick up session and steal data, funds or merchandise

Page 19

5. Insecure Transmission

• GET request for username, account number, GPS coordinates, device UDID, user info, etc. …sent in the clear!

• Mobile traffic more likely to be visible to others than wired traffic

Page 20

6. Parameter Manipulation in Mobile Web Services

"Parameter Manipulation in REST Services"

• E.g., …/id/1234

• Change to …/id/3456/

• Gives access to another ID's account

Page 21

7. Lack of Automated Lockouts

• Unlike Web apps, most mobile apps don't implement a lockout after 3, 5 or 10 failed login attempts.

• PIN or password is often cached on the mobile device

• If someone gets control of your phone or tablet, they may be able to brute-force hack your app passwords without the server ever knowing

Page 22

Mobile App Attacks In Action…

Page 23

LIVE HACK I – Unencrypted Data Storage

Page 24

LIVE HACK II – Insecure Data Transmission

Page 25

A Few…

Page 26

1. Encrypt Data Storage

• Encrypt sensitive plist, XML and SQLite files that contain information such as the last logged-in user, address, usernames, GPS coordinates, photos and videos, etc.
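Before deciding what to encrypt, it helps to know what the app actually leaves on the device. The following Python script is an added example, not part of the Cenzic deck: it walks an app's data directory, parses each plist with the standard library's plistlib and each SQLite file with sqlite3, and reports keys and columns whose names suggest a secret or location but whose values are stored in the clear. The file names, the sensitive-name pattern and the sample store it builds are constructed for the example; on a real app you would point run_audit() at the app's sandbox directory pulled from a test device.

```python
"""Audit an app's local plist/SQLite store for sensitive values kept in plaintext (constructed sample)."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Heuristic name pattern for fields that should never sit unencrypted on the device.
# Extend it with the app's own key names; this list is an assumption for the example.
SENSITIVE_KEY = re.compile(r"(pass(word)?|pin|secret|token|latitude|longitude|gps)", re.I)


def _qi(name):
    """Quote a SQLite identifier taken from sqlite_master."""
    return '"' + name.replace('"', '""') + '"'


def audit_plist(path):
    """Return (file, key) for top-level plist keys that look sensitive and hold a value."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return [(os.path.basename(path), key)
            for key, value in data.items()
            if SENSITIVE_KEY.search(key) and value not in ("", None)]


def audit_sqlite(path):
    """Return (file, table.column) for sensitive-looking columns holding at least one non-NULL row."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f"PRAGMA table_info({_qi(table)})")]
            for col in columns:
                if not SENSITIVE_KEY.search(col):
                    continue
                count = con.execute(
                    f"SELECT COUNT(*) FROM {_qi(table)} WHERE {_qi(col)} IS NOT NULL"
                ).fetchone()[0]
                if count:
                    findings.append((os.path.basename(path), f"{table}.{col}"))
    finally:
        con.close()
    return findings


def run_audit(directory):
    """Audit every plist and SQLite file in one directory; returns a list of findings."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".plist"):
            findings.extend(audit_plist(path))
        elif name.endswith((".sqlite", ".db")):
            findings.extend(audit_sqlite(path))
    return findings


def build_sample_store(directory):
    """Write a constructed plist and SQLite file mimicking an app that caches secrets in the clear."""
    with open(os.path.join(directory, "Preferences.plist"), "wb") as fh:
        plistlib.dump({"last_user": "alice", "last_password": "hunter2",
                       "last_latitude": 37.38, "theme": "dark"}, fh)
    con = sqlite3.connect(os.path.join(directory, "cache.sqlite"))
    con.execute("CREATE TABLE accounts (id INTEGER, username TEXT, auth_token TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'tok_constructed_123')")
    con.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    con.commit()
    con.close()


def demo():
    """Build the sample store in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as directory:
        build_sample_store(directory)
        return run_audit(directory)


if __name__ == "__main__":
    for file_name, location in demo():
        print(f"plaintext sensitive field: {file_name}: {location}")
```

Anything the audit reports is a candidate either for the platform keystore (Keychain on iOS, Keystore on Android) or for encryption with a key that lives there; the audit only finds the fields, the slide's advice is what to do with them.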

Page 27

2. Restrict Access Privileges

Restrict granting excess permissions and privileges to the application on the device.

Example: Disallow update access to the user's phone directory, calendar, GPS, camera, microphone, etc.

Page 28

3. Validate Inputs

Ensure that the application validates all inputs, both at the client and at the server side, to avoid issues such as XSS, SQL injection, XML bombs, information disclosure, etc.
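The server-side half of that advice, as an added Python example that is not from the Cenzic deck: a user lookup built by string concatenation (the 'before') next to the parameterized form, an allow-list check on the username and account id before either reaches a query, and HTML output encoding for the XSS case. The users table, its rows and the function names are constructed for the example; sqlite3 and html are standard-library modules.

```python
"""Input validation and parameterized queries on a constructed in-memory SQLite table."""
import html
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the app's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return con


def lookup_unsafe(con, username):
    """The 'before': the client-supplied value is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    """The fix: the value travels as a bound parameter and can never change the query's structure."""
    return con.execute(
        "SELECT id, username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames; the character class is an assumption for the example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Return the value if it matches the allow-list, else raise ValueError.
    Run this on the server even when the mobile client already validated: the client can be bypassed."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def parse_account_id(raw):
    """Account ids are positive integers of bounded length; reject anything else before it is used."""
    if not raw.isdigit() or len(raw) > 12:
        raise ValueError("invalid account id")
    return int(raw)


def render_greeting(username):
    """Output encoding for data echoed into HTML (the XSS case)."""
    return "<p>Welcome, " + html.escape(username) + "</p>"


if __name__ == "__main__":
    con = make_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(con, probe))   # every row comes back
    print("safe:  ", lookup_safe(con, probe))     # nothing matches that literal username
```

The validation functions reject the input instead of trying to clean it: a rejected request costs one round trip, while a "sanitized" value that is still wrong reaches the database. Parameter binding is the control that actually stops injection; the allow-list mainly shrinks the input space and gives a clear error.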

Page 29

4. Manage Sessions Assertively

In a native client-server mobile application, always invalidate the session after logout, both at the client and at the server side.

Page 30

5. Use POST Request For Sensitive Data

Use an encrypted POST request rather than GET for sensitive information such as username, account number, GPS coordinates, device UDID, address, etc.
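One way to find the GET-with-sensitive-data pattern in an existing deployment is to look for it in the server's access log, since query strings are written there (and to proxy and CDN logs, browser history and the Referer header) whether or not the connection used TLS. The scanner below is an added Python example, not from the deck: it parses Common Log Format request lines, extracts the query string of each GET, and reports any parameter whose name is on a sensitive list. The log lines, the parameter-name list and the paths are constructed for the example.

```python
"""Detection: flag GET requests whose query string carries sensitive fields (constructed log sample)."""
import re
from urllib.parse import parse_qs, urlsplit

# Field names the slide lists as sensitive, in forms an API might use. This set is an
# assumption for the example; extend it with the app's own parameter names.
SENSITIVE_PARAMS = {"username", "user", "account", "account_number", "lat", "lon",
                    "latitude", "longitude", "udid", "address", "pin", "password"}

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log; lines 1 and 2 show the pattern the slide warns about, line 4 the fix.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2015:10:00:01 +0000] "GET /api/login?username=alice&pin=2468 HTTP/1.1" 200 512
10.0.0.5 - - [19/May/2015:10:00:05 +0000] "GET /api/locate?lat=37.38&lon=-122.03&udid=CONSTRUCTED-UDID HTTP/1.1" 200 88
10.0.0.7 - - [19/May/2015:10:00:09 +0000] "GET /api/catalog?page=2 HTTP/1.1" 200 4096
10.0.0.7 - - [19/May/2015:10:00:12 +0000] "POST /api/login HTTP/1.1" 200 512
"""


def sensitive_get_params(line):
    """Sorted sensitive parameter names in a GET request's query string; [] for POSTs and clean GETs."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return []
    names = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return sorted(n for n in names if n.lower() in SENSITIVE_PARAMS)


def scan_log(text):
    """Return (line_number, path, params) for every offending request in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        params = sensitive_get_params(line)
        if params:
            path = urlsplit(REQUEST_RE.search(line).group("target")).path
            findings.append((lineno, path, params))
    return findings


if __name__ == "__main__":
    for lineno, path, params in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: GET {path} carries {', '.join(params)} in the query string")
```

Note what the slide's wording implies: moving the fields into a POST body keeps them out of URLs and the logs that record URLs, but only TLS keeps them off the air. A POST over plain HTTP is still sent in the clear, so "encrypted POST" means both changes together.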

Page 31

6. Encrypt REST Parameters

• Obfuscate session-related info

• Use strict session management policies with tighter authorization boundary and privileges
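The two server-side controls behind slides 29 and 31 (invalidate the session at the server on logout; enforce an authorization boundary so that changing …/id/1234 to …/id/3456 yields nothing) fit in one small handler. The Python below is an added example, not Cenzic's code or a library API: a session table whose rows are deleted on logout or idle timeout, and a GET /accounts/{id} handler that resolves the caller from the token and then checks that the record's owner is that caller. The account records, the user names, the 15-minute idle timeout and the choice to answer 404 for both a missing and a foreign id are constructed or assumed for the example. Obfuscating the id, as the slide suggests, is compatible with this but is not a substitute for the ownership check.

```python
"""Server-side session table plus an ownership check on REST ids (constructed accounts)."""
import secrets
import time

# Constructed sample data: account id -> record. In a real service this is the database.
ACCOUNTS = {
    1234: {"owner": "alice", "balance": 100},
    3456: {"owner": "bob", "balance": 250},
}
# Denied lookups for the server log; one user walking through many ids is the signal to alert on.
DENIED = []


class SessionStore:
    """token -> [user_id, expires_at]. Logout deletes the row, so a token that survives on a
    closed or lost device is useless once the server has forgotten it."""

    def __init__(self, idle_timeout=15 * 60):
        self._sessions = {}
        self.idle_timeout = idle_timeout

    def login(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # random; carries no user id or sequence number
        self._sessions[token] = [user_id, now + self.idle_timeout]
        return token

    def logout(self, token):
        """Server-side invalidation; the client dropping its copy is not enough on its own."""
        self._sessions.pop(token, None)

    def resolve(self, token, now=None):
        """Return the user for a live token, or None if unknown, logged out or idle too long."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now > entry[1]:
            self._sessions.pop(token, None)
            return None
        entry[1] = now + self.idle_timeout  # sliding idle timeout
        return entry[0]


def get_account(store, token, account_id, now=None):
    """Handler for GET /accounts/{id}: authenticate, then authorize against the record's owner."""
    user = store.resolve(token, now)
    if user is None:
        return 401, {"error": "not authenticated"}
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        # Same answer for "no such id" and "not your id", so the caller cannot learn which ids exist.
        DENIED.append((user, account_id))
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice")
    print(get_account(store, token, 1234))   # (200, alice's record)
    print(get_account(store, token, 3456))   # (404, ...) even though the id exists
    store.logout(token)
    print(get_account(store, token, 1234))   # (401, ...) the old token is dead server-side
```

The ownership check belongs next to the data access, not in the mobile client: the client can be modified, and the URL is trivially edited, so the server must treat the id as untrusted input and the session as the only source of identity.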

Page 32

7. Use Automated Lockouts

• If a mobile app login fails 5-10x in a row, lock out in some fashion, flag the activity in app and server logs, etc.

• Lock the application for a period of time to avoid brute-force hacks
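The slide's two points, counting consecutive failures and locking for a period, only work if the check happens where the attacker cannot see or reset the counter, which is why slide 21's "without the server ever knowing" matters. The Python class below is an added example, not from the deck: PIN verification happens on the server against a salted PBKDF2 digest (the PIN itself is never stored on either side), five failures in a row lock the account for 15 minutes, and every failure and lock is appended to an audit list that stands in for the server log. The thresholds, the PBKDF2 work factor and the sample user are assumptions for the example.

```python
"""Server-side failed-login counter with a timed lockout and an audit trail (constructed users)."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # the slide suggests 5-10 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # length of the lock; an assumed value for the example
ITERATIONS = 100_000        # PBKDF2 work factor; an assumed value for the example


def _derive(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


class LoginGuard:
    def __init__(self):
        self.users = {}      # user -> (salt, digest); the PIN itself is never stored
        self.failures = {}   # user -> (consecutive_failures, locked_until)
        self.audit = []      # (timestamp, user, event) destined for the server log

    def register(self, user, pin):
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(pin, salt))

    def attempt(self, user, pin, now=None):
        """Return "ok", "denied" or "locked". Verification happens here, on the server, so
        the device never holds the PIN and every failure is counted and logged."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            self.audit.append((now, user, "rejected: account locked"))
            return "locked"
        # Unknown users get a dummy salt so response time does not reveal which names exist.
        salt, digest = self.users.get(user, (b"\x00" * 16, b""))
        if hmac.compare_digest(_derive(pin, salt), digest):
            self.failures.pop(user, None)   # a good login resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[user] = (0, now + LOCKOUT_SECONDS)
            self.audit.append((now, user, f"locked after {count} failures"))
            return "locked"
        self.failures[user] = (count, locked_until)
        self.audit.append((now, user, f"failed attempt {count}"))
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "2468")
    for _ in range(5):
        print(guard.attempt("alice", "0000"))    # denied x4, then locked
    print(guard.attempt("alice", "2468"))        # locked: even the right PIN is refused
    for event in guard.audit:
        print(event)
```

A time-based lock rather than a permanent one limits the damage an attacker can do by deliberately locking other users out; the audit entries are what let the server side notice a burst of failures across many accounts, which a purely on-device check never reports.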

Page 33

Cenzic Can Help

• Cenzic is a leading provider of Mobile Application Scanning Services.

• 10+ years

• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results

• Cenzic experts conduct business logic and forensic analysis of mobile apps

Page 34

Customers Rate Cenzic Higher

• 2013 Gartner surveyed App Security Testing Customers

• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction

• Cenzic provides the best services!

Page 35

Complete Enterprise Security by Cenzic

[Diagram: Enterprise Application Security spanning App Development, Pre-production & Production, and Partner / Supply Chain]

Page 36

Application Security for Web, Web Services & Mobile

+1.408.429-7400