
AppSec USA 2014

Denver, Colorado

10 Secrets To Secure Mobile Apps

From contributors of the OWASP Mobile Top Ten & the iOS Developer Cheat sheet

Introductions

Jason Haddix, Researcher, HP Fortify on Demand

- OWASP Mobile Top Ten Project Lead
- Pentest Leader
- iOS Developer Cheatsheet contributor
- Research and Development

jason.haddix@hp.com

Twitter: @jhaddix

Introduction

Daniel Miessler, Practice Principal, HP Fortify on Demand

- Research and Development
- OWASP Mobile Top Ten Project Participant
- OWASP IoT Top 10 Project Lead
- Web and Mobile Security Assessments
- Penetration Testing Background

daniel@hp.com

Twitter: @danielmiessler

Considerations: Mobile traffic increases

Data from Smart Insights, Yankee Group 2012

• Global mobile data traffic will increase 26-fold between 2010 and 2015
• There will be nearly one mobile device per capita by 2015 (~7 billion)
• Mobile payments will exceed 984 Billion by 2014

Considerations: Mobile ubiquity

• Mobile performance is becoming extraordinary
• Using a non-mobile computer will become increasingly rare
• “Home computer” will come to mean better input and display options for your mobile system
• Apple replacing desktop with mobile?
• 2014 is considered the year that mobile web traffic will surpass non-mobile web traffic
• Mobile computing will soon be known as “computing”
• Computing somewhere other than your mobile device will be the activity that requires a name
• Attackers follow the users

Considerations: Mobile insecurity

• Mobile development is the hottest type of development right now. New surface area equals dangerous surface area
• If anyone’s going to put features over security to get the product out the door, it’s likely to be a mobile team
• Many enterprise mobile developers haven’t had the security training that other types of developers have had
• Many assume that because mobile back ends aren’t visited directly they are more secure (obscurity assumption)

OWASP Mobile Top 10

Top Ten Ways To Secure Mobile Apps

(more than ten, actually)

Data Storage

Don’t Store or Store Securely

If at all possible, don’t store passwords or PII.

There are several storage mechanisms for each platform. Some are safer than others.

iOS: When storage is necessary for small data fragments, use the iOS keychain. In addition, store all strings in encrypted format, even in the keychain. Never use plists for data storage (NSUserDefaults).

iOS: For larger data sets, files, and databases (Core Data or SQLite), use Apple’s Data Protection API with a minimum of the designation NSFileProtectionCompleteUnlessOpen.

Android: Use the Android Keystore (encrypted values) for keys, and avoid saving to external storage (SD card) as it is a shared storage mechanism.

Don’t Store or Store Securely

It’s also important that any IPC files (content providers) don’t have the MODE_WORLD_WRITABLE or MODE_WORLD_READABLE permissions. This is designated in the AndroidManifest.xml file.

Don’t Store or Store Securely

That last link…

Server Side Protections

Protect the Server (highlights)

The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities.

Validate all input; use a whitelisting approach for special/control characters.

While not a silver bullet, there are several open source WAFs and libraries depending on platform (ModSecurity, OWASP ESAPI, IIS security modules).

Require authentication on all API requests.

Keep web server software and frameworks updated (this includes XML parsers ;)

If the backend is web-service based, return the proper content type.

Use POST instead of GET where possible.

"Cache-Control: no-cache, no-store" is VERY important.

OWASP ProActive Controls

Project Lead: Jim Manico

1. Parameterize Queries
2. Encode Data
3. Validate All Inputs
4. Implement Appropriate Access Controls
5. Establish Identity and Authentication Controls
6. Protect Data and Privacy
7. Implement Logging, Error Handling and Intrusion Detection
8. Leverage Security Features of Frameworks and Security Libraries
9. Include Security-Specific Requirements
10. Design and Architect Security In

Encrypt and Protect Traffic

Over the Wire

Always use HTTPS; disable HTTP endpoints.

Set appropriate cookie flags: Secure, HttpOnly.

Use appropriate cipher strength and algorithms for SSL.

Use appropriate certificate management calls. Use certificate pinning where possible.

https://github.com/iSECPartners/ssl-conservatory

Poor TLS Implementations

• Trusting any certificate it sees (self-signed or any root)
• Allows expired certificates
• These allow trivial MiTM attacks
• Can connect to HTTPS once, and then fall back (mixed mode)
• ++

SSL Checklist for Penetration Testers

Know the OS (Unintended Data Leakage)

Take a look at your target OS and ensure that none of the operating system’s features leak private data.

iOS:

• Logging (NSLog in production)
• Application background screenshot
• URL caching
• Keyboard press caching
• Copy/paste buffer caching
• Photo sharing

Android:

• URL caching (both request and response)
• Logging (Log.d)
• Exported content providers (improper permissions)
• Storage outside of the application sandbox: external storage (MODE_WORLD_READ/WRITE default)
• Improper use of WebViews (CVE-2014-6041 and CVE-2012-6636 are good examples)
• Insecure inter-process communication (Services and Broadcast Receivers)
• Unencrypted sensitive data stored in the application heap

Unintended Data Leakage

iOS: Sensitive data stored world readable

Unintended Data Leakage

http://s3jensen.blogspot.com/2014/02/credit-karma-ios-vulnerability.html

Know Your Libraries

Audit any baked-in ad or analytics libraries for unnecessary transmission of private data:

• Your name
• Your address
• Your location
• Your usage or purchasing patterns
• Your device’s names
• Your email
• Your phone’s number
• Contacts’ phone numbers, emails, etc.
• Your photos
• Application data
• The phone’s system logs
• ++

Proxy the application during QA testing to audit for data leakage:

http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/

Case in Point:

- Women’s health mobile application
- Captured all manner of sensitive data
- Communication with the app was solid
- But…

Analyzing Mobile Network Traffic

Developers often assume the best of their apps:

• Mobile apps are often chatty
• Devs aren’t usually aware of everything their apps are talking to
• There are tools for this

Mobile Network Traffic

Using pcaps and tshark you can see what’s really going on:

• Use tcpdump and tshark to see what’s up
• Capture a pcap of a full mobile session
• List the hosts the app talked to (the cut keeps only the first address when tshark prints several comma-separated values for one packet):

tshark -r sample.pcap -Y ip -T fields -e ip.dst | cut -d ',' -f1 | sort -u > hosts.txt

(output: one IP address per line, one for each destination host seen in the capture)

Break the master pcap into pieces using tcpdump, one pass per host in that list:

while read -r host; do
    /usr/sbin/tcpdump -r "$APPDIR/sample.pcap" host "$host" -w "$APPDIR/$host.pcap" > /dev/null 2>&1
done < hosts.txt

• Now you have one pcap per host
• What can you do with that?

Mobile Network Traffic

Search for real data in the network traffic:

• You have credentials and application data, right?
• Start by transforming your data in multiple ways
• Then grep each file for any of those variations
• Oh, you got a hit?
• What host was it on?

Hint: works on the filesystem as well!

Bonus:

• What’s the reputation rating for those endpoints?
• Think malicious Android apps
• What about IDS?

• Find your data (in many formats) on both the network and the filesystem
• Break your mobile traffic into discrete pcaps
• Inspect each pcap for malicious traffic (IDS)
• Inspect each for endpoint reputation (multiple options)
• Alert if you see your data at all (no encryption)
• Really alert if you see it going to a malicious host
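The "transform your data in multiple ways, then grep each per-host file" step above, worked through as an added example (not the talk's own tooling): it assumes each per-host capture has already been reduced to text (for instance the strings of each pcap), and uses a constructed credential and constructed sample files standing in for those captures.

```shell
#!/bin/sh
# Added example (not from the talk): emit the encodings an app is likely to use
# for a sensitive value, then grep every per-host file for each of them.
# Real input would be the text form of each host's pcap (e.g. strings output);
# here the per-host files are constructed text.

# Print "label value" for each encoding of the secret given as $1.
# Note: base64 is alignment-sensitive, so the bare secret's base64 only matches
# when the app encodes the secret on its own (not embedded as "user:pass").
secret_variants() {
    s="$1"
    printf 'plain %s\n'  "$s"
    printf 'base64 %s\n' "$(printf '%s' "$s" | base64 | tr -d '\n')"
    printf 'hex %s\n'    "$(printf '%s' "$s" | od -An -tx1 | tr -d ' \n')"
    printf 'md5 %s\n'    "$(printf '%s' "$s" | md5sum | cut -d ' ' -f1)"
    printf 'sha1 %s\n'   "$(printf '%s' "$s" | sha1sum | cut -d ' ' -f1)"
}

# Search every file under directory $1 for any encoding of secret $2.
# Prints "<file><TAB><encoding>" per hit; returns 0 on at least one hit, 1 otherwise.
find_secret() {
    hits=$(secret_variants "$2" | while read -r label value; do
        grep -rlF -- "$value" "$1" 2>/dev/null | awk -v l="$label" '{ print $0 "\t" l }'
    done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Constructed sample "per-host captures" (plain text standing in for pcaps):
# host-a sends the secret base64-encoded in a header, host-b sends its MD5 to a
# tracker, host-c is clean. Prints the directory path.
make_sample_captures() {
    d=$(mktemp -d)
    printf 'GET /api/login HTTP/1.1\nX-Token: %s\n' \
        "$(printf '%s' "$1" | base64 | tr -d '\n')" > "$d/host-a.txt"
    printf 'POST /track HTTP/1.1\n\nuid=%s\n' \
        "$(printf '%s' "$1" | md5sum | cut -d ' ' -f1)" > "$d/host-b.txt"
    printf 'GET /ads.js HTTP/1.1\n' > "$d/host-c.txt"
    printf '%s\n' "$d"
}

SECRET='Hunter2!'                          # constructed test credential
CAPTURES=$(make_sample_captures "$SECRET")
find_secret "$CAPTURES" "$SECRET" || echo "no copy of the secret found"
```

Each reported line names the per-host file (and so the host) and which encoding matched; pointing the same function at the app's data directory covers the "works on the filesystem as well" hint.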

Make it hard for the Attacker

There are a number of easy and free binary defenses that developers are not implementing:

iOS:

• ASLR / PIE (memory randomization)
• Stack smashing protection enabled (canary-based)
• Automatic Reference Counting (memory)
• Jailbreak detection
• LLVM obfuscator
• iMAS
• Stripping usernames and paths
• OWASP Reverse Engineering and Code Modification Prevention Project
• Anti-debugger code

Android:

• ProGuard (free)
• DexGuard (paid)
• Integrity hashing checks
• Facebook’s SQLite encryption
• Conceal Project
• Root detection

** Also, SSL pinning **

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Takeaways

• Mobile is computing
• Don’t store data if you don’t have to
• Use the APIs that are available
• Know what you’re adding to your app
• Take a look at your network traffic
• Search for your sensitive data
• Harden your binaries
• Don’t forget the server side
• Help us with data for the 2015 Mobile Top 10
• The more data the better, don’t be shy

iOS 8 Security

• Apple is opening up (a little)
• Third-party extensibility presents new surface area
• Cross-app communication
• Keyboards
• Sharing interfaces
• Notification widgets
• TouchID
• CloudKit integration
• Always-on VPN

Swift

• People are scrambling to figure out Swift
• Runs alongside Obj-C in the same runtime
• We built a Swift app and tested it
• We found many of the same things
• APIs very similar
• Don’t expect a sea change any time soon

Android ART

• No more Dalvik VM
• Still being investigated

A Call for Action: We need help!

OWASP Mobile Top Ten 2015

OWASP iOS Security Cheat Sheet

OWASP iOS Developer Cheat Sheet

Android, Windows, Blackberry?

Additional References/Resources

• iOS Security Guide: http://images.apple.com/iphone/business/docs/iOS_Security_Oct13.pdf
• Android Security Guide: http://source.android.com/tech/security/
• OWASP Mobile Top 10: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• MobileTools: https://github.com/danielmiessler.com/mobiletools/
• OWASP iOS Security Testing Cheat Sheet
• OWASP iOS Developer Cheat Sheet
• OWASP iMAS Security Project
• OWASP Proactive Controls
• OWASP Reverse Engineering and Code Modification Prevention Project
• SQLCipher
• Dawn Isabel: What Your Binary Says About You
• Jason Haddix: NSURL Caching
• Daniel Miessler: Mobile Certificate Pinning
• Fortify Vulncat
• Secure coding practices for iOS development
• OWASP XSecurity Project

HP Fortify on Demand

• Cloud-based Application Security Testing
• Dynamic and Static Testing of Web, Mobile, and Thick-client applications
• Manual-first approach
• Experienced pentesters behind the scenes
• Significant focus on testing methodology
• Let us show you

http://hp.com/go/fortifyondemand

James Fitts, Dawn Isabel, Brad Wolfe, Greg Patton, Brent Morris, Kevin Lynn

Thanks


Reach out! Questions?

daniel@hp.com

jason.haddix@hp.com
