TRANSCRIPT
AppSec USA 2014
Denver, Colorado
10 Secrets To Secure Mobile Apps
From contributors of the OWASP Mobile Top Ten & the iOS Developer Cheat sheet
Introductions
Jason Haddix, Researcher, HP Fortify on Demand
- OWASP Mobile Top Ten Project Lead
- Pentest Leader
- iOS Developer Cheatsheet contributor
- Research and Development
Twitter: @jhaddix
Introduction
Daniel Miessler, Practice Principal, HP Fortify on Demand
- Research and Development
- OWASP Mobile Top Ten Project Participant
- OWASP IoT Top 10 Project Lead
- Web and Mobile Security Assessments
- Penetration Testing Background
Twitter: @danielmiessler
Data from Smart Insights, Yankee Group 2012
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• There will be nearly one mobile device per capita by 2015 (~7 billion)
• Mobile payments will exceed 984 Billion by 2014
Considerations: Mobile traffic increases
Considerations: Mobile ubiquity
• Mobile performance is becoming extraordinary
• Using a non-mobile computer will become increasingly rare
• “Home computer” will come to mean better input and display options for your mobile system
• Apple replacing desktop with mobile?
• 2014 is considered the year that mobile web traffic will surpass non-mobile web traffic
• Mobile computing will soon be known as “computing”
• Computing somewhere other than your mobile device will be the activity that requires a name
• Attackers follow the users
Considerations: Mobile ubiquity
• Mobile development is the hottest type of development right now. New surface area equals dangerous surface area
• If anyone’s going to put features over security to get the product out the door, it’s likely to be a mobile team
• Many enterprise mobile developers haven’t had the security training that other types of developers have had
• Many assume that because mobile back ends aren’t visited directly they are more secure (obscurity assumption)
Considerations: Mobile insecurity
OWASP Mobile Top 10
Top Ten Ways To Secure Mobile Apps
(more than ten, actually)
Data Storage
If at all possible, don’t store passwords or PII.
There are several storage mechanisms for each platform. Some are safer than others.
iOS: When storage is necessary for small data fragments, use the iOS keychain. In addition, store all strings in encrypted form, even in the keychain. Never use plists (NSUserDefaults) for data storage.
iOS: For larger data sets, files, and databases (Core Data or SQLite), use Apple’s Data Protection API with at least the NSFileProtectionCompleteUnlessOpen class.
Android: Use the Android Keystore (encrypted values) for keys and avoid saving to external storage (SD card), as it is a shared storage mechanism.
Don’t Store or Store Securely
It’s also important that any IPC files (content providers) don’t have the MODE_WORLD_WRITABLE or MODE_WORLD_READABLE permissions. This is designated in the AndroidManifest.xml file.
Don’t Store or Store Securely
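As an added example (not part of the talk), the following script audits an AndroidManifest.xml for content providers that are exported without any permission, the "improper permissions" condition the slides warn about. The manifest it parses is a constructed sample; the element and attribute names are the standard Android ones.

```python
# Added example: flag <provider> elements that are exported without a permission.
# The sample manifest below is constructed for this demonstration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: one provider guarded by a permission, one exported with
# no permission at all, and one that is explicitly not exported.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <provider android:name=".SafeProvider"
              android:authorities="com.example.demo.safe"
              android:exported="true"
              android:permission="com.example.demo.READ_DATA"/>
    <provider android:name=".LeakyProvider"
              android:authorities="com.example.demo.leaky"
              android:exported="true"/>
    <provider android:name=".PrivateProvider"
              android:authorities="com.example.demo.private"
              android:exported="false"/>
  </application>
</manifest>
"""

def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def unprotected_providers(manifest_xml):
    """Return the android:name of every <provider> that is exported but has no
    permission, readPermission or writePermission attribute.
    Assumption: a missing android:exported attribute is treated as false."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        exported = (_attr(prov, "exported") or "false").lower() == "true"
        guarded = any(_attr(prov, a) for a in
                      ("permission", "readPermission", "writePermission"))
        if exported and not guarded:
            findings.append(_attr(prov, "name"))
    return findings

if __name__ == "__main__":
    print(unprotected_providers(SAMPLE_MANIFEST))
```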
Resources
iOS: Data Protection Classes
iOS: Encrypted Core Data
Both: SQLCipher
Android: CERT Secure Coding Practices for Android
Don’t Store or Store Securely
That last link…
Server Side Protections
The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities.
Validate all input; use a whitelisting approach for special/control characters.
While not a silver bullet, there are several open source WAFs and libraries depending on platform (ModSecurity, OWASP ESAPI, IIS security modules).
Require authentication on all API requests.
Keep web server software and frameworks updated (this includes XML parsers ;)
If the backend is web-service (WS) based, return the proper content type.
Use POST instead of GET where possible.
"Cache-Control: no-cache, no-store" is VERY important.
Protect the Server (highlights)
1. Parameterize Queries
2. Encode Data
3. Validate All Inputs
4. Implement Appropriate Access Controls
5. Establish Identity and Authentication Controls
6. Protect Data and Privacy
7. Implement Logging, Error Handling and Intrusion Detection
8. Leverage Security Features of Frameworks and Security Libraries
9. Include Security-Specific Requirements
10. Design and Architect Security In
OWASP ProActive Controls
Project Lead: Jim Manico
Encrypt and Protect Traffic
Always use HTTPS, disable HTTP endpoints.
Set appropriate cookie flags: Secure, HttpOnly.
Use appropriate cipher strength and algorithms for SSL.
Use appropriate certificate management calls. Use certificate pinning where possible.
https://github.com/iSECPartners/ssl-conservatory
Over the Wire
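As an added example (not from the talk), the script below audits a captured HTTP response for the two settings called out on the server-side and traffic slides: the "Cache-Control: no-cache, no-store" header and the Secure and HttpOnly flags on cookies. Both responses it checks are constructed samples, one weak and one corrected.

```python
# Added example: audit raw HTTP responses for Cache-Control and cookie flags.
# Both responses are constructed sample data, not captures from a real app.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: private, max-age=600\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '{"account":"constructed"}'
)

# Same response with the cache directives and cookie flags the slides ask for.
FIXED_RESPONSE = (
    WEAK_RESPONSE
    .replace("private, max-age=600", "no-cache, no-store")
    .replace("session=abc123; Path=/; HttpOnly",
             "session=abc123; Path=/; Secure; HttpOnly")
)

def parse_headers(raw):
    """Return (name, value) pairs with lowercased names. A list rather than a
    dict is used so that repeated Set-Cookie headers are all preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return a list of findings; an empty list means both checks passed."""
    headers = parse_headers(raw)
    findings = []
    # Collect every Cache-Control directive, case-insensitively.
    cache = [v for n, v in headers if n == "cache-control"]
    directives = {d.strip().lower() for v in cache for d in v.split(",")}
    for needed in ("no-cache", "no-store"):
        if needed not in directives:
            findings.append("Cache-Control missing %s" % needed)
    # Each Set-Cookie must carry Secure and HttpOnly.
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        flags = {a.strip().lower() for a in v.split(";")[1:]}
        for needed in ("secure", "httponly"):
            if needed not in flags:
                findings.append("cookie %s missing %s" % (cookie_name, needed))
    return findings
```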
• Trusting any certificate it sees (self-signed or any root)
• Allows expired certificates
• These allow trivial MiTM attacks
• Can connect to HTTPS once, and then fall back (mixed mode)
• ++
SSL Checklist for Penetration Testers
Poor TLS Implementations
Know the OS (Unintended Data Leakage)
iOS:
- Logging (NSLog in production)
- Application Background Screenshot
- URL Caching
- Keyboard Press Caching
- Copy/Paste buffer Caching
- Photo Sharing
Android:
- URL Caching (both request and response)
- Logging (Log.d)
- Exported Content Providers (improper permissions)
- Storage outside of application sandbox, external storage (MODE_WORLD_READ/WRITE default)
- Improper use of WebViews (CVE-2014-6041, CVE-2012-6636 are good examples)
- Insecure Inter-process Communication (Services and Broadcast Receivers)
- Unencrypted sensitive data stored in the application heap
Unintended Data Leakage
Take a look at your target OS and ensure that none of the operating system’s features leak private data.
Android:
URL Caching (both request and response), Logging
Unintended Data Leakage
iOS Sensitive Data Stored World Readable
Unintended Data Leakage
http://s3jensen.blogspot.com/2014/02/credit-karma-ios-vulnerability.html
Unintended Data Leakage
Know Your Libraries
Audit any baked in Ad or Analytic Libraries for unnecessary transmission of private data:
• Your Name
• Your Address
• Your Location
• Your usage or purchasing patterns
• Your device’s names
• Your email
• Your phone’s number
• Contacts’ phone numbers, emails, etc.
• Your photos
• Application data
• The Phone’s system logs
• ++
Know Your Libraries
Proxy the application during QA testing to audit for data leakage:
http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/
Know Your Libraries
Know Your Libraries
Case in Point:
- Women’s health mobile application
- Captured all manner of sensitive data
- Communication with the app was solid
- But…
Analyzing Mobile Network Traffic
Developers often assume the best of their apps
• Mobile apps are often chatty
• Devs aren’t usually aware of everything their apps are talking to
• There are tools for this
Mobile Network Traffic
Using pcaps and tshark you can see what’s really going on
• Use tcpdump and tshark to see what’s up
• Capture a pcap of a full mobile session
tshark -r sample.pcap -T fields -E separator=, -e ip.dst -e ip.src | sort -u | cut -d ',' -f1
(each field needs its own -e, and the field separator must be set to a comma for the cut to work; the output is one destination address per line)
Mobile Network Traffic
Break the master pcap into pieces using tcpdump
for host in $(cat "$host_file_from_tshark"); do
    # one pcap per host, filtered from the master capture
    /usr/sbin/tcpdump -r "$APPDIR/sample.pcap" host "$host" -w "$APPDIR/$host.pcap" &> /dev/null
done
• Now you have one pcap per host
• What can you do with that?
Mobile Network Traffic
Search for real data in the network traffic
• You have credentials and application data, right?
• Start by transforming your data in multiple ways
• Then grep each file for any of those variations
• Oh, you got a hit?
• What host was it on?
Hint: works on the filesystem as well !
Mobile Network Traffic
Bonus
• What’s the reputation rating for those endpoints?
• Think malicious Android apps
• What about IDS?
• Find your data (in many formats) on both the network and the filesystem
• Break your mobile traffic into discrete pcaps
• Inspect each pcap for malicious traffic (IDS)
• Inspect each for endpoint reputation (multiple options)
• Alert if you see your data at all (no encryption)
• Really alert if you see it going to a malicious host
Mobile Network Traffic
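The "transform your data in multiple ways, then grep each per-host file" step from the two slides above, as an added example that is not part of the talk: it generates the encodings a leaked credential might take on the wire and reports which host capture contains which form. The per-host captures are constructed byte strings standing in for the split pcaps; in practice they would be read from $APPDIR/<host>.pcap.

```python
# Added example: search per-host captures for a secret in several encodings.
# The captures and the secret below are constructed for this demonstration.
import base64, binascii, hashlib, urllib.parse

def variants(secret):
    """Map an encoding label to the byte sequence that encoding produces."""
    raw = secret.encode()
    return {
        "plain": raw,
        "urlencoded": urllib.parse.quote(secret, safe="").encode(),
        "base64": base64.b64encode(raw),
        "hex": binascii.hexlify(raw),
        "md5": hashlib.md5(raw).hexdigest().encode(),
        "sha1": hashlib.sha1(raw).hexdigest().encode(),
    }

def find_leaks(secret, captures):
    """captures: {host: bytes}. Returns {host: [encoding, ...]} for every host
    whose traffic contains the secret in at least one encoding."""
    hits = {}
    for host, data in captures.items():
        found = [label for label, needle in variants(secret).items()
                 if needle in data]
        if found:
            hits[host] = found
    return hits

SECRET = "p@ss word"   # constructed test credential

# Constructed stand-ins for the per-host pcaps produced by the tcpdump loop.
# Note the base64 case: the secret is only found because "alice:" is 6 bytes,
# so the secret sits on a 3-byte boundary; an unaligned prefix would hide it,
# which is why the transforms should be applied to several likely framings.
CAPTURES = {
    "203.0.113.10": b"POST /login HTTP/1.1\r\n\r\nuser=alice&pw=p%40ss%20word",
    "203.0.113.20": b"Authorization: Basic " + base64.b64encode(b"alice:p@ss word"),
    "203.0.113.30": b"GET /ads?v=1 HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "203.0.113.40": b"x-token: " + hashlib.md5(b"p@ss word").hexdigest().encode(),
}

if __name__ == "__main__":
    for host, encodings in find_leaks(SECRET, CAPTURES).items():
        print(host, encodings)
```

The same function works over files read from the filesystem, which is the hint on the slide: pass {path: open(path, "rb").read()} as the captures.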
Make it hard for the Attacker
There are a number of easy and free binary defenses that developers are not implementing:
iOS:
- ASLR / PIE (memory randomization)
- Stack Smashing Protection enabled (canary-based)
- Automatic Reference Counting (memory)
- Jailbreak detection
- LLVM obfuscator
- iMAS
- Stripping usernames and paths
- OWASP Reverse Engineering and Code Modification Prevention Project
- Anti-debugger code
Android:
- ProGuard (free)
- DexGuard (paid)
- Integrity hashing checks
- Facebook’s SQLite encryption (Conceal Project)
- Root detection
Make it hard for the attacker
** Also, SSL pinning **
http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/
Make it hard for the attacker
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Takeaways
• Mobile is computing
• Don’t store data if you don’t have to
• Use the APIs that are available
• Know what you’re adding to your app
• Take a look at your network traffic
• Search for your sensitive data
• Harden your binaries
• Don’t forget the server side
• Help us with data for the 2015 Mobile Top 10
• The more data the better, don’t be shy
iOS 8 Security
• Apple is opening up (a little)
• Third-party extensibility presents new surface area
• Cross-app communication
• Keyboards
• Sharing interfaces
• Notification widgets
• TouchID
• CloudKit integration
• Always-on VPN
Swift
• People are scrambling to figure out Swift
• Runs alongside Obj-C in the same runtime
• We built a Swift app and tested it
• We found many of the same things
• APIs very similar
• Don’t expect a sea change any time soon
Android ART
• No more Dalvik VM
• Still being investigated
We need help!
A Call for Action: We need help!
OWASP Mobile Top Ten 2015
OWASP iOS Security Cheat Sheet
OWASP iOS Developer Cheat Sheet
Android, Windows, Blackberry?
• iOS Security Guide: http://images.apple.com/iphone/business/docs/iOS_Security_Oct13.pdf
• Android Security Guide: http://source.android.com/tech/security/
• OWASP Mobile Top 10: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• MobileTools: https://github.com/danielmiessler.com/mobiletools/
• OWASP iOS Security Testing Cheat Sheet
• OWASP iOS Developer Cheat Sheet
• OWASP iMAS Security Project
• OWASP Proactive Controls
• OWASP Reverse Engineering and Code Modification Prevention Project
• SQLCipher
• Dawn Isabel: What Your Binary Says About You
• Jason Haddix: NSURL Caching
• Daniel Miessler: Mobile Certificate Pinning
• Fortify Vulncat
• Secure coding practices for iOS development
• OWASP XSecurity Project
Additional References/Resources
HP Fortify on Demand
• Cloud-based Application Security Testing
• Dynamic and Static Testing of Web, Mobile, and Thick-client applications
• Manual-first approach
• Experienced pentesters behind the scenes
• Significant focus on testing methodology
• Let us show you
http://hp.com/go/fortifyondemand
James Fitts, Dawn Isabel, Brad Wolfe, Greg Patton, Brent Morris, Kevin Lynn
Thanks
Reach out! Questions?