Mobile Apps Security Risk Assessment
Kartik Trivedi / Lenin Aboagye
For the demo, please download and install the following apps on your mobile device and create an account.
Who are we?
• Kartik Trivedi – Co-founder of Symosis – Author / Speaker / Interviews: Forbes, Security Focus, Tech World, Security News, etc. – Golfer (Advanced Amateur?)
• Lenin Aboagye – Security Architect, Apollo Group – Cloud / Mobile security expert – Media & Television, Education, Health, Real Estate and Energy industries experience
Agenda
• Introduction
• Growth / Revenue
• Security Concerns
• Mobile Apps Top 3 Risks
• Countermeasures & Risk Management
There is an App for that!
There is an App for that!
• Pay bills
• File income taxes
• Pay property tax
• Scan & Shop
• Deposit checks
• Transfer money
• Store medical records
• Refill prescription
• Manage health information
• Remember your meds
• Book flight / hotel
• Medscape / Pharmacopia
• Small Business Payroll
• Pay invoice
• Location based check in
• Personal finance
• Investments & 401k
• Health & Fitness
• Productivity
• Facebook / Twitter
• Place bets on sports
• Utilities
• Store passwords
• Document storage
53% of Fortune 500 companies have mobile apps
Business Case for Mobile Presence
• Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers
• Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers.
• Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more.
• Commerce - Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, information services, mobile banking, mobile brokerage, mobile purchase
Security Concerns
• Side Channel Data Leakage
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Insecure Data Storage
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Broken Cryptography
• Sensitive Information Disclosure
• Hardcoded passwords / keys
• Privacy compliance
• Identity exposure
• Activity monitoring and data retrieval
• Unauthorized dialing, SMS, and payments
• Unauthorized network connectivity (data exfiltration or command & control)
• UI (unique identifier) impersonation
• System modification (rootkit, APN proxy configuration)
• Mobile Malware
• Criminals target and infect app stores
• Social engineering
• Geolocation compromise
• Security regulatory compliance
• Device risk
• BYOD / MDM
• Application management
• Installation of unverified / unsigned 3rd party apps
Agenda
• Introduction
• Growth / Revenue
• Security Concerns
• Mobile Apps Top 3 Risks
  – Side Channel Leakage
  – Insecure Transport / Server Controls
  – Insecure Data Storage
• Countermeasures & Risk Management
Side Channel Data Leakage
Data leakage via platform defaults, use of third party libraries, logging, etc.
• Snapshot (i.e. iOS backgrounding)
• Plist files
Sometimes the result of programmatic flaws
Demo
Agenda
• Mobile Platform Risks
• Mobile Apps Top 3 Risks
  – Side Channel Leakage
  – Insecure Transport / Server Controls
  – Insecure Data Storage
• Countermeasures & Risk Management
Insecure Transport/Server Controls
Failing to encrypt network traffic that carries sensitive data
Insecure server controls - web, application and backend API - can lead to security compromise
Demo
Android Authtoken over HTTP
Address Book / UDID over HTTP
TOC
• Mobile Platform Risks
• Mobile Apps Top 3 Risks
  – Side Channel Leakage
  – Insecure Transport / Server Controls
  – Insecure Data Storage
• Countermeasures & Risk Management
Insecure Data Storage
Locally stored data, both on native and browser based apps, that includes
• SQLite / Cache files
• Keychain – Is this really secure?
Demo
Oauth in Cache
Risk & Impact: High
Sensitive data exposure
• Username & password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information
Loss of Data Confidentiality & Integrity
Data Tampering
Man-in-the-Middle (MITM attack)
Impersonation
Unauthorized access to application data or functionality
Privacy Violations / reputation damage
You don’t want to be in the WSJ!
Agenda
• Introduction
• Mobile Apps Top 3 Risks
  – Insecure Data Storage
  – Insecure Transport / Server Controls
  – Side Channel Leakage
• Countermeasures & Risk Management
  – Tactical
  – Strategic
Secure Programming / Education
Disable Cache - Set the autocorrectionType property to UITextAutocorrectionTypeNo for UITextField
Disable Snapshot – Use the applicationWillResignActive delegate method
Disable Logs – Disable NSLog and NSAssert
Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace
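The four tactical countermeasures above, and the side-channel leaks they address (keyboard cache, backgrounding snapshot, device log, unchecked TLS), as one added Objective-C example. This is not code from the slides or from Symosis; it assumes an app delegate that owns the window and a bundled server certificate named server.der (hypothetical) for pinning.

```objective-c
#import <UIKit/UIKit.h>
#import <Security/Security.h>
// Release builds: compile NSLog away so secrets never reach the device log.
#ifndef DEBUG
#define NSLog(...)
#endif

@interface AppDelegate : UIResponder <UIApplicationDelegate, NSURLConnectionDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *coverView;
@end

@implementation AppDelegate
// Keyboard cache: no autocorrection dictionary entries for sensitive fields.
- (void)hardenField:(UITextField *)field {
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.secureTextEntry = YES;
}
// Snapshot: cover the window before iOS captures the backgrounding screenshot.
- (void)applicationWillResignActive:(UIApplication *)application {
    self.coverView = [[UIView alloc] initWithFrame:self.window.bounds];
    self.coverView.backgroundColor = [UIColor blackColor];
    [self.window addSubview:self.coverView];
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.coverView removeFromSuperview];
    self.coverView = nil;
}

// Transport: handle only server-trust challenges, then pin the leaf certificate.
- (BOOL)connection:(NSURLConnection *)c canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)c didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = SecTrustEvaluate(trust, &result) == errSecSuccess &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    NSData *remote = (__bridge_transfer NSData *)SecCertificateCopyData(SecTrustGetCertificateAtIndex(trust, 0));
    NSData *pinned = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"]]; // assumed bundled cert
    if (chainOK && pinned && [remote isEqualToData:pinned]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge]; // reject MITM or self-signed certs
    }
}
@end
```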
Encrypt Data
Data Protection API - set the NSFileProtectionKey attribute on an existing file
Keychain – Apple recommends storing sensitive data like passwords and keys in the Keychain
CCCrypt - provides access to AES, DES, 3DES
SQLCipher (iOS & Android) - transparent 256-bit AES encryption of database files
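The first two items above (file protection attribute and Keychain storage) as an added Objective-C example; it is not code from the slides or from Symosis. Service and account names are whatever the caller passes; no real endpoint is assumed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Data Protection API: mark an existing file NSFileProtectionComplete so its
// contents are encrypted with a passcode-derived key and unreadable while locked.
BOOL protectFileAtPath(NSString *path, NSError **error) {
    NSDictionary *attrs = @{NSFileProtectionKey: NSFileProtectionComplete};
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// Keychain: store a credential here instead of NSUserDefaults, a plist or a cache file.
// ThisDeviceOnly keeps the item out of backups that could be restored elsewhere.
OSStatus storeToken(NSString *service, NSString *account, NSString *token) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    SecItemDelete((__bridge CFDictionaryRef)query); // replace any previous value
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Read the credential back; returns nil if absent or if the device is locked.
NSString *loadToken(NSString *service, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData: @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```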
Secure Design / Architecture
• Do not trust the client. Store sensitive data on the server
• Perform server side data validation and canonicalization
• Only collect and disclose data which is required for business use of the application
• Define and deploy secure configuration
• Establish a common set of security requirements
• Perform periodic security scans and audits
• Protect sensitive data using HTTPS & SSL
• Do not log credentials, PII and other sensitive data
• Review all third party libraries before use
Agenda
• Mobile Platform Risks
• Mobile Apps Top 3 Risks
• Security Controls & Risk Management
  – Tactical
  – Strategic
Mobile Strategy & Challenges
• There are 3 major components of a mobile strategy that most organizations have to apply
  – Mobile Information Management (MIM)
  – Mobile Application Management (MAM)
  – Mobile Device Management (MDM)
MIM
• MIM refers to cloud-based services that sync files and documents across different devices
• MIM allows for sharing data of varying security classification across devices with varying degrees of trust
• MIM intersects Cloud and Mobile Security
• Public MIM services are Dropbox, Box, Microsoft SkyDrive, Google Drive
• Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, VMware Octopus
• NFC technologies could be classified as MIM
Security Challenges - MIM
• BYOD in corporate environments
• Potential syncing of corporate data across both corporate and non-corporate issued endpoints
• Sensitive bi-directional data leakage from the user’s private and personal data into corporate data and vice-versa
• Access and Identity Management
• Data classification, identification and protection
• Difficult to apply and enforce any corporate security configurations across mobile devices
• No existing virtual segregation capabilities for corporate/user components to allow different security policies to be applied based on risk
MDM
• MDM involves downloading software that allows users/organizations to lock down the device
• MDM allows controls like monitoring, encryption, policy enforcement, remote wiping etc.
• Addresses security at the device level as opposed to the application level
• Especially challenging in the BYOD era
• One policy regardless of varying classification levels of applications on the device
  – Policies like remote wiping could adversely affect the user’s personal / private data
Security Issues - MDM
• Addresses security of the device only
• Has little insight into the security health of applications
• Treats all applications and all data at the same classification level
• Difficulties in adoption in corporate environments that allow BYOD
• Does not affect or improve the security of applications
MAM
• MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints
• MAM can allow an organization to deliver applications like secure email, calendar, expense reporting
• Allows security policies to be applied exclusively to specific applications based on their security classification
  – Encryption, remote wipe, remote application kill etc.
Security Issues - MAM
• MAM seems to have the answer for MIM’s security challenges
• MAM should solve the BYOD challenges since it allows security policies to be applied to corporate applications and their data while giving no visibility into personal user information
• MAM solutions have several challenges:
  – Rewrite secure versions of vendor applications (functionality challenges)
  – Allow vendors to plug into their security platform
  – Currently works only on a few apps
  – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools)
Mobile Security Convergence
[Diagram: MDM, MIM and MAM overlapping, with Mobile Application Security at the intersection]
All mobile security strategies converge on these approaches
Thanks for listening…
[email protected] / [email protected]
Email [email protected] for a free seat to the Mobile Apps Top 10 Security Risk Training Course