mobile application security

Mobile Apps Security Risk Assessment Kartik Trivedi / Lenin Aboagye

Upload: lenin-aboagye

Post on 27-Jun-2015

TRANSCRIPT

Page 1: Mobile Application Security

Mobile Apps Security Risk Assessment

Kartik Trivedi / Lenin Aboagye

Page 2: Mobile Application Security

For the demo, please download and install the following apps on your mobile device and create an account.

Page 3: Mobile Application Security

Who are we?

• Kartik Trivedi
– Co-founder of Symosis
– Author / Speaker / Interviews: Forbes, Security Focus, Tech world, Security News, etc.
– Golfer (Advanced Amateur?)

• Lenin Aboagye
– Security Architect, Apollo group
– Cloud / Mobile security expert
– Media & Television, Education, Health, Real Estate and Energy industries experience

Page 4: Mobile Application Security

Agenda

• Introduction
• Growth / Revenue
• Security Concerns
• Mobile Apps Top 3 Risks
• Countermeasures & Risk Management

Page 5: Mobile Application Security

There is an App for that!

Page 6: Mobile Application Security

There is an App for that!

• Pay bills
• File income taxes
• Pay property tax
• Scan & Shop
• Deposit checks
• Transfer money
• Store medical records
• Refill prescription
• Manage health information
• Remember your meds
• Book flight / hotel
• Medscape / pharmacopia
• Small Business Payroll
• Pay invoice
• Location based check in
• Personal finance
• Investments & 401k
• Health & Fitness
• Productivity
• Facebook / twitter
• Place bets on sports
• Utilities
• Store passwords
• Document storage

Page 7: Mobile Application Security

Page 8: Mobile Application Security

53% of Fortune 500 companies have mobile apps

Page 9: Mobile Application Security

Business Case for Mobile Presence

• Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers

• Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers.

• Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more.

• Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, Information services, mobile banking, mobile brokerage, mobile purchase

Page 10: Mobile Application Security

Security Concerns

• Side Channel Data Leakage
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Insecure Data Storage
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Broken Cryptography
• Sensitive Information Disclosure
• Hardcoded password/keys
• Privacy compliance
• Identity exposure
• Activity monitoring and data retrieval
• Unauthorized dialing, SMS, and payments
• Unauthorized network connectivity (data exfiltration or command & control)
• UI (unique identifier) impersonation
• System modification (rootkit, APN proxy configuration)
• Mobile Malware
• Criminals Target and Infect App Stores
• Social-Engineering
• Geolocation compromise
• Security Regulatory Compliance
• Device Risk
• BYOD / MDM
• Application management
• Installation of un-verified / unsigned 3rd party apps

Page 11: Mobile Application Security

Agenda

• Introduction
• Growth / Revenue
• Security Concerns
• Mobile Apps Top 3 Risks
– Side Channel Leakage
– Insecure Transport / Server Controls
– Insecure Data Storage
• Countermeasures & Risk Management

Page 12: Mobile Application Security

Side Channel Data Leakage

Data leakage via platform defaults, use of third party libraries, logging, etc.
• Snapshot (i.e. iOS backgrounding)
• Plist files

Sometimes the result of programmatic flaws

Page 13: Mobile Application Security

Demo

Page 14: Mobile Application Security

Page 15: Mobile Application Security

Page 16: Mobile Application Security

Agenda

• Mobile Platform Risks
• Mobile Apps Top 3 Risks
– Side Channel Leakage
– Insecure Transport / Server Controls
– Insecure Data Storage
• Countermeasures & Risk Management

Page 17: Mobile Application Security

Insecure Transport/Server Controls

Failing to encrypt network traffic that carries sensitive data

Insecure server controls (web, application and backend API) can lead to security compromise

Page 18: Mobile Application Security

Demo

Page 19: Mobile Application Security

Android Authtoken over HTTP

Page 20: Mobile Application Security

Address Book / UDID over HTTP

Page 21: Mobile Application Security

TOC

• Mobile Platform Risks
• Mobile Apps Top 3 Risks
– Side Channel Leakage
– Insecure Transport / Server Controls
– Insecure Data Storage
• Countermeasures & Risk Management

Page 22: Mobile Application Security

Insecure Data Storage

Locally stored data, on both native and browser based apps, that includes:
• SQLite / Cache files
• Keychain – Is this really secure?

Page 23: Mobile Application Security

Demo

Page 24: Mobile Application Security

OAuth in Cache

Page 25: Mobile Application Security

Risk & Impact: High

Sensitive Data exposure
• Username & password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information

Loss of Data Confidentiality & Integrity
Data Tampering
Man-in-the-Middle (MITM) attack
Impersonation
Unauthorized access to application data or functionality
Privacy Violations / reputation damage

You don't want to be in the WSJ!

Page 26: Mobile Application Security

Agenda

• Introduction
• Mobile Apps Top 3 Risks
– Insecure Data Storage
– Insecure Transport / Server Controls
– Side Channel Leakage
• Countermeasures & Risk Management
– Tactical
– Strategic

Page 27: Mobile Application Security

Secure Programming / Education

Disable Cache – set the autocorrectionType property to UITextAutocorrectionTypeNo for UITextField

Disable Snapshot – use the applicationWillResignActive delegate method

Disable Logs – disable NSLog and NSAssert

Disable Insecure HTTP – use NSURLConnection along with canAuthenticateAgainstProtectionSpace
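As an added example (not code from the deck), the snapshot, autocorrection-cache and logging countermeasures above applied in one iOS app; the window cover is also the fix for the iOS backgrounding snapshot named on the Side Channel Data Leakage slide. SecureAppDelegate, SecureLog and configureSensitiveTextField are hypothetical names.

```objective-c
// Added example, not from the original deck. Class and function names are hypothetical.
#import <UIKit/UIKit.h>

// Disable Logs: compile NSLog away outside DEBUG builds so tokens and PII never
// reach the device log, which other tools can read off the device.
#ifdef DEBUG
#define SecureLog(...) NSLog(__VA_ARGS__)
#else
#define SecureLog(...) do {} while (0)
#endif

@interface SecureAppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *privacyCover;  // opaque view shown while inactive
@end

@implementation SecureAppDelegate

// Disable Snapshot: iOS captures the screen after the app resigns active and
// stores that image for the task switcher. Covering the window first means the
// stored snapshot contains no account data. This also fires for incoming calls.
- (void)applicationWillResignActive:(UIApplication *)application {
    if (!self.privacyCover) {
        self.privacyCover = [[UIView alloc] initWithFrame:self.window.bounds];
        self.privacyCover.backgroundColor = [UIColor whiteColor];
    }
    [self.window addSubview:self.privacyCover];
    SecureLog(@"resigning active, window covered");  // no-op in release builds
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.privacyCover removeFromSuperview];
}

@end

// Disable Cache: the keyboard autocorrection dictionary is written to disk outside
// the app's sandbox, so turn it off on every field that takes sensitive input.
static void configureSensitiveTextField(UITextField *field, BOOL isSecret) {
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.spellCheckingType = UITextSpellCheckingTypeNo;
    field.secureTextEntry = isSecret;  // passwords are additionally masked on screen
}
```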
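Added example, not from the deck: the NSURLConnection delegate pattern named in the last line, extended to refuse plain HTTP (the token and UDID-over-HTTP demos on pages 19 and 20 are what this check prevents) and to accept only a pinned server certificate. PinnedConnectionDelegate and the bundled file name api-server.der are assumptions.

```objective-c
// Added example, not from the original deck. Class and resource names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

// Disable Insecure HTTP: never start a connection for a non-https:// URL.
+ (NSURLConnection *)connectionWithURL:(NSURL *)url {
    if (![url.scheme.lowercaseString isEqualToString:@"https"]) {
        return nil;  // caller treats nil as "refused: insecure transport"
    }
    NSURLRequest *request = [NSURLRequest requestWithURL:url];
    return [[NSURLConnection alloc] initWithRequest:request
                                           delegate:[PinnedConnectionDelegate new]];
}

// Tell the connection we will decide server-trust challenges ourselves.
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

// Accept the server only if system trust evaluation passes AND the presented leaf
// certificate is byte-for-byte the one shipped in the app bundle (pinning).
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL systemTrusted = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    NSString *pinPath = [[NSBundle mainBundle] pathForResource:@"api-server" ofType:@"der"];
    NSData *pinned = [NSData dataWithContentsOfFile:pinPath];
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *presented = leaf ? CFBridgingRelease(SecCertificateCopyData(leaf)) : nil;

    if (systemTrusted && pinned && [presented isEqualToData:pinned]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];  // fail closed
    }
}

@end
```

NSURLConnection is the API the deck names; from iOS 9 App Transport Security refuses plain HTTP by default, and the same trust check fits NSURLSession's URLSession:didReceiveChallenge:completionHandler: delegate method.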

Page 28: Mobile Application Security

Encrypt Data

Data Protection API – set the NSFileProtectionKey on an existing file

Keychain – Apple recommends storing sensitive data like passwords and keys in the Keychain

CCCrypt – provides access to AES, DES, 3DES

SQLCipher (iOS & Android) – transparent 256-bit AES encryption of database files
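Added example (not the deck's code): the Keychain, Data Protection and CCCrypt controls listed above used on a session token, the kind of item the Insecure Data Storage demos show left in cache files. The service string, the ThisDeviceOnly choice as the answer to "is the Keychain really secure?" and the function names are assumptions of this example.

```objective-c
// Added example, not from the original deck. Service string and function names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCryptor.h>

// Keychain: readable only while the device is unlocked and never carried to
// another device by a backup (ThisDeviceOnly), so a stolen backup yields nothing.
static BOOL storeSecretInKeychain(NSString *account, NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"com.example.mobileapp",  // hypothetical
        (__bridge id)kSecAttrAccount: account,
    };
    SecItemDelete((__bridge CFDictionaryRef)query);  // replace any stale copy
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = secret;
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL) == errSecSuccess;
}

// Data Protection API: NSFileProtectionComplete on an existing file makes iOS
// encrypt it with a passcode-derived key; it is unreadable while the device is locked.
static BOOL protectExistingFile(NSString *path) {
    NSError *error = nil;
    return [[NSFileManager defaultManager]
            setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete}
             ofItemAtPath:path error:&error];
}

// CCCrypt: AES-256-CBC with a fresh random IV prepended to the ciphertext. The
// key is a 32-byte value kept in the Keychain above, never a literal in the binary.
static NSData *aesEncrypt(NSData *key, NSData *plaintext) {
    if (key.length != kCCKeySizeAES256) return nil;
    NSMutableData *out = [NSMutableData dataWithLength:
                          kCCBlockSizeAES128 * 2 + plaintext.length];  // IV + padded data
    uint8_t *iv = out.mutableBytes;  // first 16 bytes hold the IV
    if (SecRandomCopyBytes(kSecRandomDefault, kCCBlockSizeAES128, iv) != errSecSuccess)
        return nil;
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 key.bytes, kCCKeySizeAES256, iv,
                                 plaintext.bytes, plaintext.length,
                                 iv + kCCBlockSizeAES128,
                                 out.length - kCCBlockSizeAES128, &moved);
    if (st != kCCSuccess) return nil;
    out.length = kCCBlockSizeAES128 + moved;
    return out;
}
```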

Page 29: Mobile Application Security

Secure Design / Architecture

• Do not trust the client. Store sensitive data on the server
• Perform server side data validation and canonicalization
• Only collect and disclose data which is required for business use of the application
• Define and deploy secure configuration
• Establish a common set of security requirements
• Perform periodic security scans and audits
• Protect sensitive data using HTTPS & SSL
• Do not log credentials, PII and other sensitive data
• Review all third party libraries before use

Page 30: Mobile Application Security

Agenda

• Mobile Platform Risks
• Mobile Apps Top 3 Risks
• Security Controls & Risk Management
– Tactical
– Strategic

Page 31: Mobile Application Security

Mobile Strategy & Challenges

• There are 3 major components of a mobile strategy that most organizations have to apply:
– Mobile Information Management (MIM)
– Mobile Application Management (MAM)
– Mobile Device Management (MDM)

Page 32: Mobile Application Security

MIM

• MIM refers to cloud-based services that sync files and documents across different devices
• MIM allows for sharing data of varying security classification across devices with varying degrees of trust
• MIM intersects Cloud and Mobile Security
• Public MIM services are Dropbox, Box, Microsoft SkyDrive, GoogleDrive
• Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, VMware Octopus
• NFC technologies could be classified as MIM

Page 33: Mobile Application Security

Security Challenges - MIM

• BYOD in corporate environments
• Potential syncing of corporate data across both corporate and non-corporate issued endpoints
• Sensitive bi-directional data leakage from the user's private and personal data into corporate data, and vice versa
• Access and Identity Management
• Data classification, identification and protection
• Difficult to apply and enforce any corporate security configurations across mobile devices
• No existing virtual segregation capabilities for corporate/user components to allow different security policies to be applied based on risk

Page 34: Mobile Application Security

MDM

• MDM involves downloading software that allows users/organizations to lock down devices
• MDM allows controls like monitoring, encryption, policy enforcement, remote wiping, etc.
• Addresses security at the device level as opposed to the application level
• Especially challenging in the BYOD era
• One policy regardless of the varying classification levels of applications on the device
– Policies like remote wiping could adversely affect the user's personal / private data

Page 35: Mobile Application Security

Security Issues - MDM

• Addresses security of the device only
• Has little insight into the security health of applications
• Treats all applications and all data at the same classification level
• Difficulties in adoption in corporate environments that allow BYOD
• Does not affect or improve the security of applications

Page 36: Mobile Application Security

MAM

• MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints
• MAM can allow an organization to deliver applications like secure email, calendar, expense reporting
• Allows security policies to be applied exclusively on specific applications based on their security classification
– Encryption, remote wipe, remote application kill, etc.

Page 37: Mobile Application Security

Security Issues - MAM

• MAM seems to have the answer for MIM's security challenges
• MAM should solve the BYOD challenges since it allows security policies to be applied to corporate applications and their data, and allows for non-visibility into personal user information
• MAM solutions have several challenges:
– Rewrite secure versions of vendor applications (functionality challenges)
– Allow vendors to plug into their security platform
– Currently works only on a few apps
– Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools)

Page 38: Mobile Application Security

Mobile Security Convergence

[Diagram: MDM, MIM and MAM overlapping around Mobile Application Security]

All mobile security strategies converge on these approaches

Page 39: Mobile Application Security

Thanks for listening…

[email protected] / [email protected]

Email [email protected] for a free seat to the Mobile Apps Top 10 Security Risk Training Course