Securing your Mobile Applications a Holistic Approach Mr. Joseph Au-Yeung VP, Cloud & Cyber-security PCCW Solutions Limited Mr. Saket Modi CEO, Lucideus

Post on 11-Jul-2020


Page 1

Securing your Mobile Applications – a Holistic Approach

Mr. Joseph Au-Yeung, VP, Cloud & Cyber-security, PCCW Solutions Limited

Mr. Saket Modi, CEO, Lucideus

Page 2

The mobile platforms – are they safe?

What if they are jailbroken or rooted?

Page 3

Mobile app safety – a reality check

– Analysis (“Arxan 2014 State of Mobile App Security”) of the top 100 paid and top 20 most popular free apps reveals that a majority have been hacked:
• 97% of top paid Android apps have been hacked
• 87% of top paid iOS apps have been hacked
• 80% of the most popular free Android apps have been hacked
• 75% of the most popular free iOS apps have been hacked

Page 4

Mobile app safety – it’s easier than you think

from Arxan 2014 State of Mobile App Security

Page 5

What do attackers want?

– Credentials
• To your device
• To external services (email, e-payment, etc.)
– Personal data
• Contacts
– Cardholder data
• Card numbers, expiration, CVV
– Access to your device
• Sniff your connections
• Use your device (malware, spamming)

Page 6

What to protect?

Data on device
• Key strokes
• Application file system / database
• Caches
• Configuration files

Mobile platform
• Function hooking
• Malware, spybot
• Platform architecture weakness

Application binary
• Reverse engineering to look for vulnerabilities
• Find embedded credentials
• Identify weak encryption / decryption algorithms

Page 7

Android – Reverse engineering

• Android apps are written in Java
- Like Java apps, they can be easily reversed with the right tools:
• Dex2Jar – converts dex (Dalvik bytecode) to a jar (Java bytecode): http://code.google.com/p/dex2jar/
• AXMLPrinter2 – a tool for converting the Android binary XML format to regular XML: http://code.google.com/p/android4me/downloads/list
• JD – a GUI tool for decompiling Java bytecode back to Java source (see above): http://java.decompiler.free.fr/
• Smali and baksmali – assembler / disassembler for the dex format: http://code.google.com/p/smali/
- With Android, bytecode can even be altered and apps repackaged

Page 8

iOS – Reverse engineering

- Apps are native ARM, unless built for the Simulator (x86); .ipa files are ARM and can only run on the device
- In general more difficult than Android; needs more complex tools and/or the ability to understand ARM v7 assembly, but it can still be done to some extent
- Sample tools:
• Hex-Rays IDA disassembler / debugger
• Demo: otool
• class-dump-z

Page 9

Most common threats

Excessive Permissions and Privileges

One of the most serious and common vulnerabilities. Excessive access privileges and permissions, such as access to the contact list, receiving and sending messages, update rights, location, and access to other device capabilities such as the microphone and camera.

App developers should restrict the privileges and permissions granted to applications.
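As an added illustration of the restriction advised above (not part of the original slides), the following Python script parses an AndroidManifest.xml and flags declared permissions that fall into the categories the slide names. The permission-to-category mapping and the sample manifest are constructed for this example; a reviewer passes the permissions the app genuinely needs as `justified`.

```python
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List

# Attributes in a manifest carry the android: namespace, element names do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed mapping from the slide's categories to the manifest permissions
# that grant them (the slide names categories, not permission strings).
SENSITIVE: Dict[str, str] = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.WRITE_CONTACTS": "contact list",
    "android.permission.RECEIVE_SMS": "receiving messages",
    "android.permission.READ_SMS": "receiving messages",
    "android.permission.SEND_SMS": "sending messages",
    "android.permission.REQUEST_INSTALL_PACKAGES": "update rights",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """Return every permission the manifest asks for, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml: str,
                       justified: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Group the sensitive permissions that nobody has justified by slide category."""
    flagged: Dict[str, List[str]] = {}
    for perm in declared_permissions(manifest_xml):
        if perm in SENSITIVE and perm not in justified:
            flagged.setdefault(SENSITIVE[perm], []).append(perm)
    return flagged


# Constructed sample: a "flashlight" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    # Only the camera (the torch LED) is justified for this app.
    for category, perms in review_permissions(SAMPLE_MANIFEST, frozenset({"android.permission.CAMERA"})).items():
        print(f"unjustified access to {category}: {', '.join(perms)}")
```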

Ineffective Session Termination

When the user logs out, the session is terminated only locally on the client side, without terminating the session at the server end. This coding flaw leaves the server susceptible to unauthorized access.

After logout, always invalidate the session on both the server and client side. If a session has not been active for more than 15-20 minutes, terminate it. Long sessions must be re-authenticated.
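An added example (not from the slides) of a server-side session store that applies the advice above: logout forgets the token on the server, sessions idle for more than 15 minutes are terminated, and sessions older than an assumed 8-hour lifetime must re-authenticate. The clock is injectable so the timeouts can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60         # slide: terminate after 15-20 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600   # assumed value: "long sessions must be re-authenticated"


@dataclass
class Session:
    user: str
    created: float    # when the user authenticated
    last_seen: float  # last request that used this session


class SessionStore:
    """Server-side session table; the client only ever holds the opaque token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # Unpredictable token, fresh for every authentication.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if it expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_too_long = now - session.last_seen > IDLE_TIMEOUT
        too_old = now - session.created > ABSOLUTE_LIFETIME
        if idle_too_long or too_old:
            del self._sessions[token]   # the user must log in (re-authenticate) again
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> bool:
        """The flaw on the slide is a logout that only clears the client's copy;
        here the server forgets the token, so a retained copy is useless."""
        return self._sessions.pop(token, None) is not None
```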

Buffer Overflow

The attacker sends carefully crafted input to the application and causes it to execute arbitrary code, which can take over the device. The attack relies on writing data to a particular memory address, or on having the OS mishandle data types.

Detect buffer overflows on stack-allocated variables as soon as they occur, and prevent them from becoming serious security vulnerabilities.

Bad Data Storage Practice

Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence store sensitive information in data stores on the device. SQLite databases, plist files, log files, binary data stores, XML data stores, the SD card, cookies and cloud-synced storage are the places where data is most commonly stored insecurely.

Do not store data unless absolutely necessary. Scrutinize the data security APIs of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.

Page 10

Getting Smarter – help yourself

- OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Home

Page 11

Getting Smarter – Let experts help you

Mobile Application Vulnerability Assessment (MAVA)

Page 12

Getting Smarter – Let experts help you

MAVA (cont’d)