
Mobile Application (In)security
Explaining common mobile application security weaknesses and
how to mitigate them.
Adrian Hayter & Andy Swift
CNS Hut 3 Team
adrian.hayter@hut3.net / andy.swift@hut3.net

Attack Vectors
When penetration testing a mobile application, CNS Hut3 focuses
on four distinct areas:
• The Mobile Application
• The Mobile Device – iPhone, Android, Windows Mobile, etc.
• The Network – everything between the device and the server!
• The Server – most mobile applications interface with one.

Adrian Hayter & Andy Swift

Page: 2/25

Apps World
CNS Hut3 went to Apps World...

...and met some random American guy (Steve Wozniak).

How much do developers know about security?

Which of these counts as confidential data?
(a) Usernames & Passwords.
(b) Documents obtained after successful authentication.
(c) Session tokens.
(d) All of the above.


How much do developers know about security?

Which of these counts as confidential data?
(a) Usernames & Passwords. (8%)
(b) Documents obtained after successful authentication. (4%)
(c) Session tokens. (0%)
(d) All of the above. (88%)


How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for
everything else.
(b) Force everything to be sent over HTTPS.
(c) Provide both HTTP and HTTPS and let the user choose.
(d) Allow HTTP but redirect immediately to HTTPS.


How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for
everything else. (8%)
(b) Force everything to be sent over HTTPS. (76%)
(c) Provide both HTTP and HTTPS and let the user choose. (4%)
(d) Allow HTTP but redirect immediately to HTTPS. (12%)


How much do developers know about security?

How should passwords be stored?
(a) In plaintext.
(b) Encoded using Base64.
(c) Salted and then hashed.
(d) Hashed and then salted.


How much do developers know about security?

How should passwords be stored?
(a) In plaintext. (0%)
(b) Encoded using Base64. (20%)
(c) Salted and then hashed. (56%)
(d) Hashed and then salted. (24%)
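Of the four options on the slide, salting and then hashing with a deliberately slow key-derivation function is what a defender actually implements. The following Go program is an added example and not part of the deck: the salt is generated fresh per password, fed into PBKDF2-HMAC-SHA256 together with the password, stored next to the result, and re-derived at login with a constant-time comparison. PBKDF2 is written out here so the example needs only the standard library; the iteration count and encoding format are assumptions of this example, not values from the slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const (
	saltLen    = 16     // random salt per password, stored alongside the hash
	iterations = 100000 // work factor (assumed value); raise as hardware gets faster
	derivedLen = 32     // bytes of KDF output to keep
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out
// here so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	idx := make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		// U1 = PRF(password, salt || INT(b))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(b))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(password, U(j-1));  T = U1 xor U2 xor ... xor Uc
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hashPassword salts first, then hashes: a fresh salt goes into the KDF with
// the password and is stored next to the result as
// "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>" (format assumed here).
func hashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, derivedLen)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// verifyPassword re-derives from the stored salt and parameters and compares
// in constant time, so the comparison leaks nothing about the stored hash.
func verifyPassword(password, stored string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised stored-hash format")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Constructed sample password; nothing here comes from a real user store.
	stored, err := hashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	ok, _ := verifyPassword("correct horse battery staple", stored)
	bad, _ := verifyPassword("Tr0ub4dor&3", stored)
	fmt.Println("right password accepted:", ok, "- wrong password accepted:", bad)
}
```

Hashing twice the same password yields two different stored strings because the salt differs, which is the property that defeats precomputed tables; Base64 (option b) and plaintext (option a) offer no such protection, and a hash applied before the salt (option d) leaves the underlying hash unsalted.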


How much do developers know about security?

Which of these is the best choice for encrypting sensitive files?
(a) SHA-3
(b) Develop our own (secret) in-house encryption mechanism.
(c) AES-256
(d) 3DES


How much do developers know about security?
Which of these is the best choice for encrypting sensitive files?
(a) SHA-3 (16%)
(b) Develop our own (secret) in-house encryption mechanism. (4%)
(c) AES-256 (76%)
(d) 3DES (4%)


How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security.
(b) We should put equal focus on both server-side and app-side
security.
(c) We don’t need to focus on server-side security because the app
is secure.
(d) We should put more focus on app-side security but be aware of
server-side security issues.


How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security. (20%)
(b) We should put equal focus on both server-side and
app-side security. (68%)
(c) We don’t need to focus on server-side security because the app
is secure. (0%)
(d) We should put more focus on app-side security but be aware of
server-side security issues. (12%)


Sensitive Data Storage
As an application developer, you have (almost) no control over the
user’s device. Presume the device is already compromised.
If at all possible, don’t store sensitive data on the device.
Sensitive Data includes:
• Credentials (e.g. passwords, keys, etc.)
• Session tokens (e.g. cookies)
• Files containing user information.

Mitigation: If you handle sensitive data, encrypt it before saving it
to the device. Use a strong encryption algorithm like AES-256.
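The mitigation above, carried through as an added Go example that is not code from the deck: a session token is encrypted with AES-256-GCM before it touches the filesystem, so a copy of the file taken from a compromised device yields ciphertext only, and any modification of the file is detected on decryption. The example assumes the 32-byte key is supplied by the platform keystore (it is generated in memory here as a stand-in) and never written next to the data; the file name and the token value are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const keyBytes = 32 // AES-256

// sealRecord encrypts plaintext with AES-256-GCM. The random nonce is
// prepended to the output so the stored blob carries what decryption needs,
// and the GCM tag makes any later modification of the file detectable.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyBytes {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; it fails on a wrong key or a modified blob.
func openRecord(key, blob []byte) ([]byte, error) {
	if len(key) != keyBytes {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// saveSensitive encrypts before anything reaches the filesystem and writes
// with owner-only permissions. The key is assumed to come from the platform
// keystore (hypothetical here) and is never stored beside the data.
func saveSensitive(path string, key, plaintext []byte) error {
	blob, err := sealRecord(key, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(path, blob, 0o600)
}

// loadSensitive reads the blob back and decrypts it.
func loadSensitive(path string, key []byte) ([]byte, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return openRecord(key, blob)
}

func main() {
	key := make([]byte, keyBytes) // stand-in for a keystore-held key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "sensitive-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "session.bin")

	// Constructed sample: a session token, one of the data types the slide lists.
	if err := saveSensitive(path, key, []byte("session=abc123")); err != nil {
		panic(err)
	}
	raw, _ := os.ReadFile(path)
	fmt.Printf("on disk: %x\n", raw) // ciphertext only; the token is not visible
	pt, err := loadSensitive(path, key)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
}
```

The check that matters for the "presume the device is compromised" stance is the failure path: flip one byte of the stored file, or try another key, and openRecord returns an error rather than silently returning garbage.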


Device Caches

Many devices keep caches of user input and other data relating to
the application.
• Temporary Files – Downloads, Documents, etc.
• User Dictionary – Depending on input type.
• Application Snapshots (iOS)

Mitigation: Remove files once they are no longer needed. Specify
correct input types. Disable caches if possible.


Device Caches: iOS Dictionary

Accessible via jailbreaking:
• /private/var/mobile/Library/Keyboard/dynamic-text.dat
• /private/var/mobile/Library/Keyboard/en_GB-dynamic-text.dat

The iOS “DynamicDictionary” keeps a record of everything typed
into text boxes (Google searches, Facebook messages, SMS, email,
etc.)


Insecure Data Transmission

If data is sent over an unencrypted channel, it can be intercepted
and modified.
You can’t control which networks a user connects to. How many
people can resist free WiFi networks at coffee shops?
Even trusted networks can’t be relied on due to Evil-twin attacks.
Mitigation: Transmit data over an SSL / TLS connection at all
times.


SSL / TLS
SSL / TLS misconfigurations are some of the most common
security weaknesses.
Application side:
• Weak cipher selection.
• Accepting invalid certificates.

Server side:
• Supporting old protocols, weak ciphers.
• Renegotiation Denial of Service, BEAST, CRIME, BREACH

Mitigation: Mostly configuration file changes!
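The "Insecure Data Transmission" and "SSL / TLS" slides both come down to the application-side weakness of accepting invalid certificates. The following Go program is an added example, not code from the deck: it starts a local HTTPS server whose certificate no public CA has signed (the self-signed demo certificate that Go's httptest package ships), then shows that a client configured to skip verification accepts it, a client with normal verification refuses it, and a client that trusts exactly the expected certificate accepts it. The server, handler and client names are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// tlsDemoResult records how three differently configured clients treat a
// server whose certificate no trusted CA has signed.
type tlsDemoResult struct {
	InsecureAccepted bool   // client that skips verification: the weakness on the slide
	DefaultAccepted  bool   // client verifying against the OS trust store
	DefaultErr       string // why the default client refused
	PinnedAccepted   bool   // client that trusts only the expected certificate
}

// fetch performs one GET and drains the body; only success or failure matters.
func fetch(client *http.Client, url string) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.ReadAll(resp.Body)
	return err
}

func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

func runTLSDemo() tlsDemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	// Weak: accept any certificate. Whoever controls the network (a coffee-shop
	// access point, an evil twin) can present their own and read the traffic.
	insecure := newClient(&tls.Config{InsecureSkipVerify: true})

	// Normal: verify the chain against the system trust store and refuse
	// protocol versions older than TLS 1.2.
	strict := newClient(&tls.Config{MinVersion: tls.VersionTLS12})

	// Pinned: trust only the certificate the app expects, which an app that
	// talks to one known backend can do instead of relying on every CA in the
	// OS store.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned := newClient(&tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool})

	var res tlsDemoResult
	res.InsecureAccepted = fetch(insecure, srv.URL) == nil
	if err := fetch(strict, srv.URL); err != nil {
		res.DefaultErr = err.Error()
	} else {
		res.DefaultAccepted = true
	}
	res.PinnedAccepted = fetch(pinned, srv.URL) == nil
	return res
}

func main() {
	res := runTLSDemo()
	fmt.Printf("skip-verify client accepted untrusted cert: %v\n", res.InsecureAccepted)
	fmt.Printf("default client accepted: %v (%s)\n", res.DefaultAccepted, res.DefaultErr)
	fmt.Printf("pinned client accepted: %v\n", res.PinnedAccepted)
}
```

The three configurations differ only in the tls.Config literal, which is the "mostly configuration changes" point on the slide: the same transport code is safe or unsafe depending on two fields.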


Jailbreaking / Rooting
People are always going to jailbreak / root their phones. They will
be able to access your application files, and possibly decompile the
application.
There is no point trying to perform “jailbreak detection”
techniques. Your application runs with low privileges. A jailbroken
/ rooted device will always be able to evade this detection.
Mitigation: Focus more on the security of your application than on
trying to prevent people reading your code. If you have code in your
application that you don’t want people to see, you shouldn’t be
letting people put it on their devices in the first place!


Android “Master Key” Exploits

A vulnerability found in early 2013 effectively allowed an attacker
to embed malicious code within a trusted and signed application
without invalidating the signature.
Despite their name, the “Master Key” exploits don’t actually expose
any Android keys. Instead, a vulnerability in the handling of the
ZIP-based APK files allows code modification.
Mitigation: Upgrade to Android 4.4. All previous versions are
vulnerable (approximately 99% of all Android devices).
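The slide says only that the flaw lay in how the ZIP container of an APK was handled. The first publicly disclosed "Master Key" bug (Bluebox, 2013) concerned an APK carrying two entries with the same file name, so that the signature check and the installer did not read the same bytes; that detail comes from the 2013 disclosure, not from this deck. A defender who cannot upgrade every device can at least refuse such files at the gate, and the following Go program is an added example (not from the deck) of that check: it lists every name that appears more than once in an archive's central directory. The sample archive is built in memory with placeholder contents and is a stand-in for an APK, not a real one.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"sort"
)

// duplicateEntries returns, sorted, every name that appears more than once in
// the ZIP central directory. An APK is a ZIP file, so the same reader applies.
// A well-formed package has no such names; a gatekeeper (app store, MDM
// scanner, CI check) can reject any archive for which this list is non-empty.
func duplicateEntries(archive []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	count := map[string]int{}
	for _, f := range r.File {
		count[f.Name]++
	}
	var dups []string
	for name, n := range count {
		if n > 1 {
			dups = append(dups, name)
		}
	}
	sort.Strings(dups)
	return dups, nil
}

// buildSampleArchive constructs an in-memory ZIP (a stand-in for an APK, with
// placeholder contents) from (name, content) pairs in the order given.
// Passing the same name twice produces the duplicate-entry layout the check
// is looking for.
func buildSampleArchive(entries [][2]string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e[0])
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(e[1])); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: META-INF plus two entries both named classes.dex.
	suspicious, err := buildSampleArchive([][2]string{
		{"META-INF/MANIFEST.MF", "placeholder manifest"},
		{"classes.dex", "placeholder: the copy the verifier sees"},
		{"classes.dex", "placeholder: a second copy with the same name"},
	})
	if err != nil {
		panic(err)
	}
	dups, err := duplicateEntries(suspicious)
	fmt.Printf("duplicate entries: %v (err=%v)\n", dups, err)
}
```

The check is deliberately conservative: it flags the archive as soon as any name repeats, whatever the contents, because a legitimate build tool never emits two entries with one path.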


User Stupidity

Mitigation: None Known.

Vulnerabilities vs. Malware
Number of vulnerabilities per mobile OS
iOS vulnerabilities are by far the most common: jailbreak exploits,
lock screen bypasses, and numerous native application related bugs.
Android on the other hand has fewer vulnerabilities overall (open
source code).


Vulnerabilities vs. Malware
Number of malware families per mobile OS
The number of vulnerabilities is not necessarily an indication of
the amount of malware a system suffers from. iOS vulnerabilities are
often more complex and require a lot of user interaction. Apple have
a rigorous vetting process for apps. Android’s app store has almost
no protection whatsoever.


Demos


Questions?

Ask away, or email:
adrian.hayter@hut3.net / andy.swift@hut3.net


CNS - Hut3 - Mobile Application (In)Security

1. Mobile Application (In)security
Explaining common mobile application security weaknesses and how to mitigate them.
Adrian Hayter & Andy Swift, CNS Hut 3 Team
adrian.hayter@hut3.net / andy.swift@hut3.net

2. Attack Vectors
When penetration testing a mobile application, CNS Hut3 focuses on four distinct areas:
• The Mobile Application
• The Mobile Device – iPhone, Android, Windows Mobile, etc.
• The Network – everything between the device and the server!
• The Server – most mobile applications interface with one.

3. Apps World
CNS Hut3 went to Apps World... and met some random American guy (Steve Wozniak).

4. How much do developers know about security?
Which of these counts as confidential data?
(a) Usernames & Passwords.
(b) Documents obtained after successful authentication.
(c) Session tokens.
(d) All of the above.

5. How much do developers know about security? (results)
Which of these counts as confidential data?
(a) Usernames & Passwords. (8%)
(b) Documents obtained after successful authentication. (4%)
(c) Session tokens. (0%)
(d) All of the above. (88%)

6. How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for everything else.
(b) Force everything to be sent over HTTPS.
(c) Provide both HTTP and HTTPS and let the user choose.
(d) Allow HTTP but redirect immediately to HTTPS.

7. How much do developers know about security? (results)
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for everything else. (8%)
(b) Force everything to be sent over HTTPS. (76%)
(c) Provide both HTTP and HTTPS and let the user choose. (4%)
(d) Allow HTTP but redirect immediately to HTTPS. (12%)

8. How much do developers know about security?
How should passwords be stored?
(a) In plaintext.
(b) Encoded using Base64.
(c) Salted and then hashed.
(d) Hashed and then salted.

9. How much do developers know about security? (results)
How should passwords be stored?
(a) In plaintext. (0%)
(b) Encoded using Base64. (20%)
(c) Salted and then hashed. (56%)
(d) Hashed and then salted. (24%)
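What "salted and then hashed" looks like in code, as an added example that is not part of the CNS Hut3 slides: a fresh random salt per password is fed into a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library here), and verification recomputes the digest from the stored salt and parameters and compares in constant time. The salt length, the iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the CNS Hut3 slides. The salt length and the
# iteration count are assumptions; raise ITERATIONS as your hardware allows.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt first, then hash: PBKDF2-HMAC(password, fresh random salt).

    Returns a self-describing record "pbkdf2_sha256$iterations$salt$hash"
    (hex fields) so the verifier can recover the parameters later and the
    iteration count can be raised for new records without a migration.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a new salt for every password
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        candidate = hashlib.pbkdf2_hmac(
            algo[len("pbkdf2_"):],
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
        # compare_digest avoids leaking how many leading bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: wrong field count, bad hex, or unknown hash name.
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Because the salt is random, hashing the same password twice yields two different records, which is exactly what defeats precomputed lookup tables; a Base64 encoding (option b) or a bare unsalted digest gives the same output for the same input every time.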
10. How much do developers know about security?
Which of these is the best choice for encrypting sensitive files?
(a) SHA-3
(b) Develop our own (secret) in-house encryption mechanism.
(c) AES-256
(d) 3DES

11. How much do developers know about security? (results)
Which of these is the best choice for encrypting sensitive files?
(a) SHA-3 (16%)
(b) Develop our own (secret) in-house encryption mechanism. (4%)
(c) AES-256 (76%)
(d) 3DES (4%)

12. How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security.
(b) We should put equal focus on both server-side and app-side security.
(c) We don’t need to focus on server-side security because the app is secure.
(d) We should put more focus on app-side security but be aware of server-side security issues.

13. How much do developers know about security? (results)
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security. (20%)
(b) We should put equal focus on both server-side and app-side security. (68%)
(c) We don’t need to focus on server-side security because the app is secure. (0%)
(d) We should put more focus on app-side security but be aware of server-side security issues. (12%)

14. Sensitive Data Storage
As an application developer, you have (almost) no control over the user’s device. Presume the device is already compromised. If at all possible, don’t store sensitive data on the device.
Sensitive data includes:
• Credentials (e.g. passwords, keys, etc.)
• Session tokens (e.g. cookies)
• Files containing user information.
Mitigation: If you handle sensitive data, encrypt it before saving it to the device. Use a strong encryption algorithm like AES-256.

15. Device Caches
Many devices keep caches of user input and other data relating to the application.
• Temporary Files – Downloads, Documents, etc.
• User Dictionary – Depending on input type.
• Application Snapshots (iOS)
Mitigation: Remove files once they are no longer needed. Specify correct input types. Disable caches if possible.

16. Device Caches: iOS Dictionary
Accessible via jailbreaking:
• /private/var/mobile/Library/Keyboard/dynamic-text.dat
• /private/var/mobile/Library/Keyboard/en_GB-dynamic-text.dat
The iOS “DynamicDictionary” keeps a record of everything typed into text boxes (Google searches, Facebook messages, SMS, email, etc.)

17. Insecure Data Transmission
If data is sent over an unencrypted channel, it can be intercepted and modified. You can’t control which networks a user connects to. How many people can resist free WiFi networks at coffee shops? Even trusted networks can’t be relied on due to evil-twin attacks.
Mitigation: Transmit data over an SSL / TLS connection at all times.

18. SSL / TLS
SSL / TLS misconfigurations are some of the most common security weaknesses.
Application side:
• Weak cipher selection.
• Accepting invalid certificates.
Server side:
• Supporting old protocols, weak ciphers.
• Renegotiation Denial of Service, BEAST, CRIME, BREACH
Mitigation: Mostly configuration file changes!
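The two application-side weaknesses on this slide, accepting invalid certificates and weak cipher selection, are visible on the client's TLS context before any connection is made. The following is an added example (not from the CNS Hut3 slides) using Python's standard ssl module: a hardened client context next to the permissive one that "just makes the self-signed test server work", and an audit function that flags what is wrong with each. The 128-bit strength floor and the TLS 1.2 minimum are assumptions; the cipher list an SSLContext starts with comes from the underlying OpenSSL build, so the audit may flag a weak default cipher on older builds as well.

```python
import ssl
from typing import List

# Added example, not from the CNS Hut3 slides. The 128-bit floor and the
# TLS 1.2 minimum are assumptions about what counts as "weak" here.
MIN_STRENGTH_BITS = 128
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server certificate chain and
    hostname (the defaults of create_default_context) and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The 'accepting invalid certificates' pattern: verification switched
    off, typically to make a self-signed test server work. Never ship this.
    check_hostname must be cleared before verify_mode can drop to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the application-side weaknesses visible on an SSLContext;
    an empty list means none were found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled (check_hostname is False)")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(f"protocol floor too low ({ctx.minimum_version.name})")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression allowed (CRIME)")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        bits = cipher.get("strength_bits", 0)
        if bits < MIN_STRENGTH_BITS or "NULL" in name or "RC4" in name or "MD5" in name:
            findings.append(f"weak cipher enabled: {name} ({bits} bits)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_client_context())):
        print(label, audit_context(ctx) or "no findings")
```

The same audit works on a server context built with ssl.PROTOCOL_TLS_SERVER, which covers the "old protocols, weak ciphers" half of the server-side list; the renegotiation, BEAST and BREACH items are properties of the server software and the HTTP layer and need a scanner against the live endpoint rather than a context inspection.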
19. Jailbreaking / Rooting
People are always going to jailbreak / root their phones. They will be able to access your application files, and possibly decompile the application. There is no point trying to perform “jailbreak detection” techniques. Your application runs with low privileges. A jailbroken / rooted device will always be able to evade this detection.
Mitigation: Focus more on the security of your application than on trying to prevent people reading your code. If you have code in your application that you don’t want people to see, you shouldn’t be letting people put it on their devices in the first place!

20. Android “Master Key” Exploits
A vulnerability found in early 2013 effectively allowed an attacker to embed malicious code within a trusted and signed application without invalidating the signature. Despite the name, the “Master Key” exploits don’t actually expose any Android keys. Instead, a vulnerability in the handling of the ZIP-based APK files allows code modification.
Mitigation: Upgrade to Android 4.4. All previous versions are vulnerable (approximately 99% of all Android devices).
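The ZIP-handling weakness behind the 2013 "Master Key" reports was that an APK could carry the same path twice in its central directory, so one component could verify one copy while another loaded the other. The slide's mitigation is an OS upgrade; on the distribution side, a build pipeline or MDM can additionally refuse any APK whose central directory repeats a name. The following is an added example, not code from the CNS Hut3 slides: a duplicate-entry check using Python's standard zipfile module, run over two constructed in-memory APK stand-ins (a few bytes per entry, not real application files).

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict, List, Tuple

# Added example, not from the CNS Hut3 slides. The APK contents below are
# constructed stand-ins (a few bytes per entry), not real application files.


def duplicate_entries(apk_bytes: bytes) -> Dict[str, int]:
    """Walk the ZIP central directory and count each entry name.

    Returns {name: count} for names that appear more than once. A sound APK
    never repeats a path; two records for one path mean two parsers can each
    legitimately resolve it to different bytes, which is the inconsistency
    the 2013 "Master Key" reports described.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Policy hook for a build pipeline or MDM: reject any APK whose
    central directory contains the same name twice."""
    return not duplicate_entries(apk_bytes)


def build_sample_apk(entries: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal ZIP in memory from (name, content) pairs, writing
    every pair even when a name repeats. zipfile warns about the repeat;
    the warning is silenced here because the repeat is the point."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, content in entries:
                zf.writestr(name, content)
    return buf.getvalue()


def last_copy_wins(apk_bytes: bytes, name: str) -> bytes:
    """Why the check matters: zipfile keeps both records in infolist() but
    read(name) returns whichever copy came last. Another parser may prefer
    the first; neither is wrong for ZIP, so the only safe policy is to
    reject the duplicate outright rather than pick a copy."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


# Constructed sample: a well-formed package with each path once.
CLEAN_APK = build_sample_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00original"),
])

# Constructed sample: the same path twice, with different bytes in each copy.
DOUBLED_APK = build_sample_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00original"),
    ("classes.dex", b"dex\n035\x00replacement"),
])


if __name__ == "__main__":
    print("clean:", duplicate_entries(CLEAN_APK), is_safe_to_install(CLEAN_APK))
    print("doubled:", duplicate_entries(DOUBLED_APK), is_safe_to_install(DOUBLED_APK))
    print("read() returns:", last_copy_wins(DOUBLED_APK, "classes.dex"))
```

The check reads only the central directory, so it is cheap enough to run on every upload; it does not replace the OS fix on the slide, because a device older than Android 4.4 still installs whatever reaches it by other routes.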
21. User Stupidity

22. User Stupidity
Mitigation: None known.

23. Vulnerabilities vs. Malware
[Chart: Number of vulnerabilities per mobile OS]
iOS vulnerabilities are by far the most common: jailbreak exploits, lock screen bypasses, numerous native application related bugs. Android, on the other hand, has fewer vulnerabilities overall (open source code).

24. Vulnerabilities vs. Malware
[Chart: Number of malware families per mobile OS]
The number of vulnerabilities is not necessarily an indication of the amount of malware a system suffers from. iOS vulnerabilities are often more complex and require a lot of user interaction. Apple have a rigorous vetting process for apps. Android’s app store has almost no protection whatsoever.

25. Demos

26. Questions?
Ask away, or email: adrian.hayter@hut3.net / andy.swift@hut3.net