2. Introduction
About Me
• Michael Gianarakis
• Senior Security Consultant
• Working in application security for seven years
• Focus on mobile application security
5. Overview
Mobile platforms have presented many
opportunities for businesses and online
retailers….
BUT
It’s also created a lucrative target for
hackers.
15. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
16. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
18. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
19. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
20. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
21. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
22. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
23. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
24. Mobile
Device
Understanding the Risks – Mobile
Threat Model
Mobile
Applica,on
3rd
Party
Applica,ons
User
Back
End
Web
Service
3rd
Party
Web
Service
27. Identify the Threats
• Focus on the most prevalent risks
and how they can be exploited
• Insecure data storage
• Insufficient transport layer protection
(communication security)
• Client side injection
28. Identify the Threats – Insecure
Data Storage
• Improperly secured data stored
on the device is very common
• I have come across all kinds of
sensitive information stored in
clear text including:
• Usernames and passwords
• Encryption keys
• Personal information
• Location data
29. Identify the Threats – Insecure
Data Storage
• Two main types of insecure data
storage:
1. Sensitive data stored on the device by
the application that was not secured
appropriately by the developer
2. Data stored by the operating system
automatically
30. Identify the Threats – Insecure
Data Storage
• Sensitive data not appropriately
secured by the developer
includes:
• Unencrypted databases
• Storing sensitive information in
preference files
• Encrypting data but storing the
encryption key in a clear text file
• Logging sensitive information to the
device logs
35. Identify the Threats – Insecure
Data Storage
• Sensitive data stored by the
operating system
• Back grounding screenshots (iOS)
• Caches (browser caching, autocorrect
etc.)
• Pasteboard
• Oftentimes developers do not
realise that the OS is storing
this information
38. Identify the Threats – Insufficient
Transport Layer Security
• Most users will connect their
devices to untrusted networks
• It is common to find insecurely
implemented communication
security:
• Lack of SSL validation
• Unencrypted communications
40. Identify the Threats – Client Side
Injection
• In web applications injection
issues such as XSS and SQL
Injection are a big problem
• Still found in mobile
applications
• Can be worse in mobile
application - runtime
manipulation can lead to
significant security issues
44. Defending Mobile Applications
• Challenges
• Devices are easily lost, stolen or
compromised
• Multiple attack vectors outside of your
control
• Once the security of the device is
compromised ‘all bets are off’
• Platform is constantly evolving
• Customer expectation of rapid
iteration
• Developer inexperience with
platforms (although this is improving)
45. Defending Mobile Applications
• First of all focus on the basics
• Define the risk profile of the application
• Secure development practices
• Thorough security testing
• Monitoring and review
• Effective information security is a
process for managing business risk,
not a product. Beware of “silver
bullet” solutions.
• The security of your application is
your responsibility - not Apple, or
Google or Microsoft
46. Defending Mobile Applications
• Mobile application security
design principles
• Assume the client is
compromised
• Assume the application will
connect to untrusted networks
• Assume that the underlying
operating system is
compromised
47. Defending Mobile Applications
• Assume the client is
compromised
• Do not store sensitive
information on the device
• Do not implement sensitive
functionality in the client –
always implement on the server
• Do not trust user input
48. Defending Mobile Applications
• Assume the application will
connect to untrusted
networks
• Do not transmit sensitive
information unencrypted
• Do not use weak encryption
• Establish and validate certificate
chain
49. Defending Mobile Applications
• Assume the underlying
operating system is
compromised
• Genuine users will jailbreak their
devices
• Attackers will jailbreak target
devices
• Do not assume that physical access
to the device is necessary for an
attacker to compromise the device
50. Defending Mobile Applications
• Assume the underlying
operating system is
compromised
• Genuine users will jailbreak their
devices
• Attackers will jailbreak target
devices
• Do not assume that physical access
to the device is necessary for an
attacker to compromise the device
51. Defending Mobile Applications
• Data Security
• Preference is to not store sensitive
data
• Be realistic about requirements to
actually store data (remember these
devices are always connected)
• Be conscious of inadvertent data
leakage by the operating system
• If storing sensitive data – encyrpt but
be aware of key management
difficulties
52. Defending Mobile Applications
• Communication Security
• Encrypt all traffic
• ALWAYS validate certificates
• Certificate pinning
• Be aware of lax controls in
development environments filtering
through to production
• Do not use weak protocols (SSLv2,
BEAST, CRIME etc)
53. Defending Mobile Applications
• Injection and Runtime Security
• Don’t trust user input
• Although hard to implement consider
runtime security mechanisms
• Anti-debugging
• Jailbreak detection
• Tamper response
54. Defending Mobile Applications
• Unfortunately it is impossible to
completely secure mobile
applications
• Anybody with a copy of the application and
a debugger can compromise the security of
the application
• The aim is to make it significantly
harder for the attacker such that
the economic benefits of
attacking the application are
outweighed by the difficulty of
the attack.