SlideShare ist ein Scribd-Unternehmen logo

Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies

eightbit
eightbit

Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies

Mobil
1 von 55
Downloaden Sie, um offline zu lesen
Hacking Mobile Applications – Industry Case Studies Michael Gianarakis Securus Global
Introduction About Me •  Michael Gianarakis •  Senior Security Consultant •  Working in application security for seven years •  Focus on mobile application security
Overview Mobile platforms have presented many opportunities for businesses and online retailers….
Overview Mobile platforms have presented many opportunities for businesses and online retailers…. BUT
Overview Mobile platforms have presented many opportunities for businesses and online retailers…. BUT It’s also created a lucrative target for hackers.
Key Takeaways Understand Identify Defend
Key Takeaways Understand Identify Defend
Key Takeaways Understand Identify Defend
Before we get started….
Understanding the Risks – Mobile Threat Model Mobile   Applica,on  
Understanding the Risks – Mobile Threat Model Mobile   Applica,on  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   User  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   User   Back  End   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Understanding the Risks – Mobile Threat Model So what are the threats?
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
Understanding the Risks
Understanding the Risks
Identify the Threats •  Focus on the most prevalent risks and how they can be exploited •  Insecure data storage •  Insufficient transport layer protection (communication security) •  Client side injection
Identify the Threats – Insecure Data Storage •  Improperly secured data stored on the device is very common •  I have come across all kinds of sensitive information stored in clear text including: •  Usernames and passwords •  Encryption keys •  Personal information •  Location data
Identify the Threats – Insecure Data Storage •  Two main types of insecure data storage: 1.  Sensitive data stored on the device by the application that was not secured appropriately by the developer 2.  Data stored by the operating system automatically
Identify the Threats – Insecure Data Storage •  Sensitive data not appropriately secured by the developer includes: •  Unencrypted databases •  Storing sensitive information in preference files •  Encrypting data but storing the encryption key in a clear text file •  Logging sensitive information to the device logs
Identify the Threats – Insecure Data Storage
Identify the Threats – Insecure Data Storage
Identify the Threats – Insecure Data Storage
Identify the Threats – Insecure Data Storage This  was  in  a  banking  app!  
Identify the Threats – Insecure Data Storage •  Sensitive data stored by the operating system •  Back grounding screenshots (iOS) •  Caches (browser caching, autocorrect etc.) •  Pasteboard •  Oftentimes developers do not realise that the OS is storing this information
Identify the Threats – Insecure Data Storage
Identify the Threats – Insecure Data Storage
Identify the Threats – Insufficient Transport Layer Security •  Most users will connect their devices to untrusted networks •  It is common to find insecurely implemented communication security: •  Lack of SSL validation •  Unencrypted communications
Identify the Threats – Insufficient Transport Layer Security
Identify the Threats – Client Side Injection •  In web applications injection issues such as XSS and SQL Injection are a big problem •  Still found in mobile applications •  Can be worse in mobile application - runtime manipulation can lead to significant security issues
Identify the Threats – Client Side Injection
Identify the Threats – Client Side Injection
Identify the Threats – Client Side Injection
Defending Mobile Applications •  Challenges •  Devices are easily lost, stolen or compromised •  Multiple attack vectors outside of your control •  Once the security of the device is compromised ‘all bets are off’ •  Platform is constantly evolving •  Customer expectation of rapid iteration •  Developer inexperience with platforms (although this is improving)
Defending Mobile Applications •  First of all focus on the basics •  Define the risk profile of the application •  Secure development practices •  Thorough security testing •  Monitoring and review •  Effective information security is a process for managing business risk, not a product. Beware of “silver bullet” solutions. •  The security of your application is your responsibility - not Apple, or Google or Microsoft
Defending Mobile Applications •  Mobile application security design principles •  Assume the client is compromised •  Assume the application will connect to untrusted networks •  Assume that the underlying operating system is compromised
Defending Mobile Applications •  Assume the client is compromised •  Do not store sensitive information on the device •  Do not implement sensitive functionality in the client – always implement on the server •  Do not trust user input
Defending Mobile Applications •  Assume the application will connect to untrusted networks •  Do not transmit sensitive information unencrypted •  Do not use weak encryption •  Establish and validate certificate chain
Defending Mobile Applications •  Assume the underlying operating system is compromised •  Genuine users will jailbreak their devices •  Attackers will jailbreak target devices •  Do not assume that physical access to the device is necessary for an attacker to compromise the device
Defending Mobile Applications •  Assume the underlying operating system is compromised •  Genuine users will jailbreak their devices •  Attackers will jailbreak target devices •  Do not assume that physical access to the device is necessary for an attacker to compromise the device
Defending Mobile Applications •  Data Security •  Preference is to not store sensitive data •  Be realistic about requirements to actually store data (remember these devices are always connected) •  Be conscious of inadvertent data leakage by the operating system •  If storing sensitive data – encyrpt but be aware of key management difficulties
Defending Mobile Applications •  Communication Security •  Encrypt all traffic •  ALWAYS validate certificates •  Certificate pinning •  Be aware of lax controls in development environments filtering through to production •  Do not use weak protocols (SSLv2, BEAST, CRIME etc)
Defending Mobile Applications •  Injection and Runtime Security •  Don’t trust user input •  Although hard to implement consider runtime security mechanisms •  Anti-debugging •  Jailbreak detection •  Tamper response
Defending Mobile Applications •  Unfortunately it is impossible to completely secure mobile applications •  Anybody with a copy of the application and a debugger can compromise the security of the application •  The aim is to make it significantly harder for the attacker such that the economic benefits of attacking the application are outweighed by the difficulty of the attack.
Questions?

Empfohlen

Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
mgianarakis
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
wireharbor
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 

Empfohlen

Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
mgianarakis
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
wireharbor
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
Satish b
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
Kai Aras
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09
Gonzalo Parra
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
Jason Haddix
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
Urvashi Kataria
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
Ömer Coşkun
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
Kuba Břečka
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
n|u - The Open Security Community
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
History of social media infographic
History of social media infographicHistory of social media infographic
History of social media infographic
Digital Marketing
 
Ici presentation
Ici presentationIci presentation
Ici presentation
Goshen College
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
Salesforce Developers
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 

Was ist angesagt? (20)

Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
 
Iphone Presentation for MuMe09
Iphone Presentation for MuMe09Iphone Presentation for MuMe09
Iphone Presentation for MuMe09
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 

Andere mochten auch

презентация!\
презентация!\презентация!\
презентация!\
ozimovska
 
Areas of housekeeping department responsbilities
Areas of housekeeping department responsbilitiesAreas of housekeeping department responsbilities
Areas of housekeeping department responsbilities
Shahira Karim
 
дармостук таланты\
дармостук таланты\дармостук таланты\
дармостук таланты\
ozimovska
 

Andere mochten auch (19)

History of social media infographic
History of social media infographicHistory of social media infographic
History of social media infographic
 
Ici presentation
Ici presentationIci presentation
Ici presentation
 
Let us c++ yeshwant kanetkar
Let us c++ yeshwant kanetkarLet us c++ yeshwant kanetkar
Let us c++ yeshwant kanetkar
 
Non veg-choice-menu-diamond a4
Non veg-choice-menu-diamond a4Non veg-choice-menu-diamond a4
Non veg-choice-menu-diamond a4
 
Membaikpulih pc
Membaikpulih pcMembaikpulih pc
Membaikpulih pc
 
Kenali cpu
Kenali cpuKenali cpu
Kenali cpu
 
презентация!\
презентация!\презентация!\
презентация!\
 
Tong quan google adwords
Tong quan google adwordsTong quan google adwords
Tong quan google adwords
 
GDG Montréal - Account Manager Basics and Use Case
GDG Montréal - Account Manager Basics and Use CaseGDG Montréal - Account Manager Basics and Use Case
GDG Montréal - Account Manager Basics and Use Case
 
Technology
TechnologyTechnology
Technology
 
OTA : Mettre à jour un device Android, ok mais comment ça marche ?
OTA : Mettre à jour un device Android, ok mais comment ça marche ? OTA : Mettre à jour un device Android, ok mais comment ça marche ?
OTA : Mettre à jour un device Android, ok mais comment ça marche ?
 
Bible Verses About Grace
Bible Verses About GraceBible Verses About Grace
Bible Verses About Grace
 
Privacy and Security
Privacy and SecurityPrivacy and Security
Privacy and Security
 
Veg choice-menu-gold a4
Veg choice-menu-gold a4Veg choice-menu-gold a4
Veg choice-menu-gold a4
 
Google 3rd party independant hotel
Google 3rd party independant hotelGoogle 3rd party independant hotel
Google 3rd party independant hotel
 
Areas of housekeeping department responsbilities
Areas of housekeeping department responsbilitiesAreas of housekeeping department responsbilities
Areas of housekeeping department responsbilities
 
Non veg-choice-menu-standard a4
Non veg-choice-menu-standard a4Non veg-choice-menu-standard a4
Non veg-choice-menu-standard a4
 
дармостук таланты\
дармостук таланты\дармостук таланты\
дармостук таланты\
 
Google 3rd party brand hotels
Google 3rd party brand hotelsGoogle 3rd party brand hotels
Google 3rd party brand hotels
 

Ähnlich wie Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies

Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Lenin Aboagye
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurity
Venkat Alagarsamy
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 

Ähnlich wie Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies (20)

ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Application security
Application securityApplication security
Application security
 
Enterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurityEnterprise mobileapplicationsecurity
Enterprise mobileapplicationsecurity
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Information Risk and Protection
Information Risk and ProtectionInformation Risk and Protection
Information Risk and Protection
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Transforming any apps into self-defending apps
Transforming any apps into self-defending apps Transforming any apps into self-defending apps
Transforming any apps into self-defending apps
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and Healthcare
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Mobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An IntroductionMobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An Introduction
 

Mehr von eightbit

Mehr von eightbit (6)

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
 
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift ApplicationsHack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
 
Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applications
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Course
 

Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies

  • 1. Hacking Mobile Applications – Industry Case Studies Michael Gianarakis Securus Global
  • 2. Introduction About Me •  Michael Gianarakis •  Senior Security Consultant •  Working in application security for seven years •  Focus on mobile application security
  • 3. Overview Mobile platforms have presented many opportunities for businesses and online retailers….
  • 4. Overview Mobile platforms have presented many opportunities for businesses and online retailers…. BUT
  • 5. Overview Mobile platforms have presented many opportunities for businesses and online retailers…. BUT It’s also created a lucrative target for hackers.
  • 10. Understanding the Risks – Mobile Threat Model Mobile   Applica,on  
  • 11. Understanding the Risks – Mobile Threat Model Mobile   Applica,on  
  • 12. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on  
  • 13. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   User  
  • 14. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   User   Back  End   Web  Service  
  • 15. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service  
  • 16. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 17. Understanding the Risks – Mobile Threat Model So what are the threats?
  • 18. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 19. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 20. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 21. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 22. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 23. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 24. Mobile  Device   Understanding the Risks – Mobile Threat Model Mobile   Applica,on   3rd  Party   Applica,ons   User   Back  End   Web  Service   3rd  Party   Web  Service  
  • 27. Identify the Threats •  Focus on the most prevalent risks and how they can be exploited •  Insecure data storage •  Insufficient transport layer protection (communication security) •  Client side injection
  • 28. Identify the Threats – Insecure Data Storage •  Improperly secured data stored on the device is very common •  I have come across all kinds of sensitive information stored in clear text including: •  Usernames and passwords •  Encryption keys •  Personal information •  Location data
  • 29. Identify the Threats – Insecure Data Storage •  Two main types of insecure data storage: 1.  Sensitive data stored on the device by the application that was not secured appropriately by the developer 2.  Data stored by the operating system automatically
  • 30. Identify the Threats – Insecure Data Storage •  Sensitive data not appropriately secured by the developer includes: •  Unencrypted databases •  Storing sensitive information in preference files •  Encrypting data but storing the encryption key in a clear text file •  Logging sensitive information to the device logs
  • 31. Identify the Threats – Insecure Data Storage
  • 32. Identify the Threats – Insecure Data Storage
  • 33. Identify the Threats – Insecure Data Storage
  • 34. Identify the Threats – Insecure Data Storage This  was  in  a  banking  app!  
  • 35. Identify the Threats – Insecure Data Storage •  Sensitive data stored by the operating system •  Back grounding screenshots (iOS) •  Caches (browser caching, autocorrect etc.) •  Pasteboard •  Oftentimes developers do not realise that the OS is storing this information
  • 36. Identify the Threats – Insecure Data Storage
  • 37. Identify the Threats – Insecure Data Storage
  • 38. Identify the Threats – Insufficient Transport Layer Security •  Most users will connect their devices to untrusted networks •  It is common to find insecurely implemented communication security: •  Lack of SSL validation •  Unencrypted communications
  • 39. Identify the Threats – Insufficient Transport Layer Security
  • 40. Identify the Threats – Client Side Injection •  In web applications injection issues such as XSS and SQL Injection are a big problem •  Still found in mobile applications •  Can be worse in mobile application - runtime manipulation can lead to significant security issues
  • 41. Identify the Threats – Client Side Injection
  • 42. Identify the Threats – Client Side Injection
  • 43. Identify the Threats – Client Side Injection
  • 44. Defending Mobile Applications •  Challenges •  Devices are easily lost, stolen or compromised •  Multiple attack vectors outside of your control •  Once the security of the device is compromised ‘all bets are off’ •  Platform is constantly evolving •  Customer expectation of rapid iteration •  Developer inexperience with platforms (although this is improving)
  • 45. Defending Mobile Applications •  First of all focus on the basics •  Define the risk profile of the application •  Secure development practices •  Thorough security testing •  Monitoring and review •  Effective information security is a process for managing business risk, not a product. Beware of “silver bullet” solutions. •  The security of your application is your responsibility - not Apple, or Google or Microsoft
  • 46. Defending Mobile Applications •  Mobile application security design principles •  Assume the client is compromised •  Assume the application will connect to untrusted networks •  Assume that the underlying operating system is compromised
  • 47. Defending Mobile Applications •  Assume the client is compromised •  Do not store sensitive information on the device •  Do not implement sensitive functionality in the client – always implement on the server •  Do not trust user input
  • 48. Defending Mobile Applications •  Assume the application will connect to untrusted networks •  Do not transmit sensitive information unencrypted •  Do not use weak encryption •  Establish and validate certificate chain
  • 49. Defending Mobile Applications •  Assume the underlying operating system is compromised •  Genuine users will jailbreak their devices •  Attackers will jailbreak target devices •  Do not assume that physical access to the device is necessary for an attacker to compromise the device
  • 50. Defending Mobile Applications •  Assume the underlying operating system is compromised •  Genuine users will jailbreak their devices •  Attackers will jailbreak target devices •  Do not assume that physical access to the device is necessary for an attacker to compromise the device
  • 51. Defending Mobile Applications •  Data Security •  Preference is to not store sensitive data •  Be realistic about requirements to actually store data (remember these devices are always connected) •  Be conscious of inadvertent data leakage by the operating system •  If storing sensitive data – encyrpt but be aware of key management difficulties
  • 52. Defending Mobile Applications •  Communication Security •  Encrypt all traffic •  ALWAYS validate certificates •  Certificate pinning •  Be aware of lax controls in development environments filtering through to production •  Do not use weak protocols (SSLv2, BEAST, CRIME etc)
  • 53. Defending Mobile Applications •  Injection and Runtime Security •  Don’t trust user input •  Although hard to implement consider runtime security mechanisms •  Anti-debugging •  Jailbreak detection •  Tamper response
  • 54. Defending Mobile Applications •  Unfortunately it is impossible to completely secure mobile applications •  Anybody with a copy of the application and a debugger can compromise the security of the application •  The aim is to make it significantly harder for the attacker such that the economic benefits of attacking the application are outweighed by the difficulty of the attack.