More Related Content Similar to InfoSec World 2014 Security Imperatives for IOS and Android (20) InfoSec World 2014 Security Imperatives for IOS and Android2. Copyright 2014 RBS Citizens
Distributed by MIS Training Institute with permission of owner.
All rights reserved. Printed in the United States of America. No part of this publication may be reproduced,
photocopied, stored in a retrieval system, or transmitted by electronic, mechanical or any other means
without the prior written permission of MIS Training Institute and the respective owner of the copyright.
Trademarked product and company names mentioned in this publication are the property of their respective owners.
ISW14040714
3. MIS Training Institute Session A5 - Slide 3
© Symosis Security
Who are we?
Clinton Mugge
Application and Network Security Providers
20 Years in Info Sec – Security Assessments, Penetration Testing,
Compliance & Training, Investigations, Incident Response
Free Mobile App Security / Training Evaluations
Gary Bahadur
20 Years in Info Sec – Compliance & Training, Security Assessments,
Risk Assessments
Author of “Securing the Clicks” Network Security in the Age of
Social Media
Free Risk Assessment Software “Razient”
4. MIS Training Institute Session A5 - Slide 4
© Symosis Security
Agenda
Introduction
iOS / Android Apps Top Risks
Countermeasures
5. MIS Training Institute Session A5 - Slide 5
© Symosis Security
Audience Poll
• What mobile OS do you mostly
use?
• How many of you are involved
with mobile security, privacy,
audits?
• Any mobile developers /
architects?
• Does your employer have
mobile presence?
7. MIS Training Institute Session A5 - Slide 7
© Symosis Security
What do Attackers Want?
Credentials - To your
device, To external
services (email, banking,
etc)
Access to your device
Use your device
(botnets, spamming),
Steal trade secrets or
other sensitive data
Personal Data - Full Name,
SINSSN, address book
data, location data
Cardholder Data - Card
Numbers, Expiration, CVV
Health Data - Prescription
information, medical
records, procedure
summary
Corporate Data - IP, Design
Docs
8. MIS Training Institute Session A5 - Slide 8
© Symosis Security
Security and Privacy Concerns
Side Channel Data Leakage
Insufficient Transport Layer Protection
Weak Server Side Controls
Insecure Data Storage
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions Via Untrusted Inputs
Broken Cryptography
Sensitive Information Disclosure
Hardcoded password/keys
Privacy compliance
Identity exposure
Activity monitoring and data retrieval
Unauthorized dialing, SMS, and payments
Unauthorized network connectivity (data
exfiltration or command & control)
UI (unique identifier) impersonation
System modification (rootkit, APN proxy
configuration)
Mobile Malware
Criminals Target and Infect App Stores
Social-Engineering
Geolocation compromise
Security Regulatory Compliance
Device Risk
Application management
Installation of un-verified / unsigned 3rd
party apps
9. MIS Training Institute Session A5 - Slide 9
© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
10. MIS Training Institute Session A5 - Slide 10
© Symosis Security
1. Side Channel Data Leakage
Data leakage via platform defaults, use of third party
libraries, logging, etc
Property List Files
SnapShot (ie- iOS Backgrounding)
iOS logs
Sometimes result of programmatic flaws
11. MIS Training Institute Session A5 - Slide 11
© Symosis Security
Demo 1: Snapshot File
Tools: iExplore, Reflection
Device: iPhone 5, IOS 6 latest version, iPhone 4, IOS 5
Snapshot –
TaxAct Mobile
TaxSlayer
17. MIS Training Institute Session A5 - Slide 17
© Symosis Security
Agenda
Introduction
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
18. MIS Training Institute Session A5 - Slide 18
© Symosis Security
2. Insecure Transport/Server Controls
Failing to encrypt sensitive
network traffic consisting of
sensitive data
Insecure server controls - web,
application and backend API - can
lead to security compromise
19. MIS Training Institute Session A5 - Slide 19
© Symosis Security
Demo 2: Insecure Transport
Tools: MITM Proxy, Reflection, Flixster
Insecure Transport – User ID, Movies Browsing, Home
Area, Purchase Intent
21. MIS Training Institute Session A5 - Slide 21
© Symosis Security
Unencrypted Cookies over HTTP
Instagram iOS App
22. MIS Training Institute Session A5 - Slide 22
© Symosis Security
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
23. MIS Training Institute Session A5 - Slide 23
© Symosis Security
3. Insecure Data Storage
Locally stored data both on native and browser based
apps that includes
SQLite
Sensitive Files
Cache Files
24. MIS Training Institute Session A5 - Slide 24
© Symosis Security
Demo 3: local files
Tools: iExplore, Reflection
SQLite files – Runtastic, TaxSlayer, TaxAct, JacksonHewitt
Flat Files – Jackson Hewitt
Jackson Hewitt #JacksonHewitt /TaxSlayer #TaxSlayer
Tools: iExplorer
25. MIS Training Institute Session A5 - Slide 25
© Symosis Security
Cached Credentials and tax data in the clear
28. MIS Training Institute Session A5 - Slide 28
© Symosis Security
Unencrypted Cache with Master Password in
Keeper
29. MIS Training Institute Session A5 - Slide 29
© Symosis Security
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
31. MIS Training Institute Session A5 - Slide 31
© Symosis Security
Privacy Threat & Impact
UDID, Mac Address, Device ID
Location Training
Usage Tracking - Google, Flurry, Mobclix
Contacts Access & Sharing
Shares / Uploads Phone Number
3rd Party Connections – Facebook, twitter
32. MIS Training Institute Session A5 - Slide 32
© Symosis Security
Path uploads your entire iPhone address
book to its servers
33. MIS Training Institute Session A5 - Slide 33
© Symosis Security
WhatsApp sends messages unencrypted
over HTTP
34. MIS Training Institute Session A5 - Slide 34
© Symosis Security
LinkedIn transmits confidential info
insecurely
35. MIS Training Institute Session A5 - Slide 35
© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
1. Disable side channel data leakage
2. Use HTTPS and secure IOS Safe methods
3. Insecure Data storage
4. Privacy
36. MIS Training Institute Session A5 - Slide 36
© Symosis Security
Side Channel Data Leakage
Start by identifying all potential side channel data which
includes
Plist files – Ensure no sensitive data is written
Disable Snapshots
Disable System / keystroke logs
Disable Web caches
Disable Cut-and-paste buffers
Clean up Core Data
Do not store sensitive data (e.g., credentials, tokens, PII) in
property list files. Use iOS Keychain
37. MIS Training Institute Session A5 - Slide 37
© Symosis Security
Encrypt Sensitive Data
Data Protection API - set the NSFileProtectionKey on an
existing file
Keychain – Sensitive data like passwords and keys should be
stored in the Keychain and not in insecure locations like plist
files
CCCrypt & javax.crypto.* package for Android - provides access
to AES, DES, 3DES
SQLCipher (IOS & Android) - transparent 256-
bit AES encryption of database files
38. MIS Training Institute Session A5 - Slide 38
© Symosis Security
Strategic Recommendations
Establish common set of security requirements. Perform
periodic security scans and audits
Invest in security education for all stakeholders
Perform server side data validation and canonicalization
Define and deploy secure configuration
Do not log credentials, PII and other sensitive data
Design and implement all apps under the assumption
that the user’s device will be lost or stolen
Review all third party libraries before use