Security Imeprative for iOS and Android Apps

For the Demo…
please download and install the following
apps on your mobile device
1

Security
Imperative for
iOS / Android
Apps
ISACA Sacramento
July 2013

Who are we?
• Kartik Trivedi (kartik@symosis.com)
– Co-founder of Symosis – Application & Mobile security
– 13 Years in Info Sec – Security Assessments, Penetration
testing, Compliance & Training
– Free Mobile App Security / Training Eval
• Lenin Aboagye (laboagye@io.com)
– Director, Information Security & Compliance, IO
– Cloud / Mobile security expert
– Media & Television, Education, Health, Real Estate and
Energy industries experience
3

Agenda
Introduction
iOS / Android Apps Top Risks
Countermeasures
Mobility in Data Center
4

Audience Poll
5
• What mobile OS do
you mostly use?
• How many of you are
involved with mobile
security, privacy,
audits?
• Any mobile developers
/ architects?
• Does your employer
have mobile presence?

There is an App for that!
• Pay bills
• File income taxes
• Pay property tax
• Scan & Shop
• Deposit checks
• Transfer money
• Store medical records
• Refill prescription
• Manage health information
• Remember your meds
• Book flight / hotel
• Medscape / pharmacopia
7
• Small Business Payroll
• Pay invoice
• Location based check in
• Personal finance
• Investments & 401k
• Health & Fitness
• Productivity
• Facebook / twitter
• Place bets on sports
• Utilities
• Store passwords
• Document storage

From 2013-2017, the app economy will
double from $72B USD to $151B USD
8

What do Attackers Want?
• Credentials - To your
device, To external
services (email, banking,
etc)
• Access to your device •
Sniff your connections,
Use your device (botnets,
spamming), Steal trade
secrets or other sensitive
data
9
• Personal Data - Full Name,
SINSSN, Address book data •
Location data
• Cardholder Data - Card
Numbers, Expiration, CVV
• Health Data - Prescription
information, medical records,
procedure summary
• Corporate Data - IP, Design
Docs

Security Concerns
• Side Channel Data Leakage
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Insecure Data Storage
• Client Side Injection
• Poor Authorization and
Authentication
• Improper Session Handling
• Security Decisions Via Untrusted
Inputs
• Broken Cryptography
• Sensitive Information Disclosure
• Hardcoded password/keys
• Privacy compliance
• Identity exposure
10
• Activity monitoring and data retrieval
• Unauthorized dialing, SMS, and payments
• Unauthorized network connectivity (data
exfiltration or command & control)
• UI (unique identifier) impersonation
• System modification (rootkit, APN proxy
configuration)
• Mobile Malware
• Criminals Target and Infect App Stores
• Social-Engineering
• Geolocation compromise
• Security Regulatory Compliance
• Device Risk
• Application management
• Installation of un-verified / unsigned 3rd
party apps

Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
11

1. Side Channel Data Leakage
Data leakage via platform defaults, use of third
party libraries, logging, etc
• Property List Files
• SnapShot (ie- iOS backgrounding)
Sometimes result of programmatic flaws

Demo 1: Plist File
Tools: iExplore, Reflection
Device: iPhone 5, IOS 6 latest version, iPhone 4,
IOS 5
13

15
Facebook Plist Mobile Security Hole
Allows Identity Theft

LinkedIn Plist identity theft
16

DropBox Plist Security hole
17

Demo 2: Snapshots
Device: iPhone 5, IOS 6 latest version, iPhone 4,
IOS 5
18

Agenda
Introduction
Mobile Apps Top 3 Risks
4. Privacy
Countermeasures
19

2. Insecure Transport/Server Controls
Failing to encrypt sensitive
network traffic consisting of
sensitive data
Insecure server controls -
web, application and
backend API - can lead to
security compromise

Demo 3: Insecure Transport
Tools: MITM Proxy, Reflection
Insecure Transport
21

Tumblr – Password sent unencrypted
22

Unencrypted Cookies over HTTP in Instagram iOS App
24

Demo 4: Insecure Server Configuration
Tools: MITM Proxy, Reflection
Insecure Server Configuration / Authentication
Bypass
27

TOC
Mobile Platform Risks
4. Privacy
Countermeasures
29

Locally stored data both on native and browser
based apps that includes
• SQLite
• Cache files
• Keychain – Is this really secure?
30

Demo 5: SQLite / Cache files
SQLite / Cache files
If time permits…
Hacking the Keychain
Tools: Jailbroken device, SSH, keychain_dump
31

JackThreads stores personal + financial
info in SQLite file
32

Unencrypted Cache with Master
Password in Keeper
33

TOC
4. Privacy
Countermeasures
35

Privacy Threat & Impact
• UDID, Mac Address, Device ID
• Location Training
• Usage Tracking - Google, Flurry, Mobclix
• Contacts Access & Sharing
• Shares / Uploads Phone Number
• 3rd Party Connections – Facebook, twitter
37

Path uploads your entire iPhone address book to
its servers
38

39
WhatsApp sends messages
unencrypted over HTTP

Risk & Impact: High
Sensitive Data exposure
• Username & password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information
Loss of Data Confidentiality & Integrity
Data Tempering, Impersonation
Man-in-the-Middle (MITM attack)
Unauthorized access to application data or functionality
Privacy Violations / reputation damage
Session replay, impersonation

Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
1. Disable side channel data leakage
2. Use HTTPS and secure IOS Safe methods
3. Insecure Data storage
4. Privacy
42

Side Channel Data Leakage
Start by identifying all potential side channel data
which includes
• Plist files
• Snapshots
• System / keystroke logs
• Web caches
• Cut-and-paste buffers
Do not store sensitive data (e.g., credentials,
tokens, PII) in property list files. Use iOS Keychain
43

Disable Snapshots (3 Options)
Set the key window’s hidden property to YES
[ UIApplication sharedApplication ].keyWindow.hidden = YES;
Using the applicationWillResignActive delegate method
(void)applicationWillResignActive:(UIApplication *)application{[
UIApplication sharedApplication ].keyWindow.hidden = YES;}
Use the applicationDidEnterBackground method.
(void)applicationDidEnterBackground:(UIApplication *)application
{[ UIApplication sharedApplication ].keyWindow.hidden = YES;}
44

Disable Other Leakage
Disable Cache - Set the autocorrectionType property to
UITextAutocorrectionNo for UITestField
Disable Logs – Disable NSLog and NSAssert
Disable keystroke logging & cut-and-paste buffer for the
most sensitive data, to prevent it from being stored in
plaintext on the device.
Disable Insecure HTTP - Use NSURLConnection along with
canAuthenticateAgainstProtectionSpace
45

Use HTTPS and Secure IOS Methods
Protect sensitive data leaving the device using secure
HTTPS and SSL
IOS: Do not only use NSURL or NSURLConnection . Use
NSURLConnection along with
Syntax:
(BOOL)connection:(NSURLConnection
*)connection
canAuthenticateAgainstProtectionSpace:
(NSURLProtectionSpace
*)protectionSpace

Use Secure cookie flag
Set-Cookie:
AuthenticatedID=nNTzKhxV10bzwW1vMfZXhqVGxWX
h4D8QrkynxV2QMqv2K032WS02!-2076712369;
path=/; /secure
In Java Servlet 3.0, use the following in web.xml
<session-config> <cookie-config> 
<secure>true</secure>  </cookie-
config></session-config>

Use Secure Data Storage
Store sensitive data on the server instead of the client-end
device.
Delete Programmatically - Incorporate an application-specific
"data kill switch" into their products, to allow the per-app
deletion of their application's sensitive data when needed
Assume that shared storage is untrusted
Only collect and disclose data which is required for business
use of the application
48

Encrypt Sensitive Data
Data Protection API - set the NSFileProtectionKey on an
existing file
Keychain – Sensitive data like passwords and keys should be
stored in the Keychain and not in insecure locations like plist
files
CCCrypt & javax.crypto.* package for Android - provides
access to AES, DES, 3DES
SQLCipher (IOS & Android) - transparent 256-
bit AES encryption of database files
49

Strategic Recommendations
• Establish common set of security requirements.
Perform periodic security scans and audits
• Invest in security education for all stakeholders
• Perform server side data validation and
canonicalization
• Define and deploy secure configuration
• Do not log credentials, PII and other sensitive data
• Design and implement all apps under the assumption
that the user’s device will be lost or stolen
• Review all third party libraries before use
51

Agenda
Countermeasures
52

Mobility in the Data Center
Factoring the Data Center into the secure
Mobility design equation

You Need to Know Your Data Center
How secure and resilient are your applications?

Cloud Demand
When you add the pressure of mobility,
the data center becomes mission critical.

DCOS Capabilities
Data Center needs visibility, intelligent control and security.
Let’s consider a day in the life of our 9-digit friend.

DCOS Capabilities
Rest-based API’s
Dynamic Workload Shifting
Easy SDDC Integration
Complete Integration:
Physical, Environmental and
Logical Cloud Stack Layers

Challenge and Opportunity
Mobility is challenging the Data Center, but the mobility tools have to
be built with strong security design considerations:
Proximity
Location
Context
Remote Kill-Switch
Multi-factor Authentication
Encryption

Policy Drive Intelligent Control®

Thanks You!
Questions?
kartik@symosis.com / laboagye@io.com
Ask us about FREE Mobile Apps Security Service &
Training Eval!!
62

Security Imeprative for iOS and Android Apps

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Security Imeprative for iOS and Android Apps

Ähnlich wie Security Imeprative for iOS and Android Apps (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security Imeprative for iOS and Android Apps

Hinweis der Redaktion