3. Who are we?
• Kartik Trivedi (kartik@symosis.com)
– Co-founder of Symosis – Application & Mobile security
– 13 Years in Info Sec – Security Assessments, Penetration testing, Compliance & Training
– Free Mobile App Security / Training Eval
• Lenin Aboagye (laboagye@io.com)
– Director, Information Security & Compliance, IO
– Cloud / Mobile security expert
– Media & Television, Education, Health, Real Estate and Energy industries experience
5. Audience Poll
• What mobile OS do you mostly use?
• How many of you are involved with mobile security, privacy, audits?
• Any mobile developers / architects?
• Does your employer have mobile presence?
7. There is an App for that!
• Pay bills
• File income taxes
• Pay property tax
• Scan & Shop
• Deposit checks
• Transfer money
• Store medical records
• Refill prescription
• Manage health information
• Remember your meds
• Book flight / hotel
• Medscape / pharmacopia
• Small Business Payroll
• Pay invoice
• Location based check in
• Personal finance
• Investments & 401k
• Health & Fitness
• Productivity
• Facebook / twitter
• Place bets on sports
• Utilities
• Store passwords
• Document storage
9. What do Attackers Want?
• Credentials - To your device, to external services (email, banking, etc)
• Access to your device - Sniff your connections, use your device (botnets, spamming), steal trade secrets or other sensitive data
• Personal Data - Full Name, SIN/SSN, Address book data
• Location data
• Cardholder Data - Card Numbers, Expiration, CVV
• Health Data - Prescription information, medical records, procedure summary
• Corporate Data - IP, Design Docs
10. Security Concerns
• Side Channel Data Leakage
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Insecure Data Storage
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Broken Cryptography
• Sensitive Information Disclosure
• Hardcoded password/keys
• Privacy compliance
• Identity exposure
• Activity monitoring and data retrieval
• Unauthorized dialing, SMS, and payments
• Unauthorized network connectivity (data exfiltration or command & control)
• UI (unique identifier) impersonation
• System modification (rootkit, APN proxy configuration)
• Mobile Malware
• Criminals Target and Infect App Stores
• Social-Engineering
• Geolocation compromise
• Security Regulatory Compliance
• Device Risk
• Application management
• Installation of un-verified / unsigned 3rd party apps
11. Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
Mobility in Data Center
12. 1. Side Channel Data Leakage
Data leakage via platform defaults, use of third party libraries, logging, etc.
• Property List Files
• Snapshot (i.e. iOS backgrounding)
Sometimes the result of programmatic flaws
19. Agenda
Introduction
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
Mobility in Data Center
20. 2. Insecure Transport/Server Controls
Failing to encrypt network traffic that carries sensitive data
Insecure server controls - web, application and backend API - can lead to security compromise
21. Demo 3: Insecure Transport
Tools: MITM Proxy, Reflection
Insecure Transport
29. TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
Mobility in Data Center
30. 3. Insecure Data Storage
Locally stored data, on both native and browser based apps, that includes
• SQLite
• Cache files
• Keychain – Is this really secure?
31. Demo 5: SQLite / Cache files
Tools: iExplore, Reflection
SQLite / Cache files
If time permits…
Hacking the Keychain
Tools: Jailbroken device, SSH, keychain_dump
35. TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
Mobility in Data Center
41. Risk & Impact: High
Sensitive Data exposure
• Username & password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information
Loss of Data Confidentiality & Integrity
Data Tampering, Impersonation
Man-in-the-Middle (MITM attack)
Unauthorized access to application data or functionality
Privacy Violations / reputation damage
Session replay, impersonation
42. Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
1. Disable side channel data leakage
2. Use HTTPS and secure iOS methods
3. Insecure Data storage
4. Privacy
Mobility in Data Center
43. Side Channel Data Leakage
Start by identifying all potential side channel data, which includes
• Plist files
• Snapshots
• System / keystroke logs
• Web caches
• Cut-and-paste buffers
Do not store sensitive data (e.g., credentials, tokens, PII) in property list files. Use the iOS Keychain.
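As an added example (not from the slides), a small Python audit that walks an app's property-list files and flags keys or values that look like the credentials and tokens this slide says must not live in a plist. The key-name patterns, the opaque-value heuristic and the sample plist are assumptions constructed for the example.

```python
import plistlib
import re
from typing import Any, Iterator, List, Tuple

# Key names that commonly hold secrets (assumed list; the substring match is
# deliberately broad so that e.g. "user_pin" or "oauth_token" are caught).
SENSITIVE_KEY_RE = re.compile(r"pass(word|wd)?|pin|secret|token|api_?key|auth", re.I)
# Long opaque strings that look like session or OAuth tokens stored under a bland key.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_\-]{24,}$")


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (key path, leaf value) pairs for nested plist dicts and arrays."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}" if path else str(key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node


def audit_plist(data: bytes) -> List[str]:
    """Return key paths whose name or value looks like a stored credential."""
    findings = []
    for path, value in walk(plistlib.loads(data)):
        key = path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY_RE.search(key):
            findings.append(path)
        elif isinstance(value, str) and OPAQUE_VALUE_RE.match(value):
            findings.append(path)
    return findings


# Constructed sample: a preferences plist like those found in an app's sandbox.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>username</key><string>alice</string>
  <key>password</key><string>hunter2</string>
  <key>oauth</key>
  <dict>
    <key>access_token</key><string>constructed-sample-token-0123456789</string>
  </dict>
  <key>theme</key><string>dark</string>
</dict>
</plist>
"""
```

Run `audit_plist(SAMPLE_PLIST)` against each plist found under the app sandbox; every path it returns is data that belongs in the Keychain instead.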
44. Disable Snapshots (3 Options)
Set the key window’s hidden property to YES:
[UIApplication sharedApplication].keyWindow.hidden = YES;
Using the applicationWillResignActive delegate method:
- (void)applicationWillResignActive:(UIApplication *)application {
    [UIApplication sharedApplication].keyWindow.hidden = YES;
}
Use the applicationDidEnterBackground method:
- (void)applicationDidEnterBackground:(UIApplication *)application {
    [UIApplication sharedApplication].keyWindow.hidden = YES;
}
45. Disable Other Leakage
Disable Cache - Set the autocorrectionType property to UITextAutocorrectionTypeNo for UITextField
Disable Logs – Disable NSLog and NSAssert
Disable keystroke logging & cut-and-paste buffer for the most sensitive data, to prevent it from being stored in plaintext on the device.
Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace
46. Use HTTPS and Secure IOS Methods
Protect sensitive data leaving the device using HTTPS and SSL/TLS
iOS: Do not only use NSURL or NSURLConnection. Use NSURLConnection along with the canAuthenticateAgainstProtectionSpace delegate method, so the app can check the server's certificate.
Syntax:
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
47. Use Secure cookie flag
Set-Cookie: AuthenticatedID=nNTzKhxV10bzwW1vMfZXhqVGxWXh4D8QrkynxV2QMqv2K032WS02!-2076712369; path=/; Secure
In Java Servlet 3.0, use the following in web.xml:
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
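An added Python check (not from the slides) that parses a Set-Cookie header the way a browser does and reports a session cookie that lacks the Secure flag; it goes a step beyond the slide by also checking HttpOnly. The headers are constructed with a placeholder session ID, and the first one keeps the "/secure" spelling from the slide to show that a browser treats it as an unknown attribute, not as the Secure flag.

```python
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a dict of its attributes.
    Flag attributes (Secure, HttpOnly) carry no value and are stored as True."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> List[str]:
    """Report a session cookie that lacks the Secure flag (and, beyond the
    slide, the HttpOnly flag, which keeps it out of reach of page scripts)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    problems = []
    if attrs.get("secure") is not True:
        problems.append(f"{cookie['name']}: no Secure flag, browser may send it over plain HTTP")
    if attrs.get("httponly") is not True:
        problems.append(f"{cookie['name']}: no HttpOnly flag, readable by client-side script")
    return problems


# Constructed headers (the session ID is a placeholder, not the slide's value).
# The first follows the slide's "/secure" spelling: a browser parses "/secure" as an
# unknown attribute, so the cookie is NOT marked Secure.
AS_WRITTEN = "Set-Cookie: AuthenticatedID=CONSTRUCTED-SESSION-ID; path=/; /secure"
CORRECTED = "Set-Cookie: AuthenticatedID=CONSTRUCTED-SESSION-ID; Path=/; Secure; HttpOnly"
```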
48. Use Secure Data Storage
Store sensitive data on the server instead of the client-end device.
Delete Programmatically - Incorporate an application-specific "data kill switch" into the app, to allow per-app deletion of its sensitive data when needed
Assume that shared storage is untrusted
Only collect and disclose data which is required for business use of the application
49. Encrypt Sensitive Data
Data Protection API - set the NSFileProtectionKey on an existing file
Keychain – Sensitive data like passwords and keys should be stored in the Keychain and not in insecure locations like plist files
CCCrypt (iOS CommonCrypto) and the javax.crypto.* package (Android) - provide access to AES, DES, 3DES
SQLCipher (iOS & Android) - transparent 256-bit AES encryption of database files
51. Strategic Recommendations
• Establish a common set of security requirements. Perform periodic security scans and audits
• Invest in security education for all stakeholders
• Perform server side data validation and canonicalization
• Define and deploy secure configuration
• Do not log credentials, PII and other sensitive data
• Design and implement all apps under the assumption that the user’s device will be lost or stolen
• Review all third party libraries before use
59. Challenge and Opportunity
Mobility is challenging the Data Center, but the mobility tools have to be built with strong security design considerations:
Proximity
Location
Context
Remote Kill-Switch
Multi-factor Authentication
Encryption
• What mobile OS do you mostly use?
• How many of you are responsible for mobile security?
• Any iOS or Android developers / architects? Tech management? Auditors? Security testers / QA?
• How many are involved with mobile device management, policy development and/or security?
• When you hear mobile security, what do you think of first? MDM/BYOD/MAM?
Mobile App Growth
http://appnationconference.com/main/research/
By far, the largest contributor to this number will be app-enabled commerce, supplemented by forecasted revenue from downloads, in-app advertising and virtual goods.
Side channel data leakage applies to data leakage via platform defaults, use of third party libraries, logging, etc. In order to provide the visual, iOS has been proven to capture and store snapshots. This occurs when a device suspends (rather than terminates) the application: when the home button is pressed, or when a phone call or other event temporarily suspends the application. A plist is a structured text file that contains essential configuration information for a bundled executable.
H&R Block: check images cached
A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in plist files, including authentication credentials, PINs and OAuth tokens. Plist files can be found in several locations in the application directory. An example location and plist file content storing sensitive authentication credentials are shown on the screen.
Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages which are often ignored by users, which in turn enables phishing attacks where users end up providing personal information and private data to malicious websites that look like legitimate applications. Applications that fall back, or can be forced out of, an encrypting mode can also be abused by attackers, resulting in insecure communication. This is common on sites that operate both HTTP and HTTPS services, or that run older versions of SSL on the web server that are vulnerable to downgrade attacks.
In 2011, it was discovered that Android devices transmitted data and the AuthToken session cookie via insecure HTTP. The AuthToken is not bound to any session or device and thus would allow an adversary to access any personal data made available through the service API. This includes Google Calendar, Picasa and contact information for that user. For more, see: http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html
The issue here is the use of an insecure HTTP channel, which allows network eavesdropping of the authToken and user data.
Insecure data storage applies to data stored locally by mobile applications. There are two types of mobile apps: native apps and browser based apps. Native apps are installed on the handset, process data locally and may connect to the internet for updates or for sending user specific information to the server (examples: gaming apps, news apps). Browser based apps are accessible via the mobile browser. This vulnerability applies to both categories of apps. Most apps store user specific information on the mobile device. This data may be stored in clear text and may include:
• Username and password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information
Insecure transport layer protection is considered a high risk security vulnerability. The impact could include:
• Loss of Data Confidentiality & Integrity when sensitive information is revealed to the attacker
• Data Tampering when the attacker modifies application traffic and forces the user to accept it
• Man-in-the-Middle (MITM attack) if an attacker diverts all traffic through an insecure channel
• Impersonation if the attacker hijacks the user account
To disable snapshots, use one of the 3 solutions provided. 1. Set the key window’s hidden property to YES. This will cause whatever content is currently displayed on the screen to be hidden, resulting in a blank screenshot where any content would normally reside: [UIApplication sharedApplication].keyWindow.hidden = YES; Bear in mind that, if you have any other views behind the current view, these may become visible when the key window is hidden. Ensure that you are adequately hiding any other windows when performing this action.
Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches sensitive information, it may be recoverable. For UITextField, look into setting the autocorrectionType property to UITextAutocorrectionTypeNo to disable caching. Set UITextField to OFF to prevent caching altogether. Add an enterprise policy to clear the keyboard dictionary at regular intervals. This can also be done by the end user by simply going to the Settings application, General > Reset > Reset Keyboard Dictionary.
It is recommended to use NSURLConnection along with canAuthenticateAgainstProtectionSpace. The syntax is shown on the screen.
To protect the authorization token when set in a cookie, the application should specify the Secure attribute. This will result in the application sending that specific cookie only over an HTTPS connection. In a Java Servlet 3.0 or newer environment, the secure cookie flag is enforced using the web.xml configuration setting shown on screen.
Avoid local storage on the device. If local storage is required, encrypt data securely. Data is encrypted on the iOS and Android platforms in several ways, including:
• Data Protection API (iOS)
• Keychain (iOS)
• Common Crypto (iOS)
• SQLCipher for SQLite (iOS & Android)
• Java Crypto (Android)
How well do you know your Data Center? How secure and resilient are your applications? Visibility, Transparency, Measurability, Control, Awareness, Proactive
REST-based APIs that provide feeds on power, cooling, physical security, etc. Ability to shift workloads to different geographical locations on physical security breaches. Easy integration with SDDC software. Complete integration of the physical, environmental & logical layers of the cloud stack.
With great power comes great responsibility: design considerations for mobile applications
• Proximity-based access control
• Multi-factor authentication
• Location-aware access control
• Context-based access
• Remote app and data kill-switch
• Sensitive credentials stored server side
• Configurable TTL
• Sensitive cached data stored in an encrypted volume (e.g. keychain for IO.OS)