Hacking Mobile Applications – Industry Case Studies Michael Gianarakis Securus Global

Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies

Jul 18, 2015

eightbit
Transcript
Page 1: Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Case Studies

Hacking Mobile Applications – Industry Case Studies

Michael Gianarakis Securus Global

Page 2

Introduction

About Me

•  Michael Gianarakis
•  Senior Security Consultant
•  Working in application security for seven years
•  Focus on mobile application security

Pages 3-5

Overview

Mobile platforms have presented many opportunities for businesses and online retailers…. BUT it’s also created a lucrative target for hackers.

Pages 6-8

Key Takeaways

Understand

Identify

Defend

Page 9

Before we get started….

Pages 10-16

Understanding the Risks – Mobile Threat Model

Components of the threat model (built up across the slides):

•  Mobile Application
•  Mobile Device
•  User
•  Back End Web Service
•  3rd Party Applications
•  3rd Party Web Service

Page 17

Understanding the Risks – Mobile Threat Model

So what are the threats?

Pages 18-24

Understanding the Risks – Mobile Threat Model

Threat diagram over the same components: Mobile Application, Mobile Device, User, Back End Web Service, 3rd Party Applications, 3rd Party Web Service.

Pages 25-26

Understanding the Risks

Page 27

Identify the Threats

•  Focus on the most prevalent risks and how they can be exploited:
    •  Insecure data storage
    •  Insufficient transport layer protection (communication security)
    •  Client side injection

Page 28

Identify the Threats – Insecure Data Storage

•  Improperly secured data stored on the device is very common
•  I have come across all kinds of sensitive information stored in clear text including:
    •  Usernames and passwords
    •  Encryption keys
    •  Personal information
    •  Location data

Page 29

Identify the Threats – Insecure Data Storage

•  Two main types of insecure data storage:

1.  Sensitive data stored on the device by the application that was not secured appropriately by the developer

2.  Data stored by the operating system automatically

Page 30

Identify the Threats – Insecure Data Storage

•  Sensitive data not appropriately secured by the developer includes:
    •  Unencrypted databases
    •  Storing sensitive information in preference files
    •  Encrypting data but storing the encryption key in a clear text file
    •  Logging sensitive information to the device logs

Pages 31-34

Identify the Threats – Insecure Data Storage

This was in a banking app!

Page 35

Identify the Threats – Insecure Data Storage

•  Sensitive data stored by the operating system:
    •  Backgrounding screenshots (iOS)
    •  Caches (browser caching, autocorrect etc.)
    •  Pasteboard
•  Oftentimes developers do not realise that the OS is storing this information
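A check a tester can run against an extracted app container for the data-at-rest issues on pages 28 to 35 (clear-text credentials in preference files, unencrypted databases, encryption keys in clear-text files, device logs, and OS-created background screenshots). This is an added example, not code from the talk; the sandbox layout, file names and the SENSITIVE keyword list are constructed assumptions.

```python
"""Audit an extracted app container for data left at rest (added example, not from the talk)."""
import os, plistlib, re, sqlite3, tempfile

# Constructed keywords for the data classes the slides list; widen per app under test.
SENSITIVE = re.compile(r"password|secret|\bkey\b|token|card", re.I)

def scan_plist(path):                      # preference files (NSUserDefaults)
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return [(path, k) for k in data if SENSITIVE.search(k)]

def scan_sqlite(path):                     # unencrypted databases: inspect the schema
    con, hits = sqlite3.connect(path), []
    for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
        hits += [(path, f"{t}.{c}") for c in cols if SENSITIVE.search(c)]
    con.close()
    return hits

def scan_text(path):                       # device logs and stray key files
    with open(path, errors="replace") as f:
        return [(path, f"line {n}") for n, l in enumerate(f, 1) if SENSITIVE.search(l)]

SCANNERS = {".plist": scan_plist, ".db": scan_sqlite, ".sqlite": scan_sqlite,
            ".log": scan_text, ".key": scan_text}

def audit_container(root):
    """Return (file, finding) pairs; each finding is one anti-pattern from the slides."""
    findings = []
    for d, _, files in os.walk(root):
        for p in (os.path.join(d, n) for n in files):
            scanner = SCANNERS.get(os.path.splitext(p)[1])
            if scanner:
                findings += scanner(p)
            if os.sep + "Snapshots" + os.sep in p:   # iOS backgrounding screenshots
                findings.append((p, "background snapshot"))
    return findings

def build_sample_container():              # constructed sandbox, one issue per file
    root = tempfile.mkdtemp()
    for sub in ("Documents", "Library/Preferences", "Library/Caches/Snapshots"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "Library/Preferences/app.plist"), "wb") as f:
        plistlib.dump({"user": "alice", "password": "hunter2"}, f)   # clear-text credential
    con = sqlite3.connect(os.path.join(root, "Documents/app.db"))
    con.execute("CREATE TABLE users (id INTEGER, card_number TEXT)")  # unencrypted PII
    con.commit(); con.close()
    with open(os.path.join(root, "Documents/app.key"), "w") as f:
        f.write("aes key: 0123456789abcdef\n")        # key stored beside the data it protects
    open(os.path.join(root, "Library/Caches/Snapshots/shot.png"), "wb").close()
    return root
```

Run `audit_container(build_sample_container())` to see the four findings; on a real engagement point it at the container pulled from the device.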

Pages 36-37

Identify the Threats – Insecure Data Storage

Page 38

Identify the Threats – Insufficient Transport Layer Security

•  Most users will connect their devices to untrusted networks
•  It is common to find insecurely implemented communication security:
    •  Lack of SSL validation
    •  Unencrypted communications

Page 39

Identify the Threats – Insufficient Transport Layer Security

Page 40

Identify the Threats – Client Side Injection

•  In web applications, injection issues such as XSS and SQL Injection are a big problem
•  Still found in mobile applications
•  Can be worse in mobile applications - runtime manipulation can lead to significant security issues

Pages 41-43

Identify the Threats – Client Side Injection

Page 44

Defending Mobile Applications

•  Challenges
    •  Devices are easily lost, stolen or compromised
    •  Multiple attack vectors outside of your control
    •  Once the security of the device is compromised ‘all bets are off’
    •  Platform is constantly evolving
    •  Customer expectation of rapid iteration
    •  Developer inexperience with platforms (although this is improving)

Page 45

Defending Mobile Applications

•  First of all focus on the basics:
    •  Define the risk profile of the application
    •  Secure development practices
    •  Thorough security testing
    •  Monitoring and review

•  Effective information security is a process for managing business risk, not a product. Beware of “silver bullet” solutions.

•  The security of your application is your responsibility - not Apple’s, Google’s or Microsoft’s

Page 46

Defending Mobile Applications

•  Mobile application security design principles

•  Assume the client is compromised

•  Assume the application will connect to untrusted networks

•  Assume that the underlying operating system is compromised

Page 47

Defending Mobile Applications

•  Assume the client is compromised

•  Do not store sensitive information on the device

•  Do not implement sensitive functionality in the client – always implement on the server

•  Do not trust user input

Page 48

Defending Mobile Applications

•  Assume the application will connect to untrusted networks
    •  Do not transmit sensitive information unencrypted
    •  Do not use weak encryption
    •  Establish and validate the certificate chain

Pages 49-50

Defending Mobile Applications

•  Assume the underlying operating system is compromised
    •  Genuine users will jailbreak their devices
    •  Attackers will jailbreak target devices
    •  Do not assume that physical access to the device is necessary for an attacker to compromise the device

Page 51

Defending Mobile Applications

•  Data Security
    •  Preference is to not store sensitive data
    •  Be realistic about requirements to actually store data (remember these devices are always connected)
    •  Be conscious of inadvertent data leakage by the operating system
    •  If storing sensitive data – encrypt, but be aware of key management difficulties

Page 52

Defending Mobile Applications

•  Communication Security
    •  Encrypt all traffic
    •  ALWAYS validate certificates
    •  Certificate pinning
    •  Be aware of lax controls in development environments filtering through to production
    •  Do not use weak protocols or configurations open to known attacks (SSLv2, BEAST, CRIME etc.)
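The transport points from pages 38, 48 and 52 in code: the lax development-style TLS setup beside a context that validates the chain and hostname and refuses old protocol versions, a certificate pin check applied after chain validation, and a release gate that catches the lax setting before it reaches production. This is an added example, not the talk's code; the placeholder pin set, the full-certificate pinning scheme and `connect_pinned` are assumptions.

```python
"""Transport hardening for an app's back-end calls (added example, not the talk's code)."""
import hashlib, socket, ssl

# Constructed placeholder: SHA-256 hex of the server certificate (DER) that the app
# ships with.  A real deployment pins the SPKI hash and carries a backup pin.
PINNED_CERT_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000000"}

def lax_context():
    """The dev-environment setting that must not filter through to production."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # hostname is not checked ...
    ctx.verify_mode = ssl.CERT_NONE       # ... and any certificate is accepted
    return ctx

def hardened_context():
    """Validate the chain, check the hostname and refuse old protocol versions."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv2/3, TLS 1.0/1.1
    return ctx

def cert_pin(der_cert):
    """Pin value for a certificate as returned by getpeercert(binary_form=True)."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert, pins=PINNED_CERT_SHA256):
    """Second check after chain validation: is this the certificate we shipped with?"""
    return cert_pin(der_cert) in pins

def is_production_safe(ctx):
    """Release gate: catch lax controls before they reach production builds."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def connect_pinned(host, port, pins=PINNED_CERT_SHA256):
    """Open a validated, pinned connection; fails closed on a pin mismatch (needs network)."""
    ctx = hardened_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return sock
```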

Page 53

Defending Mobile Applications

•  Injection and Runtime Security
    •  Don’t trust user input
    •  Although hard to implement, consider runtime security mechanisms:
        •  Anti-debugging
        •  Jailbreak detection
        •  Tamper response

Page 54

Defending Mobile Applications

•  Unfortunately it is impossible to completely secure mobile applications

•  Anybody with a copy of the application and a debugger can compromise the security of the application

•  The aim is to make it significantly harder for the attacker such that the economic benefits of attacking the application are outweighed by the difficulty of the attack.

Page 55

Questions?