Top 7 Mobile App Attacks and How To Prevent Them

Sameer Dixit, Managed Services

Chris Harget, Product Marketing
Agenda

Enterprise Mobile App Trends

Top Mobile App Attacks

How To Be Safer

Cenzic, Inc. - Confidential, All Rights Reserved.
Mobile App Factoids
• ~14 Billion tablet-app downloads in 2013 [1]
• ~82 Billion smartphone-app downloads in 2013 [2]
• Average US smartphone user has 41 apps and spends 39 minutes/day using them [3]
• 91% of apps free, only 9% paid for – Gartner 2012

1. ABI Research March 2013 prediction
2. Portio Research March 2013 forecast
3. Nielsen, http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html
Mobile User Service Options

Mobile-Optimized Web Sites:
• HTML5 gives some cross-platform capability
• No install, convenient for low-usage apps
• Works with standard vulnerability scanning

Native Mobile Apps:
• Native container => tighter integration
• More user commitment required to begin
• Requires mobile-specific vulnerability scanning
Mobile App Space Less Mature
• Fewer security experts than on Web apps
• Development practices often leave out security
• New kinds of data to secure (GPS, camera, microphone, texts, international calling)

Mobile App Security Is Harder
• Mobile devices are less physically secure
• Mobile traffic more likely to be visible to others – through the air
Mobile Apps For Customers
• Shopping App
• Rewards Programs, Coupons
• Games/Marketing
• Account Management

Mobile Apps For Employees
• Email, Calendar, Contacts, Tasks
• Salesforce.com
• Order Entry
• Quoting Tool
• Field Support
• Inventory Tracking
• Point of Sale
• Field Enablement
• Approvals
• Collaboration

Mobile Apps For Partners
• Order Entry
• Order Tracking
• Technical Support
• Inventory Availability
• Lead Referral
• Product Catalogue
• Price List
Enterprise Mobile Apps Trends
• Give free apps to prospects/customers for acquisition/retention
  – The share of app revenue from in-app purchases will grow from 10% in 2011 to 41% in 2016 - Gartner
• By 2016, 25% of enterprises will have private app stores – Gartner, April 2013
  – Reduce risk from BYOD (Bring Your Own Device)
• Mobile Apps often funded/developed by business units, not IT
Enterprise Mobile App Dev. Costs
• 54% of apps cost $25K-$100K.

Enterprise Mobile App Update Frequency
• 80% of respondents update mobile apps at least 2x/year.
  – http://www.anypresence.com/Mobile_Readiness_Report_2013.php
Summing Up Trends
• Enterprises developing apps for many reasons
• Data and brand exposure increasing rapidly
• Mobile app security practices generally inadequate

Top 7 Mobile App Attacks
1. Exploiting Unencrypted Data
• Sensitive plist, xml and sqlite files, e.g., last logged in user, address, usernames, GPS coordinates, photos, videos etc.
• Stored passwords
2. Excessive Access Privileges
• Some apps unnecessarily grant access to the user's phone directory, calendar, GPS, camera, microphone, etc.
• => Theft of corporate info, fraud, and violation of privacy
3. Exploiting Inputs That Are Not Validated
• SQL Injection
• XML Bombs
• Cross-Site Scripting
4. Session Left Active When App Exited
• Poor session management
• User closes app, but is not logged out of server
• Attacker may pick up session and steal data, funds or merchandise
5. Insecure Transmission
• GET request for username, account number, GPS coordinates, device UDID, user info, etc.
• …Sent In The Clear!
• Mobile traffic more likely to be visible to others than wired traffic
6. Parameter Manipulation in Mobile Web Services
“Parameter Manipulation in REST Services”
• E.g., …/id/1234
• change to …/id/3456/
• Gives access to another ID's account
7. Lack of Automated Lockouts
• Unlike Web apps, most mobile apps don't implement lockout capability after 3, or 5 or 10 failed login attempts.
• PIN or password is often cached on the mobile device
• If someone gets control of your phone or tablet, they may be able to brute-force your app passwords without the server ever knowing
Mobile App Attacks In Action…

LIVE HACK I – Unencrypted Data Storage

LIVE HACK II - Insecure Data Transmission

A Few…
1. Encrypt Data Storage
• Encrypt sensitive plist, xml and sqlite files that contain information such as last logged in user, address, usernames, GPS coordinates, photos and videos etc.
2. Restrict Access Privileges
Restrict granting excess permissions and privileges to the application on the device.
Example: Disallow update access to the user's phone directory, calendar, GPS, camera, microphone etc.
3. Validate Inputs
Ensure that the application validates all inputs, both at client and server side, to avoid issues such as XSS, SQL injection, XML bombs, information disclosure etc.
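The server-side half of this slide, as an added example in Python that is not part of the Cenzic deck: a SQLite lookup written the insecure way (the field is spliced into the SQL text) beside the validated and parameterised form, and a guard for XML request bodies that refuses any DTD, since entity-expansion ("XML bomb") payloads depend on ENTITY declarations that only a DTD can carry. The user table, sample rows, request bodies, size cap and the probe string are all constructed for the demonstration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Allow-list for a username field: letters, digits and a few separators only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")

# Constructed sample data standing in for the app backend's user table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def setup_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Splices the untrusted value into the SQL text, so it can reshape the query."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, name):
    """Validates the field first, then binds it as a parameter so it stays data."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username failed validation")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


MAX_XML_BYTES = 64 * 1024  # constructed size cap for a mobile API request body


def parse_xml_safely(data):
    """Rejects oversized bodies and any DTD before the bytes reach the parser.

    The stdlib parser expands internal entities, so screening out DOCTYPE and
    ENTITY declarations removes the whole entity-expansion class of input.
    """
    if len(data) > MAX_XML_BYTES:
        raise ValueError("XML body exceeds size limit")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD and entity declarations are not accepted")
    return ET.fromstring(data)


# Constructed request bodies: one benign, one carrying a DTD that the parser
# would expand if it were not screened out first.
BENIGN_XML = b"<order><sku>A-100</sku><qty>2</qty></order>"
DTD_XML = b'<!DOCTYPE order [<!ENTITY x "filler">]><order>&x;</order>'


def demo():
    """Runs both lookups against a constructed probe that is not a username."""
    conn = setup_db()
    probe = "nobody' OR '1'='1"  # constructed: a quote and a tautology, no user
    leaked = lookup_vulnerable(conn, probe)
    try:
        lookup_hardened(conn, probe)
        blocked = False
    except ValueError:
        blocked = True
    return {"vulnerable_rows": len(leaked), "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
    print(parse_xml_safely(BENIGN_XML).tag)
```

The validation step and the parameter binding do different jobs: the allow-list rejects anything that does not look like a username before it reaches the database, and the bound parameter guarantees that even a value which passes validation can never be interpreted as SQL. Doing both on the server matters because client-side checks in the app can be bypassed by anyone who talks to the API directly.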
4. Manage Sessions Assertively
In a native client-server mobile application, always invalidate the session after logout, both at the client and at the server side.
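Attack 4 and this mitigation together, as an added example in Python that is not part of the Cenzic deck: a server-side session table that the backend consults on every request, a stand-in for the native client, and a scenario showing that a token left behind when the app is simply closed still resolves, while a token that has been logged out on the server does not. The session store, the client class, the idle timeout and the user names are all constructed; a production service would keep the table in a shared store rather than in memory.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed policy: drop sessions idle this long


class SessionStore:
    """Server-side session table; the server, not the client, decides validity."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the expiry path can be exercised
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # opaque, unguessable identifier
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def logout(self, token):
        """Invalidate on the server; deleting the client's copy alone is not enough."""
        return self._sessions.pop(token, None) is not None

    def resolve(self, token):
        """Return the user for a token, or None if unknown, logged out or idle-expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]


class MobileClient:
    """Constructed stand-in for the native app's token handling."""

    def __init__(self, store):
        self.store = store
        self.token = None

    def sign_in(self, user):
        self.token = self.store.login(user)

    def sign_out(self):
        # Both halves of the mitigation: server-side invalidation, then a client wipe.
        if self.token is not None:
            self.store.logout(self.token)
        self.token = None

    def close_app_without_logout(self):
        # The attack-slide scenario: the app exits but the token stays valid.
        return self.token


def scenario(store=None):
    """Shows a token surviving an app exit but dying after a real logout."""
    store = store or SessionStore()
    client = MobileClient(store)
    client.sign_in("alice")
    leftover = client.close_app_without_logout()
    still_valid = store.resolve(leftover) == "alice"  # True: nothing invalidated it
    client.token = leftover
    client.sign_out()
    after_logout = store.resolve(leftover)  # None: the server rejects it now
    return still_valid, after_logout


if __name__ == "__main__":
    print(scenario())
```

The idle timeout is the backstop for the case the slide describes: when the app is closed without a logout call, the server still retires the session on its own after a bounded period, so a token recovered later from the device or from the network has a limited lifetime.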
5. Use POST Request For Sensitive Data
Use an encrypted POST request rather than GET for sensitive information such as username, account number, GPS coordinates, device UDID, and address etc.
6. Encrypt REST Parameters
• Obfuscate session-related info
• Use strict session management policies with tighter authorization boundary and privileges
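Attack 6 (the …/id/1234 to …/id/3456 change) and this mitigation together, as an added example in Python that is not part of the Cenzic deck. It shows the handler that trusts the path parameter beside one that checks the record belongs to the signed-in user, which is the fix that actually closes the hole, and adds the slide's "obfuscate" idea as an HMAC-tagged opaque reference so that an edited identifier fails verification before any lookup happens. The account table, the signing key, the tag length and the handler's status codes are all constructed.

```python
import base64
import hashlib
import hmac

# Constructed account table standing in for the backend's data store.
ACCOUNTS = {
    1234: {"owner": "alice", "balance": 100},
    3456: {"owner": "bob", "balance": 250},
}

# Constructed key; a real service loads this from its secret store and rotates it.
SERVER_KEY = b"demo-key-for-reference-signing"
TAG_LEN = 16


def get_account_vulnerable(session_user, account_id):
    """Trusts the path value: any signed-in user can read any account."""
    return ACCOUNTS.get(account_id)


def get_account_hardened(session_user, account_id):
    """Object-level authorization: the record must belong to the caller."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        return None  # identical answer for "missing" and "not yours"
    return record


def make_ref(account_id):
    """Wrap an internal id in a tamper-evident, opaque reference for the client."""
    body = str(account_id).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


def parse_ref(ref):
    """Recover the id only if the tag verifies; an edited reference yields None."""
    try:
        raw = base64.urlsafe_b64decode(ref + "=" * (-len(ref) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return int(body) if body.isdigit() else None


def handle_get_account(session_user, ref):
    """Handler for GET .../accounts/<ref>: verify the reference, then authorize."""
    account_id = parse_ref(ref)
    if account_id is None:
        return 400, None
    record = get_account_hardened(session_user, account_id)
    return (200, record) if record else (404, None)


def edited_ref(ref, new_id):
    """Constructed tampering check: keep the tag, swap the id, no key involved."""
    raw = base64.urlsafe_b64decode(ref + "=" * (-len(ref) % 4))
    forged = str(new_id).encode() + raw[-TAG_LEN:]
    return base64.urlsafe_b64encode(forged).decode().rstrip("=")


if __name__ == "__main__":
    ref = make_ref(1234)
    print(handle_get_account("alice", ref))
    print(handle_get_account("bob", ref))
    print(handle_get_account("alice", edited_ref(ref, 3456)))
```

The ownership check is the control that matters; the signed reference only stops casual editing of the URL and must never replace the authorization step, because a valid reference for one account can still be replayed by a different signed-in user, as the "bob" call shows.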
7. Use Automated Lockouts
• If a mobile app login fails 5-10x in a row, lock out in some fashion, flag activity in app and server logs, etc.
• Lock the application for a period of time to avoid brute-force hacks
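The lockout described on this slide and the server-side verification that attack 7 says is missing, as an added example in Python that is not part of the Cenzic deck: the password is checked on the server against a salted PBKDF2 hash rather than from a PIN or password cached on the handset, every failure is counted and logged there, and the account is locked for a fixed period once the threshold is hit. The threshold, lock duration, user record and password are all constructed policy values for the demonstration.

```python
import hashlib
import hmac
import logging
import os
import time

MAX_FAILURES = 5           # constructed policy: lock after this many misses
LOCKOUT_SECONDS = 15 * 60  # constructed policy: length of the lock

log = logging.getLogger("mobile-auth")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage or checking."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user record; verification happens on the server, never against a
# credential cached on the device, so the server sees every attempt.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _DIGEST)}


def password_matches(user, password):
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class LoginGuard:
    """Counts failures per account on the server and locks after MAX_FAILURES."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the lock expiry can be exercised
        self._failures = {}
        self._locked_until = {}

    def locked_for(self, user):
        """Seconds of lock remaining for this account, or 0 if it is not locked."""
        remaining = self._locked_until.get(user, 0) - self._now()
        return max(0, remaining)

    def attempt(self, user, password):
        """Returns "ok", "failed" or "locked"; logs every failure and every lock."""
        if self.locked_for(user) > 0:
            log.warning("login attempt on locked account user=%s", user)
            return "locked"
        if password_matches(user, password):
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        log.warning("failed login user=%s failures=%d", user, count)
        if count >= MAX_FAILURES:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            log.error("account locked user=%s for %ds", user, LOCKOUT_SECONDS)
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    print([guard.attempt("alice", "wrong") for _ in range(MAX_FAILURES)])
    print(guard.attempt("alice", "correct horse battery staple"))
```

Because the correct password is refused while the lock is active, the lock also bounds guessing that alternates between candidates; the log lines are what gives the operations team the signal the slide asks for, so they belong in the server log, not only in the app.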
Cenzic Can Help
• Cenzic is a leading provider of Mobile Application Scanning Services.
• 10+ Years
• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
• Cenzic experts conduct business logic and forensic analysis of mobile apps

Customers Rate Cenzic Higher
• 2013 Gartner surveyed App Security Testing Customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!

Complete Enterprise Security by Cenzic
[Diagram: Enterprise Application Security across Pre-production & App Development, Production, and Partner / Supply Chain]

Application Security for Web, Web Services & Mobile
+1.408.429-7400
