Here's your chance to learn about the most common mobile threats and how to protect your organization from malicious attack. The slides:
• DESCRIBE why mobile apps are uniquely vulnerable
• SURVEY the 7 most common mobile attacks
• HIGHLIGHT ways to find mobile app vulnerabilities
1. Top 7 Mobile App Attacks and How To Prevent Them
Sameer Dixit, Managed Services
Chris Harget, Product Marketing
2. Agenda
Enterprise Mobile App Trends
Top Mobile App Attacks
How To Be Safer
Cenzic, Inc. - Confidential, All Rights Reserved.
3. Mobile App Factoids
~14 Billion tablet-app downloads in 2013 [1]
~82 Billion smartphone-app downloads in 2013 [2]
Average US smartphone user has 41 apps and
spends 39 minutes/day using them [3]
91% of apps free, only 9% paid for – Gartner 2012
1. ABI Research March 2013 prediction
2. Portio Research March 2013 forecast
3. Nielsen, http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html
4. Mobile User Service Options
Mobile-Optimized Web Sites:
• HTML5 gives some cross-platform capability
• No install, convenient for low-usage apps
• Works with standard vulnerability scanning
Native Mobile Apps:
• Native container => tighter integration
• More user commitment required to begin
• Requires mobile-specific vulnerability scanning
5. Mobile App Space Less Mature
Fewer security experts than on Web apps
Development practices often leave out security
New kinds of data to secure (GPS, camera,
microphone, texts, international calling)
6. Mobile App Security Is Harder
Mobile devices are less physically secure
Mobile traffic more likely to be visible to others
– Through the air
7. Mobile Apps For Customers
Shopping App
Rewards Programs, Coupons
Games/Marketing
Account Management
8. Mobile Apps For Employees
Email, Calendar, Contacts, Tasks
Salesforce.com
Order Entry
Quoting Tool
Field Support
Inventory Tracking
Point of Sale
Field Enablement
Approvals
Collaboration
9. Mobile Apps For Partners
Order Entry
Order Tracking
Technical Support
Inventory Availability
Lead Referral
Product Catalogue
Price List
10. Enterprise Mobile Apps Trends
Give free apps to prospects/customers for
acquisition/retention
– The share of app revenue from in-app purchases will
grow from 10% in 2011 to 41% in 2016 - Gartner
By 2016, 25% of enterprises will have private app
stores – Gartner, April 2013
– Reduce risk from BYOD (Bring Your Own Device)
Mobile Apps often funded/developed by business
units, not IT
11. Enterprise Mobile App Dev. Costs
54% of apps cost $25K-$100K.
12. Enterprise Mobile App Update Frequency
80% of Respondents update mobile apps at least 2x/year.
http://www.anypresence.com/Mobile_Readiness_Report_2013.php
13. Summing Up Trends
Enterprises developing apps for many reasons
Data and brand exposure increasing rapidly
Mobile app security practices generally inadequate
14. Top 7 Mobile App Attacks
15. 1. Exploiting Unencrypted Data
Sensitive plist, xml and sqlite files
E.g., Last logged in user, address,
usernames, GPS coordinates,
photos, videos etc.
Stored passwords
16. 2. Excessive Access Privileges
• Some apps unnecessarily grant
access to user’s…
• …Phone Directory, Calendar, GPS,
Camera, Microphone, etc.
• => Theft of corporate info, fraud,
and violation of privacy
17. 3. Exploiting Inputs That Are Not Validated
• SQL Injection
• XML Bombs
• Cross-Site Scripting
18. 4. Session Left Active When App Exited
• Poor Session Management
• User closes app, but is not logged out
of server
• Attacker may pick up session and
steal data, funds or merchandise
19. 5. Insecure Transmission
• GET request for Username, Account Number, GPS
coordinates, Device UDID, User Info, etc.
• …Sent In The Clear!
• Mobile traffic more likely to be visible to
others than wired traffic
20. 6. Parameter Manipulation in Mobile Web Services
“Parameter Manipulation in REST
Services”
• E.g.,
…/id/1234
• change to
…/id/3456/
• Gives access to another ID’s account
21. 7. Lack of Automated Lockouts
• Unlike Web apps, most mobile apps
don’t implement lockout capability
after 3, or 5 or 10 failed login attempts.
• PIN or password is often cached on
the mobile device
• If someone gets control of your phone
or tablet, they may be able to brute-force your app passwords
without the server ever knowing
26. 1. Encrypt Data Storage
• Encrypt…sensitive
plist, xml and
sqlite files that contain
information such as
• …last logged in user, address,
usernames, GPS coordinates,
photos and videos etc.
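Slides 15 and 26 name the files that leak (plist, xml, sqlite) and the fix (encrypt them), but not how to find the leaks in your own app before an attacker does. The following script is an added example, not from the Cenzic deck or its Hailstorm product: it walks an app's data directory and reports plist keys, xml elements and sqlite columns whose names look sensitive and that actually hold plaintext values. The sandbox it scans is constructed in a temporary directory, and the SENSITIVE name pattern and the function names are assumptions for this example.

```python
import os
import plistlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Assumed heuristic: key/column names that should never hold plaintext values on the device.
SENSITIVE = re.compile(r"user|password|passwd|pin|token|secret|gps|latitude|longitude|address", re.I)


def scan_plist(path):
    """Report top-level plist keys with a sensitive-looking name and a non-empty string value."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return [(path, k) for k, v in data.items()
            if SENSITIVE.search(k) and isinstance(v, str) and v]


def scan_xml(path):
    """Report elements whose tag or name= attribute looks sensitive and that carry text."""
    root = ET.parse(path).getroot()
    hits = []
    for el in root.iter():
        key = el.get("name") or el.tag
        if SENSITIVE.search(key) and (el.text or "").strip():
            hits.append((path, key))
    return hits


def scan_sqlite(path):
    """Report table.column pairs with a sensitive-looking name that hold any non-NULL rows."""
    conn = sqlite3.connect(path)
    hits = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]
            if SENSITIVE.search(col):
                n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()[0]
                if n:
                    hits.append((path, f"{table}.{col}"))
    conn.close()
    return hits


def scan_app_dir(root):
    """Walk the app's data directory and collect findings from every supported file type."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings += scan_plist(p)
            elif name.endswith(".xml"):
                findings += scan_xml(p)
            elif name.endswith((".sqlite", ".db")):
                findings += scan_sqlite(p)
    return sorted(findings)


def build_sample_sandbox():
    """Constructed app sandbox containing the kinds of plaintext leaks slide 15 lists."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "Prefs.plist"), "wb") as f:
        plistlib.dump({"lastUser": "alice", "password": "hunter2", "theme": "dark"}, f)
    with open(os.path.join(d, "settings.xml"), "w") as f:
        f.write("<map><string name='apiToken'>abc123</string><gps>37.42,-122.08</gps></map>")
    conn = sqlite3.connect(os.path.join(d, "cache.sqlite"))
    conn.execute("CREATE TABLE contacts (name TEXT, address TEXT)")
    conn.execute("INSERT INTO contacts VALUES ('Bob', '1 Main St')")
    conn.commit()
    conn.close()
    return d


if __name__ == "__main__":
    for path, field in scan_app_dir(build_sample_sandbox()):
        print(f"plaintext sensitive field: {field} in {os.path.basename(path)}")
```

Run it against a copy of the app's container pulled from a test device or simulator. Every hit is a value that should either move to the platform keychain/keystore or live in an encrypted store, which is the fix slide 26 is asking for.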
27. 2. Restrict Access Privileges
Restrict granting excess
permissions and privileges to the
application on the device.
Example: disallow update access to the
user's phone directory, calendar, GPS,
camera, microphone, etc.
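Slides 16 and 27 say to stop granting permissions the app does not need, which is easiest to enforce at build time. The following script is an added example, not from the deck: it parses an Android manifest, lists the permissions declared, and reports any that are not in the set the feature owners have justified, tagging the ones that expose the data types the slide names. The manifest and the justified set are constructed for this example; the permission strings are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Standard Android permissions mapped to the data slide 16 calls out.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "phone directory",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "texts",
    "android.permission.CALL_PHONE": "phone calls",
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def audit_permissions(manifest_xml: str, justified) -> list:
    """Return (permission, exposed data) for each declared permission nobody has justified."""
    excess = declared_permissions(manifest_xml) - set(justified)
    return sorted((p, HIGH_RISK.get(p, "other")) for p in excess)


# Constructed manifest for a hypothetical shopping app with a barcode scanner.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Assumed: the only permissions the product owner has signed off on.
JUSTIFIED = {"android.permission.INTERNET", "android.permission.CAMERA"}

if __name__ == "__main__":
    for perm, exposes in audit_permissions(SAMPLE_MANIFEST, JUSTIFIED):
        print(f"unjustified permission {perm} (exposes: {exposes})")
```

Wire a non-empty result into a failing CI step so an extra permission added by a library or a copied template is caught before release rather than by users reading the install prompt.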
28. 3. Validate Inputs
Ensure that application
validates all inputs…
…both at client and server
side…
…to avoid issues such as
XSS, SQL injection, XML bombs,
information disclosure etc.
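Slides 17 and 28 name three input-validation failures but show no code. The following module is an added example, not from the deck, of the server-side half of slide 28 (the half that cannot be bypassed by a modified client) for each of them: the SQL lookup built by string concatenation next to its parameterized form, a pre-check that refuses XML carrying DTD or entity declarations before the parser can expand them, and allowlist validation plus HTML output encoding for cross-site scripting. The user table, payloads and function names are constructed for this example.

```python
import html
import re
import sqlite3
import xml.etree.ElementTree as ET


def make_db() -> sqlite3.Connection:
    """Constructed user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


# 1. SQL injection: concatenation (the bug) vs. bound parameters (the fix)
def lookup_vulnerable(conn, username: str):
    """Client input is pasted into the SQL text, so it can change the query's logic."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """The value travels as a bound parameter and is only ever compared as data."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


# 2. XML bombs: entity expansion needs a DTD, which a mobile API never needs to accept
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def parse_xml_safe(payload: bytes) -> ET.Element:
    """Reject any document carrying DTD/entity declarations before the parser sees it."""
    if DTD_RE.search(payload):
        raise ValueError("DTD and entity declarations are not accepted")
    return ET.fromstring(payload)


# 3. Cross-site scripting: allowlist structured fields, HTML-encode free text on output
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> str:
    """Positive validation: only the expected character set and length pass."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def render_greeting(display_name: str) -> str:
    """Free text cannot be allowlisted, so encode it wherever it is rendered as HTML."""
    return "<p>Hello, " + html.escape(display_name) + "</p>"
```

The same validation on the client improves the user experience, but only the server copy counts as a control: a proxy between app and server sees the raw request and can resend anything it likes.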
29. 4. Manage Sessions Assertively
In a native client server mobile
application, always invalidate the
session after logout…
…both at the client and at the
server side.
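Slide 18 describes the session that outlives the app, and slide 29 says to invalidate on both sides. The following is an added example, not from the deck, of what that looks like for a native client/server app: the server keeps an opaque-token session table with an idle timeout, the client holds the token only in memory, and logout clears both. The class names are hypothetical and the clock is injected so the timeout path can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    """Server side: sessions are opaque random tokens mapped to a user and a last-seen time."""

    def __init__(self, idle_timeout_s=900, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock                 # injected for deterministic tests
        self._sessions = {}                # token -> {"user": str, "last_seen": float}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable; carries no user data
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def resolve(self, token: str):
        """Return the user for a live session, or None if unknown, logged out or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout_s:
            del self._sessions[token]      # server-side expiry, whatever the client did
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)    # the server forgets the token; replays are rejected


class ApiClient:
    """Client side: keeps the token in memory only and discards it on logout."""

    def __init__(self, store: SessionStore):
        self.store = store
        self.token = None

    def login(self, user: str) -> None:
        self.token = self.store.login(user)

    def whoami(self):
        return self.store.resolve(self.token) if self.token else None

    def logout(self) -> None:
        # Invalidate on BOTH sides: tell the server first, then drop the local copy.
        if self.token:
            self.store.logout(self.token)
        self.token = None
```

The idle timeout is the backstop for the case slide 18 describes, where the user simply closes the app: even if the client never sends a logout, the server stops honouring the token on its own.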
30. 5. Use POST Request For Sensitive Data
Use an encrypted POST
request rather than GET for
sensitive information such as…
…Username, Account Number,
GPS coordinates, Device UDID,
and Address etc.
31. 6. Encrypt REST Parameters
• Obfuscate session-related info
• Use strict session management policies
with tighter authorization boundary and
privileges
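Slide 20's id swap (…/id/1234 to …/id/3456) and slide 31's advice come down to one server-side rule: authorization is decided by the authenticated session, never by the identifier in the URL. The following is an added example, not from the deck, showing the handler with the bug next to the fixed one, plus slide 31's "obfuscate" idea done without weakening the check: opaque random handles are issued per user and resolved server-side. The accounts, user names and function names are constructed; session_user stands in for whatever the session layer resolved.

```python
import secrets

# Constructed data: two accounts owned by two different users.
ACCOUNTS = {
    1234: {"owner": "alice", "balance": 120.0},
    3456: {"owner": "bob", "balance": 980.0},
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """Returns whatever id the client put in the URL; session_user is never consulted."""
    return ACCOUNTS[account_id]


def get_account_safe(session_user: str, account_id: int) -> dict:
    """Ownership is checked against the server-side session before anything is returned."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        # One response for "not yours" and "does not exist", so there is no oracle for valid ids.
        raise Forbidden("account not accessible")
    return account


# Opaque handles: the client never sees the sequential database id at all.
_HANDLES = {}   # handle -> (owner, account_id), kept server-side


def issue_handle(session_user: str, account_id: int) -> str:
    """Hand out a random handle for an account the session user already owns."""
    get_account_safe(session_user, account_id)          # ownership check first
    handle = secrets.token_urlsafe(16)
    _HANDLES[handle] = (session_user, account_id)
    return handle


def get_account_by_handle(session_user: str, handle: str) -> dict:
    """Resolve a handle, and still require that it was issued to this session's user."""
    entry = _HANDLES.get(handle)
    if entry is None or entry[0] != session_user:
        raise Forbidden("account not accessible")
    return ACCOUNTS[entry[1]]
```

Note that the handle is not a substitute for the ownership check; it only removes the predictable sequence that makes the id swap trivial to attempt. A handle that leaks is still useless to another user because get_account_by_handle binds it to the session that requested it.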
32. 7. Use Automated Lockouts
• If a mobile app login fails 5-10x in a row,
lock out in some fashion, flag activity in app
and server logs, etc.
• Lock the application for a period of time to
avoid brute-force hacks
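Slide 21's point is that a lockout enforced only on the device can be defeated by whoever holds the device, and slide 32 asks for a lockout plus logging. The following is an added example, not from the deck, of that logic on the server: consecutive failures are counted per user, the fifth failure starts a timed lock that rejects even a correct password, and every failure and lockout is written to the server log. The user table is constructed, the class name is hypothetical, and the clock is injected so the lock expiry can be tested.

```python
import hashlib
import hmac
import logging
import os
import time

log = logging.getLogger("auth")


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the server stores only salt + hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, hash), plus a dummy record so that an
# unknown username costs the same hashing work as a known one.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
_DUMMY = (os.urandom(16), os.urandom(32))


class LoginGuard:
    """Server-side failed-login counter with a timed lockout (slide 32: lock after 5-10 failures)."""

    def __init__(self, max_failures=5, lock_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock            # injected so tests can advance time
        self._failures = {}           # user -> consecutive failure count
        self._locked_until = {}       # user -> clock value at which the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:     # lock expired: reset and allow attempts again
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'failed' or 'locked'. The state lives on the server, so a
        stolen device cannot reset the counter by reinstalling or patching the app."""
        if self.is_locked(user):
            log.warning("login attempt while locked user=%s", user)
            return "locked"
        salt, expected = USERS.get(user, _DUMMY)
        ok = hmac.compare_digest(hash_password(password, salt), expected) and user in USERS
        if ok:
            self._failures.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        log.warning("failed login user=%s consecutive=%d", user, n)   # flagged in server logs
        if n >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lock_seconds
            log.error("lockout user=%s seconds=%d", user, self.lock_seconds)
            return "locked"
        return "failed"
```

A locked response should look the same to the client whether the password was right or wrong, which is why the lock is checked before the hash is compared. The log lines are what turns a lockout from a nuisance into a signal an operations team can alert on.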
33. Cenzic Can Help
• Cenzic is a leading provider of Mobile
Application Scanning Services.
• 10+ Years
• Leverages patented Hailstorm™
engine for more consistently accurate
and efficient results
• Cenzic experts conduct business logic
and forensic analysis of mobile apps
34. Customers Rate Cenzic Higher
• 2013 Gartner surveyed App
Security Testing Customers
• ONLY Cenzic scored high marks
from customers in Accuracy,
Service, Support and Overall
Satisfaction
• Cenzic provides the best services!
35. Complete Enterprise Security by Cenzic
Enterprise Application Security across:
• Pre-production & App Development
• Production
• Partner / Supply Chain