The document discusses 7 ways that Android applications can be vulnerable, including intent hijacking, intent spoofing, sticky broadcast tampering, insecure storage of data, insecure network communication, SQL injection, and allowing applications to have promiscuous privileges. It provides descriptions and examples of each vulnerability and recommends ways to address the security issues, such as using explicit intents that require permissions, securing data storage, and limiting application privileges. The goal is to help developers avoid introducing vulnerabilities that could allow attackers to compromise user data or alter application behavior.

1. HP Fortify
Mobile Application
Security
Name
Title
Enterprise Security
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2. The motivation
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

3. Rise of the mobile machines
700,000
Q4: Inflection Point
Smartphones + Tablets > PCs
600,000
Global Shipments (MM)
500,000
400,000
300,000
200,000
2005 2006 2007 2008 2009 2010 2011 2012E 2013E
100,000 Desktop PCs Notebook PCs Smartphones Tablets
Source: Morgan Stanley Research
3 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

4. The smartphones as pocket PCs
81% 77% 68% 48%
Browsed the Used a Used Watch
internet search engine an app videos
Smartphone activities within past week (excluding calls)
Desktop Pocket PCs
Source: The Mobile Movement Study, Google, April 2011
4 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

5. The Swiss army knife of computing
Rolodex Game console
Camera
Television Calculator
Laptop
Email
Book Internet
GPS
5 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

6. The evolution of the modern enterprise
1990s 2000s 2010s
Webpage era Ecommerce era Mobile era
6 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

7. Mobile represents a huge business opportunity
Please select the most important benefit that your organization ultimately expects to gain from current or
future mobile solutions deployments (whether or not you are currently receiving those benefits)
Improve/enhance worker productivity
Increased sales/revenue
Improve field service response time
Improve competitive advantage/market share
Provide ease of information access
Improve customer service
Decreased costs
Offer employees more flexibility
Enhance portability within the office or work environment
Eliminate paperwork
Speed the sales process
Provide perception of an advanced company to…
0 5 10 15 20 25 30
N = 600, Source: IDC’s mobile enterprise software survey, 2011
7 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

8. But security is a huge concern
Which of the following technologies have resulted in an increase in IT security management spending at
your organization within past 12 months?
Mobility
Virtualization
Social Networking
VoIP
Unified Communications
Green IT
0% 10% 20% 30% 40% 50% 60% 70%
IDC Web Conference, 12 April 2012
Source: IDC Security as a Service Survey n-47
8 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

9. A treasure trove of private information
Your smartphone knows
you better than you know
yourself … and cyber attackers are
• Pins & passwords
after your personal records
• Contacts
• Call history
• Messages
• Social networking
• Visited web sites
• Mobile banking
• Personal videos
• Family photos
$
• Documents
9 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

10. Threats at all points
Client Network Server
• Insecure storage of • Insecure data transfer • Authentication
credentials during installation or • Session Management
• Improper use of execution of the • Cross-site Scripting
configuration files application
• SQL Injection
• Use of insecure • Insecure transmission of
data across the network. • Command Injection
development libraries
10 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

11. Types of mobile threats
Data Communication Exploitation and
Malware Loss and Theft Direct Attacks
Interception Misconduct
Spyware, viruses, Data lost due to Eavesdropping on The inappropriate use Short message
trojans, and worms misplaced or stolen communications, of a mobile device for service (SMS) and
mobile devices including emails, texts, personal amusement browser exploits
voice calls, etc., or monetary gain
originating from or
being sent to a mobile
device
11 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

12. The solution
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

13. What is mobile?
Devices Connection Servers
13 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

14. Same old client server model
Client
Network Server
browser
14 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

15. Mobile application concerns
Does it work? Does it perform? Is it secure?
• Does the application function • Will the application perform for • Is the application securely
as the business intends? all users? coded?
• Are all features there and • Does it meet SLAs in • Has the application been
working? production? assessed for known threats?
15 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

16. What you need to be concerned about
Know where you are using credentials
Know what sensitive data is in play
Track these through the device, network, and backend server
Test all those components
16 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

17. HP Fortify mobile application security
End to end mobile security: from the device, to the network to the backend
Features: Benefits:
server. Why it matters:
• Secure the entire mobile • Ensure your Android and Apple iOS mobile devices • The mobile market is huge; global
stack, from the mobile device to are always safe and secure mobile data traffic will increase 26-fold
the server to the communications • Protect Android and iOS applications from between 2010 and 2015, and over 50%
between the two advanced attacks by removing security of all Americans currently have a
• Pinpoint with line of code precision vulnerabilities at the source, from software on the mobile phone (Arc Worldwide)
the root cause of potential mobile device or backend server • Mobile applications are in their infancy
vulnerabilities for any application • Increase development productivity by enabling in terms of security awareness
developed for Apple iOS and security to be built into mobile applications, rather • Mobile payments will reach $240 Billion
Google Android this year. Fraud becomes a concern if
than added on after it is deployed into production
• Complete static language support Mobile Security is not addressed
• Spend valuable development resources and time
for Objective C (any Apple mobile • In Q4 2011, iOS has 43% of the mobile
innovating, instead of firefighting, troubleshooting,
device, such as the iPhone or the market share, second to Android at
iPad) and Java, the programming and fixing vulnerabilities 47% (NPD)
language of Android
17 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

18. Mobile product support
Comprehensive mobile support
• Four mobile platforms and operating systems
• Mobile assessment services for the
device, network and server
• Mobile security research group to stay abreast
of the latest mobile security threats
18 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

19. Mobile assessments
Type What’s Included: Why Use
Full • Server – All, Auto/Manual/Source Initial releases and
(Hybrid Assessment) • Client – All, Auto/Manual/Source annual/periodic/compliance
• Network – All, Auto/Manual assessments.
Mini Hybrid • Client – Filesystem Analysis, no source code analysis, Minor releases. Supplemental to
(1 Day Assessment) no malware analysis previous full assessment.
• Network – Basic Traffic Analysis, no data obfuscation
analysis
• Server – Basic Automated Scan, no source code
review, no logic testing, no advanced injection
Malware Assessment Malware Only Assessment – Check for malicious code on Internal commercial applications
client-side as well as for suspicious network traffic, e.g. developed by third-parties outside
data transmitting to unknown hosts corporate control. E.g. Pandora,
WSJ
19 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

20. Process integration
Integrating security into your established SDLC process
Security Foundations – Mobile Applications
Architecture
Plan Requirements Build Test Production
& Design
Mobile Security Application Specific Threat Modeling and Mobile Secure Mobile Application Security Assessment
Development Analysis Coding Training (Static, Dynamic, Server, Network, Client)
Standards
Threat Modeling CBT for Developers Mobile Secure Mobile Firewall
Mobile Application Coding Standards
Security Process Wiki
Mobile Risk Dictionary
Design
Static Analysis
Mobile Security
Policies
20 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

21. Summary: mobile application security
Comprehensive mobile application security solutions
That proactively identifies and eliminates risk in any mobile
1 application, built for any platform or operating system: Apple
iOS, Google Android, Microsoft Windows Phone and RIM Blackberry
2 To ensure that all mobile applications are trustworthy, in compliance with
any security mandates and safe for consumers and enterprises to use
Securing the whole mobile technology stack: from the user and device
3 to the network communications to the backend servers
4 Available on-premise or on-demand, and with professional services
21 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

22. 7 Ways to Hang Yourself with
Android
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

23. Google Android Vulnerabilities
1 Intent hijacking
2 Intent spoofing
3 Sticky broadcast tampering
4 Insecure storage
5 Insecure network communication
6 SQL injection
7 Promiscuous privileges
23 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

24. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Malicious app intercepts an intent bound for another app, which can
compromise data or alter behavior
Cause: Implicit intents (do not require strong permissions to receive)
Fix: Explicit intents and require special receiver permissions
24 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

25. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
IMDb App
Showtime Handles Actions:
Results UI
Search willUpdateShowtimes,
showtimesNoLocationError
Implicit Intent
Action: willUpdateShowtimes
25 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

26. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
26 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

27. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
IMDb App
Showtime Handles Actions:
Results UI
Search willUpdateShowtimes,
showtimesNoLocationError
Implicit Intent
Action: willUpdateShowtimes
Eavesdropping App
Malicious
Handles Actions:
Receiver
willUpdateShowtimes,
showtimesNoLocationError
27 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

28. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Malicious app spoofs a legitimate intent, which can inject data or alter
behavior
Cause: Public components (necessary to receive implicit intents)
Fix: Use explicit intents and receiver permissions
Only perform sensitive operations in private components
28 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

29. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Spoofing App
Results UI
Action: showtimesNoLocationError
IMDb App
Showtime Results UI Handles Actions:
Search willUpdateShowtimes,
showtimesNoLocationError
29 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

30. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
30 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

31. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Persistent intents used by legitimate apps can be accessed and removed
by malicious apps
Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts
Fix: Use explicit, non-sticky broadcasts protected by receiver
permissions
31 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

32. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Sticky broadcasts Malicious App
(intents): Requests
SB BROADCAST_STIC
1 KY Permission
SB
2
? Victim App
Receiver
(expects SB2)
SB
3
32 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

33. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Local storage is accessible to attackers, which can compromise sensitive
data
Cause: Local files are world-readable and persist
Fix: SQLite or internal storage for private data
Encrypt the data (keep keys off the SD)
33 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

34. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Kindle app saves e-books (.mbp and .prc) in a folder on the SD card
• Depending on DRM, accessible to other apps
• Saves covers of books (privacy violation)
• Folder is retained after uninstall of app
34 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

35. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Data sent over unencrypted channels can be intercepted by attackers
sniffing network
Cause: Non-HTTPS WebView connections
Fix: Ensure sensitive data only sent over encrypted channels
35 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

36. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Twitter: Tweets are sent in the clear
https://freedom-to-tinker.com/blog/dwallach/things-overheard-wifi-my-android-smartphone
36 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

37. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Facebook: Despite ‘fully encrypted’ option on the Web, mobile app sends
in the clear
37 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

38. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Allows malicious users to alter or view (query string injection) database
records
Cause: Untrusted data used to construct a SQL query or clause
Fix: Parameterized queries
38 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

39. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
c = invoicesDB.query(
Uri.parse(invoices),
columns,
"productCategory = '" +
productCategory + "' and
customerID = '" + customerID + "'",
null, null, null,
"'" + sortColumn + "'",
null
);
39 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

40. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
productCategory = Fax Machines
customerID = 12345678
sortColumn = price
Select * from invoices
where productCategory = ‘ Fax Machines'
and customerID = '12345678'
order by 'price'
40 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

41. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
productCategory = Fax Machines' or productCategory = "
customerID = 12345678
sortColumn = " order by ‘price
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = “ ‘
and customerID = ‘ 12345678 ' order by ‘ "
order by 'price'
41 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

42. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
c = invoicesDB.query(
Uri.parse(invoices),
columns,
"productCategory = ? and customerID = ?",
{productCategory, customerID},
null,
null,
"sortColumn = ?",
sortColumn
);
42 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

43. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Description: Requesting unneeded permits privilege escalation attacks and
desensitize users
Cause: Deputies,
Artifacts from testing,
Confusion (inaccurate/incomplete resources)
Fix: Identify unnecessary permissions
43 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

44. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
User App Camera App
Does NOT need CAMERA Needs CAMERA
permission permission
Takes
Wants Picture Picture
Implicit Intent Handles Action:
Action: IMAGE_CAPTURE
IMAGE_CAPTURE
44 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

45. Google Android Vulnerabilities
Sticky Insecure
Insecure Promiscuous
Intent hijacking Intent spoofing broadcast network SQL injection
storage privileges
tampering communication
Third hit on Google search
Not true for android.net.wifi.STATE_CHANGE
http://stackoverflow.com/questions/2676044/broadcast-intent-when-network-state-has-changend
45 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

46. Empirical Results: DEFCON ‘11
Vulnerability Type % of apps with > 1
1. Intent Hijacking 50%
2. Intent Spoofing 40%
3. Sticky Broadcast Tampering 6%
4. Insecure Storage 28%
5. Insecure Communication N/A
6. SQL Injection 17%
7. Promiscuous Privileges 31%
46 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

47. Thank You
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.