Here's your chance to learn about the most common mobile threats and how to protect your organization from malicious attack. The slides: > DESCRIBE why mobile apps are uniquely vulnerable > SURVEY the 7 most common mobile attacks > HIGHLIGHT ways to find mobile app vulnerabilities

1. Top 7 Mobile App Attacks and
How To Prevent Them
Sameer Dixit Managed Services
Chris Harget Product Marketing

2. Agenda
Enterprise Mobile App Trends
Top Mobile App Attacks
How To Be Safer
2
Cenzic, Inc. - Confidential, All Rights Reserved.

3. Mobile App Factoids
 ~14 Billion tablet-app downloads in 20131
 ~82 Billion smartphone-app downloads in 20132
 Average US smartphone user has 41 apps and
spends 39 minutes/day using them3
 91% of apps free, only 9% paid for – Gartner 2012
 1. ABI Research March 2013 prediction
 2. Portio Research March 2013 forecast
 3. Nielsen,http://www.nielsen.com/us/en/newswire/2012/state-of-the-appnation%C3%A2%C2%80%C2%93-a-year-of-change-and-growth-in-u-s-smartphones.html

4. Mobile User Service Options
Mobile-Optimized Web Sites
Native Mobile Apps
 HTML5 gives some
cross-platform capability
 Native container =>
tighter integration
 No install, convenient
for low-usage apps
 More user commitment
required to begin
 Works with standard
vulnerability scanning
 Requires mobilespecific vulnerability
scanning

5. Mobile App Space Less Mature
 Fewer security experts than on Web apps
 Development practices often leave out security
 New kinds of data to secure (GPS, camera,
Microphone, Texts, International calling)

6. Mobile App Security Is Harder
 Mobile devices are less physically secure
 Mobile traffic more likely to be visible to others
– Through the air

7. Mobile Apps For Customers
 Shopping App
 Rewards Programs, Coupons
 Games/Marketing
 Account Management

8. Mobile Apps For Employees
 Email, Calendar, Contacts, Tasks
 Salesforce.com
 Order Entry
 Quoting Tool
 Field Support
 Inventory Tracking
 Point of Sale
 Field Enablement
 Approvals
 Collaboration

9. Mobile Apps For Partners
 Order Entry
 Order Tracking
 Technical Support
 Inventory Availability
 Lead Referral
 Product Catalogue
 Price List

10. Enterprise Mobile Apps Trends
 Give free apps to prospects/customers for
acquisition/retention
– The share of app revenue from in-app purchases will
grow from 10% in 2011 to 41% in 2016 - Gartner
 By 2016, 25% of enterprises will have private app
stores – Gartner, April 2013
– Reduce risk from BYOD (Bring Your Own Device)
 Mobile Apps often funded/developed by business
units, not IT

11. Enterprise Mobile App Dev. Costs
 54% of apps cost $25K-$100K.
11
Cenzic, Inc. - Confidential, All Rights Reserved.

12. Enterprise Mobile App Update Frequency
 80% of Respondents update mobile apps at least 2x/year.
–
12
http://www.anypresence.com/Mobile_Readiness_Report_2013.php
Cenzic, Inc. - Confidential, All Rights Reserved.

13. Summing Up Trends
 Enterprises developing apps for many reasons
 Data and brand exposure increasing rapidly
 Mobile app security practices generally inadequate

14. Top 7 Mobile App Attacks
14
Cenzic, Inc. - Confidential, All Rights Reserved.

15. 1. Exploiting Unencrypted Data
Sensitive plist, xml and sqlite files
E.g., Last logged in user, address,
usernames, GPS coordinates,
photos, videos etc.
Stored passwords
15
Cenzic, Inc. - Confidential, All Rights Reserved.

16. 2. Excessive Access Privileges
• Some apps unnecessarily grant
access to user’s…
• …Phone Directory, Calendar, GPS,
Camera, Microphone, etc.
• =>Theft of corporate info, fraud,
and violation of privacy
16
Cenzic, Inc. - Confidential, All Rights Reserved.

17. 3. Exploiting Inputs That Are Not Validated
• SQL Injection
• XML Bombs
• Cross-Site Scripting
17
Cenzic, Inc. - Confidential, All Rights Reserved.

18. 4. Session Left Active When App Exited
• Poor Session Management
• User closes app, but is not logged out
of server
• Attacker may pick up session and
steal data, funds or merchandise
18
Cenzic, Inc. - Confidential, All Rights Reserved.

19. 5. Insecure Transmission
• GET request for:
•
Username, Account Number, GPS
coordinates, Device UDID, User Info, etc.
•
•
…Sent In The Clear!
Mobile traffic more likely to be visible to
others than wired traffic
19
Cenzic, Inc. - Confidential, All Rights Reserved.

20. 6. Parameter Manipulation in Mobile Web Services
“Parameter Manipulation in REST
Services”
• E.g.,
…/id/1234
• change to
…/id/3456/
• Gives access to another ID’s account
20
Cenzic, Inc. - Confidential, All Rights Reserved.

21. 7. Lack of Automated Lockouts
• Unlike Web apps, most mobile apps
don’t implement lockout capability
after 3, or 5 or 10 failed login attempts.
• PIN or password is often cached on
the mobile device
• If someone gets control of your phone
or tablet, they may be able to bruteforce hack your app passwords
without the server ever knowing
21
Cenzic, Inc. - Confidential, All Rights Reserved.

22. Mobile App Attacks In Action…

23. LIVE HACK I – Unencrypted Data
Storage
23
Cenzic, Inc. - Confidential, All Rights Reserved.

24. LIVE HACK II - Insecure Data
Transmission
24
Cenzic, Inc. - Confidential, All Rights Reserved.

25. A Few…
25
Cenzic, Inc. - Confidential, All Rights Reserved.

26. 1. Encrypt Data Storage
• Encrypt…sensitive
plist, xml and
sqlite files that contains
information such as
• …last logged in user, address,
usernames, GPS coordinates,
photos and videos etc.
26
Cenzic, Inc. - Confidential, All Rights Reserved.

27. 2. Restrict Access Privileges
Restrict granting excess
permissions and privileges to the
application on the device.
Example: Disallow Update
Access to user’s phone Directory,
Calendar, GPS, Camera,
Microphone etc.
27
Cenzic, Inc. - Confidential, All Rights Reserved.

28. 3. Validate Inputs
Ensure that application
validates all inputs…
…both at client and server
side…
…to avoid issues such as
XSS, SQL, XML Bomb,
information disclosure etc.
28
Cenzic, Inc. - Confidential, All Rights Reserved.

29. 4. Manage Sessions Assertively
In a native client server mobile
application, always invalidate the
session after logout…
…both at the client and at the
server side.
29
Cenzic, Inc. - Confidential, All Rights Reserved.

30. 5. Use POST Request For Sensitive Data
Use an encrypted POST
request rather than GET for
sensitive information such as…
…Username, Account Number,
GPS coordinates, Device UDID,
and Address etc.
30
Cenzic, Inc. - Confidential, All Rights Reserved.

31. 6. Encrypt REST Parameters
• Obfuscate session-related info
• Use strict session management policies
with tighter authorization boundary and
privileges
31
Cenzic, Inc. - Confidential, All Rights Reserved.

32. 7. Use Automated Lockouts
• If a mobile app login fails 5-10x in a row,
lockout in some fashion, flag activity in app
and server logs, etc.
• Lock the application for a period of time to
avoid brute-force hacks
32
Cenzic, Inc. - Confidential, All Rights Reserved.

33. Cenzic Can Help
• Cenzic is a leading provider of Mobile
Application Scanning Services.
• 10+ Years
• Leverages patented Hailstorm™
engine for more consistently accurate
and efficient results
• Cenzic experts conduct business logic
and forensic analysis of mobile apps
33
Cenzic, Inc. - Confidential, All Rights Reserved.

34. Customers Rate Cenzic Higher
• 2013 Gartner surveyed App
Security Testing Customers
• ONLY Cenzic scored high marks
from customers in Accuracy,
Service, Support and Overall
Satisfaction
• Cenzic provides the best services!
34
Cenzic, Inc. - Confidential, All Rights Reserved.

35. Complete Enterprise Security by Cenzic
Enterprise Application Security
Pre-production &
App Development
35
Cenzic, Inc. - Confidential, All Rights Reserved.
Production
Partner /
Supply Chain

36. Application Security for
Web, Web Services & Mobile
+1.408.429-7400
36