Common Security Pitfalls for Mobile Apps in the Enterprise
2. Watch the video with slide synchronization on InfoQ.com!
http://www.infoq.com/presentations/mobile-enterprise-security
InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese)
• Post content from our QCon conferences
• News 15-20 / week
• Articles 3-4 / week
• Presentations (videos) 12-15 / week
• Interviews 2-3 / week
• Books 1 / month
3. Presented at QCon San Francisco
www.qconsf.com
Purpose of QCon
- to empower software development by facilitating the spread of knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
4. Overview
App Reputation Report: Market Overview
- Current app ecosystem
Consequences of risky apps
- How risky apps affect end users and corporations
Epic Fails in Top Applications
- Mistakes made by popular applications
Top 5 app developer mistakes and solutions
© 2013 Appthority, Inc.
7. Risky Application Impact
• Each application can affect the end user
• If an app is unsafe or risky, the device can be wiped or unregistered from the MDM
• Poorly developed apps risk the user's productivity and data
• Impact is broad
• Banned from MDM means loss of sales volume and developer revenue
• Lowers developer reputation
• Potential lifetime ban from enterprises
8. Appthority Top 5 Fails
1. Using Risky SDKs
   adware/analytic/3rd-party libs
2. Permissions and Bypassing User Consent
   accessing device features without user consent, under-/over-privileged apps
3. Dirty Laundry
4. Improper Handling of Private App Data
5. Bad Cryptography
   weak or no algorithms, predictable seeds
9. Fail #1: Adware/Analytic SDK
Ad networks introduce external risk!
Permissions added to the app by a popular Adware SDK:
- INTERNET, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, LAUNCHER.INSTALL_SHORTCUT, WRITE_EXTERNAL_STORAGE, ACCESS_WIFI_STATE, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, GET_ACCOUNTS, BROWSER.READ_HISTORY_BOOKMARKS
These break COPPA and corporate data privacy policies
Developers may add many Adware SDKs
- Potentially aggressive: Apperhand, Vulna/Applovin
10. Fail #1: Adware/Analytic SDK (Cont.)
Private data sent by these SDKs...
[Diagram of fields sent: APIKEY, TIMESTAMP, IMEI, APP ID, PHONE, LAT, LONG, COUNTRY, CITY, STATE, ZIP, AGE]
11. Which Ad networks to use?
Evaluating an ad network
Ad network reputation
1. Evaluate end-users' and developers' opinion about a library with respect to potential privacy and security impacts.
2. Do they treat their developers well? Are there customer complaints?
Type of Data Collected
1. Discover what kinds of data the network is known to collect.
2. Is it private, potentially sensitive, or does it uniquely identify the user?
3. Does it collect the data in a clandestine manner?
12. Which Ad networks to use?
Evaluating an ad network
Tactics and Methodology
1. Evaluate the methodology used by the ad network to collect data.
2. Does a network collect too much data or use aggressive tactics in exchange for higher click-through payouts? Is the payout abnormally high or higher than popular competitors'?
3. Is the ad network dynamically updatable? Does it receive commands from a C&C network?
Long term impact
1. Decide if short-term gains are worth potentially hurting long-term reputation.
2. Combining all the questions above, are you willing to stake your reputation on a questionable ad network?
13. Fail #2 Permission Abuse & Bypassing Consent
Potential problems with permissions
1. Underprivileged Application: sidesteps the permission system to obtain the same behavioral results.
2. Overprivileged Application: requests permissions that are unneeded.
3. The Confused Deputy: performs actions on behalf of another agent, like sending SMS messages.
14. Fail #2 Permissions and Bypassing Consent
App behavior must adhere to the permissions requested
Application is underprivileged: it side-steps the permission system yet is still able to track the user
Yet...
ACCESS_COARSE_LOCATION not in manifest
- Doesn't request any permissions to geo-track the app user
Good way to get kicked out of Enterprises, E*trade!
15. Fail #2 Permissions and Bypassing Consent
Application should request the minimal set of permissions necessary to operate correctly.
Frequently unneeded yet requested permissions; the actions can be accomplished with Intents to the target application:
CAMERA – Take picture using default capture.
INTERNET – Open URL in Browser.
CALL_PHONE – Open default phone dialer.
However, autoupdate encourages overprovisioning to make the dev lifecycle smoother!
Adrienne Porter Felt, Erika Chin, Steven Hanna, Dawn Song, and David Wagner. Android Permissions Demystified. ACM CCS 2011.
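The three Intent-based alternatives the slide lists, written out as an added example (not code from the talk or from any app it names). Each hands the action to the system app that already holds the permission, so the calling app's manifest needs none of CAMERA, INTERNET or CALL_PHONE; the class and request-code names are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.provider.MediaStore;

// Added example: delegate to system components instead of requesting
// CAMERA / INTERNET / CALL_PHONE ourselves (least privilege via Intents).
public final class LeastPrivilegeActions {

    // Arbitrary request code for the capture result (assumed value).
    public static final int REQUEST_CAPTURE = 1001;

    private LeastPrivilegeActions() {}

    // CAMERA: the default camera app takes the picture and returns it to
    // onActivityResult(); this app never touches the camera hardware.
    public static void takePicture(Activity caller) {
        Intent capture = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        if (capture.resolveActivity(caller.getPackageManager()) != null) {
            caller.startActivityForResult(capture, REQUEST_CAPTURE);
        }
    }

    // INTERNET: open the URL in the user's browser rather than fetching it
    // in-process; the browser holds INTERNET, this app does not.
    public static void openInBrowser(Activity caller, String url) {
        Uri target = Uri.parse(url);
        String scheme = target.getScheme();
        // Only hand off web URLs; refuse file:, content: and other schemes
        // so an attacker-controlled string cannot redirect the handoff.
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            throw new IllegalArgumentException("refusing non-web URL: " + url);
        }
        caller.startActivity(new Intent(Intent.ACTION_VIEW, target));
    }

    // CALL_PHONE: ACTION_DIAL pre-fills the dialer and leaves the user to
    // press "call"; ACTION_CALL would dial directly and needs CALL_PHONE.
    public static void dial(Activity caller, String phoneNumber) {
        Uri tel = Uri.fromParts("tel", phoneNumber, null);
        caller.startActivity(new Intent(Intent.ACTION_DIAL, tel));
    }
}
```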
16. Fail #2 Permissions and Bypassing Consent
Apps must check intent permissions and guard their Broadcast Receivers!
Potential for abuse: the confused deputy performs actions on behalf of another agent.
Example: Application A has 2 components: MainA, the main application component, and RecA, a broadcast receiver; it has permission SEND_SMS. Application B has no permissions.
[Diagram: The Confused Deputy. Application A (Main, Rec; SEND_SMS), Application B (NO PERMISSIONS), Intent, SMS Message.]
Who sent the SMS message?
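A guarded version of the slide's RecA, as an added example (not the talk's code): the receiver is registered so that the system delivers only broadcasts whose sender itself holds SEND_SMS, which is what closes the confused-deputy path from the permission-less Application B. The action string and extra names are assumptions.

```java
import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.telephony.SmsManager;

// Added example: RecA from the slide, hardened. Unguarded, any app could
// broadcast ACTION_SEND and have Application A's SEND_SMS do the sending.
public final class RecA extends BroadcastReceiver {

    // Assumed action name for A's internal "send a text" request.
    public static final String ACTION_SEND = "com.example.appa.SEND_SMS";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION_SEND.equals(intent.getAction())) {
            return; // not addressed to us
        }
        String to = intent.getStringExtra("to");
        String body = intent.getStringExtra("body");
        // Validate before acting: a deputy should never forward
        // arbitrary caller-supplied data into a privileged operation.
        if (to == null || body == null || !to.matches("\\+?[0-9]{3,15}")) {
            return;
        }
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
    }

    // Registering with a broadcastPermission makes the framework enforce
    // that the *sender* holds SEND_SMS; otherwise onReceive() is never run.
    // Manifest equivalent: android:permission="android.permission.SEND_SMS"
    // on the <receiver>, or android:exported="false" if only A itself sends.
    public static RecA registerGuarded(Context context) {
        RecA receiver = new RecA();
        context.registerReceiver(receiver, new IntentFilter(ACTION_SEND),
                Manifest.permission.SEND_SMS, /* scheduler */ null);
        return receiver;
    }
}
```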
18. 50 requested permissions!
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.BROADCAST_STICKY
android.permission.CAMERA
android.permission.GET_ACCOUNTS
android.permission.GET_TASKS
android.permission.INTERNET
android.permission.MODIFY_AUDIO_SETTINGS
android.permission.READ_CONTACTS
android.permission.READ_PHONE_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RECEIVE_SMS
android.permission.RECORD_AUDIO
android.permission.RECORD_VIDEO
android.permission.SYSTEM_ALERT_WINDOW
android.permission.VIBRATE
android.permission.WAKE_LOCK
android.permission.WRITE_CONTACTS
android.permission.WRITE_EXTERNAL_STORAGE
com.android.browser.permission.READ_HISTORY_BOOKMARKS
com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.READ_SETTINGS
com.android.launcher.permission.UNINSTALL_SHORTCUT
com.android.launcher.permission.WRITE_SETTINGS
com.anddoes.launcher.permission.READ_SETTINGS
com.anddoes.launcher.permission.WRITE_SETTINGS
com.fede.launcher.permission.READ_SETTINGS
com.fede.launcher.permission.WRITE_SETTINGS
com.htc.launcher.permission.READ_SETTINGS
com.htc.launcher.permission.WRITE_SETTINGS
com.lge.launcher.permission.INSTALL_SHORTCUT
com.lge.launcher.permission.READ_SETTINGS
com.lge.launcher.permission.WRITE_SETTINGS
com.motorola.dlauncher.permission.INSTALL_SHORTCUT
com.motorola.dlauncher.permission.READ_SETTINGS
com.motorola.dlauncher.permission.WRITE_SETTINGS
com.motorola.launcher.permission.INSTALL_SHORTCUT
com.motorola.launcher.permission.READ_SETTINGS
com.motorola.launcher.permission.WRITE_SETTINGS
com.teslacoilsw.launcher.permission.READ_SETTINGS
com.teslacoilsw.launcher.permission.WRITE_SETTINGS
org.adw.launcher.permission.READ_SETTINGS
org.adw.launcher.permission.WRITE_SETTINGS
Including vendor permissions!
19. More permission abuse!
Extreme permission abuse!
Joke Screen Melt Wallpaper, STILL ON MARKET
Requests 45 permissions! Including:
android.permission.INSTALL_PACKAGES
android.permission.DELETE_PACKAGES
android.permission.RECORD_AUDIO
android.permission.MOUNT_FORMAT_FILESYSTEMS
android.permission.GET_ACCOUNTS
android.permission.SET_WALLPAPER
Aggressive adware!
20. Fail #3 Dirty Laundry & Pandora for iOS
App includes debugging information, giving a view into the development environment (and the developer/s)
21. Fail #4 Improper Handling of Private Data: Tinder
What we Found in the Tinder App...
Our analysis engines alerted us that the App was sending exact geo-location information over the network
We found much more was being sent over the network – including the full name of all matches, exact birth-date/age, and Facebook profile ID
22. Fail #4 Improper Handling of Private Data: Tinder
23. Fail #4 Improper Handling of Private Data: Tinder
24. Fail #4 Improper Handling of Private Data: Tinder
We made the Tinder report public ...
25. Fail #4 Improper Handling of Private Data: Tinder
The Tinder API “profile” returns a target's profile information, including the “distance_mi” away, and they did remove the “pos”:
STILL A FAIL!
Knowing the Tinder API “ping” sets the geographical position:
How would you use the profile (to get the distance_mi) + ping API (to set the lon, lat) and obtain the exact geo-location of a target?
Hint: Shortest path....
26. Fail #4 Improper Handling of Private Data: Tinder
Not limited to just Tinder...
Skout, 10,000,000+ installs
Swoon, 500,000+ installs
Cheeky, 100,000+ installs
27. Fail #5 Using Bad or No Cryptography
What we Found in the Postogram App...
Our analysis engines alerted us that the App was uploading private photos
We found Postogram was sending all private photos to an unprotected server with filenames that were predictable (deterministic)
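The Postogram failure mode set beside the fix, as an added example (not Postogram's code): a deterministic object name that an outsider can count through, a name from a seeded java.util.Random (the "predictable seeds" item from the Top 5 list), and a name drawn from a CSPRNG. Function and prefix names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example: how upload names become guessable, and a name that is not.
public final class UploadNames {

    private static final SecureRandom RNG = new SecureRandom();

    private UploadNames() {}

    // Failure mode 1: derived from values an outsider can guess or enumerate
    // (user id, upload counter), so neighbouring files are one increment away.
    public static String predictableName(long userId, int sequence) {
        return "photo_" + userId + "_" + sequence + ".jpg";
    }

    // Failure mode 2: java.util.Random is a deterministic generator; seeding
    // it with something observable (e.g. an upload timestamp) makes the
    // "random" name reproducible by anyone who knows or brackets the seed.
    public static String seededName(long seed) {
        Random r = new Random(seed);
        return "photo_" + Long.toHexString(r.nextLong()) + ".jpg";
    }

    // Fix: 128 bits from SecureRandom, URL-safe base64 without padding. The
    // name carries no user or ordering information and cannot be enumerated.
    public static String unpredictableName() {
        byte[] token = new byte[16];
        RNG.nextBytes(token);
        String encoded = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        return "photo_" + encoded + ".jpg";
    }
}
```

An unguessable name only removes enumeration; the server the slide calls "unprotected" still needs authentication and per-object authorization for every fetch.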
28. Fail #5 Using Bad or No Cryptography
29. Fail #5 Bad Cryptography
Use Best Practices and PROTECT PRIVATE DATA
1. Not using SSL/encryption for private data
2. Storing passwords/OAuth tokens in plaintext
3. Not expiring OAuth tokens properly (open to replay attacks)
30. The Reality is...
These mistakes are easily avoidable
Best practice guidelines for storing private information do exist
Tools to help do exist (for bigger dev shops, adding these tools into the SDLC)
Having a mindset of “What if this was my private information?”
Have an accurate & current privacy policy:
Don't make us call you out