Contenu connexe


Similaire à Mobile Application Security(20)


Mobile Application Security

  1. Mobile Apps Security Risk Assessment Kartik Trivedi / Lenin Aboagye
  2. For the Demo… please download and install the following apps on your mobile device and create an account 2
  3. Who are we? • Kartik Trivedi – Co-founder of Symosis – Author / Speaker / Interviews - Forbes, Security Focus, Tech world, Security News, etc – Golfer (Advanced Amateur? ) • Lenin Aboagye – Security Architect Apollo group – Cloud / Mobile security expert – Media & Television, Education, Health, Real Estate and Energy industries experience 3
  4. Agenda Introduction Growth / Revenue Security Concerns Mobile Apps Top 3 Risks Countermeasures & Risk Management 4
  5. There is an App for that! 5
  6. There is an App for that! • Pay bills • Small Business Payroll • File income taxes • Pay invoice • Pay property tax • Location based check in • Scan & Shop • Personal finance • Deposit checks • Investments & 401k • Transfer money • Health & Fitness • Store medical records • Productivity • Refill prescription • Facebook / twitter • Manage health information • Place bets on sports • Remember your meds • Utilities • Book flight / hotel • Store passwords • Medscape / pharmacopia • Document storage 6
  7. 7
  8. 53% of Fortune 500 companies have mobile apps 8
  9. Business Case for Mobile Presence • Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers • Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers. • Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more. • Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, Information services, mobile banking, mobile brokerage, mobile purchase 9
  10. Security Concerns • Side Channel Data Leakage • Activity monitoring and data retrieval • Insufficient Transport Layer Protection • Unauthorized dialing, SMS, and payments • Weak Server Side Controls • Unauthorized network connectivity (data exfiltration or command & control) • Insecure Data Storage • UI (unique identifier) impersonation • Client Side Injection • System modification (rootkit, APN proxy • Poor Authorization and configuration) Authentication • Mobile Malware • Improper Session Handling • Criminals Target and Infect App Stores • Security Decisions Via Untrusted Inputs • Social-Engineering • Geolocation compromise • Broken Cryptography • Security Regulatory Compliance • Sensitive Information Disclosure • Device Risk • Hardcoded password/keys • BYOD / MDM • Privacy compliance • Application management • Identity exposure • Installation of un-verified / unsigned 3rd party apps 10
  11. Agenda Introduction Growth / Revenue Security Concerns Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 11
  12. Side Channel Data Leakage Data leakage via platform defaults, use of third party libraries, logging, etc • SnapShot (ie- iOS backgrounding) • Plist files Sometimes result of programmatic flaws
  13. Demo 13
  14. 14
  15. 15
  16. Agenda Mobile Platform Risks Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 16
  17. Insecure Transport/Server Controls Failing to encrypt sensitive network traffic consisting of sensitive data Insecure server controls - web, application and backend API - can lead to security compromise
  18. Demo 18
  19. 20
  20. TOC Mobile Platform Risks Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 21
  21. Insecure Data Storage Locally stored data both on native and browser based apps that includes • SQLite / Cache files • Keychain – Is this really secure? 22
  22. Demo 23
  23. 24
  24. Risk & Impact: High Sensitive Data exposure • Username & password • PII, SSN, Health Information • Device ID, Application configuration • Account Number, Credit Card, Financial Information Loss of Data Confidentiality & Integrity Data Tempering Man-in-the-Middle (MITM attack) Impersonation Unauthorized access to application data or functionality Privacy Violations / reputation damage
  25. Agenda Introduction Mobile Apps Top 3 Risks Insecure Data Storage Insecure Transport / Server Controls Side Channel Leakage Countermeasures & Risk Management Tactical Strategic 26
  26. Secure Programming / Education Disable Cache - Set the autocorrectionType property to UITextAutocorrectionNo for UITestField Disable Snapshot – Use applicationWillResignActive delegate method Disable Logs – Disable NSLog and NSAssert Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace 27
  27. Encrypt Data Data Protection API - set the NSFileProtectionKey on an existing file Keychain – Apple recommends storing Sensitive data like passwords and keys in the Keychain CCCrypt - provides access to AES, DES, 3DES SQLCipher (IOS & Android) - transparent 256- bit AES encryption of database files 28
  28. Secure Design / Architecture • Do not trust the client. Store sensitive data on the server • Perform server side data validation and canonicalization • Only collect and disclose data which is required for business use of the application • Define and deploy secure configuration • Establish common set of security requirements • Perform periodic security scans and audits • Protect sensitive data using HTTPS & SSL • Do not log credentials, PII and other sensitive data • Review all third party libraries before use 29
  29. Agenda Mobile Platform Risks Mobile Apps Top 3 Risks Security Controls & Risk Management Tactical Strategic 30
  30. Mobile Strategy & Challenges • The are 3 major components of a mobile strategy that most organizations have to apply – Mobile Information Management(MIM) – Mobile Application Management(MAM) – Mobile Device Management(MDM) 31
  31. MIM • MIM refers to cloud-based services that syncs files and documents across different devices • MIM allows for sharing data of varying security classification across devices with varying degrees of trust • MIM intersects Cloud and Mobile Security • Public MIM services are Dropbox, Box, Microsoft SkyDrive, GoogleDrive • Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, Vmware Octopus • NFC technologies could be classified as MIM 32
  32. Security Challenges -MIM • BYOD in corporate environments • Potential synching of corporate data across both corporate and non-corporate issued endpoints • Sensitive bi-directional data leakage from user’s private and personal data into corporate and vice-versa • Access and Identity Management • Data classification , identification and protection • Difficult to apply and enforce any corporate security configurations across mobile devices • No existing virtual segregation capabilities for corporate/user components to allow for different security policies to be applied based on risk 33
  33. MDM • MDM involves downloading software that allows users/organizations to lock down • MDM allows controls like monitoring, encryption, policy enforcement , remote wiping etc.. • Addresses security at the device level as opposed to the application level • Especially challenging in BYOD era • One policy regardless of varying classification levels of applications on device – Policies like remote wiping could adversely affect user personal /private data 34
  34. Security Issues-MDM • Addresses security of device only • Has little insight into security health of applications • Treats all applications and all data at the same classification level • Difficulties in adoption in corporate environments that allows BYOD • Does not affect or improve the security of applications 35
  35. MAM • MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints • MAM can allow an organization to deliver applications like secure email, calendar, expense reporting • Allows security policies to be applied exclusively on specific applications based on their security classification – Encryption, remote wipe, remote application kill etc.. 36
  36. Security Issues-MAM • MAM seems to have the answer for MIM’s security challenges • MAM should solve the BYOD challenges since it allows for security policies to be applied to corporate applications and their data and allows for non-visibility into personal user information • MAM solutions have several challenges: – Rewrite secure versions of vendor applications(functionality challenges) – Allow vendors plug into their security platform – Currently works only an a few apps – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools) 37
  37. Mobile Security Convergence MDM All mobile security strategies converge on these MIM approaches MAM Mobile Application Security 38
  38. Thanks for listening… / Email for a free seat to the Mobile Apps Top 10 Security Risk Training Course 39

Notes de l'éditeur

  1. Please make a selection by clicking on the
  2. Mobile App Growth
  3. How consumers are evolving and changing their mobile behavior
  4. Mobile AppGrowth - / TXT MarketingNews AlertsTake a picture QR codes
  6. Please make a selection by clicking on the
  7. Side channel data leakage applies to data leakage via platform defaults, use of third party libraries, logging, etc. In order to provide the visual iOS has been proven to capture and store snapshots.This occurs when a device suspends (rather than terminates), when either the home button is pressed, or a phone call or other event temporarily suspends the applicationPlist is a structured text file that contains essential configuration information for a bundled executable
  8. A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in the plist files including authentication credentials, PIN and oAUTH tokensPlist files can be found in several location in the application directory . An example location and plist file content storing sensitive authentication credentials are shown on the screen
  10. Please make a selection by clicking on the
  11. Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages which are often ignored by the users. This results in users Phishing attacks where users end up providing personal information and private data to malicious websites that look like legitimate applicationsApplications that fall back or can be forced out of an encrypting mode can also be abused by attackers resulting in insecure communication. This is common on sites that operate on both HTTP and HTTPS services, or by the implementation of older versions of SSL on the web server that are vulnerable to downgrade attacks.
  12. In 2011, it was discovered that Android devices transmitted data and AuthToken session cookie via insecure HTTP. AuthToken is not bound to any session or device and thus would allow an adversary to access any personal data which is made available through the service API. This includes Google calendar, picasa and contact information for that user. For more Reference: issue here is the use of insecure HTTP channel which allows network eavesdropping of the authToken and user data
  14. Please make a selection by clicking on the
  15. InsecureData Storage applies to the locally stored data by the mobile applications. There are two types of mobiles apps - native apps and browser based apps. Native apps are apps that is installed in the handset, processes data locally and may connect to the internet for updates or sending user specific information to the server. Example: Gaming apps, News apps, etc. Browser based apps are apps that are accessible via mobile browser. This vulnerability applies to both categories of apps.Most apps stores user specific information on mobile devices. This data may be stored in clear text and may includeUsername and passwordPII, SSN, Health InformationDevice ID, Application configurationAccount Number, Credit Card, Financial Information
  17. Insecure transport layer protection is considered a high risk security vulnerabilityThe impact could includeLoss of Data Confidentiality & Integrity when sensitive information is revealed to the attackerData Tampering when attacker modifies application traffic and force user accept itMan-in-the-Middle (MITM attack) if an attacker diverts all traffic through an insecure channelImpersonation if the attacker hijacks user account
  18. Please make a selection by clicking on the
  19. Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches sensitive information, it may be recoverable. For UITextField, look into setting the autocorrectionType property to UITextAutocorrectionNo to disable caching. Set UITextField to OFF to prevent caching altogetherAdd an enterprise policy to clear the keyboard dictionary at regular intervals. This can be done by the end user by simply going to the Settings application, General > Reset > Reset Keyboard Dictionary
  20. Please make a selection by clicking on the