There is an App for that!
• Pay bills
• File income taxes
• Pay property tax
• Scan & Shop
• Deposit checks
• Transfer money
• Store medical records
• Refill prescription
• Manage health information
• Remember your meds
• Book flight / hotel
• Medscape / pharmacopia
• Small Business Payroll
• Pay invoice
• Location based check in
• Personal finance
• Investments & 401k
• Health & Fitness
• Productivity
• Facebook / twitter
• Place bets on sports
• Utilities
• Store passwords
• Document storage
6
Business Case for Mobile Presence
• Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers
• Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers.
• Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more.
• Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, information services, mobile banking, mobile brokerage, mobile purchase
9
Security Concerns
• Side Channel Data Leakage
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Insecure Data Storage
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Broken Cryptography
• Sensitive Information Disclosure
• Hardcoded password/keys
• Privacy compliance
• Identity exposure
• Activity monitoring and data retrieval
• Unauthorized dialing, SMS, and payments
• Unauthorized network connectivity (data exfiltration or command & control)
• UI (unique identifier) impersonation
• System modification (rootkit, APN proxy configuration)
• Mobile Malware
• Criminals Target and Infect App Stores
• Social-Engineering
• Geolocation compromise
• Security Regulatory Compliance
• Device Risk
• BYOD / MDM
• Application management
• Installation of un-verified / unsigned 3rd party apps
10
Agenda
Introduction
Growth / Revenue
Security Concerns
Mobile Apps Top 3 Risks
Side Channel Leakage
Insecure Transport / Server Controls
Insecure Data Storage
Countermeasures & Risk Management
11
Side Channel Data Leakage
Data leakage via platform defaults, use of third party libraries, logging, etc.
• Snapshot (i.e. iOS backgrounding)
• Plist files
Sometimes the result of programmatic flaws
Agenda
Mobile Platform Risks
Mobile Apps Top 3 Risks
Side Channel Leakage
Insecure Transport / Server Controls
Insecure Data Storage
Countermeasures & Risk Management
16
Insecure Transport/Server Controls
Failing to encrypt network traffic that carries sensitive data
Insecure server controls - web, application and backend API - can lead to security compromise
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
Side Channel Leakage
Insecure Transport / Server Controls
Insecure Data Storage
Countermeasures & Risk Management
21
Insecure Data Storage
Locally stored data, in both native and browser-based apps, including:
• SQLite / Cache files
• Keychain – Is this really secure?
22
Risk & Impact: High
Sensitive Data exposure
• Username & password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information
Loss of Data Confidentiality & Integrity
Data Tampering
Man-in-the-Middle (MITM attack)
Impersonation
Unauthorized access to application data or
functionality
Privacy Violations / reputation damage
Agenda
Introduction
Mobile Apps Top 3 Risks
Insecure Data Storage
Insecure Transport / Server Controls
Side Channel Leakage
Countermeasures & Risk Management
Tactical
Strategic
26
Secure Programming / Education
Disable Cache - Set the autocorrectionType property to UITextAutocorrectionNo for UITextField
Disable Snapshot – Use the applicationWillResignActive delegate method
Disable Logs – Disable NSLog and NSAssert
Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace
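Added example (not code from the deck or its authors) that puts the four controls on this slide into one Objective-C app delegate. SecureAppDelegate, the privacyCover view and the host api.example.com are assumptions. The UIKit constant is spelled UITextAutocorrectionTypeNo; the NSURLConnection delegate methods are the iOS 5-era ones the slide names (Apple has since deprecated them in favour of NSURLSession), and "disable NSLog" is done with a compile-time macro so release builds never reach the console.

```objectivec
#import <UIKit/UIKit.h>
#import <Security/Security.h>

// 3. Logging: in release builds SecureLog compiles to nothing, so no value
//    ever reaches the device console/syslog. Use it instead of NSLog everywhere.
#ifdef DEBUG
#define SecureLog(fmt, ...) NSLog((fmt), ##__VA_ARGS__)
#else
#define SecureLog(fmt, ...) do {} while (0)
#endif

@interface SecureAppDelegate : UIResponder <UIApplicationDelegate, NSURLConnectionDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *privacyCover; // hypothetical: overlay shown while inactive
@end

@implementation SecureAppDelegate

// 1. Keyboard cache: a field that takes sensitive input must not feed the
//    autocorrection dictionary; password fields additionally use secureTextEntry.
- (void)configureSensitiveField:(UITextField *)field isPassword:(BOOL)isPassword {
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.autocapitalizationType = UITextAutocapitalizationTypeNone;
    field.secureTextEntry = isPassword;
}

// 2. Snapshot: iOS captures the screen when the app resigns active. Covering
//    the window first means the cached snapshot holds the cover, not the data.
- (void)applicationWillResignActive:(UIApplication *)application {
    self.privacyCover = [[UIView alloc] initWithFrame:self.window.bounds];
    self.privacyCover.backgroundColor = [UIColor whiteColor];
    [self.window addSubview:self.privacyCover];
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.privacyCover removeFromSuperview];
    self.privacyCover = nil;
}

// Example of logging without leaking the credential itself.
- (void)loginWithUser:(NSString *)user password:(NSString *)password {
    SecureLog(@"login attempt, user length %lu", (unsigned long)user.length);
    // ... submit over fetchSensitiveResource-style HTTPS request ...
}

// 4. Transport: only HTTPS URLs, and evaluate the server certificate chain
//    ourselves instead of silently continuing on failure.
- (void)fetchSensitiveResource {
    NSURL *url = [NSURL URLWithString:@"https://api.example.com/account"]; // placeholder host
    NSURLRequest *req = [NSURLRequest requestWithURL:url];
    [NSURLConnection connectionWithRequest:req delegate:self];
}

- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Never "continue without credential" on a failed chain: that fallback
        // is what lets a MITM certificate through.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

The trust check accepts only the two results that mean the system trust store validated the chain; any warning state is treated as failure, which is the opposite of the "ignore the warning" behaviour the deck's notes describe for web users. Certificate pinning can be layered on top by comparing SecTrustGetCertificateAtIndex(trust, 0) against a bundled certificate before calling useCredential.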
27
Encrypt Data
Data Protection API - set the NSFileProtectionKey
on an existing file
Keychain – Apple recommends storing Sensitive
data like passwords and keys in the Keychain
CCCrypt - provides access to AES, DES, 3DES
SQLCipher (iOS & Android) - transparent 256-bit AES encryption of database files
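Added example (not the deck's own code) showing the first three items on this slide as small Objective-C helpers: the Data Protection attribute on an existing file, a Keychain write, and AES-256 via CCCrypt. The function names, service/account strings and the iv||ciphertext layout are assumptions. CCCrypt also exposes DES and 3DES as the slide says, but the example deliberately uses only AES; the key comes from the system RNG and is kept in the Keychain, never hardcoded (one of the concerns listed earlier in the deck).

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCryptor.h>

// Data Protection API: mark an existing file so iOS keeps it encrypted with a
// passcode-derived key whenever the device is locked.
static BOOL protectFileAtPath(NSString *path, NSError **error) {
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// Keychain: store a secret under a service/account pair instead of in a plist
// or NSUserDefaults. Replaces any earlier value for the same pair.
static OSStatus storeSecretInKeychain(NSString *service, NSString *account, NSData *secret) {
    NSDictionary *query = @{ (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
                             (__bridge id)kSecAttrService : service,
                             (__bridge id)kSecAttrAccount : account };
    SecItemDelete((__bridge CFDictionaryRef)query);
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = secret;
    // Readable only while unlocked, and never restored onto another device.
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Fresh 256-bit key from the system RNG; returns nil if the RNG fails.
static NSData *randomAESKey(void) {
    NSMutableData *key = [NSMutableData dataWithLength:kCCKeySizeAES256];
    if (SecRandomCopyBytes(kSecRandomDefault, key.length, key.mutableBytes) != 0) return nil;
    return key;
}

// AES-256-CBC with PKCS#7 padding and a random IV per message.
// Returns iv || ciphertext, or nil on failure. CBC alone gives confidentiality,
// not integrity: add an HMAC over the blob if tampering must be detected.
static NSData *aesEncrypt(NSData *plaintext, NSData *key) {
    if (key.length != kCCKeySizeAES256) return nil;
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(iv), iv) != 0) return nil;
    size_t capacity = plaintext.length + kCCBlockSizeAES128;
    NSMutableData *out = [NSMutableData dataWithLength:capacity];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv,
                                 plaintext.bytes, plaintext.length,
                                 out.mutableBytes, capacity, &moved);
    if (st != kCCSuccess) return nil;
    out.length = moved;
    NSMutableData *blob = [NSMutableData dataWithBytes:iv length:sizeof(iv)];
    [blob appendData:out];
    return blob;
}

static NSData *aesDecrypt(NSData *blob, NSData *key) {
    if (key.length != kCCKeySizeAES256 || blob.length < kCCBlockSizeAES128) return nil;
    const uint8_t *iv = blob.bytes;
    const uint8_t *ct = iv + kCCBlockSizeAES128;
    size_t ctLen = blob.length - kCCBlockSizeAES128;
    NSMutableData *out = [NSMutableData dataWithLength:ctLen];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv, ct, ctLen,
                                 out.mutableBytes, ctLen, &moved);
    if (st != kCCSuccess) return nil;
    out.length = moved;
    return out;
}

// Typical flow: key lives in the Keychain, the encrypted record on disk is
// additionally covered by the Data Protection attribute.
static BOOL saveRecord(NSData *record, NSString *path) {
    NSData *key = randomAESKey();
    if (!key) return NO;
    if (storeSecretInKeychain(@"com.example.app", @"record-key", key) != errSecSuccess) return NO;
    NSData *blob = aesEncrypt(record, key);
    if (!blob || ![blob writeToFile:path atomically:YES]) return NO;
    return protectFileAtPath(path, NULL);
}
```

kCCAlgorithmAES128 names the block size, not the key size; passing a 32-byte key selects AES-256, which is the same construction SQLCipher applies transparently to a whole SQLite file.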
28
Secure Design / Architecture
• Do not trust the client. Store sensitive data on the server
• Perform server side data validation and canonicalization
• Only collect and disclose data which is required for business
use of the application
• Define and deploy secure configuration
• Establish common set of security requirements
• Perform periodic security scans and audits
• Protect sensitive data using HTTPS & SSL
• Do not log credentials, PII and other sensitive data
• Review all third party libraries before use
29
Mobile Strategy & Challenges
• There are 3 major components of a mobile strategy that most organizations have to apply
– Mobile Information Management(MIM)
– Mobile Application Management(MAM)
– Mobile Device Management(MDM)
31
MIM
• MIM refers to cloud-based services that sync files and documents across different devices
• MIM allows for sharing data of varying security
classification across devices with varying degrees
of trust
• MIM intersects Cloud and Mobile Security
• Public MIM services are Dropbox, Box, Microsoft
SkyDrive, GoogleDrive
• Corporate MIM solutions include
Monodesk, WatchDox, Citrix ShareFile, VMware Octopus
• NFC technologies could be classified as MIM
32
Security Challenges -MIM
• BYOD in corporate environments
• Potential synching of corporate data across both
corporate and non-corporate issued endpoints
• Sensitive bi-directional data leakage from user’s private
and personal data into corporate and vice-versa
• Access and Identity Management
• Data classification, identification and protection
• Difficult to apply and enforce any corporate security
configurations across mobile devices
• No existing virtual segregation capabilities for
corporate/user components to allow for different
security policies to be applied based on risk
33
MDM
• MDM involves downloading software that
allows users/organizations to lock down
• MDM allows controls like monitoring, encryption, policy enforcement, remote wiping, etc.
• Addresses security at the device level as
opposed to the application level
• Especially challenging in BYOD era
• One policy regardless of varying classification
levels of applications on device
– Policies like remote wiping could adversely affect
user personal /private data
34
Security Issues-MDM
• Addresses security of device only
• Has little insight into security health of
applications
• Treats all applications and all data at the same
classification level
• Difficulties in adoption in corporate environments that allow BYOD
• Does not affect or improve the security of
applications
35
MAM
• MAM solutions allow users and organizations
to control the security of specific applications
that are deployed on mobile endpoints
• MAM can allow an organization to deliver
applications like secure
email, calendar, expense reporting
• Allows security policies to be applied
exclusively on specific applications based on
their security classification
– Encryption, remote wipe, remote application kill, etc.
36
Security Issues-MAM
• MAM seems to have the answer for MIM’s security challenges
• MAM should solve the BYOD challenges since it allows security policies to be applied to corporate applications and their data while giving the organization no visibility into personal user information
• MAM solutions have several challenges:
– Rewrite secure versions of vendor applications (functionality challenges)
– Allow vendors to plug into their security platform
– Currently works only on a few apps
– Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools)
37
Mobile Security Convergence
All mobile security strategies converge on these approaches:
• MDM
• MIM
• MAM
→ Mobile Application Security
38
Thanks for listening…
kartik@symosis.com / Lenin.Aboagye@apollogrp.edu
Email info@symosis.com for a free seat to the Mobile
Apps Top 10 Security Risk Training Course
39
Editor's notes
Mobile App Growth
How consumers are evolving and changing their mobile behavior: http://www.pwc.com/us/en/industry/entertainment-media/publications/assets/consumer-research-series-smartphones.pdf
Mobile App Growth - http://www.appconomist.com/2011/08/01/fortune-500-apps-a-50-update/
• Transaction
• Marketing
• SMS / TXT Marketing
• News Alerts
• Take a picture QR codes
Side channel data leakage applies to data leakage via platform defaults, use of third party libraries, logging, etc. In order to provide the visual transition, iOS has been proven to capture and store snapshots. This occurs when a device suspends (rather than terminates) an application, when either the home button is pressed or a phone call or other event temporarily suspends the application. A plist is a structured text file that contains essential configuration information for a bundled executable.
A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in the plist files, including authentication credentials, PINs and OAuth tokens. Plist files can be found in several locations in the application directory. An example location and plist file content storing sensitive authentication credentials are shown on the screen.
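Added example (not from the deck) of the check a reviewer can run against an app's own plist files before release: it parses a property list with Foundation and reports every key path whose name suggests a credential. The key-fragment list, the auditPlistData name and the embedded sample plist are all constructed for this illustration; the placeholder values stand in for whatever the real file held.

```objectivec
#import <Foundation/Foundation.h>

// Key fragments that usually mean the value belongs in the Keychain, not a plist.
// Heuristic only: "pin" will also match names such as "pinned".
static NSArray *sensitiveKeyFragments(void) {
    return @[ @"password", @"passwd", @"pin", @"token", @"secret", @"apikey", @"oauth", @"ssn" ];
}

static BOOL keyLooksSensitive(NSString *key) {
    NSString *lower = key.lowercaseString;
    for (NSString *frag in sensitiveKeyFragments()) {
        if ([lower rangeOfString:frag].location != NSNotFound) return YES;
    }
    return NO;
}

// Walk the plist object graph (dictionaries and arrays nest arbitrarily) and
// collect dotted key paths whose final component looks like a credential.
static void collectSensitiveKeyPaths(id node, NSString *path, NSMutableArray *found) {
    if ([node isKindOfClass:[NSDictionary class]]) {
        for (NSString *key in node) {
            NSString *childPath = path.length ? [path stringByAppendingFormat:@".%@", key] : key;
            if (keyLooksSensitive(key)) [found addObject:childPath];
            collectSensitiveKeyPaths(node[key], childPath, found);
        }
    } else if ([node isKindOfClass:[NSArray class]]) {
        NSUInteger i = 0;
        for (id child in node) {
            collectSensitiveKeyPaths(child, [path stringByAppendingFormat:@"[%lu]", (unsigned long)i++], found);
        }
    }
}

// Returns the list of suspicious key paths, or nil if the data is not a valid plist.
static NSArray *auditPlistData(NSData *data, NSError **error) {
    id root = [NSPropertyListSerialization propertyListWithData:data
                                                        options:NSPropertyListImmutable
                                                         format:NULL
                                                          error:error];
    if (!root) return nil;
    NSMutableArray *found = [NSMutableArray array];
    collectSensitiveKeyPaths(root, @"", found);
    return found;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Constructed sample: the shape of a preferences plist with leaked credentials.
        NSString *sample = @"<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            "<plist version=\"1.0\"><dict>"
            "<key>Username</key><string>alice</string>"
            "<key>Password</key><string>PLACEHOLDER</string>"
            "<key>Session</key><dict><key>oauth_token</key><string>PLACEHOLDER</string></dict>"
            "<key>Theme</key><string>dark</string>"
            "</dict></plist>";
        NSError *err = nil;
        NSArray *hits = auditPlistData([sample dataUsingEncoding:NSUTF8StringEncoding], &err);
        if (!hits) { NSLog(@"not a plist: %@", err); return 2; }
        for (NSString *h in hits) NSLog(@"sensitive key in plist: %@", h);
        // For the sample above this reports "Password" and "Session.oauth_token".
        return hits.count ? 1 : 0; // non-zero exit lets a build script fail the audit
    }
}
```

Pointing the same function at the plists under an installed app's Library/Preferences directory turns this into a release-gate check; a hit means the value should move to the Keychain as the countermeasures slides recommend.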
Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages which are often ignored by the users. Because users learn to click through the warnings, phishing attacks succeed: users end up providing personal information and private data to malicious websites that look like legitimate applications. Applications that fall back, or can be forced out of an encrypting mode, can also be abused by attackers, resulting in insecure communication. This is common on sites that operate both HTTP and HTTPS services, or where older versions of SSL that are vulnerable to downgrade attacks are implemented on the web server.
In 2011, it was discovered that Android devices transmitted data and the AuthToken session cookie via insecure HTTP. The AuthToken is not bound to any session or device, so it would allow an adversary to access any personal data made available through the service API, including Google Calendar, Picasa and contact information for that user. Reference: http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html The issue here is the use of an insecure HTTP channel, which allows network eavesdropping on the AuthToken and user data.
Insecure data storage applies to the data stored locally by mobile applications. There are two types of mobile apps: native apps and browser-based apps. Native apps are installed on the handset, process data locally and may connect to the internet for updates or to send user-specific information to the server (for example gaming apps, news apps, etc.). Browser-based apps are accessible via the mobile browser. This vulnerability applies to both categories of apps. Most apps store user-specific information on the mobile device. This data may be stored in clear text and may include:
• Username and password
• PII, SSN, Health Information
• Device ID, Application configuration
• Account Number, Credit Card, Financial Information
Insecure transport layer protection is considered a high-risk security vulnerability. The impact could include:
• Loss of Data Confidentiality & Integrity when sensitive information is revealed to the attacker
• Data Tampering when the attacker modifies application traffic and forces the user to accept it
• Man-in-the-Middle (MITM) attack if an attacker diverts all traffic through an insecure channel
• Impersonation if the attacker hijacks the user account
Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches typed text, sensitive information may be recoverable. For UITextField, set the autocorrectionType property to UITextAutocorrectionNo to disable caching. Set UITextField to OFF to prevent caching altogether. Add an enterprise policy to clear the keyboard dictionary at regular intervals. The end user can do this manually in the Settings application: General > Reset > Reset Keyboard Dictionary.