Security Testing Mobile Applications
Jeff Payne
Coveros, Inc
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds
secure software applications using agile methods. Since its inception in 2008, Coveros
has become a market leader in secure agile principles and has been recognized by Inc.
magazine as one of the fastest growing private US companies. Prior to founding
Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a
market leader in software security consulting. Jeff has published more than thirty
papers on software development and testing, and testified before Congress on issues
of national importance, including intellectual property rights, cyber terrorism, and
software quality.
2/24/2014
Security Testing Mobile Applications
Jeffery Payne
Chief Executive Officer
Coveros, Inc.
jeff.payne@coveros.com
www.coveros.com
© Copyright 2013 Coveros, Inc. All rights reserved.
Bio
Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that
helps organizations accelerate the delivery of secure, reliable software. Coveros
uses agile development methods and a proven software assurance framework to
build security and quality into software from the ground up. Prior to founding
Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc.
Under his direction, Cigital became a leader in software security and software
quality solutions, helping clients mitigate the risk of software failure. Jeffery is a
recognized software expert and popular speaker at both business and technology
conferences on a variety of software quality, security, and agile development
topics. He has also testified before Congress on issues of national importance,
including intellectual property rights, cyber-terrorism, software research funding,
and software quality.
Coveros helps organizations accelerate the delivery of
secure, reliable software
About Coveros
Our consulting services:
– Agile software development
– Application security
– Software quality assurance
Areas of Expertise
Agile services
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role
What this talk is NOT about
Penetration testing
Testing tools
Test cases
What this talk IS about
Mobile threats
Mobile risks
Test strategy based on these
Agenda
Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model
Mobile risks and test strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks
Getting more help
Mobile Apps: The Perfect Security Storm
[Diagram: fat client concerns, traditional software security concerns and traditional web security concerns overlap, with untrusted apps and untrusted users layered on top]
Mobile Apps: The Perfect Security Storm: A Changing Threat Model
New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends
Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data
Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages
Mobile App Security: Mobile Risks
Local storage – Storage of data (implicitly or explicitly) on a device
Session management – Managing the on-going interactions between a
mobile app user and the rest of a distributed environment
Untrusted clients – Client requests might not be legitimate
Native Code – Native code is still prevalent in mobile applications
Mobile Platforms – How the device (and OS) configures and controls apps
Traditional Risks – Other risks we already know about
Mobile App Security: Best Practices
Do Not Allow Storage of Sensitive Data on Devices
Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often
misused by developers
– UI screens are captured and stored in “temporary” storage
What to test/check for
– Sensitive data is properly stored on back-end servers behind a
firewall
– Sensitive data is replaced on UI with replacement tokens or partial
data when it doesn’t need to be fully viewable
– Encryption routines for any local data use a computational key
derivation function to produce their keys
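Two of the checks above, worked as an added example (not code from the talk or from Coveros): a local-data key produced by a computational key derivation function (PBKDF2-HMAC-SHA256 here) from a passphrase plus a per-install salt, so no key constant ever sits on the device, and a masking helper that keeps full values off UI screens that may be captured into temporary storage. The key length, iteration counts and function names are assumptions.

```python
import hashlib
import os

# Assumed parameters (not from the talk): 256-bit key, PBKDF2 iteration count
# tuned for the target device's CPU, and a floor below which the KDF is too cheap.
KEY_LEN = 32
PBKDF2_ITERATIONS = 200_000
MIN_ITERATIONS = 10_000


def new_salt() -> bytes:
    """Per-install random salt, stored next to the ciphertext; never a constant in the binary."""
    return os.urandom(16)


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a local-data encryption key with PBKDF2-HMAC-SHA256.

    The key itself is never written to the device: it is recomputed from the
    user's passphrase and the stored salt whenever the app needs to decrypt.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count too low for a computational KDF")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def mask_for_ui(value: str, visible: int = 4) -> str:
    """Replace all but the last `visible` characters with '*' before a value is
    rendered, so screenshots and 'temporary' UI storage never hold the full secret."""
    compact = value.replace(" ", "").replace("-", "")
    if len(compact) <= visible:
        return "*" * len(compact)
    return "*" * (len(compact) - visible) + compact[-visible:]


def keys_are_install_specific(passphrase: str) -> bool:
    """Self-check a tester can run: same passphrase, two salts, two different keys."""
    s1, s2 = new_salt(), new_salt()
    return derive_key(passphrase, s1) != derive_key(passphrase, s2)
```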
Mobile App Security: Best Practices
Make Sure Sessions are Managed Carefully
Why?
– Mobile application sessions tend to be left open longer on mobile
devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your
applications if session management isn’t secure
– People often leave their phones lying around …
What to test/check for
– Idle sessions are automatically terminated after no more than 5
minutes
– Device identifier / MEID is not used as a session token
– Token revocation is supported and works remotely
– Session keys are temporary (to thwart ‘replay attacks’)
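The session checks above, as an added example of what a back-end that passes them looks like (an assumed design, not Coveros code): per-login random tokens that owe nothing to a device identifier, a 5-minute idle cut-off, and server-side revocation that works remotely. The class and function names are assumptions; the device-id values in the tester's check are constructed.

```python
import secrets
import time

# The talk's limit: idle sessions end after no more than 5 minutes.
IDLE_TIMEOUT_SECONDS = 5 * 60


class SessionStore:
    """In-memory session store for a mobile back-end (assumed design).

    Tokens are fresh random values per login, unrelated to any device
    identifier, and can be revoked server-side so a lost phone's session
    can be killed remotely.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self._idle_timeout = idle_timeout
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def create(self, user_id: str, now: float = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never the MEID
        self._sessions[token] = {"user": user_id,
                                 "last_seen": time.time() if now is None else now}
        return token

    def validate(self, token: str, now: float = None):
        """Return the session's user if it is live, else None; a hit resets idle time."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]  # expired: drop it so the token cannot be replayed later
            return None
        entry["last_seen"] = now
        return entry["user"]

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user_id: str) -> int:
        """Remote kill switch for a lost or stolen device: ends every session of the user."""
        doomed = [t for t, e in self._sessions.items() if e["user"] == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def token_embeds_device_id(token: str, device_ids) -> bool:
    """Tester's check: a session token must never equal or contain a device id / MEID."""
    return any(d and d in token for d in device_ids)
```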
Mobile App Security: Best Practices
Assume No Client (or App) is Trustworthy
Why?
– The increased threat of mobile device compromise means no client
/ App requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy
compromise
What to test/check for
– Lower levels of encryption (export grade) have been disabled on the
backend servers
– Test the integrity of all data received from a client or other
application
– Test that all data received from a user or client has been sanitized
– Test that only the minimum amount of info is returned to clients
when there is an error
– Move all default directories on all servers
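An added example (not from the talk) of a back-end handler that treats every client request as hostile, covering three of the checks above: an integrity tag over the raw body (an HMAC scheme is assumed here; the talk only says to test integrity), allowlist validation and sanitization of every field, and one opaque error for every failure so nothing useful leaks back. The key, limits, field names and sample request are constructed.

```python
import hashlib
import hmac
import json
import re

# Constructed values for the demo: in a real deployment the MAC key is per session
# and agreed after authentication; the limits below are assumed business rules.
DEMO_MAC_KEY = b"demo-session-mac-key-not-for-production"
ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")
MAX_AMOUNT_CENTS = 1_000_000
REJECTED = {"ok": False, "error": "request rejected"}  # one opaque error for every failure

# Constructed sample request as a client would send it (memo carries markup on purpose)
SAMPLE_BODY = json.dumps({"to_account": "12345678", "amount_cents": 2500,
                          "memo": "rent <script>alert(1)</script>"},
                         separators=(",", ":")).encode("utf-8")


def sign(body: bytes, key: bytes = DEMO_MAC_KEY) -> str:
    """Integrity tag the client attaches; the server recomputes it over the raw bytes."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_transfer(raw_body: bytes, tag: str, key: bytes = DEMO_MAC_KEY) -> dict:
    """Server-side handling of a request from a client that is assumed hostile."""
    # 1. Integrity: constant-time comparison; a tampered body or forged tag fails here.
    if not hmac.compare_digest(sign(raw_body, key), tag):
        return dict(REJECTED)
    # 2. Strict parsing: a malformed body gets the same opaque error, never a stack trace.
    try:
        req = json.loads(raw_body)
    except ValueError:
        return dict(REJECTED)
    # 3. Validate every field against an allowlist; unexpected fields are refused outright.
    if not isinstance(req, dict) or set(req) != {"to_account", "amount_cents", "memo"}:
        return dict(REJECTED)
    if not isinstance(req["to_account"], str) or not ACCOUNT_RE.match(req["to_account"]):
        return dict(REJECTED)
    amount = req["amount_cents"]
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT_CENTS:
        return dict(REJECTED)
    # 4. Sanitize free text: keep only word characters and basic punctuation, cap the length.
    memo = re.sub(r"[^\w .,-]", "", str(req["memo"]))[:64]
    return {"ok": True, "to_account": req["to_account"], "amount_cents": amount, "memo": memo}
```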
Mobile App Security: Best Practices
Test Native Code for Known Vulnerabilities
Why?
– Mobile platforms often support the development of native code
applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C, and Java
can call native code
– VM’s often include vulnerabilities!
What to test/check for
– Check that Address Space Layout Randomization (ASLR) is being
used to combat overflow attacks
– Perform traditional secure code scanning on all native code
– Recommend avoiding native code if possible
Mobile App Security: Best Practices
Understand Your Mobile Platform
Why?
– Each platform uses a different security model
– Each platform manages applications differently
What to understand
– Learn how applications store data, protect it from access, and when
data is physically deleted from the device
– Understand the default configurations for applications, browsers,
and communication protocols
– Learn how and when information is cached, keyboard keys are
logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Mobile App Security: Best Practices
Don’t Forget About Traditional Risks
Why?
– Mobile applications are often just mobile front-ends for our
traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin client mobile apps
What to test/check for
– SQL injections
– Web application security issues (XSS, CSRF, etc.)
Mobile App Security: Getting Smarter
OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs