In this session, the focus will be on OWASP Top 10 mobile risks and prevention tips. Hackers’ exploitation of these most common mobile vulnerabilities will be demonstrated in the session.

2. Mobile Threats
and
OWASP Mobile Top 10 Risks

3. About Me
Founder & CEO of SecurBay Services Pvt. Ltd.
• Past: MIEL, Opus Software, Digite, HDFC Bank,
Standard Chartered Bank
• Conferences: ISACA, c0c0n
• Trainings/Workshop : Application Security
Founder & Editor of SecurityCrunch
• Online Daily Newsletter covering topics on
Information Security
• Free Subscription
• Readership across 30+ countries
• www.securitycrunch.in
© SecurBay 2012 3

4. Agenda
 Introduction
 Mobile Apps
 Mobile Threatscape
 OWASP Mobile Top 10 Risks
 Mobile Controls
 Questions
© SecurBay 2012 4

5. Mobile = Me
ROTI, KAPDA, MAKAN … AND MOBILE DEVICE
© SecurBay 2012 5

6. There is an App for that …
© SecurBay 2012 6

7. There is an App for that …
© SecurBay 2012 7

8. There is an App for that …
© SecurBay 2012 8

9. There is an App for that …
© SecurBay 2012 9

10. Rise of the Apps
1 Million Mobile Apps
$15 Billion of income from app sales in 2011*
30 Billion app Downloads from App Market Place
* Source: Gartner
© SecurBay 2012 10

11. Types of Mobile Apps
• Native apps
• Objective C on the iPhone or Java on Android devices.
• Use all the phone’s features, such as the mobile phone camera,
geolocation, and the user’s address book.
• E.g. Messaging, Telephony, Multimedia
• Web apps
• Web apps run in the phone’s browser
• The same base code can be used to support all devices, including
iPhone and Android.
• E.g. Mobile Banking, Reservation Systems
• Hybrid solutions
• A hybrid app is a native app with embedded HTML
• Facebook, Google Chat, Shopping
© SecurBay 2012 11

12. Mobile Apps Vs Traditional Web Apps
Web Apps Mobile Apps
Distribution Direct Access Marketplace
Database Server Side Local Storage
Reverse Engineering Difficult Possible
Limited Access to
Direct Access to Personal Data
Privacy Issues Personal Data
© SecurBay 2012 12

13. Mobile Threat Model
• Mobile Threat Model is similar to WebApp
Threat Model But..
• Platforms vary substantially
• External dependencies completely out of your control
• It’s more than just apps
• Cloud/network integration
• Device platform considerations
© SecurBay 2012 13

14. Mobile Threat Model
Backend Systems
Trust Boundaries
APPS
OS
Hardware
© SecurBay 2012 14

15. Concern Areas
Data Data at Rest
Specific Data in Use
Data in Motion
Platform Operating System Patches
Specific Malware
App Coding Vulnerabilities
Specific
© SecurBay 2012 15

16. Testing the Security of Mobile Applications
Type of Analysis Activities
Static Analysis
Source Code Source Code Scanning
Manual Source Code Review
Binary Reverse Engineering
Dynamic Analysis Debugger Execution
Traffic Capture via Proxy
Forensic Analysis File Permission Analysis
File Content Analysis
© SecurBay 2012 16

17. Mobile Testing
Mobile Emulators
© SecurBay 2012 17

18. Testing Tools
• Rooted device or Rooted Emulator
• ADB(Android debug Bridge)
• WireShark, BurpProxy
• SQLite Editor, Droidsheep
• APKTOOL, Agnitio, JD-GUI (utility that displays
Java source codes of ".class" files)
© SecurBay 2012 18

19. What is rooting?
• Rooting is the term
for gaining access to
the root (admin) of a
device
• Rooting method
depends on the make
of the mobile device
© SecurBay 2012 19

20. Testing Apps
Source: OWASP Source: McAfee
© SecurBay 2012 20

21. Rooting : Why shouldn’t I?
• Rooting voids device warranty
• If wrongly done, you may endup with bricked
phone in your hand
• Easy to get affected with viruses and malwares
21

22. OWASP Mobile Top 10 Risks
OWASP Mobile Top 10 Risk
M1 – Insecure Data Storage M6 – Improper Session Handling
M2 – Weak Server Side Controls M7 – Security Decisions Via
Untrusted Inputs
M3 – Insufficient Transport M8 – Side Channel Data Leakage
Layer Protection
M4 – Client Side Injection M9 – Broken Cryptography
M5 – Poor Authorization and M10 – Sensitive Information
Authentication Disclosure
Source: OWASP
Demo
© SecurBay 2012 22

23. M1 – Insecure Data Storage
• Data stored unprotected which can be
accessed by unauthorized application /
person
• Happens due to:
•Data stored unencrypted
•Caching of data
•Global or weak permissions
•Ignorance of platform specific best-practices
© SecurBay 2012 23

24. DEMO

25. iPhone App – Path steps on Privacy Landmine
Path App was sending users contact details to its servers
Path CEO: We screwed up by uploading your
personal data, and we’ve erased it!!!
© SecurBay 2012 25

26. M1 – Insecure Data Storage
• Impact
•Confidentiality of data lost
•Credentials disclosed
•Privacy violations
•Non-compliance
• Prevention Tips
•Store ONLY what is absolutely required
•Never use public storage areas (ie- SD card)
•Leverage secure containers and platform provided
file encryption APIs
•Do not grant files world readable or world
writeable permissions
© SecurBay 2012 26

27. M2 – Weak Server Side Controls
• Applies to the backend services
• Happens due to:
•Insecure backend API & platforms
• Impact
•Confidentially of data lost
•Integrity of data not trusted
© SecurBay 2012 27

28. M2 – Weak Server Side Controls
• Prevention Tips
•OWASP Web Top 10, Cloud Top 10, Web Services
Top 10
•Cheat sheets, development guides, ESAPI
© SecurBay 2012 28

29. M3 – Insufficient Transport Layer Protection
• Lack of encryption for transmitted data
• Happens due to:
•Weakly encrypted data in transit
•No encryption at all
Remember This ?
© SecurBay 2012 29

30. DEMO

31. M3 – Insufficient Transport Layer Protection
• Impact
•Man-in-the-middle attacks
•Tampering wireless data in transit
•Confidentiality of data lost
• Prevention Tips
•Ensure that all sensitive data leaving the device is
encrypted
•This includes data over carrier networks, WiFi,
and even NFC (Near field communication)
•Do not ignore security exceptions warnings
© SecurBay 2012 31

32. M4 – Client Side Injection
• Apps using browser libraries
•Pure web apps
•Hybrid web/native apps
© SecurBay 2012 32

33. DEMO

34. M4 – Client Side Injection
• Impact
•Device compromise
•Toll fraud
•Privilege escalation
• Prevention Tips
•Sanitize or escape untrusted data before
rendering or executing it
•Use parameterized statements for database calls
© SecurBay 2012 34

35. M5 – Poor Authorization and Authentication
• Some apps rely solely on immutable,
potentially compromised values (IMEI, IMSI,
UUID)
• Eg: Changing the application would no
longer ask for authentication
© SecurBay 2012 35

36. M5 – Poor Authorization and Authentication
• Impact
•Unauthorized access
•Privilege escalation
• Prevention Tips
•Never use device ID or subscriber ID as sole
authenticator
•Contextual info can enhance things, but only as
part of a multi-factor implementation
© SecurBay 2012 36

37. M6 – Improper Session Handling
• Mobile app session time is generally longer
for convenience and usability
• Apps maintain sessions via
• HTTP cookies
• OAuth tokens
• SSO authentication services
• Demo: Facebook session captured &
browsed
© SecurBay 2012 37

38. DEMO

39. M6 – Improper Session Handling
• Impact
•Privilege escalation
•Unauthorized access
•Circumvent licensing and payments
• Prevention Tips
•Re-authenticate users after fixed idle time
•Ensure that tokens can be revoked quickly in the
event of a lost/stolen device
© SecurBay 2012 39

40. M7 – Security Decisions Via Untrusted Inputs
• Change in application security permission set
in AndroidManifest.xml file
• May happen due to:
• Malware
• Client side injection
© SecurBay 2012 40

41. DEMO

42. M7 – Security Decisions Via Untrusted Inputs
• Impact
•Can be leveraged to bypass permissions and security
models
• Prevention Tips
•Check caller’s permissions at input boundaries
•Prompt the user for additional authorization before
allowing
•In a situation when permission checks cannot be
performed, ensure additional steps are required to
launch sensitive actions
© SecurBay 2012 42

43. M8 – Side Channel Data Leakage
• Mix of not disabling platform features and
programmatic flaws
• Sensitive data resides at unintended places
• Web caches
• Keystroke logging
• Screenshots (ie- iOS backgrounding)
• Logs (system, crash)
• Temp directories
• Understand what 3rd party libraries are doing
with user data (ad networks, analytics)
© SecurBay 2012 43

44. M8 – Side Channel Data Leakage
• Impact
•Data retained indefinitely
•Privacy violations
• Prevention Tips
•Never log credentials, or other sensitive data to
system logs
•Remove sensitive data before screenshots are taken
•Carefully review any third party libraries you
introduce and the data they consume
•Test your applications across as many platform
versions as possible
© SecurBay 2012 44

45. M9 – Broken Cryptography
• Two primary categories
• Broken implementations using strong crypto
libraries
• Custom, easily defeated cryptography
© SecurBay 2012 45

46. M9 – Broken Cryptography
• Impact
•Confidentiality of data lost
•Privilege escalation
•Circumvent business logic
• Prevention Tips
•Storing the key with the encrypted data defeats
everything
•Leverage battle-tested crypto libraries vice writing
your own
•Leverage platform features
© SecurBay 2012 46

47. M10 – Sensitive Information Disclosure
• Apps can be reverse engineered with relative
ease
• Application logging
© SecurBay 2012 47

48. DEMO

49. M10 – Sensitive Information Disclosure
• Impact
•Credentials disclosed
•Intellectual property exposed
• Prevention Tips
•Keep proprietary and sensitive business logic on the
server
•Never hardcode a password in application binary
© SecurBay 2012 49

50. Best Practices
50

51. Top 10 mobile controls and design principles
1. Identify and protect sensitive data on the mobile
device
2. Handle password credentials securely on the device
3. Ensure sensitive data is protected in transit
4. Implement user authentication/authorization and
session management correctly
5. Keep the backend APIs (services) and the platform
(server) secure
© SecurBay 2012 51

52. Top 10 mobile controls and design principles
6. Perform data integration with third party services/applications
securely
7. Pay specific attention to the collection and storage of consent
for the collection and use of the user’s data
8. Implement controls to prevent unauthorised access to paid-
for resources (wallet, SMS, phone calls etc...) Risks
9. Ensure secure distribution/provisioning of mobile applications
10. Carefully check any runtime interpretation of code for errors
© SecurBay 2012 52

53. References
• OWASP Mobile Top Ten Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Proj
ect#Top_Ten_Mobile_Risks
• OWASP - Top Ten Mobile Controls
https://www.owasp.org/index.php/OWASP_Mobile_Security_Proj
ect#Top_Ten_Mobile_Controls
• OWASP GoatDroid Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Proj
ect#OWASP_GoatDroid_Project
© SecurBay 2012 53

54. Questions
© SecurBay 2012

55. Thank you, ISACA!
santosh@securbay.com
@ satamsantosh
© SecurBay 2012

56. > Innovative
Solutions &
Services
56