By Ahmed Samara, Information Security Engineer, Security-Meter
• Definitions
• Why is Mobile Security important?
• How Secure Are You?
• Mobile Malware History
• Mobile Security Components
• OWASP Overview
• OWASP Mobile Top 10 Risks
• Live Demo on Most Dangerous Vulnerabilities
• Security-Meter was founded in 2009 to help organizations secure their journey; our whole concern is your security and the prevention of cyber-security attacks.
• Vulnerability
• SQL Injection [embedding untrusted input into raw SQL statements]
• XSS [injecting JavaScript through untrusted input]
• Exploit
• Threat [anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset]
• Risk = Asset * Threat * Vulnerability
Vulnerability: weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Risk: the potential for loss, damage
• [BYOD] Bring Your Own Device
• Refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace
The term BYOD first entered common use in 2009, courtesy of Intel, and exposed organizations to new risk. The Middle East had one of the highest adoption rates of the practice worldwide (about 80%) in 2012. High-growth markets (including Brazil, Russia, India, UAE, and Malaysia) show a much higher propensity to use one's own device at work: almost 75% of users in these countries did so, compared to 44% in the more mature developed markets. MDM (Mobile Device Management) provides organizations with the ability to control applications and content on the device.
Secure these devices in the company network.
82% of the apps track you, and they know when you use Wi-Fi and data networks, when you turn on your device, and your current and last location; some of them are malware.
PermissionDog & Pocket Permissions
According to McAfee's Q4 report, there were more than 2.47 million new mobile malware samples in 2013, and it has been 11 years since the first mobile malware was created. The word malware (malicious software) describes any piece of code designed to infect your computer (or mobile device).
• The main Mobile components are:
• Device Hardware: smart phones, tablets, and set-top-boxes.
• Operating System: the component that mediates all device resources; camera functions, GPS data, Bluetooth functions, telephony functions, network connections, etc. are accessed through the operating system.
• Mobile Application
OS countermeasures: rootkit detectors, process isolation, file permissions, memory protection.
Process isolation: Android uses the user-process isolation mechanisms inherited from Linux. Each application has a user associated with it, and a tuple (UID, GID). This approach serves as a sandbox: while applications can be malicious, they cannot get out of the sandbox; for example, it is impossible for a process to end the process of another user.
File permissions: from the legacy of Linux there are also filesystem permission mechanisms. They help with sandboxing: a process cannot edit any file it wants.
Memory protection: in the same way as on a computer, memory protection prevents privilege escalation. Indeed, if a process managed to reach the area allocated to other processes
• The OWASP Foundation came online on December 1st, 2001; it was established as a not-for-profit organization in the United States.
OWASP's projects cover many aspects of application security. We build documents, tools, teaching environments, guidelines, checklists, and other materials to help organizations improve their capability to produce secure code, focused on improving the security of software. Its mission is to make software security visible,
Security project maintained by OWASP; currently it focuses mainly on the iOS and Android mobile platforms.
• Insecure coding practices
• Attack vectors generally leading to the traditional OWASP Top 10
• Poor web-services hardening: weak authentication, weak or no session management, default content
• SQL Injection, CSRF, XSS etc.
• Use the mobile APP to attack the server
• Main rule of mobile apps: do not store data
• Local files on the device:
• Plist files (iOS)
• XML files
• Log files
• Insecure data permissions; example: Skype contact data permissions
TLS and SSL are cryptographic protocols that provide communication security over the Internet by encrypting the transport layer and authenticating the server side. Any request sent without HTTPS is vulnerable to information disclosure, data tampering, and server spoofing.
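As an added example (not code from the talk or from Security-Meter), the following Python client-side checks enforce the three properties above: an endpoint must be HTTPS, the TLS context must verify the server certificate and hostname (the "weak" context shows the setting that developers flip to silence certificate errors, which reintroduces server spoofing), and the presented leaf certificate is compared against a pinned SHA-256 digest. `SAMPLE_DER_CERT` is a constructed stand-in for the DER bytes a real client obtains from `getpeercert(binary_form=True)` after the handshake.

```python
import hashlib
import ssl
from urllib.parse import urlparse

# Constructed stand-in for a server's DER-encoded certificate; a real client
# reads the bytes from sock.getpeercert(binary_form=True) after the handshake.
SAMPLE_DER_CERT = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes-for-demo"
# Pin set shipped inside the app: SHA-256 of the certificate(s) we expect.
PINNED_CERT_SHA256 = {hashlib.sha256(SAMPLE_DER_CERT).hexdigest()}


def require_https(url: str) -> str:
    """Refuse to build a request to anything but an https:// endpoint."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"refusing plaintext or malformed endpoint: {url}")
    return url


def make_client_context() -> ssl.SSLContext:
    """Context that authenticates the server: CA verification plus hostname check."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off 'to make it work' in testing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE              # any certificate, any host: spoofable
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Gate a context before use so the weak configuration cannot ship by accident."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_matches_pin(der_cert: bytes, pins: set) -> bool:
    """Certificate pinning: compare the presented leaf certificate to the pinned digests."""
    return hashlib.sha256(der_cert).hexdigest() in pins


if __name__ == "__main__":
    print(context_is_safe(make_client_context()), context_is_safe(make_weak_context()))
    print(cert_matches_pin(SAMPLE_DER_CERT, PINNED_CERT_SHA256))
```

Pinning the whole certificate (rather than its public key) means the pin set must be rotated whenever the certificate is reissued, so ship at least one backup pin; the `context_is_safe` gate is the check worth wiring into a unit test so a disabled-verification context fails the build rather than reaching users.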
• Unintended data leakage occurs when a developer accidentally places sensitive data in a location on the mobile device that can be accessed by other apps or by physical access
Another case is during sensitive-data processing, which can result in that information being placed into an insecure location: URL caching (both request and response), keyboard press caching, copy/paste buffer caching, and logging.
• Example, insecure logs: some apps store their own logs inside the local folder. Logs can contain information such as important events (user login details, credit cards, passwords).
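The mitigation for the insecure-log case is to scrub secrets before a line ever reaches the log file. As an added example (not from the talk), the Python below redacts `password=`/`pin=`/`token=` style values and masks card numbers, using a Luhn check so that an unrelated 13-digit order id is left alone. The log lines are constructed for the demonstration.

```python
import re

# Constructed sample lines of the kind an app might write to its local log folder.
SAMPLE_LOG = [
    "2013-11-02 10:15:01 INFO login user=alice password=Hunter2! status=ok",
    "2013-11-02 10:16:44 INFO payment card=4111 1111 1111 1111 amount=19.99",
    "2013-11-02 10:17:09 DEBUG order id=1234567890123 shipped",
]

# key=value or key: value secrets that commonly end up in logs
SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|pin|token|authorization|secret)\b(\s*[=:]\s*)(\S+)"
)
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: "re.Match") -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                       # e.g. an order id: not a card, keep it
    return "*" * (len(digits) - 4) + digits[-4:]   # keep last four for support use


def redact(line: str) -> str:
    """Scrub one log line: credential values first, then card numbers."""
    line = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    return CARD_RE.sub(_mask_card, line)


def redact_all(lines) -> list:
    return [redact(l) for l in lines]


if __name__ == "__main__":
    for out in redact_all(SAMPLE_LOG):
        print(out)
```

Wire `redact` in as a logging filter or formatter so it runs on every record; scrubbing at write time is the only point where you still have the structured value and can decide what to keep (here, the last four digits).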
• The server code does not verify that the incoming request is associated with a known user, so an anonymous attacker can execute requests.
• Strong passwords are hard to enter on a mobile device, so short passwords (4-digit PINs) are often used.
Due to usability requirements, mobile apps allow passwords that are 4 digits long. Even if the server code correctly stores a hashed version of the password, an attacker can brute-force the original passwords using rainbow hash tables.
• Usage of a broken or risky cryptographic algorithm (RC2, MD4, SHA1, Base64)
• Encoding != Encryption
Configuration files or databases belonging to the app may contain the key. Many times the app does bad encryption: a hard-coded key is stored in the source code; the same key is used for all users; the key can be stolen by other apps due to bad permissions; the key is stored right next to the encrypted data; custom, easily defeated crypto implementations ("encraption"). Encrypting some data while storing the encryption key on the client side does not help much.
• what’s wrong with this code?
• Mobile malware or other malicious apps may perform a binary attack
• SQL Injection, XSS
JavaScript injection (XSS): usually the mobile browser has access to the mobile application's cookie, which can lead to session theft.
• Inter-Process Communication (IPC) mechanism: a unique aspect of the Android system design is that any application can start another application's component
DoS, CSRF, client injection, malicious app. In general, adhere to the following IPC design: the mobile application should restrict access to a white-list of trusted applications; sensitive actions that are triggered through IPC entry points should require user interaction before the action is performed; do not pass any sensitive information through IPC mechanisms.
• iOS: bypass via URL schemes
• Example: Skype iOS scheme handling issue
• Ensure that all session invalidation events are executed on the server side.
• Any mobile app you create must have timeout protection on the backend components.
Many developers invalidate sessions on the mobile app and not on the server side, leaving a major window of opportunity for attackers who are using HTTP manipulation tools. Server-side invalidation helps prevent the potential for an unauthorized user to gain access. Flow: the client authenticates with the backend server and gets a session cookie in response; the cookie is added to all requests sent to the server.
• Any mobile app can be analyzed, reverse-engineered, and modified. It is extremely common for apps to be deployed without binary protection.