Security Imperatives
for iOS and Android
Session #A5
8, April 2014
8:30am
Clinton Mugge and Gary Bahadur
Symosis Security
Copyright 2014 RBS CitizensDistributed by MIS Training Institute with permission of owner.
All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted by electronic, mechanical or any other means
without the prior written permission of MIS Training Institute and the respective owner of the copyright.
Trademarked product and company names mentioned in this publication are the property of their respective owners.ISW14040714
MIS Training Institute Session A5 - Slide 3© Symosis Security
Who are we?
Clinton Mugge
Application and Network Security Providers
20 Years in Info Sec – Security Assessments, Penetration Testing, Compliance & Training, Investigations, Incident Response
Free Mobile App Security / Training Evaluations
Gary Bahadur
20 Years in Info Sec – Compliance & Training, Security Assessments, Risk Assessments
Author of “Securing the Clicks” Network Security in the Age of Social Media
Free Risk Assessment Software “Razient”
MIS Training Institute Session A5 - Slide 4© Symosis Security
Agenda
Introduction
iOS / Android Apps Top Risks
Countermeasures
MIS Training Institute Session A5 - Slide 5© Symosis Security
Audience Poll
• What mobile OS do you mostly use?
• How many of you are involved with mobile security, privacy, audits?
• Any mobile developers / architects?
• Does your employer have mobile presence?
MIS Training Institute Session A5 - Slide 7© Symosis Security
What do Attackers Want?
Credentials - To your device, To external services (email, banking, etc)
Access to your device
Use your device (botnets, spamming), Steal trade secrets or other sensitive data
Personal Data - Full Name, SIN\SSN, address book data, location data
Cardholder Data - Card Numbers, Expiration, CVV
Health Data - Prescription information, medical records, procedure summary
Corporate Data - IP, Design Docs
MIS Training Institute Session A5 - Slide 8© Symosis Security
Security and Privacy Concerns
Side Channel Data Leakage
Insufficient Transport Layer Protection
Weak Server Side Controls
Insecure Data Storage
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions Via Untrusted Inputs
Broken Cryptography
Sensitive Information Disclosure
Hardcoded password/keys
Privacy compliance
Identity exposure
Activity monitoring and data retrieval
Unauthorized dialing, SMS, and payments
Unauthorized network connectivity (data exfiltration or command & control)
UI (unique identifier) impersonation
System modification (rootkit, APN proxy configuration)
Mobile Malware
Criminals Target and Infect App Stores
Social-Engineering
Geolocation compromise
Security Regulatory Compliance
Device Risk
Application management
Installation of un-verified / unsigned 3rd
party apps
MIS Training Institute Session A5 - Slide 9© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
MIS Training Institute Session A5 - Slide 10© Symosis Security
1. Side Channel Data Leakage
Data leakage via platform defaults, use of third party libraries, logging, etc
Property List Files
SnapShot (ie- iOS Backgrounding)
iOS logs
Sometimes result of programmatic flaws
MIS Training Institute Session A5 - Slide 11© Symosis Security
Demo 1: Snapshot File
Tools: iExplore, Reflection
Device: iPhone 5, IOS 6 latest version, iPhone 4, IOS 5
Snapshot –
TaxAct Mobile
TaxSlayer
MIS Training Institute Session A5 - Slide 13© Symosis Security
TaxSlayer Mobile Security Hole Snapshot
MIS Training Institute Session A5 - Slide 17© Symosis Security
Agenda
Introduction
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
MIS Training Institute Session A5 - Slide 18© Symosis Security
2. Insecure Transport/Server Controls
Failing to encrypt sensitive network traffic consisting of sensitive data
Insecure server controls - web, application and backend API - can lead to security compromise
MIS Training Institute Session A5 - Slide 19© Symosis Security
Demo 2: Insecure Transport
Tools: MITM Proxy, Reflection, Flixster
Insecure Transport – User ID, Movies Browsing, Home Area, Purchase Intent
MIS Training Institute Session A5 - Slide 21© Symosis Security
Unencrypted Cookies over HTTP Instagram iOS App
MIS Training Institute Session A5 - Slide 22© Symosis Security
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
MIS Training Institute Session A5 - Slide 23© Symosis Security
3. Insecure Data Storage
Locally stored data both on native and browser based apps that includes
SQLite
Sensitive Files
Cache Files
MIS Training Institute Session A5 - Slide 24© Symosis Security
Demo 3: local files
Tools: iExplore, Reflection
SQLite files – Runtastic, TaxSlayer, TaxAct, JacksonHewitt
Flat Files – Jackson Hewitt
Jackson Hewitt #JacksonHewitt /TaxSlayer #TaxSlayer
Tools: iExplorer
MIS Training Institute Session A5 - Slide 25© Symosis Security
Cached Credentials and tax data in the clear
MIS Training Institute Session A5 - Slide 26© Symosis Security
JacksonHewitt Tax Documents in the Clear
MIS Training Institute Session A5 - Slide 28© Symosis Security
Unencrypted Cache with Master Password in Keeper
MIS Training Institute Session A5 - Slide 29© Symosis Security
TOC
Mobile Platform Risks
Mobile Apps Top 3 Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
MIS Training Institute Session A5 - Slide 31© Symosis Security
Privacy Threat & Impact
UDID, Mac Address, Device ID
Location Training
Usage Tracking - Google, Flurry, Mobclix
Contacts Access & Sharing
Shares / Uploads Phone Number
3rd Party Connections – Facebook, twitter
MIS Training Institute Session A5 - Slide 32© Symosis Security
Path uploads your entire iPhone address book to its servers
MIS Training Institute Session A5 - Slide 33© Symosis Security
WhatsApp sends messages unencrypted over HTTP
MIS Training Institute Session A5 - Slide 34© Symosis Security
LinkedIn transmits confidential info insecurely
MIS Training Institute Session A5 - Slide 35© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
1. Disable side channel data leakage
2. Use HTTPS and secure IOS Safe methods
3. Insecure Data storage
4. Privacy
MIS Training Institute Session A5 - Slide 36© Symosis Security
Side Channel Data Leakage
Start by identifying all potential side channel data which includes
Plist files – Ensure no sensitive data is written
Disable Snapshots
Disable System / keystroke logs
Disable Web caches
Disable Cut-and-paste buffers
Clean up Core Data
Do not store sensitive data (e.g., credentials, tokens, PII) in property list files. Use iOS Keychain
MIS Training Institute Session A5 - Slide 37© Symosis Security
Encrypt Sensitive Data
Data Protection API - set the NSFileProtectionKey on an existing file
Keychain – Sensitive data like passwords and keys should be stored in the Keychain and not in insecure locations like plistfiles
CCCrypt & javax.crypto.* package for Android - provides access to AES, DES, 3DES
SQLCipher (IOS & Android) - transparent 256-bit AES encryption of database files
MIS Training Institute Session A5 - Slide 38© Symosis Security
Strategic Recommendations
Establish common set of security requirements. Perform periodic security scans and audits
Invest in security education for all stakeholders
Perform server side data validation and canonicalization
Define and deploy secure configuration
Do not log credentials, PII and other sensitive data
Design and implement all apps under the assumption that the user’s device will be lost or stolen
Review all third party libraries before use