InfoSec World 2014 Security Imperatives for IOS and Android

Security Imperatives

for iOS and Android

Session #A5

8 April 2014

8:30am

Clinton Mugge and Gary Bahadur

Symosis Security

Copyright 2014 RBS Citizens. Distributed by MIS Training Institute with permission of owner.

All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted by electronic, mechanical or any other means without the prior written permission of MIS Training Institute and the respective owner of the copyright.

Trademarked product and company names mentioned in this publication are the property of their respective owners.

ISW14040714

MIS Training Institute Session A5 - Slide 3© Symosis Security

Who are we?

Clinton Mugge

Application and Network Security Providers

20 Years in Info Sec – Security Assessments, Penetration Testing, Compliance & Training, Investigations, Incident Response

Free Mobile App Security / Training Evaluations

Gary Bahadur

20 Years in Info Sec – Compliance & Training, Security Assessments, Risk Assessments

Author of “Securing the Clicks: Network Security in the Age of Social Media”

Free Risk Assessment Software “Razient”

Agenda

Introduction

iOS / Android Apps Top Risks

Countermeasures

Audience Poll

• What mobile OS do you mostly use?

• How many of you are involved with mobile security, privacy, audits?

• Any mobile developers / architects?

• Does your employer have mobile presence?

There is an App for that!

What do Attackers Want?

Credentials - to your device, to external services (email, banking, etc.)

Access to your device - use your device (botnets, spamming), steal trade secrets or other sensitive data

Personal Data - full name, SIN/SSN, address book data, location data

Cardholder Data - card numbers, expiration, CVV

Health Data - prescription information, medical records, procedure summary

Corporate Data - IP, design docs

Security and Privacy Concerns

Side Channel Data Leakage

Insufficient Transport Layer Protection

Weak Server Side Controls

Insecure Data Storage

Client Side Injection

Poor Authorization and Authentication

Improper Session Handling

Security Decisions Via Untrusted Inputs

Broken Cryptography

Sensitive Information Disclosure

Hardcoded passwords/keys

Privacy compliance

Identity exposure

Activity monitoring and data retrieval

Unauthorized dialing, SMS, and payments

Unauthorized network connectivity (data exfiltration or command & control)

UI (unique identifier) impersonation

System modification (rootkit, APN proxy configuration)

Mobile Malware

Criminals Target and Infect App Stores

Social engineering

Geolocation compromise

Security Regulatory Compliance

Device Risk

Application management

Installation of unverified / unsigned 3rd party apps

Agenda

Introduction

Mobile Apps Top Risks

1. Side Channel Leakage

2. Insecure Transport / Server Controls

3. Insecure Data Storage

4. Privacy

Countermeasures

1. Side Channel Data Leakage

Data leakage via platform defaults, use of third party libraries, logging, etc.

Property list (plist) files

Snapshot (i.e. the image iOS captures on backgrounding)

iOS logs

Sometimes the result of programmatic flaws

Demo 1: Snapshot File

Tools: iExplorer, Reflection

Device: iPhone 5, iOS 6 latest version; iPhone 4, iOS 5

Snapshot – TaxAct Mobile, TaxSlayer

TaxAct Mobile Security Hole Snapshot

TaxSlayer Mobile Security Hole Snapshot

TaxAct Response

LinkedIn Plist identity theft

Agenda

Introduction

Mobile Apps Top 3 Risks

1. Side Channel Leakage

2. Insecure Transport / Server Controls

3. Insecure Data Storage

4. Privacy

Countermeasures

2. Insecure Transport / Server Controls

Failing to encrypt network traffic that carries sensitive data

Insecure server-side controls (web, application and backend API) can lead to compromise
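The countermeasure the deck names for this risk is HTTPS. As an added example that is not code from the deck, the Objective-C NSURLSession delegate below (iOS 7 and later) refuses to build non-HTTPS requests, refuses redirects that leave HTTPS, and accepts a server only when the system's chain validation passes and the presented leaf certificate matches a copy shipped in the app bundle. The bundled file name api.cer and the class name are assumptions.

```objc
// Added example (not from the Symosis deck): HTTPS-only NSURLSession with
// certificate pinning. "api.cer" is an assumed bundle resource.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate, NSURLSessionTaskDelegate>
@end

@implementation PinnedSessionDelegate

// Ephemeral configuration: nothing (cookies, credentials, cache) is persisted to disk.
+ (NSURLSession *)pinnedSession {
    NSURLSessionConfiguration *cfg = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    return [NSURLSession sessionWithConfiguration:cfg
                                          delegate:[PinnedSessionDelegate new]
                                     delegateQueue:nil];
}

// Only https URLs become requests, so a mistyped scheme cannot downgrade the connection.
+ (NSURLRequest *)requestForURLString:(NSString *)urlString {
    NSURL *url = [NSURL URLWithString:urlString];
    if (![url.scheme.lowercaseString isEqualToString:@"https"]) {
        return nil;
    }
    return [NSURLRequest requestWithURL:url];
}

// A server-supplied redirect to http is refused (nil cancels the redirect).
- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
willPerformHTTPRedirection:(NSHTTPURLResponse *)response
        newRequest:(NSURLRequest *)request
 completionHandler:(void (^)(NSURLRequest *))completionHandler {
    BOOL stillHTTPS = [request.URL.scheme.lowercaseString isEqualToString:@"https"];
    completionHandler(stillHTTPS ? request : nil);
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    // Step 1: the normal chain validation (expiry, hostname, trusted root).
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainOK = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // Step 2: pin the leaf to the bundled copy. A certificate that chains to any
    // other root the device happens to trust (for example an interception
    // proxy's root) passes step 1 but fails here.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *presented = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        NSString *path = [[NSBundle mainBundle] pathForResource:@"api" ofType:@"cer"];
        NSData *pinned = [NSData dataWithContentsOfFile:path];
        pinOK = (pinned != nil) && [presented isEqualToData:pinned];
    }

    if (pinOK) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Pinning the leaf means a certificate rotation on the server requires an app update, so ship the next certificate in the bundle ahead of time (or pin the public key instead) and treat a pin failure as a hard error rather than something the user can click through.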

Demo 2: Insecure Transport

Tools: MITM Proxy, Reflection. App: Flixster

Insecure transport – user ID, movie browsing, home area, purchase intent

Credentials sent over HTTP (iOS app)

Unencrypted cookies over HTTP (Instagram iOS app)

TOC

Mobile Platform Risks

Mobile Apps Top 3 Risks

1. Side Channel Leakage

2. Insecure Transport / Server Controls

3. Insecure Data Storage

4. Privacy

Countermeasures

3. Insecure Data Storage

Locally stored data in both native and browser-based apps, including:

SQLite databases

Sensitive files

Cache files

Demo 3: Local Files

Tools: iExplorer, Reflection

SQLite files – Runtastic, TaxSlayer, TaxAct, JacksonHewitt

Flat files – Jackson Hewitt

Jackson Hewitt #JacksonHewitt / TaxSlayer #TaxSlayer

Cached Credentials and tax data in the clear

JacksonHewitt Tax Documents in the Clear

JacksonHewitt Responses

Unencrypted Cache with Master Password in Keeper

4. Privacy

Privacy Threat & Impact

UDID, MAC address, device ID

Location tracking

Usage tracking - Google, Flurry, Mobclix

Contacts access & sharing

Shares / uploads phone number

3rd party connections – Facebook, Twitter

Path uploads your entire iPhone address book to its servers

WhatsApp sends messages unencrypted over HTTP

LinkedIn transmits confidential info insecurely

Agenda

Introduction

Mobile Apps Top Risks

Countermeasures

1. Disable side channel data leakage

2. Use HTTPS and secure iOS-safe methods

3. Insecure Data storage

4. Privacy

Side Channel Data Leakage

Start by identifying all potential side channel data, which includes:

Plist files – ensure no sensitive data is written

Disable snapshots

Disable system / keystroke logs

Disable web caches

Disable cut-and-paste buffers

Clean up Core Data

Do not store sensitive data (e.g., credentials, tokens, PII) in property list files. Use the iOS Keychain instead.
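As an added example (not code from the Symosis deck), here is how an iOS app delegate in Objective-C can apply most of the countermeasures above in one place: an opaque cover so the background snapshot shows nothing sensitive, an emptied pasteboard, a zero-capacity NSURLCache, autocorrect and spell-check turned off on sensitive fields, and removal of a legacy value from NSUserDefaults (which is itself a plist under Library/Preferences). The class name, the cover view and the preference key "session_token" are hypothetical.

```objc
// Added example (not from the Symosis deck): an iOS app delegate applying the
// side channel countermeasures listed above. Names are hypothetical.
#import <UIKit/UIKit.h>

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *privacyCover;   // opaque view shown while not active
@end

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application
    didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Web caches: a zero-capacity shared NSURLCache means responses fetched by
    // UIWebView / NSURLConnection are not written to Library/Caches, where a
    // file browser such as the iExplorer used in the demos can read them.
    NSURLCache *noCache = [[NSURLCache alloc] initWithMemoryCapacity:0
                                                        diskCapacity:0
                                                            diskPath:nil];
    [NSURLCache setSharedURLCache:noCache];

    // Plist files: NSUserDefaults is a plist. Remove any value an older build
    // stored there; the Keychain is the right home for it. Hypothetical key name.
    [[NSUserDefaults standardUserDefaults] removeObjectForKey:@"session_token"];
    [[NSUserDefaults standardUserDefaults] synchronize];
    return YES;
}

// Snapshots: iOS captures the screen when the app leaves the foreground and
// keeps the image under Library/Caches/Snapshots for the app switcher.
// Covering the window first means the stored image shows only the cover.
- (void)applicationWillResignActive:(UIApplication *)application {
    if (!self.privacyCover) {
        self.privacyCover = [[UIView alloc] initWithFrame:self.window.bounds];
        self.privacyCover.backgroundColor = [UIColor whiteColor];
    }
    [self.window addSubview:self.privacyCover];
    [self.window bringSubviewToFront:self.privacyCover];
}

- (void)applicationDidEnterBackground:(UIApplication *)application {
    // iOS 7 additionally lets the app tell the system not to reuse the
    // snapshot as the launch image next time.
    if ([application respondsToSelector:@selector(ignoreSnapshotOnNextApplicationLaunch)]) {
        [application ignoreSnapshotOnNextApplicationLaunch];
    }
    // Cut-and-paste buffer: the general pasteboard is shared with every other
    // app, so clear anything copied from a sensitive screen.
    [UIPasteboard generalPasteboard].items = @[];
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.privacyCover removeFromSuperview];
}

// Keystroke logs: autocorrect and spell-check feed typed words into the
// keyboard dictionary cache. Turn them off on sensitive fields;
// secureTextEntry suppresses that caching entirely for password fields.
+ (void)hardenSensitiveField:(UITextField *)field isSecret:(BOOL)isSecret {
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.spellCheckingType  = UITextSpellCheckingTypeNo;
    field.secureTextEntry    = isSecret;
}

@end
```

"Clean up Core Data" is not shown because it depends on the app's own model: the same rule applies, sensitive attributes either stay out of the persistent store or the store file itself gets the file protection described on the next slide.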

Encrypt Sensitive Data

Data Protection API – set the NSFileProtectionKey attribute on an existing file

Keychain – sensitive data like passwords and keys should be stored in the Keychain and not in insecure locations like plist files

CCCrypt (iOS) and the javax.crypto.* package (Android) – provide access to AES, DES, 3DES

SQLCipher (iOS & Android) – transparent 256-bit AES encryption of database files
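Putting the three iOS items above together, as an added example rather than code from the deck: an Objective-C routine that keeps an AES-256 key in the Keychain (never in a plist), encrypts a record with CCCrypt, and writes the ciphertext with NSFileProtectionComplete, plus the NSFileProtectionKey call for a file that already exists. The service and account strings, the function names and the file path are hypothetical.

```objc
// Added example (not from the Symosis deck): Keychain-held AES-256 key,
// CCCrypt encryption, file written with NSFileProtectionComplete.
// Service/account strings and function names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCryptor.h>

static NSString *const kKeyService = @"com.example.taxapp";   // hypothetical
static NSString *const kKeyAccount = @"records-aes-key";       // hypothetical

// Returns the 32-byte data key, generating and storing it on first use.
// WhenUnlockedThisDeviceOnly: readable only while the device is unlocked and
// never restored onto another device from a backup.
static NSData *DataKey(void) {
    NSDictionary *query = @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
                             (__bridge id)kSecAttrService: kKeyService,
                             (__bridge id)kSecAttrAccount: kKeyAccount,
                             (__bridge id)kSecReturnData:  @YES };
    CFTypeRef found = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &found) == errSecSuccess) {
        return (__bridge_transfer NSData *)found;
    }
    uint8_t raw[kCCKeySizeAES256];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(raw), raw) != 0) return nil;
    NSData *key = [NSData dataWithBytes:raw length:sizeof(raw)];
    NSDictionary *add = @{ (__bridge id)kSecClass:          (__bridge id)kSecClassGenericPassword,
                           (__bridge id)kSecAttrService:    kKeyService,
                           (__bridge id)kSecAttrAccount:    kKeyAccount,
                           (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                           (__bridge id)kSecValueData:      key };
    return (SecItemAdd((__bridge CFDictionaryRef)add, NULL) == errSecSuccess) ? key : nil;
}

// AES-256-CBC with PKCS7 padding; a fresh random IV is prepended to the output.
static NSData *EncryptRecord(NSData *plain, NSData *key) {
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(iv), iv) != 0) return nil;
    size_t capacity = plain.length + kCCBlockSizeAES128;   // room for padding
    size_t moved = 0;
    NSMutableData *out = [NSMutableData dataWithLength:sizeof(iv) + capacity];
    memcpy(out.mutableBytes, iv, sizeof(iv));
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv,
                                 plain.bytes, plain.length,
                                 (uint8_t *)out.mutableBytes + sizeof(iv), capacity, &moved);
    if (st != kCCSuccess) return nil;
    out.length = sizeof(iv) + moved;
    return out;
}

// Encrypts and writes the record. NSDataWritingFileProtectionComplete applies
// NSFileProtectionComplete at creation, so the file never exists unprotected;
// iOS discards the per-file key whenever the device locks.
BOOL SaveSensitiveRecord(NSData *record, NSString *path) {
    NSData *key = DataKey();
    NSData *blob = key ? EncryptRecord(record, key) : nil;
    if (!blob) return NO;
    return [blob writeToFile:path
                     options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                       error:NULL];
}

// For a file that already exists (the slide's case), set the attribute directly.
BOOL ProtectExistingFile(NSString *path) {
    return [[NSFileManager defaultManager]
            setAttributes:@{ NSFileProtectionKey : NSFileProtectionComplete }
             ofItemAtPath:path
                    error:NULL];
}
```

CBC gives confidentiality only. If someone with access to the file could also modify it, append an HMAC over IV and ciphertext under a second Keychain-held key and verify it before decrypting. For SQLite data the same outcome comes with less code from SQLCipher, which the slide also lists.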

Strategic Recommendations

Establish a common set of security requirements. Perform periodic security scans and audits

Invest in security education for all stakeholders

Perform server side data validation and canonicalization

Define and deploy secure configuration

Do not log credentials, PII and other sensitive data

Design and implement all apps under the assumption that the user’s device will be lost or stolen

Review all third party libraries before use

PLEASE REMEMBER TO FILL OUT THE SESSION EVALUATIONS.

THANK YOU!