85% of App Store Apps
Fail OWASP Mobile Top 10:
Are you exposed?
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
AGENDA & SPEAKERS
▪ Introduction
▪ Inside OWASP Mobile Top 10
▪ Large Scale Analysis of 3rd Party Apps
▪ Recommendations
▪ Q&A
Tony Ramirez
Mobile Security Analyst
MOBILE APPS ARE TRACKING YOU
[Two news headlines pictured: harvested geolocation data of app users; harvested geolocation data of military users]
DEEP MOBILE SECURITY EXPERTISE
Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
– Discovering critical vulns
– Identifying novel attack vectors
– Creating/maintaining renowned open-source mobile security tools/projects
[Pictured: books & speaking; open source projects]
The NowSecure Mission
▪ Save the world from unsafe mobile apps
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use
INSIDE THE MOBILE APP ATTACK SURFACE
[Attack surface diagram, four groups]

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ App signing key unprotected
▪ Code obfuscation
▪ JSON-RPC
▪ Configuration manipulation
▪ Automatic Reference Counting
▪ Escalated privileges
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Brute force attacks
▪ Confused deputy attack
▪ Side channel attacks
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ World readable files
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Platform vulnerabilities
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/PIN stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data

API BACKEND
▪ SQL injection
▪ Server misconfiguration
▪ Privilege escalation
▪ Cross-site scripting
▪ Data dumping
▪ Cross-site request forgery
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ Cross origin resource sharing
▪ VPN
(Diagram sub-labels also present: LEGACY, WAST)
Inside OWASP & OWASP Mobile Top 10
OWASP MOBILE TOP 10
2011: the OWASP group determined that mobile is different
• Mobile OS platforms vary widely
• Mobile apps differ from the traditional web app model due to wildly varying use cases and usage patterns
Must consider more than the “apps”
• Remote web services
• Platform integration (iCloud, GCM)
• Device (in)security considerations
Intended to be platform-agnostic
• Focused on areas of risk rather than individual vulnerabilities
• Weighted utilizing the OWASP Risk Rating Methodology
OWASP MOBILE TOP 10
M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls
M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text
M4 - Insecure Authentication: Improper identity mgmt, weak session mgmt
M5 - Insufficient Cryptography: Lack of crypto, improper crypto use
M6 - Insecure Authorization: Improper local auth, forced browsing
M7 - Client Code Quality: Code mistakes, e.g. buffer overflows, format string vulns
M8 - Code Tampering: Binary patching, method hooking/swizzling, memory mods
M9 - Reverse Engineering: Exposure to attacker reversing tools
M10 - Extraneous Functionality: Dev/QA inadvertently disabling security, hidden backdoors
Analysis of Mobile App Store Apps for OWASP Mobile Top 10
NOWSECURE APP STORE ANALYSIS ENGINE
[Architecture diagram pictured]
▪ NowSecure Automated Test Engine and test rigs: static analysis, dynamic analysis, behavioral analysis, NS DB
▪ NowSecure AUTOMATION Platform: continuous monitoring; Web GUI, API, EMM integration
▪ NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
INSIDE MOBILE APP RISK SCORING
▪ Industry standard CVSS scores
▪ Industry regulatory compliance
NOWSECURE APP STORE ANALYSIS PROJECT
● 45,000 public apps posted to Apple App Store and Google Play store
● Broad distribution of categories
RISKY APPS THAT YOU MIGHT BE USING
[App icons pictured, identified only by category]
▪ Popular business email
▪ Popular business CRM
▪ Popular team chat
▪ Popular business chat app
▪ Popular business travel app
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS [TOP 7]
M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls [50% Fail]
TESTING FOR RISK -- DATA AT REST
                               Android   iOS   Total
M2 - Insecure Data Storage       85%     16%    50%
▪ Local log/file data
• Account Credentials
• PII
• Email
• Geolocation
• IMEI/Serial Number
• WiFi
▪ World Writable Executables
• 52% of Android apps
▪ External storage
• Risk depends on your policy
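To make the data-at-rest findings above concrete, here is an added example in Python; it is not NowSecure's code and not the analysis engine described in this deck. It audits an app's private data directory for the two things the slide calls out: files and executables that are world-writable (any other app on the device can tamper with them), and credentials, e-mail addresses, IMEIs and coordinates written to local logs. The directory tree, file modes and log lines it scans are constructed inline so it runs offline, and the regular expressions are assumptions to be tuned per app.

```python
"""Data-at-rest audit of an app's private data directory: world-writable
files/executables and sensitive values written to local logs.
Constructed sample tree; not NowSecure's tooling."""
import os
import re
import stat
import tempfile

# Rough patterns for the leak categories on the slide (assumed; tune per app).
LEAK_PATTERNS = {
    "credential": re.compile(r"(?i)\b(password|passwd|pwd|token|secret)\b\s*[=:]\s*\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "imei": re.compile(r"\b\d{15}\b"),
    "geolocation": re.compile(r"-?\d{1,3}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
}


def scan_permissions(root):
    """Files writable by other users (mode & S_IWOTH). Executables are worse:
    another app on the device could replace code this app will run."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                kind = ("world-writable executable" if mode & stat.S_IXUSR
                        else "world-writable file")
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)


def scan_logs(root, suffixes=(".log", ".txt")):
    """(file, line number, category) for every log line matching a leak pattern."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in LEAK_PATTERNS.items():
                        if pattern.search(line):
                            findings.append((os.path.relpath(path, root), lineno, label))
    return sorted(findings)


def audit(root):
    return {"permissions": scan_permissions(root), "logs": scan_logs(root)}


def build_sample_tree():
    """Constructed stand-in for /data/data/<pkg>/ so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "files"))
    os.makedirs(os.path.join(root, "logs"))
    samples = [
        ("files/config.json", '{"api": "https://api.example.test"}\n', 0o666),
        ("files/updater.sh", "#!/bin/sh\necho update\n", 0o777),
        ("files/prefs.xml", "<map/>\n", 0o600),
        ("logs/app.log",
         "D/Login: password=hunter2 user=alice@example.test\n"
         "I/Net: request ok\n"
         "D/Device: imei=356938035643809 loc=41.8781,-87.6298\n", 0o600),
    ]
    for rel, content, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for category, items in audit(build_sample_tree()).items():
        print(category)
        for item in items:
            print("  ", *item)
```

On a real device the same two scans run over a pulled copy of the app sandbox (or, on Android, over `ls -l` output from `run-as`); the point is that both findings are decided by the app's own build, not by the OS, so they belong in a pre-release check rather than an after-the-fact one.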
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS [TOP 7]
M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text [48% Fail]
TESTING FOR RISK -- DATA IN MOTION
                               Android   iOS   Total
M3 - Insecure Communication      20%     76%    48%
▪ Assume that the network layer is not secure and is susceptible to eavesdropping
▪ Frequent lack of proper iOS ATS configuration and cross-platform SSL/TLS implementations
▪ Unencrypted data OTA
• Account Credentials
• PII
• Email
• Geolocation
• IMEI/Serial Number
▪ 30% of iOS apps use HTTP (not HTTPS)
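The ATS and cleartext points above come down to two files an app ships with, and both can be checked before release. The following is an added example in Python, not NowSecure's code: it audits an iOS Info.plist for App Transport Security exceptions and an Android network_security_config.xml for cleartext and user-CA trust, showing a weak configuration beside its corrected form. All four configurations are constructed for the example; the hostnames are placeholders.

```python
"""Transport-security config audit: iOS ATS (Info.plist) and Android
network_security_config.xml, weak form beside corrected form.
Constructed configs; not NowSecure's tooling."""
import plistlib
import xml.etree.ElementTree as ET


def audit_ats(info_plist):
    """Findings for an Info.plist (bytes, XML or binary) that weaken ATS."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: cleartext allowed in web views")
    for host, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: cleartext HTTP allowed")
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy not required")
    return findings


def audit_android_nsc(nsc_xml, target_sdk):
    """Findings for res/xml/network_security_config.xml (None if the app ships none)."""
    findings = []
    if not nsc_xml:
        # Without a config, cleartext is permitted by default below targetSdk 28.
        if target_sdk < 28:
            findings.append("no network_security_config and targetSdk < 28: cleartext permitted by default")
        return findings
    root = ET.fromstring(nsc_xml)
    configs = [("base-config", c) for c in root.findall("base-config")]
    configs += [("domain-config " + ", ".join(d.text for d in c.findall("domain")), c)
                for c in root.findall("domain-config")]
    for label, cfg in configs:
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{label}: cleartext traffic permitted")
        if cfg.find("trust-anchors/certificates[@src='user']") is not None:
            findings.append(f"{label}: user-installed CAs trusted (proxy MITM succeeds)")
    return findings


# Constructed samples. Weak: ATS off globally; Android allows cleartext and user CAs.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict><key>legacy.example.test</key>
      <dict><key>NSExceptionRequiresForwardSecrecy</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.test</domain>
  </domain-config>
</network-security-config>"""


if __name__ == "__main__":
    for name, result in [("weak plist", audit_ats(WEAK_PLIST)),
                         ("hardened plist", audit_ats(HARDENED_PLIST)),
                         ("weak nsc", audit_android_nsc(WEAK_NSC, 27)),
                         ("hardened nsc", audit_android_nsc(HARDENED_NSC, 28)),
                         ("no nsc, targetSdk 27", audit_android_nsc(None, 27))]:
        print(name, result or ["ok"])
```

A static check like this catches the declared policy only; an app can still bypass it with its own socket code or a custom TrustManager, which is why the dynamic test (proxying the device through an interception certificate) remains necessary.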
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS [TOP 7]
M4 - Insecure Authentication: Improper identity mgmt, weak session mgmt [5% Fail]
M5 - Insufficient Cryptography: Lack of crypto, improper crypto use
M6 - Insecure Authorization: Improper local auth, forced browsing [2% Fail]
M7 - Client Code Quality: Code mistakes, e.g. buffer overflows, format string vulns, 3rd party code [32% Fail]
TESTING FOR RISK -- CODE & 3rd PARTY
                               Android   iOS   Total
M7 - Client Code Quality         59%      4%    32%
▪ iOS apps fail this category far less often (4% vs. 59% for Android)
▪ Nearly all apps have 3rd party/OSS libraries
• Open source often untested/unvetted
• Inconsistent pattern of upgrading to the latest, more secure library versions
▪ Android app challenges
• 1465 apps with arbitrary code injection
• 1133 apps with SQL injection
• 112 apps with the debug flag on
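The SQL injection count above is a client-side finding: the app's own SQLite database, queried with a string built from attacker-reachable input (an Intent extra, a deep link, a content provider selection). The following is an added example, not NowSecure's code, that reproduces the pattern against an in-memory SQLite table and shows the parameterised fix beside it. The table, rows and payloads are constructed for the example.

```python
"""SQL injection through a string-built query against an app's SQLite
database, beside the parameterised fix. Constructed table; mirrors the
Android rawQuery("... '" + input + "'") pattern, not NowSecure's finding code."""
import sqlite3


def make_db():
    """In-memory stand-in for the app's SQLite file, with per-user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", [
        ("alice", "alice private note"),
        ("bob", "bob private note"),
        ("carol", "carol salary details"),
    ])
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Vulnerable: attacker-controlled text becomes part of the SQL grammar."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Fixed: the value travels as a bound parameter, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


# Constructed payloads: the first widens the WHERE clause, the second pulls
# every row through a UNION (sqlite3 refuses stacked statements; UNION still works).
TAUTOLOGY_PAYLOAD = "alice' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT owner || ':' || body FROM notes --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", notes_for_owner_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable:", notes_for_owner_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", notes_for_owner_safe(db, TAUTOLOGY_PAYLOAD))
```

The same rule applies to Android's `SQLiteDatabase.query()`/`rawQuery()` and to `ContentProvider.query()` selection strings: pass user input only through the `selectionArgs` array, never concatenated into the selection.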
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS [TOP 7]
M8 - Code Tampering: Binary patching, method hooking/swizzling, memory mods
M9 - Reverse Engineering: Exposure to attacker reversing tools [32% Fail]
M10 - Extraneous Functionality: Dev/QA inadvertently disabling security, hidden backdoors [47% Fail]
TESTING FOR RISK -- TAMPERING
                               Android   iOS   Total
M9 - Reverse Engineering         64%      0%    32%
M10 - Extraneous Functionality   92%      2%    47%
▪ Obfuscation insufficiently used by Android developers
▪ 90% of Android apps allow backup of data
▪ 1465 Android apps allow arbitrary code execution
TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS
▪ Risk dependent on your corporate policies
▪ Sample potentially risky permissions
• Contact list access
• Write external storage
• Calendar
• Send SMS
• NFC
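Three of the findings on the preceding slides (the debug flag in the code-quality results, the allowBackup flag in the tampering results, and the risky permissions listed just above) are all declared in one file, AndroidManifest.xml, so one check covers them. The following is an added example in Python, not NowSecure's code, that audits a decoded manifest for debuggable, allowBackup, exported components without a permission, and a policy list of permissions. The two manifests and the policy list are constructed for the example; the permission list simply mirrors the slide.

```python
"""AndroidManifest.xml audit for the build-time flags and permissions the
slides call out: debuggable, allowBackup, exported components, risky
permissions. Constructed manifests and policy list; not NowSecure's tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Namespaced attribute name, e.g. android:name."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Policy list assumed for this example: the permissions named on the slide.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.NFC": "NFC",
}


def is_launcher(component):
    return any(action.get(android("name")) == "android.intent.action.MAIN"
               for action in component.iter("action"))


def audit_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app.get(android("debuggable")) == "true":
        findings.append("android:debuggable=true (run-as and debugger access to app data)")
    if app.get(android("allowBackup"), "true") == "true":
        findings.append("android:allowBackup not disabled (adb backup exports app data)")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = comp.get(android("exported"))
            if exported is None:
                # Simplification: implicit export when an intent-filter is present
                # (provider defaults depend on targetSdk).
                exported = "true" if comp.find("intent-filter") is not None else "false"
            if exported == "true" and comp.get(android("permission")) is None \
                    and not is_launcher(comp):
                findings.append(f"exported {tag} without permission: {comp.get(android('name'))}")
    for perm in root.findall("uses-permission"):
        name = perm.get(android("name"))
        if name in RISKY_PERMISSIONS:
            findings.append(f"{RISKY_PERMISSIONS[name]}: {name}")
    return findings


WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.sample.notes" android:exported="true"/>
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="false">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="false"/>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.sample.notes" android:exported="true"
        android:permission="com.example.sample.permission.NOTES"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or ["ok"])
```

The manifest inside a store APK is binary XML, so decode it first (apktool or `aapt dump xmltree`) and feed the text form to the audit. Treat the allowBackup default as a finding: the attribute is true unless the developer set it to false.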
TESTING FOR RISK -- IP ADDRESSES
▪ Risk dependent on your corporate policies
▪ 3rd party libraries and SDKs are common culprits
• Ad networks frequently uniquely identify users and geo-locate them insecurely
▪ Apps frequently have 100s of connections (the one pictured had 250)
OWASP MOBILE TOP 10
M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls [50% Fail]
M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text [48% Fail]
M4 - Insecure Authentication: Improper identity mgmt, weak session mgmt [5% Fail]
M5 - Insufficient Cryptography: Lack of crypto, improper crypto use
M6 - Insecure Authorization: Improper local auth, forced browsing [2% Fail]
M7 - Client Code Quality: Code mistakes, e.g. buffer overflows, format string vulns [32% Fail]
M8 - Code Tampering: Binary patching, method hooking/swizzling, memory mods
M9 - Reverse Engineering: Exposure to attacker reversing tools [32% Fail]
M10 - Extraneous Functionality: Dev/QA inadvertently disabling security, hidden backdoors [47% Fail]
Recommendations & Next Steps
BEST PRACTICES RECOMMENDATIONS

FOR ENTERPRISES
1. Recognize the risks of 3rd party apps on BYOD and COPE devices
   ■ Assume all are untrusted until validated, no matter who the developer
2. Put controls and processes in place to analyze and monitor 3rd party app risk
   ■ Inventory & analyze your existing mobile apps leveraging EMM/MDM
   ■ Adapt processes to review and approve all new mobile apps before introduction
   ■ Leverage automated tools for in-depth testing and continuous monitoring

FOR APP DEVELOPERS
1. Train developers on secure coding best practices & fully vet 3rd party libraries
   ■ Leverage the NowSecure Guide to Secure Mobile App Development Best Practices
2. Ensure all mobile app releases are properly security pen tested
   ■ Leverage automated mobile appsec testing tools in the SDLC
   ■ Leverage 3rd party expert mobile app pen testing

3. Find a reputable source to stay up to date on the latest threats
   ■ Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
   ■ Read our blog at www.nowsecure.com/blog
GET A FREE MOBILE APP SECURITY REPORT
▪ Free for OWASP Members
▪ Delivered by NowSecure Mobile App Security Experts
▪ Choose a 3rd Party Mobile app used in your business
▪ Surf to request: http://bit.ly/2BB8sAk
NOWSECURE COMING ATTRACTIONS
WEBINAR: “Top OSS for Mobile AppSec Testing: The Latest on R2 & FRIDA”
Delivered by the creators of R2 & FRIDA from the NowSecure Research Team
Tomorrow: Weds Feb 21, 2018
Register Now: https://www.nowsecure.com/events/
RSA 2018
April 16-20, 2018
Meet us at booth 3229 (North Expo) in San Francisco, CA!
Open Q&A
Tony Ramirez, Security Analyst
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe