Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016

(LEAKED) MOBILE APPLICATION DATA PRIVACY YURY CHEMERKIN SECURITY EXPERT RESEARCHER

Transcript of Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016

Page 1

(LEAKED) MOBILE APPLICATION DATA PRIVACY

YURY CHEMERKIN, SECURITY EXPERT RESEARCHER

Page 2

[ AGENDA ]

• Intro
• Similar public researchers
• Related/Previous work
• Current results
• Final thoughts

Page 3

UNTRUSTED PLACES

• Untrusted chargeable places.
  • When you connect your device to them you will see a notification that you plugged into a PC/Mac
• Untrusted network places.
  • When you connect your device to them:
    • You will see nothing
    • You will see a question about an untrusted certificate. You accept or decline it
    • Someone makes you install a trusted certificate

Page 4

UNTRUSTED PLACES

[Screenshots: "Free WiFi Network" and "Prepaid WiFi Network" captive portals, each with a "Look here" callout]

Page 5

[Screenshot]

Page 6

[Screenshot]

Page 7

PROBLEM. WHAT/WHO MAKES US INSECURE?

• Are we revealing everything about ourselves everywhere?
  • Perhaps
• Don't we know anything about security and privacy?
  • Perhaps
• Aren't app developers responsible for security fails?
  • Who said they're not? They are!
  • They only prefer not to tell about it

Page 8

ITR RESEARCH RESULTS. WHY CONSUMERS UNINSTALLED MOBILE APPS

[Chart from https://www.itr.co.uk/mobile-app/ with a "Look Here" callout]

Page 9

HOW MUCH DOES YOUR SECURITY COST?

• Non-Special 'Home' Software
  • Macroplant Software - $35-70 (home), $200-2500 (enterprise)
  • XK72 Software - $50 per license or $400-700 per bundle
  • PortSwigger - $300 per year
  • … and so on
  • Also, a cracked edition is available (no difference whether pirated or bought)
• Special 'Forensics' Software
  • Elcomsoft Breakers - $80 (home, you have to know your password), $200 (pro – you don't have to know it), $800 – bundle
  • Elcomsoft Bundles - $1 500 – 2 500
  • Oxygen Software – at least twice as expensive
  • … and so on
  • Also, a cracked edition is available for some old editions (better to buy the new edition)

Page 10

OXYGEN FORENSIC® DETECTIVE

• Oxygen Forensic® Detective introduces offline maps and a new physical approach for Samsung Android devices!
• The updated version offers a new physical method for Samsung Android OS devices via custom forensic recovery. This innovative approach allows bypassing the screen lock and extracting a full physical image of supported Samsung devices.
• This innovative approach = root, steal data, deroot
• http://www.oxygen-forensic.com/en/events/news/666-oxygen-forensic-detective-introduces-offline-maps-and-new-physical-approach-for-samsung-android-devices

Page 11

FACTS ABOUT APP INSECURITY

• At first glance, the VK Music app only displayed legitimate functionality – it played audio files uploaded to the social network. But further study showed that it also contained malicious code designed to steal VKontakte user accounts and promote certain groups on the social network.
  • https://securelist.com/blog/incidents/72458/stealing-to-the-sound-of-music/
• "In Russia, users' phone numbers, logins and passwords will be kept. We do not store messages; they are on the users' devices," a Moscow representative of the company Viber said. According to the company's lawyers, messengers also fall under the law which requires storing the personal data of Russians on servers located in the territory of the country.
  • http://appleapple.top/viber-moved-their-servers-to-russia/

Page 12

FACTS ABOUT APP INSECURITY

• InstaAgent, an app that connects to Instagram and promises to track the people that have visited a user's Instagram account, appears to be storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.
• An app developer from Peppersoft downloaded InstaAgent -- full name "Who Viewed Your Profile - InstaAgent" -- and discovered it's reading Instagram account usernames and passwords, sending them via clear text to a remote server - instagram.zunamedia.com.
  • http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/

Page 13

FACTS ABOUT APP INSECURITY

• Researchers find data leaks in Instagram, Grindr, OoVoo and more. The problems include storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext on the device, sending passwords in plaintext…
  • http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more
• Another Popular Android Application, Another Leak. We have found that another popular Google play app, "Camera360 Ultimate," not only enhances the users' photos but also inadvertently leaks sensitive data, which gives malicious parties unauthorized access to users' Camera360 Cloud accounts and photos.
  • https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html

Page 14

WHAT COMPANIES THINK ABOUT 'QUOTES' AND INSECURITY

• Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet.
  • They did it but it's still affected by MITM attacks
• "Message data is stored in an unencrypted format because the operating systems (both iOS and Android) provide data isolation that prevents apps from having their storage read by other apps. This is considered standard in the industry, and is completely safe," Kik said.
  • Standard… it's safe… just ROFL… and did you know there is a way to root a device without the owner's knowledge?

Page 15

WHAT COMPANIES THINK ABOUT 'QUOTES' AND INSECURITY

• SECURITY is core at 4Talk. Starting from secure phone number registration, to interaction only with confirmed personal contacts, to fully managing your account from any device you use.
  • Y2014: wasn't protected at all
  • Y2015: Protected for Windows in-rest & in-transit, prevents MITM
  • Y2015-2016: Protected for Android in-transit only, prevents MITM
    • This app hasn't got a PROXY FEATURE (!) So fun protection
  • Y2015: Not protected at all for Mac
  • Y2016: Network is protected (thanks Apple) for Mac
  • Y2015-2016: Not protected for iOS and Mac OS at all
• Data Leakage is data that becomes available when you perform typical activities. A Vulnerability, instead, is a weakness of a program. Thus, Vulnerability ≠ Data Leakage, because there is no weakness in normal activities…
  • Average security support answer in regards to a fail. Just spend a small amount of money ($$) to steal the user data with fake networks in public places!

Page 16

WHAT COMPANIES THINK ABOUT 'QUOTES' AND INSECURITY

• In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption.
  • http://appleinsider.com/articles/15/10/20/1password-to-change-file-formats-after-key-file-found-to-contain-unencrypted-data
• If you browse to your .agilekeychain "file" on disk, you find that it is actually a directory. Inside this directory is a file named "1Password.html".
  • http://timedoctor.org/2015/10/misleading-headlines-popularity-rises-200/

Page 17

PREVIOUS RESEARCH

• I did much research on mobile and app security.
• The first of it was about something in between OS and Apps – BlackBerry, Android. It was published and presented around the world
• 2013-2015 Research
  • Cross-OS apps - protection concepts, OS specifics per concept, outlines & remediation, EMM specifics
  • "We know Twitter & Dropbox are better secured than bank apps!"
  • http://www.slideshare.net/EC-Council/hh-yury-chemerkin
  • http://defcamp.ro/dc14/Yury_Chemerkin.pdf
• In 2014 the presented results covered ~700 apps
• Also in 2015
  • http://def.camp/wp-content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
  • In 2015 the presented results covered ~700 apps
• 2016 Current results: the most interesting cases (all updated prior to the event)

Page 18

SPECIAL PART FOR DEFCAMP 2015. LAST MINUTE RESEARCH

• Everyone got a booklet-guide. It had short info about trusted taxi companies.
• Meridian – no in-app payment features, stores & transmits everything in plaintext
  • Account, Local'n'Maps, and Device Information
• SpeedTaxi – no in-app payment features, stores & transmits everything in plaintext. Some issues with a server
  • Account, Local'n'Maps, Device and Message Information
• Cobalcescu – no in-app payment features, stores & transmits everything in plaintext. Some issues with a server
  • Account and Travel Information

Page 19

PRETTY INTERESTING SECURITY AND PRIVACY FAILS

HOW TO FAIL WITH HTTPS

• Be any app like [ AirCanada ] and send information about device and environment
• Be a news/social app like [ Anews/Flipboard ] and send everything in plaintext via http
• Be a storage app like [ Asus WebStorage ] and send credentials in plaintext
  • (also fail with an old hash algorithm, see next slides)
• Be a travel app like [ AviaSales / Momondo ], send everything in plaintext and rely on a 3rd party server for MITM protection
• Be a storage app like [ Box ], prevent MITM but fail and reveal credentials to the MITM tool
• Be a taxi app like [ Gett / MaximTaxi ] and send everything in plaintext, also fail with MITM protection of my credit card
• Be a hotel app like [ Hotels.ru ] and fail everywhere, even sending a password in a mail body in plaintext
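The slide is about what an interception proxy on an untrusted network would record for each app. The following is an added example, not code from the talk or from any of the apps named: it runs that check over a constructed capture, flags request bodies that carry a password, a card number (checked with the Luhn formula), a CVV or a session token, and rates each hit the way the talk's scale does, plaintext HTTP as "Plaintext" and HTTPS as "Medium" (an assumption here: an encrypted transport is only as strong as the app's own certificate checks, which a capture alone cannot show). Hosts, paths and bodies are made up for the demonstration.

```python
"""
Added example: rate what a traffic-inspection proxy sees per request.
Constructed capture; not real traffic from any app on the slide.
"""
import json
import re
from urllib.parse import parse_qs

SAMPLE_CAPTURE = [  # constructed sample, hosts and bodies are fictitious
    {"scheme": "http",  "host": "news.example",    "path": "/api/login",
     "body": "login=alice&password=Sup3r!"},
    {"scheme": "https", "host": "taxi.example",    "path": "/pay",
     "body": '{"card": "4111111111111111", "cvv": "123", "amount": "350"}'},
    {"scheme": "https", "host": "storage.example", "path": "/sync",
     "body": '{"token": "opaque-session-id", "files": 12}'},
    {"scheme": "https", "host": "weather.example", "path": "/forecast",
     "body": "city=Moscow"},
]

PAN_RE = re.compile(r"\b\d{13,19}\b")            # candidate card numbers
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd"}
CVV_KEYS = {"cvv", "cvv2", "cvc"}
TOKEN_KEYS = {"token", "access_token", "session", "secret"}


def luhn_ok(number):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def body_fields(body):
    """Flatten a form-encoded or one-level JSON body into lower-cased key -> string."""
    body = body.strip()
    if body.startswith("{"):
        try:
            obj = json.loads(body)
        except ValueError:
            return {}
        if not isinstance(obj, dict):
            return {}
        return {str(k).lower(): str(v) for k, v in obj.items()}
    return {k.lower(): v[0] for k, v in parse_qs(body).items()}


def sensitive_items(body):
    """Sorted names of the sensitive things present in one request body."""
    found = set()
    for key, value in body_fields(body).items():
        if not value:
            continue
        if key in PASSWORD_KEYS:
            found.add("password")
        elif key in CVV_KEYS:
            found.add("cvv")
        elif key in TOKEN_KEYS:
            found.add("token")
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(body)):
        found.add("card-number")
    return sorted(found)


def assess(capture):
    """(endpoint, rating, items) for every request that exposes something to the proxy.

    Rating follows the talk's scale: plaintext HTTP is 'Plaintext'; HTTPS is
    assumed 'Medium', since a capture cannot tell whether the app would also
    accept a fake root certificate.
    """
    report = []
    for req in capture:
        items = sensitive_items(req["body"])
        if not items:
            continue
        rating = "Plaintext" if req["scheme"] == "http" else "Medium"
        report.append((req["host"] + req["path"], rating, items))
    return report


if __name__ == "__main__":
    for endpoint, rating, items in assess(SAMPLE_CAPTURE):
        print(f"{rating:9} {endpoint}: {', '.join(items)}")
```

The weather request carries nothing sensitive and is left out of the report; the card request is reported even though it travels over HTTPS, which is exactly the "prevent MITM but fail" case the slide lists.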

Page 20

UNTRUSTED PLACES. KINVEY IS A BACKEND FOR STORING FILES & USER ACCOUNTS

[Screenshot with callouts 1 and 2] We're already MITMing the network

Page 21

UNTRUSTED PLACES. KINVEY. ADMIN IS LOGGING IN TO KINVEY CONSOLE

[Screenshot]

Page 22

UNTRUSTED PLACES. KINVEY. APP IS LOGGING IN & DOWNLOADING FILES

[Screenshot] Here we know the download URLs. App is logging in to console

Page 23

PROTECTION LEVELS.

• Some of the 10 levels we're using (0…9)
  • 0 – plaintext (stored as is and with 777 access, or transferred as is)
  • 2 – weak (shared w/o dev. permission, MITM w/o root fake cert)
  • 4 – medium (shared with dev. permission, MITM with root fake cert)
  • 5 – cached data
  • 6 – protected (looks good but can be patched)
  • 7 – strongly protected (can't be patched or bypassed, or at least incredibly hard)
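Level 0 on this scale is the one that can be checked from the file system alone: a secret stored as is in a file that any local user can read or write. The following is an added example, not the talk's own tooling: it walks a directory the way an auditor would walk an app's private data directory, reports for each file whether "other" users have read/write access and whether the first bytes contain a credential-looking field, and lists the files meeting both criteria. The directory, file names and contents are constructed here for the demonstration; the regex is a deliberately rough sniff, and the higher levels (which depend on runtime and MITM behaviour) are out of scope for a static look like this.

```python
"""
Added example: find level-0 files (plaintext secret with world-accessible
permissions) under an app data directory. Sample tree is constructed.
"""
import os
import re
import stat
import tempfile

# "Other" read or write bit set means any local user or process can get at it.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH
# Rough credential sniff over the file head; tune for the app under review.
SECRET_RE = re.compile(rb"(?i)\b(password|passwd|pwd|token|cvv)\b")


def world_accessible(path):
    """True if any 'other' read/write permission bit is set on path."""
    return bool(os.stat(path).st_mode & WORLD_BITS)


def looks_like_plaintext_secret(path, limit=64 * 1024):
    """True if the first `limit` bytes contain a credential-looking field in the clear."""
    with open(path, "rb") as fh:
        head = fh.read(limit)
    return SECRET_RE.search(head) is not None


def audit_tree(root):
    """Map relative path -> {'world_accessible': bool, 'plaintext_secret': bool}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            findings[os.path.relpath(full, root)] = {
                "world_accessible": world_accessible(full),
                "plaintext_secret": looks_like_plaintext_secret(full),
            }
    return findings


def level0_files(root):
    """Files matching the slide's level-0 criterion: plaintext secret, 777-style access."""
    return sorted(rel for rel, f in audit_tree(root).items()
                  if f["world_accessible"] and f["plaintext_secret"])


def build_sample_tree():
    """Construct a throwaway 'app data dir' with one bad file and two acceptable ones."""
    root = tempfile.mkdtemp(prefix="appdata_")

    def put(rel, data, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    # secret in the clear AND world-accessible: level 0
    put("shared_prefs/account.xml",
        b'<map><string name="password">hunter2</string></map>', 0o777)
    # world-accessible but nothing secret in it
    put("cache/page.html", b"<html>no secrets here</html>", 0o777)
    # secret in the clear, but owner-only permissions
    put("files/session.json", b'{"token": "abc123"}', 0o600)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, f in sorted(audit_tree(root).items()):
        print(rel, f)
    print("level 0:", level0_files(root))
```

On a device you would run the same walk over the application's private data directory; the permission check is what separates "stored as is" from "stored as is and with 777 access" in the slide's wording.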

Page 24

APP INSECURITY. DISCLAIMER

• Everything presented further contains information for educational purposes and only using your own data & licenses. Moreover, no techniques or actions such as the following were applied to any app presented here:
  • modifying, decompiling, disassembling, decrypting and other actions with the object code of any Program aimed at obtaining the source code of any Program
• Also, as is known,
  • the User may make a modification of the Software solely for his or her own use and reverse engineering for debugging such modifications.
• All app results are up-to-date and tested on an up-to-date OS (iOS 9, Android 5).
• Important note. In fact, no app has been changed at all, and if you're on an old Android OS < 5 or iOS < 9 then your data can be stolen with or without a fake root certificate, depending on the case; otherwise, NO

Page 25

WE GUARANTEE THE CONFIDENTIALITY OF YOUR DATA

• Confidentiality - In information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes" (Excerpt ISO27000).
  • https://en.wikipedia.org/wiki/Information_security#Confidentiality

Page 26

WE GUARANTEE THE CONFIDENTIALITY OF YOUR DATA

[Screenshot with a "Look Here" callout]

Page 27

HOTELS.RU

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Token, Cached Data, Screenshot (iOS only)
• Network data [Android: Plaintext], [iOS: Medium]
  • Geo Location, Token, Passwords, IDs, Room Details, Address
  • Reveal

2013: Plaintext
2014: Plaintext
2015: Plaintext
2016: Android – Plaintext, iOS – Medium

Page 28

HOTELS.COM

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Cached data
• Network data [Android: Medium], [iOS: Medium]
  • Geo Location, Device Data, Room Details

2013: N/A
2014: N/A
2015: Medium
2016: Medium

Page 29

HOTELS.COM. EULA/PRIVACY

• How we protect your information
  • We want you to feel confident about using this website and our Apps to make travel arrangements, and we are committed to protecting the information we collect. While no website or App can guarantee security, we have implemented appropriate administrative, technical, and physical security procedures to help protect the personal information you provide to us. For example, only authorized employees are permitted to access personal information, and they may only do so for permitted business functions. In addition, we use encryption when transmitting your sensitive personal information between your system and ours, and we employ firewalls and intrusion detection systems to help prevent unauthorized persons from gaining access to your information.
• https://ru.hotels.com/customer_care/privacy.html#protect

Page 30

AEROEXPRESS

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Tickets + QR code, Email, Phone, Password, Screenshot of any app window (iOS only)
• Network data [Weak]
  • Email, Phone, Password, Unique UserID, Last Login Time, email & phone confirmed, DeviceID,
  • OrderID, Base64(hash of Order), Order URL, Order date, Trip date, cost of order,
  • TicketID, Route Info, ticket GUID, token, ticket QR Code
  • Bank Card info (number, cvv, name, expiration), tokens, *aeroexpress.ru, *ruru, *bank (AlfaBank)
• According to release notes & PCI DSS, the app doesn't store bank card info (payment data). You can't input that data type manually. However,
  • iOS: Doesn't store data after successful payment
  • Android: Stores data after successful payment
  • Both: Continue storing data after update - if the previous version wasn't removed and data not wiped

2013: Weak
2014: Weak
2015: Weak
2016: Weak, expected to remove local card info but fails

Page 31

AEROEXPRESS. EULA/PRIVACY

• Certified by the PCI DSS on a yearly basis. The certificate confirms the site's compliance with the standards of the following international payment systems: Visa/MasterCard, American Express, JCB, and Discover.
• To obtain the certificate, all the systems that receive, transmit, and encrypt card information together with the overall structure of the company must meet the minimum of 288 requirements stated in the PCI SAQ (Self-Assessment Questionnaire D and Attestation of Compliance).
• The Thawte 128-bit SSL Certificate is a technology of data encryption. The confidential information about your card number, CVV2 code, and other details are submitted to our site through encryption. To exchange information, a standard SSL-encryption is applied; the length of the key is 128 bit. Encrypted, it is further redirected to the bank's processing center through the payment gateway.
• https://aeroexpress.tickets.ru/en/content/safety_payments.html

Page 32

AEROEXPRESS. PASSES PCI DSS CERTIFICATION

• Aeroexpress has passed its PCI DSS certification. Now it is even safer for passengers to pay for online services provided by this express carrier.
• In early February, Aeroexpress passed its PCI DSS (Payment Card Industry Data Security Standard) certification, which is aimed at ensuring the secure processing, storage and transfer of data about Visa and MasterCard holders. Given the PCI DSS certified security level, Aeroexpress passengers can pay for tickets via the website or the company's mobile app using bank cards and can be confident that their personal data and funds are safely secured. PCI DSS provides for a comprehensive approach that ensures information security and unites the payment system programmes of VISA Account Information Security (AIS), Visa Cardholder Information Security Program (CISP), and MasterCard Site Data Protection. We would like to remind you that you can receive a discount of RUB 50 and RUB 100 when purchasing Standard and Return tickets on the website or via the company's mobile app.
• https://aeroexpress.ru/en/press_releases/news20090589.html

Page 33

PCI DSS. DATE: MARCH 2015

• 6.2 Penetration Test Case Study
  ….
• Main vulnerabilities
  ….
• Man in the middle

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

Page 34

PLATIUS

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Same as network data
• Network data [Android: Weak], [iOS: Medium]
  • Email, Birthday, Full Name, Phone, Gender, Activation code,
  • Bank Card info (number, cvv, name, expiration), tokens, *platius, *ruru, *bank (Sberbank)

2013: Android – Weak, iOS – Weak
2014: Android – Weak, iOS – Weak
2015: Android – Weak, iOS – Weak
2016: Android – No changes, iOS – Medium

Page 35

PLATIUS. EULA/PRIVACY

• 6.4 The administration doesn't guarantee ensuring confidentiality of information and data on the Participant and doesn't bear any responsibility as transfer of the specified data is carried out by means of open communication channels for disclosure of such information.
• https://platius.ru/en-GB/Information/Agreement

Page 36

ROCKETBANK

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Email, Full Name, Phone, bank code word, Geo Location
• Network data [Android: Weak], [iOS: Medium]
  • Email, Full Name, Phone, Activation code, bank code word,
  • Passport: Details Data (All Info)
    • Full Name, Full Address, Document ID, Birthday, Owner Image
  • https://rocketbank.ru/api/v5/emails/..../form
  • tariff": "i-am-vip-bitch-9-percent"
• Bitch, please © How I met your mother

2013: Weak
2014: Weak
2015: Weak
2016: Android – Weak, iOS – Medium

Page 37

ROCKETBANK. EULA/PRIVACY

• The Client agrees that the use of Authentication data, including unique codes generated by the Contractor and sent to the Client's contact phone number, constitutes proper and sufficient Identification/Authentication of the Client for the purpose of performing operations via Remote service channels.
  • Unique codes and a phone number are the 2 params that are enough to perform authenticated actions over the internet
• The Contractor does not bear the risks associated with unlawful use by third parties of the information specified in clause I.19 of the Terms (above)
  • Rocketbank Team doesn't give a shit about risks
• The Client assumes the risks associated with possible breaches of confidentiality arising from the use of the telephone system and the Internet.
  • The client alone is responsible for everything that happens to him and his data over the internet. The team again doesn't give a shit about any kind of protection
• https://rocketbank.ru/rules

Page 38

RBK MONEY

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Credentials…
• Network data [Android: Medium], [iOS: Medium]
  • Credentials…

2013: Medium
2014: Medium
2015: Medium
2016: Medium

Page 39

RBK MONEY. EULA/PRIVACY

• This is a question of common sense and caution. The more careful you are the less chance to be deceived by scammers and other fraudsters. The main protection from them is your unique password. To ensure security make password not shorter than 8 symbols (use combination of random letters and numbers) Don't enter it anywhere except for the RBK Money website and do not reveal it to other people. Use modern antivirus programs where possible.
• Information about your card is stored, encrypted and shown only to you. The payment is considered processed after card activation. RBK Money reserves the right to make additional payment confirmation by phone.
• http://www.rbkmoney.com/en/support#safety
• http://www.rbkmoney.com/en/support#cards

Page 40

DELIVERY CLUB

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Token, address, geo location, password, ID, full name, phone, short card info
• Network data [Android: Medium], [iOS: Medium]
  • Token, secret, deviceID, Full Name, phone, email, password, Card Info (short, w/o cvv), address, geo location, Loyalty Account Info

2013: Plaintext / Medium (card)
2014: Plaintext / Medium (card)
2015: Plaintext / Medium (card)
2016: Medium

Page 41

DELIVERY CLUB. EULA/PRIVACY

• We implement a variety of security measures to maintain the safety of your personal information when you place an order
• We offer the use of a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our Payment gateway providers database only to be accessible by those authorized with special access rights to such systems, and are required to keep the information confidential.
• After a transaction, your private information will be kept on file for more than 60 days in order to show your actions history and simplify future orders creation.
• http://www.delivery-club.ru/google_privacy.html

Page 42

ROSINTER

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Account info, tokens
• Network data [Android: Weak], [iOS: Weak]
  • Email, Birthday, Full Name, token, apn-token, Loyalty Account Info, Device Info, Geo, Phone, Stream

2013: Weak
2014: Weak
2015: Weak
2016: Weak

Page 43

ANYWAYANYDAY

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Passenger Info, Passport Info, Loyalty Info, Birthday, Order/Ticket Info, Trip Info, Credentials Info
• Network data [Android: Medium], [iOS: Protected]
  • Passenger Info, Passport Info, Loyalty Info, Birthday, Order/Ticket Info, Trip Info, Credentials Info
• Important note. In fact, the app wasn't changed at all, and if you're on an old iOS < 9 then your data can be stolen with a fake root certificate; otherwise, NO

2013: Medium
2014: Medium
2015: Medium
2016: Android – Medium, iOS – Protected?

Page 44

ANYWAY. EULA/PRIVACY

• To protect users' personal data against unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other illegal actions of third parties to them we apply the necessary and sufficient organizational and technical measures.
• https://www.anywayanyday.com/avia/privacypolicy/

Page 45

ALFABANK

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Token (Alfa-Ally-Chat), Screenshot - Protected
• Network data [Android: Medium], [iOS: Medium]
  • Name, Device Info, Token (Alfa-Ally-Chat), Password, Login, Account Info, Payment Info, Short Card Info, Transaction Info

2013: Medium
2014: Medium
2015: Medium
2016: Medium

Page 46

AMAZON CLOUD, PHOTOS

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Cached, Sync Documents
• Network data [Android: Protected Failed], [iOS: Protected Failed]
  • Reveal credentials and drop connection

2013: Weak/Medium
2014: Weak/Medium
2015: Protected Failed
2016: Protected Failed

Page 47

AMAZON APP MARKET, GOOGLE PLAY, MOBOMARKET

• Network data [Android: Medium]
  • Amazon & Google reveal all data including APK data (can be replaced with another)
• Network data [Android: Plaintext]
  • MoboMarket reveals all data including APK data (can be replaced with another)

2013: Amazon – Weak, Google – Medium, Mobomarket – Plaintext
2014: Amazon – Weak, Google – Medium, Mobomarket – Plaintext
2015: Amazon – Weak, Google – Medium, Mobomarket – Plaintext
2016: Amazon – Weak, Google – Medium, Mobomarket – Plaintext

Page 48

MOBOMARKET. EULA/PRIVACY

• We encrypt our services and data transmission using SSL. We strive at all times to ensure that your personal data will be protected against unauthorized or accidental access, processing, correction or deletion. We implement appropriate security measures to safeguard and secure your personal data. Please note, however, that no security measures are 100% effective. We encourage you to take measures to protect your personal data.
• You are responsible for maintaining the privacy and the confidentiality of Information. Please keep yourself informed when accessing the internet and to always read and review the policy / privacy statement on the site that you are accessing. Please ensure that you do the following: (i) not to disclose your password, (ii) not to provide any personal information to anyone, including their names, (iii) never fill online forms without your prior authorization. Please use complex passwords with long enough combinations of letters and numbers that require unusual keyboard combinations whereas; simple passwords are easy to be broken. Please never give your password to anyone online. In any event, please change your password periodically.
• http://www.mobomarket.net/policy.html

Page 49

GOOGLEPLAY. EULA/PRIVACY

• We work hard to protect Google and our users from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:
  • We encrypt many of our services using SSL.
  • We offer you two-step verification when you access your Google Account and a Safe Browsing feature in Google Chrome.
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.
  • We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations.
• http://www.google.com/intl/en-GB_ru/policies/privacy/

Page 50

APP IN THE AIR

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Loyalty Info, Order/Ticket Info, Trip Info, Full Info, Trip Info (Media Data), Stats, UserID, Work Info (from Facebook)
• Network data [Android: Medium], [iOS: Protected]
  • Loyalty Info, Order/Ticket Info, Trip Info, Full Info, Trip Info (Media Data), Stats, UserID, Work Info (from Facebook), Tokens

2013 2014 2015 2016
Plaintext Plaintext Weak Medium Medium

Page 51

APP IN THE AIR. EULA/PRIVACY

• The security of your personal information is important to us. We do not hold any liability for any personal data or any sensitive information you provided.
• We follow generally accepted industry standards to protect the personal information submitted, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while our goal to use commercially acceptable ways to protect your personal information, we cannot guarantee it is absolutely secure. Please keep it in mind before submitting any information about yourself. Please note that information that you voluntarily make public in your user profile, or which you disclose by posting comments or inserting of the Content will be publicly available and viewable by others. We do not hold any liability for any information that you voluntarily choose to be public through such and/or other explicit actions.
• We only use personal information collected through the APPINTHEAIR project and our Services for the purposes described in the Terms http://i.appintheair.mobi/termsofuse. For example, we may use information we collect:
  • provide our Services or information you request, and to process and complete any transactions;
  • to your emails, submissions, questions, comments, requests, and complaints and provide customer service;
• http://www.appintheair.mobi/privacypolicy

Page 52

ASUS WEBSTORAGE

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • MD5(Password.ToLowerString())
• Network data [Android: Medium], [iOS: Medium]
  • Login, Email, Encryption Key(?), Tokens, Device Settings, Sync Documents, File Details
  • MD5(Password.ToLowerString())

2013: Medium
2014: Medium
2015: Medium
2016: Medium
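The slide names the password verifier as MD5 over the lower-cased password, which is the "old hash algorithm" fail from the HTTPS slide. The following is an added example, not code from the talk or from ASUS: it mirrors that scheme to show that every case spelling of a password collapses onto one unsalted, fast hash, and puts a salted PBKDF2-HMAC-SHA256 verifier from the Python standard library next to it, which gives each user a different record for the same password and makes each guess cost a configurable number of iterations. The passwords and iteration counts are constructed for the demonstration.

```python
"""
Added example: the MD5(lower(password)) verifier from the slide next to a
salted, iterated one. Sample passwords are constructed.
"""
import hashlib
import hmac
import os


def legacy_md5_lower(password):
    """The scheme on the slide: MD5 over the lower-cased password, no salt."""
    return hashlib.md5(password.lower().encode("utf-8")).hexdigest()


def case_spellings_collapsed(password):
    """How many distinct case spellings produce the same legacy hash."""
    return 2 ** sum(1 for c in password if c.isalpha())


def legacy_hashes_collide(a, b):
    """True when two different passwords are indistinguishable under the legacy scheme."""
    return a != b and legacy_md5_lower(a) == legacy_md5_lower(b)


def make_verifier(password, salt=None, iterations=200_000):
    """Salted, iterated verifier record (PBKDF2-HMAC-SHA256).

    Equal passwords get different records because of the random salt, and a
    guess costs `iterations` HMAC evaluations instead of a single MD5.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print(legacy_md5_lower("Password1"), legacy_md5_lower("PASSWORD1"))
    print("case spellings folded into one hash:", case_spellings_collapsed("Password1"))
    rec = make_verifier("Password1")
    print(verify("Password1", rec), verify("password1", rec))
```

Lower-casing before hashing is not a cosmetic detail: for an eight-letter password it throws away 256 spellings' worth of guessing work, on top of MD5 being unsalted and cheap to compute at scale. The salted verifier also keeps the case distinction, so "password1" is rejected for a record created from "Password1".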

Page 53

ASUS WEBSTORAGE. EULA/PRIVACY

• We take precautions to protect your personal information against unauthorized access or unauthorized alteration, disclosure or destruction. These include internal reviews of our personal information collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store your personal information. Transmission of personal information between different locations of ASUS Cloud affiliated companies is performed through our secured wide area network. When you submit personal information via the service, your information is protected both online and offline. However, ASUS Cloud cannot guarantee a perfect security on the internet. When using the internet, we recommended that you use alphanumerical usernames and passwords and change your passwords on a regular basis, as well as keep your computer up to date by applying the latest available security updates for your software and using such tools as virus/spyware scanners.
• If you have any questions regarding the security of our web site, please refer to our security web page.
• ISO27001, SSL, AES, RAID
  • https://www.asuswebstorage.com/navigate/security/
  • https://service.asuswebstorage.com/privacy/

Page 54

SKYPE

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Media data (attachments), Message (or last messages), friend list, Email/Login, Snapshot
• Network data [Android: Weak/Strong], [iOS: Weak/Strong]
  • Media data (attachments), Message (or last messages), Email/Login, Device Data, UserID, MS Live password, no skype password

2013: Weak/Strong
2014: Weak/Strong
2015: Weak/Strong
2016: Weak/Strong

Page 55

EVERNOTE

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • Tokens, UserID, Sync Documents (notes), cached data, SnapShot (iOS only)
• Network data [Android: Medium], [iOS: Protected]
  • Sync Documents (notes), Full name, Account Details, Credentials, tokens, etc.
• Important note. In fact, the app wasn’t changed at all: if you’re on old iOS < 9, your data can be stolen with a fake root certificate; otherwise, NO

2013    2014    2015    2016
Medium  Medium  Medium  Android – Medium / iOS – Protected

Page 56

EVERNOTE. EULA/PRIVACY

• Evernote is committed to protecting the security of your information and takes reasonable precautions to protect it. We use industry standard encryption to protect your data in transit. This is commonly referred to as transport layer security (“TLS”) or secure socket layer (“SSL”) technology. However, internet data transmissions cannot be guaranteed to be 100% secure, and as a result, we cannot ensure the security of information during its transmission between you and us; accordingly, you acknowledge that you do so at your own risk.
• https://evernote.com/legal/privacy.php?noredirect

Page 57

CYBER GHOST

• Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
  • tokens
• Network data [Android: Medium/Strong Protected], [iOS: Medium/Strong Protected]
  • Login, oauth consumer_key, token, token_secret, radius_password, geo location, ip, country, account details, license key, license expiration

2013  2014  2015                     2016
N/A   N/A   Medium/Strong Protected  Medium/Strong Protected

Page 58

CYBERGHOST. EULA/PRIVACY

• Personal data: CyberGhost collects and uses no personal data, such as e-mail addresses, name, domicile address and payment information.
• If you register for the Premium-Service of CyberGhost VPN, we store a fully anonymous User ID, an encoded password and your pay scale information (activation key, start and end). The stored e-mail addresses are not linked to a User ID.
• Log data: CyberGhost keeps no logs which enable interference with your IP address, the moment or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses.
• In March 2012, CyberGhost had successfully passed an audit and verification conducted by QSCert for the implemented Information Safety Management System (ISMS) according to the international industrial standards ISO27001 and ISO9001. The certification confirms the high quality of the internal safety processes and is renewed yearly ever since.
• http://www.cyberghostvpn.com/en/privacypolicy

Page 59

ISO 27001, ISMS, ETC.

• ISO27001 (and similar standards for non-IT areas) explicitly does not require "have you taken every sensible precaution to ensure it is"; it is sufficient to have a policy that acknowledges that you haven’t taken a bunch of very sensible precautions and that you simply accept the risks caused by that
• If a company with a proper ISMS only accepts file uploads over insecure FTP, it means they thought about this and decided either that it’s not their problem or that they don’t care

Page 60

RESPONSIBLE DEVELOPER VS LAZY ONE

• Apple (!) & Google (!)
• QIWI – best app with own cryptography and has implemented all security features
• Dropbox - has implemented all security features
• App in the Air (network, in progress)
• CyberGhost (network, in progress)
• Asus Web Storage (pwd, in progress)
• Sberbank (background fixing)
• Hotels.Ru (network, in progress)
• DeliveryClub (network, in progress)
• AnywayAnyday (network, having fun with hardcoded ‘anyway’ 192bit 256bit key)
• Evernote (network)
• … everyone you saw in this slide or among my researches

Page 61

PANDA SM MANAGER IOS APPLICATION - MITM SSL CERTIFICATE VULNERABILITY

• "Panda Systems Management is the new way to manage and monitor IT systems." "Inventory, monitoring, management, remote control and reporting... All from a single Web-based console" (https://itunes.apple.com/us/app/panda-sm-manager/id672205099)
• Timeline – Almost 1 Year (!)
  • July 19, 2015 - Notified Panda Security via [email protected], e-mail bounced
  • July 20, 2015 - Resent vulnerability report to [email protected] & [email protected]
  • July 20, 2015 - Panda Security responded stating they will investigate
  • July 31, 2015 - Asked for an update on their investigation
  • August 3, 2015 - Panda Security responded stating that the issue has been escalated and is still being reviewed
  • August 14, 2015 - Asked for an update on their investigation
  • October 16, 2015 - Asked for an update on their investigation
  • … NO ANSWER …
  • March 1, 2016 - Panda Security released version 2.6.0 which resolves this vulnerability

Page 62

ADVICE. YOU’RE A DEVELOPER? DON’T CARE ABOUT SECURITY/PRIVACY? THEN YOUR CHOICE IS …

• BlackBerry. Protects everything locally stored except public folders & external storage. Also it’s hard to MITM except plain http traffic. Even for Android (!)
• Windows Modern 10 apps. Anti-MITM protection on OS level by default (still researching it; also can’t confirm it for Android app support – Project Astoria)
• iOS. Ok. Easy to make the user install a trusted fake certificate for MITM. Upgrade! Local app files on iOS < 8.3 could be accessed without jailbreak
• Android. Fail. Easy to make the user install a trusted fake certificate for MITM. Some vendors prevent unlocking the bootloader without user interaction, to avoid rooting without the user’s consent. But some don’t (!)
• Windows Desktop. Fail. Easy to change access permissions. MITM depends on the particular app only
• Mac OS. Fail. Easy to access app files. MITM depends on the particular app only

Page 63

REMEDIATION: ANDROID

• Follow the security programming guide from Google
• Call the ‘setStorageEncryption’ API for locally stored files (new Android OS v5+)
• Encrypt externally stored files on SD Card or Cloud (any OS)
• Define when an encryption signature doesn’t matter, else avoid it
• Avoid ‘MODE_WORLD_READABLE’ unless it is really needed
• Avoid hardcoded and debug traces as much as possible (it’s easy to decompile)
• Add extra protection beyond the OS (encryption, wiping, etc.)

Page 64

REMEDIATION: IOS

• Follow the security programming guide from Apple
• Never store credentials on the phone file system. Use an API or web scheme instead
• Define when an encryption signature doesn’t matter, else avoid it
• Use the protection mechanisms implemented in iOS…
• But … add an extra protection layer beyond OS protection in case of jailbreak
• Use any API and protection mechanisms properly, but never the default settings
• Don’t forget to encrypt SQL databases

Page 65

REMEDIATION: BLACKBERRY

• Follow the security programming guide from BlackBerry
• Don’t store credentials in shared folders
• Encrypt data stored in shared folders
• Use the protection mechanisms implemented in BlackBerry…
• But … add an extra protection layer beyond it, just in case
• Don’t forget to encrypt SQL databases
• Don’t develop Android app-ports
• Try to avoid using ported or Android native apps under BlackBerry
• Develop more and use native apps for BlackBerry

Page 66

REMEDIATION: WINMOBILE 10

• Credentials stored or transferred in plaintext locally
• Data usually stored or transferred in a structured file type that simplifies analysis
• Signature-based encryption helps to quickly decrypt data (depends on dynamically linked libraries)
• Data stored in SQLite databases is usually not encrypted
• Keys may be hardcoded or put in the data folder
• Applications could be analyzed on Windows 10 Desktop via known methods, like desktop applications

Page 67

REMEDIATION: WIN 10

• Credentials stored or transferred in plaintext locally
• Data usually stored or transferred in a structured file type that simplifies analysis
• Signature-based encryption helps to quickly decrypt data (depends on dynamically linked libraries)
• Data stored in SQLite databases is usually not encrypted
• Keys may be hardcoded or put in the data folder
• Application data folder is accessible without any restrictions

Page 68

REMEDIATION: MAC OS X

• Credentials stored/transferred in plaintext locally
• Data stored in a keychain without additional protection or encryption
• Data usually stored or transferred in a structured file type that simplifies analysis
• Signature-based encryption that helps to quickly decrypt data
• Avoiding the protection mechanisms in iOS, which leads to poor protection eventually
• Data stored in SQLite databases is usually not encrypted
• Keys may be hardcoded
• Application data folder is accessible without any restrictions
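The remediation slides for Android and iOS and the findings for Windows 10 and Mac OS X keep coming back to the same four checks on an app's data folder: world-readable files (the ‘MODE_WORLD_READABLE’ point), credentials sitting in plaintext, SQLite databases that were never encrypted, and keys hardcoded or dropped into the data directory. The script below is an added example, not part of the talk and not any vendor's tool: it walks an extracted data folder and reports those four conditions, and it builds its own constructed sample folder so it runs offline. It assumes a POSIX permission model (the world-readable test reads the ‘other’ read bit) and the regexes are deliberately simple heuristics.

```python
from __future__ import annotations

import os
import re
import sqlite3
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# An unencrypted SQLite file announces itself in its first 16 bytes; a database
# encrypted as a whole (e.g. SQLCipher) has no readable header.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Key/value shapes that should never be readable in an app's data folder.
# Matches XML attributes (name="password">...), JSON ("token": "...") and
# properties files (pwd=...). Heuristic, constructed for this example.
CREDENTIAL_KEYS = re.compile(
    rb"(password|passwd|pwd|secret|token|api_key)[\"']?\s*[=:>]\s*[\"']?\S",
    re.IGNORECASE,
)

# Hex strings of AES key length (128/192/256 bits) lying around in config.
HARDCODED_KEY = re.compile(
    rb"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{48}\b|\b[0-9a-fA-F]{64}\b"
)


def audit_file(path: Path) -> List[str]:
    """Return the list of findings for one file (empty list if clean)."""
    findings: List[str] = []
    if path.stat().st_mode & stat.S_IROTH:
        findings.append("world-readable")          # other users/apps can read it
    data = path.read_bytes()
    if data.startswith(SQLITE_MAGIC):
        findings.append("unencrypted-sqlite")      # header in clear => no DB-level encryption
    if CREDENTIAL_KEYS.search(data):
        findings.append("plaintext-credential")
    if HARDCODED_KEY.search(data):
        findings.append("possible-hardcoded-key")
    return findings


def audit_tree(root: Path) -> Dict[str, List[str]]:
    """Map relative file path -> findings, for every file with at least one."""
    report: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = audit_file(p)
            if found:
                report[p.relative_to(root).as_posix()] = found
    return report


def build_sample_app_dir() -> Path:
    """Constructed sample data folder (not from any real app) with one
    instance of each condition plus one clean, fully encrypted blob."""
    root = Path(tempfile.mkdtemp(prefix="appdata_"))
    (root / "shared_prefs").mkdir()
    (root / "databases").mkdir()

    # 1. preferences file left world-readable and holding a plaintext password
    prefs = root / "shared_prefs" / "settings.xml"
    prefs.write_bytes(b'<map><string name="password">hunter2</string></map>')
    os.chmod(prefs, 0o644)

    # 2. a real SQLite database, private permissions but no encryption at all
    db = root / "databases" / "notes.db"
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes(body) VALUES ('hello')")
    conn.commit()
    conn.close()
    os.chmod(db, 0o600)

    # 3. stand-in for a properly encrypted blob: no magic, no readable strings
    vault = root / "databases" / "vault.bin"
    vault.write_bytes(bytes(range(256)))
    os.chmod(vault, 0o600)

    # 4. a 256-bit key dropped into a config file in the data folder
    cfg = root / "config.properties"
    cfg.write_bytes(b"aes_key=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n")
    os.chmod(cfg, 0o600)
    return root


if __name__ == "__main__":
    for rel, found in audit_tree(build_sample_app_dir()).items():
        print(f"{rel}: {', '.join(found)}")
```

Run against a folder pulled from a test device (or an app's sandbox on the desktop platforms, where the slides note the folder is readable without restriction), it gives a quick first pass over the checklist; a clean result only means none of these specific heuristics fired.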

Page 69

[ YURY CHEMERKIN ]

• MULTISKILLED SECURITY EXPERT
• WORK FOR ADVANCED MONITORING
• EXPERIENCED IN:
  • REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
  • MOBILE SECURITY & CLOUD SECURITY
  • IAM, COMPLIANCE, FORENSICS
• PARTICIPATION & SPEAKING AT MANY SECURITY CONFERENCES

Page 70

(LEAKED) MOBILE APPLICATION DATA PRIVACY

HOW TO CONTACT ME?
ADD ME ON LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN

YURY CHEMERKIN
SEND A MAIL TO: [email protected]