RISKS HIDING IN PLAIN SIGHT:MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS
BRIAN LAWRENCE
SENIOR SECURITY [email protected]
© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
NOWSECURE – DELIVERING SECURE MOBILE APPS FASTER
MOBILE THREAT RESEARCH IS IN OUR DNA
Dream team of security researchers. Every waking moment spent:
▪ Discovering critical vulns
▪ Identifying novel attack vectors
▪ Creating/maintaining renowned open-source mobile security tools/projects

THE NOWSECURE MISSION
Save the world from unsafe mobile apps. Educate enterprises on the latest mobile threats.
▪ Open source
▪ Books & Speaking
TRAFFIC IS MOVING FROM WEB TO MOBILE APPS
85% of Mobile Apps in App Stores Have Security Vulnerabilities
49% of Mobile Apps in App Stores Leak Data in Violation of GDPR
INSIDE THE MOBILE ATTACK SURFACE
Device stack (top to bottom): iOS APPS · iOS FRAMEWORKS · iOS NATIVE LIBRARIES · iOS Mach/XNU KERNEL · iOS HAL · HARDWARE
Off-device: Data Center & App Backend · Network & Cloud Services
Test target: TEST APP

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup Flag
▪ allowDebug Flag
▪ Code Obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ GPS Leaking
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World Readable Files
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Media/file format parsers
▪ Insecure 3rd party libraries
▪ World Writable Files
▪ World Writable Executables

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS Downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP Proxies
▪ VPNs
▪ Weak/No Local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag
WEB + SAST VENDORS
NOWSECURE BROADEST COVERAGE, HIGHEST ACCURACY
AUTOMATED MOBILE APP SECURITY TESTING PLATFORM
STATIC TESTING · DYNAMIC TESTING · BEHAVIORAL TESTING
▪ Analyzes the binary post-compilation to discover vulnerabilities, including those in third-party libraries
▪ Attacks the binary & network environment to discover vulnerabilities within the app, with near zero false positives
▪ Observes the binary at runtime to discover vulnerabilities within the app
ENABLING DIGITAL BUSINESS VALUE - SAFELY
[Chart: BUSINESS VELOCITY (SLOW → FAST) against SECURITY COVERAGE (LOW → HIGH), plotting LEGACY APPROACHES against the TARGET]
“AUTOMATION + INTEGRATION ...is the only way to get from here to there”
▪ SPEED
▪ COVERAGE
▪ ACCURACY
▪ CONSISTENCY
▪ PREDICTABILITY
▪ EFFICIENCIES
ANALYSIS OF MOBILE APP STORE APPS BY INDUSTRY
VIA CVSS SCORED FINDINGS
Analysis of Mobile App Risk in the Apple® App Store® and the Google Play™ store via OWASP Mobile Top 10
Comprehensive Risk Analysis: security vulnerabilities, compliance violations, privacy leakage
Rich Results: industry-standard CVSS scores, high accuracy, detailed results & recommendations
BENCHMARKING 45,000 APPSTORE APPS
INSIDE NOWSECURE MOBILE APP RISK SCORING
NOWSECURE BENCHMARKS: BANKING & FINANCE TOP 50
Score bands: 0-59 · 60-69 · 70-79 · 80-89 · 90-100 (legend: High Risk, Caution, Low Risk)
*Scoring algorithm based on industry-standard CVSS-scored findings
A significant 10 of 100 apps (10%) fail with critical & high risks
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
NowSecure Score risk range: 46-100
NOWSECURE BENCHMARKS: HEALTHCARE TOP 35
Score bands: 0-59 · 60-69 · 70-79 · 80-89 · 90-100 (legend: High Risk, Caution, Low Risk)
*Scoring algorithm based on industry-standard CVSS-scored findings
A significant 7 of 70 apps (10%) fail with critical & high risks
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
NowSecure Score risk range: 45-100
NOWSECURE BENCHMARKS: RETAIL TOP 40
Score bands: 0-59 · 60-69 · 70-79 · 80-89 · 90-100 (legend: High Risk, Caution, Low Risk)
*Scoring algorithm based on industry-standard CVSS-scored findings
A shocking 27 of 80 apps (38%) fail with critical & high risks
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
NowSecure Score risk range: 6-100
NOWSECURE BENCHMARKS: FANTASY SPORTS TOP 30
Score bands: 0-59 · 60-69 · 70-79 · 80-89 · 90-100 (legend: High Risk, Caution, Low Risk)
*Scoring algorithm based on industry-standard CVSS-scored findings
A significant 23 of 60 apps (38%) fail with critical & high risks
Identified failures: man-in-the-middle attack, invalid certificate, known vulnerable 3rd-party libraries, unencrypted credentials/PII in local files or over HTTP
NowSecure Score risk range: 44-100
APPSTORE SCORES INDUSTRY COMPARATIVE RESULTS
Analysis of Top 10 downloads in 11 Major Categories of apps used by employees
iOS best performing scores: ■ Finance ■ General ■ Navigation
Android best performing scores: ■ Finance ■ Medical ■ Business
iOS: 8 of 11 categories are in the 80-90 range
Android: none are in the 80-90 range, but 8 of 11 categories are in the 70-80 range
YOU ARE MOST LIKELY USING THESE
POPULAR BUSINESS NOTE TAKING
POPULAR BUSINESS INTELLIGENCE
POPULAR BUSINESS EMAIL
POPULAR BUSINESS CHAT APP
POPULAR BUSINESS CRM
POPULAR BUSINESS TRAVEL APP
POPULAR ERP WORKFORCE MGMT
POPULAR ERP FINANCIALS
ANALYSIS OF MOBILE APP STORE APPS: ALL INDUSTRIES
VIA OWASP MOBILE TOP 10
OWASP MOBILE TOP 10 [2016]
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
▪ OWASP initiated the Mobile Top 10 in 2011
▪ Recognized that mobile OS platforms vary widely and are unique from the web app model
▪ Must consider more than the “apps”: remote web services, platform integration (iCloud, GCM), device (in)security considerations
▪ Intended to be platform-agnostic
▪ Focused on areas of risk rather than individual vulnerabilities
▪ Weighted utilizing the OWASP Risk Rating Methodology
OWASP MOBILE TOP 10
M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls
M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text
M4 - Insecure Authentication Improper identity mgmt, weak session mgmt
M5 - Insufficient Cryptography Lack of crypto, improper crypto use
M6 - Insecure Authorization Improper local auth, forced browsing
M7 - Client Code Quality Code mistakes, e.g. buffer overflows, format string vulns
M8 - Code Tampering Binary patching, method hooking/swizzling, memory mods
M9 - Reverse Engineering Exposure to attacker reversing tools
M10 - Extraneous Functionality Dev/QA inadvertent disabling security, hidden backdoors
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS
M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail
TESTING FOR RISK -- DATA AT REST
Local log/file data exposing: account credentials, PII, email, geolocation, IMEI/serial number, WiFi
World Writable Executables: 52% of Android apps

                            Android   iOS   Total
M2-Insecure Data Storage    85%       16%   50%
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS
M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail
M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text 48% Fail
TESTING FOR RISK -- DATA IN TRANSIT
▪ Assume that the network layer is not secure and is susceptible to intercept
▪ Frequent lack of proper iOS ATS and cross-platform SSL implementations
▪ Unencrypted data OTA: account credentials, PII, email, geolocation, IMEI/serial number
▪ 30% of iOS apps use HTTP (not HTTPS)

                            Android   iOS   Total
M3-Insecure Communication   20%       76%   48%
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS
M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail
M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text 48% Fail
M4 - Insecure Authentication Improper identity mgmt, weak session mgmt 5% Fail
M5 - Insufficient Cryptography Lack of crypto, improper crypto use
M6 - Insecure Authorization Improper local auth, forced browsing 2% Fail
M7 - Client Code Quality Code mistakes, e.g. buffer overflows, format string vulns, 3rd Party 32% Fail
TESTING FOR RISK -- CODE & 3rd PARTY
▪ iOS enforces stronger code quality practices
▪ Nearly all apps have 3rd-party/OSS libraries
▪ Open source often unvetted; inconsistent upgrading to latest patched library versions
▪ Android app challenges: 1465 arbitrary code injection, 1133 SQL injection, 112 debug flag on

                            Android   iOS   Total
M7-Client Code Quality      59%       4%    32%
OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS
M1 - Improper Platform Usage Misuse of features like Touch ID, permissions, Keychain
M2 - Insecure Data Storage Data Leakage, client-side injection, weak server-side controls 50% Fail
M3 - Insecure Communication Poor handshake, SSL/TLS/Cert issues, transfer in clear text 48% Fail
M4 - Insecure Authentication Improper identity mgmt, weak session mgmt 5% Fail
M5 - Insufficient Cryptography Lack of crypto, improper crypto use
M6 - Insecure Authorization Improper local auth, forced browsing 2% Fail
M7 - Client Code Quality Code mistakes, e.g. buffer overflows, format string vulns 32% Fail
M8 - Code Tampering Binary patching, method hooking/swizzling, memory mods
M9 - Reverse Engineering Exposure to attacker reversing tools 32% Fail
M10 - Extraneous Functionality Dev/QA inadvertent disabling security, hidden backdoors 47% Fail
TESTING FOR RISK -- TAMPERING
▪ Obfuscation insufficiently used by Android developers
▪ 90% of Android apps allow backup of data
▪ 1465 Android apps allow arbitrary code execution

                              Android   iOS   Total
M9-Reverse Engineering        64%       0%    32%
M10-Extraneous Functionality  92%       2%    47%
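The data-in-transit and tampering findings above come down to a few app configuration settings: the Android allowBackup and debug flags, cleartext traffic, and iOS App Transport Security (ATS). As an added illustration, not part of the deck and not NowSecure's tooling, the check below reads those settings straight out of a decoded AndroidManifest.xml and an Info.plist; the manifests and plist are constructed samples.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (not taken from any real app). A real APK's
# manifest is binary XML and must be decoded to text first, e.g. with apktool.
RISKY_MANIFEST = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:debuggable="true"
               android:usesCleartextTraffic="true"/>
</manifest>"""
HARDENED_MANIFEST = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="false" android:usesCleartextTraffic="false"/>
</manifest>"""

# Constructed sample Info.plist with App Transport Security switched off globally.
RISKY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""


def android_findings(manifest_xml: bytes) -> list:
    """Report the Android manifest settings the benchmark slides single out."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element in manifest"]
    findings = []
    # allowBackup defaults to true when absent, so only an explicit "false" passes.
    if app.get(ANDROID_NS + "allowBackup") != "false":
        findings.append("allowBackup not disabled: app data can be pulled into backups")
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("debuggable=true: debug build shipped to users")
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP permitted")
    return findings


def ios_findings(plist_bytes: bytes) -> list:
    """Report App Transport Security weakening in an iOS Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads: ATS disabled for all hosts")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"NSExceptionAllowsInsecureHTTPLoads: HTTP allowed for {domain}")
    return findings
```

Running `android_findings` over the risky and hardened manifests side by side shows which attribute changes clear each finding; an empty list is the pass condition for a release build.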
TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS
Risk dependent on your corporate policies
Sample potentially risky permissions: contact list access, write external storage, calendar, send SMS, NFC
TESTING FOR RISK -- IP ADDRESSES
▪ Risk dependent on your corporate policies
▪ 3rd party libraries and SDKs are common culprits
▪ Ad networks frequently uniquely identify users and geo-locate them insecurely
▪ Apps frequently have hundreds of connections (this one had 250)
BEST PRACTICES RECOMMENDATIONS
FOR SECURITY TEAMS
1. Recognize the risks of 3rd party apps on all mobile devices
   Assume all are untrusted until validated, no matter who the developer
2. Put controls and processes in place to analyze and monitor 3rd party app risk
   ▪ Inventory & analyze your existing mobile apps leveraging EMM/MDM
   ▪ Adapt processes to review and approve all new mobile apps before introduction
   ▪ Leverage automated tools for in-depth testing and continuous monitoring

FOR APP DEVELOPERS
1. Train developers on secure coding best practices & fully vet 3rd party libraries
   Leverage the NowSecure Guide to Secure Mobile App Development Best Practices
2. Ensure all mobile app releases are properly security tested
   ▪ Leverage automated mobile appsec testing tools in the SDLC
   ▪ Leverage 3rd party expert mobile app pen testing
3. Find reputable sources to stay up to date on the latest mobile threats and vulnerabilities
   ▪ NowSecure #MobSec5 at www.nowsecure.com/go/subscribe and blog www.nowsecure.com/blog
   ▪ THN, ThreatPost, Krebs, bankinfosecurity, etc. https://blog.feedspot.com/cyber_security_news_websites/
GET A FREE MOBILE APP SECURITY REPORT
Free for All Attendees
Delivered by NowSecure Mobile App Security Experts
Choose a 3rd Party Mobile app used in your business
Surf to request: http://bit.ly/2BB8sAk
BRIAN LAWRENCE
SENIOR SECURITY [email protected]