Top 10 mobile security risks - Khổng Văn Cường

Transcript of Top 10 mobile security risks - Khổng Văn Cường

Page 1: Top 10 mobile security risks - Khổng Văn Cường

#SCB 2014

Presenter: Khong Van Cuong

TOP 10 MOBILE SECURITY RISKS

Page 2

AGENDA

• Introductions
• Mobile Threat Model
• OWASP Top 10 Mobile Risks
• Demo
• Q&A

Page 3

INTRODUCTIONS

• The OWASP Mobile Security Project:
  • Gives developers and security teams the resources to build and maintain secure mobile applications.
  • Classifies mobile security risks and provides development controls to reduce their impact or likelihood of exploitation.

Page 4

MOBILE THREAT MODEL

Page 5

MOBILE THREAT MODEL

Diagram (labels recovered from the slide):
• Device: Apps, OS, Hardware, hardware extensions (NFC).
• Network paths: carrier network; local network (Wi-Fi, VPN, etc.).
• Remote side: Web, corporate networks, web services, websites, app stores, cloud storage, SMS, voice, misc.

Page 6

MOBILE THREAT MODEL (CONT)

STRIDE view of the threats (labels recovered from the slide diagram):
• Spoofing: improper session handling, social engineering, weak authorization, weak authentication, malicious application, malicious QR code.
• Repudiation: missing device, toll fraud, client-side injection, malware.
• Denial of Service: crashing apps, push notification flooding, excessive API usage, DDoS.
• Tampering: carrier network breach, modifying local data, insecure Wi-Fi network, malware.
• Information Disclosure: lost device, reverse engineering apps, backend breach, malware.
• Elevation of Privilege: sandbox escape, rooted/jailbroken or otherwise compromised devices, rootkits, weak authorization, flawed authentication, compromised credentials, masked unauthorized purchases, apps pushed remotely.

Page 7

TOP 10 RISKS

Page 8

OWASP MOBILE TOP 10 RISKS (2014 update)

M1 – Weak Server Side Controls
M2 – Insecure Data Storage
M3 – Insufficient Transport Layer Protection
M4 – Unintended Data Leakage
M5 – Poor Authorization and Authentication
M6 – Broken Cryptography
M7 – Client Side Injection
M8 – Security Decisions via Untrusted Inputs
M9 – Improper Session Handling
M10 – Lack of Binary Protections

Page 9

M1 - WEAK SERVER SIDE CONTROLS

• The attack vectors correspond to the same attack vectors available through the traditional OWASP Top Ten.
• Existing controls may need to be re-evaluated.
• We still can't trust the client.

Page 10

M1 - WEAK SERVER SIDE CONTROLS

Diagram (labels only survived extraction): end user, backend web application, attackers.

Page 11

M1 - WEAK SERVER SIDE CONTROLS

See also: OWASP Web Top 10 (2013), OWASP Cloud Top 10.

Page 12

M2 - INSECURE DATA STORAGE

• Confidentiality of data is lost; credentials are disclosed.
• Privacy violations, material loss, etc.
• Generally a result of:
  • No data protection mechanism.
  • Weak or global (world-readable) file permissions.
  • Not leveraging platform best practices.

Page 13

M2 - INSECURE DATA STORAGE (CONT)

Page 14

M2 – PROOF OF CONCEPT

• Video.
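The two root causes named on slide 12, weak or global file permissions and secrets kept in the clear, can be checked mechanically against an app's data directory pulled from a device or emulator. The script below is an added example written for this transcript, not code from the talk: it builds a constructed app-storage directory (the shared_prefs layout, file names, the sample password and JWT, and the secret patterns are all made up for the demo) and audits it for both problems.

```python
"""Audit an app's private storage for M2-style weaknesses.

Added example for this transcript, not the talk's code. Emulates an app
data directory with constructed files and checks two things the slide
lists: files readable by other users/apps, and credentials stored as
plaintext.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Patterns that usually mean a credential is sitting on disk in the clear.
# Constructed for this example; tune them for the real app under test.
SECRET_PATTERNS = [
    re.compile(rb"(?i)(password|passwd|pwd)[\"']?\s*[=:>]\s*\S+"),
    re.compile(rb"(?i)(api[_-]?key|auth[_-]?token|access[_-]?token)[\"']?\s*[=:>]\s*\S+"),
    re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),  # JWT
]


def world_or_group_readable(path: Path) -> bool:
    """True if anyone other than the owner can read the file (Android's
    MODE_WORLD_READABLE is the same mistake on another OS)."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_plaintext_secrets(data: bytes) -> list:
    hits = []
    for pat in SECRET_PATTERNS:
        for m in pat.finditer(data):
            hits.append(m.group(0).decode("latin-1")[:60])
    return hits


def audit_storage(root: Path) -> list:
    """Walk the directory and return one finding per weakness found."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if world_or_group_readable(path):
            findings.append({"file": rel, "issue": "readable by other users/apps",
                             "mode": oct(path.stat().st_mode & 0o777)})
        for hit in find_plaintext_secrets(path.read_bytes()):
            findings.append({"file": rel, "issue": "plaintext secret", "match": hit})
    return findings


def build_demo_storage(root: Path) -> None:
    """Constructed sample data: what a careless app leaves behind."""
    prefs = root / "shared_prefs"
    prefs.mkdir()
    # Mistake 1: credentials in a preferences file that everyone can read.
    (prefs / "login.xml").write_bytes(
        b'<map><string name="username">alice</string>'
        b'<string name="password">Summer2014!</string></map>')
    os.chmod(prefs / "login.xml", 0o644)
    # Mistake 2: a session JWT in the cache; owner-only, but still cleartext.
    (root / "cache.db").write_bytes(
        b"session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9."
        b"x3v9qJfQH2mXcD8n5z1rYkL7tA0bWvE4sG6uI8oP1cQ")
    os.chmod(root / "cache.db", 0o600)
    # Done right: an opaque, owner-only blob, which is all the file system
    # should ever see of a keystore-wrapped ciphertext. Deterministic bytes
    # so the demo is repeatable.
    (root / "vault.bin").write_bytes(bytes((i * 37 + 11) % 256 for i in range(48)))
    os.chmod(root / "vault.bin", 0o600)


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_storage(root)
        return audit_storage(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real device image point `audit_storage` at the pulled `/data/data/<package>/` tree; files on the external storage ("memory card" in the best-practices slide) fail the permission check by definition, since that volume is readable by every app.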

Page 15

M3 - INSUFFICIENT TRANSPORT LAYER PROTECTION

• Complete lack of encryption for transmitted data.
• Weakly encrypted data in transit.
• Strong encryption, but security warnings ignored:
  • Ignoring certificate validation errors.
  • Falling back to plaintext after failures.

Page 16

M3 - INSUFFICIENT TRANSPORT LAYER PROTECTION

Page 17

M3 - INSUFFICIENT TRANSPORT LAYER PROTECTION
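The last two M3 bullets are configuration decisions in the client, so they are easiest to show as code. The block below is an added example for this transcript, not the talk's code: it shows the "accept any certificate" context and the "retry over http" fallback next to a hardened context with a pin check and no downgrade. The pin set, the sample DER bytes and the `TransportError` class are constructed for the demo; `open_pinned` makes a real network connection and is not exercised offline.

```python
"""M3 in code: the mistakes and the fix. Added example, not the talk's code."""
import hashlib
import socket
import ssl


class TransportError(Exception):
    """Raised instead of silently degrading the connection."""


# ---- the mistakes the slide lists -------------------------------------

def insecure_context() -> ssl.SSLContext:
    """Strong cipher suites, but every certificate is accepted: a MITM on
    hotel Wi-Fi gets the session for free."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE      # any certificate, any name
    return ctx


def downgrade_on_failure(url: str, tls_failed: bool) -> str:
    """'Retry over http if https fails'. An attacker who only needs to break
    the handshake (for example with a bogus certificate) gets plaintext."""
    if tls_failed and url.startswith("https://"):
        return "http://" + url[len("https://"):]
    return url


# ---- the hardened version ---------------------------------------------

def hardened_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()   # system roots, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; be explicit
    ctx.check_hostname = True
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """What a code review should check on every context the app builds."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fail_closed(url: str, tls_failed: bool) -> str:
    """No plaintext fallback: a failed handshake is an error, not a retry."""
    if tls_failed:
        raise TransportError("TLS handshake failed; refusing to downgrade to http")
    return url


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate; this is what the pin set stores.
    Pinning the SubjectPublicKeyInfo survives re-issuance better; the
    whole-certificate hash is used here because it needs no DER parsing."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pins: set) -> bool:
    return cert_fingerprint(cert_der) in pins


def open_pinned(host: str, port: int, pins: set, timeout: float = 10.0) -> ssl.SSLSocket:
    """Full chain and hostname validation, then additionally require the
    leaf certificate to be in the pin set. Network call: not run offline."""
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise TransportError("certificate pin mismatch for %s" % host)
    return tls


# Constructed stand-in for a DER certificate so the pin logic runs offline.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
PINS = {cert_fingerprint(SAMPLE_LEAF_DER)}
```

Ship at least one backup pin with the app, or a certificate rotation on the server turns the pin check into a self-inflicted outage.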

Page 18

M4 – UNINTENDED DATA LEAKAGE

• Sensitive data ends up in unintended places:
  • Browser cookie objects, URL caching.
  • Copy/paste buffer caching, keyboard press caching.
  • Application backgrounding, logging (system and crash logs).
  • Temp directories.
  • HTML5 data storage.
  • What 3rd-party libraries are doing with user data.

Page 19

M4 – UNINTENDED DATA LEAKAGE (CONT)

Illustrations (labels only): application backgrounding; app logging.

Page 20

M4 – UNINTENDED DATA LEAKAGE (CONT)
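Of the leakage channels on slide 18, logging is the one a developer controls completely: whatever reaches the system log or a crash reporter is readable by other tools on the device. The following is an added example for this transcript, not code from the talk. It attaches a redacting filter to the app's logger so secrets are rewritten before any handler stores them; the log lines, the logger name and the redaction patterns are constructed for the demo.

```python
"""Redacting log filter for an app logger. Added example, not the talk's code."""
import logging
import re

# Constructed redaction rules; extend for the app's own secret formats.
REDACTIONS = [
    # Authorization: Bearer <token>
    (re.compile(r"(?i)(authorization\s*[:=]\s*bearer\s+)[A-Za-z0-9._~+/-]+=*"),
     r"\1[REDACTED]"),
    # Cookie: name=value (keep the header name, drop the value)
    (re.compile(r"(?i)(cookie\s*[:=]\s*)[^\s;]+"), r"\1[REDACTED]"),
    # key=value secrets in query strings and form bodies
    (re.compile(r"(?i)\b(password|passwd|pin|token|api[_-]?key)=([^&\s]+)"),
     r"\1=[REDACTED]"),
    # 16-19 digit card numbers with optional spaces/dashes: keep the last 4
    (re.compile(r"\b(?:\d[ -]?){12,15}(\d{4})\b"), r"****-\1"),
]


def redact(message: str) -> str:
    for pattern, repl in REDACTIONS:
        message = pattern.sub(repl, message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler sees it,
    so format arguments cannot smuggle a secret past the patterns."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Stand-in for logcat / a crash reporter: keeps what it received."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def make_app_logger(name: str) -> logging.Logger:
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


def demo() -> list:
    """Constructed log calls a careless app might make; returns what the
    handler actually stored."""
    logger = make_app_logger("mobileapp.demo")
    sink = ListHandler()
    logger.handlers.clear()
    logger.addHandler(sink)
    logger.propagate = False
    logger.debug("POST /login body=user=alice&password=%s&remember=1", "Summer2014!")
    logger.debug("Authorization: Bearer %s", "eyJhbGciOiJIUzI1NiJ9.e30.sig")
    logger.info("charging card %s", "4111 1111 1111 1111")
    return sink.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A filter on the logger is a safety net, not a substitute for not logging request bodies and headers in release builds; it catches the formats you anticipated and nothing else.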

Page 21

M5 – POOR AUTHORIZATION AND AUTHENTICATION

• Device authentication based on IMEI, IMSI or UUID is not sufficient.
• Impact varies widely and depends on the over-privileged functionality that can be executed:
  • Privilege escalation.
  • Unauthorized access.
  • Etc.

Page 22

M6 – BROKEN CRYPTOGRAPHY

• Two primary categories:
  • Broken implementations using strong crypto libraries.
  • Custom, easily defeated crypto implementations.
• Encoding != Encryption.
• Obfuscation != Encryption.
• Serialization != Encryption.
• Impact: privilege escalation, circumvention of business logic.

Page 23

M6 – BROKEN CRYPTOGRAPHY (CONT)

Disassembly of a BlackBerry app (net.rim.device.api): the Base64 string literal decodes to the hardcoded 3DES key.

private final byte[] com.picuploader.BizProcess.SendRequest.routine_12998
    (com.picuploader.BizProcess.SendRequest, byte[], byte[] ); {
    enter
    new_lib net.rim.device.api.crypto.TripleDESKey
    ldc literal_876:"TXlTM2NyM3RLM3k="            // Base64 -> "MyS3cr3tK3y"
    invokestatic byte[] decode( java.lang.String ) // Base 64
    invokespecial_lib java.lang.String.<init>      // pc=2
    astore 8
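The listing above is found by hand, but the pattern generalizes: any Base64 literal in a decompiled binary that decodes to printable text deserves a look. The scanner below is an added example for this transcript, not the talk's code. It runs over a listing constructed from the mnemonics on this slide (plus two made-up literals that must be rejected), recovers the key, and reports why an 11-character passphrase is a poor 3DES key regardless of how it was hidden.

```python
"""Hunt Base64-encoded secrets in a decompiled listing. Added example."""
import base64
import math
import re
import string

# A quoted string over the Base64 alphabet, at least 8 characters, optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed from the mnemonics on this slide; the last two ldc lines are
# made-up negatives (a URL, and a literal that decodes to non-text bytes).
SAMPLE_LISTING = '''
private final byte[] com.picuploader.BizProcess.SendRequest.routine_12998
    (com.picuploader.BizProcess.SendRequest, byte[], byte[] ); {
    enter
    new_lib net.rim.device.api.crypto.TripleDESKey
    ldc literal_876:"TXlTM2NyM3RLM3k="
    invokestatic byte[] decode( java.lang.String )
    invokespecial_lib java.lang.String.<init>
    astore 8
    ldc literal_877:"https://api.example.invalid/upload"
    ldc literal_878:"AAAAAAAAAAA="
'''


def try_decode_base64(token: str):
    """Return the decoded text if the literal is valid Base64 that decodes
    to printable ASCII, else None. validate=True rejects near-misses."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def find_encoded_secrets(listing: str) -> list:
    """Return (literal, decoded) pairs for every Base64 constant that
    decodes to text. Encoding is reversible by anyone with the binary."""
    found = []
    for m in B64_LITERAL.finditer(listing):
        decoded = try_decode_base64(m.group(1))
        if decoded is not None:
            found.append((m.group(1), decoded))
    return found


def describe_key(key: bytes) -> dict:
    """Sanity checks on a recovered key: is it even a legal 3DES key length
    (16 or 24 bytes), and how much entropy can an ASCII passphrase of that
    length carry at most (log2(95) bits per printable character)?"""
    printable = all(32 <= b < 127 for b in key)
    return {
        "length": len(key),
        "valid_for_3des": len(key) in (16, 24),
        "looks_like_passphrase": printable,
        "max_entropy_bits": round(len(key) * math.log2(95)) if printable else len(key) * 8,
    }


if __name__ == "__main__":
    for literal, decoded in find_encoded_secrets(SAMPLE_LISTING):
        print(literal, "->", decoded, describe_key(decoded.encode()))
```

The fix is not a better hiding place for the literal: a key the app needs to run will always be recoverable from the app. Keys that must stay secret belong on the server, or are generated per device and kept in the platform keystore.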

Page 24

M7 – CLIENT SIDE INJECTION

• Apps using browser libraries:
  • Pure web apps.
  • Hybrid web/native apps.
• Some familiar faces:
  • XSS and HTML injection.
  • SQL injection.
• New and exciting twists:
  • Abusing the phone dialer and SMS.
  • Abusing in-app payments.

Page 25

M7 – CLIENT SIDE INJECTION (CONT)

• I'm vulnerable to XSS, and you? Hmm, not my mistake...

Page 26

M7 – PROOF OF CONCEPT

• Mobile Trojan??

Quoted news item: "4 Vietnamese Men Suspected of Installing SMS Trojans on 100,000 Phones Arrested"

  Once installed on smartphones, the apps sent out SMS messages to premium rate numbers. For each message that was sent, the device's owner was charged 15,000 Vietnam Dong ($0.70 / €0.51).

  The suspects are said to have used websites like soundfest.com.vn and clickdi.com to distribute malicious mobile applications.

Source: http://blog.hicubes.com/2014/05/4-vietnamese-men-suspected-of-installing-sms-trojans-on-100000-phones-arrested.html

Page 27

M7 – PROOF OF CONCEPT

• Video.

Page 28

M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS

• Can be leveraged to bypass permissions and security models.
• Similar but different depending on platform:
  • iOS - abusing URL schemes.
  • Android - abusing Intents.
• Several attack vectors:
  • Malicious apps.
  • Client-side injection.

Page 29

M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS (CONT)

• Example: Skype iOS URL scheme handling issue (flow from the slide):
  • HTML or script injection via the app.
  • Attacker embeds an iframe: <iframe src="skype:123456?call"></iframe>
  • The Skype app handles this URL scheme.
  • A phone call is initiated without user consent.
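Two apps are at fault in the flow above: the one whose web view followed an injected `skype:` URL (the M7 "abusing the dialer" twist) and the one that dialed on receipt without asking (M8). The block below is an added example for this transcript, not code from the talk or from Skype. It gives the hybrid app a navigation policy for its web view and gives the receiving app a parser that treats the scheme's parameters as untrusted input; the host allow-list, the scheme sets and the target format rules are constructed for the demo.

```python
"""URL-scheme gate for a hybrid app's web view and for a scheme handler.
Added example, not the talk's code."""
import re
from urllib.parse import urlsplit

# Constructed allow-list for the hybrid app's own web content.
ALLOWED_WEB_HOSTS = {"app.example.invalid", "cdn.example.invalid"}
# Schemes that make the device do something (dial, text, open another app):
# never follow them from page content without the user's explicit consent.
CONSENT_SCHEMES = {"tel", "sms", "smsto", "mailto", "skype", "intent", "market"}
# Schemes that must never be reachable from web content inside the app.
BLOCKED_SCHEMES = {"javascript", "vbscript", "data", "file", "content"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.S)
PHONE_RE = re.compile(r"^\+?[0-9]{3,15}$")   # constructed: digits, optional '+'


def normalize_url(url: str) -> str:
    """Drop control characters (tab/newline tricks such as 'java\\nscript:')
    and surrounding whitespace before any decision is made."""
    cleaned = "".join(ch for ch in url if ord(ch) >= 0x20 and ord(ch) != 0x7F)
    return cleaned.strip()


def split_scheme(url: str):
    """Explicit scheme parsing; avoids urlsplit quirks with digit-only paths."""
    m = SCHEME_RE.match(url)
    if not m:
        return "", url
    return m.group(1).lower(), m.group(2)


def decide(url: str, user_confirmed: bool = False) -> tuple:
    """Navigation policy for the web view: ('allow' | 'ask' | 'deny', reason)."""
    clean = normalize_url(url)
    scheme, _rest = split_scheme(clean)
    if not scheme:
        return ("deny", "no scheme (relative or malformed URL)")
    if scheme in BLOCKED_SCHEMES:
        return ("deny", "scheme %s is never allowed from content" % scheme)
    if scheme == "http":
        return ("deny", "cleartext http")
    if scheme == "https":
        try:
            host = (urlsplit(clean).hostname or "").lower()
        except ValueError:
            return ("deny", "malformed authority")
        if host in ALLOWED_WEB_HOSTS:
            return ("allow", "https to allow-listed host")
        return ("deny", "host %r not allow-listed" % host)
    if scheme in CONSENT_SCHEMES:
        if user_confirmed:
            return ("allow", "side-effect scheme confirmed by user")
        return ("ask", "scheme %s needs user confirmation" % scheme)
    return ("deny", "unknown scheme %s" % scheme)


def parse_call_request(url: str) -> dict:
    """Receiving side of the slide's flow: an app registered for skype: must
    validate the target, and a call must wait for the user's confirmation."""
    scheme, rest = split_scheme(normalize_url(url))
    if scheme != "skype":
        raise ValueError("not a skype: URL")
    target, _, query = rest.partition("?")
    if not PHONE_RE.match(target):
        raise ValueError("target is not a phone number")
    action = "call" if query.split("&", 1)[0] == "call" else "chat"
    return {"target": target, "action": action,
            "requires_user_confirmation": action == "call"}


if __name__ == "__main__":
    for u in ["https://app.example.invalid/home", "skype:123456?call",
              "JaVaScRiPt:alert(1)", "sms:+8490000000?body=hi"]:
        print(u, "->", decide(u))
```

Hook `decide` into the web view's navigation callback (`shouldOverrideUrlLoading` on Android, the `UIWebView`/`WKWebView` navigation delegate on iOS) so that injected markup can at most trigger a prompt, never a silent call or text.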

Page 30

M9 – IMPROPER SESSION HANDLING

• Mobile app sessions are generally MUCH longer.
• Apps maintain sessions via:
  • HTTP cookies
  • OAuth tokens
  • SSO authentication services
• Bad idea: using a device identifier as a session token.
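Slides 21 and 30 make the same point from two sides: an IMEI, IMSI or UUID is not a secret, never changes and cannot be revoked, so it is neither an authenticator nor a session token. The server-side store below is an added example for this transcript, not the talk's code. It shows what the device-ID shortcut gives up: random tokens from the OS CSPRNG, idle and absolute expiry (the long-lived mobile session still has a ceiling), revocation per session and per user, and storage of only an HMAC of the token. The timeouts, the server secret and the clock values are constructed for the demo.

```python
"""Server-side sessions for a mobile API. Added example, not the talk's code."""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60           # constructed: 30 minutes without a request
ABSOLUTE_TIMEOUT = 12 * 3600     # constructed: re-authenticate at least every 12 h


class SessionStore:
    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # HMAC(token) -> {"user", "created", "last_seen"}

    def _key(self, token: str) -> str:
        # Store only an HMAC of the token: a dump of this table does not
        # yield live sessions, and lookups are keyed on a value the
        # attacker cannot compute without the server secret.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id: str) -> str:
        """Mint a fresh 256-bit random token; the client stores it and
        sends it back on each request. Nothing about the device is in it."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str):
        """Return the user for a live token, or None. Expired sessions are
        dropped on the spot; a live one has its idle timer refreshed."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token: str) -> bool:
        """Logout. Impossible with a device identifier as the token."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_all(self, user_id: str) -> int:
        """Lost or stolen device: kill every session the user has."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo() -> dict:
    """Walk through the lifecycle with a controllable clock (constructed epoch)."""
    clock = [1_400_000_000.0]
    store = SessionStore(b"constructed-server-secret", clock=lambda: clock[0])
    result = {}
    t1 = store.create("alice")
    result["token_len"] = len(t1)
    result["fresh"] = store.resolve(t1)
    clock[0] += IDLE_TIMEOUT + 1
    result["after_idle"] = store.resolve(t1)       # idle timeout hit
    t2 = store.create("alice")
    clock[0] += 10
    result["second"] = store.resolve(t2)
    result["revoked"] = store.revoke_all("alice")  # only t2 was still live
    result["after_revoke"] = store.resolve(t2)
    result["bogus"] = store.resolve("not-a-token")
    return result


if __name__ == "__main__":
    print(demo())
```

Whatever the store looks like, the token must be the only thing the server trusts; the IMEI or UUID may be logged for fraud analytics, but it must never be the value that `resolve` keys on.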

Page 31

M10 – LACK OF BINARY PROTECTIONS

• Almost every app is deployed without binary protections.
• The app can be analyzed, reverse-engineered and modified by an attacker.
• An attacker can modify and repackage the binary and insert malware into it.
• Security controls can be bypassed by patching the binary.
• Etc.

Page 32

BEST PRACTICES

• Do not hardcode sensitive information.
• Do not store sensitive information locally.
• Don't store data in easily readable locations such as the memory card.
• Encrypt the stored data.
• Implement SSL/TLS, and validate the server certificate.

Page 33

BEST PRACTICES

• Protect the web server against application-layer attacks.
• Sanitize inputs and use prepared statements (protection against client-side injection).
• Implement proper authentication. Do not use the UDID or other hardware IDs for auth.
• Prefer encryption over encoding or obfuscation.

Page 34

Page 35

THANKS FOR LISTENING

Have a good day!