InfoSec World 2014 Security Imperatives for IOS and Android

Security Imperatives
for iOS and Android
Session #A5
8, April 2014
8:30am
Clinton Mugge and Gary Bahadur
Symosis Security

Copyright 2014 RBS Citizens
Distributed by MIS Training Institute with permission of owner.
All rights reserved. Printed in the United States of America. No part of this publication may be reproduced,
photocopied, stored in a retrieval system, or transmitted by electronic, mechanical or any other means
without the prior written permission of MIS Training Institute and the respective owner of the copyright.
Trademarked product and company names mentioned in this publication are the property of their respective owners.
ISW14040714

MIS Training Institute Session A5 - Slide 3
© Symosis Security
Who are we?
 Clinton Mugge
 Application and Network Security Providers
 20 Years in Info Sec – Security Assessments, Penetration Testing,
Compliance & Training, Investigations, Incident Response
 Free Mobile App Security / Training Evaluations
 Gary Bahadur
 20 Years in Info Sec – Compliance & Training, Security Assessments,
Risk Assessments
 Author of “Securing the Clicks” Network Security in the Age of
Social Media
 Free Risk Assessment Software “Razient”

© Symosis Security
Agenda
Introduction
iOS / Android Apps Top Risks
Countermeasures

© Symosis Security
Audience Poll
• What mobile OS do you mostly
use?
• How many of you are involved
with mobile security, privacy,
audits?
• Any mobile developers /
architects?
• Does your employer have
mobile presence?

© Symosis Security
There is an App for that!

© Symosis Security
What do Attackers Want?
 Credentials - To your
device, To external
services (email, banking,
etc)
 Access to your device
 Use your device
(botnets, spamming),
Steal trade secrets or
other sensitive data
 Personal Data - Full Name,
SINSSN, address book
data, location data
 Cardholder Data - Card
Numbers, Expiration, CVV
 Health Data - Prescription
information, medical
records, procedure
summary
 Corporate Data - IP, Design
Docs

© Symosis Security
Security and Privacy Concerns
 Side Channel Data Leakage
 Insufficient Transport Layer Protection
 Weak Server Side Controls
 Insecure Data Storage
 Client Side Injection
 Poor Authorization and Authentication
 Improper Session Handling
 Security Decisions Via Untrusted Inputs
 Broken Cryptography
 Sensitive Information Disclosure
 Hardcoded password/keys
 Privacy compliance
 Identity exposure
 Activity monitoring and data retrieval
 Unauthorized dialing, SMS, and payments
 Unauthorized network connectivity (data
exfiltration or command & control)
 UI (unique identifier) impersonation
 System modification (rootkit, APN proxy
configuration)
 Mobile Malware
 Criminals Target and Infect App Stores
 Social-Engineering
 Geolocation compromise
 Security Regulatory Compliance
 Device Risk
 Application management
 Installation of un-verified / unsigned 3rd
party apps

© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures

© Symosis Security
1. Side Channel Data Leakage
Data leakage via platform defaults, use of third party
libraries, logging, etc
 Property List Files
 SnapShot (ie- iOS Backgrounding)
 iOS logs
Sometimes result of programmatic flaws

© Symosis Security
Demo 1: Snapshot File
Tools: iExplore, Reflection
Device: iPhone 5, IOS 6 latest version, iPhone 4, IOS 5
Snapshot –
 TaxAct Mobile
 TaxSlayer

© Symosis Security
TaxAct Mobile Security Hole
Snapshot

© Symosis Security
TaxSlayer Mobile Security Hole
Snapshot

© Symosis Security
TaxAct Response

© Symosis Security
LinkedIn Plist identity theft

© Symosis Security
Agenda
Introduction
Mobile Apps Top 3 Risks
4. Privacy
Countermeasures

© Symosis Security
2. Insecure Transport/Server Controls
Failing to encrypt sensitive
network traffic consisting of
sensitive data
Insecure server controls - web,
application and backend API - can
lead to security compromise

© Symosis Security
Demo 2: Insecure Transport
Tools: MITM Proxy, Reflection, Flixster
Insecure Transport – User ID, Movies Browsing, Home
Area, Purchase Intent

© Symosis Security
Credentials sent over HTTP iOS App

© Symosis Security
Unencrypted Cookies over HTTP
Instagram iOS App

© Symosis Security
TOC
Mobile Platform Risks
4. Privacy
Countermeasures

© Symosis Security
Locally stored data both on native and browser based
apps that includes
 SQLite
 Sensitive Files
 Cache Files

© Symosis Security
Demo 3: local files
Tools: iExplore, Reflection
SQLite files – Runtastic, TaxSlayer, TaxAct, JacksonHewitt
Flat Files – Jackson Hewitt
Jackson Hewitt #JacksonHewitt /TaxSlayer #TaxSlayer
Tools: iExplorer

© Symosis Security
Cached Credentials and tax data in the clear

© Symosis Security
JacksonHewitt Tax Documents in the Clear

© Symosis Security
JacksonHewitt Responses

© Symosis Security
Privacy Threat & Impact
 UDID, Mac Address, Device ID
 Location Training
 Usage Tracking - Google, Flurry, Mobclix
 Contacts Access & Sharing
 Shares / Uploads Phone Number
 3rd Party Connections – Facebook, twitter

© Symosis Security
Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
1. Disable side channel data leakage
2. Use HTTPS and secure IOS Safe methods
3. Insecure Data storage
4. Privacy

© Symosis Security
Side Channel Data Leakage
Start by identifying all potential side channel data which
includes
 Plist files – Ensure no sensitive data is written
 Disable Snapshots
 Disable System / keystroke logs
 Disable Web caches
 Disable Cut-and-paste buffers
 Clean up Core Data
Do not store sensitive data (e.g., credentials, tokens, PII) in
property list files. Use iOS Keychain

© Symosis Security
Encrypt Sensitive Data
Data Protection API - set the NSFileProtectionKey on an
existing file
Keychain – Sensitive data like passwords and keys should be
stored in the Keychain and not in insecure locations like plist
files
CCCrypt & javax.crypto.* package for Android - provides access
to AES, DES, 3DES
SQLCipher (IOS & Android) - transparent 256-
bit AES encryption of database files

© Symosis Security
Strategic Recommendations
 Establish common set of security requirements. Perform
periodic security scans and audits
 Invest in security education for all stakeholders
 Perform server side data validation and canonicalization
 Define and deploy secure configuration
 Do not log credentials, PII and other sensitive data
 Design and implement all apps under the assumption
that the user’s device will be lost or stolen
 Review all third party libraries before use

PLEASE
REMEMBER TO FILL OUT THE
SESSION EVALUATIONS.
THANK YOU!

InfoSec World 2014 Security Imperatives for IOS and Android

More Related Content

What's hot (18)

Viewers also liked (7)

Similar to InfoSec World 2014 Security Imperatives for IOS and Android (20)

Recently uploaded (20)

InfoSec World 2014 Security Imperatives for IOS and Android