Securing your Mobile Applications

Karson Chan
Security Consultant

NTT Com Security

Threat can come from anywhere thats why we are everywhere
Our knowledge is your security

8,000+

20+
years
experience

Customers

1,000+
Staff

Risk and
Information
Security focus

Consulting,
managed and
technology
services

NTT Com Security

Offices across

Europe
America &
Asia-Pacific
Two decades of
deep technology
partnerships

Global
reach/local
engagement
Investing
for the
long term

Public-Approvedv05

Our Information Security Risk Service Offering

Governance, Risk Management and Compliance
Information Risk Management

Compliance and Governance

Business Continuity/ Disaster Recovery

Risk Insight (Risk Assessment)

Security Standards (ISO/IEC 27001/Cobit5)

Security Strategy/Policy

Security Control Framework / Standard /

Guidelines

Industry Best Practices (NIST, ISF, SANS,

CIS, OGCIO, AUS DOD, PII)

Business Continuity Plan

Development/Testing

Regulatory Standards (HKMA, SFC, MAS,

FISC, PDPO)

Disaster Recovery Plan

Development/Testing

Incident Response Plan

Development/Testing

Information Classification

Data Protection Assessment and Planning

Identity Management

PCI QSA Assessment and Compliance

Security Consulting Assessment Services

Security Assessment

Incident Response

Security Awareness/Training

PCI ASV Scan

Social Engineering

Gap Analysis / Security Audit

Incident Response

Penetration Testing Web Application,

Mobile Application, Wireless

Security Incident Drill Test

Source Code Review

Cloud Security Assessment

Security Awareness Training for General

Users and IT Users

Incident Response Training

Product and Technical Skill Transfer such

as Penetration Testing

Phishing Email Awareness

Security Implementation Services

Security Technology Integration Service

Quality Assurance

Project Management

Staging

Security Architecture Review

Infrastructure Change Management

Commissioning Support

Firewall Policy Review

Project Resourcing

Installation and Configuration Review

Technology Assessment

Upgrade

SIEM Rationalization

Emerging Technology Assessment

Security Operations
Managed Security Services

Device Management

Security
Analysis
NTT Com
Security

Security Enrichment advisory and remediation

Security Operating Center

Security Monitoring and Notification

Security Incident Management

Security Management Lifecycle

Agenda

1. What is Offensive Security

2. Recent Security Breaches
3. Application Security: Latest Trends
4. Mobile Application Threat Model
5. Mobile Application Attack Surface
6. Coffee Break
7. Demo
8. Q&A

NTT Com Security

Offensive Security
What is it?
Its largely proactive
To defend against ever changing threats, it helps to be able to think like the bad
guys do
Its not a replacement for reactive and defensive security. It complements them
You have already put defenses in place. How would they fare against a real attack?
Provides an indication of how secure you really are
Black Box, White Box, and hybrid penetration testing

People

Process

Technology

Offensive Security Testing

NTT Com Security

Offensive Security
The Approach

Penetration Testing

Web Application Assessment

Mobile App Assessment

Wireless (802.11)

Anything with in IP

Code Review

Threat Modeling

Code Analysis

Secure Coding Workshop

NTT Com Security

Automatic assessment
Reveals isolated
vulnerabilities
No human intelligence
Fast and efficient to identify
most of vulnerabilities
Not able to address logic
flaw
Vulnerabilities are possible
false positive

NTT Com Security

Penetration Test

Vulnerability Assessment

The Different between Vulnerability Assessment and

Penetration Test
Manual assessment
Human intelligence
Able to address logic flaw
Identifies what data was
actually compromised
Show how damaging a flaw
could be in a real attack
rather than find every flaw in
a system

Single Vector
Only identify
vulnerabilities for single
vector

Scenario Based

Traditional Testing

Penetration Testing

Testing multiple
disciplines
simultaneously
Shows potential
breaches through
combined
vulnerabilities

Simulate an APT threat in order to test if your APT defense is effective

NTT Com Security

Multiple Vectors
Network
Hacking

Web
Applications

Wireless

Mobile
Devices
Malicious USB

Email
Phishing

Physical Infiltration
NTT Com Security

Social Engineering

Web Application Security

Information Security Strategy
Risk Analysis, PCI DSS, Compliance

Governance

Standards &
Fundamentals
Guidelines and
Procedures Checklists
Concepts & Processes
Topology /
Infrastructure
Hardening /
Patch Management

Standards,
Guidelines and
Tools

Secure Application
Development

Software security
specifications
Secure Design
Secure coding
training
Coding guidelines
Tool based code
analysis

Secure Development
Life Cycle

Advanced-Security

Whitelist / Blacklist
Proxy
DOS Protection
Web Application
Firewall
SSL Termination/
Offload
XML/SOAP-Firewall
Authentication/SSO

Application Protection
Tools

Management

Security Management,
Operation and Services

VA, Code Review, Technical Audit & Pen Tests

NTT Com Security

Operating
Maintaining
Administration
Incident-Handling
Managed Services

Application Security:
Disruption from operation to business loss

Old Days -> Bugs, impact to business

operation and within company

Nowadays -> Cybercrime, business

and brand damage

NTT Com Security

11

Major Security Breaches

1. Home Depot (Sept 2014)
Criminals used unique, custom-built malware to steal
credit card numbers from Home Depots point-of-sale
systems, may have affected 56 million credit and debit
cards in Canada and the U.S.

2. Celebrity Photo Leakage (Aug 2014)

a collection of almost 200 private pictures of various
celebrities leaked

3. eBay (May 2014)

Possibly 112 million customers password has been stolen

NTT Com Security

12

Major Security Breaches - Mobile Application

1. Fake Flappy Bird App Planted by Hackers to Steal Photos
from Device

2. Instagrams Android users risk having their accounts hijacked

According to Gartner, over the next year and through the end of
2015, more than three-quarters of mobile apps will fail "basic
security tests.

NTT Com Security

13

Breaches Statictics

NTT Com Security

14
Source: Verizon DBIR 2013

Attack Methods

Source: Verizon DBIR 2013

NTT Com Security

15

Application Security:
Latest Trends
1. Single Vector to Multiple Vectors Attack

2. Mobile App Security

NTT Com Security

16

Latest Trend 1: A Multiple Vector Attack

An attacker will usually try the external vectors first (web applications,
network infrastructure) but may not be successful
If they are determined enough, then a multi-vector attack would come next

Target Company

NTT Com Security

17

A Multiple Vector Attack

Analysis of the Attack
In the previous example, the attacker combined 3 different attack vectors
together:

Web
Applications

Email
Phishing

Social Engineering

This is a real-world example, it happens more than you would think

Difficult to spot: Yes.
All it takes is one user to fall for it
Once reported and handled by incident response teams, the attacker may
already be connected to the VPN and carried out his deeds

NTT Com Security

18

Latest Trend 2: Mobile App Security

NTT Com Security

19

Mobile Applications - How many do you have?

With the ubiquitous usage of smart phones and PDAs the Web Application market has
exploded
What started primarily as games and productivity aids have developed into business and
corporate tools
> Evolving from static content to highly interactive user interfaces exchanging data and
information of all types
> The line between the personal world and the business world is almost non-existent
A lack of development standards, frameworks, and language have inadvertently opened
up a vast, new targeted threat landscape
These threats, and how to deal with them, represent one of todays single largest
information Security risks

NTT Com Security

Some Interesting Statistics

Android holds the current market share (around 84.7%)

There are other players:
> Apple 11.7%
> Windows 2.5%
> BlackBerry 0.5%
> Other 0.7%

73% of organizations have been hacked at least once in the past two
years through insecure web applications
On average, every web application has an average of 12 vulnerabilities

NTT Com Security

Differences with Web and Mobile Applications

A large number of web application security vulnerabilities are generally
associated with a lack of input validation (SQL Injection, XSS, Open Redirects,
Remote File Includes, etc)
With web applications, attackers generally attack from a pure black-box
methodology.
In general, greater skill and knowledge around reverse engineering is required
for assessing and attacking mobile applications because the code is already in
the hands of the attackers

NTT Com Security

22

Mobile Application Threat Model

Mobile Application

Android Vulnerabilities

Malicious Applications

Jailbreak / Rooting

File System

3rd Party
Libraries

Malicious
User

Web
Services

Mobile Phone

NTT Com Security

23

Mobile Application Attack Surfaces

The Application and Code
> Identification and manipulation of client side logic

Permissions
> Are application components sufficiently protected

Data-in-Transit
> Is the data protected as its sent to the server

Data-at-Rest
> Is the data stored on the device secured

The Server
> Does the server validate data from the mobile application

NTT Com Security

The Application and Code

Both Android and iOS applications can be extracted from the phone in
their binary format
> Android: Java compiled to DEX VM bytecode
> iOS: Obj-C compiled to ARM binaries

A mixture of techniques is then used to decompose the application:

> Analysis of the AndroidManifest.xml File
> Static Analysis
> File System Analysis
> Dynamic Analysis
> Reverse Engineering

NTT Com Security

The Application and Code

Its in the attackers hands

Compilation and de-obfuscation introduce a degree of difficulty for an attacker

attempting to retrieve the code in its original form, however its possible for
the determined and capable hacker
Dynamic analysis allows for an application to be extracted from a mobile device
and executed within an emulator
Execution within an emulator can highlight exactly what API calls are being
executed, and which files on the underlying file system are being accessed

NTT Com Security

The Application and Code

Getting back to the Source Code (Android)

classes.dex contains the Java bytecode in Dalvik compatible form

Continue to decompile it back into Java source code

NTT Com Security

The Application and Code

Getting back to the Source Code (Android)

NTT Com Security

The Application and Code

Getting back to the Source Code (Android)
Other applications havent been obfuscated at the compilation stage
The source code in this case is very close to the original

NTT Com Security

The Application and Code

Getting back to the Source Code (Android)
Developers who dont obfuscate their code prior to release are helping
the bad guys out
Simply by reading through the source code you can determine:
> How the application communicates to the server
> The types of requests sent to remote servers and their format
> If the application interacts with other components on the phone
> If the application is writing files to the underlying operating system
> Cryptographic Functions
> Third party libraries in use

All this helps in identifying potential attack surfaces of the application

One of the best ways to attack a client-server application is to write
your own client to communicate to the server

NTT Com Security

The Application and Code

Getting back to the Source Code (Android)
The RequestAuthorization class shows exactly how the authentication token is
created (along with the secret key)

NTT Com Security

The Mobile Application

Logical Flaws
We looked at a popular game which requires purchases of gold to
progress further it could probably get quite expensive
Upon decompiling the application and navigating through the obfuscated
code, we were drawn to this call to a file on the device itself:
The gold value is stored in this preferences file on the device

A simple edit and youre a millionaire within the game

> We had

gold but now we have

The server doesnt keep track of this value!

> Not stored on the server
> Not validates

NTT Com Security

The Mobile Application

Logical Flaws
Mobile application research, shows that developers are implementing
business logic into their applications
Developers are often under the impression that if their code is
obfuscated, it cannot be decompiled
> Thus they decide to implement logic into the applications which should be
done on the server side

An application that hasnt been obfuscated means that logic flaws can
usually be identified quickly!

NTT Com Security

Permissions

Mobile applications are installed with different privilege levels

A users mobile device will usually have applications from unknown
developers alongside applications they trust for everyday tasks
> For example, their mobile banking application and free games

Under the Android security model every application runs in its own
process and using a low-privileged user ID
Applications can only access their own files by default
With this isolation in place, applications are able to communicate via
different components
These communications between components are a critical area of
focus for assessing the security of a mobile application

NTT Com Security

Permissions
Android Applications are typically made up of multiple components:
>
>
>
>

Activities
Services
Content Providers
Broadcast Receivers

Permissions are granted to each component for as long as the application is

installed on the device
If these components are not properly secured, malicious or other rogue
programs can interact with them
Most applications that we have looked at recently do not have well
defined permissions
NTT Com Security

Permissions
What did we find?
Poorly protected components for a number of well known and popular
applications
> Poorly protected activities (GUI screens) can be launched instead of the intended Activity
> Exported Activities can be launched by other applications (think CSRF for mobile
applications)
> Broadcast messages vulnerable to eavesdropping or DoS (Denial of Service)

Our evaluation showed that most Android applications do not adequately

place permissions around their components
Some applications were found to contain the debug flag. Even though
this is removed by default within the Eclipse ID, it still managed to end up
in the production application!

NTT Com Security

Permissions

android:debuggable=true
If you find the above line in the AndroidManifest.xml file, the application
is debuggable and it can be exploited.

NTT Com Security

Data-In-Transit

Most applications will at some point communicate with a server endpoint

Confidentiality and strong authentication is a must
Authentication:
> Verify the entity that the application is communicating with

Confidentiality:
> Prevent snooping
> Man-in-the-middle attacks

NTT Com Security

Data-At-Rest

One of the largest challenges with mobile applications is how they secure
data on the device
Many popular applications use SQLite database files which are not
adequately protected
If the device is lost or stolen, it would be trivial for an attacker to pull these
databases and view the records
On both Android, and iOS its fairly easy to get root access and access
application data and configuration files
> These files contain usernames, passwords, encryption keys, and other sensitive
account information
NTT Com Security

The Server
History Repeats Itself
Through our analysis of popular mobile applications, we continued to find old web
application vulnerabilities:
> Username Enumeration
> SQL Injection
> Broken session management
> Information Disclosure

Does the server perform strong validation on these requests

Does the server allow the client to make logic decisions (this should be a big NONO, but happens all the time)
Does the server validate the mobile application
> A common tactic is to reverse engineer the mobile application and write a rogue client
that communicates with the server
> Are clients validated
NTT Com Security

The Server
Harvesting User Information
The mobile application communicates to the server over HTTPS (good) and using JSON
requests. It looks something like this:

The server would then respond to this request, with the users account information

What happens if we change the username parameter ?

NTT Com Security

The Server
Harvesting User Information
The server responds with the user information for that user
This isnt good. Theres obviously an authentication problem here
HTTP Request

HTTP Response

NTT Com Security

The Server
Harvesting User Information
This is a serious vulnerability but unfortunately it happens quite a lot
All an attacker needs to have is a valid username and by exploiting the
vulnerability, he is able to obtain:
> The users mobile phone number
> The users email address
Through social engineering he may further his attacks against the user
He could also write a script to enumerate valid users within the system and
obtain their information
This application has been downloaded millions of times!

NTT Com Security

BREAK

DEMO

Summary
> The threat surface of mobile applications differs significantly from that of web
applications
> Web application security has improved, but 5 year old vulnerabilities are still
common
> Development of mobile application development guidelines and assessment
capabilities are needed
> The risk of liability to corporations
> Organizations should have a framework for regular assessment and a solution for
assuring the security of applications

NTT Com Security

46

A Holistic Approach to Application Security

The ideal way to ensure your applications are secure
Design Stage
Threat Identify Attack Surfaces
Modeling Counter-measures
Writing Secure Code

Secure
Coding Tailored to development frameworks
Workshop

Combination of dynamic and static analysis

Assess the code
Code
Analysis Identify vulnerabilities and potential logical issues

NTT Com Security

Vulnerability
Assessment

Catch the low hanging fruit

Bi-Yearly / Quarterly
Manual Verification

Penetration
Testing

Attacks directed at the application

Enumerate attack surfaces
Attack each layer of the application architecture
47

Questions?

Thank You