Application Security
2014-2015
Intro
How is Mobile Application Security Different Than Web and Desktop Applications?
Takeaways
Intro
The mobile application industry is growing at an explosive pace, yet security issues of
mobile applications are lagging behind.
As hacking incidents become more public and the impact on businesses increases,
the evolution of mobile application hacking becomes more rapid both in numbers
and in techniques.
During 2014-15, Appsec Labs tested hundreds of mobile applications, of all types
including banking, utilities, retail, gaming and even security oriented applications.
This document addresses the findings of the research and summarizes concerns and
the approaches required to improve the state of mobile app security.
How is Mobile Application Security Different Than Web and Desktop Applications?
Mobile malware can steal personal information, send SMS messages on your behalf, access private photos
and post in your name. These are only a few examples of the risks that malicious apps can expose your
mobile device to.
Keeping data secure requires addressing issues like encryption/ decryption, authentication,
authorization and securing communication with the server side.
Unfortunately this research has proven to us that there is a long way to go.
After less than 7 years, statistics show that the iOS platform (including tablets) offers users a
staggering 1.4 million different applications.
Apple reported in June 2014 that downloads have crossed the 75 billion mark!
Android applications, which got off to a later start, have caught up in the race and present similar
figures both in number of apps and in download figures.
The bottom line is that the explosion of the mobile application industry in the last 7 years has
created a whole new battlefield in the race between hackers and security experts.
But the most important players in the game, the developers, are way behind.
Research Results and Targets
The following list consists of the high level goals of this research.
> Are mobile applications secure?
> How severe are the security issues in mobile applications?
> What are the main issues mobile app developers should be aware of?
> Are iOS applications more secure than Android applications?
> How can the development community take action in order to improve application core security?
Critical
A security vulnerability that exposes a major security risk with a direct exploit (not needing user
involvement). If exploited, the security threat might cause major damage to the application and/or
have major impact on the company. The likelihood of such an attack occurring is high, considering
the architecture/business-logic/complexity of the exploit.
High
The weakness identified has the potential to directly compromise the confidentiality, integrity
and/or availability of the system or data, but the likelihood to occur is not high, considering the
architecture/business-logic/complexity of the exploit. The possible damage to the application or the
company is high, but not a total disaster.
In applications involving sensitive data, the risk might be considered high in case the weakness by
itself is against common regulations (e.g. PCI).
Medium
A medium security issue that has some effect on, or causes some damage to, the application. Often it cannot be
exploited directly, but it can assist an attacker in launching further attacks.
Low
No direct threat exists. It is more a risk than a threat and does not cause damage
by itself. The vulnerability may be combined with other vulnerabilities in order to launch further
attacks.
The risk reveals technical information which might assist an attacker in launching future attacks.
The severity types presented above serve as indicators to the application owner of how
acute the reported issues are, and accordingly help decide what measures (if any at all) should be taken in
order to mitigate them.
< 7 Deadly App Development Sins />
Results of this research are based on pen tests run over a period of more than a year across
hundreds of different applications and application categories.
Naturally the results have to be distilled to provide useful information. This research
concentrates on the top 7 risks which were classified by Appsec Labs as the most critical security
issues across all applications.
1> Authentication / Authorization - All security issues that result in performing actions or
accessing data without sufficient permissions (e.g. bypassing a security PIN code).
2> Availability - Issues resulting in denial of service of the application, or part of it (e.g.
crashing the application).
3> Configuration Management - Issues that stem from the application's configuration; these vary from
application to application.
4> Weak Cryptography - Breaches related to insecure protection of data by means of
cryptography.
5> Information Disclosure - Technical information exposed to the client (e.g.
application logs).
6> Input Validation Handling - Results of mishandling data received from the user.
7> Personal / Sensitive Information Leakage - Any exposure of personal data or other sensitive
data to the client (secret documents, credit card numbers, etc.).
Mobile Application Security State
The results found during this research are no less than alarming. The average number of
vulnerabilities per application, based on analysis of hundreds of applications of all types, stands at
9.041 vulnerabilities per application. This number covers all severity levels.
[Chart: Result by Severity. Slices: Critical, High, Medium, Low; values shown: 13%, 28%, 25%, 34%.]
[Chart: Result by Vulnerability Type. Slices: Authentication/Authorization, Availability, Configuration Management, Cryptography Weaknesses, Information Disclosure, Input Validation Handling, Personal/Sensitive Information; values shown: 7%, 23%, 16%, 8%, 27%, 14%, 5%.]
In order to get a clear breakdown per vulnerability type, each vulnerability category was broken
down by the severity classification of all its reported instances.
This analysis enables us to determine which vulnerability categories are more likely to be of high
< Authentication / Authorization />
[Chart: Authentication/Authorization findings by severity (Critical, High, Medium, Low).]
64% of all findings in this category pose a major threat to application owners and users.
< Information Disclosure />
Any unwanted technical information exposed to the client (e.g. application logs).
[Chart: Information Disclosure findings by severity (Critical, High, Medium, Low).]
< Input Validation Handling />
Input validation handling is a major topic which organizations should not overlook.
[Chart: Input Validation Handling findings by severity (Critical, High, Medium, Low).]
The research results clearly indicate that Authentication and Authorization, Availability and
input validation handling require special attention. This section briefly summarizes mitigation
directives recommended to address these vulnerability types.
Availability
a> Perform input validation on all received intents and ignore badly formatted intents.
b> Catch all exceptions, so that an unhandled system exception cannot be used to cause a denial of service.
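The two availability directives applied to an Android component, as an added example that is not part of the report. The receiver class, its action name, the extra keys and the handleTransfer hook are assumed; the validation and the catch-all are the point.

```java
// Added example (not from the report): an exported BroadcastReceiver that validates
// every intent field before use and never lets a malformed intent crash the process.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class TransferReceiver extends BroadcastReceiver {
    private static final String TAG = "TransferReceiver";
    // Hypothetical action and extras this receiver accepts (assumed names).
    static final String ACTION_TRANSFER = "com.example.app.action.TRANSFER";
    static final String EXTRA_ACCOUNT = "account";
    static final String EXTRA_AMOUNT = "amount";

    @Override
    public void onReceive(Context context, Intent intent) {
        try {
            // (a) Validate the action and every extra; ignore anything unexpected.
            if (intent == null || !ACTION_TRANSFER.equals(intent.getAction())) {
                Log.w(TAG, "ignoring intent with unexpected action");
                return;
            }
            String account = intent.getStringExtra(EXTRA_ACCOUNT);
            if (account == null || !account.matches("[0-9]{8,12}")) {
                Log.w(TAG, "ignoring intent with malformed account");
                return;
            }
            // A missing or non-numeric amount yields the default instead of throwing.
            long amount = intent.getLongExtra(EXTRA_AMOUNT, -1L);
            if (amount <= 0L) {
                Log.w(TAG, "ignoring intent with invalid amount");
                return;
            }
            handleTransfer(context, account, amount);
        } catch (RuntimeException e) {
            // (b) Badly formed extras (e.g. an unreadable Parcelable) throw when the
            // Bundle is unpacked; catching here keeps the app alive and drops the intent.
            // Log no user data here (see the Information Disclosure directive).
            Log.e(TAG, "dropping intent that failed to parse", e);
        }
    }

    // Hypothetical business logic; only validated values reach this point.
    private void handleTransfer(Context context, String account, long amount) {
        Log.i(TAG, "transfer request accepted");
    }
}
```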
Authentication/Authorization
a> Never trust the client. Ensure the user who requests any page/action has the legitimate
permissions by validating the session permission in the server side.
b> Allow system users 3-5 failed login attempts. If a user fails more times than the
allowed amount, deploy an active CAPTCHA mechanism or an alternative solution.
c> Consider implementing two-factor authentication.
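Directives (a) and (b) on the server side, as an added example that is not part of the report. The Session type, the permission strings, the in-memory maps and the two abstract back-end hooks are assumptions; the report gives only the 3-5 attempt range.

```java
// Added example (not from the report): server-side authorization and a failed-login
// counter that forces a CAPTCHA after the allowed number of attempts.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public abstract class AuthGuard {
    // Hypothetical session record; it lives in the server-side store, never on the client.
    static final class Session {
        final String user;
        final Set<String> permissions;
        Session(String user, Set<String> permissions) { this.user = user; this.permissions = permissions; }
    }

    static final int MAX_FAILED_ATTEMPTS = 5;   // within the report's recommended 3-5 range
    // Single-threaded illustration; a real service needs a shared, thread-safe store.
    final Map<String, Session> sessions = new HashMap<>();
    final Map<String, Integer> failedLogins = new HashMap<>();

    // Assumed back-end hooks: the (properly hashed) credential store and the CAPTCHA service.
    abstract boolean credentialsValid(String username, String password);
    abstract boolean captchaValid(String username, String captchaAnswer);

    // (a) Never trust the client: the decision uses the permissions stored with the
    // server-side session, not a role name or flag carried in the request.
    boolean isAuthorized(String sessionId, String requiredPermission) {
        Session s = sessions.get(sessionId);
        return s != null && s.permissions.contains(requiredPermission);
    }

    // (b) After the allowed number of failures, further attempts must solve a CAPTCHA.
    boolean captchaRequired(String username) {
        return failedLogins.getOrDefault(username, 0) >= MAX_FAILED_ATTEMPTS;
    }

    boolean login(String username, String password, String captchaAnswer) {
        if (captchaRequired(username) && !captchaValid(username, captchaAnswer)) {
            return false;                           // no password check without a CAPTCHA
        }
        if (!credentialsValid(username, password)) {
            failedLogins.merge(username, 1, Integer::sum);
            return false;
        }
        failedLogins.remove(username);              // a successful login resets the counter
        return true;
    }
}
```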
Cryptography Weaknesses
a> Due to the sensitivity of the information (e.g. user name and PIN code), the server must require
the transport layer to be SSL/TLS.
b> It is recommended to use AES-128/256 instead of RC4.
Information Disclosure
a> Use extreme obfuscation in order to prevent an attacker from retrieving useful data from
the APK file.
Configuration Management
a> Since configuration issues vary from application to application it is important to
implement a control mechanism which will assure adequate configuration management.
iOS vs Android Application Security
This document discusses vulnerabilities exposed as part of the application code. It goes without
saying that such vulnerabilities are introduced while the code is being built. So what about iOS vs.
Android?
It is a common myth that the iOS development platform is more secure than the Android equivalent
for several legitimate reasons:
a> iOS has more restrictive controls over what developers can do and tight application sandboxing.
b> iOS Applications are fully vetted before being released to customers - preventing malware from
entering the Apple App Store.
Yet, in the field of pure application security where vulnerabilities are built in the code or into the
application logic the story is quite different.
Our statistics show that the distribution of vulnerability exposed by severity is almost identical
between iOS and Android Applications with a slightly higher percentage of critical vulnerabilities in
iOS applications.
[Chart: severity distribution of detected vulnerabilities (Critical, High, Medium, Low), iOS vs. Android.]
Takeaways
A> Integrate secure coding best practices into the development life cycle.
C> Get your application code tested before it's too late or too expensive to make a change.
D> Don't rely on external security mechanisms when you can develop your app to
have internal resilience at the core.
Our Vision: A Hacker-Free World!
Our mission is to guarantee that released software is free of technical and logical security
vulnerabilities. Our company is always in motion, listening and reacting to current and future
market needs. We inspire our partners to complement our products with the finest professional
services, and drive industry standards. We do this so that we could collectively deliver better
solutions with greater benefits.
About Us
Checkmarx is a leading developer of software solutions used to identify, fix and block security
vulnerabilities in web and mobile applications. It provides an easy and effective way for
organizations to introduce security into their Software Development Lifecycle (SDLC) which
systematically eliminates software risk before applications are released. The company's
customers include 5 of the world's top 10 software vendors and many Fortune 500 and
government organizations, including SAP, Samsung, Salesforce.com, Coca-Cola and the US Army.
For more information about Checkmarx, visit: https://www.checkmarx.com
or follow us on twitter: @Checkmarx
Contact us:
contact@checkmarx.com
www.checkmarx.com