Mobile App (in)Security

Kevin Watkins, CTO, Co-Founder, kwatkins@appthority.com
Steve Hanna, PhD, Lead Researcher, shanna@appthority.com
Watch the video with slide synchronization on InfoQ.com!
http://www.infoq.com/presentations/mobile-enterprise-security

InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• News 15-20 / week
• Articles 3-4 / week
• Presentations (videos) 12-15 / week
• Interviews 2-3 / week
• Books 1 / month
Presented at QCon San Francisco
www.qconsf.com
Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Overview

• App Reputation Report: Market Overview
  - Current app ecosystem
• Consequences of risky apps
  - How risky apps affect end users and corporations
• Epic Fails in Top Applications
  - Mistakes made by popular applications
• Top 5 app developer mistakes and solutions

© 2013 Appthority, Inc.
Reputation Report: Summer 2013
Breakdown of the Most Popular Apps (chart)

Reputation Report: Summer 2013
Risky Applications: Paid Apps vs. Free Apps (chart)
Risky Application Impact
• Each application can affect the end user
• If an app is unsafe or risky, the device can be wiped or unregistered from the MDM
• Poorly developed apps put the user's productivity and data at risk
• Impact is broad
• Being banned from an MDM means loss of sales volume and developer revenue
• Lowers developer reputation
• Potential lifetime ban from enterprises
Appthority Top 5 Fails

1. Using Risky SDKs: adware/analytics/3rd-party libs
2. Permissions and Bypassing User Consent: accessing device features without user consent, under-/over-privileged apps
3. Dirty Laundry: debugging information shipped inside the app
4. Improper Handling of Private App Data
5. Bad Cryptography: weak or no algorithms, predictable seeds
Fail #1: Adware/Analytic SDK
Ad networks introduce external risk!
• Permissions added to the app by a popular adware SDK:
  - INTERNET, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, LAUNCHER.INSTALL_SHORTCUT, WRITE_EXTERNAL_STORAGE, ACCESS_WIFI_STATE, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, GET_ACCOUNTS, BROWSER.READ_HISTORY_BOOKMARKS
• These break COPPA and corporate data privacy policies
• Developers may add many adware SDKs
  - Potentially aggressive: Apperhand, Vulna/Applovin
Fail #1: Adware/Analytic SDK (Cont.)
Private data sent by these SDKs: APIKEY, TIMESTAMP, IMEI, APP ID, PHONE, LAT, LONG, COUNTRY, CITY, STATE, ZIP, AGE
Which Ad networks to use?
Evaluating an ad network
• Ad network reputation
  1. Evaluate end-user and developer opinion about a library with respect to potential privacy and security impacts.
  2. Do they treat their developers well? Are there customer complaints?
• Type of Data Collected
  1. Discover what kinds of data the network is known to collect.
  2. Is it private, potentially sensitive, or does it uniquely identify the user?
  3. Does it collect the data in a clandestine manner?
Which Ad networks to use? (Cont.)
Evaluating an ad network
• Tactics and Methodology
  1. Evaluate the methodology used by the ad network to collect data.
  2. Does a network collect too much data or use aggressive tactics in exchange for higher click-through payouts? Is the payout abnormally high, or higher than popular competitors?
  3. Is the ad network dynamically updatable? Does it receive commands from a C&C network?
• Long term impact
  1. Decide if short term gains are worth potentially hurting long term reputation.
  2. Combining all the questions above, are you willing to stake your reputation on a questionable ad network?
Fail #2: Permission Abuse & Bypassing Consent
Potential problems with permissions
1. Underprivileged application: sidesteps the permission system to obtain the same behavioral results.
2. Overprivileged application: requests permissions that are unneeded.
3. The confused deputy: performs actions on behalf of another agent, like sending SMS messages.
Fail #2: Permissions and Bypassing Consent
App behavior must adhere to the permissions requested
• The application is underprivileged: it side-steps the permission system yet is still able to track the user
• Yet... ACCESS_COARSE_LOCATION is not in the manifest
  - It doesn't request any permission that would let it geo-track the app user
Good way to get kicked out of enterprises, E*trade!
Fail #2: Permissions and Bypassing Consent
An application should request the minimal set of permissions necessary to operate correctly.

Frequently requested yet unneeded permissions; the same action can be accomplished with an Intent to the target application:
• CAMERA – take a picture using the default capture activity.
• INTERNET – open a URL in the browser.
• CALL_PHONE – open the default phone dialer.
However, auto-update encourages over-provisioning to make the dev lifecycle smoother!
Adrienne Porter Felt, Erika Chin, Steven Hanna, Dawn Song, and David Wagner. Android Permissions Demystified. ACM CCS 2011.
Fail #2: Permissions and Bypassing Consent
Apps must check the caller's permissions and guard their Broadcast Receivers!
Potential for abuse: the confused deputy performs actions on behalf of another agent.

Example: Application A has 2 components: MainA, the main application component, and RecA, a broadcast receiver. Application A holds the SEND_SMS permission. Application B has no permissions. B sends an Intent to RecA, and RecA sends an SMS message on B's behalf.
Who sent the SMS message?
Permission abuse!
Extreme permission abuse!
• Grand Theft Auto Walkthrough Game
• 10k+ downloads
• Pulled from market
• Requests 50 permissions!
50 requested permissions!
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.BROADCAST_STICKY
android.permission.CAMERA
android.permission.GET_ACCOUNTS
android.permission.GET_TASKS
android.permission.INTERNET
android.permission.MODIFY_AUDIO_SETTINGS
android.permission.READ_CONTACTS
android.permission.READ_PHONE_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RECEIVE_SMS
android.permission.RECORD_AUDIO
android.permission.RECORD_VIDEO
android.permission.SYSTEM_ALERT_WINDOW
android.permission.VIBRATE
android.permission.WAKE_LOCK
android.permission.WRITE_CONTACTS
android.permission.WRITE_EXTERNAL_STORAGE
com.android.browser.permission.READ_HISTORY_BOOKMARKS
com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.READ_SETTINGS
com.android.launcher.permission.UNINSTALL_SHORTCUT
com.android.launcher.permission.WRITE_SETTINGS
com.anddoes.launcher.permission.READ_SETTINGS
com.anddoes.launcher.permission.WRITE_SETTINGS
com.fede.launcher.permission.READ_SETTINGS
com.fede.launcher.permission.WRITE_SETTINGS
com.htc.launcher.permission.READ_SETTINGS
com.htc.launcher.permission.WRITE_SETTINGS
com.lge.launcher.permission.INSTALL_SHORTCUT
com.lge.launcher.permission.READ_SETTINGS
com.lge.launcher.permission.WRITE_SETTINGS
com.motorola.dlauncher.permission.INSTALL_SHORTCUT
com.motorola.dlauncher.permission.READ_SETTINGS
com.motorola.dlauncher.permission.WRITE_SETTINGS
com.motorola.launcher.permission.INSTALL_SHORTCUT
com.motorola.launcher.permission.READ_SETTINGS
com.motorola.launcher.permission.WRITE_SETTINGS
com.teslacoilsw.launcher.permission.READ_SETTINGS
com.teslacoilsw.launcher.permission.WRITE_SETTINGS
org.adw.launcher.permission.READ_SETTINGS
org.adw.launcher.permission.WRITE_SETTINGS

Including vendor permissions!
More permission abuse!
Extreme permission abuse!
• Joke Screen Melt Wallpaper
• STILL ON MARKET
• Requests 45 permissions!
• Including:
  android.permission.INSTALL_PACKAGES
  android.permission.DELETE_PACKAGES
  android.permission.RECORD_AUDIO
  android.permission.MOUNT_FORMAT_FILESYSTEMS
  android.permission.GET_ACCOUNTS
  android.permission.SET_WALLPAPER
• Aggressive adware!
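The three permission problems above (an SDK quietly adding permissions, apps requesting dozens of platform and vendor permissions, and an exported receiver acting as a confused deputy) can all be caught by a static pass over the manifest. The auditor below is an added example, not Appthority's tooling or any app's code; it uses only the Python standard library, and the manifest it runs on is constructed for illustration. The names audit_manifest, SENSITIVE and SAMPLE_MANIFEST are this example's own.

```python
"""Static audit of an AndroidManifest.xml: permission count, vendor/launcher
permissions, a watch-list of sensitive ones, and exported broadcast
receivers that no permission guards (the confused deputy).  Added example
using only the standard library; the manifest below is constructed for
illustration and is not taken from any real app."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Watch-list: a subset of the permissions called out on the slides.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.INSTALL_PACKAGES",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = [_attr(p, "name") for p in root.iter("uses-permission")]
    vendor = sorted(p for p in perms if not p.startswith("android.permission."))
    sensitive = sorted(p for p in perms if p in SENSITIVE)

    # A receiver is reachable from other apps when exported="true", or when
    # it has an intent-filter and does not set exported="false".  If such a
    # receiver carries no android:permission, any app on the device can
    # drive it and borrow this app's permissions.
    unguarded = []
    for rcv in root.find("application").iter("receiver"):
        exported = _attr(rcv, "exported")
        reachable = exported == "true" or (
            exported is None and rcv.find("intent-filter") is not None)
        if reachable and _attr(rcv, "permission") is None:
            unguarded.append(_attr(rcv, "name"))

    return {
        "permission_count": len(perms),
        "vendor": vendor,
        "sensitive": sensitive,
        "unguarded_receivers": unguarded,
    }


# Constructed sample.  The app holds SEND_SMS; SmsRelayReceiver is exported
# with no guard, so a permission-less app can make it send SMS on its
# behalf.  The guarded variant requires the *caller* to hold SEND_SMS.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.walkthrough">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="com.htc.launcher.permission.READ_SETTINGS"/>
  <application android:label="Walkthrough">
    <receiver android:name=".SmsRelayReceiver" android:exported="true"/>
    <receiver android:name=".GuardedSmsRelayReceiver"
              android:permission="android.permission.SEND_SMS">
      <intent-filter>
        <action android:name="com.example.walkthrough.RELAY_SMS"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".LocalOnlyReceiver" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

A packaged APK carries the manifest as binary XML, so decode it first (apktool, or aapt's xmltree dump) and feed the plain-text result to audit_manifest. The exported check models the implicit default that 2013-era apps relied on; apps targeting API 31 and later must declare android:exported explicitly on every component with an intent filter, which makes the guard easier to review but does not add the android:permission attribute for you.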
Fail #3: Dirty Laundry & Pandora for iOS
The app includes debugging information, giving us a view into the development environment (and the developer/s)
Fail #4: Improper Handling of Private Data: Tinder

What we found in the Tinder app...
• Our analysis engines alerted us that the app was sending exact geo-location information over the network
• We found much more was being sent over the network, including the full name of all matches, exact birth-date/age, and Facebook profile ID
Fail #4: Improper Handling of Private Data: Tinder (Cont.)
We made the Tinder report public...
Fail #4: Improper Handling of Private Data: Tinder (Cont.)
The Tinder API "profile" call returns the target's profile information, including the distance away in "distance_mi"; they did remove the exact "pos":

STILL A FAIL!
Knowing that the Tinder API "ping" call sets the caller's geographical position:

How would you use the profile API (to get distance_mi) plus the ping API (to set your own lon, lat) to obtain the exact geo-location of the target?
Hint: shortest path....
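One answer to the question above, as an added example that is not from the slides or from Tinder's code: if the caller can set its own position with ping and read a distance with profile, three readings from non-collinear points pin the target by trilateration. LeakyLocationService is a constructed stand-in that answers with the exact great-circle distance in miles; the target coordinates and probe points are made up for the demonstration.

```python
"""Recovering a target's position from a 'distance to target' field when
the caller can set their own position (the ping + profile pattern).
Added example, not Tinder's code: LeakyLocationService is a constructed
stand-in that reports the exact great-circle distance in miles."""
import math

EARTH_RADIUS_MI = 3958.8
MILES_PER_DEG = 2 * math.pi * EARTH_RADIUS_MI / 360


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere; what the stand-in server reports."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


class LeakyLocationService:
    """ping() sets the caller's position; profile() returns the distance to
    the target but never the target's coordinates (no 'pos' field)."""

    def __init__(self, target_lat, target_lon):
        self._target = (target_lat, target_lon)
        self._caller = None

    def ping(self, lat, lon):
        self._caller = (lat, lon)

    def profile(self):
        return {"distance_mi": haversine_mi(*self._caller, *self._target)}


def to_xy(lat, lon, lat0, lon0):
    """Local flat projection: miles east/north of the reference point."""
    return ((lon - lon0) * MILES_PER_DEG * math.cos(math.radians(lat0)),
            (lat - lat0) * MILES_PER_DEG)


def to_latlon(x, y, lat0, lon0):
    return (lat0 + y / MILES_PER_DEG,
            lon0 + x / (MILES_PER_DEG * math.cos(math.radians(lat0))))


def trilaterate(service, probes):
    """Ping from three non-collinear points, read distance_mi at each, and
    solve the two linear equations left after subtracting the circle
    equations (x-xi)^2 + (y-yi)^2 = di^2 pairwise.  Returns (lat, lon)."""
    lat0, lon0 = probes[0]
    rings = []
    for lat, lon in probes[:3]:
        service.ping(lat, lon)
        d = service.profile()["distance_mi"]
        x, y = to_xy(lat, lon, lat0, lon0)
        rings.append((x, y, d))
    (x1, y1, d1), (x2, y2, d2), (x3, y3, d3) = rings
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("probe points are collinear; move the third one")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return to_latlon(x, y, lat0, lon0)


if __name__ == "__main__":
    svc = LeakyLocationService(37.7749, -122.4194)   # constructed target
    probes = [(37.80, -122.40), (37.75, -122.45), (37.77, -122.38)]
    print("recovered target:", trilaterate(svc, probes))
```

If the endpoint rounds distance_mi to whole miles, each reading only bounds the target to a ring one mile wide; intersecting more rings, or sliding the ping position until the reported value ticks over, narrows it again. Removing "pos" from the response therefore does not fix the leak. The fix is server-side: never return a distance with more precision than the product needs, and rate-limit or bind ping so a caller cannot teleport at will.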
Fail #4: Improper Handling of Private Data (Cont.)
Not limited to just Tinder...
• 500,000+ installs
• Skout, 10,000,000+ installs
• Swoon, 500,000+ installs
• Cheeky, 100,000+ installs
Fail #5: Using Bad or No Cryptography

What we found in the Postogram app...
• Our analysis engines alerted us that the app was uploading private photos
• We found Postogram was sending all private photos to an unprotected server, with filenames that were predictable (deterministic)
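What "predictable (deterministic)" filenames cost in practice, as an added example that is not Postogram's code: the naming schemes below are constructed to show the failure (a name drawn from a PRNG seeded with the upload time, which any observer can regenerate or enumerate) next to two fixes. The function names weak_name, recover_weak_seed, enumerate_weak_names, strong_name and keyed_name are this example's own.

```python
"""Why a 'predictable (deterministic)' upload name is a leak, and two fixes.
Added example, not Postogram's code: the naming schemes below are
constructed to show the failure mode and its repair."""
import hashlib
import hmac
import random
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def weak_name(upload_ts):
    """FAILURE: the name comes from a PRNG seeded with the upload time in
    whole seconds, so the seed space is tiny and known to an observer."""
    rng = random.Random(upload_ts)
    return "".join(rng.choice(ALPHABET) for _ in range(12)) + ".jpg"


def recover_weak_seed(observed_name, approx_ts, window):
    """Attacker: brute-force the seed within +/- window seconds of a guess
    (e.g. the photo's post time) and return the seed that reproduces it."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        if weak_name(ts) == observed_name:
            return ts
    return None


def enumerate_weak_names(start_ts, end_ts):
    """Attacker with no observed name: every name that could have been
    issued in a time range, ready to request from a server with no auth."""
    return [weak_name(ts) for ts in range(start_ts, end_ts)]


def strong_name():
    """FIX: 128 bits from the OS CSPRNG; not reproducible, not enumerable."""
    return secrets.token_urlsafe(16) + ".jpg"


def keyed_name(server_key, user_id, photo_id):
    """FIX when the server needs a reproducible name: HMAC-SHA256 under a
    secret key keeps it deterministic for the server and opaque to others."""
    msg = ("%s:%s" % (user_id, photo_id)).encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:32] + ".jpg"


if __name__ == "__main__":
    ts = 1372636800                         # constructed: 2013-07-01T00:00:00Z
    leaked = weak_name(ts)
    print("weak name:", leaked, "-> seed recovered:",
          recover_weak_seed(leaked, ts + 37, 60))
    print("strong name:", strong_name())
    print("keyed name:", keyed_name(b"server-secret", 42, 1))
```

An unguessable name is still not an access control: the slide's other finding is that the server was unprotected, and a random name only raises the cost of guessing. Private uploads need authentication and a per-user authorization check on every fetch, with the random or keyed name on top.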
Fail #5: Bad Cryptography

Use best practices and PROTECT PRIVATE DATA. The common failures:
1. Not using SSL/encryption for private data
2. Storing passwords/OAuth tokens in plaintext
3. Not expiring OAuth tokens properly (open to replay attacks)
The Reality is...
These mistakes are easily avoidable
• Best practice guidelines for storing private information do exist
• Tools to help do exist (for bigger dev shops, add these tools into the SDLC)
• Have the mindset of "What if this was my private information?"
• Have an accurate & current privacy policy: don't make us call you out
Questions?
Thank you!

Kevin Watkins, CTO & Co-Founder, kwatkins@appthority.com
Steve Hanna, PhD, Lead Researcher, shanna@appthority.com

Watch the video with slide synchronization on InfoQ.com!
http://www.infoq.com/presentations/mobile-enterprise-security
Also published under the title: Common Security Pitfalls for Mobile Apps in the Enterprise
