BW8 Concurrent Session
11/7/2012 2:15 PM

"Danger! Danger! Your Mobile Applications Are Not Secure"

Presented by:
Johannes Ullrich
SANS Technology Institute

Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 · 904-278-0524 · sqeinfo@sqe.com · www.sqe.com

Johannes Ullrich
SANS Technology Institute
As chief research officer for the SANS Institute, Johannes Ullrich is responsible for the SANS
Internet Storm Center (ISC) (isc.sans.edu) and the GIAC Gold program. He
founded DShield.org, which is now the data collection engine behind the ISC. Widely
recognized for his work with the ISC, in 2004 Network World named Johannes one of the fifty
most powerful people in the networking industry, and SC Magazine named him one of the top
five most influential IT security thinkers in 2005. Prior to working for SANS, Johannes held
positions as a lead support engineer for a web development company and as a research
physicist.
Danger! Danger! Your Mobile Applications Are Not Secure
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Outline

• Challenge
• Example Application
• Proper Input Validation
• Business Logic
• Summary

Mobile Web Application Challenge

• Limited Connectivity
  – 3G/4G/5G… it never works as advertised
  – Data caps
  – Device processing and storage

Mobile Web Application Opportunities

• HTML 5 provides for a rich coding environment
• “like native app” web application development
• Somewhat platform independent
• Access to many sensors and other phone hardware features

Security Pitfalls

• Relying on on-device storage and processing
• Trusting the device to perform business logic (and access control)
• Client side input validation
• Trust in sensors (e.g. geo location)

Application Walkthrough

• Application was developed for a nonprofit preservation group
• Non-technical audience (ease of use)

Constraints

• No budget
• Focus on iPhone
• Had to work reasonably well on iPhone
• Integrate with undocumented city APIs

“Inventory”

• Volunteers enter information about houses as they walk past them
• More than 1,000 houses cataloged in less than 1 month
• Has to be easy and fast
• Protection against bad data entry (intentional or accidental)

“Data Retrieval”

• Most data is considered public
• But some data only available to specific groups (e.g. a “boarding group” that will board open houses; don’t want to advertise open houses)
• Integration with web services offered by city

“Forum”

• Off the shelf discussion forum
• Used for authentication
• Integrates with information about houses

Data Entry Challenge

• Entering addresses on a phone is a pain.
• Two solutions:
  – Enter number first, then show a list of valid street names that have a house with that number
  – Use geo location to show list of close addresses

Address Validation

• Addresses need to be broken down into:
  – Number
  – Street Name
  – Direction
  – Type

Difficult Addresses

• 7th Street vs Seventh Str.
• Boulevard Street
• Pearl Place vs Pearl Street
• W 7th Street vs. 7th Street West

Solutions

• Google/Yahoo solved the issue, and offer web services for address normalization
• Requires internet access, can be too slow on mobile to compete with typing speed
• Rely on outside feed. Or use (buggy) city data

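
The address breakdown from the Address Validation and Difficult Addresses slides, as an added example that is not part of the original talk: a small server-side normalizer that splits a free-text address into number, direction, name and type and canonicalizes the spellings the slides list, so two volunteers typing "7th Street" and "Seventh Str." land on the same record, while "Boulevard Street" keeps "Boulevard" as the name. It is the kind of local fallback the Solutions slide alludes to when the Google/Yahoo web services are too slow to keep up with typing. The abbreviation tables and the ordinal list are assumptions; a real deployment would drive them from the city's street list.

```python
import re
from collections import namedtuple

Address = namedtuple("Address", "number direction name type")

# Assumed canonical abbreviations (USPS-style); a real app would load the city's street list.
STREET_TYPES = {
    "st": "ST", "str": "ST", "street": "ST",
    "pl": "PL", "place": "PL",
    "blvd": "BLVD", "boulevard": "BLVD",
    "ave": "AVE", "av": "AVE", "avenue": "AVE",
    "rd": "RD", "road": "RD",
    "dr": "DR", "drive": "DR",
    "ln": "LN", "lane": "LN",
    "ct": "CT", "court": "CT",
}
DIRECTIONS = {
    "n": "N", "north": "N", "s": "S", "south": "S",
    "e": "E", "east": "E", "w": "W", "west": "W",
    "ne": "NE", "northeast": "NE", "nw": "NW", "northwest": "NW",
    "se": "SE", "southeast": "SE", "sw": "SW", "southwest": "SW",
}
ORDINAL_WORDS = {
    "first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5,
    "sixth": 6, "seventh": 7, "eighth": 8, "ninth": 9, "tenth": 10,
    "eleventh": 11, "twelfth": 12,
}


def _ordinal(n):
    """7 -> '7th', 21 -> '21st', 12 -> '12th'."""
    if 10 <= n % 100 <= 20:
        suffix = "th"
    else:
        suffix = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def _normalize_name_token(tok):
    """'seventh', '7' and '7th' all become '7th'; any other word is upper-cased."""
    if tok in ORDINAL_WORDS:
        return _ordinal(ORDINAL_WORDS[tok])
    m = re.fullmatch(r"(\d+)(st|nd|rd|th)?", tok)
    if m:
        return _ordinal(int(m.group(1)))
    return tok.upper()


def parse_address(raw):
    """Split a free-text street address into (number, direction, name, type).

    Returns None when the input has no leading house number or no street name,
    so the caller rejects it instead of storing junk."""
    tokens = re.sub(r"[^\w\s]", " ", raw).lower().split()
    if len(tokens) < 2 or not tokens[0].isdigit():
        return None
    number = int(tokens[0])
    rest = tokens[1:]
    direction = None
    # A direction may be a prefix ("W 7th St") or a suffix ("7th St West").
    if rest[0] in DIRECTIONS and len(rest) > 1:
        direction = DIRECTIONS[rest.pop(0)]
    elif rest[-1] in DIRECTIONS and len(rest) > 1:
        direction = DIRECTIONS[rest.pop()]
    street_type = None
    # Only the LAST token can be the type, so "Boulevard Street" keeps "Boulevard" as the name.
    if len(rest) > 1 and rest[-1] in STREET_TYPES:
        street_type = STREET_TYPES[rest.pop()]
    if not rest:
        return None
    name = " ".join(_normalize_name_token(t) for t in rest)
    return Address(number, direction, name, street_type)


def same_address(a, b):
    """True when two free-text spellings normalize to the same address."""
    pa, pb = parse_address(a), parse_address(b)
    return pa is not None and pa == pb
```

The parser deliberately refuses input without a house number rather than guessing: the slides' data-entry flow asks for the number first, so a missing number means the client skipped validation, and the server should not repair that for it.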
On Device Storage

• HTML 5 enables significant on device storage
• Mostly used to cache data to reduce network traffic
• Cookies still primary source of authentication data

On Device Storage Validation

• Only data for which the client has access is stored on the device
• Assumption: One user per device
• Data associated with time-to-live (TTL) to avoid stale data
• Most sessions < 30 minutes (= default TTL)

Problems with HTML 5 storage

• No access control
• Risk of cross-domain exposure via XSS
• Data leakage of confidential data
• Accepted risks: authentication cookie, cookie with limited lifetime controlled by server
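
A server-side sketch of the rules on the On Device Storage Validation and Problems with HTML 5 storage slides, added here and not taken from the original application: the server decides which fields a session may see, stamps the payload with a TTL no longer than the remaining session lifetime, and checks the session timeout itself instead of trusting the client's cookie or clock. Whatever is not in the payload never reaches the phone's HTML 5 storage, so there is nothing for an XSS bug or a borrowed phone to leak. The field names, the "boarding" group and the sample houses are constructed for the example.

```python
import time
from dataclasses import dataclass

DEFAULT_TTL_SECONDS = 30 * 60  # most sessions are under 30 minutes; cached data should not outlive them


@dataclass
class Session:
    user: str
    groups: frozenset   # e.g. {"boarding"}; membership is decided on the server, never sent by the client
    expires_at: float   # absolute epoch seconds, set and enforced on the server


@dataclass
class House:
    address: str        # public
    style: str          # public
    year_built: int     # public
    is_open: bool       # restricted: only the "boarding group" may learn that a house is open
    notes: str = ""     # restricted


PUBLIC_FIELDS = ("address", "style", "year_built")
RESTRICTED_FIELDS = {"boarding": ("is_open", "notes")}   # group name -> extra fields it may see


class SessionExpired(Exception):
    pass


def session_is_valid(session, now=None):
    """Token timeout is verified here, on the server; the client's clock and cookie are not trusted."""
    now = time.time() if now is None else now
    return now < session.expires_at


def build_client_payload(session, houses, now=None, ttl=DEFAULT_TTL_SECONDS):
    """Return only the data this session is allowed to cache on the device.

    Fields the session may not see are never serialized. The payload carries a TTL capped
    at the remaining session lifetime, so a stale or orphaned cache expires on its own."""
    now = time.time() if now is None else now
    if not session_is_valid(session, now):
        raise SessionExpired(session.user)
    allowed = list(PUBLIC_FIELDS)
    for group, fields in RESTRICTED_FIELDS.items():
        if group in session.groups:
            allowed.extend(fields)
    records = [{name: getattr(h, name) for name in allowed} for h in houses]
    return {"ttl": min(ttl, int(session.expires_at - now)), "houses": records}


def cache_is_fresh(payload, fetched_at, now):
    """The client-side rule for a cached payload: discard it once its TTL has elapsed."""
    return now - fetched_at < payload["ttl"]


# Constructed sample data for the demo, not records from the original application.
SAMPLE_HOUSES = [
    House("123 7th St", "Queen Anne", 1895, is_open=True, notes="boarded 2012-09"),
    House("45 Pearl Pl", "Bungalow", 1921, is_open=False),
]


def demo(now=1_700_000_000.0):
    """Same data, two sessions: a plain volunteer and a member of the boarding group."""
    volunteer = Session("volunteer", frozenset(), expires_at=now + 3600)
    boarder = Session("crew", frozenset({"boarding"}), expires_at=now + 600)
    return (build_client_payload(volunteer, SAMPLE_HOUSES, now),
            build_client_payload(boarder, SAMPLE_HOUSES, now))
```

The point of `min(ttl, remaining session lifetime)` is that the cache can never be fresher than the authentication behind it: when the boarding-group session has ten minutes left, its cached open-house list is good for ten minutes, not thirty.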

Image Acquisition

• Main limitation of (current) HTML 5 web apps is no access to camera
• Workaround: submit images via email
• Not easy, and needs to be revised once HTML5 Media Capture standard becomes more ubiquitous

Image Submission via e-mail

• Parsing e-mail
• Authentication based on “From” address (INSECURE!)
• Extracting images
• Address in Subject
• Validating address using EXIF data
• Manual validation

Validating Images

• Verify basic constraints (size…)
• Check MIME type in e-mail headers
• Check MIME type on server using “file” library
• Extract EXIF data
• Resize image for web
• Manual approval

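
The e-mail intake on the Image Submission via e-mail and Validating Images slides, as an added Python example (not the talk's own code): it parses a constructed MIME message, reads the house address from the Subject, treats the From header only as a hint because it is trivially spoofed, enforces a size limit, and rejects any attachment whose declared MIME type disagrees with the bytes actually received, which is the server-side check the "file" library performs. EXIF extraction and resizing are not shown. The size limit, allowed types, known-sender list and sample attachments are assumptions.

```python
import email
from email.message import EmailMessage
from email.policy import default as default_policy

MAX_IMAGE_BYTES = 5 * 1024 * 1024          # assumed limit
ALLOWED_TYPES = {"image/jpeg", "image/png"}

# Magic numbers the server checks itself, the way the "file" library would.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def sniff_mime(data):
    """Identify the content from its first bytes, ignoring whatever the headers claim."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def process_submission(raw_bytes, known_senders):
    """Parse one incoming mail and return what was found plus the reasons anything was rejected.

    Nothing here is trusted on its own: the From header is spoofable, so it only maps the mail
    to a volunteer account as a hint, and every accepted image still goes to manual approval."""
    msg = email.message_from_bytes(raw_bytes, policy=default_policy)
    sender = (msg.get("From") or "").strip().lower()
    result = {
        "sender": sender,
        "sender_known": sender in known_senders,
        "address": (msg.get("Subject") or "").strip(),
        "images": [],
        "rejected": [],
        "needs_manual_approval": True,
    }
    if not result["address"]:
        result["rejected"].append("missing address in Subject")
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        if declared not in ALLOWED_TYPES:
            result["rejected"].append(f"{name}: declared type {declared} not allowed")
            continue
        if len(data) == 0 or len(data) > MAX_IMAGE_BYTES:
            result["rejected"].append(f"{name}: bad size {len(data)}")
            continue
        actual = sniff_mime(data)
        if actual != declared:
            # Header says image/jpeg, bytes say otherwise: the classic upload trick.
            result["rejected"].append(f"{name}: header says {declared}, content is {actual}")
            continue
        result["images"].append({"name": name, "type": actual, "size": len(data)})
    return result


def build_sample_mail(sender, subject, attachments):
    """Construct a test message; attachments is a list of (filename, declared_mime, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "photos@example.org"
    if subject:
        msg["Subject"] = subject
    msg.set_content("photo attached")
    for name, mime, data in attachments:
        maintype, subtype = mime.split("/")
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 64             # constructed: a JPEG header
HTML_STUB = b"<html><script>alert(1)</script></html>"      # constructed: HTML labelled as JPEG
```

A mail client will happily label any file `image/jpeg`, and a forged From header costs an attacker nothing, which is why the result never flips `needs_manual_approval` off: the automated checks only filter obvious junk before a human looks at the photo.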
Outstanding issues

• Image feature is pretty much not used (too complex to use)
• Needs to switch to media capture API ASAP
• Media capture API needs to use file-based “file upload checklist”

User Authentication

• User authentication in mobile web apps is a significant problem
• Typical username / password combination is not working well for mobile apps due to hardware limitations

Alternative User Authentication

• Use persistent cookies: Risky. Can lead to problems with poorly protected devices
• Use transaction authentication in addition to persistent cookies
• Add behavior detection

Authentication issue solution in sample app

• Use “Single Sign on” by leveraging phpBB authentication (user needs to log in only once)
• Use persistent cookies for low risk transactions
• Watch user behavior for abuse

Example Abuse Cases

• Spam: user adds spam comments to site, or uploads spam images
• Data Pollution: user adds wrong data into application skewing results
• Data Harvesting: user harvests data from site

Spam

• Simple “CAPTCHA” on first sign in
• Content validation on posts
• “speed limit” on posts
• Unauthenticate user once bad behaviour is detected.

Data Pollution

• First layer: similar to spam. Check at what rate data is entered and prevent bots from entering data via CAPTCHA
• Second Layer: use duplicate entries (data entered by several users about the same property) to determine submitter quality

Data Harvesting

• Not a huge problem in our case as data is considered public
• But can have performance impact
• Simple rate limiting works so far
• Offer bulk data / API for more efficient access

Authentication Logic

• User connects to website and reaches page that requires authentication
• Redirect to PHPBB for login (if not already logged in)
• Mobile app uses PHPBB cookie to authenticate user
• Mobile app creates session for user

Session content

• Number of entries made
• Time of session
• For each submission: If applicable, quality score compared to prior submissions
• Geoscore: use GPS to verify submission was made in vicinity

Suspect criteria

• More than 5 submissions in 5 minutes
• More than 3 submissions that do not agree with prior data
• More than 2 miles away from submitted location

How to deal with “Suspects”

• Initially silently marking data for review
• If behavior persists, log out the user and ask to re-authenticate

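
The suspect criteria and escalation from the Session content, Suspect criteria and How to deal with "Suspects" slides, together with the "speed limit" from the Spam and Data Pollution slides, as one added example that is not the talk's code. The three thresholds are the ones on the slides; the number of strikes before forcing re-authentication and the walk-through scenario are assumptions. In line with the checklist's "don't trust sensors alone", the GPS distance is a signal rather than a requirement: a submission without a device location is not penalized, and one that is too far away is only flagged.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds from the "Suspect criteria" slide.
MAX_SUBMISSIONS = 5          # more than 5 submissions ...
WINDOW_SECONDS = 5 * 60      # ... in 5 minutes
MAX_DISAGREEMENTS = 3        # more than 3 submissions contradicting prior data
MAX_DISTANCE_MILES = 2.0     # more than 2 miles from the submitted address
# Escalation policy: strikes before the user is logged out (assumed value, not from the talk).
STRIKES_BEFORE_LOGOUT = 2


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points."""
    r = 3958.8  # mean earth radius in miles
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


@dataclass
class Submission:
    ts: float                                   # server time the entry arrived
    agrees_with_prior: Optional[bool]           # None when no earlier data exists for the property
    device_loc: Optional[Tuple[float, float]]   # phone GPS; may be missing or wrong
    property_loc: Tuple[float, float]           # geocoded location of the submitted address


@dataclass
class UserSession:
    user: str
    submissions: List[Submission] = field(default_factory=list)
    flagged: List[int] = field(default_factory=list)   # indexes silently marked for review
    strikes: int = 0
    logged_out: bool = False

    def record(self, sub):
        """Store one submission, evaluate the suspect criteria and return the action taken."""
        if self.logged_out:
            return "rejected: re-authenticate"
        self.submissions.append(sub)
        reasons = self.suspect_reasons(sub.ts)
        if not reasons:
            return "accepted"
        # First reaction is silent: keep the data but mark it for review.
        self.flagged.append(len(self.submissions) - 1)
        self.strikes += 1
        if self.strikes >= STRIKES_BEFORE_LOGOUT:
            self.logged_out = True
            return "logout: " + "; ".join(reasons)
        return "review: " + "; ".join(reasons)

    def suspect_reasons(self, now):
        reasons = []
        recent = [s for s in self.submissions if now - s.ts <= WINDOW_SECONDS]
        if len(recent) > MAX_SUBMISSIONS:
            reasons.append(f"{len(recent)} submissions in {WINDOW_SECONDS // 60} minutes")
        disagree = sum(1 for s in self.submissions if s.agrees_with_prior is False)
        if disagree > MAX_DISAGREEMENTS:
            reasons.append(f"{disagree} submissions contradict prior data")
        last = self.submissions[-1]
        if last.device_loc is not None:   # sensor is a backup signal, not a requirement
            d = haversine_miles(*last.device_loc, *last.property_loc)
            if d > MAX_DISTANCE_MILES:
                reasons.append(f"{d:.1f} miles from submitted address")
        return reasons


def demo():
    """Constructed scenario: four real entries a minute apart, then a script firing three in 20 seconds."""
    home = (40.7128, -74.0060)
    s = UserSession("volunteer")
    actions = [s.record(Submission(60.0 * i, True, home, home)) for i in range(4)]
    actions += [s.record(Submission(240.0 + 10 * i, None, home, home)) for i in range(3)]
    return s, actions
```

All of this state lives in the server-side session, as the checklist demands; the phone only ever sees "accepted" or a request to log in again, never the counters or thresholds it would need to stay just under them.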
Mobile Web App Checklist

• Do not store confidential data on the client
• Do not send data to the client unless the client has access control (= access control on the server)
• Verify authentication token timeout on server

Mobile App Checklist

• Sensible authentication: Take capabilities and limitations of device into account
• Keep all authentication related information on the server
• Don’t trust sensors alone, but use them as a backup.

Thank you!

jullrich@sans.edu
Twitter: johullrich

http://isc.sans.edu
Please Contribute
Daily Updates * Daily Podcast * Live Data Feeds
Training state-of-the-art general text embedding
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Danger! Danger! Your Mobile Applications Are Not Secure

Constraints

• No budget
• Focus on iPhone
• Had to work reasonably well on iPhone
• Integrate with undocumented city APIs

“Inventory”

• Volunteers enter information about houses as they walk past them
• More than 1,000 houses cataloged in less than 1 month
• Has to be easy and fast
• Protection against bad data entry (intentional or accidental)

“Data Retrieval”

• Most data is considered public
• But some data is only available to specific groups (e.g. a “boarding group” that will board open houses; we don’t want to advertise open houses)
• Integration with web services offered by the city

“Forum”

• Off-the-shelf discussion forum
• Used for authentication
• Integrates with information about houses

Data Entry Challenge

• Entering addresses on a phone is a pain.
• Two solutions:
– Enter the number first, then show a list of valid street names that have a house with that number
– Use geolocation to show a list of nearby addresses

Address Validation

• Addresses need to be broken down into:
– Number
– Street Name
– Direction
– Type

Difficult Addresses

• 7th Street vs. Seventh Str.
• Boulevard Street
• Pearl Place vs. Pearl Street
• W 7th Street vs. 7th Street West

Solutions

• Google/Yahoo solved the issue, and offer web services for address normalization
• Requires internet access; can be too slow on mobile to compete with typing speed
• Rely on an outside feed, or use (buggy) city data

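The address breakdown and the “difficult addresses” above, worked through as an added example. This is not the project’s code: it is a small normalizer that splits a free-text address into the four parts the deck names (number, direction, street name, type) and folds spelling variants together, so that two volunteers’ entries for the same house compare equal on the server. The abbreviation tables are constructed for the example and deliberately short; a deployment would back them with the city’s street list.

```javascript
// Added example (not the project's code): split a free-text address into the
// four parts the deck lists (number, direction, street name, type) and
// normalise spelling so that variants compare equal on the server.
// The abbreviation tables are constructed for this example and are far from
// complete; a real deployment would use the city's street list.

// Maps rather than plain objects, so that input such as "constructor" cannot
// hit an inherited property and be mistaken for a known word.
const ORDINALS = new Map(Object.entries({
  first: '1st', second: '2nd', third: '3rd', fourth: '4th', fifth: '5th',
  sixth: '6th', seventh: '7th', eighth: '8th', ninth: '9th', tenth: '10th',
}));
const DIRECTIONS = new Map(Object.entries({
  n: 'N', north: 'N', s: 'S', south: 'S', e: 'E', east: 'E', w: 'W', west: 'W',
}));
const TYPES = new Map(Object.entries({
  st: 'Street', str: 'Street', street: 'Street',
  ave: 'Avenue', av: 'Avenue', avenue: 'Avenue',
  blvd: 'Boulevard', boulevard: 'Boulevard',
  pl: 'Place', place: 'Place', rd: 'Road', road: 'Road',
}));

function parseAddress(text) {
  // Lower-case, drop periods ("Str."), split on whitespace.
  const tokens = String(text).toLowerCase().replace(/\./g, ' ').split(/\s+/).filter(Boolean);
  // The house number must come first and must be purely numeric.
  if (tokens.length < 2 || !/^\d+$/.test(tokens[0])) return null;
  const number = Number(tokens[0]);
  let rest = tokens.slice(1);
  let direction = null;
  let type = null;

  // A direction may lead ("W 7th Street") or trail ("7th Street West").
  if (rest.length > 1 && DIRECTIONS.has(rest[0])) {
    direction = DIRECTIONS.get(rest[0]);
    rest = rest.slice(1);
  } else if (rest.length > 1 && DIRECTIONS.has(rest[rest.length - 1])) {
    direction = DIRECTIONS.get(rest[rest.length - 1]);
    rest = rest.slice(0, -1);
  }
  // The street type is the last remaining word, if it is a known one. Only the
  // last word is considered, so "Boulevard Street" keeps "Boulevard" as the name.
  if (rest.length > 1 && TYPES.has(rest[rest.length - 1])) {
    type = TYPES.get(rest[rest.length - 1]);
    rest = rest.slice(0, -1);
  }
  // Whatever is left is the street name; spelled-out ordinals become numeric.
  const street = rest
    .map(w => ORDINALS.get(w) || w)
    .map(w => (/^\d/.test(w) ? w : w[0].toUpperCase() + w.slice(1)))
    .join(' ');
  return { number, direction, street, type };
}

// One string per distinct address, usable as a lookup key for duplicate
// detection and for comparing submissions from different volunteers.
function canonicalKey(text) {
  const a = parseAddress(text);
  if (a === null) return null;
  return [a.number, a.direction || '', a.street, a.type || ''].join('|');
}
```

The parser is a heuristic, which is the deck’s point: a token like “West” can be a direction or part of a name, and only an authoritative street list settles it. What the example adds is the validation posture: the number is checked before anything else, unknown words are kept rather than guessed at, and lookups use Maps so attacker-chosen words cannot collide with inherited object properties.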
On Device Storage

• HTML 5 enables significant on-device storage
• Mostly used to cache data to reduce network traffic
• Cookies still primary source of authentication data

On Device Storage Validation

• Only data to which the client has access is stored on the device
• Assumption: one user per device
• Data associated with a time-to-live (TTL) to avoid stale data
• Most sessions < 30 minutes (= default TTL)

Problems with HTML 5 storage

• No access control
• Risk of cross-domain exposure via XSS
• Data leakage of confidential data
• Accepted risks: authentication cookie, cookie with limited lifetime controlled by server

Image Acquisition

• Main limitation of (current) HTML 5 web apps is no access to the camera
• Workaround: submit images via e-mail
• Not easy, and needs to be revised once the HTML5 Media Capture standard becomes more ubiquitous

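The on-device caching rules from the two slides above (only data the client may see, one TTL per record, 30 minutes by default, nothing confidential in Web Storage), as an added example rather than the project’s own code. The storage backend and the clock are injected: in a browser the wrapper takes `window.localStorage`, and here it runs under Node against an in-memory stand-in constructed for the example.

```javascript
// Added example (not the project's code): a cache wrapper over HTML5 Web
// Storage that gives every entry a time-to-live (the deck's default: 30
// minutes) and refuses to cache records the server marks confidential.
// The storage backend is injected, so the same code runs against
// window.localStorage in the browser and against the in-memory stand-in
// below under Node. The clock is injected too, to make expiry testable.

const DEFAULT_TTL_MS = 30 * 60 * 1000;

class TtlCache {
  constructor(storage, now = () => Date.now()) {
    this.storage = storage; // needs getItem / setItem / removeItem
    this.now = now;
  }

  // Store a record with an expiry. Confidential data is never written: Web
  // Storage has no access control and is readable by any script in the origin.
  set(key, value, { ttlMs = DEFAULT_TTL_MS, confidential = false } = {}) {
    if (confidential) return false;
    this.storage.setItem(key, JSON.stringify({ expires: this.now() + ttlMs, value }));
    return true;
  }

  // Return the cached value, or null if missing, malformed or expired.
  // Expired and unparsable entries are deleted rather than served.
  get(key) {
    const raw = this.storage.getItem(key);
    if (raw === null || raw === undefined) return null;
    let record;
    try {
      record = JSON.parse(raw);
    } catch (e) {
      this.storage.removeItem(key);
      return null;
    }
    if (!record || typeof record.expires !== 'number' || record.expires <= this.now()) {
      this.storage.removeItem(key);
      return null;
    }
    return record.value;
  }
}

// Minimal in-memory stand-in for window.localStorage (constructed for this example).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}
```

The `confidential` flag is where the server’s access-control decision is honoured on the client: the server marks a record, and the wrapper simply declines to persist it. Expiry is enforced on read, so a stale record that outlived the session is dropped the next time it is requested instead of being shown.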
Image Submission via e-mail

• Parsing e-mail
• Authentication based on “From” address (INSECURE!)
• Extracting images
• Address in Subject
• Validating address using EXIF data
• Manual validation

Validating Images

• Verify basic constraints (size…)
• Check MIME type in e-mail headers
• Check MIME type on server using “file” library
• Extract EXIF data
• Resize image for web
• Manual approval

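The first three checks of the “Validating Images” list (size, declared MIME type, real type on the server), as an added example that is not the project’s code. Where the deck uses the “file” library, the example sniffs the leading bytes itself for the two formats it accepts; the size limit and the sample byte strings are constructed for the example, and EXIF extraction and resizing are not shown.

```javascript
// Added example (not the project's code): validates an image pulled out of an
// e-mail the way the deck's checklist describes. Instead of the "file" library
// it uses an inline magic-byte check for the two formats accepted here (JPEG,
// PNG). The size limit and the sample byte strings are constructed for this
// example. EXIF extraction and resizing are out of scope.

const MAX_IMAGE_BYTES = 5 * 1024 * 1024; // assumption: 5 MB upper bound
const ACCEPTED_TYPES = new Set(['image/jpeg', 'image/png']);

// Determine the real format from the leading bytes, ignoring what the e-mail
// header or filename claims. Returns null if neither signature matches.
function sniffImageType(buf) {
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) {
    return 'image/jpeg';
  }
  const pngSignature = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length >= 8 && buf.subarray(0, 8).equals(pngSignature)) {
    return 'image/png';
  }
  return null;
}

// Apply the checks in order: size, real type, then agreement with the
// declared Content-Type. Every failing check is reported, not just the first,
// so the manual reviewer sees the whole picture.
function validateImage(declaredMime, buf) {
  const reasons = [];
  if (buf.length === 0 || buf.length > MAX_IMAGE_BYTES) reasons.push('size');
  const actualType = sniffImageType(buf);
  if (actualType === null || !ACCEPTED_TYPES.has(actualType)) {
    reasons.push('unknown-type');
  } else if (String(declaredMime).trim().toLowerCase() !== actualType) {
    reasons.push('mime-mismatch');
  }
  return { ok: reasons.length === 0, actualType, reasons };
}

// Constructed samples: only the leading bytes matter for the check.
const SAMPLE_JPEG = Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0]), Buffer.alloc(64)]);
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(64),
]);
const SAMPLE_NOT_IMAGE = Buffer.from('<html>not an image</html>');
```

The point the deck makes on the previous bullet applies here too: the header is untrusted input, so the declared type is only compared against what the bytes say, never used on its own. A mismatch is recorded as its own reason, because a file that is a valid PNG labelled as JPEG is worth a second look even though it is an image.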
Outstanding issues

• Image feature is pretty much not used (too complex to use)
• Needs to switch to the media capture API ASAP
• Media capture API needs to use the “file upload checklist”

User Authentication

• User authentication in mobile web apps is a significant problem
• Typical username / password combination is not working well for mobile apps due to hardware limitations

Alternative User Authentication

• Use persistent cookies: risky, can lead to problems with poorly protected devices
• Use transaction authentication in addition to persistent cookies
• Add behavior detection

Authentication issue solution in sample app

• Use “Single Sign-on” by leveraging phpBB authentication (user needs to log in only once)
• Use persistent cookies for low-risk transactions
• Watch user behavior for abuse

Example Abuse Cases

• Spam: user adds spam comments to site, or uploads spam images
• Data Pollution: user adds wrong data into application, skewing results
• Data Harvesting: user harvests data from site

Spam

• Simple “CAPTCHA” on first sign-in
• Content validation on posts
• “Speed limit” on posts
• Unauthenticate user once bad behaviour is detected

Data Pollution

• First layer: similar to spam. Check at what rate data is entered and prevent bots from entering data via CAPTCHA
• Second layer: use duplicate entries (data entered by several users about the same property) to determine submitter quality

Data Harvesting

• Not a huge problem in our case as data is considered public
• But can have performance impact
• Simple rate limiting works so far
• Offer bulk data / API for more efficient access

Authentication Logic

• User connects to website and reaches a page that requires authentication
• Redirect to phpBB for login (if not already logged in)
• Mobile app uses phpBB cookie to authenticate user
• Mobile app creates session for user

Session content

• Number of entries made
• Time of session
• For each submission: if applicable, quality score compared to prior submissions
• Geoscore: use GPS to verify submission was made in vicinity

Suspect criteria

• More than 5 submissions in 5 minutes
• More than 3 submissions that do not agree with prior data
• More than 2 miles away from submitted location

How to deal with “Suspects”

• Initially, silently mark data for review
• If behavior persists, log out the user and ask to re-authenticate

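The session content, the three suspect criteria and the two-stage response above, put together as an added example; it is not the project’s code. A per-user session object tracks submission times, disagreements with prior data and the GPS check, and returns one of “accept”, “review” (keep the data but flag it) or “reauthenticate” (end the session). The thresholds are the deck’s; the house coordinates, GPS fixes and property records in the test are constructed, and the distance uses the haversine formula.

```javascript
// Added example (not the project's code): a per-user session tracker that
// implements the deck's three suspect criteria and its two-stage response
// (silently mark for review first, force re-authentication if it persists).
// The thresholds are the deck's; the property records and GPS fixes used to
// exercise it are constructed. Distance uses the haversine formula.

const LIMITS = {
  maxSubmissions: 5, windowMs: 5 * 60 * 1000, // > 5 submissions in 5 minutes
  maxDisagreements: 3,                         // > 3 submissions contradicting prior data
  maxDistanceMiles: 2,                         // > 2 miles from the submitted location
};
const EARTH_RADIUS_MILES = 3958.8;

// Great-circle distance between two {lat, lon} points given in degrees.
function distanceMiles(a, b) {
  const toRad = deg => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2
    + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_MILES * Math.asin(Math.sqrt(h));
}

// A submission agrees with prior data when every field both records carry matches.
function agreesWithPrior(entry, prior) {
  return Object.keys(prior).every(k => !(k in entry) || entry[k] === prior[k]);
}

class VolunteerSession {
  constructor(userId, now = () => Date.now()) {
    this.userId = userId;
    this.now = now;          // injectable clock, for testing
    this.timestamps = [];    // submission times inside the rate window
    this.disagreements = 0;  // submissions that contradicted prior data
    this.suspectCount = 0;   // submissions flagged so far in this session
  }

  // entry: the volunteer's data about a house; prior: what earlier volunteers
  // recorded for the same house (or null); deviceFix / houseLocation: {lat, lon}.
  submit(entry, prior, deviceFix, houseLocation) {
    const now = this.now();
    this.timestamps.push(now);
    // Sliding window: keep only submissions from the last five minutes.
    this.timestamps = this.timestamps.filter(t => now - t < LIMITS.windowMs);

    const reasons = [];
    if (this.timestamps.length > LIMITS.maxSubmissions) reasons.push('rate');
    if (prior && !agreesWithPrior(entry, prior)) {
      this.disagreements += 1;
      if (this.disagreements > LIMITS.maxDisagreements) reasons.push('disagreement');
    }
    if (deviceFix && houseLocation
        && distanceMiles(deviceFix, houseLocation) > LIMITS.maxDistanceMiles) {
      reasons.push('distance');
    }
    if (reasons.length === 0) return { action: 'accept', reasons };

    this.suspectCount += 1;
    // First suspect submission: keep the data but mark it for review.
    // Persisting suspicion: end the session and require a fresh login.
    const action = this.suspectCount > 1 ? 'reauthenticate' : 'review';
    return { action, reasons };
  }
}
```

All of this state lives on the server, which is the deck’s checklist point: the phone reports a GPS fix and a submission, but the counting, the comparison with other volunteers’ data and the decision to end the session never depend on anything the client stores. The GPS check is also deliberately one signal among three, matching the closing advice not to trust sensors alone.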
Mobile Web App Checklist

• Do not store confidential data on the client
• Do not send data to the client unless the client has access (= access control on the server)
• Verify authentication token timeout on the server

Mobile App Checklist

• Sensible authentication: take capabilities and limitations of the device into account
• Keep all authentication-related information on the server
• Don’t trust sensors alone, but use them as a backup.

Thank you!

jullrich@sans.edu
Twitter: johullrich
http://isc.sans.edu

Please Contribute: Daily Updates * Daily Podcast * Live Data Feeds