OWASP Birmingham - Mobile Application Security

David Rook

Mobile Application Security

OWASP Birmingham

Friday, 9 December 2011

if (slide == introduction)
System.out.println("I’m David Rook");

• Application Security Lead, Realex Payments, Dublin
CISSP, CISA, GCIH and many other acronyms

• Security Ninja (@securityninja)

• Speaker at developer and security conferences

• Microsoft Developer Security MVP

• Developed and released Agnitio


Agenda

• The mobile applosion!

• Android and iOS app analysis


There’s an app for that

• There’s an app for that......

• Apps allow users to do more than send SMS and play Snake
• Completely changed the way people view and use phones
• Businesses love apps, if they don’t have one they want one
• Innovative apps for customers using mobile functionality

Businesses can beneﬁt from having a mobile presence
Customers “expect” a mobile presence from companies nowadays. Companies can u9lise this to oﬀer new ways of doing exis9ng
tasks such as mobile boarding passes, mobile banking and check share prices.

Business can be created or rapidly grow because of mobile apps
Rovio is probably the most famous example but certainly not the only or last one.


Businesses can beneﬁt from having a mobile presence
Customers “expect” a mobile presence from companies nowadays. Companies can u9lise this to oﬀer new ways of doing exis9ng
tasks such as mobile boarding passes, mobile banking and check share prices.


• Mobile apps can create value for a business

• Businesses can benefit from having a mobile presence
• Most developers have not been trained to write secure code

What could possibly go wrong? Well we need to understand how many apps/downloads/smartphones ﬁrst



• Not trained to write secure code, new to mobile development......




• Not trained to write secure code, new to mobile development......
• What could possibly go wrong?



Over 1 million apps in all of the app stores, pre<y much all of the million plus are in the App Store or Market Place (500,000
Apple and 600,000 Android ‐ all other app stores about 50,000 at the most)

EsCmated $15 billion of income from app sales in 2011 (hLp://www.gartner.com/it/page.jsp?id=1529214)

About 30 BILLION app downloads from App Store and Android Market Place (18bn for app store hLp://en.wikipedia.org/wiki/
App_Store_(iOS) and about 7bn for the Market Place hLp://en.wikipedia.org/wiki/Android_Market)

since the Apple App Store was launched on the 11th July 2008

115m smartphones sold in Q3 2011 (hLp://www.gartner.com/it/page.jsp?id=1848514)


1
Apps







1 15
Apps Income







1 15 30
Apps Income Downloads







1 15 30 115
Apps Income Downloads Phones







Android market place has about 600,000 apps now (December 2011 hLp://www.androlib.com/appstats.aspx)
Apple App Store has over 500,000 apps now (October hLp://en.wikipedia.org/wiki/App_Store_(iOS)#cite_note‐18billion‐52)
Nokia OviStore is now around 50,000 apps (hLp://en.wikipedia.org/wiki/Ovi_(Nokia)#Ovi_Store)
BlackBerry App World also around 50,000 apps (hLp://en.wikipedia.org/wiki/BlackBerry_App_World)
Windows Phone Marketplace has round 40,000 apps (hLp://en.wikipedia.org/wiki/Windows_Phone_Marketplace)


• The predicted growth happened

• 1,000,000+ apps by the end of 2011
• How many have been developed with security in mind?
• The answer isn’t “none” but it won’t be many, ≤1%?




• 1,000,000+ apps by the end of 2011
• But none of us are surprised by this are we?




• 1,000,000+ apps by the end of 2011
• But none of us are surprised by this are we?
• I want us to try and find the insecure apps with Agnitio


Mobile payments

• Payments made using a mobile

• I’m not talking about NFC or in app payments
• I want to share some real world payment stats with you
• Based on analysis of Realex hosted payment page hits


Mobile payments

Total Hits Mobile Hits
1500000

1350000

1200000

1050000

900000

750000

600000

450000

300000

150000

0
Jan Feb Mar Apr May Jun Jul Aug Sept Oct Nov
This shows hits to our hosted payment page so it isn’t showing transac9ons but it’s a decent guide.
Total hits grew from 675,853 in January to 1,039,725 in November. Mobile hits grew from 9887 (1.5%) in January to 38738 (3.7%) in
November
This is a 9ny amount of our overall transac9ons as well, about 3.5m transac9ons in Q3 on this chart but overall we did 16.2m

Mobile payments

Mobile Hits iOS Android BlackBerry
40000

36000

32000

28000

24000

20000

16000

12000

8000

4000

0
Jan Feb Mar Apr May Jun Jul Aug Sept Oct Nov
iOS way out in front, about 6 9mes as many hits from iOS devices as Android devices.
Doesn’t really show an increase in transac9ons from mobiles (as it’s based on hits) but it does show the increase in the use of
mobiles for sensi9ve ac9ons such as credit card payments. Roughly a 4 9mes increase from January to November

Mobile App Threat Modeling

• Like a web app threat model but scarier

• External dependencies completely out of your control
• No longer a server maintained by your operations team
• Phones not owned or maintained by you (or anyone!)
• What are your external dependencies for a mobile app?


Mobile App Threat Modeling


hLp://theunderstatement.com/post/11982112928/android‐orphans‐visualizing‐a‐sad‐history‐of‐support

■ 7 of the 18 Android phones never ran a current version of the OS.
■ 12 of 18 only ran a current version of the OS for a maLer of weeks or less.
■ 10 of 18 were at least two major versions behind well within their two year contract period.
■ 11 of 18 stopped gefng any support updates less than a year ager release.
■ 13 of 18 stopped gefng any support updates before they even stopped selling the device or very shortly thereager.
■ 15 of 18 don’t run Gingerbread, which shipped in December 2010.
■ At least 16 of 18 will almost certainly never get Ice Cream Sandwich.

Mobile app security issues

• Data in transit and at rest

• Dangerous inputs

Data in transit and at rest: Local Data Storage (Files, Caches and SQLite databases) ‐ you need to acknowledge that the data isn’t
really secure when its on the users device. Be careful what you store on the device and where you store it. If you encrypt the data on
the device where are you going to put the encryp9on key? When reviewing code for these type of issues you will be looking for
func9ons such as Context.openFileOutput() and Context.openFileInput() as well as ﬁle permissions. You can use things like the
keychain on iOS to secure ﬁles and data on the device.

Consuming 3rd party web services ‐ interes9ng apps need to talk to something else. You have to treat the data from these services as
“dangerous” and validate it like you would any other data. You also need to consider the fact that you don’t know where the data is
going or how it’s handled/stored etc When reviewing code you will be looking for func9ons that open network connec9ons, receive
input etc

iOS Image caching problem: In iOS when an applica9on moves to the background the system takes a screen shot of the applica9on's
main window. This screen shot is used to animate transi9ons when the app is reopened. What if sensi9ve info was on the screen?

hLp://sogware‐security.sans.org/blog/2011/01/14/whats‐in‐your‐ios‐image‐cache‐backgrounding‐snapshot/

General Input: Of course you need to keep an eye on SQL query related methods. Things like query() and rawQuery() in Android and
sqlite3_exec() in iOS and data received via intent messages for your data to receive and process.

Android and iOS

Android
Linux based OS
Applica9ons wriLen in Java
Java is compiled to DEX bytecode

iOS
Unix based OS
Applica9ons wriLen in Objec9ve‐C

Android Source Code

package com.denimgroup.android.training.pandemobium.stocktrader;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

public class TipsActivity extends Activity {

private WebView wvTips;

    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {

Log.i("TipsActivity", " Loading up browser page to display stock tips");

        super.onCreate(savedInstanceState);
        setContentView(R.layout.tips);

        wvTips = (WebView)findViewById(R.id.wv_tips);
        wvTips.loadUrl(getString(R.string.tip_list));
    }
}

How do we analyse Android code now? If you have the source code it’s preLy simple, just like a normal Java code review with some
Android specific checks of course. Otherwise you need to do the following:

download the .apk onto an AVD or a rooted phone
Unpack this and run a tool like apktool to make the AndroidManifest.xml file into a human readable format
Then you will need to convert the .DEX file into a jar file with another tool like dex2jar
You will then need to unzip the jar file and then decompile the class files into the original source code

AndroidManifest.xml

• A good place to start your security code reviews!

• Applications and System code have an AndroidManifest file
• Declares the package name, a unique identifier for the app
• Defines the permissions needed by the application
• Defines app activities and intents
• Compressed XML file in the .apk

AcCviCes ‐ is an applica9on component that provides a screen with which users can interact in order to do something, such as dial
the phone, take a photo, send an email, or view a map.

Intent ‐ ac9vi9es are ac9vated through messages, called intents. You can “call” your own ac9vi9es or let Android pick the right one
for you ‐ opening a URL for example. Let’s say there is an applica9on that finds hotels and would like to use another applica9on to
book it. For that it creates an implicit “Intent” where it says: “hey android, I intent to book this hotel, please find an applica9on that
is capable of booking it, and pass the data to do the booking” They have Ac9ons, Data and Categories.

"A different strategy is needed for implicit intents. In the absence of a designated target, the Android system must find the best
component (or components) to handle the intent" <‐‐ do you know what the target (i.e. other app) is going to do with your data?

Intent is basically a message that is passed between components (such as AcCviCes, Services, Broadcast Receivers, and Content
Providers).

One component that wants to invoke another has to express its' intent to do a job. And any other component that exists and has
claimed that it can do such a job through intent‐filters, is invoked by the android plavorm to accomplish the job. This means, both
the components are not aware of each other's existence and can s9ll work together to give the desired result for the end‐user.

hLp://developer.android.com/guide/topics/manifest/manifest‐intro.html

Agnitio hands on

• AndroidManifest.xml - before and after

Show Pandora applica9on AndroidManifest.xml:

Show SDK versions:
<uses‐sdk android:minSdkVersion="3" android:targetSdkVersion="8" />

Permissions:
<uses‐permission android:name="android.permission.INTERNET" />
<uses‐permission android:name="android.permission.ACCESS_NETWORK_STATE" />

Ac9on = ACTION_MAIN Start up as the ini9al ac9vity of a task, with no data input and no returned output.
Category = CATEGORY_LAUNCHER The ac9vity can be the ini9al ac9vity of a task and is listed in the top‐level applica9on launcher.

Android Static Analysis

• Context.openFileOutput()
• Context.openOrCreateDatabase()
• rawQuery()
• URLConnection()
• HttpResponse()
• MODE_PRIVATE
• MODE_WORLD_READABLE
• MODE_WORLD_WRITABLE

Context.openFileOutput() creates a local ﬁle on the device.
Context.openOrCreateDatabase() creates a local ﬁle on the device containing a SQLite database.
rawQuery Untrusted inputs should not be used to create SQL statements.  It is preferable to compile queries using
Database.compileStatement() and then put untrusted values into parameters passed to that statement.  Also note that untrusted
values should not be used to build up the strings passed to Database.compileStatement()
URLConnecCon() Mobile devices communicate across a variety of networks ‐ both trusted and untrusted.  Therefore it is important
that communica9ons be encrypted ‐ typically using HTTPS.
H<pResponse() Mobile devices communicate across a variety of networks ‐ both trusted and untrusted.  Therefore it is important
that communica9ons be encrypted ‐ typically using HTTPS. Data returned in a method like this must be validated before being used
in sinks.
Context.MODE_PRIVATE ‐ This is the most secure sefng because the resource will only be readable by the applica9on that created
it
Context.MODE_WORLD_READABLE ‐ This allows other applica9ons who know the name and loca9on of the resource to read it
Context.MODE_WORLD_WRITEABLE ‐ This allows other applica9ons who know the name and loca9on of the resource to write to it.

Agnitio hands on

• Analyse the Android Pandemobium app

Browse to PreferencesAc9vity.java, select the Java rules and click scan on this file.

openFileOutput method highlighted shows that the username and password is being wriLen in the clear to the device file
system. Explain whilst MODE_PRIVATE is being used it’s limited.

accountServiceURL is also highlighted, we need to open resvaluesstrings.xml to see what this URL is ‐ it’s a non SSL URL.

Go back to PreferencesAc9vity.java and show how we submit the username and password to this no SSL URL on the
“actualURL” line.

Next openFileOutput highlighted writes a value called accountId to a file in the clear with MODE_WORLD_READABLE and
MODE_WORLD_WRITABLE set. Why is this important? Well let’s see how accountId is used!

Browse to TradeAc9vity.java, select the Java rules and click scan on this file.

Scroll down un9l you see URL highlighted on the end of tradeServiceURL, we need to open resvaluesstrings.xml to see what
this URL is ‐ it’s a non SSL URL.

Go back to TradeAc9vity.java and show how we submit the accountId (retrieved using retrieveAccountId in u9l
AccountU9ls.java) as part of stock purchase request on the “actualURL” line. Any malicious app on the phone could retrieve
our WORLD_READABLE accountId value and submit trade requests as us. Two lines down (Try { Log.d) we also write the
request URL to a log file including the accountId again.

iOS Source Code

#import "TipViewController.h"
#import "StockDatabase.h"
#import "/usr/include/sqlite3.h"
#import "ASIHTTPRequest.h"
#import "ASIFormDataRequest.h"

@implementation TipViewController

@synthesize keyboardToolbar;

- (id)initWithNibName:(NSString *)nibNameOrNil bundle:(NSBundle *)nibBundleOrNil
{
    self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
    if (self) {
        // Custom initialization
        stockDB = [[StockDatabase alloc] init];
    }
    return self;
}

How do we analyse iOS code now? If you have the source code it’s preLy simple, just like a normal Objec9ve‐C code review, you
almost need to treat this like an old C/C++ style code review and look for things like Buﬀer Overﬂows ‐ like the world of fashion,
what is old is new again.

It isn’t impossible to get the source code from an app (i.e. decompiling it) but it is very hard, certainly not as easy as it is with
Android apps.

iOS Static Analysis

• writeToFile()
• openURL()
• sqlite3_prepare()
• NSFILE

writeToFile() writes data to a local ﬁle on the device.
openURL() Mobile devices communicate across a variety of networks ‐ both trusted and untrusted. Therefore it is important that
communica9ons be encrypted ‐ typically using HTTPS.
sqlite3_prepare() Untrusted inputs should not be used to create SQL statements. It is preferable to compile queries using
sqlite_prepare_v2 or sqlite_prepare16_v2 and then put untrusted values into parameters passed to that statement.
NSFILE Data ﬁles on iOS receive some protec9on from other processes, but care should be taken when storing data in case the
device is lost and jailbroken by an aLacker.

Agnitio hands on

• Analyse the iOS Pandemobium app

CD "C:UsersDavid RookDesktop"

adb pull /data/app/com.pandora.android.apk

My USB key........

• I have some things on my USB key you might want

• .apk files of popular and “suspicious” Android apps
• System.img file for v2.2 emulator to enable the marketplace
• You have to trust my USB key is safe to use ;-)


www.securityninja.co.uk
http://sourceforge.net/projects/agnitiotool/

@securityninja

/realexninja

/securityninja

/realexninja


QUESTIONS?
www.securityninja.co.uk
http://sourceforge.net/projects/agnitiotool/

@securityninja

/realexninja

/securityninja

/realexninja


OWASP Birmingham - Mobile Application Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to OWASP Birmingham - Mobile Application Security

Similar to OWASP Birmingham - Mobile Application Security (20)

More from Security Ninja

More from Security Ninja (17)

Recently uploaded

Recently uploaded (20)

OWASP Birmingham - Mobile Application Security