2. if (slide == introduction)
System.out.println("I’m David Rook");
• Application Security Lead, Realex Payments, Dublin
CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• Developed and released Agnitio
Friday, 9 December 2011
3. Agenda
• The mobile applosion!
• Android and iOS app analysis
4. There’s an app for that
• There’s an app for that......
• Apps allow users to do more than send SMS and play Snake
• Completely changed the way people view and use phones
• Businesses love apps, if they don’t have one they want one
• Innovative apps for customers using mobile functionality
Businesses can benefit from having a mobile presence.
Customers "expect" a mobile presence from companies nowadays. Companies can utilise this to offer new ways of doing existing tasks such as mobile boarding passes, mobile banking and checking share prices.
Businesses can be created or rapidly grow because of mobile apps.
Rovio is probably the most famous example but certainly not the only or last one.
16. There’s an app for that
• Mobile apps can create value for a business
• Businesses can benefit from having a mobile presence
• Innovative apps for customers using mobile functionality
• Most developers have not been trained to write secure code
• Not trained to write secure code, new to mobile development......
• What could possibly go wrong?
What could possibly go wrong? Well, we need to understand how many apps/downloads/smartphones there are first.
19. There’s an app for that
1 million+    $15 billion    30 billion    115 million
Apps          Income         Downloads     Phones
Over 1 million apps across all of the app stores; pretty much all of the million plus are in the App Store or Android Market (500,000 Apple and 600,000 Android; all other app stores about 50,000 at the most).
Estimated $15 billion of income from app sales in 2011 (http://www.gartner.com/it/page.jsp?id=1529214)
About 30 billion app downloads from the App Store and Android Market (18bn for the App Store http://en.wikipedia.org/wiki/App_Store_(iOS) and about 7bn for Android Market http://en.wikipedia.org/wiki/Android_Market) since the Apple App Store was launched on 11 July 2008.
115m smartphones sold in Q3 2011 (http://www.gartner.com/it/page.jsp?id=1848514)
24. There’s an app for that
Android Market has about 600,000 apps now (December 2011, http://www.androlib.com/appstats.aspx)
Apple App Store has over 500,000 apps now (October, http://en.wikipedia.org/wiki/App_Store_(iOS)#cite_note-18billion-52)
Nokia Ovi Store is now around 50,000 apps (http://en.wikipedia.org/wiki/Ovi_(Nokia)#Ovi_Store)
BlackBerry App World is also around 50,000 apps (http://en.wikipedia.org/wiki/BlackBerry_App_World)
Windows Phone Marketplace has around 40,000 apps (http://en.wikipedia.org/wiki/Windows_Phone_Marketplace)
25. There’s an app for that
• The predicted growth happened
• 1,000,000+ apps by the end of 2011
• How many have been developed with security in mind?
• The answer isn’t “none” but it won’t be many, ≤1%?
• But none of us are surprised by this are we?
• I want us to try and find the insecure apps with Agnitio
28. Mobile payments
• Payments made using a mobile
• I’m not talking about NFC or in app payments
• I want to share some real world payment stats with you
• Based on analysis of Realex hosted payment page hits
29. Mobile payments
[Chart: Total Hits vs Mobile Hits to the Realex hosted payment page per month, Jan to Nov 2011; y-axis 0 to 1,500,000]
This shows hits to our hosted payment page so it isn’t showing transactions, but it’s a decent guide.
Total hits grew from 675,853 in January to 1,039,725 in November. Mobile hits grew from 9,887 (1.5%) in January to 38,738 (3.7%) in November.
This is a tiny amount of our overall transactions as well: about 3.5m transactions in Q3 on this chart, but overall we did 16.2m.
30. Mobile payments
[Chart: Mobile Hits per month split by iOS, Android and BlackBerry, Jan to Nov 2011; y-axis 0 to 40,000]
iOS way out in front, about 6 times as many hits from iOS devices as from Android devices.
Doesn’t really show an increase in transactions from mobiles (as it’s based on hits) but it does show the increase in the use of mobiles for sensitive actions such as credit card payments. Roughly a 4 times increase from January to November.
31. Mobile App Threat Modeling
• Like a web app threat model but scarier
• External dependencies completely out of your control
• No longer a server maintained by your operations team
• Phones not owned or maintained by you (or anyone!)
• What are your external dependencies for a mobile app?
33.
http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support
■ 7 of the 18 Android phones never ran a current version of the OS.
■ 12 of 18 only ran a current version of the OS for a matter of weeks or less.
■ 10 of 18 were at least two major versions behind well within their two year contract period.
■ 11 of 18 stopped getting any support updates less than a year after release.
■ 13 of 18 stopped getting any support updates before they even stopped selling the device or very shortly thereafter.
■ 15 of 18 don’t run Gingerbread, which shipped in December 2010.
■ At least 16 of 18 will almost certainly never get Ice Cream Sandwich.
34. Mobile app security issues
• Data in transit and at rest
• Dangerous inputs
Data in transit and at rest: local data storage (files, caches and SQLite databases) - you need to acknowledge that the data isn’t really secure once it’s on the user’s device. Be careful what you store on the device and where you store it. If you encrypt the data on the device, where are you going to put the encryption key? When reviewing code for these types of issues you will be looking for functions such as Context.openFileOutput() and Context.openFileInput() as well as the file mode flags they are given (MODE_PRIVATE, MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE). On iOS, use the keychain for small secrets such as passwords and keys and the Data Protection API (NSFileProtectionComplete) for files; the protection classes of both depend on the user having set a device passcode.
Consuming 3rd party web services - interesting apps need to talk to something else. You have to treat the data from these services as “dangerous” and validate it like you would any other data. You also need to consider the fact that you don’t know where the data is going or how it’s handled/stored etc. When reviewing code you will be looking for functions that open network connections, receive input etc.
iOS image caching problem: in iOS when an application moves to the background the system takes a screen shot of the application’s main window. This screen shot is used to animate transitions when the app is reopened. What if sensitive info was on the screen? The usual mitigation is to hide or blank sensitive views in applicationDidEnterBackground: before the snapshot is taken.
http://software-security.sans.org/blog/2011/01/14/whats-in-your-ios-image-cache-backgrounding-snapshot/
General input: of course you need to keep an eye on SQL query related methods, things like query() and rawQuery() in Android and sqlite3_exec() in iOS. Data received via intent messages is also input for your app to receive and process.
35. Android and iOS
Android
• Linux based OS
• Applications written in Java
• Java is compiled to DEX (Dalvik) bytecode and packaged in an .apk
iOS
• Unix (Darwin/XNU) based OS
• Applications written in Objective-C, compiled to native ARM code
36. Android Source Code
package com.denimgroup.android.training.pandemobium.stocktrader;
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;
public class TipsActivity extends Activity {
private WebView wvTips;
/** Called when the activity is first created. */
@Override
public void onCreate(Bundle savedInstanceState) {
// Goes to logcat, which other apps holding READ_LOGS could read on Android of this era
Log.i("TipsActivity", " Loading up browser page to display stock tips");
super.onCreate(savedInstanceState);
setContentView(R.layout.tips);
wvTips = (WebView)findViewById(R.id.wv_tips);
// The URL lives in res/values/strings.xml (tip_list); check its scheme there
wvTips.loadUrl(getString(R.string.tip_list));
}
}
How do we analyse Android code now? If you have the source code it’s pretty simple, just like a normal Java code review with some Android specific checks of course. Otherwise you need to do the following:
Install the app on an AVD or a rooted phone and pull the .apk off it (adb pull /data/app/<package>.apk)
Unpack it and run a tool like apktool to turn the binary AndroidManifest.xml (and the resources) back into a human readable format
Then convert the classes.dex file into a jar file with another tool like dex2jar
Then unzip the jar file and decompile the class files with a Java decompiler. What comes back is a reconstruction rather than the original source: identifiers survive unless the app was obfuscated (ProGuard), comments never do.
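The first step of that pipeline, as an added example that is not part of the slides or of Agnitio: an .apk is an ordinary zip archive, so before running apktool and dex2jar it is worth checking that the entries a reviewer needs are present, that the manifest really is in the binary XML form apktool decodes, and what the classes.dex header says. The script runs against a constructed in-memory archive so it works offline; point triage_apk() at the bytes of a real .apk pulled with adb. The tool command lines it prints assume the standard apktool and dex2jar CLI syntax.

```python
"""Triage an .apk before decoding it with apktool/dex2jar."""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"              # classes.dex begins "dex\n035\0"; the digits are the version
AXML_MAGIC = b"\x03\x00\x08\x00"  # binary AndroidManifest.xml: RES_XML_TYPE chunk, header size 8


def triage_apk(apk_bytes: bytes) -> dict:
    """Return what a reviewer wants to know before decompiling."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),   # record what you actually reviewed
        "entries": len(names),
        "dex_files": sorted(n for n in names if n.endswith(".dex")),
        "manifest_is_binary": False,
        "dex_version": None,
        "signature_files": sorted(n for n in names
                                  if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".SF"))),
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
    }
    if "AndroidManifest.xml" in names:
        # A binary manifest needs apktool to read; a plain-text one means an unbuilt project
        report["manifest_is_binary"] = zf.read("AndroidManifest.xml")[:4] == AXML_MAGIC
    if "classes.dex" in names:
        head = zf.read("classes.dex")[:8]
        if head.startswith(DEX_MAGIC):
            report["dex_version"] = head[4:7].decode("ascii")  # e.g. "035"
    return report


def decode_commands(apk_path: str) -> list:
    """The manual pipeline from the slide as shell commands (not executed here)."""
    stem = apk_path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return [
        f"apktool d {apk_path} -o {stem}-apktool",          # readable manifest, resources, smali
        f"d2j-dex2jar.sh {apk_path} -o {stem}-dex2jar.jar",  # classes.dex -> jar of .class files
        f"unzip -q {stem}-dex2jar.jar -d {stem}-classes",   # then decompile with e.g. JD-GUI
    ]


def build_sample_apk() -> bytes:
    """Constructed, minimal .apk-shaped zip for offline use (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 60)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("lib/armeabi/libnative.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    for key, value in triage_apk(sample).items():
        print(f"{key}: {value}")
    print("\n".join(decode_commands("/tmp/com.example.target.apk")))
```

Native libraries in lib/ are a reminder that dex2jar only covers the Java half of the app; anything in a .so needs the same C-style review the iOS slides describe.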
37. AndroidManifest.xml
• A good place to start your security code reviews!
• Applications and System code have an AndroidManifest file
• Declares the package name, a unique identifier for the app
• Defines the permissions needed by the application
• Defines app activities and intents
• Binary (compiled) XML inside the .apk; apktool turns it back into text
Activities - an activity is an application component that provides a screen with which users can interact in order to do something, such as dial the phone, take a photo, send an email, or view a map.
Intents - activities are activated through messages, called intents. You can “call” your own activities or let Android pick the right one for you - opening a URL for example. Let’s say there is an application that finds hotels and would like to use another application to book one. For that it creates an implicit “Intent” where it says: “hey Android, I intend to book this hotel, please find an application that is capable of booking it, and pass it the data to do the booking”. Intents have Actions, Data and Categories.
“A different strategy is needed for implicit intents. In the absence of a designated target, the Android system must find the best component (or components) to handle the intent” <-- do you know what the target (i.e. the other app) is going to do with your data? The flip side is the same question in reverse: any of your own components that declares an intent-filter is exported by default, so other apps can send it intents too.
An Intent is basically a message passed between components (Activities, Services and Broadcast Receivers; Content Providers are reached through a ContentResolver rather than an intent).
One component that wants to invoke another has to express its intent to do a job. Any other component that exists and has claimed through its intent-filters that it can do such a job is invoked by the Android platform to accomplish it. This means the two components are not aware of each other’s existence and can still work together to give the desired result for the end user.
http://developer.android.com/guide/topics/manifest/manifest-intro.html
38. Agnitio hands on
• AndroidManifest.xml - before and after
Show the Pandora application AndroidManifest.xml:
Show SDK versions:
<uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8" />
Permissions:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
Action = ACTION_MAIN: start up as the initial activity of a task, with no data input and no returned output.
Category = CATEGORY_LAUNCHER: the activity can be the initial activity of a task and is listed in the top-level application launcher.
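The manifest checks from the last two slides, as an added example that is not part of the slides, Agnitio or the Pandora manifest: read a decoded AndroidManifest.xml (what apktool produces), report the package, SDK levels and permissions, and sort the components into those other apps can reach with an intent and those they cannot. The manifest below is constructed for this example; the package, activity, service and provider names are invented, and only the uses-sdk line copies the values shown on the slide.

```python
"""Review a decoded AndroidManifest.xml: SDK levels, permissions, exported components."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """ElementTree spelling of an android:attr attribute name."""
    return "{%s}%s" % (ANDROID_NS, attr)


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stocktrader">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <application android:label="StockTrader">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".TradeActivity">
      <intent-filter>
        <action android:name="com.example.stocktrader.TRADE" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
    <activity android:name=".PreferencesActivity" />
    <service android:name=".SyncService" android:exported="true" />
    <provider android:name=".AccountProvider"
              android:authorities="com.example.stocktrader.accounts" />
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(component: ET.Element, target_sdk: int) -> bool:
    """Android's rule: an explicit android:exported wins; otherwise an activity,
    service or receiver with an intent-filter is exported, and a provider is
    exported by default when targetSdkVersion < 17."""
    explicit = component.get(android("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def review_manifest(xml_text: str) -> dict:
    """Summarise the manifest; 'exported' is the attack surface other apps see."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(android("minSdkVersion"), "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(android("targetSdkVersion"), str(min_sdk))) if sdk is not None else min_sdk
    report = {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "permissions": [p.get(android("name")) for p in root.findall("uses-permission")],
        "exported": [],
        "private": [],
    }
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        entry = {
            "tag": comp.tag,
            "name": comp.get(android("name")),
            "actions": [a.get(android("name")) for a in comp.iter("action")],
        }
        bucket = "exported" if is_exported(comp, target_sdk) else "private"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    r = review_manifest(SAMPLE_MANIFEST)
    print(r["package"], "minSdk", r["min_sdk"], "targetSdk", r["target_sdk"])
    print("permissions:", ", ".join(r["permissions"]))
    for e in r["exported"]:
        # These accept intents from any app: treat their extras as untrusted input.
        print("EXPORTED %-9s %-20s actions=%s" % (e["tag"], e["name"], e["actions"]))
```

Every component in the exported list is a place where the "do you know what the other app does with your data" question runs the other way: the extras arriving in its intents are input from an arbitrary app and need the same validation as anything from the network.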
39. Android Static Analysis
• Context.openFileOutput()
• Context.openOrCreateDatabase()
• rawQuery()
• URLConnection()
• HttpResponse()
• MODE_PRIVATE
• MODE_WORLD_READABLE
• MODE_WORLD_WRITEABLE
Context.openFileOutput() creates a local file on the device.
Context.openOrCreateDatabase() creates a local file on the device containing a SQLite database.
rawQuery(): untrusted inputs should not be used to build SQL statements by string concatenation. Either pass the values in the selectionArgs array that rawQuery() and query() accept, or compile the query with SQLiteDatabase.compileStatement() and bind untrusted values to its ? parameters. Untrusted values should never be used to build up the string passed to compileStatement() either.
URLConnection(): mobile devices communicate across a variety of networks - both trusted and untrusted. Therefore it is important that communications be encrypted - typically using HTTPS.
HttpResponse(): the same applies, and data returned by a method like this must be validated before being used in sinks.
Context.MODE_PRIVATE - the most secure setting because the resource will only be readable by the application that created it (the file is created rw-rw---- and owned by the app’s own UID).
Context.MODE_WORLD_READABLE - allows other applications who know the name and location of the resource to read it.
Context.MODE_WORLD_WRITEABLE - allows other applications who know the name and location of the resource to write to it.
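What the rawQuery() rule above (and the sqlite3_exec()/sqlite3_prepare() rule on the iOS slide) is guarding against, as an added example that is not from the slides or the Pandemobium app: Python’s sqlite3 module stands in for Android’s SQLiteDatabase and the iOS sqlite3 C API, since all three speak the same SQL and the same ? placeholders. The schema, rows and attacker string are constructed for this example.

```python
"""Concatenated SQL versus bound parameters against an app-style SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's on-device SQLite file."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stocks(symbol TEXT, owner TEXT, qty INTEGER);
        INSERT INTO stocks VALUES ('ACME', 'alice', 10), ('ACME', 'bob', 25), ('XYZ', 'alice', 3);
        CREATE TABLE credentials(username TEXT, password TEXT);
        INSERT INTO credentials VALUES ('alice', 'hunter2'), ('bob', 'letmein');
    """)
    return db


def holdings_concat(db: sqlite3.Connection, owner: str, symbol: str) -> list:
    """The rawQuery("..." + symbol + "...") pattern: user-controlled text becomes SQL."""
    sql = ("SELECT symbol, qty FROM stocks WHERE owner = '" + owner
           + "' AND symbol = '" + symbol + "'")
    return db.execute(sql).fetchall()


def holdings_bound(db: sqlite3.Connection, owner: str, symbol: str) -> list:
    """The compileStatement() / sqlite3_prepare_v2() + bind pattern: '?' placeholders,
    values handed to the engine separately and never parsed as SQL."""
    sql = "SELECT symbol, qty FROM stocks WHERE owner = ? AND symbol = ?"
    return db.execute(sql, (owner, symbol)).fetchall()


# Constructed attacker input, as an intent extra or a form field could deliver it.
# It closes the quoted string, appends a UNION that pulls another table with the
# same column count, and comments out the trailing quote.
PAYLOAD = "' UNION SELECT username, password FROM credentials --"


def demo() -> dict:
    db = make_db()
    return {
        "concat_normal": holdings_concat(db, "alice", "ACME"),
        "concat_attack": holdings_concat(db, "alice", PAYLOAD),   # credentials table leaks
        "bound_attack": holdings_bound(db, "alice", PAYLOAD),     # [] : no such symbol
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

On Android the bound form is rawQuery(sql, new String[]{owner, symbol}) or compileStatement() plus bindString(); on iOS it is sqlite3_prepare_v2() plus sqlite3_bind_text(). sqlite3_exec() has no binding interface at all, which is why it is a finding on its own.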
40. Agnitio hands on
• Analyse the Android Pandemobium app
Browse to PreferencesActivity.java, select the Java rules and click scan on this file.
The openFileOutput method highlighted shows that the username and password are being written in the clear to the device file system. Explain that whilst MODE_PRIVATE is being used it’s limited: it keeps other (non-root) apps out, not an attacker with root or with the device in hand.
accountServiceURL is also highlighted; we need to open res\values\strings.xml to see what this URL is - it’s a non SSL URL.
Go back to PreferencesActivity.java and show how we submit the username and password to this non SSL URL on the “actualURL” line.
The next openFileOutput highlighted writes a value called accountId to a file in the clear with MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE set. Why is this important? Well, let’s see how accountId is used!
Browse to TradeActivity.java, select the Java rules and click scan on this file.
Scroll down until you see URL highlighted on the end of tradeServiceURL; we need to open res\values\strings.xml to see what this URL is - it’s a non SSL URL.
Go back to TradeActivity.java and show how we submit the accountId (retrieved using retrieveAccountId in AccountUtils.java, in the util package) as part of the stock purchase request on the “actualURL” line. Any malicious app on the phone could retrieve our WORLD_READABLE accountId value and submit trade requests as us (and, the file being WORLD_WRITEABLE, overwrite it). Two lines down (try { Log.d) we also write the request URL to the log, including the accountId again.
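Confirming that finding on the device rather than only in the source, as an added example that is not part of the slides, Agnitio or Pandemobium: mode_to_perms() reproduces the Unix permissions Android applies for each Context mode flag, and world_access() reads `ls -l` output from /data/data/<package>/files on an AVD or rooted phone and flags anything other UIDs (that is, other apps) can touch. The listing below is constructed for this example; the file names follow the findings described above and the owner app_56 is invented.

```python
"""Map Context mode flags to file permissions and flag world-accessible app files."""
import stat

# android.content.Context flag values
MODE_PRIVATE = 0x0000
MODE_WORLD_READABLE = 0x0001
MODE_WORLD_WRITEABLE = 0x0002


def mode_to_perms(mode: int) -> int:
    """Base is rw-rw---- (owner and group are the app's own UID); the WORLD_* flags
    add o+r / o+w. Both flags were deprecated in API 17 and throw a
    SecurityException from API 24, but 2011-era apps use them freely."""
    perms = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP
    if mode & MODE_WORLD_READABLE:
        perms |= stat.S_IROTH
    if mode & MODE_WORLD_WRITEABLE:
        perms |= stat.S_IWOTH
    return perms


# Constructed `adb shell ls -l /data/data/com.example.stocktrader/files` output
# in the toolbox format of the time: perms owner group size date time name.
SAMPLE_LS = """\
-rw-rw---- app_56   app_56         41 2011-12-01 10:23 credentials.txt
-rw-rw-rw- app_56   app_56          8 2011-12-01 10:24 accountId
-rw-rw-r-- app_56   app_56       2048 2011-12-01 10:24 stocks.db
drwxrwx--x app_56   app_56            2011-12-01 10:20 cache
"""


def world_access(ls_output: str) -> list:
    """Return (name, perms, issues) for regular files readable/writable by 'other'.
    'Other' is every other app on the phone, since each app runs as its own UID.
    A clean result says nothing about what is in the file: credentials.txt
    below is MODE_PRIVATE and still plaintext."""
    findings = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("-"):
            continue  # skip directories, symlinks and malformed lines
        perms, name = fields[0], fields[-1]
        other = perms[7:10]
        issues = []
        if "r" in other:
            issues.append("world-readable")
        if "w" in other:
            issues.append("world-writable")
        if issues:
            findings.append((name, perms, issues))
    return findings


if __name__ == "__main__":
    for flag, label in ((MODE_PRIVATE, "MODE_PRIVATE"),
                        (MODE_WORLD_READABLE, "MODE_WORLD_READABLE"),
                        (MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE, "READABLE|WRITEABLE")):
        print(f"{label:22s} -> {stat.filemode(stat.S_IFREG | mode_to_perms(flag))}")
    for name, perms, issues in world_access(SAMPLE_LS):
        print(f"{perms} {name}: {', '.join(issues)}")
```

The static scan tells you which call sites use the WORLD_* flags; the listing tells you which files actually ended up with those bits, including any written by code the scan did not cover.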
41. iOS Source Code
#import "TipViewController.h"
#import "StockDatabase.h"
#import "/usr/include/sqlite3.h"
#import "ASIHTTPRequest.h"
#import "ASIFormDataRequest.h"
@implementation TipViewController
@synthesize keyboardToolbar;
- (id)initWithNibName:(NSString *)nibNameOrNil bundle:(NSBundle *)nibBundleOrNil
{
self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
if (self) {
// Custom initialization
stockDB = [[StockDatabase alloc] init];
}
return self;
}
How do we analyse iOS code now? If you have the source code it’s pretty simple, just like a normal Objective-C code review; you almost need to treat this like an old C/C++ style code review and look for things like buffer overflows - like the world of fashion, what is old is new again.
It isn’t impossible to get the source code back from an app (i.e. decompiling it) but it is very hard, certainly not as easy as it is with Android apps: there is no bytecode to decompile, App Store binaries are encrypted and have to be dumped from memory on a jailbroken device first, and what class-dump and a disassembler then give you is class/method names and ARM assembly rather than Objective-C.
42. iOS Static Analysis
• writeToFile()
• openURL()
• sqlite3_prepare()
• NSFILE
writeToFile() writes data to a local file on the device.
openURL() Mobile devices communicate across a variety of networks - both trusted and untrusted. Therefore it is important that communications be encrypted - typically using HTTPS.
sqlite3_prepare() Untrusted inputs should not be used to create SQL statements. It is preferable to compile queries with sqlite3_prepare_v2() or sqlite3_prepare16_v2() using ? placeholders and then supply untrusted values with sqlite3_bind_*(); sqlite3_exec() has no way to bind parameters at all.
NSFILE Data files on iOS receive some protection from other processes, but care should be taken when storing data in case the device is lost and jailbroken by an attacker.
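The Android (slides 39 and 40) and iOS (slide 42) static-analysis lists as a small Agnitio-style rule scanner, added here as an example that is not Agnitio’s code and not part of the slides: each sink is a regex with a note on what to check by hand, run over two constructed snippets modelled on the Pandemobium findings (the Java and Objective-C below are written for this example, not taken from the app). Hits carry file, line number, rule and the offending code so they can be walked through the way the hands-on notes do.

```python
"""Regex sink scanner for the Android and iOS review rules on the slides."""
import re

RULES = {
    "java": [
        (r"\bopenFileOutput\s*\(", "local file written; check the mode flag and what is stored"),
        (r"\bopenOrCreateDatabase\s*\(", "SQLite file on device; check the mode flag and contents"),
        (r"\brawQuery\s*\(\s*\"[^\"]*\"\s*\+", "SQL built by concatenation; use ? with selectionArgs or compileStatement"),
        (r"MODE_WORLD_(READABLE|WRITEABLE)", "other apps can access this resource"),
        (r"\b(URLConnection|HttpResponse|HttpClient)\b", "network I/O; must be HTTPS, output validated"),
        (r"\"http://", "cleartext URL literal"),
        (r"\bLog\.[vdiwe]\s*\(", "logcat was readable by any app holding READ_LOGS before 4.1; no secrets"),
    ],
    "objc": [
        (r"\bwriteToFile:", "file written to device; consider NSFileProtection or the keychain"),
        (r"\bopenURL:", "outbound URL; must be HTTPS, validate the scheme"),
        (r"\bsqlite3_(exec|prepare)\s*\(", "unparameterised SQL API; prefer sqlite3_prepare_v2 + sqlite3_bind_*"),
        (r"\b(strcpy|strcat|sprintf|gets)\s*\(", "classic C overflow sink"),
        (r"@\"http://", "cleartext URL literal"),
    ],
}


def scan(source: str, lang: str, filename: str = "<input>") -> list:
    """Return one finding per (line, rule) hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, note in RULES[lang]:
            if re.search(pattern, line):
                findings.append({"file": filename, "line": lineno, "rule": pattern,
                                 "note": note, "code": line.strip()})
    return findings


# Constructed Java in the shape of the PreferencesActivity/TradeActivity findings.
JAVA_SAMPLE = """\
String accountServiceURL = "http://stocktrader.example/account";
FileOutputStream fos = openFileOutput("credentials", Context.MODE_PRIVATE);
fos.write((username + ":" + password).getBytes());
FileOutputStream id = openFileOutput("accountId", Context.MODE_WORLD_READABLE | Context.MODE_WORLD_WRITEABLE);
Cursor c = db.rawQuery("SELECT * FROM stocks WHERE symbol = '" + symbol + "'", null);
Log.d("TradeActivity", "request " + actualURL + " accountId=" + accountId);
"""

# Constructed Objective-C in the shape of the TipViewController code.
OBJC_SAMPLE = """\
NSString *url = @"http://stocktrader.example/tips";
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:url]];
[data writeToFile:path atomically:YES];
sqlite3_exec(db, [[NSString stringWithFormat:@"INSERT INTO tips VALUES('%@')", tip] UTF8String], NULL, NULL, &err);
char buf[32]; strcpy(buf, [symbol UTF8String]);
"""


if __name__ == "__main__":
    for src, lang, name in ((JAVA_SAMPLE, "java", "PreferencesActivity.java"),
                            (OBJC_SAMPLE, "objc", "TipViewController.m")):
        for f in scan(src, lang, name):
            print(f"{f['file']}:{f['line']}: {f['note']}\n    {f['code']}")
```

Note that line 2 of the Java sample is flagged only for openFileOutput(): the scanner cannot see that a password is being written in the clear, which is exactly the part of the hands-on that still needs a human reading the highlighted line.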
43. Agnitio hands on
• Analyse the iOS Pandemobium app
CD "C:\Users\David Rook\Desktop"
adb pull /data/app/com.pandora.android.apk
44. My USB key........
• I have some things on my USB key you might want
• .apk files of popular and “suspicious” Android apps
• System.img file for v2.2 emulator to enable the marketplace
• You have to trust my USB key is safe to use ;-)