Learn about the risks and vulnerabilities specific to mobile platforms, and review case studies on some high-profile attacks.
- [Instructor] The rapid growth and variety of applications in mobile technology has brought with it many new threats. The functionality of the platforms and the new technologies being introduced all offer a broader attack surface, while security is struggling to keep up with the demands not only of the technology but of usability. The infrastructure supporting mobile technology is now quite complex. The challenge of achieving non-intrusive security is most pronounced on mobile platforms, and the many flaws found over the last few years have squashed any idea that the mobile operating systems are somehow less vulnerable than their IT counterparts, all of which goes to make the job of the security tester critical to the continuing growth and success of mobile device use.
The Open Web Application Security Project, OWASP, started life by providing a framework and tools for testing web applications. However, its tremendous success spurred the creation of additional security testing projects in mobile and, more recently, the Internet of Things. The OWASP Mobile Security Project, whose webpage is shown here, is a good place to start in looking at the threats to mobile applications and the best practices in mobile device and application security. OWASP maintains a list of mobile threats that should be checked, and a key deliverable from the OWASP project is the annual top ten threat list.
This provides a useful starting point for testing and is a basic hygiene check for any mobile application. We can see here the 2014 top ten mobile threats. Of course, the relative importance of vulnerabilities changes regularly, and as a consequence this list is reissued annually. New threats emerge, and older applications which had previously been checked may become subject to these newer threats. In addition, threats that may have been identified as low-end threats may become more of an issue should malware be detected in the wild.
Here we can see the list of 2016 top ten threats, some of which are the same and a number of which have been redefined. The three key threats of insecure data, authentication, and cryptography have all increased in priority, and the issue of extraneous functionality has come in at number ten and will likely increase in priority as we go forward. Let's take a quick look at each of them. Improper platform usage. This category covers misuse of a platform feature or failure to use platform security controls, including Android intents, platform permissions, misuse of Touch ID, the Keychain, and other security controls in the mobile operating system.
Insecure data storage combines two of the threats from the 2014 top ten: insecure data storage and unintended data leakage. Unfortunately, there are far too many ways in which these issues can occur. In a recent study of mobile apps it was found that 5% transfer personal information to third-party servers and about half transmitted device and location information. Insecure communication covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, and other similar issues.
Even supposedly secure communications can prove to have weaknesses through such issues as poor random number generators. Insecure authentication, when authenticating the end user or through bad session management, is the next big threat. This can include failing to identify the user and to correctly maintain the user's identity throughout the session. Insufficient cryptography. This issue was highlighted with the weakness found in MD4 and MD5 some years ago, but in general cryptography is an area of significant concern because it's extremely difficult to design and code good cryptographic systems.
Vendor proprietary algorithms are of particular concern. Insecure authorization includes all threats related to failures in authorization, specifically to use a restricted function or access controlled data. Client code quality is a catch-all for code-level implementation problems in the mobile client, such as buffer overflows, format string vulnerabilities, and various other coding mistakes. Code tampering covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification subsequent to the application being loaded.
This can be done through changing the contents of memory, changing the system APIs that the application uses, or modifying the application's data and resources. Reverse engineering. This is an interesting category of threat, as it's the means by which testers validate security and provide recommendations for improvement to the developer. However, if an adversary gets hold of the application and reverse engineers it, they're much more likely to exploit vulnerabilities in the application rather than reporting them. Extraneous functionality.
Often developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into production. Or they may include some form of amusement, such as what are known as Easter eggs. These are hidden functions which appear when special combinations of keystrokes or mouse clicks are used. There are many more threats. The 2016 list of significant threats has 91 entries. So while the form factor may be small, the testing activity isn't. One of the key goals of the OWASP Mobile Security Project is to provide standardization of mobile application testing methodologies to ensure users can have confidence in their testing programs.
While specific techniques exist for individual platforms, OWASP provides a general mobile threat model which applies to any platform and can be customized to meet the needs of both the owner and the tester. The guidance is not only intended for testers but also for developers, providing guidance on the development of applications which are built from the ground up with security in mind. There are different ways of testing. The ideal assessment combines static analysis, dynamic analysis, and forensic analysis to ensure that the majority of the mobile application attack surface is covered.
The Android platform is able to be virtualized, and so applications can be tested within a virtualized environment. When testing Apple applications, however, there's no virtualized environment, so the tester needs to jailbreak a device to use as the testing platform. A final note: this testing is designed to identify weaknesses in mobile applications, and in the case of the iPhone it involves running applications on a device. The techniques we use may not be suitable for forensic use, especially if evidential integrity is required.
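As an added example (not part of the course transcript or any OWASP tool), the script below shows what the static-analysis part of such an assessment looks like in practice for the Android platform: it audits an app's AndroidManifest.xml and network_security_config.xml for settings that map onto the 2016 top ten categories discussed above (M1 improper platform usage, M2 insecure data storage, M3 insecure communication, M10 extraneous functionality). The two manifests and the network config are constructed samples; the package name, component names and domain are made up, and the category labels are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample: a manifest with several weak settings.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".ResetReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>"""

# Constructed sample: the same app with the settings corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".ResetReceiver" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: a network security config that trusts user-installed CAs
# and still allows cleartext to one legacy host.
WEAK_NETWORK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree expands the prefix)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return (category, message) findings for an AndroidManifest.xml string."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append(("M10 Extraneous functionality", "application is debuggable in this build"))
    if _attr(app, "allowBackup") != "false":
        findings.append(("M2 Insecure data storage", "allowBackup is not explicitly false; app data is included in device backups"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("M3 Insecure communication", "usesCleartextTraffic=true allows plain HTTP app-wide"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = _attr(comp, "exported")
        # On older target SDK levels a component with an intent-filter is exported by default.
        implicit = exported is None and comp.find("intent-filter") is not None
        is_launcher = any(_attr(c, "name") == LAUNCHER for c in comp.findall("intent-filter/category"))
        if (exported == "true" or implicit) and not is_launcher and _attr(comp, "permission") is None:
            findings.append(("M1 Improper platform usage",
                             "%s %s is exported without a protecting permission" % (comp.tag, _attr(comp, "name"))))
    return findings


def audit_network_config(config_xml):
    """Return (category, message) findings for a network_security_config.xml string."""
    findings = []
    for section in ET.fromstring(config_xml).iter():
        if section.tag in ("base-config", "domain-config", "debug-overrides") \
                and section.get("cleartextTrafficPermitted") == "true":
            domains = [d.text for d in section.findall("domain")]
            scope = "for " + ", ".join(domains) if domains else "globally"
            findings.append(("M3 Insecure communication", "%s permits cleartext traffic %s" % (section.tag, scope)))
        if section.tag == "trust-anchors":
            for cert in section.findall("certificates"):
                if cert.get("src") == "user":
                    findings.append(("M3 Insecure communication", "user-installed CAs are trusted for TLS"))
    return findings


if __name__ == "__main__":
    for label, findings in (("weak manifest", audit_manifest(WEAK_MANIFEST)),
                            ("hardened manifest", audit_manifest(HARDENED_MANIFEST)),
                            ("network config", audit_network_config(WEAK_NETWORK_CONFIG))):
        print(label, "->", len(findings), "finding(s)")
        for category, message in findings:
            print("  [%s] %s" % (category, message))
```

The weak manifest produces four findings (one each for M1, M2, M3 and M10) and the hardened one produces none; the network config yields two M3 findings. Run against a real app, the inputs would be the decoded manifest and config pulled from the APK, and the output is a checklist to follow up with the dynamic and forensic analysis the instructor describes, not a verdict on its own.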
These methods are recognized by EC-Council as an integral part of the body of knowledge for those looking to earn their Certified Ethical Hacker certification. The complete CEH BOK can be found at https://www.eccouncil.org/Certification/certified-ethical-hacker/CEH-What-You-Will-Learn.
- Static and dynamic analysis of mobile applications
- Testing on Android
- Analyzing Android applications
- Securing iOS applications
- Jailbreaking iOS for command-line access
- Analyzing iOS apps