App Security Assessment
Mobile technology has given business professionals and executives greater productivity, availability and convenience. Unfortunately, it has also facilitated fraudulent and criminal behavior. Business resiliency demands adequate security measures to mitigate the risks inherent in using mobile technology. When business risks and countermeasures are identified, "security" means preventing breaches and protecting corporate data. Because information security options for commercial corporations have lagged behind the availability of new technology, businesses ultimately have to rely on employees' ethics and due diligence to protect confidential corporate, market and customer information.
Whether you are planning to deploy apps developed in-house or are considering rolling out a mobile strategy built on a third-party software vendor's product (Oracle, MicroStrategy…), evaluating your environment and application security is key to your peace of mind and, obviously, to your compliance requirements.
Our engineers are proficient in Sarbanes-Oxley (SOX) regulations and can readily apply your policy requirements to your mobile strategy. However, we usually also complement your current policies and procedures with our extensive and exhaustive app security reviews.
Some companies have a false sense of security about apps that have already been reviewed by Apple or Microsoft.
Apple and Microsoft reviews are not focused on security. They do not check whether your passwords are stored in clear text or whether your app talks to your servers without SSL/TLS. Their reviews are concerned more with protecting the user's personal information, errors in the app, or features that are promised but not present. Once in a while they add new requirements after an issue has already occurred (Apple changing its in-app purchase requirements after the system had been exploited to obtain in-app purchases for free).
Android apps do not go through a comparable review or approval and are only pulled from the Google Play Store if reported as fraudulent or malicious.
Therefore, extra reviews are required to certify the security of mobile apps. Most of these reviews are executed on jailbroken devices to emulate the environment used by attackers and to circumvent the manufacturer's OS security measures. We may require authorization from the app's software vendor in order to disassemble and reverse-engineer the binary.
OWASP is starting a monthly security blitz where we will rally the security community around a particular topic. The topic may be a vulnerability, defensive design approach, technology or even a methodology.
A major priority of the OWASP Mobile Security Project is to help standardize and disseminate mobile application testing methodologies. While specific techniques exist for individual platforms, a general mobile threat model can be used to assist test teams in creating a mobile security testing methodology for any platform. The outline which follows describes a general mobile application testing methodology which can be tailored to meet the security tester’s needs. It is high level in some places, and should be customized on a per-platform basis.
OUR APP SECURITY ASSESSMENT PROCESS
During this phase we obtain all the information about the application we are evaluating: the information normally provided to users so they can use the application. We also obtain any credentials needed to use the application; if the application has different levels of access, we obtain credentials for every level.
We then evaluate the application as an ordinary user in order to understand its functionality and how it was originally designed to work. During this phase we also review its performance on different devices and networks.
This phase is performed on a jailbroken device (iOS applications) or a rooted device (Android applications) in order to access areas of the application that a stock mobile OS restricts. This lets us enter the previously sandboxed environment and analyze the files that make up the application bundle as well as those created after the application was installed and executed.
We also check whether the application binary is encrypted and, if necessary, decrypt it in order to dump its classes and symbols for analysis. We check whether the binary was built with stack-smashing protection (stack canaries) and identify details of its architecture by inspecting the binary. During this phase we locate potential areas in the code that could be attacked or tampered with. We are also able to inject code in order to expose more content or to bypass security measures such as password protection.
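As an added example of the binary-inspection part of this phase (this is illustrative code written for this page, not the assessment team's own tooling), the following Python script reads an iOS Mach-O image the way the checks above are usually done with otool: it reads the header flags for PIE, walks the load commands for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 to see whether the App Store FairPlay encryption is still in place (a non-zero cryptid, meaning the binary must be decrypted on the device before its classes and symbols can be dumped), and searches for the ___stack_chk_guard / ___stack_chk_fail and _objc_release import names that indicate stack-smashing protection and ARC. The string search is a heuristic over the whole file, equivalent to grepping otool -Iv output; the sample images produced by build_macho64 and build_fat are constructed for the demonstration and are not real apps. Point inspect_binary at the bytes of an app's main executable (the file named in the bundle's CFBundleExecutable) to run it against a real target.

```python
"""Inspect an iOS Mach-O binary for the hardening properties checked during static analysis.

Added example, not tooling from the original page. Layouts follow <mach-o/loader.h>
and <mach-o/fat.h>; the sample images at the bottom are constructed for this demo.
"""
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit image, little-endian on device
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit image
FAT_MAGIC = 0xCAFEBABE       # universal binary; its header is big-endian
MH_PIE = 0x00200000          # header flag: position-independent executable (ASLR)
LC_ENCRYPTION_INFO = 0x21    # cryptid != 0 means FairPlay-encrypted __TEXT
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def inspect_macho(data):
    """Return hardening indicators for one thin Mach-O image."""
    magic, = struct.unpack("<I", data[:4])
    if magic == MH_MAGIC_64:
        hdr_len, fmt = 32, "<8I"   # magic cputype cpusubtype filetype ncmds sizeofcmds flags reserved
    elif magic == MH_MAGIC:
        hdr_len, fmt = 28, "<7I"
    else:
        raise ValueError("not a little-endian thin Mach-O image")
    fields = struct.unpack(fmt, data[:hdr_len])
    ncmds, flags = fields[4], fields[6]

    cryptid = None
    off = hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # struct encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptid, = struct.unpack("<I", data[off + 16:off + 20])
        off += cmdsize

    return {
        "pie": bool(flags & MH_PIE),
        "encrypted": bool(cryptid),          # no command, or cryptid 0 -> not encrypted
        "stack_canary": b"___stack_chk_guard" in data or b"___stack_chk_fail" in data,
        "arc": b"_objc_release" in data,
    }


def inspect_binary(data):
    """Handle both thin and fat (universal) files; returns one result dict per slice."""
    magic, = struct.unpack(">I", data[:4])
    if magic != FAT_MAGIC:
        return [inspect_macho(data)]
    nfat, = struct.unpack(">I", data[4:8])
    results = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _cpu, _sub, offset, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        results.append(inspect_macho(data[offset:offset + size]))
    return results


# --- constructed sample images (not real apps) -------------------------------

def build_macho64(flags, cryptid, tail=b""):
    """Minimal 64-bit image: header + one LC_ENCRYPTION_INFO_64, then bytes standing in for the string table."""
    cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), flags, 0)
    return hdr + cmd + tail


def build_fat(slices):
    """Wrap thin images in a fat header, laid out back to back."""
    hdr = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    body = b""
    for s in slices:
        hdr += struct.pack(">5I", CPU_TYPE_ARM64, 0, offset, len(s), 0)
        offset += len(s)
        body += s
    return hdr + body


if __name__ == "__main__":
    hardened = build_macho64(MH_PIE, 1, b"\0___stack_chk_guard\0_objc_release\0")
    legacy = build_macho64(0, 0)
    for result in inspect_binary(build_fat([hardened, legacy])):
        print(result)
```

A slice reporting encrypted=True cannot be meaningfully disassembled or class-dumped until it has been decrypted on the jailbroken device; the string-based canary and ARC checks still work on an encrypted image because the symbol string table lies outside the encrypted range.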
This phase runs the application on a compromised device (jailbroken or rooted). In some situations we need to bypass jailbreak detection by injecting code that makes the application believe it is running on a legitimate, unmodified system.
During this analysis we review the file activity generated by the application as well as its network activity (to verify that network traffic is protected and encrypted). The application is also run under a debugger to examine debug logging that developers may have left behind.
An important task in this analysis is reviewing property lists, keyboard caches (populated by text fields with autocorrect enabled), screen snapshots that may contain private information, and protocol handlers.
If the application uses a SQLite database we analyze it to assess the security of the stored information. We may tamper with the data in the database in order to activate or deactivate settings that could reduce the security of the system.
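As an added example of the data-at-rest part of this phase (illustrative code written for this page, not the assessment team's own tooling), the following Python script scans an application data container pulled from a jailbroken device and reports the three classes of finding described above: property-list keys with sensitive names holding cleartext string values, SQLite columns with sensitive names and how many rows actually populate them, and the keyboard autocorrect cache and app-switcher snapshot files. The container paths it looks for (Library/Preferences/*.plist, Library/Caches/Snapshots/*.png, Library/Keyboard/dynamic-text.dat) are those of the iOS releases of this page's era and are assumed; the SENSITIVE name pattern is a heuristic; and the sample container built by make_sample_container is constructed for the demonstration, not data from a real app.

```python
"""Scan an extracted iOS app data container for cleartext secrets and leaky artifacts.

Added example, not tooling from the original page. Container paths are assumed to
follow the iOS layout of the page's era; the sample container is constructed below.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that should never hold a cleartext value on disk (heuristic).
SENSITIVE = re.compile(r"\b(pass\w*|pin|secret|token|api_?key|ssn|card\w*|cvv)\b", re.I)
DB_EXT = (".db", ".sqlite", ".sqlite3")


def _files(root):
    """Yield (absolute path, container-relative path with '/' separators)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def _plist_hits(obj, path=""):
    """Recursively yield (key path, value) for sensitive keys holding string/bytes values."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}/{key}"
            if isinstance(val, (str, bytes)) and SENSITIVE.search(str(key)):
                yield here, val
            yield from _plist_hits(val, here)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _plist_hits(val, f"{path}[{i}]")


def scan_plists(root):
    hits = []
    for full, rel in _files(root):
        if not rel.endswith(".plist"):
            continue
        with open(full, "rb") as fh:
            try:
                data = plistlib.load(fh)      # handles both XML and binary plists
            except Exception:
                continue
        hits += [(rel, key, val) for key, val in _plist_hits(data)]
    return hits


def scan_sqlite(root):
    """Report sensitive-looking columns and how many rows actually populate them."""
    hits = []
    for full, rel in _files(root):
        if not rel.endswith(DB_EXT):
            continue
        con = sqlite3.connect(full)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            for table in tables:
                for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                    if SENSITIVE.search(col):
                        n, = con.execute(
                            f'SELECT count(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()
                        hits.append((rel, table, col, n))
        finally:
            con.close()
    return hits


def scan_artifacts(root):
    """Keyboard autocorrect cache and app-switcher snapshots that can retain typed text and screens."""
    hits = []
    for _, rel in _files(root):
        if rel.endswith("Library/Keyboard/dynamic-text.dat"):
            hits.append(("keyboard-cache", rel))
        elif "/Caches/Snapshots/" in rel and rel.endswith(".png"):
            hits.append(("snapshot", rel))
    return hits


def scan_container(root):
    return {"plists": scan_plists(root), "sqlite": scan_sqlite(root), "artifacts": scan_artifacts(root)}


def make_sample_container():
    """Constructed container exhibiting each finding; not data from a real app."""
    root = tempfile.mkdtemp(prefix="app-container-")
    prefs = os.path.join(root, "Library", "Preferences")
    snaps = os.path.join(root, "Library", "Caches", "Snapshots")
    kbd = os.path.join(root, "Library", "Keyboard")
    for d in (prefs, snaps, kbd):
        os.makedirs(d)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, fh)
    con = sqlite3.connect(os.path.join(root, "Library", "Caches", "accounts.sqlite"))
    con.execute("CREATE TABLE accounts (id INTEGER, user TEXT, password TEXT, card_number TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                    [(1, "alice", "hunter2", "4111111111111111"), (2, "bob", None, None)])
    con.commit()
    con.close()
    open(os.path.join(kbd, "dynamic-text.dat"), "wb").close()
    open(os.path.join(snaps, "Portrait.png"), "wb").close()
    return root


if __name__ == "__main__":
    for kind, rows in scan_container(make_sample_container()).items():
        print(kind, rows)
```

Every plist hit is a credential or token written in clear text rather than to the Keychain; the SQLite row counts distinguish a column that merely exists from one that is actually populated, which is the difference between a design smell and a live finding.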
During the Dynamic Analysis we search for possible buffer overflows and SQL injection, and we conduct cross-site scripting tests.
Additionally, we may conduct attack tests against the iOS Keychain (if used) and against XML processors.
- User settings
- Keyboard Caches
- Snapshots saved from screens
- Analyze Server Communications
- Regular Expressions
- Code and Script Injection
- Confidentiality of the Data
- Integrity of the Data / Tampering Protection
- SSL Certificate tampering
- Check for Weak Cipher Suites
- Input validation
- Buffer Overflows
- Man in the middle
- User or session identifiers (UUID, IP, MAC, IMEI…)
- Out of Band authentication tokens
- Server-Side authentication, authorization and session management
- Session Length
- Session persistence between executions
- Web Cache Analysis
- Keystroke Logs
- Snapshots Analysis
- Cut/Paste Analysis
- URL Schemes
- API Analysis
- Key Management
- Hard-Coding of Keys
- Stored Keys
- Key Exchange System
- Encryption Algorithms