Enterprise mobileapplicationsecurity
0 likes656 views
This document discusses security challenges for enterprise mobile applications and provides recommendations to address them. It notes that 60% of corporate employees access content through public networks using mobile devices. This creates security risks as corporate data is accessed outside the firewall. The document outlines various attacks including device-based issues like lost/stolen devices, network/server attacks like spoofing and denial of service, and recommends practices for securing mobile applications and networks. These include encrypting data, using VPNs, disabling unnecessary device components, and implementing firewalls and intrusion prevention.
Enterprise mobileapplicationsecurity
- 1. Security – Enterprise Mobile Applications Venkat Alagarsamy venkat.alagarsamy@gmail.com www.linkedin.com/in/VenkatAlagarsamy www.scribd.com/VenkatAlagarsamy www.facebook.com/Venkatachalapathi.Alagarsamy www.slideshare.net/VenkatAlagarsamy www.twitter.com/TwitsOfVenkat VenkatAlagarsamy.blogspot.in Last Updated: 18th Jan 2013
- 2. Corporate Data Users • It is a business fact that nearly 60% of all corporate employees access content through public network using phones, tablets and other hand-held devices. • Other than employees, the customers and vendors too access the corporate database anywhere, anytime on any device. • Public
- 3. Statistics • 80% of corporate users using the device without knowing security threats. • 80% of corporate users using the jail Broken device • 70% of users do not have Anti-virus on their device • 70% is the possibility that the application getting misused. • 55% user losing sensitive credentials and corporate data to a hacker.
- 4. The Challenge The rapid adoption of mobile application by the corporate has created a significant security challenge because the corporate data is accessed outside of the firewall/DMZ. So the challenges to corporate mobile application developers are: How do I secure mobile application with/without limited users? How to secure the application itself? What is to be developed as mobile application? How should I provision this application to users?
- 5. Attacks – Device Based • Device based attacks – Misplaced or lost the device • Unencrypted credentials • Insecure Storage • Cached Data – Malware installation due to down loading unknown application • Malicious certificates • Reconfigure proxy settings or • Allow man-in-the-middle (MiTM) visibility into every user transaction.
- 6. Attacks – Network and Server Based • Identity Spoofing (IP address Spoofing) – Using a special programs attacker would construct IP packets that appear to originate from valid addresses inside the corporate intranet. – After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data. • Password Attacks – Obtain lists of valid user and computer names and network information. – Modify server and network configurations, including
- 7. Attacks – Network and Server Based • Denial-of-Service Attack – Randomize the attention of corporate internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion. – Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services. – Flood a computer or the entire network with traffic until a shutdown occurs because of the overload. – Block traffic, which results in a loss of access to network resources by authorized users.
- 8. Attacks – Network and Server Based • Man-in-the-Middle Attack – actively monitoring, capturing, and controlling all communication and re-route a data exchange • Compromised-key-attack – By getting the compromised key, the attacker can decode any secured encrypted data and the use the data as required. • Sniffer Attack – Analyze network and gain information to eventually cause network to crash or to become corrupted. – Read transaction/data communications.
- 9. Attacks – Network and Server Based • Application-Layer Attack An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of application, system, or network, and can do any of the following: – Read, add, delete, or modify data or operating system. – Introduce a virus program that uses corporate computers and software applications to copy viruses throughout corporate network. – Introduce a sniffer program to analyze network and gain information that can eventually be used to crash or to corrupt legacy systems and network.
- 10. Device Security - Reverse Engineering • Understand the logic and application security weakness • Look for key words like password, key, SQL and security logic (AES/DES) • Modify the code to bi-pass client side checks and rebuild app • Send request with altered data pack from modified apps • Steps: Get Executable Understand the technology
- 11. Device Security -Reverse Engineering – Tools Used OS De- compress or Object -> Class -> Functions Editor Windows Winzip ILSpy Visual Studio Notepad Obfuscator preemptive.com/products/dotfuscato r/overview confuser.codeplex.com/ Android Winzip Dex2Jar and JD-GUI Notepad Obfuscator http://proguard.sourceforge.net/ iOS iExplorer OTool and Class-dump- z
- 12. Device Security – Malwares Malwares (Worms and Trojans) are installed in the device either by SMS/MMS or by untrusted application download. Destroy Operating system Provide misleading information Steal data/cookies Deactivate other trusted applications Plant spyware to spy calendars, email accounts, notes etc.
- 13. Device Security – Malware Samples Virus Name OS Symptom, Propagation and Damages Cabir Symbi an Display „Caribe‟ whenever phone is turned on. Spread to other phone using Bluetooth Duts Wind ows Affect EXE file more than 4KB Skulls - Trojan Wind ows Replace all icons with image of skull. Commwarrior Symbi an Spread by MMS and Bluetooth. Hunt devices running Bluetooth and send infected files Gingermaster - Trojan Andro id Hidden malware. Steal device details and send to remote server. DroidKunFu – Trojan Andro id Gets privileges of root and install com.google and ssearch.apk, which remove files, open and auto download of some applications. It also sends device data to remote server.
- 14. Device Security – Antivirus Protection Software Operating System BullGu ard Lookou t McAfee ESET Kasper sky Trend Micro F- Secure Webroo t NetQin Android Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Symbian Ye s Ye s Ye s Ye s Ye s BlackBerry Ye s Ye s Ye s Windows Ye s Ye s
- 15. Device Security – Some Best Practices (User) Download applications from the official application store only. Otherwise you expose yourself and your mobile phone software provider does not protect you. Don‟t jailbreak or root device. If cracked software is installed you are inheriting a risk. Install an antivirus. Antivirus protects device against apps that try to steal data. Before installing the application, from application store understand and agree to the application device/data usage.‟ Disable Bluetooth and other wireless components when not in use.
- 16. Device Security – Enterprise Application Design Practices Should adhere to corporate password policy Transfer the data only through SSL or VPN (Use VPN if possible) Auto disable all unwanted components like Bluetooth when not required Make sure there is no memory leakage Do not store any critical data offline. If required, encrypt data and store using encrypted database like SQLCipher Ensure the device is registered for using the application Ensure the user logged-in is the right user to use the device and application Provide Single sign-on Provide remote-wipe if device lost Use dynamic key for encryption of in/out data where the key is controlled by server Do not use any special characters or SQL, in posting data
- 17. Network Security It is an activities designed to protect network for its Usability Reliability Integrity Safety From the threats like Viruses, worms, and Trojan horses Spyware and adware Zero-day attacks, also called zero-hour attacks Denial of service attacks Data interception and theft Identity theft
- 18. Network Security Components • Multiple layers of security. If one fails, others still stand. • Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect from emerging threats. • Network security components often include: – Anti-virus and anti-spyware – Firewall, to block unauthorized access to your network (DMZ) – Intrusion prevention systems (IPS), to identify fast- spreading threats, such as zero-day or zero-hour attacks
- 19. Attackers – How they do? • Most popular attacks using – Reverse Engineering – Cross site scripting (XSS) – SQL Injection
- 20. Cross-site Scripting (XSS Attack) • As documented by Symantec 2007, 84% vulnerability are caused by XSS attacks. • Cross-Site Scripting (XSS) attacks occur when: – Data enters a Web application through an untrusted source, most frequently a web request. – The data is included in dynamic content that is sent to a web user without being validated for malicious code • It is a process of injecting a malicious content in web page and have the content (usually ActiveX, JavaScript, VBScript, Applet, Flash, HTML etc) executed in client browser – To steal client data.
- 21. Cross-site Scripting - XSS Types • Stored XSS Attacks – Permanently stores injected code in targeted components like database, message forum, visitor log, comment field, etc. • Reflected XSS Attacks – Injected code is reflected off the web server – As a response such as error message, search result etc. – eMail message When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user‟s browser. The browser then executes the code because it came from a "trusted" server.
- 22. XSS – Prevention Summary Data Type Conte xt Code Sample Defense Strin g HTML Body <span>UNTRUSTE D DATA </span> •HTML Entity Encoding Strin g Safe HTML Attribut es <input type=“text” name=“fname” value=“UNTRUSTE D DATA”> •Aggressive HTML Entity Encoding •Only place untrusted data into white list of safe attributes •Strictly validate unsafe attributes such as background, id and name Strin g GET Param eter <a href=“/site/search?v alue=UNTRUSTED DATA”> clickme </a> URL Encoding String Strin Untrus ted URL in a SRC <a href="UNTRUSTED URL">clickme</a> •Cannonicalize input •URL Validation •Safe URL verification •Whitelist http and https URL's only (Avoid Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Pre vention_Rules_Summary
- 23. XSS – Prevention Summary (Contd…) Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Pre vention_Rules_Summary Data Type Conte xt Code Sample Defense Strin g CSS Value <div style="width: UNTRU STED DATA;">Selection</di v> •Strict structural validation •CSS Hex encoding •Good design of CSS Features Strin g JavaS cript Variab le <script>var currentValue='UNTR USTED DATA';</script> <script>someFunctio n('UNTRUSTED DATA');</script> •Ensure JavaScript variables are quoted •JavaScript Hex Encoding •JavaScript Unicode Encoding •Avoid backslash encoding (" or ' or ) HTM L HTML Body <div>UNTRUSTED HTML</div> •HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Strin DOM <script>document.wri te("UNTRUSTED
- 24. XSS Prevention – Output Encoding Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Pre vention_Rules_SummaryEncoding Type Encoding Mechanism HTML Entity Encoding Convert & to & Convert < to < Convert > to > Convert " to " Convert ' to ' Convert / to / HTML Attribute Encoding Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value) URL Encoding Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp JavaScript Encoding Except for alphanumeric characters, escape all characters with the uXXXX unicode escaping format (X = Integer). CSS escaping supports XX and XXXXXX. Using a two character escape can cause problems if the next character
- 25. XSS Prevention – Testing Tools • Commercial License: o Veracode Dynamic Scanner o Whitehat o HP WebInspect o Cenzic Hailstorm o IBM AppScan o NTOSpider o Qualys o Burp Professional • Free/Open Source: o W3af o XSS-Me and Access-Me o OWASP ZAP o Skipfish o Wfuzz o Reference for more tools :
- 26. SQL Injection • SQL Injection Attack (SQLIA) is the one of the top 10 vulnerability, identified by OWASP. • It is a insertion of a SQL in posted request from client application to server. • By injecting SQL, the attacker can – Read sensitive database – Modify (insert/update/delete) database – Execute admin operations – Alter DB structure – Bi-pass user authentication
- 27. Sub Classes of SQLIA • Classic SQLIA • Inference SQL injection • Interacting with SQL injection • Database management system-specific SQLIA • Compounded SQLIA • SQL injection + insufficient authentication • SQL injection + DDoS attacks Source: http://en.wikipedia.org/wiki/SQL_injection
- 28. Prevention of SQL Injection – Primary Defense Prepare Statements (Parameterized Queries) – Attacker can not change the intent of a query. Recommendations Java EE – use PreparedStatement() with bind variables .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables PHP – use PDO with strongly typed parameterized queries (using bindParam()) Hibernate - use createQuery() with bind variables (called named parameters in Hibernate) SQLite - use sqlite3_prepare() to create a statement object Stored Procedures – Same like Prepare Statement Escaping All User Supplied Input Reference OWASP: https://www.owasp.org/index.php/ESAPI Google: http://owasp-esapi-
- 29. Prevention of SQL Injection – Additional Defense Least Privilege White list Input Validation Reference: http://ferruh.mavituna.com/sql-injection- cheatsheet-oku/ https://www.owasp.org/index.php/Input_Validation _Cheat_Sheet
- 30. Prevention of SQL Injection – Testing Tools SQL Inject-Me SQLMAP SQLler SQLbftools SQL Injection brute- force SQLBrute BobCat Absinthe Source: http://rochakchauhan.com/blog/2008/01/10/top-15-free-sql-injection- scanners/ SQL Injection Pen- testing tools SQID Blind SQL Injection Perl tool SQL Power Injector FJ-Injector framework SQLNinja Automatic SQL Injector NGGSS SQL Injector
- 31. Architectural and Development consideration Validate the Device Registration from Server Always use VPN (at least SSL) network for communication Encrypt the critical data in both ends Use Dynamic Encryption keys. A Encryption key should be used for only one communication and it should have automatic expiry. The key should have some complex generation logic. Do not store entire initial complete encryption key in device. i.e., a complete key should be generated based on partial key. Do no cache, store data. Do not create any cookies Disable all network components that are not used by the application Enforce password policy Enable single sign-on using servers like LDAP Disable client-scripting Do not keep any SQL in client side If necessary, to store offline data, use encrypted DB like SQLCipher Always validate the both input and output data for its format and canonical
- 32. Conclusion The security of mobile application should be ensured at all levels and by all players Application/service providers Organization Device providers Registries Data Centers/Cloud Services Government CERTs Users All players in this ecosystem must apply the basic rules for effective security Coordination Communication and