Mobile App Security Testing Is Also Essential

Mohit Sharma

May 04, 2022

Transcript

  1. Mobile App Security Testing Is Also Essential. Mohit Sharma | Developer Advocate | MongoDB | @codeWithMohit
  2. Google Play Core Library, an app's runtime interface with the Google Play Store, also suffered from a persistent code execution vulnerability; 8% of all Google Play applications had been compromised by this (source: checkpoint.com). The Google app on Android, with 5 billion installs, had a bug that let a malicious app on the phone gain extensive permissions on your device (source: wired.com).
  3. Improper Platform Usage: misuse of a platform feature or failure to use platform security controls.
     • Android Intents
     • Platform permissions
     • Misuse of TouchID, KeyChain
  4. Improper Platform Usage Mitigation
     • android:allowBackup: backup of the application and its data into the cloud should be disabled.
     • android:debuggable: debugging features of the application should be disabled.
     • android:installLocation: the application should be installed in the internal, more secure, memory.
     • Dangerous permissions: the application should not require dangerous permissions, as defined by Android, e.g. permission to make phone calls.
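An added example (not part of the deck) that checks the manifest settings slide 4 lists: it parses an AndroidManifest.xml and reports allowBackup, debuggable, installLocation and dangerous-permission findings. The DANGEROUS set and the two sample manifests are constructed for illustration and are not a complete list of Android's dangerous permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed subset of Android's "dangerous" permissions, for illustration only
DANGEROUS = {"android.permission.CALL_PHONE", "android.permission.READ_CONTACTS"}

def _attr(elem, name):
    """Read a namespaced android:<name> attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(xml_text):
    """Return a list of findings for the manifest settings slide 4 lists."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    # allowBackup defaults to true, so an absent attribute is also a finding
    if _attr(app, "allowBackup") != "false":
        findings.append('allowBackup: set android:allowBackup="false"')
    if _attr(app, "debuggable") == "true":
        findings.append("debuggable: remove android:debuggable from release builds")
    # installLocation lives on <manifest>; only internalOnly keeps the app off the SD card
    if _attr(root, "installLocation") not in (None, "internalOnly"):
        findings.append('installLocation: use android:installLocation="internalOnly"')
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name in DANGEROUS:
            findings.append(f"dangerous permission requested: {name}")
    return findings

# Constructed sample manifest with every weak setting from slide 4 present
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:installLocation="preferExternal">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:allowBackup="true" android:debuggable="true"/>
</manifest>"""

# The same constructed manifest with the mitigations applied
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:installLocation="internalOnly">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:allowBackup="false"/>
</manifest>"""
```

Running `audit_manifest(WEAK_MANIFEST)` reports all four weak settings, while the hardened manifest produces no findings.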
  5. Insecure Data Storage. Threat agent: an adversary who has obtained a lost/stolen mobile device, or malware or another repackaged app acting on the adversary's behalf that executes on the mobile device. Affected storage locations:
     • SQL databases
     • Log files
     • XML data stores or manifest files
     • Binary data stores
     • SD card
  6. Insecure Data Storage Mitigation
     • Save minimal data
     • Don't save data in plain text
     • Always review information that is logged
  7. Insecure Communication. When the solution transmits its data, it must traverse the mobile device's carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it's traveling across the wire.
  8. Insecure Communication: Misafe smartwatches
     • Attackers can easily eavesdrop on children's conversations, track them, and screw with the geofencing so that parents don't receive notices when their children wander off.
  9. Insecure Communication Mitigation. Don't override Android & iOS default network settings. Disable SSL pinning. Use trusted CAs only.
  10. Insecure Authentication. Relates to authentication of end users and bad session management. In mobile apps, unlike in web apps, users are not always online. Hence mobile apps must be able to identify the user and maintain that identification throughout the session, both online and offline.
  11. Insecure Authentication Mitigation
     • The application should have an inactivity timeout.
     • Authentication with newly added fingerprints should be temporarily disabled; require the PIN before newly added fingerprints are accepted.
  12. Insufficient Cryptography. Cryptography was attempted, but was insufficient in some way. For example, the developer might have used an outdated cryptographic algorithm or written a custom, vulnerable algorithm.
  13. Insufficient Cryptography: Ola Android app
     • Used weak encryption methods.
     • Same key used for multiple purposes.
  14. Insufficient Cryptography Mitigation
     • Follow industry-standard cryptography.
     • Create a different key for each purpose.
     • Rotate keys regularly, by means of a forced update.
  15. Insecure Authorization. This category covers issues related to authorization such as forced browsing, privilege escalation, Insecure Direct Object Reference (IDOR) vulnerabilities, etc.
  16. Code Quality. Poor code quality exposes vulnerabilities like
     • buffer overflows
     • format string vulnerabilities
     • various other code-level mistakes that allow code to be executed on mobile devices.
     Example: WhatsApp.
  17. Code Tampering. Prevent an attacker from tampering with the code on the phone. Mitigation: the application should refuse to run on a rooted device.
     • On a rooted device, users can manipulate the code of the application.
  18. Reverse Engineering. An attacker will typically download the targeted app from an app store and analyze it within their own local environment using a suite of different tools.
  19. Reverse Engineering Mitigation. The code should be obfuscated.
     • When the code is obfuscated, it is much more difficult to understand the logic of the code.
     • This makes it more difficult to manipulate the code or to find potential vulnerabilities.
     • Decompile the code and assess its readability.