
OWASP MSTG in Real Life


An overview of MSTG and MASVS and how usable they are for small teams and small but well-protected projects, from the perspective of an iOS software engineer.

Julia Mezher

April 06, 2019

Transcript

  1. OWASP MSTG IN REAL LIFE. MSTG USABILITY FOR SMALL TEAMS FROM THE PERSPECTIVE OF AN IOS ENGINEER
     Julia Potapenko, OWASP Kyiv, 6 April 2019
  2. TODAY WE WILL TALK ABOUT
     • Security in development lifecycle
     • What is OWASP MSTG?
     • General testing guide
     • iOS testing guide
  3. SECURITY IN DEVELOPMENT LIFECYCLE. PERFECT WORLD PROCESS
     • Preparation: security trainings for all team members
     • Requirements phase: risk evaluation
     • Design phase: security design review, threat modeling
     • Implementation phase: security best practices for the particular language and platform
     • Validation phase: security testing
     • Release and maintenance: vulnerability management, responding to incidents
     OWASP S-SDLC: https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project
  4. SECURITY IN DEVELOPMENT LIFECYCLE. IN REAL LIFE
     • Security features are added by request from the client
     • The client requests a third-party security audit close to the UAT or release date
     • Even if security features are planned, their implementation has a lower priority than UI/UX
  5. SECURITY IN DEVELOPMENT LIFECYCLE. IMPLEMENTING SECURITY FEATURES BY CLIENT REQUEST
     Pros:
     • Allows low security awareness in the team
     • Saves time if you still need to earn the client's trust
     • More time for development means a longer contract with the client
     Cons:
     • Huge refactoring, including networking and UI/UX, right before the release
     • Decreases the overall product quality
     • Increases security risks ("band-aid" security)
  6. SECURITY IN DEVELOPMENT LIFECYCLE. EXAMPLE: MISSING SECURITY TRAINING, NO DESIGN REVIEW
     Screen flow: Enter phone number → Enter OTP → Accept TC & PP
  7. WHAT IS OWASP MSTG?
     A comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS).
     OWASP MSTG: https://github.com/OWASP/owasp-mstg
  8. OWASP MASVS REQUIREMENTS
     • Architecture, design and threat modeling
     • Data storage and privacy
     • Cryptography
     • Authentication and session management
     • Network communication
     • Environmental interaction
     • Code quality and build settings
     • Resiliency against reverse engineering
     OWASP MASVS: https://github.com/OWASP/owasp-masvs
  9. WHAT IS OWASP MSTG? EXAMPLE: AUTHENTICATION AND SESSION MANAGEMENT REQUIREMENTS
     4.1 (L1): If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
     4.4 (L1): The remote endpoint terminates the existing session when the user logs out.
     4.7 (L1): Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.
     4.9 (L2): A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.
     4.11 (L2): The app informs the user of all login activities with their account. Users are able to view a list of devices used to access the account, and to block specific devices.
     https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management_Requirements.md
  10. WHAT IS OWASP MSTG? EXAMPLE: CODE QUALITY AND BUILD SETTINGS REQUIREMENTS
     7.1 (L1): The app is signed and provisioned with a valid certificate, of which the private key is properly protected.
     7.2 (L1): The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
     7.4 (L1): Debugging code has been removed, and the app does not log verbose errors or debugging messages.
     7.5 (L2): All third-party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.
     https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management_Requirements.md
  11. OWASP MSTG TABLE OF CONTENTS
     • Overview
     • General mobile app testing guide
     • Android testing guide
     • iOS testing guide
  12. TABLE OF CONTENTS
     • Mobile app authentication architectures
     • Testing network communication
     • Cryptography in mobile apps
     • Testing code quality
     • Tampering and reverse engineering
     • Testing user education
     OWASP MSTG: https://github.com/OWASP/owasp-mstg
  13. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. AUTHENTICATION
     • Basic:
       • Something the user knows: password, PIN, pattern, etc.
       • Something the user has: SIM card, OTP (one-time password) generator, hardware token, etc.
       • A biometric property: fingerprint, retina, voice, etc.
     • 2FA (2-factor authentication):
       • OTP by SMS or phone call
       • Hardware or software token
       • Push notifications in combination with PKI (public key infrastructure) and local authentication
     • Supplementary authentication:
       • Geolocation
       • IP address
       • Time of the day
       • Device ID
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md
  14. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. EXAMPLE: BANKING APP, COMBINING SMS OTP WITH DEVICE AUTH
     Screen flow: Enter phone number → Enter OTP → Use biometrics
  15. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. OTP BY SMS: CONCERNS
     • Wireless interception
     • Malicious applications
     • SIM swap attack
     • Verification code forwarding attack
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md
  16. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. EXAMPLE: BANKING APP, COMBINING CARD INFO WITH DEVICE ID
     Screen flow: Enter username and password → Use biometrics → Enter card expiration date
  17. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. TRANSACTION SIGNING
     • The client generates public and private keys on user registration, registers the public key with the backend and saves the private key to the Keychain.
     • The backend sends transaction data to the client to be authorized.
     • The client unlocks the Keychain, gets the private key, signs the transaction and sends it back to the backend.
     • The backend verifies it with the public key.
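The four transaction-signing steps above, as an added Swift example (not code from the talk or from the MSTG). It uses only the Security framework. The application tag, the choice of a Secure Enclave P-256 key with a user-presence requirement, and the JSON transaction encoding are assumptions made for illustration; the backend step is written in the same language so the whole exchange reads end to end, but on a real backend it is an ordinary ECDSA P-256 / SHA-256 verification over the X9.63 public key registered at enrolment.

```swift
import Foundation
import Security

// Added example (not from the talk). Key tag, Secure Enclave use and the
// transaction encoding are assumptions made for illustration.
enum SigningError: Error {
    case keyCreationFailed
    case keychain(OSStatus)
}

enum TransactionSigner {
    // Assumed application tag used to find the key again later.
    static let keyTag = Data("com.example.app.tx-signing".utf8)

    // Step 1, at registration: create a P-256 key pair whose private half lives in the
    // Secure Enclave (real device only) and cannot be exported. Signing additionally
    // requires user presence (passcode or biometry), so a stolen device does not sign by itself.
    // Returns the public key bytes (ANSI X9.63: 0x04 || X || Y) to register with the backend.
    static func createKeyPair() throws -> Data {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.privateKeyUsage, .userPresence], &error) else {
            throw error!.takeRetainedValue() as Error
        }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,          // stored in the Keychain
                kSecAttrApplicationTag as String: keyTag,
                kSecAttrAccessControl as String: access,
            ],
        ]
        guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error),
              let publicKey = SecKeyCopyPublicKey(privateKey),
              let publicBytes = SecKeyCopyExternalRepresentation(publicKey, &error) else {
            if let cfError = error?.takeRetainedValue() { throw cfError as Error }
            throw SigningError.keyCreationFailed
        }
        return publicBytes as Data
    }

    // Fetch the private key reference from the Keychain (the key material stays in the enclave).
    static func loadPrivateKey() throws -> SecKey {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecReturnRef as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let key = item else { throw SigningError.keychain(status) }
        return key as! SecKey
    }

    // Steps 2 and 3: the backend sends the transaction to authorise (it should carry a
    // backend-chosen transaction id or nonce so a captured signature cannot be replayed);
    // the client signs exactly those bytes. The Keychain shows the user-presence prompt here.
    static func sign(transaction: Data) throws -> Data {
        let key = try loadPrivateKey()
        var error: Unmanaged<CFError>?
        guard let signature = SecKeyCreateSignature(
                key, .ecdsaSignatureMessageX962SHA256, transaction as CFData, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return signature as Data   // DER-encoded ECDSA signature
    }

    // Step 4, as the backend does it: rebuild the registered public key and verify the
    // signature over the same transaction bytes it sent. A changed amount, a different
    // device key or a damaged signature all make this return false.
    static func verify(transaction: Data, signature: Data, registeredPublicKey: Data) -> Bool {
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeyClass as String: kSecAttrKeyClassPublic,
            kSecAttrKeySizeInBits as String: 256,
        ]
        guard let publicKey = SecKeyCreateWithData(
                registeredPublicKey as CFData, attributes as CFDictionary, nil) else { return false }
        return SecKeyVerifySignature(
            publicKey, .ecdsaSignatureMessageX962SHA256,
            transaction as CFData, signature as CFData, nil)
    }
}

// Usage sketch with constructed values (the transaction JSON stands in for what the backend sends):
// let registeredKey = try TransactionSigner.createKeyPair()          // sent to the backend once
// let tx  = Data(#"{"id":"tx-1001","to":"UA00EXAMPLE","amount":"150.00"}"#.utf8)
// let sig = try TransactionSigner.sign(transaction: tx)
// TransactionSigner.verify(transaction: tx, signature: sig, registeredPublicKey: registeredKey)  // true
```

The point the slide makes, and the example preserves, is that the only thing leaving the device is a signature over bytes the backend itself chose; the backend never has to trust a "yes" from the client, which is the same reasoning the later "local authentication" slide applies to Touch ID.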
  18. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. THINGS TO CHECK
     Check with the backend:
     • Login throttling
     • Session management
     • Access and refresh tokens
     • JWT
     • Login activity and blocking
     Check on the client:
     • Secure token storage
     • Access and refresh token handling
     • Proper error handling
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md
  19. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. CHECK LOCAL AUTHENTICATION
     • Local authentication should always be enforced at a remote endpoint or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data is returned from the authentication process.
  20. GENERAL TESTING GUIDE. MOBILE APP AUTHENTICATION ARCHITECTURES. IOS TOUCH ID EXAMPLE
     David Linder, "Don't Touch Me That Way": https://youtu.be/XhXIHVGCFFM
     Don't:
     • Rely on the Bool output
     • Forget to configure Touch ID
     Do:
     • Use Touch ID to get data from the Keychain
     • Combine it with the user password
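The "Do" and "Don't" of this slide, and the "make sure to use / wipe the Keychain" advice from the iOS data storage slide later in the deck, as one added Swift example (not code from the talk). It stores a session secret so that the Keychain itself demands the currently enrolled biometry before handing the bytes back; the service and account names are assumptions, and the secret is whatever the app needs to protect (a refresh token is used as the stand-in here).

```swift
import Foundation
import Security
import LocalAuthentication

// Added example (not from the talk). Service and account names are assumptions.
enum BiometricSecret {
    static let service = "com.example.app"
    static let account = "session-refresh-token"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // "Do": the Keychain enforces the biometric check. With .biometryCurrentSet the item becomes
    // unreadable if enrolment changes (e.g. a new finger is added), and there is no Bool in the
    // app for a hook to flip: without a successful match there simply is no data.
    @discardableResult
    static func store(_ secret: Data) -> OSStatus {
        guard let access = SecAccessControlCreateWithFlags(
                nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                .biometryCurrentSet, nil) else { return errSecParam }
        var attributes = baseQuery
        attributes[kSecAttrAccessControl as String] = access
        attributes[kSecValueData as String] = secret
        SecItemDelete(baseQuery as CFDictionary)        // replace any previous copy
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    // Reading triggers the Touch ID / Face ID prompt. A failed or cancelled prompt yields an
    // OSStatus (errSecUserCanceled, errSecAuthFailed, errSecItemNotFound), never a "false" branch.
    static func read(reason: String) -> Result<Data, Error> {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else {
            return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
        }
        return .success(data)
    }

    // "Make sure to wipe the Keychain": Keychain items outlive the app bundle, so remove the
    // secret explicitly on logout and on the first launch after a reinstall.
    @discardableResult
    static func wipe() -> OSStatus {
        let status = SecItemDelete(baseQuery as CFDictionary)
        return status == errSecItemNotFound ? errSecSuccess : status
    }
}

// The "Don't" from the slide, kept for contrast: nothing cryptographic stands behind `success`,
// so a runtime hook on the reply block can deliver `true` and the app happily continues.
func insecureUnlock(completion: @escaping (Bool) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock") { success, _ in
        completion(success)
    }
}

// Usage sketch: BiometricSecret.store(Data("constructed-token".utf8)) after login,
// then `switch BiometricSecret.read(reason: "Open your account")` before each API call.
```

Combining this with the user password, as the slide's second "Do" suggests, means the secret stored here is only one factor: the backend still issues and expires the session (MASVS 4.7 on the earlier slide), and the biometric prompt only gates access to the locally cached copy.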
  21. GENERAL TESTING GUIDE. TESTING NETWORK COMMUNICATION
     • Intercepting network traffic: Burp Suite, Charles Proxy, OWASP ZAP
     • Check data encryption in the network, SSL/TLS pinning
     • MASVS V5.5: The app doesn't rely on a single insecure communication channel (e-mail or SMS) for critical operations such as enrollment and account recovery.
     • Pay attention to new technologies
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md
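The "SSL/TLS pinning" bullet, as an added Swift example (not code from the talk): a URLSession delegate that first lets the system validate the chain and then only accepts it if one of the certificates carries a pinned public key. The host name and the pin strings are placeholders; CryptoKit (iOS 13 and later) is used for SHA-256 and is an assumption, as is the choice to pin the public key bytes returned by SecKeyCopyExternalRepresentation rather than a certificate.

```swift
import Foundation
import Security
import CryptoKit

// Added example (not from the talk). Host and pins are placeholders.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Base64(SHA-256(public key bytes)) per host. Keep a backup pin so a key rotation on the
    // server does not lock every installed copy of the app out of the API.
    private let pins: [String: Set<String>] = [
        "api.example.com": ["PLACEHOLDER_PIN_CURRENT_KEY=", "PLACEHOLDER_PIN_BACKUP_KEY="],
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              let expectedPins = pins[space.host] else {
            // Hosts without a pin and non-TLS challenges keep the normal system behaviour.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Full chain validation first (expiry, hostname, trusted root). Pinning narrows the
        //    accepted set of keys; it never replaces validation.
        guard SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Accept if any certificate in the validated chain carries a pinned key, so the leaf
        //    can be reissued under a pinned intermediate without an app update.
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let certificate = SecTrustGetCertificateAtIndex(trust, index),
                  let key = SecCertificateCopyKey(certificate),
                  let keyBytes = SecKeyCopyExternalRepresentation(key, nil) as Data? else { continue }
            if expectedPins.contains(PinnedSessionDelegate.pin(for: keyBytes)) {
                completionHandler(.useCredential, URLCredential(trust: trust))
                return
            }
        }
        completionHandler(.cancelAuthenticationChallenge, nil)   // valid chain, but not our key
    }

    // The pin format: SHA-256 over the raw key bytes (X9.63 for EC, PKCS#1 for RSA), base64.
    // Pins must be generated with the same encoding; they are not SPKI hashes.
    static func pin(for publicKeyBytes: Data) -> String {
        Data(SHA256.hash(data: publicKeyBytes)).base64EncodedString()
    }
}

// Usage: let session = URLSession(configuration: .ephemeral,
//                                  delegate: PinnedSessionDelegate(), delegateQueue: nil)
```

Two caveats that belong with the slide: an interception proxy such as Burp Suite or Charles will show up here as a cancelled challenge, which is the behaviour a tester should verify, and on a jailbroken device a tool like SSL Kill Switch 2 (listed in the tools slide of this deck) hooks this very delegate path, so pinning protects the user's traffic from a hostile network, not the API from a user who controls the device.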
  22. GENERAL TESTING GUIDE. CRYPTOGRAPHY IN MOBILE APPS
     • Identify insecure/deprecated algorithms
     • Prevent configuration issues: weak key or random number generators, insufficient key length, etc.
     • Do not use symmetric encryption with hard-coded keys
     • Keep the keys in secured storage (Keychain, Keystore) or obfuscate/encrypt them
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md
  23. GENERAL TESTING GUIDE. TESTING CODE QUALITY
     MASVS V6.2: All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.
     • Injection attacks
     • Memory corruption bugs
     • XSS attacks on WebView
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md
  24. GENERAL TESTING GUIDE. TESTING CODE QUALITY. STRUGGLING WITH XSS AND PROJECT REQUIREMENTS
     • We want a WebView in our app to register the user with a third-party service.
     • Please, disable JavaScript on it.
     • You need to send a POST request with parameters when the user opens the WebView.
     https://stackoverflow.com/questions/26253133/cant-set-headers-on-my-wkwebview-post-request
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md
  25. GENERAL TESTING GUIDE. TAMPERING AND REVERSE ENGINEERING
     • Reverse engineering is the process of analyzing the compiled app to extract information about its source code.
     • Tampering is the process of changing a mobile app to affect its behavior.
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md
  26. GENERAL TESTING GUIDE. TAMPERING AND REVERSE ENGINEERING. ULTIMATELY, THE REVERSE ENGINEER ALWAYS WINS
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md
  27. IOS TESTING GUIDE. PLATFORM OVERVIEW. BENEFITS OF THE IOS PLATFORM
     • Separate sandbox for each application
     • Single distribution source
     • Sideloads are allowed only with Xcode or the Enterprise program
     • iOS users tend to update their iOS version to the latest one, while downgrading is questionable
     • New UDID of iPhone XS, XS Max, XR
  28. IOS TESTING GUIDE. SETTING UP A TESTING ENVIRONMENT FOR IOS APPS. MANAGING JAILBROKEN DEVICES
     After identifying and fixing a vulnerability, Apple releases an update. Later on they stop signing the old iOS version, which makes it impossible to downgrade. Define an upgrading strategy:
     • Use several devices, upgrade with every major release and wait for jailbreak availability
     https://canijailbreak.com/
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06b-Basic-Security-Testing.md
  29. IOS TESTING GUIDE. TESTING TOOLS
     • Frida – to inject into running processes: https://www.frida.re/
     • objection – all-in-one framework: https://github.com/sensepost/objection
     • iFunbox – easy access to the filesystem: http://www.i-funbox.com/
     • class-dump – examining Objective-C runtime information: http://stevenygard.com/projects/class-dump/
     • cycript – to modify running applications: http://www.cycript.org/
     • Cydia Substrate – code modification tool to hook methods at app start: http://www.cydiasubstrate.com/
     • SSL Kill Switch 2 – to bypass SSL pinning: https://github.com/nabla-c0d3/ssl-kill-switch2
     • xCon – to bypass jailbreak detection: http://cydia.saurik.com/package/com.n00neimp0rtant.xcon/
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md
  30. IOS TESTING GUIDE. IOS PLATFORM APIS. TESTING PLATFORM INTERACTION
     • Testing app permissions
     • Testing custom URL schemes
     • Testing WebViews
     • Testing object persistence
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md
  31. IOS TESTING GUIDE. IOS PLATFORM APIS. EXAMPLE: URL SCHEME ISSUE IN SKYPE
     <iframe src="tel:1-408-555-5555"></iframe>
     <iframe src="skype://14085555555?call"></iframe>
     https://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html
  32. IOS TESTING GUIDE. DATA STORAGE ON IOS. SENSITIVE DATA STORAGE
     • Make sure to use the Keychain
     • Make sure to wipe the Keychain
     • Do not store sensitive data in .plists
     • Need to store more data? Use encrypted DBs
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md
  33. IOS TESTING GUIDE. DATA STORAGE ON IOS. TEST EXPOSING SENSITIVE DATA
     • Logs
     • Third-party libraries
     • Keyboard cache
     • User interface
     • Background screenshots
     • Screenshots, video recording, AirPlay
     • Memory
  34. IOS TESTING GUIDE. TAMPERING AND REVERSE ENGINEERING ON IOS
     • Objective-C allows method invocations to be changed at run time, making hooking into app functions easy.
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md
  35. IOS TESTING GUIDE. IOS ANTI-REVERSING DEFENCES
     • Jailbreak detection:
       • File-based checks
       • Permissions checks
       • Attempting to open Cydia and other malicious apps
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
  36. IOS TESTING GUIDE. IOS ANTI-REVERSING DEFENCES. ANTI-DEBUGGING CHECKS
     • Anti-debugging checks:
       • ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process. If a debugger attempts to attach, the process will terminate.
       • sysctl is used to retrieve info about the current process, including whether the process is being debugged.
     • Checking signature
     • Checking device binding
     https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
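The two anti-debugging checks named on the slide, as an added Swift example (not code from the talk or the MSTG). Each check returns a value instead of acting on its own, so the policy (exit, degrade, or report) stays in one place; the function names, the `DEBUG` build flag and the exit-on-detection policy are assumptions, while the PT_DENY_ATTACH value 31 comes from sys/ptrace.h.

```swift
import Foundation
import Darwin

// Added example (not from the talk). Function names and the launch policy are assumptions.

// sysctl check: ask the kernel for our own kinfo_proc and test the P_TRACED flag,
// which is set while a debugger is attached.
func isDebuggerAttached() -> Bool {
    var info = kinfo_proc()
    var size = MemoryLayout<kinfo_proc>.stride
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    let result = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
    guard result == 0 else { return false }   // a failed query is "unknown", not "attached"
    return (info.kp_proc.p_flag & P_TRACED) != 0
}

// ptrace(PT_DENY_ATTACH): after this call an attempt to attach a debugger ends the process.
// PT_DENY_ATTACH is not exposed to Swift, so ptrace is resolved at run time through dlsym
// (the same approach the MSTG chapter on this slide describes).
@discardableResult
func denyDebuggerAttach() -> Bool {
    typealias PtraceFunction = @convention(c) (CInt, pid_t, caddr_t?, CInt) -> CInt
    guard let handle = dlopen(nil, RTLD_NOW),
          let symbol = dlsym(handle, "ptrace") else { return false }
    let ptrace = unsafeBitCast(symbol, to: PtraceFunction.self)
    let denyAttach: CInt = 31   // PT_DENY_ATTACH from <sys/ptrace.h>
    return ptrace(denyAttach, 0, nil, 0) == 0
}

// Debug builds keep the debugger usable for the team; release builds run both checks at
// launch. Exiting is one possible policy; an app may instead disable sensitive features.
func applyAntiDebuggingAtLaunch() {
    #if !DEBUG
    denyDebuggerAttach()
    if isDebuggerAttached() { exit(1) }
    #endif
}
```

As the next slide in the deck says, these checks are one layer only: on a jailbroken device the ptrace call and the sysctl result can be hooked with the tools listed earlier, which is why the talk recommends a maintained third-party solution rather than hand-rolled checks for anything that needs real resistance.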
  37. IOS TESTING GUIDE. IOS ANTI-REVERSING DEFENCES. HAVE YOU EVER IMPLEMENTED JAILBREAK DETECTION AND ANTI-REVERSING DEFENCES? USE RELIABLE THIRD-PARTY SOLUTIONS!
     Overview of solution providers: https://nmgprod.s3.amazonaws.com/media/filer_public/8f/72/8f7224ef-9143-4f4b-b3a0-2d38c05e879d/guide_mobile_payments_security_101.pdf
  38. IOS SECURITY GUIDE. HAVE YOU READ THE IOS SECURITY GUIDE? I bet you don't :)
     https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf