
Don’t get stung by OWASP - Episode II


In this second session, we will take a further dive into more of OWASP's top 10 threats for mobile security, the common Android security pitfalls we all succumb to, and look at how we may code with a more security-focused mindset going forward.

Ed George

July 26, 2022

Transcript

  1. Don’t get stung by OWASP Episode II
     @Sp4ghettiCode / spght.dev
     Android Worldwide July 2022 - Ed Holloway-George
  2. Who am I? (I’m this one. This is not me.)
     • Senior Android Dev @ ASOS
     • Dad to a Pomeranian
     • Security ‘enthusiast’ (Please please note: NOT expert)
     Find me on social:
     • @Sp4ghettiCode
     • spght.dev/talks
     • Follow me for more! (And dog pictures)
  3. Talk Agenda, AKA what I hope I have enough time to cover
     • Introduction to more of the OWASP Top 10
     • Address the most common mistakes in our apps
     • Q&A
     • Bedtime (for me at least!)
  4. ⚠ MANDATORY LEGAL WARNING ⚠ You know, just in case someone goofs up later.
     • Anything you learn here is to be used for educational purposes ONLY
     • Do NOT test on apps you are not authorised to use
     • Please consider seeking your company’s security advice from someone that knows a lot more than me!
     • This talk is NOT associated with and/or endorsed by the OWASP Foundation or my employer!
  5. ⚡ Re-intro to OWASP
  6. ‘Who’ or ‘What’ is OWASP?
     • Open Web Application Security Project
     • Non-profit OWASP Foundation created in 2001
     • Provides free security resources for developers & organisations alike
     • Also maintains ‘Top 10’ list(s) of the greatest security threats to application security
  7. Top 10 Mobile Threats
     Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
     1. Improper Platform Usage
     2. Insecure Data Storage
     3. Insecure Communication
     4. Insecure Authentication
     5. Insufficient Cryptography
     PART 1 OF THIS TALK NOW AVAILABLE ON ANDROID WW’S YOUTUBE: youtu.be/HRJw8RIgbSg / spght.dev/talks
  8. Next 10 Mobile Threats
     Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
     1. Improper Platform Usage
     2. Insecure Data Storage
     3. Insecure Communication
     4. Insecure Authentication
     5. Insufficient Cryptography
     6. Insecure Authorisation
     7. Client Code Quality
     8. Code Tampering
     9. Reverse Engineering
     10. Extraneous Functionality
  9. Insecure Authorisation, #6 OWASP Threat: YOUR PERMISSIONS
  10. Insecure Authorisation, AKA I don’t think you’re allowed to do that…
     • Authorisation != Authentication
     • Authentication = Proving your identity
     • Authorisation = Performing an action with permission
     • E.g. Logging in to Twitter
       • Authentication via email + password
       • Authorisation permits you to view your DMs (and not mine)
  11. Introducing ‘Smart Sheriff’, South Korea’s answer to ‘How insecure can we make an app’
     • Smart Sheriff was a 2015 government mandated parental monitoring mobile app in South Korea
     • By LAW must be installed on anyone under the age of 19’s phone
     • Gave parents the ability to monitor web searches, block sites and snoop on messages
     • Amazing talk: Smart Sheriff, Dumb Idea by Abraham Aranguren & Fabian Fäßler
  12. Introducing ‘Smart Sheriff’, South Korea’s answer to ‘How insecure can we make an app’
     • The app had an API to retrieve lost passwords for child accounts that could be called by any user
     • Passing in a mobile number would return either the app’s password or the mobile number of the child’s parent 🤦
     • Trivial to traverse phone numbers to gain privileged info
     • Pen-test link @ spght.dev/talks (Image: 7asecurity.com)
  13. Insecure Authorisation: How to avoid it!
     • When using authorised APIs
       • Use the minimum required permissions for the call
       • Verify any user roles server-side
       • Avoid using role/permission information that comes from the mobile device itself
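The server-side rule that Smart Sheriff's recovery API was missing, as an added example (not code from the deck or from the Smart Sheriff app), written as plain Kotlin with no web framework so it runs as-is; Session, Role, Guardianship and PasswordRecoveryService are hypothetical names.

```kotlin
enum class Role { PARENT, CHILD }

// Identity and role come from the server-validated session token,
// never from a "role" or "parentId" field posted by the mobile client.
data class Session(val userId: String, val role: Role)
data class Guardianship(val parentId: String, val childPhone: String)

class Forbidden(message: String) : RuntimeException(message)

class PasswordRecoveryService(private val guardianships: List<Guardianship>) {
    // Hardened recovery: the caller must be authenticated as a PARENT and be
    // linked server-side to that exact number. The secret is never returned;
    // a reset is sent to the parent's registered contact instead.
    fun recover(session: Session, childPhone: String): Boolean {
        if (session.role != Role.PARENT) throw Forbidden("parent role required")
        val linked = guardianships.any {
            it.parentId == session.userId && it.childPhone == childPhone
        }
        if (!linked) throw Forbidden("${session.userId} is not a guardian of $childPhone")
        resetAndNotify(childPhone, session.userId)
        return true
    }

    private fun resetAndNotify(childPhone: String, parentId: String) {
        // Stand-in for the real SMS/e-mail delivery
        println("reset for $childPhone sent to parent $parentId")
    }
}

fun main() {
    // Constructed sample data
    val service = PasswordRecoveryService(listOf(Guardianship("parent-42", "+82100000001")))
    val parent = Session("parent-42", Role.PARENT)
    check(service.recover(parent, "+82100000001"))              // own child: allowed
    runCatching { service.recover(parent, "+82100000002") }      // someone else's child
        .onFailure { println("denied: ${it.message}") }
    runCatching { service.recover(Session("child-7", Role.CHILD), "+82100000001") }
        .onFailure { println("denied: ${it.message}") }          // wrong role
}
```

The phone number is only a lookup key; the decision rests on who the session says is calling and on a server-owned link table, so enumerating numbers yields nothing.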
  14. Client Code Quality, #7 OWASP Threat: YOUR CODE (duh)
  15. Client Code Quality: What is it?
     • Difficult to define exactly…
     • Poorly written code! 🍝
     • Not following coding ‘best practises’
     • Misuse of a programming language
       • Javascript -> XSS Attack
       • SQL -> SQL Injection
       • C++/etc -> Buffer Overflow
  16. Client Code Quality: How to avoid it!
     • Have a solid code review process
     • Use static analysis tools e.g. SonarCloud / Snyk
     • Know the flaws and dangers with using particular languages
     • Consider using ‘Strict Mode’ to catch errors early
  17. Client Code Quality: Strict Mode
     • Tool within Android Framework to detect code violations at runtime
       • e.g. Performing I/O operations on the Main Thread
       • Leaks - e.g. not closing a ‘Closeable’
     • Split into Thread + Virtual Machine violations
  18. Client Code Quality: Strict Mode
     • Allows for different ‘penalties’ on spotting a violation
       • Write to logcat
       • Show an ‘annoying dialog’
       • Flash the device’s screen
       • Crash the app 🔥😅
  19. Client Code Quality: Strict Mode Examples
     StrictMode.setThreadPolicy(
         StrictMode.ThreadPolicy.Builder()
             .detectDiskReads()
             .detectDiskWrites()
             .detectNetwork()
             .penaltyLog()   // Penalty: write to logcat
             .build()
     )
  20. Client Code Quality: Strict Mode Examples
     StrictMode.setVmPolicy(
         StrictMode.VmPolicy.Builder()
             .detectCleartextNetwork()        // Detect non-HTTPS traffic
             .detectLeakedSqlLiteObjects()    // Detect leaks
             .detectLeakedClosableObjects()
             .penaltyLog()                    // Penalty: write to logcat
             .penaltyDeath()                  // Penalty: crash 🔥
             .build()
     )
  21. Client Code Quality: Strict Mode Usage
     BEST PRACTISES:
     • Add within Application class before super.onCreate call
     • Use within debuggable builds only
     • Use penaltyDeath() for most serious cases
       • E.g. penaltyDeathOnCleartextNetwork()
     • Always read the docs!
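The two policies from the previous slides wired into an Application subclass following these best practices, as an added example (not the deck's own code); OwaspApp is a hypothetical class name and BuildConfig is the module's generated class, so the file is assumed to live in the app's own package.

```kotlin
import android.app.Application
import android.os.Build
import android.os.StrictMode

// Register in AndroidManifest.xml as android:name=".OwaspApp"
class OwaspApp : Application() {

    override fun onCreate() {
        // Install before super.onCreate() so the I/O done during startup
        // (including ContentProvider initialisation) is already checked.
        // Gated on BuildConfig.DEBUG: release builds never carry the policy.
        if (BuildConfig.DEBUG) {
            installStrictMode()
        }
        super.onCreate()
    }

    private fun installStrictMode() {
        StrictMode.setThreadPolicy(
            StrictMode.ThreadPolicy.Builder()
                .detectDiskReads()
                .detectDiskWrites()
                .detectNetwork()
                .penaltyLog()          // log only: keep the debug app usable
                .build()
        )

        val vmPolicy = StrictMode.VmPolicy.Builder()
            .detectLeakedSqlLiteObjects()
            .detectLeakedClosableObjects()
            .penaltyLog()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // Cleartext detection exists from API 23. A plain-HTTP request in a
            // debug build is the "most serious case", so crash on it specifically
            // rather than on every VM violation.
            vmPolicy.detectCleartextNetwork()
                .penaltyDeathOnCleartextNetwork()
        }
        StrictMode.setVmPolicy(vmPolicy.build())
    }
}
```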
  22. Code Tampering, #8 OWASP Threat: YOUR CODE AGAIN
  23. Code Tampering: What is it?
     • The unwanted modification of your app’s code
     • Modification of your app’s resources
     • The unintended use of your app through the use of a ‘rooted/jailbroken’ device
     • More common in popular apps such as ‘freemium’ games
     • Used by malicious actors to distribute modded APKs with spyware + more nasty surprises 😈
  24. Code Tampering: How could we do it?
     • Using APKTOOL: ibotpeaches.github.io/Apktool
       • Decompiles APK to resources and SMALI files
       • SMALI = Converted .dex byte-code
       • Run using: apktool d app.apk
  25. Code Tampering: Kotlin
     private fun showPinEntered(pinCount: Int) {
         binding.mainPin.text = "*".repeat(pinCount)
     }
  26. Code Tampering: Converted Smali Example
     .method private final showPinEntered(I)V
         .locals 2
         .param p1, "pinCount"
         .line 56
         iget-object v0, p0, Ldev/spght/owasp/login/LoginActivity;->binding:Ldev/spght/owasp/databinding/LoginBinding;
         if-nez v0, :cond_0
         # Removed binding error handling code here for brevity
         iget-object v0, v0, Ldev/spght/owasp/databinding/LoginBinding;->mainPin:Landroid/widget/TextView;
         const-string v1, "*"
         check-cast v1, Ljava/lang/CharSequence;
         invoke-static {v1, p1}, Lkotlin/text/StringsKt;->repeat(Ljava/lang/CharSequence;I)Ljava/lang/String;
         move-result-object v1
         check-cast v1, Ljava/lang/CharSequence;
         invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
         .line 57
         return-void
     .end method
  27. Code Tampering: Converted Smali Example (same method, highlighting the header)
     .method private final showPinEntered(I)V
         .locals 2
         .param p1, "pinCount"
  28. Code Tampering: Converted Smali Example (same method, highlighting the repeat() call)
         check-cast v1, Ljava/lang/CharSequence;
         invoke-static {v1, p1}, Lkotlin/text/StringsKt;->repeat(Ljava/lang/CharSequence;I)Ljava/lang/String;
         move-result-object v1
  29. Code Tampering: Converted Smali Example (same method, highlighting the setText() call)
         invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
         .line 57
         return-void
  30. Code Tampering: ⚠ How to do it…
     • Modify Smali files to do XYZ (i.e. whatever)
     • Samples: https://ur.link/43i ⚠
     • Re-compile app using apktool then re-sign using jarsigner

     # Re-compile the app
     # base in this example is the base folder of the decompiled app
     apktool b base
     # Generate a new key to sign the build
     keytool -genkeypair -v -keystore key.keystore -alias publishingdoc -keyalg RSA -keysize 2048 -validity 10000
     # Sign the new app APK
     jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ./key.keystore base.apk publishingdoc
  31. Code Tampering: How to detect it!
     • Root Detection SDKs
       • RootBeer: github.com/scottyab/rootbeer
     • Jetpack Security App Authenticator SDK
       • Verifies SHA-256 of signing certificates
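The signing-certificate check described on this slide, hand-rolled as an added example (not the App Authenticator library's API and not code from the deck): the app reads its own current signer(s) from PackageManager, hashes the DER-encoded certificate with SHA-256 and compares it with the digest pinned at build time. EXPECTED_SIGNER_SHA256 is a placeholder for your release certificate's digest.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// Placeholder: replace with the lowercase hex SHA-256 of your release
// certificate (e.g. the SHA256 line of `keytool -printcert -jarfile app.apk`,
// colons removed). One entry per signer if the APK has several.
private val EXPECTED_SIGNER_SHA256 = setOf(
    "PLACEHOLDER_64_HEX_CHARS_OF_YOUR_RELEASE_CERT_SHA256"
)

// Hex-encoded SHA-256 of a DER-encoded certificate.
fun sha256Hex(cert: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(cert)
        .joinToString("") { "%02x".format(it) }

// Current signer(s) of the installed package. On API 28+ read the signing
// lineage (oldest first, current certificate last) so that a key rotation
// performed with apksigner does not break the check.
fun currentSigners(context: Context): List<Signature> {
    val pm = context.packageManager
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        val signing = info.signingInfo ?: return emptyList()
        if (signing.hasMultipleSigners()) signing.apkContentsSigners.toList()
        else listOf(signing.signingCertificateHistory.last())
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures.toList()
    }
}

// True only when the set of current signer digests equals the pinned set:
// a re-signed (tampered) APK carries the attacker's certificate, not yours.
fun isSignedByExpectedKey(context: Context): Boolean {
    val digests = currentSigners(context).map { sha256Hex(it.toByteArray()) }.toSet()
    return digests.isNotEmpty() && digests == EXPECTED_SIGNER_SHA256
}
```

Because this check ships inside the same APK, a tampered build can patch it out just like any other method; treat it as one signal and pair it with a server-side check of the client where the stakes warrant it.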
  32. Intermission: Super shameless plug…
     • I have two articles with relevant code tampering material:
       • “Learning to 'Hack Android' with picoCTF”
       • “Hands on with Jetpack's Security App Authenticator library”
     ✨ BOTH AVAILABLE TO READ AT SPGHT.DEV ✨
  33. Reverse Engineering, #9 OWASP Threat: YOUR CODE AGAIN, AGAIN
  34. Reverse Engineering, AKA gnireenignE esreveR
     • Decompiling your app and understanding how it works to find vulnerabilities + other goodies
     • Similar attack approach to Code Tampering
     • Uses a similar set of tools to look at source code
  35. Reverse Engineering: How to do it…
     • Your APK is just a ZIP file with extra spice
     • Rename app.apk to app.zip
     • Unzip
     • ???
     • Profit
     • A wild folder with lots of files appeared!
  36. Reverse Engineering: The innards of your APK
     • .dex files are Dalvik Executable files
     • Similar to Java .class files but run on Android’s JVM
     • Contains Dalvik byte code
     • Possible to convert back to its original source code (lossy process)
  37. Reverse Engineering: How to do it…
     • Convert .dex to .jar
       • github.com/pxb1988/dex2jar
     • ⚠ Run dex2jar *.dex
     • ⚠ Open .jar in JADX / Luyten / JD-GUI
     • ⚠ Explore code
  38. (image-only slide)
  39. Extraneous Functionality, #10 OWASP Threat: IT’S YOUR CODE ONCE AGAIN, YOU GET THE PICTURE…
  40. Extraneous Functionality, i.e. a treasure hunt for hackers
     • Hackers look for ‘back-doors’ in your app’s code
       • Hidden feature flags
       • Hard-coded debug accounts
       • Any other goodies you left behind…
  41. Extraneous Functionality: How to protect against it
     • Where possible, do not ship with anything included in your app that could be ‘enabled’ when you don’t want it to be
     • Ensure you strip out any hard-coded credentials or anything you use for QA-ing the app
     • GOOD CODE REVIEWS!
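One way to keep QA-only functionality out of the shipped APK rather than merely switched off, as an added example (a build.gradle.kts fragment in the Gradle Kotlin DSL, not from the deck); QA_MENU is a hypothetical flag name.

```kotlin
android {
    buildFeatures {
        // BuildConfig generation is opt-in from AGP 8
        buildConfig = true
    }
    buildTypes {
        release {
            // Weak approach: shipping the QA menu behind a runtime toggle
            // (a hidden preference, a server flag) leaves the code in the APK
            // for anyone decompiling it to find and re-enable.
            // Stronger: make the flag a compile-time constant. `if (BuildConfig.QA_MENU)`
            // becomes dead code in release, and R8 removes the branch and the
            // classes only it referenced.
            buildConfigField("boolean", "QA_MENU", "false")
            isMinifyEnabled = true
            isShrinkResources = true
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
        debug {
            buildConfigField("boolean", "QA_MENU", "true")
        }
    }
}
// Go further by placing the QA screen's sources under src/debug/ (not src/main/)
// so release builds never compile the class at all; main code reaches it only
// through the flag above. Credentials for test accounts belong in the QA
// environment, never in any source set.
```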
  42. Thanks for watching!
     • Find me on Twitter @Sp4ghettiCode
     • Thanks to Android Worldwide for rescheduling this talk!
     • More resources and links at spght.dev/talks
     • Please do reach out if you are interested in learning more or have knowledge to share with the community!
     • Questions and Answers to follow…
  43. EOF