Numerous companies offer solutions to secure mobile devices in the enterprise by supporting a Bring Your Own Device (BYOD) policy inside the government. Yet even the most robust solutions still cannot protect mobile devices from the large number of cyber threats they face. This article introduces you to the Open Web Application Security Project (OWASP) Mobile Top Ten Risks. You will read about an example of one of these risks, and you will be introduced to a number of resources to help you develop more secure mobile applications.
One of the main threats to mobile devices is the Man in the Middle (MitM) attack. In a MitM attack the attacker inserts themselves into the communication between a user's mobile device and another resource on the network. The most common example is an attacker taking advantage of WiFi to force a user's mobile device to connect to a WiFi access point, or to a computer operating as one, which lets them view and manipulate all data passing between the user's device and its intended recipient (see Figure 1).
VPNs, SSL, and other forms of encryption can help reduce data loss. However, depending upon the form and method of encryption, the attacker can sometimes decrypt traffic, capture encryption keys, or turn off encryption without the end user even knowing. Even worse, more sophisticated attackers can inject malicious code into a mobile device or directly attack a mobile device's radio drivers, allowing device- and kernel-level attacks. While MitM attacks provide a large number of vectors for compromising a device, many developers are not aware of them, since few mobile application developers perform security testing of their applications. Next, we will look at some of the major issues with mobile applications and at the resources available to developers for testing their applications and making them more secure.
While there is currently little in the way of security methodologies for testing mobile devices and mobile applications, the Open Web Application Security Project has started a new project focused on enhancing mobile application security. Currently OWASP provides high-level guidance on what it considers the ten worst security risks in mobile application development, ranked using the OWASP risk rating methodology.
In this article we will look at the first of the OWASP Mobile Top Ten, insecure data storage, which is one of the most common mistakes application developers make (for more information on the project you can watch this video). Often this is because application developers either assume certain data does not need to be stored securely, or mistakenly believe that access protection, such as a PIN on the mobile device, or network security, such as HTTPS, is sufficient protection for sensitive data. As already stated, MitM attacks can easily expose data sent over WiFi even if it is protected by SSL.
Furthermore, applications that never send data over the network and only store it locally also need to store that data securely, or at least give the user the option to do so. Attackers who successfully compromise a mobile device will often try to capture information from common storage locations on the phone, or target known applications that store information in plain text, either in a file or in a SQLite database. They will even look for data stored by applications that use weak encryption, knowing that they can brute-force the file or data later. Unfortunately, this is surprisingly common and can even be seen in versions of Facebook's official application for iOS and Android, where potentially sensitive data is persisted as plain text.
Understanding OWASP Security Anti-Patterns with GoatDroid and iGoat
These types of mobile attacks are so common that Jack Mannino of nVisium has purposely built insecure Android applications, collectively called GoatDroid, that demonstrate the OWASP Mobile Top 10 Risks. There is also a version of these applications for iOS called iGoat. In Figure 2 we see a simple example of an application login screen and the Android application code behind it. In the example, the developer is using the Android SharedPreferences class to store the application credentials and enable the "remember me" function. Unfortunately, the developer has encrypted neither the password nor the login, and has made the credentials readable by other applications, which exposes them to specific attacks. Indeed, recent malware against Android devices by foreign actors takes advantage of the lack of secure data storage in many applications, collecting all types of sensitive information. In these cases, it is best practice to always encrypt data at rest (data sitting on the device in some form), and there are numerous encryption tools and APIs available to mobile developers on any platform. Depending upon your platform, the OWASP mobile project outlines specific threats and remediation here.
While GoatDroid provides some good examples of insecure patterns, reviewing applications in your organization may not be as straightforward if you are not given the source code. Fortunately, there are a large number of tools to assist security testers and developers in testing applications they want to deploy to their organization's mobile devices, or in examining applications they suspect might be malware.
For Android, perhaps the two most popular free open source toolkits are the Android Reverse Engineering (A.R.E.) project and the Open Source Android Forensics (OSAF) project. Both projects provide tools to analyze Android applications, with the A.R.E. project focused much more on reverse engineering Android applications to look for malware. Read Chapter 2, "Android hardware platforms," in Android Forensics: Investigation, Analysis, and Mobile Security for Google Android for details about Android hardware. OSAF is particularly useful for finding insecure data storage with its built-in static analyzer. The OSAF project is based on code from viaForensics, originally developed by Andrew Hoog for law enforcement.
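As an added illustration of the kind of check an insecure-storage analyzer performs (this is example code written for this article, not OSAF's or A.R.E.'s code), the program below parses a SharedPreferences XML file of the sort found under an app's data directory and flags string entries whose key names suggest credentials. The sample XML, the key-name patterns and the severity labels are all constructed assumptions; a real audit would run this over every preferences file and SQLite database pulled from the device.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SharedPrefsAudit {
    // Heuristic list of key names that commonly hold credentials (assumption).
    private static final Pattern SENSITIVE_KEY =
        Pattern.compile("(?i)pass(word)?|pwd|secret|token|api[_-]?key|auth|session");

    // A value that is base64 of at least 16 bytes is treated as possibly ciphertext;
    // anything else matching a sensitive key is reported as plain text.
    private static final Pattern LOOKS_ENCODED = Pattern.compile("^[A-Za-z0-9+/]{22,}={0,2}$");

    // Constructed sample of what <app data dir>/shared_prefs/login.xml might contain.
    static final String SAMPLE_PREFS =
        "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n" +
        "<map>\n" +
        "  <string name=\"username\">alice</string>\n" +
        "  <string name=\"password\">hunter2</string>\n" +
        "  <string name=\"api_token\">Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==</string>\n" +
        "  <boolean name=\"remember_me\" value=\"true\" />\n" +
        "  <int name=\"launch_count\" value=\"3\" />\n" +
        "</map>\n";

    /** Returns one finding line per sensitive-looking <string> entry. */
    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The file comes from an untrusted app: refuse DOCTYPEs and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();
        NodeList strings = doc.getElementsByTagName("string");
        for (int i = 0; i < strings.getLength(); i++) {
            Element e = (Element) strings.item(i);
            String name = e.getAttribute("name");
            String value = e.getTextContent();
            if (!SENSITIVE_KEY.matcher(name).find() || value.isEmpty()) continue;
            if (LOOKS_ENCODED.matcher(value).matches()) {
                findings.add("INFO  " + name + ": encoded value (confirm it is ciphertext, not just base64)");
            } else {
                findings.add("HIGH  " + name + ": plain-text value stored");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String line : audit(SAMPLE_PREFS)) {
            System.out.println(line);
        }
    }
}
```

On the constructed sample this reports the plain-text password as HIGH and the base64-looking token as INFO. The INFO case is deliberate: base64 is encoding, not encryption, and the analyzer cannot tell a ciphertext from an obfuscated secret, so such entries need a look at the code that writes them rather than an automatic pass.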
Safari Books Online has the content you need
Check out these books by Andrew Hoog that cover iOS and Android forensics:
Forensic analysts and security engineers have struggled with the lack of knowledge and supported tools for investigating Android devices. Android Forensics: Investigation, Analysis, and Mobile Security for Google Android seeks to address these issues not only by providing in-depth insights into Android hardware, software, and filesystems, but also by sharing techniques for the forensic acquisition and subsequent analysis of these devices.
As sales and usage of iPhones increase, so does the demand on organizations that conduct examinations of this device. iPhone and iOS Forensics takes an in-depth look at methods and processes that analyze the iPhone/iPod in an official legal manner. This book details the iPhone with information data sets that are new and evolving, with official hardware knowledge from Apple itself to aid investigators. Learn techniques to forensically acquire the iPhone, iPad and other iOS devices.
About the author
Robi Sen is an experienced industry professional whose dynamic twenty-plus year career in information technology, engineering, and research has led him to work on cutting-edge projects for NASA, the DoE, and the DoD. Robi also has extensive experience in the commercial space, including the creation of several successful start-up companies. He is recognized as an application development authority and regularly contributes to papers, articles, and technical books, where he continues to help develop and define technology beyond the bleeding edge. He has comprehensive experience in resource management and a strong theoretical and practical background in security and encryption technologies. Robi has authored or contributed to numerous patents in wireless technology, in addition to penning award-winning historical primary research into the effects of agency on insurgency and irregular warfare. Robi earned his B.S. in mathematics from Colorado State University and his Master's in Military History at Norwich University. Robi can be reached at email@example.com.