Mobile Application Security—The New Frontier
by Bruce DeYoung, Director, Application Security, Coalfire
The Apple numbers are staggering:
- 100 million smartphones sold to date.
- 15 million tablet PCs sold since the 2010 introduction.
- 350,000 iOS-based apps available in the AppStore.
- 10 billion apps downloaded from the AppStore
The Android™ numbers are even more unbelievable and growing:
- 5 million Android-based smartphones sold and activated in 2009.
- 100,000 sold each month as of June 2010.
- 200,000 sold each month as of August 2010.
- 300,000 sold each month as of December 2010.
- 75 million Android-based smartphones will be active by 2012.
- 100,000+ apps now available in the Android Market.
- Over 1 billion Android apps downloaded from the Android Market.
The power and popularity of consumer mobile computing is changing quickly and dramatically. Applications as innocuous as iFart (the #1 downloaded app worldwide!) and Google’s free Google Sky Map (it’s so cool!) continue to grow more popular. In addition, commercial entities are rapidly adopting mobile-based applications for retail sales floors, restaurants and dining rooms, distributed mobile banking, just to name a few. But you have to wonder if these new toys/tools are secure? Sure, they’re useful, interesting, and even fun; but do they represent new vulnerabilities to personal or sensitive information that we haven’t even thought of yet? To the first question, the answer is, "not necessarily". To the second question, the answer is, "absolutely"!
These platforms introduce new threat landscapes and new opportunities for the bad guys to slyly capture data from millions of unsuspecting mobile app users, which they will then sell on the black market. Suddenly, our most personal and valuable information, including bank accounts, social security numbers, credit card numbers, debit PINs, credentials to corporate resources, images of scanned checks, is laid out on a cyber table simply waiting to be picked up by anyone who comes along. With so many people using their mobile devices to manage their lives, you can bet there is considerable effort being put into the art of hacking right now. Often this goes on behind closed doors or in dark, smoky rooms somewhere suspicious. But it may just be going on next door in your neighbor’s basement. The threat is everywhere.
Mobile application security is clearly in its infancy. However, significant research is underway to develop security best practices for both the iOS and Android platforms, including work on threat landscape for mobile devices, best practices/tools for mobile application design, as well as app pen testing. SANS is developing two independent application security courses for the iOS and Android platforms that will be ready this summer. OWASP is actively researching and developing the OWASP Mobile Top 10. Many enterprises are developing their own internal best practice policies and testing procedures for their mobile apps. PCI SSC continues to work on compliance requirements for mobile-based Point-of-Sale (POS) applications, and we look forward to their published guidelines soon.
What should you do if you are currently designing or implementing a mobile app? Here is a checklist of some security best practices to consider during your development and testing process. Note: these are iOS-specific, but can be more generally applied to the Android platform in most cases.
- Input and output validate every dynamic input (user input, external HTML or database feed, URLs)
- Audit traditional unsafe methods dealing with memory management (memcpy, strcpy, etc.
- Look for format string vulnerabilities
- Grep for password strings and hardcoded credentials/secrets in the code
- Grep for NSURL, CFStream, NSStream to locate and validate all network connections
- Grep for SQL strings and SQLLite queries
- Look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticate to see if certificate exceptions are being bypassed
- Locate calls to NSLog to see what data is being logged
- Check implementation of URLSchemes in handleOpenUrl
- Ensure information is being secured in the KeyChain and/or the filesystem
- Be sure no critical data is stored using NSUserDefault
- Check the server side code and web-root, including implementations and payloads sent to the APN (Apple Push Notification) to verify that APN certs are pass-phrase protected
- Pay attention to UIWebView implementations: From what location is the HTLM being rendered? Is the URL always visible?
- Verify Copy-Paste functionality is disabled in sensitive fields (PHI, PII, credit card data)
- Verify UI fields that display critical data hide themselves in applicationWillTerminate and applicationWillEnterBackground to prevent screenshot caching
- Run the App and monitor data (Jailbreak/SSH or a tool such as PhoneView)
- Decrypt the binary and run ‘strings’
- Install Burp CA and monitor + fuzz HTTP/HTTPS traffic
- Look for leakage of UDID and/or PII/PHI to 3rd party analytics services or in clear-text
- Verify the server side architecture does not rely on the iOS device to truthfully state its location (this data can be intercepted and modified)
In short, do as much due-diligence as you can. Include your own research on mobile app security, and implement a plan for mobile app security assurance in your organization. Don’t let the intense pressure to get to market create a myopic view towards your application’s security in the marketplace. Short-cutting security may mean earlier entry to market, but exploitation of a vulnerable app will most likely destroy your brand quickly.
Coalfire Systems continues to work with many industry experts to stay on the front wave of this exciting new security space. Please do not hesitate to contact us for assistance in evaluating your mobile app secure development process, or to assess the security posture of your new mobile application.