Today is the day dubbed the most depressing/miserable/stressful day of the year, or Blue Monday. Cliff Arnall, a UK Psychologist, created a mathematical formula to calculate this based on a number of factors, including the holidays ending, work resuming, cold gloomy weather, etc. While I can’t attest to whether this is true, it prompted me to share a few thoughts if information security was adding to your misery or stress level!
My blog topic for this year’s most miserable day is on Mobile Application security and what to do if the lack of security in this area is adding to your stress level. The exploding use of smartphones and tablets in 2012 kept cybercriminals busy, and security experts warn of more to come in 2013. The beginning of the year is a logical time to develop any plan, a mobile security plan included. If one of your goals in your information security plan is to reduce stress and improve Mobile Application Security, I believe the following information will be helpful.
Over the years the majority of organizations have made great strides in strengthening their network and operating system security. This has caused hackers to look to other areas of attack. One such area is web applications, as evidenced by the fact that the majority of breaches are currently occurring through them. As more mobile applications have been deployed, they have become a common attack vector as well.
Open Web Application Security Project (OWASP)
For years OWASP has published a list of the Top Ten Web Application security vulnerabilities. If you’re not familiar with OWASP, it is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Further information can be found at www.owasp.org. Their Top Ten list has become the de facto standard of web application vulnerabilities, and their website provides a wealth of information on improving web application security.
OWASP Mobile Security Project
In September 2011 OWASP announced the OWASP Mobile Security Project. This is intended to be a resource for developers and security teams to assist with building and maintaining secure mobile applications. Another goal is to classify mobile security risks and provide development controls to reduce their impact and the odds of their being exploited. As part of this effort, they published the following list of their Top Ten Mobile Risks:
- Insecure Data Storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client Side Injection
- Poor Authorization and Authentication
- Improper Session Handling
- Security Decisions Via Untrusted Inputs
- Side Channel Data Leakage
- Broken Cryptography
- Sensitive Information Disclosure
Mobile Application Security Planning
When developing a plan for mobile application security there are multiple areas that impact security and therefore need to be addressed including:
- The application layer and the OWASP Top Ten Mobile Risks
- Mobile platform
- Carrier risks
- Server infrastructure
- Remote authentication services
Developer Security Training
Many developers have never received training on application security as most schools do not include this training in their curricula. Developer security training can take many forms depending on your developers’ experience. Some classes are one day in length and based on OWASP’s Mobile Top Ten Risks. Other classes may be a week or so in length covering topics such as incorporating security into your software development lifecycle (SDLC). Providing developer training is one of the most important first steps in improving mobile application security.
Mobile Application Technical Design Review
Another integral part of your mobile application security plan should be an assessment of the technical design of mobile applications. This review should ensure that information security best practices are being followed and incorporated into the secure development of mobile applications.
Mobile Application Security Assessment
Prior to the release of mobile applications, a security assessment should be performed. This assessment should involve multiple areas including both dynamic and static analysis as well as the other areas listed below.
Dynamic Mobile Application Security Assessment – A dynamic mobile application security assessment reviews the application by identifying vulnerabilities in areas such as data storage, network communication, cryptographic usage, remote web services, and business logic. In this assessment many of the OWASP Mobile Top Ten vulnerabilities are found.
Business Logic Review – Manual user testing of the security of the application is also necessary to fully understand the capabilities and functions of the application. All points of interaction and input need to be assessed, and attempts to exploit logic flaws within the application should be checked for issues such as invalid operations, bypassing validation checks, weak or invalid authentication, and authorization bypass.
Local Storage Review – In this stage testers should attempt to identify sensitive information which is stored locally on the device or on expandable storage cards. This should verify that any sensitive information which must be stored on the device cannot be accessed or modified outside of trusted systems and processes.
Interprocess Communication Review – When developing a mobile application it is expected that only your application, as well as other trusted services, will have access to your data and to critical functionality within the application itself. Testers should attempt to identify weaknesses in the trust model of the application and enumerate any sensitive operations or data which can be accessed or modified, without the proper authorization, by other applications or services.
Network Monitoring – Testers should monitor all network traffic generated by the mobile application. This includes identifying sensitive information being sent through clear-text protocols which may be observed and either stolen or reused by an attacker. Custom protocols should be analyzed and testers should attempt to reverse engineer data flows in the attempt to read or alter those communications.
Additionally, for all HTTP(S) traffic generated from the application, testers should use a “Web Proxy” that sits between the application and the server. Because the proxy terminates the TLS connection, all submissions to the server are decrypted at the proxy and the tester is able to view the entire transmission, including tokens, custom headers, values, cookies, and session IDs. This type of tool also allows the tester to craft injection attacks and to modify data before sending the request to the server, thus bypassing client-side validation.
Static Mobile Application Security Assessment – A static mobile application security assessment can use static binary analysis technology to review the application from a white box code review perspective. This method of testing can evaluate mobile applications through advanced modeling and can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic scanning alone. By looking at the code in its compiled version, vulnerabilities introduced by APIs, compiler optimizations, linked libraries, and third party components are evaluated and identified (these items are not easily recognized by standard source code testing).
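The Local Storage Review above is easy to automate once the app’s data directory has been pulled from a test device. The scanner below is an added example, not code from the original post or from OWASP: it walks an extracted app sandbox, flags files readable or writable by other users, greps text files for clear-text credentials (the regexes are illustrative assumptions), and inspects SQLite databases for populated columns whose names suggest cached secrets. The sample sandbox it builds is constructed for the demonstration.

```python
import os, re, sqlite3, stat, tempfile
from pathlib import Path

# Illustrative regexes (assumption) for secrets that should never be at rest in clear text.
SENSITIVE = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "token": re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[=:]\s*\S+"),
}

def scan_sqlite(path):
    """Flag populated columns whose names suggest secrets, e.g. a cached credential table."""
    hits, con = [], sqlite3.connect(path)
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for _, col, *_ in con.execute(f'PRAGMA table_info("{table}")').fetchall():
            if re.search(r"(?i)pass|secret|token|pin", col):
                n = con.execute(f'SELECT count(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()[0]
                if n:
                    hits.append(("sqlite_secret_column", f"{table}.{col} ({n} rows)"))
    con.close()
    return hits

def scan_file(path):
    """Findings for one file: loose permissions, then clear-text secrets or secret-bearing columns."""
    mode = os.stat(path).st_mode & 0o777
    hits = [("world_accessible", oct(mode))] if mode & (stat.S_IROTH | stat.S_IWOTH) else []
    if path.endswith(".db"):
        return hits + scan_sqlite(path)
    text = Path(path).read_bytes().decode("utf-8", errors="ignore")
    for kind, pat in SENSITIVE.items():
        hits += [(kind, m.group(0)) for m in pat.finditer(text)]
    return hits

def scan_app_data(root):
    """Walk an extracted app data directory; map relative path -> findings (empty dict = clean)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if hits := scan_file(path := os.path.join(dirpath, name)):
                report[os.path.relpath(path, root)] = hits
    return report

def build_sample_app_dir():
    """Constructed sandbox: world-readable prefs holding a password, plus a db caching an auth token."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "databases"))
    prefs = os.path.join(root, "app.properties")
    Path(prefs).write_text("theme=dark\npassword=hunter2\n")
    os.chmod(prefs, 0o644)  # readable by any other process on a rooted or shared device
    con = sqlite3.connect(os.path.join(root, "databases", "cache.db"))
    con.executescript("CREATE TABLE session(user TEXT, auth_token TEXT); INSERT INTO session VALUES ('alice', 'tok-constructed-123');")
    con.commit(); con.close()
    return root
```

Run `scan_app_data(build_sample_app_dir())` to see both findings; on a real review, point it at the directory pulled from the device instead.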
Web Services Testing
Over the years web services have become an integral part of mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. It’s critical that mobile web services are assessed through dynamic analysis to determine if these services can be abused by attackers.
Testers should assess your SOAP or REST based web services for the vulnerability types commonly found in web services, and perform security testing that is specific to web services, including but not limited to:
- XML Structural Testing
- XML Content-Level Testing
- HTTP GET parameters/REST Testing
- Naughty SOAP attachments
- Replay Testing
- Web Service MITM Testing
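Replay Testing checks whether a captured request can simply be resent and accepted again. The code below is an added example (not from the original post or any named product) of the server-side control that such a test should find in place: each request carries a timestamp, a one-time nonce and an HMAC over the method, path, body hash, timestamp and nonce, and the service rejects stale timestamps, bad signatures and nonces it has already seen. The header names, shared secret and skew window are assumptions.

```python
import hashlib, hmac, secrets, time

# Constructed shared secret between the mobile client and the web service (assumption).
CLIENT_SECRET = b"constructed-client-secret"
MAX_SKEW = 300  # seconds a timestamp may drift before the request is treated as stale

def canonical(method, path, body, ts, nonce):
    """Bytes covered by the signature: everything that identifies one specific request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()

def sign_request(method, path, body, secret=CLIENT_SECRET, now=None):
    """Client side: attach timestamp, fresh nonce and HMAC headers to a request."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}

class ReplayGuard:
    """Server side: verify the signature, reject stale timestamps and already-seen nonces."""
    def __init__(self, secret=CLIENT_SECRET, max_skew=MAX_SKEW):
        self.secret, self.max_skew = secret, max_skew
        self.seen = {}  # nonce -> expiry; only nonces still inside the skew window need remembering

    def verify(self, method, path, body, headers, now=None):
        now = now if now is not None else time.time()
        try:
            ts = int(headers["X-Timestamp"])
            nonce, sig = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing or malformed headers"
        if abs(now - ts) > self.max_skew:
            return "stale timestamp"
        expected = hmac.new(self.secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return "bad signature"
        self._expire(now)
        if nonce in self.seen:
            return "replayed nonce"
        self.seen[nonce] = ts + self.max_skew
        return "ok"

    def _expire(self, now):
        """Drop nonces whose timestamp window has closed; later copies fail the skew check anyway."""
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
```

In a real deployment the nonce cache must be shared across service instances (a central store with TTL), or a replay sent to a different node would pass.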
Realistic Mobile Application Security Planning
It’s important to understand that there is no mobile security program or technology that will ensure you’re 100% secure; no need to stress over achieving that! Your goal should be to implement a mobile application security plan as part of your information security program that improves mobile application security by lowering your risks, their potential impact, and your odds of being exploited.
Building and maintaining a mobile application security program that works for your organization (as well as for you) will unquestionably lower your overall stress level in 2013. Best wishes for a safe, successful, and less stressful January 21st and New Year!