You will Never Have Complete App Security

When I speak with clients, there always seems to be an impression, on their part, that things are either secure or not secure. Unfortunately, whether it’s desktops, laptops, servers or smartphones, the principle is the same: you will never have complete application security.

It will always be possible to fool users into installing things or doing things they shouldn’t. There will always be vulnerabilities that allow root and hence allow, for example, memory dumps of decrypted data. There will probably always be NSA backdoors and the possibility to eavesdrop on radio frequency (RF) noise. There will always be some users that root their devices making things considerably easier for attackers.

This doesn’t mean you should give up and not consider security at all. For all apps, simple safeguards, for example, keeping data in the Android sandbox, provide basic protection with negligible extra effort. At the other end of the scale there’s a class of apps, for example banking and payment, that needs to make it algorithmically time consuming (via encryption) or extremely technically difficult (via tamper protection) for attackers to read sensitive data. You will never have complete application security but you can have high security that, for all normal intents and purposes, will keep your sensitive data safe.

Android App Hacking Getting Easier

In my post on my Thoughts on Google’s Android Security 2014 Year in Review I mentioned that security isn’t only about potentially harmful applications (PHAs) being installed. It’s also about the ability to easily obtain information from stolen devices and reverse engineer apps.

Today I came across a tool from AppSec Labs, AppUse, that enables easy offline reverse engineering of apps. It brings together some well-known command line tools used to reverse engineer APKs, along with a hooked ROM that gives access to things (e.g. files, communication, database, encryption) you can’t normally see externally. This is all wrapped in an easy-to-use windowed UI. The tool will mainly be used for malware analysis and penetration testing. However, it’s obviously also possible to use it for nefarious purposes.

If you have intellectual property within your app, think your app might be copied, or your app needs to be particularly secure (e.g. banking, payment, enterprise), you will want to look into obfuscation/packing and tamper detection.

Thoughts on Google’s Android Security 2014 Year in Review

I have finally got round to reading Google’s ‘Android Security 2014 Year in Review’ (pdf). I believe it’s mainly a public relations exercise to assure everyone that Android is safe and that Google is being proactive in improving security. Having read the report, it’s easy to come away with the impression that everything’s ok. There are a few places in the report where I thought “Yes, but…”.

First an obvious one. Google say they “provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches”. However, what they don’t say is that very few of those patches made their way onto consumers’ devices.

Google say “Fewer than 0.15% of devices that download only from Google Play had a Potentially Harmful Application (PHA) installed”. This doesn’t sound like many. As an end user you will probably be comforted by such a statistic. However, what if you are a company with, say, 1000 employees? Statistically, at least one of them might be leaking company information. What if you are a bank with millions of customers using a banking app? If your app doesn’t adequately secure data then a very large number of people could be affected. I think what this means for developers is that, even though there’s a low chance of infection, apps should still take exceptional steps to protect their own sensitive data and not rely solely on the platform being secure most of the time. The fact that Android is “secure most of the time” is only of significance for end users.


There’s lots of emphasis on Google’s Verify Apps that checks apps at time of install. This won’t catch everything. Attackers are getting good at installing skeleton apps and later downloading extra functionality after Verify Apps has stopped looking.

Also remember, security isn’t only about PHAs being installed. It’s also about the ability to easily obtain information from stolen devices, reverse engineer apps and other such activities that can do damage without ever installing an app for Google’s Verify Apps to check.

iOS Mobile App Security

I have written a lot about Android security so here’s something on iOS to help redress the balance. iOS has similar challenges with encrypting data and enabling authentication, and needs similar techniques such as detecting tampering via jailbroken phones or attached debuggers. This week I came across iMAS, which helps developers solve some of these problems.

iMAS is a free set of open source components that “helps developers encrypt app data, prompt for passwords, prevent app tampering, and enforce enterprise policies on iOS devices”. As on Android, it’s usually best to use pre-defined components rather than re-invent your own, which are more likely to have security flaws.

Cross Platform Tools and Security

If you follow this site you will know I am not a great fan of cross platform tools. They tend to sacrifice performance and ‘look and feel’ for faster development. In cases where you can refine the look and feel, it usually becomes increasingly difficult to get screens with the correct UI idioms because most tools are based on generating HTML/JavaScript. Enterprise apps seem to be the most suitable use for cross platform tools, as the look and feel of the UI tends to be less important. However, is this true?

I have recently written about how anyone using app-creation tools based on WebViews, or using WebViews in their app, needs to be aware of security vulnerabilities. Taking this further, there has been a recent presentation at BlackHat Asia 15 on ‘The nightmare behind the cross platform mobile apps dream‘.

The problem with cross platform is that it provides a uniform environment, which means a large number of apps can be hacked in the same way and, as it turns out, can also be hacked more easily. The presentation gives some sobering problems with Cordova, Adobe AIR and Titanium. For example, Adobe AIR’s EncryptedStorage API doesn’t do much and only stores data Base64 encoded. Titanium’s default HTTPS handling is broken: it doesn’t validate the SSL certificate and hence is vulnerable to Man-in-the-Middle (MiTM) attacks.

If you are using cross platform tools then you are passing some responsibility for security to the framework. I am beginning to think cross platform tools are actually less suitable for enterprise use, because that’s where there are usually increased security concerns.

SSL on Mobile is Still a Problem

Security Intelligence has an article on ‘Cracks in the Digital Foundation of the Internet Crumbling the Core‘ based on IBM’s X-Force Threat Intelligence Quarterly.

The mobile part of the article mentions the CERT Tapioca tool, which allows investigation of man-in-the-middle (MITM) attacks caused by apps not correctly validating SSL certificates. This has uncovered 9,200 new app security vulnerabilities affecting over 2,600 unique vendors.

The article mentions “the unusual apathy mobile app developers seem to be displaying, leaving important banking applications vulnerable to critical disclosures” and “Despite warnings, 10 of the 17 banking applications tracked (59 percent) were still vulnerable four months later”.

Read more technical information on how to check for security exceptions, verify the SSL certificate hostname and use SSL pinning.

Google’s Android for Work is Insecure

There’s a very interesting article, "Android for Work: Demystified", that dissects Android for Work and concludes it isn’t that secure. The repercussions provide some important lessons for all apps that need to handle sensitive data.

Android for Work, and Android disk encryption in general, suffer from the same mistaken expectation and the same affliction. The expectation is that encrypted drives protect data, which isn’t fully true. The affliction is that they only protect data ‘at rest’, while the phone isn’t running. Once the phone is running, the drives appear decrypted to software and can be accessed via root, or via exploits that provide access as root.

The solution to the problem is, as the article hints, to encrypt the data itself and not just rely on the drive encryption. This is the crux of the message on my Android security web site. You need to define what data needs to be kept secure and protect it appropriately. Assume your app can and will be attacked and do your best to secure only the data that has to be secured. Don’t rely solely on mobile device management (MDM), drive encryption, APK re-packaging or any other higher level wrapper.

App Security Requirements

I believe that many Android (and iOS) developers have a blind spot for app security. Clients, product owners, product managers or whoever is responsible for the app rarely have security requirements, and time-starved developers tend to ignore the problem.

What’s the problem? Well, on Android (see later for iOS) there are many ways attackers can attack your app. Whether the aim is re-packaging your app with malware, re-packaging to circumvent functionality, stealing IP or stealing secure data, an attacker has many ways to go about it. Methods include:

  • Unzipping, decompilation, recompilation and re-packaging of your code
  • Patching Android OS calls at runtime to intercept data
  • Examining runtime memory to see data
  • Taking a backup of app data and reading it offline

Some of these things are possible on unrooted devices and all these things are possible via a rooted device or, more seriously, via exploits that allow temporary access as root. Determined attackers can also create custom ROMs or emulator images that can intercept your app at given points in its lifecycle.
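The first item in the list above, re-packaging, and the debugger-based variants of the second and third, are the ones an app can at least notice at runtime: a re-packaged APK is necessarily signed with the attacker’s certificate, not yours, and a debuggable process is one whose memory and calls can be inspected. The following is an added example (not from this site or any project it links) of the two corresponding checks on Android using only platform APIs. The expected certificate hash is a constructed placeholder; the real value is the SHA-256 of your release signing certificate, which is not secret. `GET_SIGNATURES` is deprecated from API 28, where `GET_SIGNING_CERTIFICATES` and `PackageInfo.signingInfo` replace it.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Debug;
import android.util.Base64;
import java.security.MessageDigest;

public final class IntegrityChecks {

    // Constructed placeholder: base64 of SHA-256 over the DER bytes of the release
    // signing certificate. Compute it once from the release keystore and embed it here.
    private static final String EXPECTED_SIGNER_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256_BASE64=";

    /** True if the APK this process runs from was signed with the expected release key. */
    static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] expected = Base64.decode(EXPECTED_SIGNER_SHA256, Base64.DEFAULT);
            for (Signature sig : info.signatures) {
                byte[] actual = sha256.digest(sig.toByteArray());
                // constant-time compare; a re-packaged APK carries a different certificate
                if (MessageDigest.isEqual(expected, actual)) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // any failure to verify is treated as a mismatch
        }
    }

    /** True if the build is marked debuggable or a debugger is currently attached. */
    static boolean debuggingActive(Context ctx) {
        boolean debuggableBuild =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggableBuild || Debug.isDebuggerConnected();
    }

    /** Gate for the code paths that touch the data you have defined as sensitive. */
    static boolean safeToHandleSensitiveData(Context ctx) {
        return signatureMatches(ctx) && !debuggingActive(ctx);
    }
}
```

These are detection rather than prevention, and on a rooted device or a custom ROM an attacker can patch the checks out, which is exactly the point made above; they raise the cost of the first item on the list, not the later ones. The fourth item, offline reading of backups, is addressed in the manifest rather than in code, by setting `android:allowBackup="false"` on the application element so that `adb backup` cannot extract the app’s private data.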

I encourage all Android developers to do some background reading. The droidsec Wiki is a great place to start to see the scale of the problem and the tools available. Unfortunately, there’s a lot more information on how to hack than there is on how to prevent hacking presumably because it’s more fun to break things than fix them. My Android Security site offers a ‘coding first’, guideline-based approach to prevent, as opposed to detect, security problems.

If you are a product owner or product manager I suggest you also research this area, define your secure data and, if necessary, uncover security requirements for your app.

For those iOS developers thinking, "Oh that’s Android, we are safe on iOS", you might like to take a look at Lookout’s latest assessment of iOS security and my previous post on Android vs iOS security.