LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

March 26, 2013

BSides Austin Recap: Developing Secure Mobile Applications

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a short, two hour training session titled "Developing Secure Mobile Applications" This is a (very) cut down version of some of the instructor-led training classes we give on developing secure mobile applications and testing the security of mobile applications. Slides are online:

The abstract for the training was:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

Contact us for help building secure mobile applications and testing the security of mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, ThreadStrong e-Learning, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 13, 2013

Denim Group at InnoTech San Antonio 2013: Smart Phones Dumb Apps

By Dan Cornell

SA-Header
Folks headed to InnoTech San Antonio on Wednesday April 17th, 2013 should stop by the Denim Group booth and say howdy. Also, I'll be giving an updated version of my Smart Phones Dumb Apps talk at 1:00pm. The abstract for that talk is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

So if your organization is building - or using - mobile applications on platforms like Android and iOS (iPhone/iPad) you probably want to drop by. This is a fun, interactive presentation with a lot of examples that helps demonstrate why mobile security isn't just about MDM and dealing with BYOD. You also need to pay attention to the applications getting deployed on these mobile operating systems if you want to protect both your organization's and your customers' data.

Also if you want a FREE admission to InnoTech San Antonio 2013, head to www.innotechsan.com and use the code SPK13C to register.

 Contact us if you want to meet up at InnoTech San Antonio 2013 and talk about mobile application security.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles
Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns
Search Software Quality: Understanding Mobile, Web and Cloud Apps and System Architecture
Smart Phones Dumb Apps Scripts Updated

March 13, 2013 in Conferences, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 19, 2013

Smart Phones Dumb Apps Scripts Updated

By Dan Cornell

Mobile_phone

Last week I pushed some updates to the mobile application assessment scripts we released with my Smart Phones Dumb Apps presentation a while back. These scripts do some light static analysis on Android and (unencrypted) iOS binaries - mainly setting up a list of things to manually examine during a more thorough analysis. Most of these updates are courtesy of Abraham Aranguren ([name] . [surname] @owasp.org, @7a_ on Twitter) who updated a couple of packaged external tools those scripts relied on such as FindBugs and dex2jar (thanks!). You can also check out a great blog post Abraham put up listing a number of really valuable Android application security resources.

Mobile application security continues to be an area organizations struggle with. Everyone feels huge schedule pressures to get new applications and new functionality released. Developers dive into development projects without understanding how to design and build secure mobile applications. The result is pretty predictable - vulnerable mobile apps and, even scarier in most cases, vulnerable web services supporting those mobile apps.

Keep an eye on this space - at Denim Group we've been doing a lot of work both assessing the security of mobile applications as well as helping firms design and build secure mobile apps. In the next couple of months we're looking at making more of what we've been doing publicly available and hopefully organizations will be able to use that to step up their mobile security skills.

Contact us for help building secure mobile applications and setting up security assessment program for your organization's mobile strategy.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 19, 2013 in Application Security Tools, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Open Source, OWASP, Scanners, Security, Static Analysis, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

September 03, 2008

Top 5 iPhone Application Security Risks

By Dan Cornell

Img_2084

[See this post on Smart Phones Dumb Apps for updated iPhone and Android security information along with presentation slides and sample code.]

Everyebody (myself included) is all excited about the iPhone.  ActiveSync connectivity to Exchange makes it a viable option for Enterprise users and the AppStore opens up all sorts of possibilities to extend the device's capabilities.  However, organizations looking to deploye iPhone apps should take a few things into consideration:

  1. The iPhone is a new device that will host sensitive information.  iPhones can be lost and stolen.  How much of your data is going to be sitting unencrypted on the device when that happens?  It is true that the iPhone SDK has a number of built-in cryptographic routines and that is great.  However when we've looked at the use of crypto in other mobile environments (commercial applications for Windows Mobile in particular) we have found that things like key storage and proper use of algorithms are sorely lacking.  I don't expect this will change for iPhone developers who are not specifically looking into security.  A recently-discovered bug allows attackers to bypass the phone keypad lock and view sensitve information like web history and contacts.  Expect more issues like this to surface and be careful what you store on your iPhones.
  2. This is a new platform and is not terribly open - many risks are still unknown.  We've posted here before about Apple's application kill switch. What else is going on under the hood?  What data is Apple slurping off iPhone devices and sending back for their analysis?  The Independent Security Evaluators folks made an excellent observation that the security features associated with iPhone applications are more geared toward protecting Apple's revenue model rather than protecting developers and users of applications.  The iPhone is a classic example of technology being deployed first and then secured later.
  3. The application development environment is C/C++/Objective-C based which re-opens the danger of buffer overflows.  At least J2ME and mobile .NET environments try to provide some protections against this traditional software security bugbear.  The iPhone development environment is a big step back if you want to avoid remote code execution flaws.  And everyone wants to avoid remote code execution flaws, right?  Issues with Apple's own Safari browser have already been documented and if organizations are developing their own applications they should expect more of the same.
  4. Applications are often a combination of native applications and web applications, opening the possibility of Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF).  One iPhone developer I talked to said that the only way they were able to have their application ready by the iPhone 2.0 launch date was to use web controls and re-purpose a lot of web-based code they had running a similar application and incorporate it into their app with embedded web controls.  Being able to re-use existing functionality is great for productivity, but creating hybrid web/native applications re-opens the possibility for web-only attacks like XSS and CSRF.  Combine that with buffer overflows and you have the worst of both worlds.
  5. The attack surface of the device is variable.  Between WiFi, bluetooth, 3G, and Edge wireless how do you know what can find your device at any given time?  With the built-in GPS and location services who knows who your device is telling about your location at any given time?  The iPhone is a very cool device because you can do a lot of stuff with it.  Security-minded organizations are going to ask what they should be doing with it.

iPhones are certainly cool and with new features like ActiveSync integration for Exchange they are going to increasingly penetrate enterprise environments.  However it is important that organizations understand the security risks associated with rolling out iPhones and running custom iPhone applications.

So what can be done?

  1. Think about the information you are going to deploy to your iPhone devices and use the available cryptographic routines to protect data while it is at rest on the device.
  2. This one you mostly just have to live with for a while unless Apple decides to open up or until the platform has been through more testing.  The important thing is to make decisions with eyes open and understand the risks.
  3. Train your developers in secure coding techniques to avoid buffer overflows and other issues plaguing C-based applications and use well-tested libraries to help reduce the risk of buffer overflows in your application code.
  4. Use threat modeling to know what data sources your application is using.  Train your developers to properly validate incoming inputs and to escape application outputs.
  5. Have users turn off features they don't need.  Not using WiFi?  Turn it off.  Not using bluetooth?  Turn it off too.  Entice your users to do this with promises of extended battery life.

I love my new iPhone, but I don't harbor many illusions about the risks it poses.

Contact us to talk about building security in to your iPhone applications.

--Dan
@danielcornell
dan _at_ denimgroup.com

September 03, 2008 in Dan Cornell, Denim Group, Information Security, iPhone, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 12, 2008

Apple Can Disable iPhone Apps Remotely?

By Dan Cornell

Peoplewithbeluga

I saw an article on Engadget indicating that Apple may have the ability to remotely disable iPhone applications.  I saw a similar article on MacRumors a couple of days ago.

We have done some development for mobile devices in the past - specifically with Windows Mobile.  One of the big issues we saw with organizations trying to deploy Windows Mobile applications is that they were caught in a "dead zone" between the software platform provider (Microsoft), the device maker (Samsung, HTC, etc) and the network provider (T-Mobile, AT&T, etc).  Whenever anything went wrong everyone could just point at other providers in the chain and act like nothing was their fault.

One of the interesting things about Apple iPhone is that these three components are all provided the same way for everyone (in the US at least).  Apple provides the software and hardware, and AT&T provides the network.  That is good for application developers because it makes it more reasonable to expect that your applications are going to work the same wherever you deploy them.  Same hardware.  Same software platform.  Same network.

However another issue we had developing enterprise Windows Mobile applications was that the enterprise management tools were still developing - it was tricky to automatically provision and de-provision devices, applications, settings, etc.  It looks like iPhone applications can be automatically de-provisioned - the only problem is that Apple is the organization pulling the strings rather than an enterprise's IT department.

To paraphrase and somewhat mangle the words of Bruce Schneier: "When people say 'security' what they really mean is 'control.'"

Contact us for more information about building security in to your iPhone applications.

--Dan
@danielcornell
dan _at_ denimgroup.com

August 12, 2008 in Dan Cornell, Denim Group, Information Security, iPhone, Microsoft, Pro Services Life, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 05, 2008

Denim Group Mentioned in an Article About iPhone Adoption

By Dan Cornell

Alan Weinkrantz gave us a mention in his most recent article in the Express News.

--Dan
dan _at_ denimgroup.com

August 05, 2008 in Dan Cornell, Denim Group, iPhone, Pro Services Life, Web/Tech | | Comments (0) | TrackBack (0)