Denim Group, Ltd. Blog

February 13, 2012 in John Dickson, Mobile | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: denim group, john b. dickson, john dickson, mobile application security, mobile applications, security webinar, webinar

February 09, 2012

Making Security Decisions About File Storage for Android Apps

A while back I posted about some static analysis techniques for analyzing file usage in Android applications and this post looks at the same topic but from the standpoint of an application developer making decisions about file storage for their apps.

If you are building applications for Android, you should always create files with the default permissions (Context.MODE_PRIVATE) This will make it so that only your app should be able to read the file and write to the file. Other malicious applications – even if they know the file’s location – should not be able to modify it. If you have to create a file that is readable by other applications (Context.MODE_WORLD_READABLE) you should probably have a good reason and you should assume that any data stored in that file might be read by any other application installed on the device. If you have to create a file that is writable by other applications (Context.MODE_WORLD_WRITEABLE) you should have an even better reason and you should assume that malicious apps will corrupt the contents of this file. This means that any time data from this file is used it must be positively validated to make sure that any changes made to the file by other apps do not cause unexpected behavior.

PLEASE NOTE: If a device with your application falls into the hands of a malicious user, or if another application is able to execute an attack that elevates its privileges then they will still have access to the files so you should plan accordingly and never store truly sensitive information on mobile devices.It is much safer to store sensitive data server-side and retrieve it to the device only when needed.

--Dan

dan _at_ denimgroup.com

Technorati Tags: android applications, dan cornell, denim group, file storage on android, mobile application security, mobile applications

February 09, 2012 in Mobile | Permalink | Comments (1) | TrackBack (0)

October 05, 2011

Slides from Rochester Security Summit Keynote Online: The Need For Open Software Security Standards In A Mobile And Cloudy World

The Need For Open Software Security Standards In A Mobile And Cloudy World

Slides from my keynote at the Rochester Security Summit are now online here:

View more presentations from Denim Group

The title of the talk was “The Need For Open Software Security Standards In A Mobile And Cloudy World” and the abstract was:

The security landscape is changing and the security industry must adapt to stay relevant. The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment. New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices. Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation. This presentation discusses the need for open software security standards to support this evolution. Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers. In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems. Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance. The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.

I had a great time at the conference and really appreciate the hospitality of the Rochester crew.

--Dan

dan _at_ denimgroup.com

October 05, 2011 in Conferences, Mobile | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: 2011, cloud security, dan cornell, denim group, mobile security, rochester security summit, software security standards

August 16, 2011

Mobile Application Security Code Reviews: BSides Las Vegas Materials Online

David Rook (@securityninja) and I gave a training class at 2011 Security BSides Las Vegas on mobile application security code reviews. We used his Agnitio code review tool to analyze a flawed application and identify potential issues.

The slides are online here:

The code for the intentionally-flawed sample Pandemobium Stock Trader application can be found online here. The code online includes both Android and iOS versions of a vulnerable application as well as the backing web services that support the apps.

Contact us for more information on application security training programs including instructor-led training for and eLearning.

--Dan

dan _at_ denimgroup.com

August 16, 2011 in Mobile | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: bsides, dan cornell, david rook, denim group, las vegas, mobile app security code review, mobile applications, mobile apps, security bsides, security conference, training class

June 12, 2011

OWASP AppSecEU 2011 Slides Online: Security Testing Mobile Applications

I just got back from Dublin, Ireland where I attended OWASP AppSecEU 2011. I gave a training class on building secure mobile applications and testing the security of mobile applications and also did a presentation on different techniques for security testing mobile applications.

The slides from the presentation are online here:

During the presentation we looked at different techniques for security testing mobile applications:

Static (both source code and binary)
Dynamic
Forensic

Mobile security testing is different than web application security testing. Techniques like automated dynamic testing that can produce some quick and useful results for web applications do not necessarily provide the same immediate value for mobile apps. The presentation talks through some different approaches and where they can provide the most value. And for a bonus – all the photos in the presentation slide deck came from the Guinness Brewery Tour!

--Dan

dan _at_ denimgroup.com

June 12, 2011 in Conferences, Mobile, OWASP | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: appseceu, dan cornell, daniel cornell, denim group, dublin, ireland, mobile app security, mobile applications, mobile apps, owasp, presentation, security, testing

April 20, 2011

Using Static Analysis to Review File Access in Android Apps

The Android platform does some clever things to firewall apps off from one another. One of the important protections the platform provides is to install each application under its own Linux user account, and then use file ownership and permissions to keep one application from reading or modifying another app’s files. By default, files are set up so that they are only readable/writeable by their own app’s user account and you have to explicitly create files as world-readable and/or world writeable.

Because applications often misuse these platform protections, assessing the security of an Android application should include checks to verify that the application is taking proper advantage of them. There might be valid reasons for creating files that are world-readable and world-writeable, but finding these files is certainly cause for more inspection and probably a frank discussion with the developer about their threat model and design decisions. In this blog post we will look through some static analysis techniques and freely-available tools that can be used to perform some of this testing. All of the analysis scripts can be downloaded from the Google Code repository at www.smartphonesdumbapps.com. I’d recommend pulling down the latest from the Subversion repository rather than using one of the packaged downloads so you get the most updated code.

For the purposes of our testing, let’s assume that we have been given an Android app APK file – so all we have is what an attacker might pull down from an app store. Unbeknownst to us (at the current time), the application has a method that creates a bunch of files with a variety of permissions. The source code looks something like this:

private void createFilesForNoReason()
{
      FileOutputStream stream1, stream2, stream3, stream4;
      String privateFile = "privateFile";
      String worldReadableFile = "worldReadableFile";
      String worldWriteableFile = "worldWriteableFile";
      String worldReadableWriteableFile = "worldReadableWriteableFile";
      Context context = getApplicationContext();

      try {
            stream1 = context.openFileOutput(privateFile, Context.MODE_PRIVATE);
            stream2 = context.openFileOutput(worldReadableFile, Context.MODE_WORLD_READABLE);
            stream3 = context.openFileOutput(worldWriteableFile, Context.MODE_WORLD_WRITEABLE);
            stream4 = context.openFileOutput(worldReadableWriteableFile,
                                    Context.MODE_WORLD_READABLE |
                                    Context.MODE_WORLD_WRITEABLE);

      } catch (Exception e) {
            //    Serves you right for trying to open so many files with
            //    unjustified permissions...
      }

}

Before we got the APK file, this method would have been compiled down down to DEX bytecode. If we run the analyze_android.pl script from the analysis scripts we downloaded, one of the tasks that will be executed (among others) will be to disassemble the DEX code in the APK into {APP} /unpack/classes_dex_unpacked/ subdirectory. We can then go in and look at the DEX assembler for the different classes in the Android app. The DEX assembler for the createFilesForNoReason method looks like this:

.method private createFilesForNoReason()V
.limit registers 11
; this: v10 (Lcom/app/denim/group/Config;)
.catch java/lang/Exception from lf82 to lfa6 using lfaa
.var 2 is stream1 Ljava/io/FileOutputStream; from lf8a to lfa8
.var 3 is stream2 Ljava/io/FileOutputStream; from lf94 to lfa8
.var 4 is stream3 Ljava/io/FileOutputStream; from lf9e to lfa8
.line 97
        const-string    v1,"privateFile"
.line 98
        const-string    v6,"worldReadableFile"
.line 99
        const-string    v8,"worldWriteableFile"
.line 100
        const-string    v7,"worldReadableWriteableFile"
.line 101
        invoke-virtual {v10},com/app/denim/group/Config/getApplicationContext ; getApplicationContext()Landroid/content/Context;
        move-result-object      v0
.line 104
        const/4 v9,0
lf82:
        invoke-virtual {v0,v1,v9},android/content/Context/openFileOutput       ; openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
        move-result-object      v2
.line 105
        const/4 v9,1
        invoke-virtual {v0,v6,v9},android/content/Context/openFileOutput       ; openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
        move-result-object      v3
.line 106
        const/4 v9,2
        invoke-virtual {v0,v8,v9},android/content/Context/openFileOutput       ; openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
       move-result-object      v4
.line 108
        const/4 v9,3
.line 107
        invoke-virtual {v0,v7,v9},android/content/Context/openFileOutput       ; openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
lfa6:
        move-result-object     v5
lfa8:
.line 115
        return-void
lfaa:
.line 111
        move-exception v9
        goto    lfa8
.end method

If we want to look at what an Android app is doing with files, a good starting place would be calls to Context.openFileOutput(). In the DEX assembly, that means we would look for invoke-virtual calls to android/content/Context/openFileOutput. One example might look like this:

.line 107
invoke-virtual {v0,v7,v9},android/content/Context/openFileOutput

This shows us that the method was called, and the arguments for that method can be found in registers, v0, v7 and v9 (corresponding roughly to a Context “this” pointer, the filename to open for output and the file permissions (see openFileOutput() JavaDoc for more details). So now we know that this application is manipulating files for output and we need to track down the filename and file permissions. If we backtrack through the DEX assembler, starting at the invoke-virtual call and looking for where the v7 register was filled we find this:

.line 100
const-string v7,"worldReadableWriteableFile"

So in this case it looks like the file being opened is called (conveniently) “worldReadableWriteableFile” Now that we know the file name, we also need to determine the file access. Starting at the same invoke-virtual call if we backtrack and look for where the v9 register was filled we find:

.line 108
const/4 v9,3

So what we have determined is that this app essentially contains code in it somewhere that looks like:

context.openFileOutput(“worldReadableWriteableFile”, 3)

So what does the “3” mean? Poking around the JavaDoc some more we can determine that the values of the constants are:

Context.MODE_PRIVATE: 0
Context.MODE_WORLD_READABLE: 1
Context.MODE_WORLD_WRITEABLE: 2

So it appears that this file is both world readable and world writeable (1 | 2). At this point it is probably a good time to sit down with the development team and find out from them why the files needs to have essentially no file protections and explore alternate designs for the application that avoids this.

As you see we have done some quick, grep-like analysis of the application DEX assembly code and identified this one specific instance. Obviously this can be automated to run similar checks for all places where Context.openFileOutput() is being called. As luck would have it, there is another script available in the download that just just this. It is called android_file_usage.pl and is intended to be run with an argument that points to a directory containing disassembled DEX code. The android_analyze.pl run before actually does this as well and puts the output into the file {APP}/file_usage.txt.

So if we run android_file_usage.pl on all of the DEX assembly code created from the Java code listed above we get:

privateFile,0,NONE,DenimGroupApp_apk/unpack/classes_dex_unpacked/com/app/denim/group/Config.ddx
worldReadableFile,1,WORLD_READ,DenimGroupApp_apk/unpack/classes_dex_unpacked/com/app/denim/group/Config.ddx
worldWriteableFile,2,WORLD_WRITE,DenimGroupApp_apk/unpack/classes_dex_unpacked/com/app/denim/group/Config.ddx
worldReadableWriteableFile,3,WORLD_READWRITE,DenimGroupApp_apk/unpack/classes_dex_unpacked/com/app/denim/group/Config.ddx

Again – probably a great time to talk with the developers about file permissions on the Android platform.

The “static analysis” that is being performed here is pretty crudimentary – there are a variety of ways that apps could make it harder to find the arguments being passed in. For example, the filename could be constructed from multiple strings or user inputs rather than on a constant in the code. However, in tests using this automated analysis both on the test code as well as APKs from the wild it seems to fit most programmer coding idioms and compiler/disassembler behavior to at least get a quick first-look at what an app is doing with local files that can be followed up with a manual review of any calls to Context.openFileOutput() where the script was unsuccessful in determining access permissions.

In this blog post we have walked through one way of using static analysis to look at how Android apps are accessing files. This could also be done dynamically by looking at files created by the app on the device and looking at their file permissions, but we will save that for a future blog post.

--Dan

dan _at_ denimgroup.com

April 20, 2011 in Mobile, Static Analysis | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: android, app dev, application development, apps, dan cornell, daniel cornell, denim group, file access, mobile app security, mobile applications, mobile apps, static analysis

March 16, 2011

Security BSides Austin: 2011 Recap

As expected, the Security BSides Austin conference was a blast. There were a lot of great folks in attendance and plenty of great talks to go around. And of course there were Hackers on a Duck Friday night. Take a look at Jack Daniel’s photos from BSides Austin to get a feel for the event.

Everyone loves the coffee truck servicing Austin Security BSides

For some reason (mostly thanks to Ben Tomhave’s trickery) I ended up doing a number of talks during the conference. The slides should now all be up online:

Presentation: Smart Phones Dumb Apps (updated)
Guerilla Training: Cross-Site Scripting (XSS) Remediation
Guerilla Training: Designing Secure Mobile Applications

Also you can find links to the source code from my smartphone app analysis on the Google Code repository attached to the www.smarphonesdumbapps.com site.

John Steven lays down the law about Threat Modeling

I really enjoy the BSides conferences. They’re less vendor-driven that some of the big security conferences like RSA and BlackHat. The talks also tend to be a good mix of in-the-weeds technical topics and interesting perspectives on other security industry topics. Hopefully future BSides Austin events will be further integrated with South By Southwest (SxSW). Getting the security message out to developers and social media

--Dan

dan _at_ denimgroup.com

March 16, 2011 in Application Security Remediation, Conferences, Mobile | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: austin, bsides, cross site scripting, dan cornell, denim group, mobile applications, remediation, security, slidedeck, slideshare, smart phones dumb apps, software security, vulnerabilities, xss

Security BSides Austin: Designing Secure Mobile Applications Slides Online

I did a Guerilla Training session at Security BSides Austin on Designing Secure Mobile Applications. The slides from the session are online here:

This looks at issues similar to those in the Smart Phones Dumb Apps presentation but from the opposite side. Rather than looking at deconstructing and attacking mobile applications it looks at how to design them from the ground up to avoid security problems.

--Dan

dan _at_ denimgroup.com