Mobile application security
I was excited when Sean Gallagher told he was writing about what we believe is one of the most important areas of application security risk today, mobile application security. In his recent article for Ars Technica, “Mobile Application Security: Always Keep the Back Door Locked” Gallagher outlines that its important to address mobile application security because many of the mobile applications we use today access backend middleware and corporate data sources. We have email applications, Twitter front end applications, even payment and banking applications. These mobile applications carry the same risks we have been fighting with web applications – they enable traffic to pass through normal corporate defenses like network firewalls.
Why mobile applications are vulnerable
There has been so much talk about device security, but most mobile applications make server side calls and that’s really the part that needs securing because server side compromise will impact more users and can expose sensitive and costly information.
And since mobile applications are new and businesses are rushing to get them out the door, all too often they are aren’t architected and configured with proper security and access controls leaving them vulnerable to attackers. As Gallagher put it, “Speed (to market) Kills.”
Are mobile application vulnerabilities new?
The reality is that the vulnerabilities that are showing up in mobile applications aren’t new at all. There are the same old vulnerabilities that we have been hunting for over 13 years now, SQL Injection, XSS and the like. In my recent post, I call it mobile application security Where’s Waldo of application security. Read that post for more info on why the vulnerabilities are as Gallagher puts it, Deja Vu.
How easy it is to attack mobile applications
Man in the middle attacks
It’s surprisingly easy to attack mobile applications. I have parked myself in the mall with my laptop and a Wi-Fi Pineapple. The Wifi Pineapple enables me to deliver real Internet access with me as a ‘man in middle.’ As people join my Wifi, I can watch the traffic coming from their smartphones without them knowing that their smartphone is connected to me. And when their applications get updates from a server, I see those updates. I can pull data from the sniffed traffic to do a man-in-the-middle attack if the application doesn’t have additional sorts of controls and protection, it could then be used to attack and access data in the backend systems.
Finding incomplete NONCE usage
Another technique I use, is looking for lack of, or ineffective use of a NONCE, a number used once. When building mobile apps, developers must use one time tokens. The client must have a special session token that is only used to create the NONCE. It looks at what its going to send in a string and calculates a special value that will only be valid for that request because it will be very difficult to re-create that key for another request. So, it is very hard to hack those kinds of apps.
For people building mobile applications, the NONCE technique is fairly well-known. Its a part of OAUTH which is becoming standard. It has become a part of identify management, but unfortunately not everyone is using it. In normal web use it wasn’t as critical because you have slightly more trust in the communication layer, but with mobile, you can’t trust it at all and use of the NONCE is critical.
I’m seeing many mobile applications that use a NONCE for one kind of request, but not for another. For example in the case of an application that might front-end Twitter, the developers might use a NONCE for sending Tweets, but they might not use a NONCE for reading messages. Since there isn’t a NONCE used for reading messages, I can leverage the man in the middle attack described above to sniff credentials for a user and then read private messages as that user.
In a way, its similar to CSRF. It’s like the mobile equivalent to anti-CSRF support. It basically prevent replay attacks for mobile backends.
Thanks again for the great article Sean and for raising awareness on this important issue. Since this article was published, we launched NTOSpider 6.0 which is capable of reading mobile traffic and testing it for vulnerabilities. NTOSpider 6.0 allows you to scan mobile application server side calls.
NTO Spider 6 - http://www.ntobjectives.com/security-software/ntospider-application-security-scanner/