A mobile app security testing checklist is the first step
in combating the near-universal low standard of mobile app security. No
one is to blame: writing secure code is hard when it competes with
expectations of innovative user interfaces, continuous operating system
updates, API changes, new devices and a variety of networks (3G, 4G, WiFi,
VPN).
The pressure to ship new features every
week on an agile cycle, refactoring, code churn and a focus on the parts
of the app that the user sees have all pushed mobile app security testing
down the priority list.
In mobile it is necessary to remember that
you are shipping a binary of all your code to every user, including the
code behind gated features such as premium or admin access. Anyone can
unpack that binary, read it and patch it, so a client-side check is never
a security boundary: the server must enforce who may use a feature.
Obfuscators, enterprise distribution or moving logic into WebViews raise
the effort for an attacker but do not change this. Beyond those partial
measures we recommend following a mobile app security testing checklist.
The mobile app security testing checklist
A platform-agnostic, high-level mobile app
security testing checklist will help stop companies falling victim to
the most critical and easily exploitable errors. These should be the first port
of call for anyone concerned about whether their mobile app is secure.
We also recommend taking a look at the links at the end of the article for a
comprehensive list of client-side, server-side and SSL checks.
1. SSL
SSL (today, TLS) is essential and has to be
implemented. Public networks are well known to be insecure and any good
developer owes it to their users to encrypt their data and protect their
privacy. Many developers silence certificate or hostname
errors in their code with a quick monkey patch: a TrustManager whose
`checkServerTrusted` body is empty, a `HostnameVerifier` that always
returns true, or a WebViewClient whose `onReceivedSslError` calls
`handler.proceed()`. The patch is left in, and it renders the encryption
useless, because anyone on the network path can present any certificate
and read or modify the traffic. To understand how to use TLS securely,
consider the errors a penetration tester would look for: disabled chain
validation, missing hostname verification, acceptance of self-signed or
expired certificates, and the absence of certificate pinning.
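The two halves of that check side by side, as an added example that is not code from the original article. The first class is the monkey patch a tester greps for; the second keeps the platform's default chain and hostname validation and adds pinning with the OkHttp library's `CertificatePinner`. `API_HOST` and the two pin strings are placeholders, not real values.

```java
// Added example (not from the original article). Assumes an Android app using the
// platform's javax.net.ssl APIs and, for the pinned client, the OkHttp library (okhttp3).
// API_HOST and both pin values are placeholders to be replaced with your own.
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/**
 * BEFORE: the "quick monkey patch". Every HttpsURLConnection in the process now accepts any
 * certificate for any hostname, so a proxy on the coffee-shop WiFi reads and rewrites the
 * traffic at will. Testers look for exactly these two shapes: an X509TrustManager whose
 * checkServerTrusted never throws, and a HostnameVerifier that always returns true.
 */
final class InsecureTls {
    static void disableValidation() throws Exception {
        TrustManager[] trustAll = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { } // never throws
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; } // any name
        });
    }
}

/**
 * AFTER: do not touch the TrustManager or HostnameVerifier at all. The platform already
 * validates the chain against the system CA store and checks the hostname. On top of that,
 * pin the SHA-256 of your server's SubjectPublicKeyInfo so that even a CA-issued certificate
 * for your hostname is rejected unless it carries a key you expect. Two pins (current key
 * and a backup key held offline) let you rotate without bricking installed apps.
 */
final class PinnedClient {
    static final String API_HOST = "api.example.com"; // placeholder
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; // placeholder
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; // placeholder

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        // Default validation stays in place; the pinner runs after it and fails the handshake
        // with an SSLPeerUnverifiedException if no certificate in the chain matches a pin.
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

To compute a pin for a live server: `openssl s_client -connect api.example.com:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Two testing caveats: pinning the leaf certificate rather than its public key means every renewal breaks the app unless the key is reused, and on Android 7 and later apps no longer trust user-installed CAs by default, so if your intercepting proxy works against a release build without any extra configuration, the app is almost certainly carrying the `InsecureTls` pattern above.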
2. Debug code
Many developers leave debug code in
production. It is compiled into the app along with any test or staging
API endpoints, credentials and feature switches left behind, and every one
of those is readable by anyone who unpacks the binary, handing an attacker
a map of your web and network infrastructure. Before release, check the
build for a debuggable flag, leftover staging hostnames and hard-coded
keys. See the OWASP page on debug code.
3. Console.log in production code
When console.log-style logging (`Log.d` on Android, `NSLog` or
`print` on iOS) is left in production code it escalates other exploits,
on Android in particular: before Android 4.1 any app holding `READ_LOGS`
could read the whole system log, and on every version logcat is still
readable over USB with `adb logcat` and is captured in bug reports. The
worst example of this we have seen was a Fintech app that logged to the
Android system log on every REST call, including plaintext passwords,
CVVs and addresses. That kind of error is game over if it falls into the
wrong hands and also creates PCI DSS compliance issues. The key is never
to log sensitive payloads at all: disable debug logging in release builds,
and send only redacted diagnostics to a remote logging service rather than
the system log, since shipping the raw payload to a log server merely
moves the leak.
4. WebViews
WebViews in apps are usually sandboxed
properly by the platform, but what runs inside them is web code, so the
same rules apply (XSS, CSRF, mixed content). An XSS in a page loaded into
a WebView allows session hijacking and, through any JavaScript bridge the
app has exposed with `addJavascriptInterface`, access to the rest of the
app; on Android below 4.2 such a bridge exposed every public method of the
object via reflection. Load only your own origin over HTTPS, disable
JavaScript unless the page needs it, and never accept TLS errors in
`onReceivedSslError`.
5. App files
This is more applicable to Android,
but on both platforms remember to encrypt SQLite databases, more
so when they store sensitive data, since the raw file is readable by
anyone with a backup, a rooted device or a forensic image. SQLCipher,
which has an open source community edition, is good for this. The
encryption is only as strong as the key handling: a passphrase
hard-coded in the binary or written to preferences in the clear defeats
it, so generate the key on the device and wrap it with the platform keystore.
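The key-handling point in working code, as an added example that is not from the original article or from the SQLCipher project. It opens a SQLCipher database with a random passphrase that is generated once on the device and stored only in AES-GCM-wrapped form under a non-exportable Android Keystore key (API 23 and later). `KEY_ALIAS`, the preferences file name and the database name are placeholders.

```java
// Added example (not from the original article). Uses the SQLCipher for Android library
// (net.sqlcipher) and the Android Keystore. KEY_ALIAS, PREFS and "app.db" are placeholders.
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.io.File;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import net.sqlcipher.database.SQLiteDatabase;

/** Opens an encrypted database whose random passphrase is wrapped by a Keystore key (API 23+). */
final class EncryptedDb {
    private static final String KEY_ALIAS = "db-wrapping-key"; // placeholder alias
    private static final String PREFS = "db-key";              // placeholder prefs file
    private static final String PREF_WRAPPED = "wrapped";
    private static final int GCM_IV_BYTES = 12, GCM_TAG_BITS = 128, PASSPHRASE_BYTES = 32;

    static SQLiteDatabase open(Context ctx) throws Exception {
        SQLiteDatabase.loadLibs(ctx);                        // load SQLCipher's native library
        byte[] passphrase = loadOrCreatePassphrase(ctx);
        try {
            File dbFile = ctx.getDatabasePath("app.db");     // app-private storage; placeholder name
            // SQLCipher derives the page key from this passphrase; the file is unreadable without it.
            // (The String overload cannot be zeroed; SQLCipher also offers char[] overloads.)
            return SQLiteDatabase.openOrCreateDatabase(dbFile,
                    Base64.encodeToString(passphrase, Base64.NO_WRAP), null);
        } finally {
            Arrays.fill(passphrase, (byte) 0);               // don't leave the secret on the heap
        }
    }

    /** Never hard-code the passphrase: generate it once, encrypt it under a non-exportable Keystore key. */
    private static byte[] loadOrCreatePassphrase(Context ctx) throws Exception {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        SecretKey wrapKey = getOrCreateWrapKey();
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        String stored = prefs.getString(PREF_WRAPPED, null);
        if (stored != null) {
            byte[] blob = Base64.decode(stored, Base64.NO_WRAP); // layout: iv || ciphertext+tag
            gcm.init(Cipher.DECRYPT_MODE, wrapKey,
                    new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOfRange(blob, 0, GCM_IV_BYTES)));
            return gcm.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES); // throws if tampered
        }
        byte[] fresh = new byte[PASSPHRASE_BYTES];
        new SecureRandom().nextBytes(fresh);
        gcm.init(Cipher.ENCRYPT_MODE, wrapKey);              // Keystore picks a fresh random IV
        byte[] ct = gcm.doFinal(fresh);
        byte[] blob = new byte[GCM_IV_BYTES + ct.length];
        System.arraycopy(gcm.getIV(), 0, blob, 0, GCM_IV_BYTES);
        System.arraycopy(ct, 0, blob, GCM_IV_BYTES, ct.length);
        prefs.edit().putString(PREF_WRAPPED, Base64.encodeToString(blob, Base64.NO_WRAP)).apply();
        return fresh;
    }

    private static SecretKey getOrCreateWrapKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();                             // key material never leaves the Keystore
    }
}
```

What a tester checks here is where the passphrase comes from, not whether SQLCipher is present: pull the APK, search the decompiled code and any bundled resources for a string passed to `openOrCreateDatabase`, and look in the app's `shared_prefs` directory on a rooted test device for the key in the clear. With the wrapping above, the preferences file holds only ciphertext that is useless off the device.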
iOS app security testing checklist
Here’s a platform specific checklist for iOS app security testing.
1. The Keychain
Use the Keychain, not NSUserDefaults or plist files, to
store secrets, and choose the most restrictive accessibility class the
feature allows, for example `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`.
With physical access to a jailbroken device it is easy to dump Keychain
items, and items stored with an `Always` accessibility class are readable
even while the device is locked.
2. Data Protection
Use the Data Protection class appropriate to how sensitive the data is, e.g. `NSFileProtectionComplete` for files only needed while the device is unlocked; the default, `NSFileProtectionCompleteUntilFirstUserAuthentication`, leaves files decryptable from first unlock until the next reboot.
3. App-level encryption
When storing data, add a layer of application-level encryption using the built-in APIs (CommonCrypto or CryptoKit) on top of Data Protection; do not write your own cipher. This keeps the data protected even if the file protection class is bypassed, for example by a jailbreak or a forensic tool that reads files after first unlock.
4. Temporary data
Device forensics is often used to recover deleted data. Do not write sensitive data to temporary files in plaintext in the first place; if you must, encrypt the file with an ephemeral key, discard the key, and delete the file as soon as it is no longer needed. Simply overwriting a file before deleting it is not a reliable wipe on flash storage, since wear levelling can leave the old blocks in place.
5. iTunes backup
An iTunes (or Finder) backup will often compromise app security, because
everything in Documents and Library is copied to the computer, where it can
be read with freely available tools. Keep important files such as plists and
SQLite databases out of the backup: store purely cacheable data in
Library/Caches, which is excluded from backups but can also be purged by the
system, and mark other files with the `NSURLIsExcludedFromBackupKey`
resource value. Anything that is backed up should already be encrypted with
a key that is not in the backup.
6. Xcode
Keep Xcode up to date and build against the latest SDK. The TLS cipher suites are provided by the OS, not by Xcode, but building against a current SDK makes the current App Transport Security defaults apply (TLS 1.2 or later, forward-secrecy cipher suites, valid certificates), and a tester will check Info.plist for `NSAllowsArbitraryLoads` or per-domain exceptions that weaken them.
To minimise
attack vectors and potential loss of revenue, stop the app running on
jailbroken devices with code that detects jailbreaking and attached
debuggers, to hinder reverse engineering of your code. Treat this as a
speed bump rather than a control: the checks run inside the binary the
attacker holds and can be patched out or hooked with a dynamic
instrumentation tool, so never let the server trust their result.
Android app security testing checklist
Here’s a platform specific checklist for
Android app security testing, looking at the protection of sensitive
data, client side code, and the protection of data in transit.
1. This one is worth repeating:
Stop including sensitive data in system logs and disable debug logging in production builds. Running `adb logcat` on a test device while exercising every screen of the app is the quickest check.
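The Fintech mistake from the platform-agnostic section and its fix, as an added example that is not code from the original article. `LeakyApi` is the pattern that put passwords and CVVs into logcat; `SafeLog` is a drop-in replacement that is compiled out of release builds and redacts known secret fields, bearer tokens and card-number-shaped digit runs even in debug builds. The `com.example.app` package and the list of field names are assumptions.

```java
// Added example (not from the original article). Assumes an Android app whose generated
// BuildConfig lives in com.example.app; the field-name list is illustrative.
import android.util.Log;
import com.example.app.BuildConfig;
import java.util.regex.Pattern;

/** BEFORE: what the Fintech app did on every REST call. */
final class LeakyApi {
    static void login(String bodyJson) {
        // {"user":"a@b.c","password":"hunter2","cvv":"123"} ends up in logcat, bug reports, support tickets
        Log.d("API", "POST /login body=" + bodyJson);
    }
}

/** AFTER: silent in release builds, and redacts before writing even in debug builds. */
final class SafeLog {
    private SafeLog() { }

    // false in release builds; with the ProGuard/R8 rule in the text the calls disappear entirely.
    private static final boolean ENABLED = BuildConfig.DEBUG;

    // JSON fields whose values must never reach a log (illustrative list; extend for your API).
    private static final Pattern SENSITIVE_JSON = Pattern.compile(
            "\"(password|passwd|pin|cvv|cvc|card_number|pan|token|authorization)\"\\s*:\\s*\"[^\"]*\"",
            Pattern.CASE_INSENSITIVE);
    // "Authorization: Bearer <token>" style values.
    private static final Pattern BEARER = Pattern.compile("(?i)(bearer\\s+)[A-Za-z0-9._~+/=-]+");
    // Any bare 13-19 digit run is treated as a card number; coarse on purpose.
    private static final Pattern PAN_LIKE = Pattern.compile("\\b\\d{13,19}\\b");

    /** Returns the message with secret values replaced; safe to call on request/response bodies. */
    static String redact(String message) {
        String out = SENSITIVE_JSON.matcher(message).replaceAll("\"$1\":\"[REDACTED]\"");
        out = BEARER.matcher(out).replaceAll("$1[REDACTED]");
        return PAN_LIKE.matcher(out).replaceAll("[PAN]");
    }

    static void d(String tag, String message) {
        if (ENABLED) Log.d(tag, redact(message));
    }

    static void w(String tag, String message) {
        if (ENABLED) Log.w(tag, redact(message));
    }
}

/** The same call site, fixed. */
final class SaferApi {
    static void login(String bodyJson) {
        // Debug build: POST /login body={"user":"a@b.c","password":"[REDACTED]","cvv":"[REDACTED]"}
        // Release build: nothing is written.
        SafeLog.d("API", "POST /login body=" + bodyJson);
    }
}
```

Belt and braces for release builds: add `-assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }` to the ProGuard/R8 rules so that any `Log.d` a developer bypasses `SafeLog` for is stripped too. The redaction is a last line of defence for debug builds and for crash reporters, not a licence to log request bodies; addresses and other free-text personal data cannot be caught by a regex, so the habit to build is not logging the payload at all.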
2. Webview on Android
Avoid storing sensitive data in the
WebView cache. Set `Cache-Control: no-store` on the server side for sensitive
responses and make sure the app clears its cache, cookies and web storage
after receiving them and on logout.
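A hardened WebView setup covering both the platform-agnostic WebView item (XSS, JavaScript bridges, TLS errors) and the Android cache item above, as an added example that is not code from the original article. It uses only the stock `android.webkit` API; `ALLOWED_HOST` is a placeholder for the one origin the WebView is meant to display.

```java
// Added example (not from the original article). ALLOWED_HOST is a placeholder for the one
// origin the WebView should show; everything else is the stock android.webkit API.
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.CookieManager;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebStorage;
import android.webkit.WebView;
import android.webkit.WebViewClient;

final class HardenedWebView {
    private static final String ALLOWED_HOST = "app.example.com"; // placeholder

    /** Call once after the WebView is created and before loadUrl(). */
    static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);             // enable only if the page needs it; XSS needs JS to run
        s.setAllowFileAccess(false);               // no file:// URLs (the default is true below API 30)
        s.setAllowContentAccess(false);            // no content:// providers reachable from the page
        s.setDomStorageEnabled(false);             // no localStorage persistence of what the page keeps
        s.setCacheMode(WebSettings.LOAD_NO_CACHE); // sensitive responses are not written to the cache
        s.setSaveFormData(false);
        // Do NOT call webView.addJavascriptInterface(...) for content you do not fully control:
        // injected script reaches the bridge, and below Android 4.2 every public method via reflection.

        webView.setWebViewClient(new WebViewClient() {
            @Override
            @SuppressWarnings("deprecation") // the String overload works on every API level
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean ours = "https".equals(u.getScheme())
                        && ALLOWED_HOST.equalsIgnoreCase(u.getHost()); // getHost() may be null: not ours
                return !ours; // true = do not load: off-origin or plain-HTTP navigations are dropped
            }

            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel(); // handler.proceed() here is the SSL monkey patch in WebView form
            }
        });
    }

    /** Call after a response containing sensitive data has been shown, and on logout. */
    static void clearSensitiveState(WebView webView) {
        webView.clearCache(true);                          // memory and disk cache
        webView.clearHistory();
        webView.clearFormData();
        CookieManager.getInstance().removeAllCookies(null); // API 21+
        CookieManager.getInstance().flush();               // persist the removal immediately
        WebStorage.getInstance().deleteAllData();          // localStorage / WebSQL
    }
}
```

`shouldOverrideUrlLoading` only sees top-level navigations; scripts, images and XHRs loaded by the page go through `shouldInterceptRequest`, so if the page itself is not trusted, filter there as well. For the cache item, the tester's check is simple: after using the app, pull `/data/data/<package>/cache` and `app_webview` from a rooted test device and look for response bodies.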
3. App backup
Disable app backup with `android:allowBackup="false"` in the manifest.
Backups can otherwise allow an attacker with a USB cable (`adb backup`) or
access to the user's cloud backup to view or modify the application's
locally stored data without having root access to the device.
5. Reverse engineering
Obfuscate the binary before release (R8/ProGuard with shrinking and
obfuscation enabled) to protect it from reverse engineering attacks;
expect this to raise the attacker's cost rather than prevent the attack,
since the code still runs on a device the attacker controls. Android apps are far more
open to reverse engineering,
6. App screenshots
Set `WindowManager.LayoutParams.FLAG_SECURE` on the window of any screen
that shows sensitive data. That stops the automatic screenshot Android
takes for the recents screen, and also user screenshots and screen
recording. `android:excludeFromRecents` only hides the task from the
recents list; it does not prevent screenshots, so it is not a substitute.
If this mobile app security checklist has
got your attention and you want to know more about secure mobile
development, take a look at this OWASP mobile app security checklist and these OWASP resources.