Insecure Data Storage
MED HAMZA HADJ TAIEB, 4SIM3
Supervised by: IMEN AOUINI
Threat Agents
APPLICATION SPECIFIC
Threat agents include the following: an adversary that has obtained a lost or stolen mobile device, and malware or another repackaged app acting on the adversary's behalf that executes on the mobile device.
Attack Vectors
EXPLOITABILITY EASY
In the event that an adversary physically obtains the mobile device, the adversary hooks the device up to a computer with freely available software. These tools allow the adversary to see all third-party application directories, which often contain stored personally identifiable information (PII) or other sensitive information assets. An adversary may also construct malware or modify a legitimate app to steal such information assets.
Security Weakness
DETECTABILITY AVERAGE
Organizations should expect a malicious user or malware to inspect sensitive data stores. Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and to the sensitive information held in data stores on the device. Filesystems are easily accessible.
• Usage of poor encryption libraries is to be avoided.
• Rooting or jailbreaking a mobile device circumvents any encryption protections.
• When data is not protected properly, specialized tools are all that is needed to view application data.
Technical Impacts
IMPACT SEVERE
IDENTITY THEFT
PRIVACY VIOLATION
This can result in data loss, in the best case for one user and in the worst case for many users. It may also result in the following technical impact: extraction of the app's sensitive information via mobile malware, modified apps or forensic tools.
INSECURE DATA MAY RESULT IN THE FOLLOWING BUSINESS IMPACTS:
FRAUD
EXTERNAL POLICY VIOLATION (PCI)
MATERIAL LOSS
Am I Vulnerable To 'Insecure Data Storage'?
This category covers insecure data storage and unintended data leakage. Data stored insecurely includes, but is not limited to, the following:
SQL DATABASES
XML DATA STORES OR MANIFEST FILES
LOG FILES
BINARY DATA STORES
SD CARD & CLOUD SYNCED
COOKIE STORES
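The data stores listed above need nothing more than filesystem access to read once a device is rooted or its app sandbox is otherwise reachable. As an added example that is not part of the original slides, the following Python script builds a constructed app data directory mirroring a /data/data/<package> layout with three of the store types named above (a shared_prefs XML file, an SQLite database and a log file) and then scans each store for values kept in clear, the kind of check an assessor runs on data pulled from a test device. The package name, key names, detection heuristics and sample values are all constructed for the demonstration.

```python
"""Scan a pulled Android app data directory for sensitive values stored in clear.

Added example; the directory layout, package name and values are constructed.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that usually hold a secret. Constructed heuristic, not exhaustive.
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|key|pin|ssn|card)", re.I)
# Rough card-number pattern (13 to 16 consecutive digits). Constructed heuristic.
PAN = re.compile(r"\b\d{13,16}\b")


def build_sample_app_dir(root):
    """Create a constructed /data/data/<pkg>-style tree with three insecure stores."""
    pkg = os.path.join(root, "com.example.vulnapp")  # constructed package name
    for sub in ("shared_prefs", "databases", "files"):
        os.makedirs(os.path.join(pkg, sub))
    # XML data store: SharedPreferences written without any protection
    with open(os.path.join(pkg, "shared_prefs", "user.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                '<map>\n'
                '    <string name="username">alice</string>\n'
                '    <string name="password">Summer2016!</string>\n'
                '    <boolean name="remember_me" value="true" />\n'
                '</map>\n')
    # SQL database: an accounts table holding a token and a card number in clear
    con = sqlite3.connect(os.path.join(pkg, "databases", "app.db"))
    con.execute("CREATE TABLE accounts(id INTEGER, user TEXT, api_token TEXT, card_number TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'tok_constructed_9f8e7d', '4111111111111111')")
    con.commit()
    con.close()
    # Log file: debug logging that copied a session token to disk (constructed lines)
    with open(os.path.join(pkg, "files", "debug.log"), "w") as f:
        f.write("03-14 10:02:11 D/Auth: login ok for alice\n"
                "03-14 10:02:11 D/Auth: session token=tok_constructed_9f8e7d\n"
                "03-14 10:02:12 I/UI: MainActivity resumed\n")
    return pkg


def scan_shared_prefs(path):
    """Report every preference whose key looks sensitive, with its plaintext value."""
    findings = []
    for name in sorted(os.listdir(path)):
        for el in ET.parse(os.path.join(path, name)).getroot():
            key = el.get("name", "")
            value = el.text if el.text is not None else el.get("value", "")
            if SENSITIVE_KEY.search(key):
                findings.append(("shared_prefs/" + name, key, value))
    return findings


def scan_sqlite(path):
    """Report values in every column whose name looks sensitive, across all tables."""
    findings = []
    for name in sorted(os.listdir(path)):
        con = sqlite3.connect(os.path.join(path, name))
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in (c for c in cols if SENSITIVE_KEY.search(c)):
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    findings.append((f"databases/{name}:{table}", col, str(val)))
        con.close()
    return findings


def scan_logs(path):
    """Report log lines that assign a sensitive-looking field or carry a card number."""
    findings = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".log"):
            continue
        with open(os.path.join(path, name)) as f:
            for lineno, line in enumerate(f, 1):
                if (SENSITIVE_KEY.search(line) and "=" in line) or PAN.search(line):
                    findings.append((f"files/{name}:{lineno}", "log line", line.strip()))
    return findings


def scan_app_dir(pkg):
    """Return (location, field, value) triples for everything found in clear."""
    return (scan_shared_prefs(os.path.join(pkg, "shared_prefs"))
            + scan_sqlite(os.path.join(pkg, "databases"))
            + scan_logs(os.path.join(pkg, "files")))


def demo():
    """Build the constructed app directory in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        return scan_app_dir(build_sample_app_dir(root))


if __name__ == "__main__":
    for location, field, value in demo():
        print(f"{location:32} {field:12} {value}")
```

Run against a real pull, `scan_app_dir` would be pointed at the package directory copied from the device; the constructed tree only exists so the script runs offline. Each scanner reports where the value sits, which is what a remediation ticket needs.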
Unintended data leakage includes, but is not limited to, vulnerabilities from:
THE OS
FRAMEWORKS
COMPILER ENVIRONMENT
NEW HARDWARE
ROOTED DEVICES
JAILBROKEN DEVICES
THIS IS OBVIOUSLY WITHOUT A DEVELOPER'S KNOWLEDGE. IN MOBILE DEVELOPMENT SPECIFICALLY, THIS IS MOST SEEN IN UNDOCUMENTED OR INTERNAL PROCESSES SUCH AS:
The way the OS caches data, images, key-presses, logging, and buffers.
The way the development framework caches data, images, key-presses, logging, and buffers.
The way or amount of data that ad, analytic, social, or enablement frameworks cache (data, images, logging, and buffers).
How Do I Prevent ‘Insecure Data Storage’?
IT IS IMPORTANT TO THREAT MODEL YOUR MOBILE APP, OS, PLATFORMS AND FRAMEWORKS TO UNDERSTAND THE INFORMATION ASSETS THE APP PROCESSES AND HOW THE APIS HANDLE THOSE ASSETS. IT IS CRUCIAL TO SEE HOW THEY HANDLE THE FOLLOWING TYPES OF FEATURES:
URL caching (both request and response)
Keyboard press caching
Copy/Paste buffer caching
Application backgrounding
Intermediate data
Logging
HTML5 data storage
Browser cookie objects
Analytics data sent to 3rd parties
DEMO
Tools
Genymotion Android Emulator
Dex2Jar (.apk -> .jar)
JD-GUI (reading the .jar)
APK-Tool (getting AndroidManifest.xml)
VirtualBox
DIVA (Damn Insecure and Vulnerable App)
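The slides use APK-Tool to recover AndroidManifest.xml, and the manifest decides who can reach the app's private data stores in the first place. As an added example that is not taken from the original slides, from APK-Tool or from DIVA, the following Python check reads an already decoded manifest and flags the settings that widen access to stored data: android:allowBackup (on many Android versions it lets private app data be copied off with adb backup, without root), android:debuggable (lets run-as read the app sandbox from an adb shell) and a content provider exported without a permission. It goes slightly beyond the slides by also producing the hardened form of the same manifest so both can be compared. The manifest text, package and component names are constructed for the demonstration.

```python
"""Check a decoded AndroidManifest.xml for settings that widen access to stored app data.

Added example; the manifest below is constructed, not taken from any real app.
"""
import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes as "{uri}name"; this is the android: namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest carrying each weak setting.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <application android:label="VulnApp"
        android:allowBackup="true"
        android:debuggable="true">
        <activity android:name=".MainActivity"/>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.vulnapp.notes"
            android:exported="true"/>
    </application>
</manifest>
"""

# The same manifest with each weak setting corrected.
HARDENED_MANIFEST = (WEAK_MANIFEST
                     .replace('android:allowBackup="true"', 'android:allowBackup="false"')
                     .replace('android:debuggable="true"', 'android:debuggable="false"')
                     .replace('android:exported="true"', 'android:exported="false"'))


def check_manifest(xml_text):
    """Return (setting, why it matters) pairs for each risky value in the manifest."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    # allowBackup defaults to true when the attribute is absent, so absence counts as true.
    if app.get(ANDROID + "allowBackup", "true").lower() == "true":
        findings.append(("allowBackup",
                         "private app data can be copied off the device with adb backup"))
    if app.get(ANDROID + "debuggable", "false").lower() == "true":
        findings.append(("debuggable",
                         "run-as gives the adb shell user access to the app's private files"))
    for prov in app.findall("provider"):
        # Only an explicit exported="true" is flagged; the implicit default depends on target SDK.
        exported = prov.get(ANDROID + "exported", "false").lower() == "true"
        guarded = any(prov.get(ANDROID + attr)
                      for attr in ("permission", "readPermission", "writePermission"))
        if exported and not guarded:
            findings.append(("exported provider",
                             prov.get(ANDROID + "name") + " is reachable by any app without a permission"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label + ":", check_manifest(manifest) or "no findings")
```

The check is deliberately conservative about content providers: it only reports an explicit exported="true" without any permission attribute, because the implicit default changed across SDK levels and a false positive there costs more than a manual look.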
THANK YOU!