
Agnitio and Mobile Apps

August 16, 2011  |  Written by Security Ninja  |   Application Security   |   2 Comments

Hi everyone,

I’m finally back in the office after my annual trip to Las Vegas, still not fully over the jet lag but caffeine and a weekend that included lots of sleep are helping!

I released Agnitio v2.0 whilst I was in Las Vegas and talked about it at SecurityBSides, BlackHat and DEF CON in three different ways. I did a “normal” talk at SecurityBSides, an Arsenal talk at BlackHat and a SkyTalk at DEF CON. This allowed me to get user and audience feedback in three different ways as well, from those who had no app sec program and wanted something to base their program around through to those who do security code reviews as part of their day job.

The Arsenal talk allowed me to put Agnitio out in front of people who may not have used or heard about the tool before. It turned into something more like a workshop than a demo session; it was great to brainstorm with users of Agnitio in person about the features they would like to see changed or added and of course the problems they have had with the tool. I came back from Las Vegas with a very long list of ideas for features and an offer of developer’s time from a very large US financial services company. That is an offer I will be accepting, so watch this space for really exciting new features in future versions of Agnitio!

That leads me nicely into the thing I really wanted to talk about in this blog post. I delivered a class at SecurityBSides Las Vegas with Daniel Cornell which looked at common mobile application security issues and how to use Agnitio v2.0 to find them in your source code. I was very happy to be delivering this class with Dan but I was even happier about Dan contributing mobile specific rules to Agnitio v2.0 and open sourcing his purposely vulnerable mobile applications!

Dan has given several mobile application security presentations over the past couple of years and you can find some of his past presentations here. You can see the slides Dan used in our class here.

In his past presentations Dan has used the Pandemobium stock trader applications, which were developed in a purposely insecure way. You can download the applications (Android and iOS) from here. These applications have quite a few different vulnerabilities in them to help developers and security analysts explore mobile application security topics.

We used these applications in our class along with the mobile application security rules Dan contributed to Agnitio v2.0. I wanted to show you today how we used the Pandemobium apps and the mobile application security rules. If you want to analyse the source code yourself you can; all you need to do is download the applications and the latest version of Agnitio!

Mobile app review rules

As I mentioned above we have rules for analysing Android and iOS applications in Agnitio v2.0, a few of the rules are shown below:

openFileOutput

“Context.openFileOutput() creates a local file on the device.

Android allows storage resources to be constructed with the following permissions:

Context.MODE_PRIVATE – This is the most secure setting because the resource will only be readable by the application that created it

Context.MODE_WORLD_READABLE – This allows other applications that know the name and location of the resource to read it

Context.MODE_WORLD_WRITEABLE – This allows other applications that know the name and location of the resource to write to it.

NOTE: Regardless of the resource exposure based on the arguments to the creation function, malicious applications or malicious users that have root access to the device will be able to read or write to anything on the device. Truly sensitive data should never be stored on the device itself.

More info:

<http://blog.denimgroup.com/denim_group/2011/04/using-static-analysis-to-review-file-access-in-android-apps.html>

<http://www.slideshare.net/denimgroup/smart-phones-dumb-apps>

This work by Denim Group is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License <http://creativecommons.org/licenses/by-sa/3.0/>”

HttpResponse

“Mobile devices communicate across a variety of networks – both trusted and untrusted. Therefore it is important that communications be encrypted – typically using HTTPS. It is also important that HTTPS communications be configured to force proper server authentication.

In addition, many mobile applications communicate with 3rd party services and data returned from these services should be considered untrusted and positively validated for length, data type as well as any other business rules prior to use.

More info:

<http://www.slideshare.net/denimgroup/smart-phones-dumb-apps>

This work by Denim Group is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License <http://creativecommons.org/licenses/by-sa/3.0/>”

writeToFile

“Data files on iOS receive some protection from other processes, but care should be taken when storing data in case the device is lost and jailbroken by an attacker. Ideally any files will have their NSFileProtectionKey attribute set to NSFileProtectionCompleteUnlessOpen.

iOS allows data to be stored protected in the Keychain, but developers have the option of controlling certain parameters about how this data can be accessed. Any use of the keychain should be examined to determine if the protection settings are appropriate.

NOTE: Malicious users that have jailbreak access to the device will likely be able to read or write to anything on the device. Truly sensitive data should never be stored on the device itself.

More info:

<http://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSString_Class/Reference/NSString.html> (look at the writeToFile message)

<http://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html>

<http://www.sit.fraunhofer.de/en/media/news/20110209-lost-iphone.html>

This work by Denim Group is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License <http://creativecommons.org/licenses/by-sa/3.0/>”

sqlite3_prepare

“Untrusted inputs should not be used to create SQL statements. It is preferable to compile queries using sqlite3_prepare_v2 or sqlite3_prepare16_v2 and then put untrusted values into parameters passed to that statement. Also note that untrusted values should not be used to build up the strings passed to sqlite3_prepare_v2 or sqlite3_prepare16_v2.

More info:

<http://www.slideshare.net/denimgroup/mobile-browsercontenthandling-owaspnova20110303>

<http://www.sqlite.org/c3ref/prepare.html>

<http://www.sqlite.org/c3ref/stmt.html>

<http://www.slideshare.net/denimgroup/smart-phones-dumb-apps>

This work by Denim Group is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License <http://creativecommons.org/licenses/by-sa/3.0/>”
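The sqlite3_prepare rule in practice, as an added example that is not part of the original post or of Denim Group's material: Python's sqlite3 module stands in for the C API (execute() with a parameter tuple does what sqlite3_prepare_v2 followed by sqlite3_bind_* does in C), and the holdings table and the odd symbol value are constructed for this example.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory holdings table for a stock-trader style app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE holdings (owner TEXT, symbol TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO holdings VALUES (?, ?, ?)",
                     [("alice", "ACME", 10), ("alice", "INIT", 5), ("bob", "ACME", 2)])
    return conn

def holdings_concatenated(conn, owner, symbol):
    """What the rule warns against: untrusted text pasted into the SQL string.
    The SQL parser now sees the value as part of the statement, not as data."""
    sql = ("SELECT owner, symbol, qty FROM holdings WHERE owner = '%s' AND symbol = '%s'"
           % (owner, symbol))
    return conn.execute(sql).fetchall()

def holdings_parameterised(conn, owner, symbol):
    """What the rule asks for: the statement is compiled with placeholders and the
    untrusted values are bound afterwards, so they can only ever be compared as data."""
    sql = "SELECT owner, symbol, qty FROM holdings WHERE owner = ? AND symbol = ?"
    return conn.execute(sql, (owner, symbol)).fetchall()

# A symbol string no real ticker would contain, constructed to show how the two
# versions diverge: it changes the meaning of the concatenated statement but is
# simply an unmatched value once it is bound as a parameter.
ODD_SYMBOL = "ACME' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(holdings_concatenated(db, "alice", ODD_SYMBOL))   # every row in the table
    print(holdings_parameterised(db, "alice", ODD_SYMBOL))  # []
```

A reviewer applying the rule is looking for the first shape (a query string built from values) and asking for the second; the database layer in either language behaves the same way.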

These rules look for potentially dangerous or commonly misused methods in Android and iOS applications. When the methods are found in the source code they are highlighted to draw the reviewer’s attention to potentially dangerous parts of the source code.

This of course won’t find vulnerabilities for you but the highlighted method comes with a detailed description and relevant checklist questions linked to it. This should help the human reviewer carry out better security code reviews by directing them towards the potentially dangerous methods and prompting them to ask the right questions about that method.
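How a rule like the four above fires, as an added example that is not Agnitio's own code: a small Python scanner highlights any line naming one of the methods and, for openFileOutput, rates the call by the MODE_* flag it passes. The rule table, its checklist questions and the sample source lines are constructed for this example and do not reflect Agnitio's database layout or the Pandemobium source.

```python
import re

# Rule table modelled on the Agnitio v2.0 mobile rules quoted above: each
# flagged method carries a checklist question for the human reviewer.
# The wording and layout are assumptions for this example, not Agnitio's schema.
RULES = {
    "openFileOutput": ("Android", "Which MODE_* flag is passed?"),
    "HttpResponse": ("Android", "Is HTTPS used with server authentication enforced?"),
    "writeToFile": ("iOS", "Is NSFileProtectionKey set on the written file?"),
    "sqlite3_prepare": ("iOS", "Are untrusted values bound as parameters, not concatenated?"),
}

def file_mode_severity(line: str) -> str:
    """Rate an openFileOutput() call by the Android storage mode it passes."""
    match = re.search(r"openFileOutput\s*\(([^)]*)\)", line)
    args = match.group(1) if match else ""
    if "MODE_WORLD_READABLE" in args or "MODE_WORLD_WRITEABLE" in args:
        return "high"      # any app that knows the name can read/write it
    if "MODE_PRIVATE" in args:
        return "info"      # still readable with root; see the rule's NOTE
    return "review"        # mode is a variable or not on this line

def scan_source(source: str) -> list:
    """Return (line_no, rule, platform, severity, question) for every hit."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for name, (platform, question) in RULES.items():
            # \w* also catches variants such as sqlite3_prepare_v2
            if not re.search(r"\b" + re.escape(name) + r"\w*", line):
                continue
            sev = file_mode_severity(line) if name == "openFileOutput" else "review"
            findings.append((n, name, platform, sev, question))
    return findings

# Constructed sample lines in the style of a mobile stock-trader app
# (not Pandemobium's actual source).
ANDROID_SAMPLE = """\
FileOutputStream fos = openFileOutput("trades.txt", Context.MODE_WORLD_READABLE);
FileOutputStream log = openFileOutput("debug.log", Context.MODE_PRIVATE);
HttpResponse response = client.execute(new HttpGet(quoteUrl));
"""
IOS_SAMPLE = """\
[portfolio writeToFile:path atomically:YES];
sqlite3_prepare_v2(db, [query UTF8String], -1, &stmt, NULL);
"""

for finding in scan_source(ANDROID_SAMPLE) + scan_source(IOS_SAMPLE):
    print("line %d: %s [%s] -> %s" % (finding[0], finding[1], finding[3], finding[4]))
```

As with Agnitio, the output is a prompt for the reviewer rather than a verdict: the "review" hits still need a human to answer the attached question.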

Android example

iOS example

The above images were created using the review rules that are provided with Agnitio v2.0 and the Pandemobium Android and iOS applications. You can of course add additional rules to the database and modify the ones Dan provided for mobile applications.

If you think of any additional rules for analysing Android and iOS applications, let me know and I will add them to the Agnitio database so others can use them as well!

SN

This entry was posted on August 16, 2011 at 6:11 pm and is filed under Application Security.
