/dec 13, 2010

Mobile App Top 10 List

By Chris Wysopal

The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication functionality which makes the top mobile applications risks different from the top traditional computing risks. The Mobile App Top 10 can be used to determine the coverage of a security solution which can protect against these risks. A mobile app security solution can declare its coverage of the Mobile App Top 10 so customers can understand what risks the solution mitigates. Mobile app security solutions can be used in the development of an app, as part of an app store vetting process, for acceptance testing of an app, or for security software running on a mobile device.

Mobile App Top 10

There are 2 main categories of mobile app risks. The category of Malicious Functionality is a list of unwanted and dangerous behaviors that are stealthily placed in a Trojan app that the user is tricked into installing. The user thinks they are installing a game or utility and instead get hidden spyware, phishing UI, or unauthorized premium dialing. A. Malicious Functionality

  1. Activity monitoring and data retrieval
  2. Unauthorized dialing, SMS, and payments
  3. Unauthorized network connectivity (exfiltration or command & control)
  4. UI Impersonation
  5. System modification (rootkit, APN proxy config)
  6. Logic or Time bomb

The category of Vulnerabilities are errors in design or implementation that expose the mobile device data to interception and retrieval by attackers. Vulnerabilities can also expose the mobile device or the cloud applications used from the device to unauthorized access. B. Vulnerabilities

  1. Sensitive data leakage (inadvertent or side channel)
  2. Unsafe sensitive data storage
  3. Unsafe sensitive data transmission
  4. Hardcoded password/keys

A. Malicious Functionality Details

1. Activity monitoring and data retrieval Activity monitoring and data retrieval are the core functionality of any spyware. Data can be intercepted real time as it is being generated on the device. Examples would be sending each email sent on the device to a hidden 3rd party address, letting an attacker listen in on phone calls or simply open microphone recording. Stored data such as a contact list or saved email messages can also be retrieved. The following are examples of mobile data that attackers can monitor and intercept:

  1. Messaging (SMS and Email)
  2. Audio (calls and open microphone recording)
  3. Video (still and full-motion)
  4. Location
  5. Contact list
  6. Call history
  7. Browsing history
  8. Input
  9. Data files

Examples:

2. Unauthorized dialing, SMS, and payments Criminals seeking to monetize weaknesses in human nature and the mobile app distribution model can turn to premium rate phone calls and premium rate SMS messages. By including premium dialing functionality into a Trojan app the attacker can run up the victim’s phone bill and get the mobile carriers to collect and distribute the money to them. Mobile devices can also be used to purchase items, real and virtual, and have the cost billed on the customers mobile bill. Another use of unauthorized SMS text message is as a spreading vector for worms. Once a device is infected a worm can send SMS text messages to all contacts in the address book with a link to trick the recipient into downloading and install the worm. Examples:

3. Unauthorized network connectivity (exfiltration or command & control) Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. Since mobile devices are designed for communication there are many potential vectors that a malicious app can use to send data to the attacker. A full function malicious program will often allow the attacker to direct commands to the spyware to for instance turn on the microphone or grab a data file at a particular time. The following are examples of communication channels attackers can use for exfiltration and command and control:

  1. Email
  2. SMS
  3. HTTP GET/POST
  4. TCP socket
  5. UDP socket
  6. DNS exfiltration
  7. Bluetooth
  8. Blackberry Messenger

4. UI impersonation Phishing attacks on PCs work by tricking the user to click on a link in their browser which brings them to a bogus website impersonating the UI of their bank or online service. The UI asks the user to enter in their credentials. The attacker collects the credentials and uses them to impersonate the victim. On the mobile device there are new opportunities for attackers to perform UI impersonation. This can take the form of a web view application which presents a native mobile UI as a proxy to a native web app. With this attack, the user thinks they are downloading a legitimate app, such as a banking app, but instead they are getting an imposter that proxies information to the bank’s genuine website. When the user authenticates they end up sending their credentials to the attacker. Another vector to impersonation is a malicious app popping up UI that impersonates that of the phone’s native UI or the UI of a legitimate application. The victim is asked to authenticate and ends up sending their credentials to an attacker. Example:

5. System modification (rootkit, APN, proxy config) Malicious applications will often attempt to modify the system configuration to hide their presence. This is often called rootkit behavior. Configuration changes also make certain attacks possible. An example is modifying the device proxy configuration or APN (Access Point Name). 6. Logic or Time bomb [CWE-511] Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific event, device usage or time. Vulnerabilities

B. Vulnerabilities Details

7. Sensitive data leakage [CWE-200] Sensitive data leakage can be either inadvertent or side channel. A legitimate apps usage of device information and authentication credentials can be poorly implemented thereby exposing this sensitive data to 3rd parties.

  1. Location
  2. Owner ID info: name, number, device ID
  3. Authentication credentials
  4. Authorization tokens

Example:

8. Unsafe sensitive data storage [CWE-312] Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords. Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off of the file system. It should be noted that storing sensitive data without encryption on removable media such as a micro SD card is especially risky. Examples:

9. Unsafe sensitive data transmission [CWE-319] It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. SSL is one of the best ways to secure sensitive data in transit. If the app implements SSL it could still fall victim to a downgrade attack if it allows degrading HTTPS to HTTP. Another way SSL could be compromised is if the app does not fail on invalid certificates. This would enable that a man-in-the-middle attack. 10. Hardcoded password/keys [CWE-798] The use of hardcoded passwords or keys is sometimes used as a shortcut by developers to make the application easier to implement, support, or debug. Once this hardcoded password is discovered through reverse engineering it renders the security of the application or the systems it authenticates to with this password ineffective.

Credits

The research team at Lookout Mobile Security provided great recommendations for improving the list.

Veracode Security Solutions
Veracode Security Threat Guides

Related Posts

By Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.