[Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints

Jim Manico jim.manico at owasp.org
Wed Nov 5 11:54:49 UTC 2014


I suggest we move this to the mobile list and stop spamming leaders. :)

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Nov 5, 2014, at 7:52 PM, Jonathan Carter <jonathan.carter at owasp.org>
wrote:

And certificate pinning has more to do with content inspection of the
certificate issued by the server. So, you don't have to forge a certificate
within the client. You just have to modify the values of the properties you
are inspecting and then compare that against the attacker's destination.
It's a very real and legitimate mobile attack vector.

On Wed, Nov 5, 2014 at 3:50 AM, Jonathan Carter <jonathan.carter at owasp.org>
wrote:

> The attacker is downloading the app, making the mods to their own version
> of the app, and then distributing that to the victim.
>
> On Wed, Nov 5, 2014 at 3:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> What I'm hearing is....
>>
>> 1) You can modify •your own• mobile binary
>> 2) Change •your own• pinned cert
>> 3) And then man in the middle yourself (by making a forged certificate
>> signed by a real authority?)
>>
>> I do not see this as a real risk.
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Nov 5, 2014, at 7:41 PM, Erwin Geirnaert <
>> erwin.geirnaert at zionsecurity.com> wrote:
>>
>>  Hi Jim,
>>
>>
>>
>> If we can execute a man-in-the-middle during black-box mobile app
>> security testing, we often find more issues and attack vectors.
>>
>> Man-in-the-middle is for mobile a real problem.
>>
>>
>>
>> Best regards,
>>
>>
>>
>> Erwin
>>
>>
>>
>> *From:* Jim Manico [mailto:jim.manico at owasp.org <jim.manico at owasp.org>]
>> *Sent:* 05 November 2014 11:38
>> *To:* Erwin Geirnaert; Jonathan Carter
>> *Cc:* OWASP Leaders
>> *Subject:* Re: [Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints
>>
>>
>>
>> I do not see *self* man-in-the-middle as a serious risk.
>>
>> Now if the attacker can modify the mobile app of a victim and change the
>> pinned cert of other clients, that is a big deal. But my understanding is
>> that is not the scenario Jonathan was referring to, if so please elaborate
>> how that would work...
>>
>> Again, a pinned cert is NOT private data. It's a *public* cert signed by
>> an authority. (Or a hash of a signed public cert like the experimental IETF
>> headers for browsers :
>> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/)
>>
>> Aloha,
>> Jim
>>
>>  On 11/5/14 5:28 PM, Erwin Geirnaert wrote:
>>
>> Man-in-the-middle
>>
>>
>>
>> *From:* owasp-leaders-bounces at lists.owasp.org [
>> mailto:owasp-leaders-bounces at lists.owasp.org
>> <owasp-leaders-bounces at lists.owasp.org>] *On Behalf Of *Jim Manico
>> *Sent:* 05 November 2014 10:15
>> *To:* Jonathan Carter
>> *Cc:* OWASP Leaders
>> *Subject:* Re: [Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints
>>
>>
>>
>> So, if the attacker modifies their own pinned certificate in a mobile
>> app, what do they accomplish? The inability to use that webservice. What is
>> accomplished from a security point of view? Nothing....
>>
>> - Jim
>>
>> On 11/5/14 4:38 PM, Jonathan Carter wrote:
>>
>>  In that particular case, the attacker will perform static analysis,
>> identify the sensitive code associated with the hardcoded data, and then
>> modify the actual data values.
>>
>>
>>
>> On Tue, Nov 4, 2014 at 11:41 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>  Certificate pinning does hard-code •secrets•, it hard-codes the
>> •public• SSL/TLS key. This is a significant difference, Jonathan.
>>
>> --
>>
>> Jim Manico
>>
>> @Manicode
>>
>> (808) 652-3805
>>
>>
>> On Nov 5, 2014, at 11:38 AM, Jonathan Carter <jonathan.carter at owasp.org>
>> wrote:
>>
>>  While M10 does touch on digital rights management, it goes far beyond
>> that.  Here's an easy example: certificate pinning.  Certificate pinning is
>> a classic coding technique that relies upon hardcoded data.  This security
>> control has an inherent set of other related binary vulnerabilities that
>> would allow an attacker to completely bypass or disable your flawlessly
>> written code.  You must make it as difficult as possible to prevent someone
>> from modifying that hardocded data.  If they do, you've completely made
>> your certificate pinning control irrelevant.  This is what M10 is touching
>> on and it's something that OWASP really doesn't like to talk about or
>> acknowledge.
>>
>>
>>
>> On Tue, Nov 4, 2014 at 7:12 PM, Tim <tim.morgan at owasp.org> wrote:
>>
>>
>> Hi Leaders,
>>
>> I have brought up my concerns about M10 before and I have done a fair
>> bit of thinking about this since then.  I think it would be useful to
>> re-frame the discussion with some more subtle distinctions:
>>
>>
>> 0. Are all software security risks also considered business risks?
>>
>>    Yes, I would say so.  It is hard to find a computer security risk
>>    that doesn't pose some kind of business risk.
>>
>>
>> 1. Are all business risks considered security risks?
>>
>>    No, I definitely don't think so.  There are plenty of things
>>    outside of the realm of software security that are very real
>>    business risks (e.g. employees running over a business partner in
>>    the parking lot by accident).
>>
>>
>> 2. Is binary modification/repackaging a real business risk to
>>    intellectual property?
>>
>>    Yes!  It is happening already.  An attacker could repackage your
>>    app, redistribute, and reap benefits from app stores based on your
>>    hard work.
>>
>>
>> 3. How is mobile reverse engineering and/or repackaging a security
>>    risk?
>>
>>    Yes, specifically:
>>
>>    A) Reverse engineering can expose crypto keys and any other secrets
>>       that are foolishly embedded in the app.
>>
>>    B) Repackaging can be used to try and fool users into installing
>>       the wrong version of an application which has malicious intent.
>>       Very similar to phishing.
>>
>>
>> 4. Does mobile app obfuscation/monitoring/anti-reverse engineering
>>    technology help solve a *business* risk?
>>
>>    Yes, in that it raises the cost of reusing the compiled version of
>>    the software.  Raise the cost enough, and the attacker might as
>>    well write their own app.  Even if you don't raise the cost *that*
>>    high, you reduce the number of people willing to target your app
>>    specifically.
>>
>>
>> 5. Does mobile app obfuscation/monitoring/anti-reverse engineering
>>    technology help solve a *security* risk?
>>
>>    No, I don't think so.
>>
>>    Regarding (3A)-- If crypto keys/credentials/etc are valuable, it
>>    doesn't take a whole lot of effort decode an obfuscated binary to
>>    get that them.  Definitely worth the minimal effort.
>>
>>    Regarding (3B)-- If cloning apps like this is effective against
>>    users, then it's just as easy to copy the images from the company's
>>    website, slap it on a "hello world" app, add a login form, and
>>    poof: you have users' credentials.  You don't need to clone a whole
>>    app to fool users.
>>
>>
>>
>>
>> I think many folks on each side of the discussion are correct in what
>> they are saying, but they are talking about different things.  Look at
>> the issue with a slightly higher resolution, particularly in the
>> context of what attacks are actually applicable, and it all becomes
>> much more clear:  Remove M10.  (After all, OWASP is primarily about
>> computer security, not digital rights management.)
>>
>>
>> Cheers,
>> tim
>>
>>
>>
>>   _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20141105/79576dd0/attachment.html>


More information about the OWASP-Leaders mailing list