[Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints

Jason Haddix jason.haddix at owasp.org
Wed Nov 5 18:34:10 UTC 2014


Just an FYI: I will not tolerate having a flame war on Thursday's call. All
arguments should be constructive and have the end goal of the project's
health in mind. Also, keep in mind we have a timeslot to adhere to and
other issues to discuss, so keep your points succinct.

On Wed, Nov 5, 2014 at 6:22 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Jonathan,
>
> The main point I was trying to make is that a pinned cert is a •public•
> piece of data. This is not a folk story, nor do we need "big data" to back
> up that conjecture, it's how pinning works.
>
> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
>
> I look forward to hearing the discussions on M10 this Thursday.
>
> Also please note, I have no skin in this debate. I was attempting to add
> some measure of value to this conversation. "Big Data" is not needed to
> evaluate software architecture security decisions. There is also great
> danger in data-only decision making, especially when considering how poor
> our industry is at data gathering and data analysis.
>
> +1 To Andre's and Brad Hills comments in this thread. They described my
> concern better than I could.
>
> Please note, even though you do not approve of my experience in this
> field, •many• other folks who •do• have incredibly deep experience (and
> data) in this area have expressed similar concerns. These are best
> addressed with rational debate.
>
> PS: Here is an example of what I think of as "data analysis fallacy".
> Most of the data I have seen demonstrates that many mobile apps have true
> secrets hard-coded and other weaknesses. The data is obvious that it's
> really bad out there. But to say that obfuscation technology is needed to
> fix this is the main data analysis "leap of faith" that I am not convinced
> of.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Nov 5, 2014, at 8:09 PM, Jonathan Carter <jonathan.carter at owasp.org>
> wrote:
>
> I fully encourage people that have opinions to come forward. What I don't
> encourage is people trying to make bold statements without all the facts.
>
> On Wed, Nov 5, 2014 at 4:07 AM, psiinon <psiinon at gmail.com> wrote:
>
>> Jonathan,
>>
>> I think that's out of order :(
>> You should be able to make valid arguments for or against points of view
>> without resorting to personal attacks like this.
>> Putting forward your opinion is not making things personal, and
>> criticizing people for doing so can discourage other people from taking
>> part in the debate.
>> Please stop this line of reasoning.
>>
>> Simon
>>
>> On Wed, Nov 5, 2014 at 12:01 PM, Jonathan Carter <
>> jonathan.carter at owasp.org> wrote:
>>
>>> I think you've made this personal by trying to impose your view of the
>>> world on a technical space you really don't specialize in. My 2 cents...
>>>
>>>
>>> On Wed, Nov 5, 2014 at 3:58 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> I politely suggest you stick to the debate and move this to the mobile
>>>> list. No need to make this personal, it's not my intention, Jonathan, and I
>>>> hope it's not yours either.
>>>>
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805
>>>>
>>>> On Nov 5, 2014, at 7:55 PM, Jonathan Carter <jonathan.carter at owasp.org>
>>>> wrote:
>>>>
>>>> With all due respect, you are a web guy and not a mobile guy.
>>>>
>>>> On Wed, Nov 5, 2014 at 3:53 AM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> So an attacker who is savvy enough to distribute custom modified
>>>>> mobile apps and who knows how to surgically identify pinned certs and
>>>>> change them can't get around obfuscation? I disagree with this threat
>>>>> model, I submit with respect.
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> @Manicode
>>>>> (808) 652-3805
>>>>>
>>>>> On Nov 5, 2014, at 7:50 PM, Jonathan Carter <jonathan.carter at owasp.org>
>>>>> wrote:
>>>>>
>>>>> The attacker is downloading the app, making the mods to their own
>>>>> version of the app, and then distributing that to the victim.
>>>>>
>>>>> On Wed, Nov 5, 2014 at 3:48 AM, Jim Manico <jim.manico at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> What I'm hearing is....
>>>>>>
>>>>>> 1) You can modify •your own• mobile binary
>>>>>> 2) Change •your own• pinned cert
>>>>>> 3) And then man in the middle yourself (by making a forged
>>>>>> certificate signed by a real authority?)
>>>>>>
>>>>>> I do not see this as a real risk.
>>>>>>
>>>>>> --
>>>>>> Jim Manico
>>>>>> @Manicode
>>>>>> (808) 652-3805
>>>>>>
>>>>>> On Nov 5, 2014, at 7:41 PM, Erwin Geirnaert <
>>>>>> erwin.geirnaert at zionsecurity.com> wrote:
>>>>>>
>>>>>> Hi Jim,
>>>>>>
>>>>>> If we can execute a man-in-the-middle during black-box mobile app
>>>>>> security testing, we often find more issues and attack vectors.
>>>>>>
>>>>>> Man-in-the-middle is a real problem for mobile.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Erwin
>>>>>>
>>>>>> *From:* Jim Manico [mailto:jim.manico at owasp.org
>>>>>> <jim.manico at owasp.org>]
>>>>>> *Sent:* 05 November 2014 11:38
>>>>>> *To:* Erwin Geirnaert; Jonathan Carter
>>>>>> *Cc:* OWASP Leaders
>>>>>> *Subject:* Re: [Owasp-leaders] OWASP Mobile Top Ten 2014 - M10
>>>>>> Datapoints
>>>>>>
>>>>>>
>>>>>>
>>>>>> I do not see *self* man-in-the-middle as a serious risk.
>>>>>>
>>>>>> Now if the attacker can modify the mobile app of a victim and change
>>>>>> the pinned cert of other clients, that is a big deal. But my understanding
>>>>>> is that is not the scenario Jonathan was referring to, if so please
>>>>>> elaborate how that would work...
>>>>>>
>>>>>> Again, a pinned cert is NOT private data. It's a *public* cert
>>>>>> signed by an authority. (Or a hash of a signed public cert like the
>>>>>> experimental IETF headers for browsers :
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/)
>>>>>>
>>>>>> Aloha,
>>>>>> Jim
>>>>>>
>>>>>> On 11/5/14 5:28 PM, Erwin Geirnaert wrote:
>>>>>>
>>>>>> Man-in-the-middle
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* owasp-leaders-bounces at lists.owasp.org [
>>>>>> mailto:owasp-leaders-bounces at lists.owasp.org
>>>>>> <owasp-leaders-bounces at lists.owasp.org>] *On Behalf Of *Jim Manico
>>>>>> *Sent:* 05 November 2014 10:15
>>>>>> *To:* Jonathan Carter
>>>>>> *Cc:* OWASP Leaders
>>>>>> *Subject:* Re: [Owasp-leaders] OWASP Mobile Top Ten 2014 - M10
>>>>>> Datapoints
>>>>>>
>>>>>>
>>>>>>
>>>>>> So, if the attacker modifies their own pinned certificate in a mobile
>>>>>> app, what do they accomplish? The inability to use that webservice. What is
>>>>>> accomplished from a security point of view? Nothing....
>>>>>>
>>>>>> - Jim
>>>>>>
>>>>>> On 11/5/14 4:38 PM, Jonathan Carter wrote:
>>>>>>
>>>>>> In that particular case, the attacker will perform static analysis,
>>>>>> identify the sensitive code associated with the hardcoded data, and then
>>>>>> modify the actual data values.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Nov 4, 2014 at 11:41 PM, Jim Manico <jim.manico at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> Certificate pinning does hard-code •secrets•, it hard-codes the
>>>>>> •public• SSL/TLS key. This is a significant difference, Jonathan.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Jim Manico
>>>>>>
>>>>>> @Manicode
>>>>>>
>>>>>> (808) 652-3805
>>>>>>
>>>>>>
>>>>>> On Nov 5, 2014, at 11:38 AM, Jonathan Carter <
>>>>>> jonathan.carter at owasp.org> wrote:
>>>>>>
>>>>>> While M10 does touch on digital rights management, it goes far
>>>>>> beyond that.  Here's an easy example: certificate pinning.  Certificate
>>>>>> pinning is a classic coding technique that relies upon hardcoded data.
>>>>>> This security control has an inherent set of other related binary
>>>>>> vulnerabilities that would allow an attacker to completely bypass or
>>>>>> disable your flawlessly written code.  You must make it as difficult as
>>>>>> possible to prevent someone from modifying that hardcoded data.  If they
>>>>>> do, you've completely made your certificate pinning control irrelevant.
>>>>>> This is what M10 is touching on and it's something that OWASP really
>>>>>> doesn't like to talk about or acknowledge.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Nov 4, 2014 at 7:12 PM, Tim <tim.morgan at owasp.org> wrote:
>>>>>>
>>>>>>
>>>>>> Hi Leaders,
>>>>>>
>>>>>> I have brought up my concerns about M10 before and I have done a fair
>>>>>> bit of thinking about this since then.  I think it would be useful to
>>>>>> re-frame the discussion with some more subtle distinctions:
>>>>>>
>>>>>>
>>>>>> 0. Are all software security risks also considered business risks?
>>>>>>
>>>>>>    Yes, I would say so.  It is hard to find a computer security risk
>>>>>>    that doesn't pose some kind of business risk.
>>>>>>
>>>>>>
>>>>>> 1. Are all business risks considered security risks?
>>>>>>
>>>>>>    No, I definitely don't think so.  There are plenty of things
>>>>>>    outside of the realm of software security that are very real
>>>>>>    business risks (e.g. employees running over a business partner in
>>>>>>    the parking lot by accident).
>>>>>>
>>>>>>
>>>>>> 2. Is binary modification/repackaging a real business risk to
>>>>>>    intellectual property?
>>>>>>
>>>>>>    Yes!  It is happening already.  An attacker could repackage your
>>>>>>    app, redistribute, and reap benefits from app stores based on your
>>>>>>    hard work.
>>>>>>
>>>>>>
>>>>>> 3. How is mobile reverse engineering and/or repackaging a security
>>>>>>    risk?
>>>>>>
>>>>>>    Yes, specifically:
>>>>>>
>>>>>>    A) Reverse engineering can expose crypto keys and any other secrets
>>>>>>       that are foolishly embedded in the app.
>>>>>>
>>>>>>    B) Repackaging can be used to try and fool users into installing
>>>>>>       the wrong version of an application which has malicious intent.
>>>>>>       Very similar to phishing.
>>>>>>
>>>>>>
>>>>>> 4. Does mobile app obfuscation/monitoring/anti-reverse engineering
>>>>>>    technology help solve a *business* risk?
>>>>>>
>>>>>>    Yes, in that it raises the cost of reusing the compiled version of
>>>>>>    the software.  Raise the cost enough, and the attacker might as
>>>>>>    well write their own app.  Even if you don't raise the cost *that*
>>>>>>    high, you reduce the number of people willing to target your app
>>>>>>    specifically.
>>>>>>
>>>>>>
>>>>>> 5. Does mobile app obfuscation/monitoring/anti-reverse engineering
>>>>>>    technology help solve a *security* risk?
>>>>>>
>>>>>>    No, I don't think so.
>>>>>>
>>>>>>    Regarding (3A)-- If crypto keys/credentials/etc are valuable, it
>>>>>>    doesn't take a whole lot of effort to decode an obfuscated binary to
>>>>>>    get them.  Definitely worth the minimal effort.
>>>>>>
>>>>>>    Regarding (3B)-- If cloning apps like this is effective against
>>>>>>    users, then it's just as easy to copy the images from the company's
>>>>>>    website, slap it on a "hello world" app, add a login form, and
>>>>>>    poof: you have users' credentials.  You don't need to clone a whole
>>>>>>    app to fool users.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I think many folks on each side of the discussion are correct in what
>>>>>> they are saying, but they are talking about different things.  Look at
>>>>>> the issue with a slightly higher resolution, particularly in the
>>>>>> context of what attacks are actually applicable, and it all becomes
>>>>>> much more clear:  Remove M10.  (After all, OWASP is primarily about
>>>>>> computer security, not digital rights management.)
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>> tim
>>>>>>
>>>>>>
>>>>>>
>>>>>>   _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
>


-- 
Jason Haddix
OWASP Mobile Top Ten Project Leader
Mobile Security Researcher
(805) 698 2885
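Jim's argument above rests on what a pin actually is: a hash of the server's public certificate (the SubjectPublicKeyInfo, in the IETF key-pinning draft he links), so anyone who can connect to the server can compute it. The following Python script is an added example, not code from this thread or from any OWASP project: it extracts the SPKI from a DER certificate with a minimal DER walker, computes the pin-sha256 value, checks a presented certificate against an app's pin set, and emits the Public-Key-Pins header form. The certificate is constructed inline with dummy key and signature bytes so the script runs offline; it is not a real or valid certificate, and all function names are the example's own. The demo() function also shows what happens when the embedded pin is swapped for a different one: the genuine server no longer passes the check, which is the "inability to use that webservice" Jim describes.

```python
"""SPKI-hash certificate pinning: pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo)).

Added example for the thread; not OWASP project code. The certificate built
below is CONSTRUCTED with dummy key/signature bytes so it runs offline.
"""
import base64
import hashlib
import hmac


# ---- minimal DER helpers (single-byte tags, definite lengths) ------------

def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER element: tag, definite length (short or long form), payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_payload(tlv: bytes) -> bytes:
    """Return the payload of a single DER element (strips tag and length)."""
    first = tlv[1]
    hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
    return tlv[hdr:]


def der_elements(payload: bytes) -> list:
    """Split the payload of a DER SEQUENCE into its child elements (full TLVs)."""
    elems, i = [], 0
    while i < len(payload):
        first = payload[i + 1]
        if first < 0x80:
            hdr, length = 2, first
        else:
            nbytes = first & 0x7F
            hdr = 2 + nbytes
            length = int.from_bytes(payload[i + 2:i + 2 + nbytes], "big")
        elems.append(payload[i:i + hdr + length])
        i += hdr + length
    return elems


# ---- pinning logic --------------------------------------------------------

def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = der_elements(der_payload(cert_der))[0]
    fields = der_elements(der_payload(tbs))
    if fields[0][0] == 0xA0:          # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]                  # serial, sigalg, issuer, validity, subject, SPKI


def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 value. Derived solely from the public certificate: it is public data."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def verify_pin(cert_der: bytes, pinned: list) -> bool:
    """True when the presented certificate's SPKI hash matches any pin the app ships."""
    presented = spki_pin(cert_der)
    return any(hmac.compare_digest(presented, p) for p in pinned)


def hpkp_header(pins: list, max_age: int = 5184000) -> str:
    """Public-Key-Pins header in the form of the IETF websec key-pinning draft."""
    return "Public-Key-Pins: " + "; ".join(f'pin-sha256="{p}"' for p in pins) + f"; max-age={max_age}"


# ---- constructed sample certificate (NOT real, dummy key and signature) ---

RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11


def toy_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING } around arbitrary bytes (constructed)."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))


def toy_certificate(spki: bytes) -> bytes:
    """X.509-shaped certificate around SPKI; names are empty, signature is dummy zeros."""
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"141105000000Z") + der_tlv(0x17, b"151105000000Z"))
    sig_alg = der_tlv(0x30, der_tlv(0x06, SHA256_WITH_RSA) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + b"\x00" * 16))


SERVER_SPKI = toy_spki(b"server-key-bytes-constructed-for-demo")
SERVER_CERT = toy_certificate(SERVER_SPKI)
APP_PINS = [spki_pin(SERVER_CERT)]   # what ships in the app: a hash of a public cert


def demo() -> dict:
    """Genuine server passes; a binary whose pin was swapped can no longer reach it."""
    swapped_pins = [spki_pin(toy_certificate(toy_spki(b"other-key-bytes-constructed")))]
    return {
        "pin_is_44_chars": len(APP_PINS[0]) == 44,
        "real_server_passes": verify_pin(SERVER_CERT, APP_PINS),
        "swapped_pin_rejects_real_server": not verify_pin(SERVER_CERT, swapped_pins),
    }


if __name__ == "__main__":
    print(hpkp_header(APP_PINS))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice worth noting from a defender's side: the pin set contains only hashes of public certificates, so nothing in it needs protecting from disclosure; the control's value lies in the check being executed, which is the part the thread is arguing over.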