<div dir="ltr">Distribution of modifications is a whole other kettle of fish. There are a number of different means by which attackers distribute changes.  Typically, they'll modify, repackage, and then distribute via either iTunes, Google Play, or third-party stores. There's also the avenue of direct infection, which then goes into the runtime self-modification detection side of life.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 2:37 AM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I do not see <i><b>self</b></i> man-in-the-middle as a serious
    risk.<br>
    <br>
    Now if the attacker can modify the mobile app of a victim and change
    the pinned cert of other clients, that is a big deal. But my
    understanding is that is not the scenario Jonathan was referring to,
    if so please elaborate how that would work...<br>
    <br>
    Again, a pinned cert is NOT private data. It's a <i><b>public</b></i>
    cert signed by an authority. (Or a hash of a signed public cert like
    the experimental IETF headers for browsers :
    <a href="https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" target="_blank">https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/</a>)<br>
    <br>
    Aloha,<br>
    Jim<div><div class="h5"><br>
    <br>
    <br>
    <div>On 11/5/14 5:28 PM, Erwin Geirnaert
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      <div>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Man-in-the-middle<u></u><u></u></span></p>
        <p class="MsoNormal"><a name="1497f881209256e9__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></a></p>
        <div>
          <div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext" lang="EN-US"> <a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">owasp-leaders-bounces@lists.owasp.org</a>
                [<a href="mailto:owasp-leaders-bounces@lists.owasp.org" target="_blank">mailto:owasp-leaders-bounces@lists.owasp.org</a>] <b>On
                  Behalf Of </b>Jim Manico<br>
                <b>Sent:</b> 05 November 2014 10:15<br>
                <b>To:</b> Jonathan Carter<br>
                <b>Cc:</b> OWASP Leaders<br>
                <b>Subject:</b> Re: [Owasp-leaders] OWASP Mobile Top Ten
                2014 - M10 Datapoints<u></u><u></u></span></p>
          </div>
        </div>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">So, if the
          attacker modifies their own pinned certificate in a mobile
          app, what do they accomplish? The inability to use that
          webservice. What is accomplished from a security point of
          view? Nothing....<br>
          <br>
          - Jim<u></u><u></u></p>
        <div>
          <p class="MsoNormal">On 11/5/14 4:38 PM, Jonathan Carter
            wrote:<u></u><u></u></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal">In that particular case, the attacker
              will perform static analysis, identify the sensitive code
              associated with the hardcoded data, and then modify the
              actual data values.<u></u><u></u></p>
          </div>
          <div>
            <p class="MsoNormal"><u></u> <u></u></p>
            <div>
              <p class="MsoNormal">On Tue, Nov 4, 2014 at 11:41 PM, Jim
                Manico <<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>>
                wrote:<u></u><u></u></p>
              <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
                <div>
                  <div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt">Certificate
                      pinning does hard-code •secrets•, it hard-codes
                      the •public• SSL/TLS key. This is a significant
                      difference, Jonathan.<u></u><u></u></p>
                    <div>
                      <p class="MsoNormal">--<u></u><u></u></p>
                    </div>
                    <div>
                      <p class="MsoNormal">Jim Manico<u></u><u></u></p>
                    </div>
                    <div>
                      <p class="MsoNormal">@Manicode<u></u><u></u></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><a href="tel:%28808%29%20652-3805" target="_blank">(808) 652-3805</a><u></u><u></u></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <div>
                        <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                          On Nov 5, 2014, at 11:38 AM, Jonathan Carter
                          <<a href="mailto:jonathan.carter@owasp.org" target="_blank">jonathan.carter@owasp.org</a>>
                          wrote:<u></u><u></u></p>
                      </div>
                      <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                        <div>
                          <div>
                            <p class="MsoNormal">While M10 does touch on
                              digital rights management, it goes far
                              beyond that.  Here's an easy example:
                              certificate pinning.  Certificate pinning
                              is a classic coding technique that relies
                              upon hardcoded data.  This security
                              control has an inherent set of other
                              related binary vulnerabilities that would
                              allow an attacker to completely bypass or
                              disable your flawlessly written code.  You
                              must make it as difficult as possible to
                              prevent someone from modifying that
                               hardcoded data.  If they do, you've
                              completely made your certificate pinning
                              control irrelevant.  This is what M10 is
                              touching on and it's something that OWASP
                              really doesn't like to talk about or
                              acknowledge.<u></u><u></u></p>
                            <div>
                              <p class="MsoNormal"><u></u> <u></u></p>
                              <div>
                                <p class="MsoNormal">On Tue, Nov 4, 2014
                                  at 7:12 PM, Tim <<a href="mailto:tim.morgan@owasp.org" target="_blank">tim.morgan@owasp.org</a>>
                                  wrote:<u></u><u></u></p>
                                <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
                                  <p class="MsoNormal"><br>
                                    Hi Leaders,<br>
                                    <br>
                                    I have brought up my concerns about
                                    M10 before and I have done a fair<br>
                                    bit of thinking about this since
                                    then.  I think it would be useful to<br>
                                    re-frame the discussion with some
                                    more subtle distinctions:<br>
                                    <br>
                                    <br>
                                    0. Are all software security risks
                                    also considered business risks?<br>
                                    <br>
                                       Yes, I would say so.  It is hard
                                    to find a computer security risk<br>
                                       that doesn't pose some kind of
                                    business risk.<br>
                                    <br>
                                    <br>
                                    1. Are all business risks considered
                                    security risks?<br>
                                    <br>
                                       No, I definitely don't think so. 
                                    There are plenty of things<br>
                                       outside of the realm of software
                                    security that are very real<br>
                                       business risks (e.g. employees
                                    running over a business partner in<br>
                                       the parking lot by accident).<br>
                                    <br>
                                    <br>
                                    2. Is binary
                                    modification/repackaging a real
                                    business risk to<br>
                                       intellectual property?<br>
                                    <br>
                                       Yes!  It is happening already. 
                                    An attacker could repackage your<br>
                                       app, redistribute, and reap
                                    benefits from app stores based on
                                    your<br>
                                       hard work.<br>
                                    <br>
                                    <br>
                                    3. How is mobile reverse engineering
                                    and/or repackaging a security<br>
                                       risk?<br>
                                    <br>
                                       Yes, specifically:<br>
                                    <br>
                                       A) Reverse engineering can expose
                                    crypto keys and any other secrets<br>
                                          that are foolishly embedded in
                                    the app.<br>
                                    <br>
                                       B) Repackaging can be used to try
                                    and fool users into installing<br>
                                          the wrong version of an
                                    application which has malicious
                                    intent.<br>
                                          Very similar to phishing.<br>
                                    <br>
                                    <br>
                                    4. Does mobile app
                                    obfuscation/monitoring/anti-reverse
                                    engineering<br>
                                       technology help solve a
                                    *business* risk?<br>
                                    <br>
                                       Yes, in that it raises the cost
                                    of reusing the compiled version of<br>
                                       the software.  Raise the cost
                                    enough, and the attacker might as<br>
                                       well write their own app.  Even
                                    if you don't raise the cost *that*<br>
                                       high, you reduce the number of
                                    people willing to target your app<br>
                                       specifically.<br>
                                    <br>
                                    <br>
                                    5. Does mobile app
                                    obfuscation/monitoring/anti-reverse
                                    engineering<br>
                                       technology help solve a
                                    *security* risk?<br>
                                    <br>
                                       No, I don't think so.<br>
                                    <br>
                                       Regarding (3A)-- If crypto
                                    keys/credentials/etc are valuable,
                                    it<br>
                                        doesn't take a whole lot of
                                     effort to decode an obfuscated binary
                                     to<br>
                                        get them.  Definitely worth
                                    the minimal effort.<br>
                                    <br>
                                       Regarding (3B)-- If cloning apps
                                    like this is effective against<br>
                                       users, then it's just as easy to
                                    copy the images from the company's<br>
                                       website, slap it on a "hello
                                    world" app, add a login form, and<br>
                                       poof: you have users'
                                    credentials.  You don't need to
                                    clone a whole<br>
                                       app to fool users.<br>
                                    <br>
                                    <br>
                                    <br>
                                    <br>
                                    I think many folks on each side of
                                    the discussion are correct in what<br>
                                    they are saying, but they are
                                    talking about different things. 
                                    Look at<br>
                                    the issue with a slightly higher
                                    resolution, particularly in the<br>
                                    context of what attacks are actually
                                    applicable, and it all becomes<br>
                                    much more clear:  Remove M10. 
                                    (After all, OWASP is primarily about<br>
                                    computer security, not digital
                                    rights management.)<br>
                                    <br>
                                    <br>
                                    Cheers,<br>
                                    tim<u></u><u></u></p>
                                </blockquote>
                              </div>
                              <p class="MsoNormal"><u></u> <u></u></p>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                  <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <p class="MsoNormal">_______________________________________________<br>
                        OWASP-Leaders mailing list<br>
                        <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                        <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><u></u><u></u></p>
                    </div>
                  </blockquote>
                </div>
              </blockquote>
            </div>
            <p class="MsoNormal"><u></u> <u></u></p>
          </div>
        </blockquote>
        <p class="MsoNormal"><u></u> <u></u></p>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>