Develop Secure Mobile Apps by Studying Vulnerable Android, iOS, and Mobile Web Apps
Posted by Richard Penshorn and Tom Mullaney
This is the first blog post in a series documenting two interns’ journey as they explore secure mobile app development and the OWASP Mobile Top 10.
In today’s mobile world, demand for high-quality, feature-rich applications is increasing, while mobile app development cycles are becoming shorter. With time-to-market pressures greater than ever, security vulnerabilities are manifesting themselves in every stage of the mobile app development life cycle.
For our summer internship project, we wanted to come up with a way to help developers create more secure mobile apps.
We decided to do this by building a set of insecure mobile apps (Android, iOS, and Mobile Web) and backend server whose collective vulnerabilities will cover all of the OWASP Mobile Top 10 risks. When we release our apps to the public, they will be accompanied by a rich set of documentation which will include code examples detailing each vulnerability. The documentation will also cover security-focused development approaches that will help educate and empower mobile developers to write more secure code.
We will also provide an Amazon EC2 image and Open Virtualization Archive (OVA) for quick setup and deployment. If this interests you, please sign up to be instantly notified when we release future blog posts on this subject (see form in the upper-right corner of your screen).
OUR PROJECT TEAM
Being interns at Praetorian has been a unique experience. Throughout our internship, we have been exposed to every department within the company. We learned specifics about various business processes, security testing methodologies development cycles, and even how the sales and marketing teams operate. Praetorian’s start-up culture and transparency have offered us more hands-on opportunities for learning compared to internships that we have had at larger corporations in the past. There are five of us from the University of Texas who were invited to intern with the Praetorian team this summer. During the first week, we all came up with several summer project ideas and broke into groups based on the projects we selected to take on.
This blog post and our group’s summer project are a collaborative effort between Richard Penshorn and Tom Mullaney. We are both studying electrical engineering at The University of Texas at Austin with a focus in computer architecture and software engineering. We are very active with the IEEE Communications Society Student Chapter and have held leadership positions within the organization.
THE DAMN VULNERABLE MOBILE APP PROJECT
The approach we took to build our set of vulnerable mobile apps was to put ourselves in the shoes of developers working at a “hip tech company” focused on creating a new mobile payment solution. As we developed our mobile apps, we used commonly accepted design styles and practices but purposely overlooked secure development best practices. We used popular guides and books found on Google and other accessible resources to solve issues that came up during development.
We used the latest and most popular APIs in our mobile apps. This ensured that the security issues we introduced would not be a result of using old technology or poorly maintained codebases. Our apps take advantage of NFC, QR codes, full featured REST client, SQLite, and external API calls. We followed various guides found on the Internet when implementing these technologies and even included security fixes when recommended. We followed tutorials and guides found on the Internet, even though we knew they were not necessarily the most secure approaches, because we wanted to document and show various ways in which developers introduce insecure code.
Our backend server is code complete and we are currently finishing the Android and mobile web vulnerable apps. Next item on our list is tackling the iOS vulnerable app. When we complete our summer project, all of the OWASP Mobile Top 10 security risks will exist within our mobile apps.
OWASP MOBILE TOP 10
M1: Insecure Data Storage (Android & iOS)M2: Weak Server Side Controls (Ruby)M3: Insufficient Transport Layer Protection (Android & iOS)M4: Client Side Injection (Android & iOS)M5: Poor Authorization and Authentication (Ruby)M6: Improper Session Handling (Ruby)M7: Security Decisions via Untrusted Inputs (Ruby)M8: Side Channel Data Leakage (Android & iOS)M9: Broken Cryptography (Android & iOS)M10: Sensitive Information Disclosure (Android, iOS & Ruby)
- End-to-end testing environment including a full-featured server component
- Incorporation of advanced device features such as NFC and QR codes
- iOS, Android, and Mobile Web all supported in one project
- Both insecure and secure versions of the mobile apps
- Detailed documentation with descriptions of the vulnerabilities, examples of how to patch the issues, and relevant code snippets
- Complete coverage of the OWASP Mobile Top 10 list
We will convey this information by creating a series of blog posts that illustrate vulnerabilities falling under the OWASP Mobile Top 10 as well as examining design and implementation strategies for preventing these issues from occurring in the first place.
Our project will provide value to mobile developers, security professionals, and anyone else interested in mobile security. Ultimately, we hope developers will learn from studying our vulnerable apps and use that knowledge to create more secure mobile apps of their own.