<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Veracode Security Blog: Application security research, security trends and opinions &#187; 2010 &#187; December</title>
	<atom:link href="http://www.veracode.com/blog/2010/12/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.veracode.com/blog</link>
	<description>Application security testing, analysis, and metrics</description>
	<lastBuildDate>Fri, 18 May 2012 16:17:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing</title>
		<link>http://www.veracode.com/blog/2010/12/veracode-recognized-as-a-leader-in-the-magic-quadrant-for-static-application-security-testing/</link>
		<comments>http://www.veracode.com/blog/2010/12/veracode-recognized-as-a-leader-in-the-magic-quadrant-for-static-application-security-testing/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 13:42:54 +0000</pubDate>
		<dc:creator>Chris Wysopal</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[RESEARCH]]></category>

		<guid isPermaLink="false">http://www.veracode.com/blog/?p=1385</guid>
		<description><![CDATA[The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode [...]]]></description>
			<content:encoded><![CDATA[<p>The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader.  We are pleased to be able to share the leaders position with IBM and HP, two of the biggest and oldest companies in information technology.  I am very proud of the work the Veracode team has been able to accomplish as a 4.5-year-old company.  </p>
<p>To get our service to the performance level where it is today has taken many hard-earned lessons.  These were learned satisfying the application security testing needs of some of the biggest and most sophisticated software vendors and largest enterprises in the world.  We also learned plenty by performing security testing for small organizations getting their feet wet in application security for the very first time.  The beauty of a SaaS security testing service is that all customers, from a global Fortune 50 company to a 2-person software shop, get the same reliable, repeatable, easy-to-use service. We don&#8217;t blink when a large company says they need 100 apps analyzed in 100 days or when 100 small organizations each need 1 app analyzed.</p>
<p>Being recognized as a SAST leader is a significant milestone, but we are not satisfied and we are not standing still.  We will have some exciting new announcements in January which will make it even easier for anyone to get an application analyzed. It will take only a few clicks to get an account, upload your application binary, and view test results.  Printing pictures online through a photo service is more complicated.  Our platform support will continue to grow to handle new languages and more types of mobile apps.  We will continue to get more accurate (fewer false positives and more true positives) every day, as we tune our analysis engine to the world&#8217;s software codebase. The community effect of SaaS allows us to use the collective intelligence gathered from all our customers to create the most accurate analysis possible. We will continue to grow our integration from our cloud API to on-premise systems: IDEs, bug tracking/quality systems, and GRC dashboards. We won&#8217;t stop until every application is security tested: quickly, inexpensively, and accurately, with nothing more than a browser or IDE.</p>
<p>A full copy of the Gartner Magic Quadrant for Static Application Security Testing report is available for download: [the report should be available soon]<br />
<a href="http://www.veracode.com/analyst-reports/index.html">http://www.veracode.com/analyst-reports/index.html</a> </p>
<h3>Veracode Security Guides</h3>
<div style="margin-left:15px;">
<a href="http://www.veracode.com/security/csrf">CSRF</a><br />
<a href="http://www.veracode.com/security/sql-injection">SQL Injection</a><br />
<a href="http://www.veracode.com/security/xss">XSS</a></div>
<h3>Data Security Resources</h3>
<div style="margin-left:15px;">
<a href="http://www.veracode.com/security/data-loss-prevention">Data Loss</a><br />
<a href="http://www.veracode.com/security/data-security">Data Security</a><br />
<a href="http://www.veracode.com/security/data-breach">Data Breach</a></div>
]]></content:encoded>
			<wfw:commentRss>http://www.veracode.com/blog/2010/12/veracode-recognized-as-a-leader-in-the-magic-quadrant-for-static-application-security-testing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mobile App Top 10 List</title>
		<link>http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/</link>
		<comments>http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 20:02:19 +0000</pubDate>
		<dc:creator>Chris Wysopal</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[RESEARCH]]></category>

		<guid isPermaLink="false">http://www.veracode.com/blog/?p=1362</guid>
		<description><![CDATA[The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop [...]]]></description>
			<content:encoded><![CDATA[<p>The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk.  This behavior can be maliciously designed or inadvertent. </p>
<p>Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system.  In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps.  However, mobile devices are not just small computers. Mobile devices are designed around personal and communication functionality which makes the top mobile applications risks different from the top traditional computing risks.</p>
<p>The Mobile App Top 10 can be used to determine the coverage of a security solution which can protect against these risks.  A mobile app security solution can declare its coverage of the Mobile App Top 10 so customers can understand what risks the solution mitigates.  Mobile app security solutions can be used in the development of an app, as part of an app store vetting process, for acceptance testing of an app, or for security software running on a mobile device.   </p>
<p style="font-size: 120%"><strong><u>Mobile App Top 10</u></strong></p>
<p>There are 2 main categories of mobile app risks.  The category of Malicious Functionality is a list of unwanted and dangerous behaviors that are stealthily placed in a Trojan app that the user is tricked into installing.  The user thinks they are installing a game or utility and instead get hidden spyware, phishing UI, or unauthorized premium dialing.</p>
<p><strong>A.	Malicious Functionality</strong></p>
<ol>
<li>Activity monitoring and data retrieval</li>
<li>Unauthorized dialing, SMS, and payments</li>
<li>Unauthorized network connectivity (exfiltration or command &#038; control)</li>
<li>UI Impersonation</li>
<li>System modification (rootkit, APN proxy config)</li>
<li>Logic or Time bomb</li>
</ol>
<p>The Vulnerabilities category covers errors in design or implementation that expose the mobile device&#8217;s data to interception and retrieval by attackers.  Vulnerabilities can also expose the mobile device, or the cloud applications used from the device, to unauthorized access.</p>
<p><strong>B.	Vulnerabilities</strong></p>
<ol start="7">
<li>Sensitive data leakage (inadvertent or side channel)</li>
<li>Unsafe sensitive data storage </li>
<li>Unsafe sensitive data transmission</li>
<li>Hardcoded password/keys</li>
</ol>
<p style="font-size: 120%"><strong><u>A. Malicious Functionality Details</u></strong></p>
<p><strong>1.	Activity monitoring and data retrieval</strong></p>
<p>Activity monitoring and data retrieval are the core functionality of any spyware.  Data can be intercepted in real time as it is generated on the device: examples would be forwarding each email sent on the device to a hidden 3rd-party address, letting an attacker listen in on phone calls, or simply recording from an open microphone.  Stored data such as a contact list or saved email messages can also be retrieved.</p>
<p>The following are examples of mobile data that attackers can monitor and intercept:</p>
<ol type="a">
<li>Messaging (SMS and Email)</li>
<li>Audio (calls and open microphone recording)</li>
<li>Video (still and full-motion)</li>
<li>Location</li>
<li>Contact list</li>
<li>Call history</li>
<li>Browsing history</li>
<li>Input</li>
<li>Data files</li>
</ol>
<p>Examples:</p>
<ul>
<li><a href="http://www.switched.com/2010/10/28/sms-replicator-forwards-texts-banned-android/">Secret SMS Replicator for Android</a></li>
<li><a href="http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/">RBackupPRO for Symbian</a></li>
</ul>
<p><strong>2.	Unauthorized dialing, SMS, and payments</strong></p>
<p>Criminals seeking to monetize weaknesses in human nature and the mobile app distribution model can turn to premium rate phone calls and premium rate SMS messages.  By including premium dialing functionality in a Trojan app the attacker can run up the victim’s phone bill and have the mobile carriers collect and distribute the money to them. Mobile devices can also be used to purchase items, real and virtual, with the cost billed to the customer’s mobile bill.  </p>
<p>Another use of unauthorized SMS text messages is as a spreading vector for worms.  Once a device is infected, a worm can send SMS text messages to every contact in the address book with a link that tricks the recipient into downloading and installing the worm.</p>
<p>Examples:</p>
<ul>
<li><a href="https://www.computerworld.com/s/article/9180561/New_Android_malware_texts_premium_rate_numbers">Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a </a></li>
<li><a href="http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial-trojan-expensive-phone-calls/">Premium rate phone call –Windows Mobile Troj/Terdial-A</a></li>
</ul>
<p><strong>3.	Unauthorized network connectivity (exfiltration or command &#038; control)</strong></p>
<p>Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker.  Since mobile devices are designed for communication there are many potential vectors that a malicious app can use to send data to the attacker.  A full-function malicious program will often also let the attacker send commands to the spyware, for instance to turn on the microphone or grab a data file at a particular time.</p>
<p>The following are examples of communication channels attackers can use for exfiltration and command and control:</p>
<ol type="a">
<li>Email</li>
<li>SMS</li>
<li>HTTP GET/POST</li>
<li>TCP socket</li>
<li>UDP socket</li>
<li>DNS exfiltration</li>
<li>Bluetooth</li>
<li>Blackberry Messenger</li>
</ol>
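<p>One way to spot the channel listed above as DNS exfiltration, as an added example that is not part of the original post: a tunnelled channel has to encode its payload into the subdomain labels of a domain the attacker controls, so a single client produces many distinct, long, hex- or base64-looking names under one registered domain. The detector below scores a query log on exactly that pattern. The log lines, client addresses and domain names are constructed for the example.</p>

```python
"""Spot DNS-based exfiltration or command-and-control in a resolver query log."""
import re
from collections import defaultdict

# Constructed log, one "client<TAB>query-name" record per line. The hosts
# and domains are hypothetical; nothing here comes from a real capture.
SAMPLE_DNS_LOG = """\
10.0.0.7\tm.facebook.com
10.0.0.7\tcdn.example-ads.net
10.0.0.9\t4a6f686e20446f65.2b31353535353535.c2.evil-example.org
10.0.0.9\t436f6e7461637420.6c697374206e616d.c2.evil-example.org
10.0.0.9\t53656e7420746f20.6861636b65722e00.c2.evil-example.org
10.0.0.9\tdGhpcyBpcyBhIHNlY3JldCBtZXNzYWdl.c2.evil-example.org
10.0.0.12\tmail.example.com
10.0.0.12\timap.example.com
10.0.0.12\twww.example.com
"""

# A label made only of hex digits, or only of base64/base32 alphabet characters,
# and long enough that a human-chosen hostname is unlikely.
ENCODED_LABEL = re.compile(r"^(?:[0-9a-f]{16,}|[a-z0-9+/=_-]{20,})$", re.I)


def registered_domain(labels):
    """Naive eTLD+1: the last two labels. Use a public-suffix list in production."""
    return ".".join(labels[-2:])


def detect_dns_tunnels(log_text, min_unique=3, min_encoded=2):
    """Return {domain: stats} for registered domains whose subdomain traffic
    looks like encoded payload: at least `min_unique` distinct subdomains, of
    which at least `min_encoded` queries carry an encoded-looking label."""
    stats = defaultdict(lambda: {"clients": set(), "subdomains": set(),
                                 "encoded_queries": 0, "max_qname_len": 0})
    for line in log_text.splitlines():
        if "\t" not in line:
            continue
        client, qname = line.split("\t", 1)
        labels = qname.strip().lower().rstrip(".").split(".")
        if len(labels) < 3:          # bare example.com: nothing to tunnel in
            continue
        entry = stats[registered_domain(labels)]
        entry["clients"].add(client)
        entry["subdomains"].add(".".join(labels[:-2]))
        entry["max_qname_len"] = max(entry["max_qname_len"], len(qname))
        if any(ENCODED_LABEL.match(label) for label in labels[:-2]):
            entry["encoded_queries"] += 1
    return {domain: s for domain, s in stats.items()
            if len(s["subdomains"]) >= min_unique
            and s["encoded_queries"] >= min_encoded}


if __name__ == "__main__":
    for domain, s in detect_dns_tunnels(SAMPLE_DNS_LOG).items():
        print("%s: %d unique subdomains, %d encoded queries, clients=%s" % (
            domain, len(s["subdomains"]), s["encoded_queries"], sorted(s["clients"])))
```

<p>Against a real resolver log the same heuristic needs a public-suffix list in place of the two-label <code>registered_domain</code> shortcut, and the thresholds should be set per client and per time window so that a CDN with many legitimately hashed hostnames is not flagged on the unique-subdomain count alone.</p>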
<p><strong>4.	UI impersonation</strong></p>
<p>Phishing attacks on PCs work by tricking the user into clicking a link in their browser that brings them to a bogus website impersonating the UI of their bank or online service.  The UI asks the user to enter their credentials.  The attacker collects the credentials and uses them to impersonate the victim.  On the mobile device there are new opportunities for attackers to perform UI impersonation.  One form is an app that wraps a web view in what looks like a native UI while proxying to the bank’s genuine website.  With this attack, the user thinks they are downloading a legitimate app, such as a banking app, but instead gets an imposter; when the user authenticates, the credentials pass through the attacker on their way to the bank.  </p>
<p>Another impersonation vector is a malicious app popping up UI that mimics the phone’s native UI or the UI of a legitimate application.  The victim is asked to authenticate and ends up sending their credentials to an attacker.</p>
<p>Example:</p>
<ul>
<li><a href="http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market">Proxy/MITM 09Droid Banking apps</a></li>
</ul>
<p><strong>5.	System modification (rootkit, APN, proxy config)</strong></p>
<p>Malicious applications will often attempt to modify the system configuration to hide their presence; this is often called rootkit behavior. Configuration changes also make other attacks possible.  An example is modifying the device proxy configuration or APN (Access Point Name) so that the device’s traffic is routed through an attacker-controlled gateway. </p>
<p><strong>6.	Logic or Time bomb [CWE-511]</strong></p>
<p>Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific event, device usage or time.</p>
<p style="font-size: 120%"><strong><u>B. Vulnerabilities Details</u></strong></p>
<p><strong>7. Sensitive data leakage [CWE-200]</strong></p>
<p>Sensitive data leakage can be either inadvertent or through a side channel.  A legitimate app’s use of device information and authentication credentials can be poorly implemented (for example written to logs or handed to a third-party service), thereby exposing this sensitive data to 3rd parties.</p>
<ol type="a">
<li>Location</li>
<li>Owner ID info: name, number, device ID</li>
<li>Authentication credentials</li>
<li>Authorization tokens</li>
</ol>
<p>Example:</p>
<ul>
<li><a href="http://boingboing.net/2009/11/05/iphone-game-dev-accu.html">Storm8 Phone Number Farming</a></li>
</ul>
<p><strong>8.	Unsafe sensitive data storage [CWE-312]</strong></p>
<p>Mobile apps often store sensitive data such as banking and payment system PINs, credit card numbers, or online service passwords.  Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it off the file system, and the encryption key must not sit beside the data where the same attacker can read it.   Storing sensitive data without encryption on removable media such as a micro SD card is especially risky, since the card can be read on any other device.</p>
<p>Examples:</p>
<ul>
<li><a href="http://www.pcworld.com/businesscenter/article/201994/citi_iphone_app_flaw_raises_questions_of_mobile_security.html">Citibank insecure storage of sensitive data</a></li>
<li><a href="http://osvdb.org/show/osvdb/69217">Wells Fargo Mobile application 1.1 for Android stores a username and password, along with account balances, in clear text.</a></li>
</ul>
<p><strong>9. Unsafe sensitive data transmission [CWE-319]</strong></p>
<p>It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. SSL is one of the best ways to secure sensitive data in transit. If the app implements SSL it could still fall victim to a downgrade attack if it allows degrading HTTPS to HTTP.  Another way SSL could be compromised is if the app does not fail on invalid certificates.  This would enable that a man-in-the-middle attack. </p>
<p><strong>10.	Hardcoded password/keys [CWE-798]</strong></p>
<p>Hardcoded passwords or keys are sometimes used as a shortcut by developers to make an application easier to implement, support, or debug.  Once the hardcoded credential is recovered through reverse engineering of the app binary, it compromises the application and every system it authenticates to with that credential, for every installed copy at once.  </p>
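<p>The checks for items 7, 8 and 10 above (tokens leaked to logs, cleartext credentials in local storage, keys hardcoded in the binary) can be approximated with one pass over the files pulled from a device. The following is an added example, not Veracode’s analysis engine and not code from the original post: it greps structured files for credential-named values and runs a <code>strings</code>-style pass over everything for long hex or base64 tokens whose entropy is too high to be an identifier or a word. The sample preferences file, log and library are constructed, including the paths, names and key values.</p>

```python
"""Find cleartext credentials and hardcoded keys in files taken off a device."""
import math
import re
from collections import Counter

# Constructed sample of what an analyst might pull from a device: a preferences
# XML, a debug log and the app's native library. Paths, names and values are
# hypothetical; the 32-hex-char value is the FIPS-197 sample AES-128 key.
SAMPLE_FILES = {
    "shared_prefs/bank.xml": (
        b'<?xml version="1.0" encoding="utf-8"?><map>'
        b'<string name="username">jdoe</string>'
        b'<string name="password">Summer2010!</string>'
        b'<string name="balance">1234.56</string></map>'
    ),
    "logs/app.log": b"POST /login 200\nuser=jdoe token=a1b2c3d4\n",
    "lib/libbank.so": (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 16
        + b"api_key=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\x00"
        + b"2b7e151628aed2a6abf7158809cf4f3c\x00"
        + b"Hello World\x00" + b"\x00" * 8
    ),
}

CREDENTIAL_NAMES = rb"(?:password|passwd|pwd|pin|secret|api[_-]?key|token)"
# name="password">value<   (Android SharedPreferences and similar XML stores)
XML_PAIR = re.compile(rb'name="(' + CREDENTIAL_NAMES + rb')">([^<]+)<', re.I)
# password=value or token: value   (logs, .properties, ini, strings in binaries)
KV_PAIR = re.compile(rb"\b(" + CREDENTIAL_NAMES + rb")\s*[=:]\s*([^\s\"'<>&\x00]+)", re.I)
# strings(1)-like run of printable ASCII
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")
# key-shaped tokens inside a run: 16+ bytes of hex, or a long base64-alphabet run
HEX_TOKEN = re.compile(rb"[0-9a-fA-F]{32,}")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(data):
    """Bits per symbol; the ceiling is 4.0 for hex text and 6.0 for base64."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def key_candidates(run, hex_min=3.0, b64_min=4.0):
    """Yield (kind, token) for tokens in a printable run that are random enough
    to be key material rather than an identifier, a word or hex-encoded text."""
    for tok in HEX_TOKEN.findall(run):
        if shannon_entropy(tok) >= hex_min:
            yield "hex", tok
    for tok in B64_TOKEN.findall(run):
        if not HEX_TOKEN.fullmatch(tok) and shannon_entropy(tok) >= b64_min:
            yield "base64", tok


def scan(files):
    """Return findings as (path, kind, name, value) tuples."""
    findings = []
    for path, data in files.items():
        reported = set()
        for pattern in (XML_PAIR, KV_PAIR):
            for name, value in pattern.findall(data):
                findings.append((path, "cleartext-credential", name.decode().lower(), value.decode()))
                reported.add(value)
        for run in PRINTABLE_RUN.findall(data):
            for kind, tok in key_candidates(run):
                if tok not in reported:   # a named match already covers this value
                    findings.append((path, "hardcoded-%s-key" % kind, "", tok.decode()))
    return findings


if __name__ == "__main__":
    for path, kind, name, value in scan(SAMPLE_FILES):
        print("%-22s %-22s %-8s %s" % (path, kind, name, value))
```

<p>Entropy alone misfires on hex-encoded text and on long identifiers, which is why the thresholds differ by alphabet and why a named <code>password=</code> match is reported even when its value is low-entropy. A finding of either kind still needs a human to confirm that the value is a live credential rather than a test fixture.</p>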
<p style="font-size: 120%"><strong><u>Credits</u></strong></p>
<p>The research team at <a href="http://www.mylookout.com/">Lookout Mobile Security</a> provided great recommendations for improving the list.</p>
<h5>Veracode Security Solutions</h5>
<div style="margin-left:15px;">
<a href="http://www.veracode.com/security/application-testing-tool">Application Testing Tool</a><br />
<a href="http://www.veracode.com/security/static-analysis-tool">Static Analysis</a><br />
<a href="http://www.veracode.com/security/penetration-testing">Penetration Testing</a><br />
<a href="http://www.veracode.com/security/static-code-analysis">Static Code Analysis</a><br />
<a href="http://www.veracode.com/security/vulnerability-scanning">Vulnerability Scanning Tools</a><br />
<a href="http://www.veracode.com/security/web-application-security-testing">Web Application Security</a><br />
<a href="http://www.veracode.com/security/software-testing-tools">Software Testing Tools</a><br />
<a href="http://www.veracode.com/security/source-code-security-analyzer">Source Code Security Analyzer</a><br />
<a href="http://www.veracode.com/security/code-security">Software Code Security</a><br />
<a href="http://www.veracode.com/security/code-analysis">Source Code Analysis</a><br />
<a href="http://www.veracode.com/security/code-review">Code Review</a></div>
<h5>Veracode Security Threat Guides</h5>
<div style="margin-left:15px;">
<a href="http://www.veracode.com/security/sql-injection">SQL Injection Vulnerabilities</a><br />
<a href="http://www.veracode.com/security/xss">Cross Site Scripting</a><br />
<a href="http://www.veracode.com/security/csrf">Cross Site Request Forgery</a><br />
<a href="http://www.veracode.com/security/ldap-injection">LDAP Injection</a><br />
<a href="http://www.veracode.com/security/mobile-code-security">Mobile Code Security</a></div>
]]></content:encoded>
			<wfw:commentRss>http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Veracode Research Team Gives 5 Predictions for 2011</title>
		<link>http://www.veracode.com/blog/2010/12/veracode-research-team-gives-5-predictions-for-2011/</link>
		<comments>http://www.veracode.com/blog/2010/12/veracode-research-team-gives-5-predictions-for-2011/#comments</comments>
		<pubDate>Wed, 08 Dec 2010 13:11:49 +0000</pubDate>
		<dc:creator>Chris Wysopal</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[RESEARCH]]></category>

		<guid isPermaLink="false">http://www.veracode.com/blog/?p=1355</guid>
		<description><![CDATA[As we close out an eventful year for security, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe have a very good chance of coming true. 1. Sandboxing goes mainstream with adoption by Firefox and [...]]]></description>
			<content:encoded><![CDATA[<p>As we close out an eventful year for security, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011.  Here are 5 predictions we believe have a very good chance of coming true.</p>
<p><B>1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer</B><br />
Sandboxing limits the damage from exploited coding errors by restricting what code running inside the sandbox can do to the rest of the operating system.  Software companies with apps that are designed to render data and interpret script code downloaded from the Internet start to adopt sandboxing.</p>
<p><B>2. Microsoft follows Google and Mozilla and starts paying a bug bounty</B><br />
Following Google’s and Mozilla’s lead, more companies offer to pay researchers for reporting bugs to them.  Microsoft, which stated years ago that they wouldn’t ever pay for bugs, caves to industry pressure as they are hit with more uncoordinated disclosures than their peers. </p>
<p><B>3. A mobile app causes a major enterprise security breach</B><br />
Rapid growth of mobile apps continues on enterprise-connected mobile devices.  Inevitably, attackers leverage this juicy new attack vector to penetrate corporate perimeters and gain access to sensitive data. It also turns out that the malicious application that enabled the attack was downloaded through a well-known and trusted app store. </p>
<p><B>4. Government and corporations stock up on anti-leak security products to defend against insider attacks, but high profile leaks continue</B><br />
The insider threat problem is so huge that a single security product category such as DLP, coupled with new policies on removable media, fails to make a dent in leaks.  The comprehensive security programs focused on internal applications and internal networks take years to implement. New organizations copy the Wikileaks model to give more outlets for leaked information.</p>
<p><B>5. A critical infrastructure facility in the US suffers a damaging incident resulting from a Stuxnet-like stealthy targeted worm</B><br />
Stuxnet demonstrated a sophisticated, aggressive attack capability that can be replicated. Removable media is once again used to bridge an air gap and a zero-day vulnerability in a SCADA system is used to cause physical damage. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.veracode.com/blog/2010/12/veracode-research-team-gives-5-predictions-for-2011/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis</title>
		<link>http://www.veracode.com/blog/2010/12/whitepaper-a-dose-of-reality-on-automated-static-dynamic-hybrid-analysis/</link>
		<comments>http://www.veracode.com/blog/2010/12/whitepaper-a-dose-of-reality-on-automated-static-dynamic-hybrid-analysis/#comments</comments>
		<pubDate>Tue, 07 Dec 2010 18:48:35 +0000</pubDate>
		<dc:creator>Chris Eng</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Dynamic Analysis]]></category>
		<category><![CDATA[RESEARCH]]></category>
		<category><![CDATA[SDLC]]></category>
		<category><![CDATA[Tools and Applications]]></category>

		<guid isPermaLink="false">http://www.veracode.com/blog/?p=1342</guid>
		<description><![CDATA[As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of automated web [...]]]></description>
			<content:encoded><![CDATA[<p>As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable.  New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. </p>
<p>In the realm of automated web application testing, today’s technologies fall into one of two categories, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).  SAST analyzes application binaries or source code, detecting vulnerabilities by identifying insecure code paths without actually executing the program.  In contrast, DAST detects vulnerabilities by conducting attacks against a running instance of the application, simulating the behavior of a live attacker.  Most enterprises have incorporated at least one SAST or DAST technology; those with mature SDLCs may even use more than one of each.</p>
<p>In the past year or so, industry analysts and product vendors have become enamored with so-called “hybrid analysis” technologies.  Hybrid techniques aim to correlate the results of SAST and DAST to dramatically expand dynamic coverage, prioritize the combined set of results, and reduce both false positives and false negatives.  This whitepaper will examine each of these claims to give consumers technical insight into whether hybrid technologies can realistically live up to the hype.  </p>
<p>Several observations will be described in the following sections:</p>
<ul>
<li>Hybrid analysis may expand dynamic coverage, but the lack of application context limits its effectiveness.</li>
<li>The challenge of reliably generating URL-to-source mappings, coupled with the existence of URL rewriting, undermines the accuracy and usefulness of vulnerability correlation.</li>
<li>Hybrid analysis does not reduce false positive rates; rather, it lulls users into a false sense of security by suggesting that non-correlated vulnerabilities are false positives.</li>
<li>Correlation should not be equated with exploitability.  Vulnerabilities should be prioritized based on severity and business impact, not on how many scanners are capable of detecting them.</li>
</ul>
<p>Download the <a href="http://www.veracode.com/blog/wp-content/uploads/2010/12/A-Dose-of-Reality-on-Hybrid-Analysis.pdf">full whitepaper</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.veracode.com/blog/2010/12/whitepaper-a-dose-of-reality-on-automated-static-dynamic-hybrid-analysis/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to Become an Information Security Thought Leader</title>
		<link>http://www.veracode.com/blog/2010/12/how-to-become-an-information-security-thought-leader/</link>
		<comments>http://www.veracode.com/blog/2010/12/how-to-become-an-information-security-thought-leader/#comments</comments>
		<pubDate>Fri, 03 Dec 2010 19:19:36 +0000</pubDate>
		<dc:creator>Chris Eng</dc:creator>
				<category><![CDATA[ALL THINGS SECURITY]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[RESEARCH]]></category>

		<guid isPermaLink="false">http://www.veracode.com/blog/?p=1332</guid>
		<description><![CDATA[I created this video for an internal Veracode video contest. It&#8217;s intended to poke fun at the abundance of &#8220;thought leaders&#8221; we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it&#8217;s meant to satirize any [...]]]></description>
			<content:encoded><![CDATA[<p>I created this video for an internal Veracode video contest.  It&#8217;s intended to poke fun at the abundance of &#8220;thought leaders&#8221; we have in our industry.  I shared it on Twitter yesterday but thought I would post here on the blog as well.  A handful of people have asked if it&#8217;s meant to satirize any particular person &#8212; sorry to disappoint, it&#8217;s just a composite.  Enjoy!</p>
<p><a href="http://www.xtranormal.com/watch/7897173">Watch the video on Xtranormal</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.veracode.com/blog/2010/12/how-to-become-an-information-security-thought-leader/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
	</channel>
</rss>

