
BSides LV 2023 - Ground Floor - Tuesday

BSides Las Vegas · 8:48:36 · 550 views · Published 2023-08 · Watch on YouTube ↗

Moving up, and welcome to BSides Las Vegas. This talk, Build Hybrid Mobile Apps Like a Security Pro, is given by Vanita, a security researcher from Synopsys. A few announcements before we begin. We would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, Semgrep, Blue Cut, PlexTrac, Toyota, ConductorOne. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. We have policies about cell phones, and these talks are being streamed live except in the Underground. As a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If you have a question, please use the audience microphone right there to ask, or you can check with me or any other person if you want to use it or ask questions. You may be asked to make announcements. So as a reminder, the BSides Las Vegas photo policy prohibits taking pictures without the explicit permission of everyone in the frame. These talks are also being recorded, except in the Underground, and will be available on YouTube in the future. Please move over to this side of the room and enjoy your talk. Thank you, and welcome Vanita. [Applause]

Hey, thank you. My name is... welcome to my session, Build Hybrid Mobile Apps Like a Security Pro. I also go by the name Vinnie, like my cousin Winnie, in case that name is too hard. So let's get started.

So a little bit about me. I am a security researcher at Synopsys, and my job involves evaluating frameworks and new languages, and all of this research goes into static analysis tools that will help catch instances where those libraries are implemented insecurely. Before this I was actually in consulting, working in the field doing pen tests and source code reviews of mobile apps and web applications, so most of my clients were in the financial or healthcare industry. I live in the Indianapolis area, and when I'm not working I like to do things that keep me off screens, like learning new dance forms. I learned a bit of violin, and I also like to be outdoorsy and go on hikes. However, my current obsession is all about growing some vegetables on my apartment patio, and I'm here for 10 days, so I'm pretty sure they'll be dead when I go back home.

All right, so in today's session we're first going to set the foundation and talk about some basic concepts about mobile applications, like their characteristics, what they're made of, what their threat model is like, and how it's different from that of a web application. Then we'll go over some basic concepts about hybrid mobile apps as well, and then we'll go over certain principles of application security and see how you can use them to build hybrid mobile apps securely. You can build them really fast, but it's also important to build them securely, and we'll use those principles to understand how to do that. At the end of the session I have a fun little interactive exercise planned for you all, where I'll show you some insecure pieces of code, and if you correctly identify the insecure line of code I have some goodies to give away. We'll then wrap it up, summarize everything we've learned today, and open it up to questions.

So, going back to basics: how many of you here have built mobile apps before? Okay. How many of you have been on the other end of the spectrum and hacked or broken into mobile apps before? Okay, I've got more hackers here. Okay, great. So just a really quick 101 for mobile apps. Initially mobile apps were just for productivity, right, like to check your calendar, your email, your planner. If you remember, BlackBerry was one of the first ones who made this available to use on the go. But now mobile apps are not for productivity; I think they're for everything else. They're for calling a cab, ordering food, looking at the sky and identifying stars, and I hear there's a mobile app to hunt down ghosts. I really hope that doesn't work. And 99% of these mobile applications cater towards two main operating systems: Apple's iOS and Android, which is owned by Google. All of these mobile applications are built using software development kits, or SDKs, and typically there is one SDK per platform, which means there is one for Android, usually based on Java and Kotlin, and there's another for iOS, and it's usually based on Swift and Objective-C. So when you have an SDK per platform, what's the biggest downside to that? Does anybody know? Correct, yes. So to repeat that answer, the downside is that you have to start building the code from scratch again when you start supporting new platforms, which is a lot of duplication of effort. And that is where hybrid applications came into being, where you can just pick a framework like React Native or Xamarin, Cordova, what have you, and you code just once, you test just once, and then you build it based on the platform that you want to support, which means your developers have now saved a lot of time. These applications came to be known as cross-platform apps or hybrid applications, and they tend to have a lot of web components in them. For the rest of this talk we'll try to use the word hybrid apps to refer to cross-platform apps as well as hybrid apps.

Some characteristics about mobile applications. Every mobile app on your phone is running in its own isolated environment. What that means is that that application process only has access to the data in its own isolated environment. This environment is usually referred to as a container or a sandbox, and to talk to other applications on the device or access data in a different sandbox, it would need the right permissions and it has to leverage inter-process communication. Fun fact about why it's called a sandbox: imagine a bunch of kids playing in a big sandbox. Now, I don't have kids, but I've been told that's a recipe for disaster, because kids don't want to share and it will lead to fights. So what do you do? You split them up and put them in their own sandbox, and everything's jolly. So apparently that's how the term sandbox came into being in the mobile world, anyway.

So mobile applications tend to have a lot of code and a lot of data on the device, because it cannot bother the server every time it wants to access some data that you as a user frequently request, for example your display picture, your username, your email address. It tends to store this data on the device so that it can quickly grab it and render it in your mobile application, because you probably open your mobile app more often than you do web apps. So mobile apps tend to do that. And in terms of how it would communicate with the server, it's not very different from that of a web application; it would typically make calls to the server using REST or SOAP API calls. Authentication is something interesting in mobile apps, because in web apps you would probably use usernames and passwords to log in every single time. I'll try to stay here. You probably are going to use usernames and passwords every single time you want to log in, but mobile apps make this easy. They make re-authentication easy, because mobile apps can leverage the biometric authentication and the passcode that you already have on your device, which means mobile apps could save some session information or usernames and passwords or JWT tokens; they tend to save them on the device.

Now everything we've discussed so far is what the mobile OS provides by default in terms of security context. But this is your device; you probably want to tweak it and customize it to your own liking. Imagine you had a laptop and you did not have root access or admin access on it. You wouldn't be cool with that. Similarly, some users like to have the ability to really own that device and make it work for them and not have to work within boundaries, so such users could jailbreak or root their phone, which from a high level means you're just disabling all of these security features and isolation. But hey, you can download that cute little emoji keyboard, right?

So, going over the threat model of mobile applications. In my opinion, one of the biggest assets in mobile apps is data. Now, in web apps too, data is an asset, but in web apps most of the data tends to be on the server side, in a database or on the cloud. But in mobile applications, like we discussed before, a lot of sensitive data could be stored on the device, so it's a very big asset. Similarly, the code of a mobile application could be on the device, which means that it's not just UI code; there could actually be some validation code, there could be something more interesting than just low-impact UI code, so that is also a very big asset. And we discussed how user credentials or session information could also be stored on the device. So threat agents to all these assets could be other malicious apps on the device, or it could be someone who has stolen your phone, especially if it's jailbroken; maybe it's easier to access that data. And users are also threat agents, because at the end of the day an attacker is a user, and they're trying to understand your app to understand how to break it. But in general, the likelihood of a successful attack on your mobile application is considered low, because first of all the attacker has to stay up to date with all of the security updates that these OSes are making very frequently. Number two, the attacker may need an already compromised environment, or has to chain a bunch of vulnerabilities to get a high-impact vulnerability. So that is why, in general, mobile application exploits are considered to have low likelihood.

Okay, so now let's get into hybrid mobile applications, which is why you're here. So like we discussed before, what is a hybrid mobile application? It is something that you just code and build once, and you can release it for multiple platforms, and it's not just for mobile OSes; it could also be for Linux or macOS or even web browsers. So it's gotten really, really easy to build hybrid mobile applications, thanks to these platforms, thanks to these frameworks, and these frameworks tend to be Cordova or Ionic, Flutter, React Native. And because these frameworks have made it so easy, hybrid applications are on the rise. In fact, according to a recent statistic, a lot of the retail applications in the market right now are built through one of these frameworks. So, just a fun fact.

So how would you go about building these hybrid mobile applications? It's just like any other mobile app: you start by creating your widgets, your UI, except in hybrid mobile applications a lot of this is already done for you. A lot of this is already pre-built and tested and made available to you through libraries. And when I talk about libraries, I like to use this example. Consider you're trying to make a big bowl of chili for a barbecue. You're probably not going to go and get all of the individual ingredients and cut them up and chop them up and add them to your chili; you're probably going to get canned beans and canned corn and add those and save time. So similarly, with hybrid mobile applications, a lot of the functionality, not just for UI, whether you want to implement data storage or talking to the server or trying to implement biometric authentication, all of this code is already tested for multiple platforms and made available on package managers like npm or pub.dev, depending on the framework, and you can just grab that library and plug it into your code and you just have that functionality, like that. This is another reason why hybrid mobile applications are really easy and very popular, because it's so easy. These libraries are usually maintained through open source or through the community of that framework, and currently here are some numbers: Flutter has 36,000 libraries and React Native has 46,000 libraries, and that number is just growing. It's just making it easier and easier to plug and play your hybrid mobile applications. Here are some examples of hybrid mobile applications in the market right now, some really famous ones: BMW, Skype, Walmart, so many of them.

Here's an example of what a library would typically look like. Here on the right side you can see that the library's name is local_auth. It's a Flutter library, it's maintained on the package manager pub.dev, you can see that it supports three platforms, Android, iOS and Windows, it seems quite popular, 99% popularity, and it's maintained by the verified publisher flutter. Now if you're a developer, you would probably stop at this page of the library documentation, or maybe you would go to the installing page or look at an example to see how you can implement it. But how many of us really go deeper and understand how these APIs work? Do we really look at it from a security perspective? I don't know. So we'll learn how to do that in this talk.

So here's an example, sample code of how you would use this library. So you would add this library as a dependency, you would import it into your project, and then it's as simple as calling the authenticate API to implement biometric authentication for your user. If you didn't have this library, you would probably have, I don't know, three times as many lines of code to implement this. So libraries really make it easy. Now, I saw that there are a lot of hackers here; can anyone recognize what's wrong with this code? Is there anything insecure? So if you're a pen tester and you've hacked mobile applications before, you will see that this API returns a Boolean value, and if you've hacked mobile apps before you know that it's extremely trivial to flip the switch on a false Boolean to a true Boolean and trick the app into thinking that authentication actually passed when it would have failed. So such kind of validation is considered insecure. It's called event-based validation, and we will talk about that more in a future slide.

Okay, so we've talked about hybrid mobile apps. We talked about the fact that you may be building these hybrid apps through a bunch of libraries from the open source; it's third party. So I research such things in my job, so why don't I just give you a list of secure libraries for every framework, for every functionality? I could do that, but what if the library gets outdated, or what if there's a CVE in the future, or it gets associated with a supply chain issue? What would you do then? So let's take an alternate approach and go by this. If you recognize what this means, it translates to: if you give a person a fish, they'll just eat once, but if you teach that person how to fish, they will eat forever. So we'll take a similar approach today and see how we can evaluate libraries on our own, and to do that we will take the help of five principles of application security today and see how you can comply with them, use them, when you're picking libraries or when you're writing your hybrid mobile application from scratch. It doesn't matter; these principles will really help you.

Okay, so the first principle I have is called the principle of least privilege, and what it means is that less is more, or that you need to have a granular permission model when you're building an application, web or mobile, it doesn't matter. You need to work with the least number of privileges that you can get by with. So mobile applications need the user's permission to access a lot of features on the device, like Bluetooth or location or Apple Pay, a lot of things, or photos, so the user has to explicitly grant permission to the user to do this. But your application shouldn't ask for permissions it doesn't really need. Like, you may not want to think, oh, maybe I'll need it in a future release, I'll just ask for the permission. It doesn't work like that. Users will get suspicious, and you may also violate some data privacy laws depending on where you're using that application. So let's take an example to understand this principle. Assume that there is a music streaming app like Spotify, and that app asks permission for your device's Bluetooth. It's fine; it probably wants to connect to a speaker. But what if it asks permission for your camera or microphone? It probably doesn't need that permission. It is suspicious; it's violating this principle. Let's take another example: a food delivery app. Can someone name a suspicious permission it can ask for? Yes, correct, yes, that is the correct answer. So when you're building your mobile application you probably want to make sure... can I throw it to you? I will try. Okay, thank you. Okay, great.

So when you're building a mobile application, you probably want to work with the minimum set of permissions, and when we talk about hybrid mobile applications, you may be using a lot of libraries for different functionalities, like data storage or biometric authentication or web views, so you want to make sure that the library is not asking for permissions that you don't really need, and even if it does, you want to make sure that they're configurable, that you're able to turn them off, and that the library is not forcing an insecure default on you. You may also be using libraries that help you handle these permissions, like checking if the user already granted a permission, or maybe it helps you ask the user for permission at runtime. So in either case, it's important to again have a known set of permissions you want to allow and make sure that you're explaining to the user why you need that permission, so that they can make an informed decision. Applications also tend to expose some of their functionality in the form of, say, intents or universal links, and you may want to put some restrictions there too and not expose it to all applications on the device. You can make use of app groups, make the app belong to a certain group of applications so that you expose your functionality only there, or you could even make use of what the native OS provides, like one-time access or signature-based permissions. You can leverage all of that, which libraries may not provide.

The next principle I have for you is called security by obscurity, and yes, that is my cat hiding behind my plants, and she thinks she's obscure, but she's not. So what this principle means is that if the inner workings of your application are completely hidden, you're safe. That doesn't sound right, does it? And you would be correct: that is a myth, and it has long been debunked. But let's think about this principle from a mobile application perspective. We discussed how mobile applications are very client-heavy, which means a lot of the code and data is actually present on the device, so maybe this principle can be helpful. Assume that you released your application without any obscurity or obfuscation, and an attacker can download this application. They don't even need an account on your application; they can just decompile, unpack your application, understand what's going on, understand the different methods and classes, and they