Things Our Developers (Don't) Do!

Missing Culture of Security

...in programming world

1. Trusting 3rd Party Libraries

https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/

The Mechanism

Victim?

It affected those 3rd-party applications that used "Sign in with Apple" without implementing their own additional security measures

Damage?

A full account takeover of user accounts was possible on these 3rd-party applications irrespective of whether victim had a valid Apple ID or not

Learning!

Do not trust external entities

https://cdn-media-1.freecodecamp.org/images/GjdAgJVKbRvRrn4q9KbPhz0TwzEx-vorv9ir

2. Insecure Authorization (API)

Learning!

Implement server-side authorisation checks to identify and block unauthorised requests from non-privileged user accounts

https://www.soapui.org/soapui/media/images/dojo/Testing_Dojo_Illustrations_03_Authentication_VS_Authorization.png

3. Insecure Authorization (AWS)

https://aws.amazon.com/cognito/

https://github.com/appsecco/VyAPI

The Mechanism

Feature...

"Amazon Cognito supports unauthenticated identities. If your application allows customers to use the application without logging in, you can enable access for unauthenticated identities."

Flaw?

Each AWS Cognito identity pool that is configured with an unauthenticated role could potentially be vulnerable to breaches affecting least privilege principle, allowing unauthorised users access to potentially sensitive and private information stored in AWS services

https://github.com/riddhi-shree/nullCommunity/blob/master/Android/amazon_cognito_authz_issue/README.md

List of AWS services potentially accessible by unauthenticated users

Learning!

Always follow the least privilege principle when configuring IAM roles, i.e., each AWS Cognito role should have the smallest set of AWS permissions required to perform respective user actions

4. Improper API Rate Limiting

https://developer.github.com/v3/#rate-limiting

Expectation?

If you hit a rate limit, it's expected that you back off from making requests and try again later when you're permitted to do so. Failure to do so may result in the banning of your app.

Reality!

X-RateLimit-Reset response header was missing

X-RateLimit-Remaining response header was getting reset to higher value unexpectedly

As good as not having rate limiting

Learning!

Implement API rate limiting checks effectively so that brute force attacks could be prevented

https://airbrake.io/docs/assets/img/docs/airbrake/rate_limit.png

5. Improper App Hardening

Attack?

Attackers attempt to reverse-engineer your mobile app
Attackers try to intercept communication between the server and the app

Protection!

Root and Jailbreak detection
Emulator detection
Obfuscation
Encryption
Certificate pinning
Tamper prevention
etc.

Reverse Engineer

Intercept Calls to SSL Libraries

https://www.veracode.com/sites/default/files/mobile-data-breach.gif

Learning!

Disallow app installation if a rooted/jailbroken device is detected
Ensure strong anti-tamper and obfuscation systems are in place

6. Sensitive Files in App Bundle

Extract Bundled Resources

Learning!

Do not ship sensitive files in app bundles

https://i.stack.imgur.com/DwNYs.png

7. Miscellaneous!!

Hardcoded Secrcets

https://www.nowsecure.com/wp-content/uploads/2020/02/image1.png

Plaintext data in SQLite database

https://1.bp.blogspot.com/-EiMyvr8QDU0/XWgt_XR8JMI/AAAAAAAANUM/51Iuf5acUNYgOkCSmR73-st9ZI_HWYZ1wCEwYBhgL/s1600/whatsapp%2BE2E.png

Leftovers in Cache files

https://wiki.genexus.com/commwiki/servlet/apgetwikiimage?19352,2

And, the list goes on...

Things Our Developers (Don't) Do!

BESbswyBESbswyBESbswyBESbswy