"Congratulations, you are the second person
to crack the van der Vode safe today.
So, Mr. Ocean,
you have joined the long ranks of those
who made titanic efforts
to get things done
and, in the end, became only second.
You do not know the names of these people
because they are covered by oblivion.
Do you know the word "oblivion"?
It means that you
will be forgotten, completely and forever."
Mr. Night Fox (film "Ocean's 12")
Hello, Habr reader! Imagine that you are a tailor and you have sewn a suit to order for a man. The man told you how he wants to look in this suit, where he will wear it and how much he is ready to pay for it. You listened to him carefully, took all the measurements and, with love, sewed this beautiful dream suit, using all the modern fashion trends. You followed every wish of your dear client. And then came the hour of triumph: the suit is ready, the man puts it on, and he is happy looking at himself in the mirror. In the evening he called and said that his wife and the guests at his anniversary liked it too. But one of the guests said that this suit has flaws: it is not yellow, you cannot put out a fire in it, anyone can steal this suit, and (would you believe it!) it has no hood and you cannot fit a hammer or a saw in the pocket.

But excuse me, who told the man the suit had to be yellow? What fire and what hood? This is a suit for official events. The man says that he himself is surprised and puzzled. He likes the suit, and it is beautifully sewn. And you advise him to ignore this guest and not invite him again, to avoid any more such nonsense. You both laugh, wish each other a pleasant evening and say goodbye. The guest's opinion is consigned to oblivion.
Now we are in the position of this tailor. We made a mobile application to order for a client company. We discussed every step with the needs of the users in mind (the users of this particular application, not of ANY mobile application in general) and agreed on every element. Everyone is happy, including the users, but then a certain Guest showed up with his OPINION. It would be fine to put that OPINION somewhere, but it is so clumsy and angular that it hardly fits anywhere.
Judge for yourself.
All of us (almost all) use smartphones and mobile applications. And, of course, we all (some of us) think about the security of the personal data we store in the phone. But, in any case, the majority relies on the application developers. Indeed, secure storage and transmission of data is one of the most important tasks developers deal with. It is not surprising that customer companies try to play it safe and sometimes hand the developed application over for review by a third-party company (preferably a well-known one).
We had such a case too, and an application of ours was subjected to such a "check". The result was a kind of presentation describing how bad things are. Below are the reviewers' arguments, our comments and our conclusions. Enjoy.

Connection security
Argument: The connection to the server is made over https with TLS-encrypted traffic, which is the de facto standard for modern applications. However, the implementation on the device does not meet all the requirements for correct use of https. In particular, the application establishes the connection while accepting any TLS certificate. This vulnerability allows full eavesdropping on sensitive application data:
• All transmitted data can be read in the clear or modified.
• PAN credit card numbers, CVC/CVV codes and personal user data are subject to leakage.
• Payment forms can be substituted and data intercepted.
Counter-argument: Colleagues, it is not any TLS certificate at all, but any certificate trusted at the operating-system level. Of course, the user may "inadvertently" add the certificate of an attacker who has gained control of the communication channel. Such a "vulnerability" is inherent in principle in all websites. Nevertheless, life goes on, and people register and make purchases on websites. A lot depends on the caution of the user. In the case of an application, security can be strengthened by embedding the specific certificate used by the server into the application (SSL pinning). But this requires coordination with the customer, and it prevents changing the certificate (or at least its key) on the server without updating the application.
Conclusion: The argument is, on the whole, not entirely accurate. Most applications, like browsers, work at the same level of connection security. Written this way, it can frighten the customer a great deal, which was obviously the goal.
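As an added example (not code from the article or the application it describes), this is how certificate pinning on iOS can be layered on top of the normal system validation, so that a certificate issued by a CA the user installed on the device still passes the system check but is rejected by the application. It assumes Swift with iOS 15+ APIs (SecTrustCopyCertificateChain, CryptoKit); the pin values are placeholders to be filled with the SHA-256 of the server's DER certificate and of a backup certificate, which is what allows rotation without stranding installed apps.

```swift
import Foundation
import CryptoKit

// Added example, not the article's code. Assumes iOS 15+ (SecTrustCopyCertificateChain, CryptoKit).
// Placeholder pins: hex SHA-256 of the server's DER-encoded leaf certificate, plus a backup
// certificate so the server side can rotate without forcing an app update.
let pinnedCertHashes: Set<String> = [
    "<sha256-of-current-server-cert-der>",
    "<sha256-of-backup-cert-der>",
]

final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: the usual system validation (chain, hostname, expiry). A CA the user added to
        // the device trust store passes this step, which is exactly the gap pinning closes.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: the leaf certificate must be one the application was built to expect.
        let leafDER = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: leafDER).map { String(format: "%02x", $0) }.joined()
        if pinnedCertHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request made through this session is subject to the pin.
let pinnedSession = URLSession(configuration: .default,
                               delegate: PinningSessionDelegate(),
                               delegateQueue: nil)
```

Pinning the backup certificate alongside the current one is what keeps the server-side rotation problem mentioned above manageable: the new certificate is shipped in the app before it goes live on the server.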
Application data
Argument: Customer data is stored on the device in the clear. Neither system protection (Keychain, iOS Data Protection) nor encryption of this data is used. This vulnerability allows:
• Obtaining user data from any device (without jailbreak or other modifications) within a minute of connecting it to a computer. This can be done, for example, with the iFunBox file manager.
Counter-argument: This statement is misleading: it seems that our colleagues checked the application on an unlocked phone. In fact, iOS Data Protection is used to protect the data (the NSFileProtectionComplete flag; we rechecked it). This means that when a device with a configured passcode or Touch ID is locked, the file is encrypted and can be decrypted only after unlocking. If the device is not locked, it is pointless to talk about protecting data from an attacker who has physical access to the device: he can simply launch the application and view everything.
We considered improving security with an application PIN code. However, using it for data protection in an application is a very controversial idea. If it is optional, the user may not set it, just as he may not set one on the device as a whole. If it is mandatory, users will have to enter two PIN codes: one on the phone and one in the application. In addition, without a device passcode, things like mail, the browser (with its cache and saved passwords), calls and messages remain unprotected on the device. Having access to them, an attacker can not only cause significant damage but most likely also gain access to the user's account on the server (if there is one and it has, for example, a "forgot password" function). And the application is unlikely to store data more critical than the things listed.
Conclusion: The argument is incorrect. We believe that either the reviewer made a mistake, or the reviewer deliberately counted on the customer making the same mistake if he tried to verify it himself. You cannot read the data on a locked phone, but with an unlocked device in hand you can do everything in the open application.
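An added example (not the article's or the application's code) of storing a file under NSFileProtectionComplete and reading the applied class back, which is the recheck described above; it assumes Swift on iOS with a device passcode set, and the payload is a constructed placeholder.

```swift
import Foundation

// Added example, not the article's code. Writes customer data with NSFileProtectionComplete
// and reads the attribute back, which is the check the article describes ("we rechecked it").
// Assumption: the device has a passcode set; without one, no protection class encrypts anything.
enum ProtectedStore {
    static func fileURL(named name: String) -> URL {
        let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
        return docs.appendingPathComponent(name)
    }

    /// Writes atomically and applies the .complete class at creation time, so the file never
    /// exists on disk under the weaker default class (complete until first user authentication).
    static func save(_ data: Data, as name: String) throws -> URL {
        let url = fileURL(named: name)
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Returns the protection class the file system actually recorded for the file.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }
}

// Usage with a constructed sample payload (placeholders, not real data). A locked device
// cannot decrypt this file; an unlocked one can, which is why the article says an attacker
// holding an unlocked phone sees everything anyway.
let sample = Data(#"{"pan":"<placeholder>","name":"<placeholder>"}"#.utf8)
let url = try ProtectedStore.save(sample, as: "customer.json")
let applied = try ProtectedStore.protectionClass(of: url)
assert(applied == .complete)
```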
Jailbreak threat
Argument: With a jailbreak installed, it is possible to copy application data remotely, along with the database and other files.
Counter-argument: Protecting or guaranteeing anything "if a jailbreak is installed" is a completely different story. In general, we recommend that nobody guarantee anything to anyone "if a jailbreak is installed". For example, this also exists:
github.com/iSECPartners/ios-ssl-kill-switch . How can you protect a user who installs that himself? Should there be a check for an installed jailbreak? First, any jailbreak check can be circumvented. Second, the user is hardly unaware that his device is jailbroken; and here it is worth considering whom we are protecting: the user from attacks, or the application from the user. Third, the presence of some checks can cause problems when passing App Store review or while the application is running, because many of these checks consist of the application trying to do things that are not allowed on non-jailbroken devices.
Conclusion: The argument is incorrect. We will not protect the application and user data from the user himself.
System screenshots
Argument: System screenshots are not masked and may contain customers' private billing information. System screenshots are stored in the device's memory and are easily accessible when the device is connected to a computer.
Counter-argument: Well, again, most likely an unlocked phone was checked. "iOS Data Protection" is also used for system screenshots, and they are not accessible on a locked phone. And if the phone is unlocked and there is access to it, then anyone can see the screenshots anyway.
Conclusion: The argument is contrived and intended to sow panic, because the screenshots are protected at the system level.
Debugger
Argument: The application does not check for the presence of a debugger at startup, which allows the application's algorithms to be recovered and the application to be modified.
Counter-argument: "Recover the algorithms": it is unclear what the purpose of this would be and why write about it at all. We have no secret algorithms, and the application can be modified only with a jailbreak, about which we have already written: this can harm only the user himself.
Conclusion: The argument is meaningless. It is unclear why it is cited and whether the author of the so-called "presentation" understands the meaning of what he is writing about.

Summary

As you can see, the quick analysis touched on the right security points, but their interpretation and presentation raise some questions.
Of all the listed arguments, it makes sense to improve only the security of the connection, by applying certificate pinning. At one time we offered this to the customer, but made no progress on the server side of the issue. Perhaps this analysis will help us in the dialogue with the customer as an additional argument.
In general, the comrades built their presentation in red, with big words and, as you have already seen, shallow statements, and panicked the client company.
Was this analysis objective, and what was its purpose?
Was our client's time and money well spent?
How ethical is it, from a professional point of view, to present obviously incorrect arguments against someone else's product?

As they say, who will check the one who checked?
We always welcome constructive criticism of our products, but here the level of argumentation and the adequacy of the approach compromise the very idea of cross-review.
Have a nice day and success in developing applications... secure applications.