Jump to content

[TOPIC: topicViewTemplate]
[GLOBAL: userSmallPhoto]
Photo

Security threats and vulnerabilities
Started by daljit.kumar4 Nov 04 2019 07:44 PM

3 replies to this topic
security vulnerabilities insecure
[TOPIC CONTROLS]
[/TOPIC CONTROLS]
[modOptionsDropdown]
[/modOptionsDropdown]
[reputationFilter]
[TOPIC: post.html]
#1

daljit.kumar4

[GLOBAL: userInfoPane.html]
daljit.kumar4
  • Observer

  • 11 posts
  • Corona SDK

We have built an official app that is available on Google and Apple stores. Our security team has run a scan of the app to identify any security threats or vulnerabilities. We have been able to fix most of the issues they pointed out. However, there are few issues that we are stuck with and we are not sure how we can fix them using Corona SDK. Your help in this matter will be greatly appreciated.

 

  1. Insecure data storage

“Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.”

 

In our app, we are using WebView to access our organization’s Single Sign On page for authentication. This page sets up some cookies that are stored in the data folder of the app in the device by Corona. The cookie file can easily be read by other apps and they can steal the critical authentication information. Can this cookie file be made secure by providing some password protection?

 

  1. Information gets cached in iOS snapshot section

In order to provide the visual transitions in the interface, iOS has been proven to capture and store snapshots (screenshots or captures) as images stored in the file system portion of the device NAND flash. This occur when a device suspends (rather than terminates), when either the home button is pressed, or a phone call or other event temporarily suspends the application. These images can often contain user and application data, and in one published case contained the user’s credit card information, his properties details and his personal details. Pressing the iPhone/iPad home button shrinks the iOS application and moves it to the background with a nice effect. To create that shrinking effect, iOS takes a screenshot of the application and stores it in the Library/Caches/Snapshots folder in the respective application’s home directory. This might result in storing the user’s sensitive information on the device without user’s knowledge. Snapshots stored on the iPhone will automatically clear after the device is rebooted. An attacker can get access to sensitive details in case the device is compromised.

 

We tried using system events such as applicationSuspend to hide any critical information being displayed on the screen. However, it still shows a snapshot of the last screen that was visible. Is there a way we can blur the app or hide some section of the app when the app user presses the Home button?

 

  1. Backup flag not set to false in Android

“The Android operating system offers a backup/restore mechanism of installed packages through the ADB utility. By default, full backup of applications including the private files stored in /data is performed, but this behavior can be customized by implementing a Backup Agent class. This way applications can feed the backup process with custom files and data. Attacker can get sensitive information from back file of the application. “

 

We tried adding following code in the Android section of build.settings but it didn’t work.

 

allowBackup="false",

fullBackupContent="false"

 

Is there a way we can set the Backup Flag to false in the build.settings?

 

  1. Application works on rooted/jailbroken devices

“Rooted/Jailbroken devices can have malicious applications guided by attackers to take sensitive information from other installed applications. An adversary can take advantage of this to perform malicious activity. An attacker can take advantage of this to perform malicious activity like stealing of data from local storage, sniffing traffic and sending it to malicious domain. ”

 

Can we block execution on rooted/jailbroken devices?

 



[TOPIC: post.html]
#2

XeduR @Spyric

[GLOBAL: userInfoPane.html]
XeduR @Spyric
  • Contributor

  • 981 posts
  • Corona SDK

What sort of scan did your security team run? Those seem like boilerplate descriptions of known issues rather than the results of any particular scan.

 

It'd also be worthwhile to know what sort of app you are working with/on, i.e. are you handling users' credit card information in the app, is the app full of corporate secrets, or is it just some game? In other words, how paranoid should you be about protecting the data and what level of security should be expected?
 

Corona does not support rooted/jailbroken devices, but to my knowledge there is very little that can be done to prevent any apps from running on said devices. The only thing I can think of would be to use Google Play licensing, but there are ways to get around that as well.

 

The simplest step you could try to setting up protection against the iOS snapshot is to create a single black rectangle that covers the entire screen that you toggle visible when the app suspends and invisible when the app resumes.

 

Finally, the crux of all security and encryption related topics is access. You could easily encrypt your local files and they wouldn't be readable anymore. However, you'd need to store the keys somewhere. If they are stored locally, then anyone with the access and the know how can find the keys and undo your encryption. If you hardcode them, either partially or fully, then we get to a point again where someone can just dig them up from the source code, etc.

 

The reason why I used the word paranoid before is because most security measures are rendered insufficient as soon as you give the attacker physical access to the device. So, to limit access, you could store everything online. However, then we get to the point that storing everything online isn't necessary that safe either because then a single hack can jeopardise the data of all users.

 

Most apps don't really prepare for an eventuality where a user's device is stolen by someone with sufficient technical knowledge to hack it.



[TOPIC: post.html]
#3

daljit.kumar4

[GLOBAL: userInfoPane.html]
daljit.kumar4
  • Observer

  • 11 posts
  • Corona SDK

Hi XeduR,

 

Thanks for your response. Please see my responses inline. If you have any more information on this, that would be great.

 

What sort of scan did your security team run? Those seem like boilerplate descriptions of known issues rather than the results of any particular scan.

[Daljit Kumar: The security team ran the scans using various tools. Yes, the descriptions provided are boilerplate and there are more specific details on the issues which We may not be able to share in the forum due to confidentiality. But I can assure you that the scans are run by professionals.]

 

It'd also be worthwhile to know what sort of app you are working with/on, i.e. are you handling users' credit card information in the app, is the app full of corporate secrets, or is it just some game? In other words, how paranoid should you be about protecting the data and what level of security should be expected?

[Daljit Kumar: It is not about what kind of sensitive information the app is storing. I work with an organization which has some standards of security measurements whenever there is an app that's used for clients. So it is more to do with the policy of the organization. We need to find remediation of these threats or need to take down the app from play stores.]
 

Corona does not support rooted/jailbroken devices, but to my knowledge there is very little that can be done to prevent any apps from running on said devices. The only thing I can think of would be to use Google Play licensing, but there are ways to get around that as well.

[Daljit Kumar: Thanks for the information.]

 

The simplest step you could try to setting up protection against the iOS snapshot is to create a single black rectangle that covers the entire screen that you toggle visible when the app suspends and invisible when the app resumes.

[Daljit Kumar: As mentioned in my post, We tried doing this using the system events such as applicationSuspend and applicationResume but it doesn't seem to work. If there is any working sample you can point us to that would be great.]

 

Finally, the crux of all security and encryption related topics is access. You could easily encrypt your local files and they wouldn't be readable anymore. However, you'd need to store the keys somewhere. If they are stored locally, then anyone with the access and the know how can find the keys and undo your encryption. If you hardcode them, either partially or fully, then we get to a point again where someone can just dig them up from the source code, etc.

[Daljit Kumar: The issue mentioned above is specifically for the cookies file created by Corona in the data folder when using a webview for authentication using our organization's single sign on page. This cookie file can be opened in database browser for sqllite and information can be stolen. We are only looking at the option of securing this file by making it password protected, if possible. Since we don't create this file and it is created automatically, we are not sure how to achieve that.]

 

The reason why I used the word paranoid before is because most security measures are rendered insufficient as soon as you give the attacker physical access to the device. So, to limit access, you could store everything online. However, then we get to the point that storing everything online isn't necessary that safe either because then a single hack can jeopardise the data of all users.

[Daljit Kumar: I agree that there is a limit to how secure we can make our app. However, as mentioned above we are trying our best based on known issues and remediation aligning to our organization's policy.]

 

Most apps don't really prepare for an eventuality where a user's device is stolen by someone with sufficient technical knowledge to hack it.

 



[TOPIC: post.html]
#4

agramonte

[GLOBAL: userInfoPane.html]
agramonte
  • Corona Geek

  • 1,255 posts
  • Corona SDK

Webview: The built in webview does not have secure cookies. I looked at this briefly in the past and to me the easiest solution would have been to create a native plugin for the GeckoView (https://mozilla.github.io/geckoview/) . In the end I abandoned the project. I would recommend implementing the minimal required to make your app work.

 

Screenshot: although not fail proof you should be able to capture the "key" sequence to blur the screen before the image is taken. Similar to the way that some social network apps do it. This should get you passed the audit.

 

Android backup: the two flags for backup have to be inside the application tag and inside the manifest for them to work. I have never done this for the backup tags, but for other tags the easiest way is to create a native plugin just with a manifest inside aar. The aar manifest will get merged with your app at build time.

 

Rooted: The easiest checker for Root that i know of is here: https://github.com/scottyab/rootbeer. Again you'll need a plugin or switch to native builds.

 

Hope some of this helps. Hopefully others have easier solutions




[topic_controls]
[/topic_controls]

Also tagged with one or more of these keywords: security, vulnerabilities, insecure