Secure your applications and risk management
HP’s latest Cyber Risk Report found that well-known attacks are still commonplace, and that vulnerabilities giving access to unnecessary files and directories are dominant issues.
Misused security features trouble both Web and mobile apps
Programmers still make fundamental security mistakes when coding
Vulnerabilities also exist outside the application code
Even perfectly coded software can be dangerously vulnerable when misconfigured.
Information courtesy of HP Cybersecurity Risk Report 2015
Here are five surprising application design flaws that real organizations didn’t know they had! Luckily, these were fixed before hackers found them. To design better-protected applications, read the essential tip in each scenario.
Online phone retailers give away free iPhones
A telco provider had first stock of the latest iPhones. Customers could pre-order their iPhone and get it for free if they purchased the most expensive phone subscription plan.
Selecting the subscription plan and the latest iPhone, customers would see the two separate items in their online shopping basket: the payment plan and the free iPhone.
What’s the hack? Savvy customers would remove the payment plan from the basket and get the iPhone for free!
Tip: Enforce your business rules in all steps of the process.
Cheap meals delivered to your door hack
An online food delivery website connected local food businesses and hungry people. They paid businesses in one bulk sum of all orders every month, which saved time and helped businesses generate more revenue.
Customers would pay for their meals in the shopping basket. What the site did not see was that the payment amount was visible in the source code and easily editable.
The result? Hungry students bought hundreds of pizzas for as little as 1 cent without being noticed.
Tip: Never trust user input and always do calculations on the backend, where the prices are known and can’t be altered by the customer.
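The two basket scenarios above (the free iPhone and the 1-cent pizzas) share one fix: the server re-prices the basket from its own catalogue at every step, including checkout, and re-applies the bundle rule each time rather than once when the basket is displayed. The following is an added example, not the retailers’ code; the catalogue, SKUs and prices are constructed for illustration.

```python
"""Server-side basket pricing for the two shopping-basket scenarios above.
Added example, not the retailers' code: the catalogue, SKUs and prices
are constructed for illustration."""

from dataclasses import dataclass

# Constructed catalogue, in cents. This is the only place prices come from;
# a price or "free" flag submitted by the browser is never read.
CATALOGUE = {
    "plan_premium": 8000,        # most expensive subscription plan
    "plan_basic": 2000,
    "iphone": 99900,
    "pizza_margherita": 1200,
}

# Bundle rule: the phone is free only while the premium plan is also present.
FREE_WITH = {"iphone": "plan_premium"}


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    total_cents: int


class BasketError(ValueError):
    pass


def price_basket(items):
    """items: {sku: quantity} exactly as the client submitted it.
    Re-applies the bundle rule from scratch, so removing the plan
    silently puts the phone back to full price."""
    lines = []
    for sku, qty in items.items():
        if sku not in CATALOGUE:
            raise BasketError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise BasketError(f"bad quantity for {sku!r}")
        unit = CATALOGUE[sku]
        required = FREE_WITH.get(sku)
        if required is not None and required in items:
            unit = 0
        lines.append(Line(sku, qty, unit * qty))
    return lines, sum(line.total_cents for line in lines)


def checkout(items, client_claimed_total):
    """Called at payment time, not just when the basket is displayed.
    The amount charged is always the server's figure; the client's figure
    is only compared so that tampering can be logged and investigated."""
    lines, server_total = price_basket(items)
    return {
        "charged": server_total,
        "tampered": client_claimed_total != server_total,
        "lines": lines,
    }
```

Because the discount is computed inside price_basket from the current contents, there is no separate "free iPhone" line for the customer to keep after removing the plan, and a hand-edited total in the form only shows up as a tampering flag in the checkout result.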
Major bank gives easy access to customers’ accounts
One bank allowed customers to view their stock and share options in their account interface via a separate part of the site.
By clicking on ‘View my stocks’, the customer was taken to www.bank.com/stocks. Hackers could find and access the customer’s account number via that separate site’s settings.
The worst thing is that this bug already existed 15 years ago and appeared again recently.
Tip: Always carry out a lessons-learned review after a breach. Never carry the same design and requirements over to new versions without referring to past incidents.
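The bank scenario is an object-level authorization failure: a separate part of the site took the account number from somewhere the customer controlled instead of from the authenticated session. The added example below (not the bank’s code; sessions, customers and account numbers are constructed) routes every part of the site through one authorization chokepoint, and keeps the lesson as a regression check that fails if the bug is reintroduced in a later version.

```python
"""One authorization chokepoint shared by every part of the site, plus the
regression check a lessons-learned review would leave behind. Added example
with constructed sessions, customers and account numbers."""

# Constructed session store: session id -> authenticated customer id.
SESSIONS = {"sess-alice": "cust-1", "sess-bob": "cust-2"}

# Constructed ownership table: customer id -> account numbers they own.
ACCOUNTS = {"cust-1": {"ACC-1001"}, "cust-2": {"ACC-2002"}}

# Constructed data behind the /stocks part of the site.
STOCKS = {"ACC-1001": ["ACME x10"], "ACC-2002": ["GLOBEX x5"]}


class Forbidden(Exception):
    pass


def current_customer(session_id):
    """The customer identity comes from the session, never from a URL
    parameter, an editable cookie, or a 'setting' on a sub-site."""
    try:
        return SESSIONS[session_id]
    except KeyError:
        raise Forbidden("not authenticated") from None


def require_account(session_id, account_no):
    """Object-level check: the caller may only act on accounts they own.
    Both the main site and the separate /stocks site route through here."""
    customer = current_customer(session_id)
    if account_no not in ACCOUNTS.get(customer, ()):
        raise Forbidden("account not owned by caller")
    return account_no


def view_stocks(session_id, account_no):
    return STOCKS[require_account(session_id, account_no)]


def cross_account_access_denied():
    """Regression test encoding the past incident: a logged-in customer
    asking for another customer's account must be refused. Run it against
    every new version of the site so the bug cannot quietly return."""
    try:
        view_stocks("sess-alice", "ACC-2002")
    except Forbidden:
        return True
    return False
```

The point of cross_account_access_denied is that the incident report becomes executable: a redesign that drops the check on the /stocks site fails the build instead of shipping, which is what "referring to past incidents" looks like in practice.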
Online Payment System and local businesses free goods giveaway
An online payment system similar to Paypal offered three types of services to verify payment:
- Free: No verification of payment
- Low-cost: URL verification
- Pro: Call-back from bank to online business to verify payment has gone through
For the low-cost version, after the shopper selected the payment, he would be redirected through the Online Payment System to his bank. The URL would look like:
To fool the store into thinking the transaction had been paid, the shopper could copy and paste www.shop.com/transaction_state=Z into his browser to skip the whole banking process and return to the store.
Tip: Always verify remote decisions, either by cryptographically signing them or by using out-of-band communication.
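The URL-verification tier failed because the store believed a state value the shopper could type in himself. The added example below (not the payment system’s real protocol; the shared secret, shop URL and transaction ids are constructed) shows the signed variant of the tip: the payment system signs the transaction id, state, amount and a timestamp with a key shared out of band, and the store accepts a return URL only if the signature verifies, the timestamp is fresh, the amount matches, and the transaction has not been honoured before.

```python
"""Signed payment-result verification. Added example, not the payment
system's real protocol: the shared secret, shop URL and transaction ids
are constructed. The scheme is an HMAC over the fields the shop relies on,
plus a timestamp and a replay check."""

import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Provisioned to the shop out of band (e.g. in a merchant dashboard);
# the shopper's browser never sees it. Constructed value.
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"

RETURN_BASE = "https://www.shop.com/return"
MAX_AGE_SECONDS = 300


def _signature(tx_id, state, amount_cents, ts, key):
    msg = f"{tx_id}|{state}|{amount_cents}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_return_url(tx_id, state, amount_cents, ts, key=SHARED_SECRET):
    """What the payment system sends the shopper back to the store with."""
    q = {"tx": tx_id, "state": state, "amount": amount_cents, "ts": ts}
    q["sig"] = _signature(tx_id, state, amount_cents, ts, key)
    return RETURN_BASE + "?" + urlencode(q)


class ResultVerifier:
    def __init__(self, key=SHARED_SECRET, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = set()      # transaction ids already honoured

    def is_paid(self, url, expected_amount_cents, now):
        """True only if the URL carries a valid, fresh, unreplayed signature
        over state == 'paid' for the amount the shop expects."""
        _, _, query = url.partition("?")
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if any(k not in q for k in ("tx", "state", "amount", "ts", "sig")):
            return False                         # unsigned / legacy-style URL
        expected = _signature(q["tx"], q["state"], q["amount"], q["ts"], self.key)
        if not hmac.compare_digest(expected, q["sig"]):
            return False                         # forged or edited
        if not q["ts"].isdigit() or abs(now - int(q["ts"])) > self.max_age:
            return False                         # stale
        if q["amount"] != str(expected_amount_cents):
            return False                         # right transaction, wrong price
        if q["state"] != "paid":
            return False
        if q["tx"] in self.seen:
            return False                         # replayed
        self.seen.add(q["tx"])
        return True
```

The signature check uses hmac.compare_digest so a byte-by-byte comparison cannot leak timing information, and the amount is part of the signed message so a paid 1-cent transaction cannot be presented as payment for a larger order. The Pro tier’s bank call-back is the out-of-band alternative: the store asks the payment system directly rather than trusting anything that passed through the shopper’s browser.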
Government public services. An ideal target for political warfare
A country’s government wanted to provide a single sign-on for its citizens, giving easy access to public services. Instead of the person choosing their own username, their social security number was the username.
If a password was entered incorrectly more than four times, the account would be locked. A reactivation then had to be done, for which the activation code would be sent by post; this would take one full working week. With a simple algorithm, hackers could enumerate all possible social security numbers and log into each account four times with a known wrong password.
The result? A hacker could create a denial of service and disable the whole country for a week!
Tip: Use a delayed lockout based on time and a captcha to prevent an automated DoS. Also implement two-factor authentication.
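The permanent lockout turned a guessing defence into a denial-of-service lever. The added example below (not the government system’s code; the usernames, password store and thresholds are constructed, and the clock is injected so the behaviour can be tested without sleeping) implements the tip’s time-based alternative: after a few free attempts each further failure doubles a per-account waiting time up to a cap, a captcha is required once the count passes a threshold, and a correct login clears the counter. An attacker who fires four wrong passwords at every account now costs each real citizen seconds, not a week.

```python
"""Login throttling that slows down guessing without handing an attacker
a one-week lockout button. Added example, not the government system's code:
usernames, the password store and the thresholds are constructed, and the
clock is injected so the behaviour can be tested without sleeping."""

import hashlib
import hmac

# Constructed credential store. A real store uses a slow salted hash
# (argon2, bcrypt, scrypt); sha256 here only keeps the example short.
USERS = {"19800101-1234": hashlib.sha256(b"correct horse").hexdigest()}

FREE_ATTEMPTS = 3        # failures allowed before any delay applies
BASE_DELAY = 1           # seconds; doubles with each further failure
MAX_DELAY = 15 * 60      # worst case for a victim: a 15-minute wait, not a week
CAPTCHA_AFTER = 5        # from here on a captcha is required as well


class Throttle:
    def __init__(self, clock):
        self.clock = clock
        self.failures = {}   # username -> (failure count, earliest next try)

    @staticmethod
    def delay_for(count):
        if count < FREE_ATTEMPTS:
            return 0
        return min(BASE_DELAY * 2 ** (count - FREE_ATTEMPTS), MAX_DELAY)

    def status(self, user):
        count, not_before = self.failures.get(user, (0, 0))
        if self.clock() < not_before:
            return "wait"
        if count >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, user):
        count, _ = self.failures.get(user, (0, 0))
        count += 1
        self.failures[user] = (count, self.clock() + self.delay_for(count))

    def reset(self, user):
        self.failures.pop(user, None)


def login(throttle, user, password, captcha_ok=False):
    """Returns 'ok', 'bad_credentials', 'retry_later' or 'captcha_required'.
    Delay and captcha are checked before the password, so an automated
    guesser is stalled on every attempt. A second factor would sit after
    the password check; it is left out of this example."""
    status = throttle.status(user)
    if status == "wait":
        return "retry_later"
    if status == "captcha" and not captcha_ok:
        return "captcha_required"
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = USERS.get(user, "")
    if stored and hmac.compare_digest(stored, digest):
        throttle.reset(user)
        return "ok"
    throttle.record_failure(user)
    return "bad_credentials"
```

The delay is keyed by username because that is the resource the attacker was denying; a per-source-address counter is a useful complement but is not what stops this particular attack, since the enumeration touched each account only a few times.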
As mobile development becomes more mainstream, there’s no better time to start thinking about mobile security. Too often, a mobile team will put features over security to get the product out of the door, but to achieve a fully positive user experience you just cannot ignore security.
According to OWASP*, these are the top 10 risks for mobile apps.
* Open Web Application Security Project
1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions Via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections
To ensure that you do not fall into these traps, here are seven things you can do right away to protect your mobile apps.
Don’t store data if you don’t have to
Store your sensitive data securely and, even better, don’t store passwords or personal identification information at all.
Remember to look at the server side
The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities. Validate all input and use a whitelisting approach for special/control characters.
Encrypt and protect your traffic
Secure your communications across networks. Have pentesters check that your TLS implementation does none of the following:
- Trusts any certificate it sees (self-signed or any root)
- Allows expired certificates
- Connects over HTTPS once and then falls back to plain HTTP (mixed mode)
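The three TLS checks above can be expressed as properties of the client’s TLS configuration and URL handling. The following added example writes them against Python’s ssl module (the mobile platforms have their own APIs, but the properties to verify are the same); it is not code from HP or OWASP, and the hostnames and URLs are constructed. With certificate verification required, the library also rejects expired certificates, so the second check collapses into the first; the third is a policy on redirects and retries, not on the TLS handshake.

```python
"""Checks for the three TLS weaknesses listed above, written against
Python's ssl module as an added example. Hostnames and URLs are constructed."""

import ssl
from urllib.parse import urlsplit


def audit_tls_context(ctx):
    """Returns the weaknesses found in a client SSLContext. An empty list
    means certificates are validated (which also rejects expired ones),
    the hostname is matched and old protocol versions are refused."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("accepts any certificate; expiry and issuer are never checked")
    if not ctx.check_hostname:
        findings.append("does not match the certificate against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    return findings


def hardened_context():
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The kind of context a developer creates 'to make the dev server work'
    and then forgets to remove before release."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def is_downgrade(from_url, to_url):
    """Mixed-mode check: a redirect (or a retry after a failure) that moves
    a connection from https to http must be refused, not followed."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https"


def allowed_endpoint(url):
    """App policy: every endpoint the app talks to is https, with no
    plain-http fallback path in the client at all."""
    return urlsplit(url).scheme == "https"
```

During QA, run audit_tls_context over every context the app constructs and route the app through an intercepting proxy with an untrusted certificate: a hardened client refuses the connection, a weak one silently carries on, which is exactly what the pentester is looking for.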
Know your OS to avoid unintended data leakage
Look at your target OS and ensure that none of the operating system’s features leak private data.
Know your libraries
Audit any baked-in ad or analytics libraries for unnecessary transmission of private data, and make sure you proxy the application during QA testing.
Analyze mobile traffic data
Beware of the hidden communications that your mobile applications perform. Your mobile communications talk to more than one destination, and therefore your data is shared with more than just one network.
Make it hard for the attacker
Harden your binaries. Look to see what easy and free binary defences your developers can implement.
Daniel Miessler, Practice Principal, HP Fortify on Demand