The Open Web Application Security Project (OWASP) lists Insufficient Cryptography as M5, the fifth entry in its Mobile Top 10 (2016 edition). Insufficient Cryptography, or insecure use of cryptography, is a common vulnerability in mobile apps that rely on encryption. Because of weak algorithms or flaws in how encryption is applied, an attacker is able to recover encrypted code or sensitive data in its original, unencrypted form.
Exploitation of broken cryptography has both technical and business impacts. The technical impact is unauthorized access to, and retrieval of, sensitive information from the mobile device; the business impact may be privacy violations, information theft, code theft, intellectual property theft, or reputational damage.
How to Assess Vulnerability to Insufficient Cryptography?
There are two ways in which broken cryptography manifests within mobile apps.
- The encryption/decryption process used by the mobile app is fundamentally flawed (for example, the key is recoverable) and can be exploited by the adversary to decrypt sensitive data.
- The encryption/decryption algorithm employed by the mobile app is weak and can be directly broken by the adversary.
The following scenarios of encryption misuse can result in such attacks:
Reliance Upon Built-In Code Encryption Processes
Heavy reliance on the platform's built-in code encryption leads developers to assume the binary is protected, when in fact an adversary can bypass it. On iOS, the app loader decrypts the app in memory and proceeds to execute the code after iOS has verified its signature. In theory, this prevents an attacker from conducting binary attacks against an iOS app. In practice, an adversary installs the encrypted app on a jailbroken device, uses freely available tools such as ClutchMod or GDB to take a snapshot of the decrypted app once the loader has loaded it into memory and decrypted it, and then uses tools like IDA Pro or Hopper to perform static and dynamic analysis of the app and mount further binary attacks. Anything the app embeds in its code, including encryption keys, is exposed by this dump.
Poor Key Management Processes
The best algorithms don't matter if you mishandle your keys. A common mistake is to choose the correct encryption algorithm and then implement a home-grown protocol for using it. Examples of key-management problems include:
- Storing the keys in the same attacker-readable directory as the encrypted content;
- Otherwise making the keys available to the attacker;
- Hardcoding keys within the binary; and
- Using keys in a way that lets them be intercepted via binary attacks.
Creation and Use of Custom Encryption Protocols
Mishandling encryption becomes easier when an app uses its own encryption algorithms or protocols. It is therefore imperative that developers use modern algorithms that the security community accepts as strong and, whenever possible, leverage the mobile platform's own state-of-the-art encryption APIs, which also keep the key material out of the app's code and data directory.
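The two key-management points above (a key hardcoded in the binary, and a home-grown protocol instead of the platform API) side by side with the platform-backed alternative, as an added Android example that is not code from the original page or from Astra. The class name, the key alias "token_vault_key", and the output layout are assumptions for illustration; the Android Keystore calls require API level 23 or later.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class TokenVault {

    // VULNERABLE (kept here only to show the anti-pattern): the key is a string
    // constant in the binary, so anyone who unpacks the APK or dumps the decrypted
    // process image recovers it. ECB mode also leaks plaintext structure and gives
    // no integrity protection, so the blob can be tampered with undetected.
    private static final byte[] HARDCODED_KEY =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static byte[] encryptInsecure(byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return cipher.doFinal(plaintext);
    }

    // HARDENED: the key is generated inside the Android Keystore (hardware-backed
    // where the device supports it) and never leaves it; the app only holds an alias.
    // AES-GCM gives confidentiality and integrity in one authenticated primitive.
    private static final String KEY_ALIAS = "token_vault_key";   // assumed alias
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final int GCM_TAG_BITS = 128;

    static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Keystore generates a fresh IV per encryption; the app may not supply one.
                .setRandomizedEncryptionRequired(true)
                .build());
        return kg.generateKey();
    }

    // Assumed blob layout: [1-byte IV length][IV][ciphertext || 16-byte GCM tag].
    // 'aad' (e.g. the record's owner id) is authenticated but not encrypted.
    static byte[] encrypt(byte[] plaintext, byte[] aad) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        cipher.updateAAD(aad);
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(1 + iv.length + ct.length)
                .put((byte) iv.length).put(iv).put(ct).array();
    }

    static byte[] decrypt(byte[] blob, byte[] aad) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] iv = new byte[buf.get() & 0xff];
        buf.get(iv);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(),
                new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(aad);
        // Throws javax.crypto.AEADBadTagException if the blob or the AAD was modified.
        return cipher.doFinal(ct);
    }
}
```

The point to take from the hardened half is that there is no key to find in the binary or on disk: a dump of the decrypted process image yields only the alias string, and on devices with a hardware-backed Keystore the AES operation itself runs in the secure hardware, so the raw key never enters app memory at all.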
Use of Insecure and/or Deprecated Algorithms
Cryptographic algorithms and protocols such as RC2, MD4, MD5, and SHA-1 have been shown to have significant weaknesses (practical collisions have been published for MD4, MD5 and SHA-1) or are otherwise insufficient for modern security requirements, and must not be used. In particular, a bare unsalted hash of a PIN or password is no substitute for a proper password-based key derivation function.
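A concrete replacement for the deprecated hash usages named above, as an added example that is not code from the original page or from Astra. It shows the MD5 anti-pattern beside PBKDF2-HMAC-SHA256 for stored PINs (per NIST SP 800-132) and HMAC-SHA256 for integrity tags; the class name, the iteration count and the salt size are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class CredentialHashing {

    // DEPRECATED PATTERN (kept only to show what to replace): an unsalted MD5 of the
    // PIN. MD5 is fast and collision-broken, and without a salt an attacker who reads
    // this value can brute-force a 4-6 digit PIN offline in well under a second.
    static byte[] pinDigestInsecure(String pin) throws Exception {
        return MessageDigest.getInstance("MD5")
                .digest(pin.getBytes(StandardCharsets.UTF_8));
    }

    // REPLACEMENT for stored credentials: PBKDF2-HMAC-SHA256 with a per-user random
    // salt and a deliberately slow iteration count. Persist salt alongside the
    // derived verifier; neither is secret, but the work factor is what slows guessing.
    static final int PBKDF2_ITERATIONS = 600_000; // assumption: tune to device budget
    static final int SALT_BYTES = 16;
    static final int DERIVED_BITS = 256;

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    static byte[] pinVerifier(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, PBKDF2_ITERATIONS, DERIVED_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // scrub the PIN from the spec's internal buffer
        }
    }

    static boolean verifyPin(char[] pin, byte[] salt, byte[] storedVerifier)
            throws Exception {
        // MessageDigest.isEqual is a constant-time comparison; never use Arrays.equals
        // for secrets, as its early exit leaks how many leading bytes matched.
        return MessageDigest.isEqual(pinVerifier(pin, salt), storedVerifier);
    }

    // REPLACEMENT for integrity checks: a keyed HMAC-SHA256 instead of a bare SHA-1
    // digest stored next to the data. An attacker who can edit the file can also
    // recompute an unkeyed digest; they cannot recompute the HMAC without the key.
    static byte[] integrityTag(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static boolean verifyIntegrityTag(byte[] key, byte[] data, byte[] tag)
            throws Exception {
        return MessageDigest.isEqual(integrityTag(key, data), tag);
    }
}
```

The HMAC key in the last two methods should come from the platform keystore rather than a constant, for the same reasons given in the key-management section; the PBKDF2 output, by contrast, is only a verifier and may be stored in app-private storage together with its salt.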
Prevent Insufficient Cryptography
While the attack scenarios above tell developers what to do and what to avoid when implementing encryption and decryption, the following best practices must also be followed when handling sensitive data:
- Avoid storing any sensitive data on the mobile device at all;
- Apply cryptographic standards that will withstand the test of time for at least 10 years into the future; and
- Follow the NIST guidelines on recommended algorithms and key lengths.
Worried that your phone might be vulnerable to such threats? Protect your mobile now with Astra’s Complete Security Suite for Android and iOS apps