Continuing on our learning about the OWASP Top 10 Mobile threats, today we’ll see what Broken Cryptography means and how it can cause damage.
Broken cryptography attacks come into the picture when an app developer wants to take advantage of encryption in his application. In order to exploit this weakness, an adversary must successfully return encrypted code or sensitive data to its original unencrypted form due to weak encryption algorithms or flaws within the encryption process.
Are you vulnerable to Broken Cryptography?
Broken Cryptography or insecure usage of cryptography is mostly common in mobile apps that leverage encryption. There are two ways in which broken cryptography can be manifested within mobile apps.
First, the mobile app may use a process behind the encryption / decryption that is fundamentally flawed and can be exploited by the adversary to decrypt sensitive data.
Second, the mobile app may implement or leverage an encryption / decryption algorithm that is weak in nature and can be directly decrypted by the adversary.
If we go in detail, the following scenarios can result in such attacks:
1. Reliance Upon Built-In Code Encryption Processes
By default, iOS applications are protected (in theory) from reverse engineering via code encryption. The iOS security model requires that apps be encrypted and signed by trustworthy sources in order to execute in non-jailbroken environments. Upon start-up, the iOS app loader will decrypt the app in memory and proceed to execute the code after its signature has been verified by iOS. This feature, in theory, prevents an attacker from conducting binary attacks against an iOS mobile app.
Using freely available tools like ClutchMod or GBD, an adversary will download the encrypted app onto their jailbroken device and take a snapshot of the decrypted app once the iOS loader loads it into memory and decrypts it (just before the loader kicks off execution). Once the adversary takes the snapshot and stores it on disk, the adversary can use tools like IDA Pro or Hopper to easily perform static / dynamic analysis of the app and conduct further binary attacks.
2. Poor Key Management Processes
The best algorithms don’t matter if you mishandle your keys. Many make the mistake of using the correct encryption algorithm, but implementing their own protocol for employing it. Some examples of problems here include:
- Including the keys in the same attacker-readable directory as the encrypted content;
- Making the keys otherwise available to the attacker;
- Avoid the use of hardcoded keys within your binary; and
- Keys may be intercepted via binary attacks.
3. Creation and Use of Custom Encryption Protocols
There is no easier way to mishandle encryption–mobile or otherwise–than to try to create and use your own encryption algorithms or protocols.
Always use modern algorithms that are accepted as strong by the security community, and whenever possible leverage the state of the art encryption APIs within your mobile platform.
4. Use of Insecure and/or Deprecated Algorithms
Many cryptographic algorithms and protocols should not be used because they have been shown to have significant weaknesses or are otherwise insufficient for modern security requirements. These include:
How can Broken Cryptography be misused?
There are two ways in which an attack can occur – decryption of data via physical access to the device or network traffic capture, or malicious apps on the device with access to the encrypted data.
What are the impacts of Broken Cryptography?
Technical Impact: Broken Cryptography can result in unauthorised access and retrieval of sensitive information from the mobile device.
Business Impact: Broken Cryptography can cause a number of business impacts, like:
- Privacy Violations
- Information Theft
- Code Theft
- Intellectual Property Theft, or
- Reputational Damage
Broken Cryptography is a threat that can be easily exploited. Hence, use advised ways of encryption and make sure you use modern algorithms that are accepted as strong by the security community.
You should definitely read our story on how we hacked Ola Cabs app which was also because of a poor encryption method.