Page 11 - FIGI: Security audit of various DFS applications

f)  M6 Insecure Authorization
g)  M7 Client Code Quality
h)  M8 Code Tampering
i)  M9 Reverse Engineering
j)  M10 Extraneous Functionality

Categories M6, M7 and M10 are out of the scope of our tests as they would require access to the source code of the application or reverse engineering the logic of the application.

The following set of 18 tests has been selected based on their pertinence and on the feasibility of the test:

2.1  M1  Improper Platform Usage

These tests are done by analysing the manifest of the application. The following issues are verified:

a)  T1.1  Android: allowBackup:³
    This setting should be set to false, which is not the default value.
    If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved.

b)  T1.2  Android: debuggable:⁴
    This setting should be set to false, which is the default value.
    If an application is flagged as debuggable, intruders can inject their own code and execute it in the context of the vulnerable application process.

c)  T1.3  Android: installLocation:⁵
    This should be set to internalOnly or unset, which is the default value.
    If this parameter is set to auto or preferExternal, the application may be installed on a removable memory card.
    By gaining access to the memory card, an attacker could tamper with the application or extract sensitive information.
    Note that even if the application fails this test, it does not necessarily mean that the application will be installed on the removable card.

d)  T1.4  Dangerous permissions:
    The application should not require dangerous permissions without a valid reason.
    Android apps must explicitly ask for permissions for many types of operations. Some of these permissions are labelled "dangerous" by Android. The app must explicitly ask the user to grant dangerous permissions with a dialog (e.g., "Allow App to make phone calls?"). There may be valid reasons for requesting dangerous permissions. For example, a DFS application that needs to scan QR codes for making payments will need the permission to use the camera.
    Note that permissions regarding storage of data are considered in the next section.
    An app that requires dangerous permissions could abuse the permissions to attack the user. For example, it could dial premium-rated phone numbers if dialling permission were granted.

2.2  M2  Insecure Data Storage

These tests are also done by analysing the manifest of the application and by running the app on a phone. The following issues are verified:

a)  T2.1  android.permission.WRITE_EXTERNAL_STORAGE:
    The app should not require this permission without a valid reason.
    This permission allows the app to read and write data on a memory card inserted in the phone. If the application needs to store substantial amounts of non-sensitive information, this would justify writing to external storage.
    By gaining access to the memory card, an attacker could tamper with the application or extract sensitive information.
    Note that even if the application fails this test, it does not necessarily mean that the application will write sensitive data to external storage.

b)  T2.2  Disabling screenshots:
    The app should disable screenshots while it is running and only show a blank image when in the task switcher.
    This is a standard behaviour for secure applications and can be achieved with an application parameter called FLAG_SECURE.⁶ This can be tested by running the application and a) trying to make a screenshot, b) switching between apps and observing the thumbnail of the application.
    Without this setting, a malicious application could potentially steal sensitive information from the screen of an application.

2.3  M3  Insecure Communication

a)  T3.1  Application should only use HTTPS connections:
    When running the traffic of the app through an audit machine and observing the packets, only HTTPS traffic should be observed for the application.
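The manifest-based checks of sections 2.1 and 2.2 (T1.1 to T1.4 and T2.1) can be scripted against a decoded AndroidManifest.xml. The following is an added example written for this page, not the report's own tooling; it assumes the manifest has already been decoded (e.g. with apktool), and the DFS wallet manifest embedded below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# Subset of permissions that Android classifies as "dangerous" (runtime prompt).
DANGEROUS = {
    "android.permission.CALL_PHONE", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample: decoded manifest of a hypothetical DFS wallet app that fails every test.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dfswallet" android:installLocation="auto">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Wallet" android:allowBackup="true"
      android:debuggable="true"/>
</manifest>"""

def audit_manifest(xml_text):
    """Return {test_id: (passed, detail)} for tests T1.1-T1.4 and T2.1."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app_attrs = app.attrib if app is not None else {}
    perms = {e.get(ANDROID + "name") for e in root.findall("uses-permission")}
    results = {}
    # T1.1: allowBackup must be explicitly "false"; Android defaults it to true.
    backup = app_attrs.get(ANDROID + "allowBackup", "true")
    results["T1.1"] = (backup == "false", "allowBackup=" + backup)
    # T1.2: debuggable must be false, which is the default when unset.
    debug = app_attrs.get(ANDROID + "debuggable", "false")
    results["T1.2"] = (debug == "false", "debuggable=" + debug)
    # T1.3: installLocation lives on <manifest>; must be internalOnly or unset.
    loc = root.get(ANDROID + "installLocation", "internalOnly")
    results["T1.3"] = (loc == "internalOnly", "installLocation=" + loc)
    # T1.4: flag every dangerous permission; the auditor judges its justification.
    dangerous = sorted(perms & DANGEROUS)
    results["T1.4"] = (not dangerous, "dangerous: " + ", ".join(dangerous))
    # T2.1: WRITE_EXTERNAL_STORAGE is singled out because of the memory-card risk.
    ext = "android.permission.WRITE_EXTERNAL_STORAGE" in perms
    results["T2.1"] = (not ext, "WRITE_EXTERNAL_STORAGE " + ("requested" if ext else "absent"))
    return results

if __name__ == "__main__":
    for test_id, (passed, detail) in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{test_id}: {'PASS' if passed else 'FAIL'} ({detail})")
```

A FAIL on T1.4 or T2.1 is a finding to review with the developer, not automatically a vulnerability, exactly as the report notes for the camera and storage permissions.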


