OWASP_Russia_2016_-_Yury_Chemerkin_--_run.pdf
YuryChemerkin
15 views
70 slides
Jul 21, 2024
Slide 1 of 70
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
About This Presentation
The presentation, given by Yury Chemerkin focused on the vulnerabilities of popular mobile applications and strategies to improve their security.
Slide Content
(LEAKED)MOBILE APPLICATION DATAPRIVACY
YURY CHEMERKIN
SECURITY EXPERT RESEARCHER
YURY CHEMERKIN
SECURITY EXPERT RESEARCHER
[ AGENDA ]
•Intro
•Similar public researchers
•Related/Previous work
•Current results
•Final thoughts
•Intro
•Similar public researchers
•Related/Previous work
•Current results
•Final thoughts
UNTRUSTED PLACES
•Untrusted chargeable places.
•When you connect your device to them you will see a notification
you plugged to PC/Mac
•Untrusted network places.
•When you connect your device to them
•You will see nothing
•You will see a question about untrusted certificate. You accept or
decline it
•Someone make you to install trusted certificate
•Untrusted chargeable places.
•When you connect your device to them you will see a notification
you plugged to PC/Mac
•Untrusted network places.
•When you connect your device to them
•You will see nothing
•You will see a question about untrusted certificate. You accept or
decline it
•Someone make you to install trusted certificate
UNTRUSTED PLACES
PROBLEM. WHAT/WHO MAKES US INSECURE?
•Are we revealing everything about ourselves everywhere?
•Perhaps
•Don’t we know anything about security and privacy?
•Perhaps
•Aren’t app developers responsible for security fails?
•Whosaid they’re not? They are!
•They prefer not to tell about it only
•Are we revealing everything about ourselves everywhere?
•Perhaps
•Don’t we know anything about security and privacy?
•Perhaps
•Aren’t app developers responsible for security fails?
•Whosaid they’re not? They are!
•They prefer not to tell about it only
https://www.itr.co.uk/mobile-app/
ITR RESEARCH RESULTS.
WHY CONSUMER UNINSTALLED MOBILE APPS
ITR RESEARCH RESULTS.
WHY CONSUMER UNINSTALLED MOBILE APPS
HOW MUCH DOES YOUR SECURITY COST?
•Non-Special ‘Home’ Software
•MacroplantSoftware -$35-70 (home), $200-2500 (enterprise).
•XK72 Software -$50 per license or $400-700 per bundle
•PortSwigger-$300 per year
•… and so on
•Also, cracked edition is available (no difference pirate or buy )
•Special ‘Forensics’ Software
•ElcomsoftBreakers -$80 (home, you have to know your password), $200 (pro –
you don’t have to know it), $800 –bundle
•ElcomsoftBundles -$1 500 –2 500
•Oxygen Software –more expensive in twice at least
•… and so on
•Also, cracked edition is available for some old editions (better buy new edition)
•Non-Special ‘Home’ Software
•MacroplantSoftware -$35-70 (home), $200-2500 (enterprise).
•XK72 Software -$50 per license or $400-700 per bundle
•PortSwigger-$300 per year
•… and so on
•Also, cracked edition is available (no difference pirate or buy )
•Special ‘Forensics’ Software
•ElcomsoftBreakers -$80 (home, you have to know your password), $200 (pro –
you don’t have to know it), $800 –bundle
•ElcomsoftBundles -$1 500 –2 500
•Oxygen Software –more expensive in twice at least
•… and so on
•Also, cracked edition is available for some old editions (better buy new edition)
OXYGEN FORENSIC® DETECTIVE
•Oxygen Forensic® Detective introduces offline maps and new
physical approach for Samsung Android devices!
•The updated version offers a new physical method for Samsung
Android OS devices via customer forensic recovery. This innovative
approach allows to bypass screen lock and extract a full physical
image of supported Samsung devices.
•This innovative approach = root, steal data, deroot
•http://www.oxygen-forensic.com/en/events/news/666-oxygen-
forensic-detective-introduces-offline-maps-and-new-physical-
approach-for-samsung-android-devices
•Oxygen Forensic® Detective introduces offline maps and new
physical approach for Samsung Android devices!
•The updated version offers a new physical method for Samsung
Android OS devices via customer forensic recovery. This innovative
approach allows to bypass screen lock and extract a full physical
image of supported Samsung devices.
•This innovative approach = root, steal data, deroot
•http://www.oxygen-forensic.com/en/events/news/666-oxygen-
forensic-detective-introduces-offline-maps-and-new-physical-
approach-for-samsung-android-devices
FACTS ABOUT APP INSECURITY
•At first glance, the VK Music app only displayed legitimate functionality –it
played audio files uploaded to the social network. But further study showed that
it also contained malicious code designed to steal VKontakteuser accounts and
promote certain groups on the social network.
•https://securelist.com/blog/incidents/72458/stealing-to-the-sound-of-music/
•“In Russia will be kept of phone numbers, logins and passwords of users.
Messages we do not store, they are on the devices of users,” Moscow
representative of the company Viber said. According to the company’s lawyers,
messengers also fall under the law which requires to store personal data of
Russians on servers located on the territory of the country.
•http://appleapple.top/viber-moved-their-servers-to-russia/
•At first glance, the VK Music app only displayed legitimate functionality –it
played audio files uploaded to the social network. But further study showed that
it also contained malicious code designed to steal VKontakteuser accounts and
promote certain groups on the social network.
•https://securelist.com/blog/incidents/72458/stealing-to-the-sound-of-music/
•“In Russia will be kept of phone numbers, logins and passwords of users.
Messages we do not store, they are on the devices of users,” Moscow
representative of the company Viber said. According to the company’s lawyers,
messengers also fall under the law which requires to store personal data of
Russians on servers located on the territory of the country.
•http://appleapple.top/viber-moved-their-servers-to-russia/
FACTS ABOUT APP INSECURITY
•InstaAgent, an app that connects to Instagramand promises to track the people
that have visited a user's Instagram account, appears to be storing the
usernames and passwords of Instagram users, sending them to a suspicious
remote server.
•An app developer from Peppersoftdownloaded InstaAgent--full name "Who
Viewed Your Profile -InstaAgent" --and discovered it's reading Instagram
account usernames and passwords, sending them via clear text to a remote
server -instagram.zunamedia.com.
•http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/
•InstaAgent, an app that connects to Instagramand promises to track the people
that have visited a user's Instagram account, appears to be storing the
usernames and passwords of Instagram users, sending them to a suspicious
remote server.
•An app developer from Peppersoftdownloaded InstaAgent--full name "Who
Viewed Your Profile -InstaAgent" --and discovered it's reading Instagram
account usernames and passwords, sending them via clear text to a remote
server -instagram.zunamedia.com.
•http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/
FACTS ABOUT APP INSECURITY
•Researchers find data leaks in Instagram, Grindr, OoVooand more. The problems include
storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext
on the device, sending passwords in plaintext…
•http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-
more
•Another Popular Android Application, Another Leak. We have found that another popular
Google play app, “Camera360 Ultimate,” not only enhances the users’ photos but also
inadvertently leaks sensitive data, which gives malicious parties unauthorized access to users’
Camera360 Cloud accounts and photos.
•https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html
•Researchers find data leaks in Instagram, Grindr, OoVooand more. The problems include
storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext
on the device, sending passwords in plaintext…
•http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-
more
•Another Popular Android Application, Another Leak. We have found that another popular
Google play app, “Camera360 Ultimate,” not only enhances the users’ photos but also
inadvertently leaks sensitive data, which gives malicious parties unauthorized access to users’
Camera360 Cloud accounts and photos.
•https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
•Instagram said it's moving to encrypted communications for its images by moving to
HTTPS, the secure version of the standard used to transfer Web data over the Internet.
•They did it but it’s still affected to MITM attacks
•"Message data is stored in an unencrypted format because the operating systems
(both iOS and Android) provide data isolation that prevents apps from having their
storage read by other apps. This is considered standard in the industry, and is
completely safe," the Kiksaid.
•Standard… it’s safe… just ROFL… and did you know there is way to root device
without owner knowledge?
‘QUOTES’ AND INSECURITY
•Instagram said it's moving to encrypted communications for its images by moving to
HTTPS, the secure version of the standard used to transfer Web data over the Internet.
•They did it but it’s still affected to MITM attacks
•"Message data is stored in an unencrypted format because the operating systems
(both iOS and Android) provide data isolation that prevents apps from having their
storage read by other apps. This is considered standard in the industry, and is
completely safe," the Kiksaid.
•Standard… it’s safe… just ROFL… and did you know there is way to root device
without owner knowledge?
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
•SECURITY is core at 4Talk. Starting from secure phone number registration, to
interaction only with confirmed personal contacts, to fully managing your account
from any device you use.
•Y2014 wasn’t protected at all
•Y2015: Protected for Windows in-rest & transit, prevent MITM
•Y2015-2016: Protected for Android in-transit only, prevent MITM
•This app hasn’t PROXY FEATURE (!) So fun protection
•Y2015: Not protected at all for Mac
•Y2016: Network is protected (thanks Apple) for Mac
•Y2015-2016: Not protected for iOS and Mac OS at all
•Data Leakage is data that becomes available when you perform typical activities.
Instead, Vulnerability is a weakness of program. Thus, Vulnerability ≠ Data
Leakage, because no weakness in normal activities…
•Average security support answer in regards of fail. Just spend small amount of
money ($$) to steal the user data with fake networks in public places!
‘QUOTES’ AND INSECURITY
•SECURITY is core at 4Talk. Starting from secure phone number registration, to
interaction only with confirmed personal contacts, to fully managing your account
from any device you use.
•Y2014 wasn’t protected at all
•Y2015: Protected for Windows in-rest & transit, prevent MITM
•Y2015-2016: Protected for Android in-transit only, prevent MITM
•This app hasn’t PROXY FEATURE (!) So fun protection
•Y2015: Not protected at all for Mac
•Y2016: Network is protected (thanks Apple) for Mac
•Y2015-2016: Not protected for iOS and Mac OS at all
•Data Leakage is data that becomes available when you perform typical activities.
Instead, Vulnerability is a weakness of program. Thus, Vulnerability ≠ Data
Leakage, because no weakness in normal activities…
•Average security support answer in regards of fail. Just spend small amount of
money ($$) to steal the user data with fake networks in public places!
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
•In its defense, AgileBitsinsisted that AgileKeychainwas still secure, and
noted that the format dates back to 2008 when the company was
concerned about speed and battery drain problems caused by encryption.
•http://appleinsider.com/articles/15/10/20/1password-to-change-file-
formats-after-key-file-found-to-contain-unencrypted-data
•If you browse to your .agilekeychain“file” on disk, you find that it is
actually a directory. Inside this directory is a file named “1Password.html”.
•http://timedoctor.org/2015/10/misleading-headlines-popularity-rises-
200/
‘QUOTES’ AND INSECURITY
•In its defense, AgileBitsinsisted that AgileKeychainwas still secure, and
noted that the format dates back to 2008 when the company was
concerned about speed and battery drain problems caused by encryption.
•http://appleinsider.com/articles/15/10/20/1password-to-change-file-
formats-after-key-file-found-to-contain-unencrypted-data
•If you browse to your .agilekeychain“file” on disk, you find that it is
actually a directory. Inside this directory is a file named “1Password.html”.
•http://timedoctor.org/2015/10/misleading-headlines-popularity-rises-
200/
PREVIOUS RESEARCH
•I did many researches on mobile and app security.
•First of them were about something average between OS and Apps –
BlackBerry, Android. It was published and present around the world
•2013-2015 Researches
•Cross OS apps -protection concepts, OS specifics per concept, outlines &
remediation, EMM specifics
•“We know Twitter & Dropbox are better secured than bank apps!”
•http://www.slideshare.net/EC-Council/hh-yury-chemerkin
•http://defcamp.ro/dc14/Yury_Chemerkin.pdf
•In 2014 presented results cover ~700 apps
•Also in 2015
•http://def.camp/wp-
content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
•In 2015 presented results cover ~700 apps
•2016 Current results: most interested cases (all up-to-dated prior the event)
•I did many researches on mobile and app security.
•First of them were about something average between OS and Apps –
BlackBerry, Android. It was published and present around the world
•2013-2015 Researches
•Cross OS apps -protection concepts, OS specifics per concept, outlines &
remediation, EMM specifics
•“We know Twitter & Dropbox are better secured than bank apps!”
•http://www.slideshare.net/EC-Council/hh-yury-chemerkin
•http://defcamp.ro/dc14/Yury_Chemerkin.pdf
•In 2014 presented results cover ~700 apps
•Also in 2015
•http://def.camp/wp-
content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
•In 2015 presented results cover ~700 apps
•2016 Current results: most interested cases (all up-to-dated prior the event)
SPECIAL PART FOR DEFCAMP 2015.
LAST MINUTE RESEARCH
•Everyone got a booklet-guide. Here was a short info about
trusted taxi companies.
•Meridian –no in-app payment features, store & transmitting
everything in plaintext
•Account, Local’n’Maps, and Device Information
•SpeedTaxi–no in-app payment features, store & transmitting
everything in plaintext. Some issues with a server
•Account, Local’n’Maps, Device and Message Information
•Cobalcescu–no in-app payment features, store & transmitting
everything in plaintext. Some issues with a server
•Account and Travel Information
LAST MINUTE RESEARCH
•Everyone got a booklet-guide. Here was a short info about
trusted taxi companies.
•Meridian –no in-app payment features, store & transmitting
everything in plaintext
•Account, Local’n’Maps, and Device Information
•SpeedTaxi–no in-app payment features, store & transmitting
everything in plaintext. Some issues with a server
•Account, Local’n’Maps, Device and Message Information
•Cobalcescu–no in-app payment features, store & transmitting
everything in plaintext. Some issues with a server
•Account and Travel Information
PRETTY INTERESTING SECURITY AND PRIVACY FAILS
HOW TO FAIL WITH HTTPS
•Be any app like [ AirCanada] and send information about device and environment
•Be news/social app like [ Anews/Flipboard] and send everything in plaintext via http
•Be storage app like [ AsusWebStorage] and send credentials in plaintext
•(also fail with old hash algorithm, see next slides)
•Be travel app like [ AviaSales/Momondo], send everything in plaintext and rely on
3
rd
party server MITM protection
•Be storage app like [ Box], prevent MITM but fail and reveal credentials to MITM tool
•Be taxi app like [ Gett/MaximTaxi] and send everything in plaintext, also fail with
MITM protect of my credit card
•Be hotel app like [ Hotels.ru] and fail everywhere even with sending a password in
mail body in plaintext
HOW TO FAIL WITH HTTPS
•Be any app like [ AirCanada] and send information about device and environment
•Be news/social app like [ Anews/Flipboard] and send everything in plaintext via http
•Be storage app like [ AsusWebStorage] and send credentials in plaintext
•(also fail with old hash algorithm, see next slides)
•Be travel app like [ AviaSales/Momondo], send everything in plaintext and rely on
3
rd
party server MITM protection
•Be storage app like [ Box], prevent MITM but fail and reveal credentials to MITM tool
•Be taxi app like [ Gett/MaximTaxi] and send everything in plaintext, also fail with
MITM protect of my credit card
•Be hotel app like [ Hotels.ru] and fail everywhere even with sending a password in
mail body in plaintext
UNTRUSTED PLACES.
KINVEYIS A BACKEND FOR STORING
FILES & USER ACCOUNTS
KINVEYIS A BACKEND FOR STORING
FILES & USER ACCOUNTS
UNTRUSTED PLACES. KINVEY.
ADMIN IS LOGGING IN TO KINVEYCONSOLE
ADMIN IS LOGGING IN TO KINVEYCONSOLE
UNTRUSTED PLACES. KINVEY.
APP IS LOGGING IN & DOWNLOADING
FILES
APP IS LOGGING IN & DOWNLOADING
FILES
PROTECTION LEVELS.
•Some of 10 levels we’re using (0…9)
•0 –plaintext (stored as and with 777 access or transferred as is)
•2 –weak (shared w/o dev.perm, MITM w/o root-fake cert)
•4 –medium (shared w dev.perm, MITM w root-fake cert)
•5 –cached data
•6 –protected (looks good but can be patched)
•7 –strong protected (can’t be patched or bypassed or at least
incredible hard)
•Some of 10 levels we’re using (0…9)
•0 –plaintext (stored as and with 777 access or transferred as is)
•2 –weak (shared w/o dev.perm, MITM w/o root-fake cert)
•4 –medium (shared w dev.perm, MITM w root-fake cert)
•5 –cached data
•6 –protected (looks good but can be patched)
•7 –strong protected (can’t be patched or bypassed or at least
incredible hard)
APP INSECURITY. DISCLAIMER
•Everything presented further contains information for educational
purposes and only with using only your data & licenses. Moreover, to
each app presented here was not applied any techniques and actions
such as:
•modifying, decompiling, disassembling, decrypting and other actions with the
object code of any Program, aimed at obtaining source codes of any Program
•Also, as known,
•the User may make a modification of the Software solely for his or hers own use
and reverse engineering for debugging such modifications.
•All app results are up-to-date and test on up-to-date OS (iOS 9,
Android 5).
•Important note. In fact, no app has been changed at all and if you’re on old
Android OS < 5 or iOS < 9 than your data can be stolen without or with fake root
certificate depend on case, otherwise, NO
•Everything presented further contains information for educational
purposes and only with using only your data & licenses. Moreover, to
each app presented here was not applied any techniques and actions
such as:
•modifying, decompiling, disassembling, decrypting and other actions with the
object code of any Program, aimed at obtaining source codes of any Program
•Also, as known,
•the User may make a modification of the Software solely for his or hers own use
and reverse engineering for debugging such modifications.
•All app results are up-to-date and test on up-to-date OS (iOS 9,
Android 5).
•Important note. In fact, no app has been changed at all and if you’re on old
Android OS < 5 or iOS < 9 than your data can be stolen without or with fake root
certificate depend on case, otherwise, NO
WE GUARANTEE THE
CONFIDENTIALITY OF YOUR DATA
•Confidentiality-Ininformationsecurity,
confidentiality"istheproperty,that
informationisnotmadeavailableor
disclosedtounauthorizedindividuals,entities,
orprocesses"(ExcerptISO27000).
•https://en.wikipedia.org/wiki/Information_security#Confidentiality
CONFIDENTIALITY OF YOUR DATA
•Confidentiality-Ininformationsecurity,
confidentiality"istheproperty,that
informationisnotmadeavailableor
disclosedtounauthorizedindividuals,entities,
orprocesses"(ExcerptISO27000).
•https://en.wikipedia.org/wiki/Information_security#Confidentiality
WE GUARANTEE THE
CONFIDENTIALITY OF YOUR DATA
CONFIDENTIALITY OF YOUR DATA
HOTELS.RU
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Token, Cached Data, Screenshot (iOS only)
•Network data [Android: Plaintext], [iOS:
Medium]
•Geo Location, Token, Passwords, IDs, Room Details,
Address
•Reveal
2013 2014 2015 2016
Plaintext Plaintext Plaintext
Android: Plaintext
iOS -Medium
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Token, Cached Data, Screenshot (iOS only)
•Network data [Android: Plaintext], [iOS:
Medium]
•Geo Location, Token, Passwords, IDs, Room Details,
Address
•Reveal
2013 2014 2015 2016
Plaintext Plaintext Plaintext
Android: Plaintext
iOS -Medium
HOTELS.COM
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Cached data
•Network data [Android: Medium], [iOS:
Medium]
•Geo Location, Device Data, Room Details
2013 2014 2015 2016
N/A N/A MediumMedium
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Cached data
•Network data [Android: Medium], [iOS:
Medium]
•Geo Location, Device Data, Room Details
2013 2014 2015 2016
N/A N/A MediumMedium
HOTELS.COM. EULA/PRIVACY
•How we protect your information
•We want you to feel confident about using this website and our Apps to make
travel arrangements, and we are committed to protecting the information we
collect. While no website or App can guarantee security, we have implemented
appropriate administrative, technical, and physical security procedures to help
protect the personal information you provide to us. For example, only authorized
employees are permitted to access personal information, and they may only do
so for permitted business functions. In addition, we use encryption when
transmitting your sensitive personal information between your system and ours,
and we employ firewalls and intrusion detection systems to help prevent
unauthorized persons from gaining access to your information.
•https://ru.hotels.com/customer_care/privacy.html#protect
•How we protect your information
•We want you to feel confident about using this website and our Apps to make
travel arrangements, and we are committed to protecting the information we
collect. While no website or App can guarantee security, we have implemented
appropriate administrative, technical, and physical security procedures to help
protect the personal information you provide to us. For example, only authorized
employees are permitted to access personal information, and they may only do
so for permitted business functions. In addition, we use encryption when
transmitting your sensitive personal information between your system and ours,
and we employ firewalls and intrusion detection systems to help prevent
unauthorized persons from gaining access to your information.
•https://ru.hotels.com/customer_care/privacy.html#protect
AEROEXPRESS
•Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
•Tickets + QR code, Email, Phone, Password, Screenshot of any app windows (iOS only)
•Network data [Weak]
•Email, Phone, Password, Unique UserID, Last Login Time, email & phone confirmed, DeviceID,
•OrderID, Base64(hash of Order), Order URL, Order date, Trip date, cost of order,
•TicketID, Route Info, ticket GUID, token, ticket QR Code
•Bank Card info (number, cvv, name, expiration), tokens, *aeroexpress.ru, *ruru, *bank (AlfaBank)
•According to release notes & PCI DSS, App doesn’t store bank card info (payment data).
You can’t input that data type manually. However,
•iOS: Doesn’t store data after successful payment
•Android: Stores data after successful payment
•Both: Continue stores data after update -if previous version wasn’t removed and data not wiped
2013 2014 2015 2016
Weak Weak Weak
Weak, Expect to remove
local card info but fail
•Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
•Tickets + QR code, Email, Phone, Password, Screenshot of any app windows (iOS only)
•Network data [Weak]
•Email, Phone, Password, Unique UserID, Last Login Time, email & phone confirmed, DeviceID,
•OrderID, Base64(hash of Order), Order URL, Order date, Trip date, cost of order,
•TicketID, Route Info, ticket GUID, token, ticket QR Code
•Bank Card info (number, cvv, name, expiration), tokens, *aeroexpress.ru, *ruru, *bank (AlfaBank)
•According to release notes & PCI DSS, App doesn’t store bank card info (payment data).
You can’t input that data type manually. However,
•iOS: Doesn’t store data after successful payment
•Android: Stores data after successful payment
•Both: Continue stores data after update -if previous version wasn’t removed and data not wiped
2013 2014 2015 2016
Weak Weak Weak
Weak, Expect to remove
local card info but fail
AEROEXPRESS. EULA/PRIVACY
•Certified by the PCI DSS on a yearly basis. The certificate confirms the site's compliance with
the standards of the following international payment systems: Visa/MasterCard, American
Express, JCB, and Discover.
•To obtain the certificate, all the systems that receive, transmit, and encrypt card information
together with the overall structure of the company must meet the minimum of 288
requirements stated in the PCI SAQ (Self-Assessment Questionnaire D and Attestation of
Compliance).
•The Thawte 128-bit SSL Certificate is a technology of data encryption. The confidential
information about your card number, CVV2 code, and other details are submitted to our site
through encryption. To exchange information, a standard SSL-encryption is applied; the
length of the key is 128 bit. Encrypted, it is further redirected to the bank's processing
center through the payment gateway.
•https://aeroexpress.tickets.ru/en/content/safety_payments.html
•Certified by the PCI DSS on a yearly basis. The certificate confirms the site's compliance with
the standards of the following international payment systems: Visa/MasterCard, American
Express, JCB, and Discover.
•To obtain the certificate, all the systems that receive, transmit, and encrypt card information
together with the overall structure of the company must meet the minimum of 288
requirements stated in the PCI SAQ (Self-Assessment Questionnaire D and Attestation of
Compliance).
•The Thawte 128-bit SSL Certificate is a technology of data encryption. The confidential
information about your card number, CVV2 code, and other details are submitted to our site
through encryption. To exchange information, a standard SSL-encryption is applied; the
length of the key is 128 bit. Encrypted, it is further redirected to the bank's processing
center through the payment gateway.
•https://aeroexpress.tickets.ru/en/content/safety_payments.html
AEROEXPRESS.
PASSES PCI DSS CERTIFICATION
•AeroexpresshaspasseditsPCIDSScertification.Nowitisevensaferforpassengerstopay
foronlineservicesprovidedbythisexpresscarrier.
•InearlyFebruary,AeroexpresspasseditsPCIDSS(PaymentCardIndustryDataSecurity
Standard)certification,whichisaimedatensuringthesecureprocessing,storageand
transferofdataaboutVisaandMasterCardholders.GiventhePCIDSScertifiedsecurity
level,Aeroexpresspassengerscanpayforticketsviathewebsiteorthecompany’smobile
appusingbankcardsandcanbeconfidentthattheirpersonaldataandfundsaresafely
secured.PCIDSSprovidesforacomprehensiveapproachthatensuresinformationsecurity
andunitesthepaymentsystemprogrammesofVISAAccountInformationSecurity(AIS),Visa
CardholderInformationSecurityProgram(CISP),andMasterCardSiteDataProtection.We
wouldliketoremindyouthatyoucanreceiveadiscountofRUB50andRUB100when
purchasingStandardandReturnticketsonthewebsiteorviathecompany’smobileapp.
•https://aeroexpress.ru/en/press_releases/news20090589.html
PASSES PCI DSS CERTIFICATION
•AeroexpresshaspasseditsPCIDSScertification.Nowitisevensaferforpassengerstopay
foronlineservicesprovidedbythisexpresscarrier.
•InearlyFebruary,AeroexpresspasseditsPCIDSS(PaymentCardIndustryDataSecurity
Standard)certification,whichisaimedatensuringthesecureprocessing,storageand
transferofdataaboutVisaandMasterCardholders.GiventhePCIDSScertifiedsecurity
level,Aeroexpresspassengerscanpayforticketsviathewebsiteorthecompany’smobile
appusingbankcardsandcanbeconfidentthattheirpersonaldataandfundsaresafely
secured.PCIDSSprovidesforacomprehensiveapproachthatensuresinformationsecurity
andunitesthepaymentsystemprogrammesofVISAAccountInformationSecurity(AIS),Visa
CardholderInformationSecurityProgram(CISP),andMasterCardSiteDataProtection.We
wouldliketoremindyouthatyoucanreceiveadiscountofRUB50andRUB100when
purchasingStandardandReturnticketsonthewebsiteorviathecompany’smobileapp.
•https://aeroexpress.ru/en/press_releases/news20090589.html
PCI DSS. DATE: MARCH 2015
•6.2 Penetration Test Case Study
….
•Main vulnerabilities ….
•Man in the middle
https://www.pcisecuritystandards.org/documents/Penetration_Testing_
Guidance_March_2015.pdf
•6.2 Penetration Test Case Study
….
•Main vulnerabilities ….
•Man in the middle
https://www.pcisecuritystandards.org/documents/Penetration_Testing_
Guidance_March_2015.pdf
PLATIUS
•Locally stored data [Android: Plaintext/Protected], [iOS:
Strong Protected]
•Same like network data
•Network data [Android: Weak], [iOS: Medium]
•Email, Birthday, Full Name, Phone, Gender, Activation code,
•Bank Card info (number, cvv, name, expiration), tokens, *platius,
*ruru, *bank (Sberbank)
2013 2014 2015 2016
Android -Weak
iOS -Weak
Android -Weak
iOS -Weak
Android -Weak
iOS -Weak
Android -No changes
iOS -Medium
•Locally stored data [Android: Plaintext/Protected], [iOS:
Strong Protected]
•Same like network data
•Network data [Android: Weak], [iOS: Medium]
•Email, Birthday, Full Name, Phone, Gender, Activation code,
•Bank Card info (number, cvv, name, expiration), tokens, *platius,
*ruru, *bank (Sberbank)
2013 2014 2015 2016
Android -Weak
iOS -Weak
Android -Weak
iOS -Weak
Android -Weak
iOS -Weak
Android -No changes
iOS -Medium
PLATIUS. EULA/PRIVACY
•6.4 The administration doesn't guarantee ensuring
confidentiality of information and data on the Participant
and doesn't bear any responsibility as transfer of the
specified data is carried out by means of open
communication channels for disclosure of such information.
•https://platius.ru/en-GB/Information/Agreement
•6.4 The administration doesn't guarantee ensuring
confidentiality of information and data on the Participant
and doesn't bear any responsibility as transfer of the
specified data is carried out by means of open
communication channels for disclosure of such information.
•https://platius.ru/en-GB/Information/Agreement
ROCKETBANK
•Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
•Email, Full Name, Phone, bank code word, Geo Location
•Network data [Android: Weak], [iOS: Medium]
•Email, Full Name, Phone, Activation code, bank code word,
•Passport : Details Data (All Info)
•Full Name, Full Address, Document ID, Birthday, Owner Image
•https://rocketbank.ru/api/v5/emails/..../form
•tariff": "i-am-vip-bitch-9-percent"
•Bitch, please © How I met your mother
2013 2014 2015 2016
Weak Weak Weak
Android -Weak
iOS -Medium
•Locally stored data [Android: Plaintext/Protected], [iOS: Strong Protected]
•Email, Full Name, Phone, bank code word, Geo Location
•Network data [Android: Weak], [iOS: Medium]
•Email, Full Name, Phone, Activation code, bank code word,
•Passport : Details Data (All Info)
•Full Name, Full Address, Document ID, Birthday, Owner Image
•https://rocketbank.ru/api/v5/emails/..../form
•tariff": "i-am-vip-bitch-9-percent"
•Bitch, please © How I met your mother
2013 2014 2015 2016
Weak Weak Weak
Android -Weak
iOS -Medium
ROCKETBANK. EULA/PRIVACY
•Клиентсоглашается,чтоиспользованиеАутентификационныхданных,втомчислесгенерированных
Исполнителемуникальныхкодов,направляемыхКлиентунаконтактныйномертелефона,является
надлежащейидостаточнойИдентификацией/АутентификациейКлиента,вцеляхсовершенияопераций
черезУдаленныеканалыобслуживания.
•Uniquecodesandphonenumberare2paramsareenoughtoperform
authenticatedactionsoverinternet
•Исполнительненесетрисков,связанныхснеправомернымиспользованиемтретьимилицами
информации,указаннойвп.I.19Условий(above)
•RocketbankTeamdoesn’tgiveashitaboutrisks
•Клиентпринимаетнасебяриски,связанныесвозможнымнарушениемконфиденциальности,
возникающиевследствиеиспользованиясистемытелефоннойсвязиисетиИнтернет.
•Theclientisonlyresponsibleforeverythinghappenedwithhimandhis
dataoverinternet.Teamisagaindoesn’tgiveashitaboutanykindof
protection
•https://rocketbank.ru/rules
•Клиентсоглашается,чтоиспользованиеАутентификационныхданных,втомчислесгенерированных
Исполнителемуникальныхкодов,направляемыхКлиентунаконтактныйномертелефона,является
надлежащейидостаточнойИдентификацией/АутентификациейКлиента,вцеляхсовершенияопераций
черезУдаленныеканалыобслуживания.
•Uniquecodesandphonenumberare2paramsareenoughtoperform
authenticatedactionsoverinternet
•Исполнительненесетрисков,связанныхснеправомернымиспользованиемтретьимилицами
информации,указаннойвп.I.19Условий(above)
•RocketbankTeamdoesn’tgiveashitaboutrisks
•Клиентпринимаетнасебяриски,связанныесвозможнымнарушениемконфиденциальности,
возникающиевследствиеиспользованиясистемытелефоннойсвязиисетиИнтернет.
•Theclientisonlyresponsibleforeverythinghappenedwithhimandhis
dataoverinternet.Teamisagaindoesn’tgiveashitaboutanykindof
protection
•https://rocketbank.ru/rules
RBK MONEY
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Credentials…
•Network data [Android: Medium], [iOS:
Medium]
•Credentials…
2013 2014 2015 2016
MediumMediumMediumMedium
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Credentials…
•Network data [Android: Medium], [iOS:
Medium]
•Credentials…
2013 2014 2015 2016
MediumMediumMediumMedium
RBK MONEY. EULA/PRIVACY
•This is a question of common sense and caution. The more careful you are
the less chance to be deceived by scammers and other fraudsters. The
main protection from them is your unique password. To ensure security
make password not shorter than 8 symbols (use combination of random
letters and numbers) Don’t enter it anywhere except for the RBK Money
website and do not reveal it to other people. Use modern antivirus
programs where possible.
•Information about your card is stored, encrypted and shown only to you.
The payment is considered processed after card activation. RBK Money
reserves the right to make additional payment confirmation by phone.
•http://www.rbkmoney.com/en/support#safety
•http://www.rbkmoney.com/en/support#cards
•This is a question of common sense and caution. The more careful you are
the less chance to be deceived by scammers and other fraudsters. The
main protection from them is your unique password. To ensure security
make password not shorter than 8 symbols (use combination of random
letters and numbers) Don’t enter it anywhere except for the RBK Money
website and do not reveal it to other people. Use modern antivirus
programs where possible.
•Information about your card is stored, encrypted and shown only to you.
The payment is considered processed after card activation. RBK Money
reserves the right to make additional payment confirmation by phone.
•http://www.rbkmoney.com/en/support#safety
•http://www.rbkmoney.com/en/support#cards
DELIVERY CLUB
•Locally stored data [Android: Plaintext/Protected],
[iOS: Strong Protected]
•Token, address, geo location, password, ID, full name,
phone, short card info
•Network data [Android: Medium], [iOS: Medium]
•Token, secret, deviceID, Full Name, phone,email,
password, Card Info (short, w/o cvv),address, geo
location, Loyalty Account Info
2013 2014 2015 2016
Plaintext/ Medium
(card)
Plaintext/ Medium
(card)
Plaintext/ Medium
(card)
Medium
•Locally stored data [Android: Plaintext/Protected],
[iOS: Strong Protected]
•Token, address, geo location, password, ID, full name,
phone, short card info
•Network data [Android: Medium], [iOS: Medium]
•Token, secret, deviceID, Full Name, phone,email,
password, Card Info (short, w/o cvv),address, geo
location, Loyalty Account Info
2013 2014 2015 2016
Plaintext/ Medium
(card)
Plaintext/ Medium
(card)
Plaintext/ Medium
(card)
Medium
DELIVERY CLUB. EULA/PRIVACY
•We implement a variety of security measures to maintain the safety of your
personal information when you place an order
•We offer the use of a secure server. All supplied sensitive/credit information is
transmitted via Secure Socket Layer (SSL) technology and then encrypted into our
Payment gateway providers database only to be accessible by those authorized
with special access rights to such systems, and are required to keep the
information confidential.
•After a transaction, your private information will be kept on file for more than 60
days in order to show your actions history and simplify future orders creation.
•http://www.delivery-club.ru/google_privacy.html
•We implement a variety of security measures to maintain the safety of your
personal information when you place an order
•We offer the use of a secure server. All supplied sensitive/credit information is
transmitted via Secure Socket Layer (SSL) technology and then encrypted into our
Payment gateway providers database only to be accessible by those authorized
with special access rights to such systems, and are required to keep the
information confidential.
•After a transaction, your private information will be kept on file for more than 60
days in order to show your actions history and simplify future orders creation.
•http://www.delivery-club.ru/google_privacy.html
ROSINTER
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Account info, tokens
•Network data [Android: Weak], [iOS: Weak]
•Email, Birthday,Full Name, token,apn-token,
Loyalty Account Info, Device Info, Geo, Phone,
Stream
2013 2014 2015 2016
Weak Weak Weak Weak
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Account info, tokens
•Network data [Android: Weak], [iOS: Weak]
•Email, Birthday,Full Name, token,apn-token,
Loyalty Account Info, Device Info, Geo, Phone,
Stream
2013 2014 2015 2016
Weak Weak Weak Weak
ANYWAYANYDAY
•Locally stored data [Android: Plaintext/Protected],
[iOS: Strong Protected]
•Passenger Info, Passport Info, Loyalty Info, Birthday,
Order/Ticket Info, Trip Info, Credentials Info
•Network data [Android: Medium], [iOS: Protected]
•Passenger Info, Passport Info, Loyalty Info, Birthday,
Order/Ticket Info, Trip Info, Credentials Info
Important note. In fact, app wasn’t changed at all and if
you’re on old iOS < 9 than your data can be stolen with fake
root certificate, otherwise, NO
2013 2014 2015 2016
Medium Medium Medium
Android: Medium
iOS: Protected?
•Locally stored data [Android: Plaintext/Protected],
[iOS: Strong Protected]
•Passenger Info, Passport Info, Loyalty Info, Birthday,
Order/Ticket Info, Trip Info, Credentials Info
•Network data [Android: Medium], [iOS: Protected]
•Passenger Info, Passport Info, Loyalty Info, Birthday,
Order/Ticket Info, Trip Info, Credentials Info
Important note. In fact, app wasn’t changed at all and if
you’re on old iOS < 9 than your data can be stolen with fake
root certificate, otherwise, NO
2013 2014 2015 2016
Medium Medium Medium
Android: Medium
iOS: Protected?
ANYWAY. EULA/PRIVACY
•Длязащитыперсональныхданныхпользователейотнеправомерногоили
случайногодоступа, уничтожения, изменения, блокирования,
копирования, распространения, атакжеиныхнеправомерныхдействийс
нимитретьихлицприменяютсянеобходимыеидостаточные
организационныеитехническиемеры.
•To protect users' personal data against unauthorized or accidental access,
destruction, modification, blocking, copying, distribution, and other illegal actions
of third parties to them we apply the necessary and sufficient organizational and
technical measures.
•
https://www.anywayanyday.com/avia/privacypolicy/
•Длязащитыперсональныхданныхпользователейотнеправомерногоили
случайногодоступа, уничтожения, изменения, блокирования,
копирования, распространения, атакжеиныхнеправомерныхдействийс
нимитретьихлицприменяютсянеобходимыеидостаточные
организационныеитехническиемеры.
•To protect users' personal data against unauthorized or accidental access,
destruction, modification, blocking, copying, distribution, and other illegal actions
of third parties to them we apply the necessary and sufficient organizational and
technical measures.
•
https://www.anywayanyday.com/avia/privacypolicy/
ALFABANK
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Token (Alfa-Ally-Chat), Screenshot -Protected
•Network data [Android: Medium], [iOS:
Medium]
•Name, Device Info, Token (Alfa-Ally-Chat),
Password, Login, Account Info, Payment Info, Short
Card Info, Transaction Info
2013 2014 2015 2016
MediumMediumMediumMedium
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Token (Alfa-Ally-Chat), Screenshot -Protected
•Network data [Android: Medium], [iOS:
Medium]
•Name, Device Info, Token (Alfa-Ally-Chat),
Password, Login, Account Info, Payment Info, Short
Card Info, Transaction Info
2013 2014 2015 2016
MediumMediumMediumMedium
AMAZON CLOUD, PHOTOS
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong
Protected]
•Cached, Sync Documents
•Network data [Android: Protected Failed],
[iOS: Protected Failed]
•Reveal credentials and drop connection
2013 2014 2015 2016
Weak/Medium Weak/Medium Protected FailedProtected Failed
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong
Protected]
•Cached, Sync Documents
•Network data [Android: Protected Failed],
[iOS: Protected Failed]
•Reveal credentials and drop connection
2013 2014 2015 2016
Weak/Medium Weak/Medium Protected FailedProtected Failed
AMAZON APP MARKET, GOOGLE
PLAY, MOBOMARKET
•Network data [Android: Medium]
•Amazon & Google reveal all data including
APK data (can be replaced with another)
•Network data [Android: Plaintext]
•MoboMarketreveal all data including APK data
(can be replaced with another)
2013 2014 2015 2016
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
PLAY, MOBOMARKET
•Network data [Android: Medium]
•Amazon & Google reveal all data including
APK data (can be replaced with another)
•Network data [Android: Plaintext]
•MoboMarketreveal all data including APK data
(can be replaced with another)
2013 2014 2015 2016
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
Amazon –Weak, Google –
Medium, Mobomarket-
Plaintext
MOBOMARKET. EULA/PRIVACY
•We encrypt our services and data transmission using SSL. We strive at all times to ensure
that your personal data will be protected against unauthorized or accidental access,
processing, correction or deletion. We implement appropriate security measures to
safeguard and secure your personal data. Please note, however, that no security measures
are 100% effective. We encourage you to take measures to protect your personal data.
•You are responsible for maintaining the privacy and the confidentiality of Information.
Please keep yourself informed when accessing the internet and to always read and review
the policy / privacy statement on the site that you are accessing. Please ensure that you do
the following: (i) not to disclose your password, (ii) not to provide any personal information
to anyone, including their names, (iii) never fill online forms without your prior authorization.
Please use complex passwords with long enough combinations of letters and numbers that
require unusual keyboard combinations whereas; simple passwords are easy to be broken.
Please never give your password to anyone online. In any event, please change your
password periodically.
•http://www.mobomarket.net/policy.html
•We encrypt our services and data transmission using SSL. We strive at all times to ensure
that your personal data will be protected against unauthorized or accidental access,
processing, correction or deletion. We implement appropriate security measures to
safeguard and secure your personal data. Please note, however, that no security measures
are 100% effective. We encourage you to take measures to protect your personal data.
•You are responsible for maintaining the privacy and the confidentiality of Information.
Please keep yourself informed when accessing the internet and to always read and review
the policy / privacy statement on the site that you are accessing. Please ensure that you do
the following: (i) not to disclose your password, (ii) not to provide any personal information
to anyone, including their names, (iii) never fill online forms without your prior authorization.
Please use complex passwords with long enough combinations of letters and numbers that
require unusual keyboard combinations whereas; simple passwords are easy to be broken.
Please never give your password to anyone online. In any event, please change your
password periodically.
•http://www.mobomarket.net/policy.html
GOOGLEPLAY. EULA/PRIVACY
•We work hard to protect Google and our users from unauthorisedaccess to or unauthorised
alteration, disclosure or destruction of information that we hold. In particular:
•We encrypt many of our servicesusing SSL.
•We offer youtwo-step verificationwhen you access your Google Account and aSafe
Browsing featurein Google Chrome.
•We review our information collection, storage and processing practices, including physical
security measures, to guard against unauthorisedaccess to systems.
•We restrict access to personal information to Google employees, contractors and agents
who need to know that information in order to process it for us and who are subject to strict
contractual confidentiality obligations. They may be disciplined or their contract terminated
if they fail to meet these obligations.
•http://www.google.com/intl/en-GB_ru/policies/privacy/
•We work hard to protect Google and our users from unauthorisedaccess to or unauthorised
alteration, disclosure or destruction of information that we hold. In particular:
•We encrypt many of our servicesusing SSL.
•We offer youtwo-step verificationwhen you access your Google Account and aSafe
Browsing featurein Google Chrome.
•We review our information collection, storage and processing practices, including physical
security measures, to guard against unauthorisedaccess to systems.
•We restrict access to personal information to Google employees, contractors and agents
who need to know that information in order to process it for us and who are subject to strict
contractual confidentiality obligations. They may be disciplined or their contract terminated
if they fail to meet these obligations.
•http://www.google.com/intl/en-GB_ru/policies/privacy/
APP IN THE AIR
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Loyalty Info, Order/Ticket Info, Trip Info, Full Info,
Trip Info (Media Data), Stats, UserID, Work Info
(from Facebook)
•Network data [Android: Medium], [iOS:
Protected]
•Loyalty Info, Order/Ticket Info, Trip Info, Full Info,
Trip Info (Media Data), Stats, UserID, Work Info
(from Facebook), Tokens
2013 2014 2015 2016
Plaintext Plaintext Weak Medium Medium
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Loyalty Info, Order/Ticket Info, Trip Info, Full Info,
Trip Info (Media Data), Stats, UserID, Work Info
(from Facebook)
•Network data [Android: Medium], [iOS:
Protected]
•Loyalty Info, Order/Ticket Info, Trip Info, Full Info,
Trip Info (Media Data), Stats, UserID, Work Info
(from Facebook), Tokens
2013 2014 2015 2016
Plaintext Plaintext Weak Medium Medium
APP IN THE AIR. EULA/PRIVACY
•The security of your personal information is important to us. We do not hold any liability for any personal data or any
sensitive information you provided.
•We follow generally accepted industry standards to protect the personal information submitted, both during transmission and
once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure.
Therefore, while our goal to use commercially acceptable ways to protect your personal information, we cannot guarantee it
is absolutely secure. Please keep it in mind before submitting any information about yourself. Please note that information that
you voluntarily make public in your user profile, or which you disclose by posting comments or inserting of the Content will be
publicly available and viewable by others. We do not hold any liability for any information that you voluntarily choose to be
public through such and/or other explicit actions.
•We only use personal information collected through the APPINTHEAIR project and our Services for the purposes described in
the Terms http://i.appintheair.mobi/termsofuse. For example, we may use information we collect:
•provide our Services or information you request, and to process and complete any transactions;
•to your emails, submissions, questions, comments, requests, and complaints and provide customer service;
•http://www.appintheair.mobi/privacypolicy
•The security of your personal information is important to us. We do not hold any liability for any personal data or any
sensitive information you provided.
•We follow generally accepted industry standards to protect the personal information submitted, both during transmission and
once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure.
Therefore, while our goal to use commercially acceptable ways to protect your personal information, we cannot guarantee it
is absolutely secure. Please keep it in mind before submitting any information about yourself. Please note that information that
you voluntarily make public in your user profile, or which you disclose by posting comments or inserting of the Content will be
publicly available and viewable by others. We do not hold any liability for any information that you voluntarily choose to be
public through such and/or other explicit actions.
•We only use personal information collected through the APPINTHEAIR project and our Services for the purposes described in
the Terms http://i.appintheair.mobi/termsofuse. For example, we may use information we collect:
•provide our Services or information you request, and to process and complete any transactions;
•to your emails, submissions, questions, comments, requests, and complaints and provide customer service;
•http://www.appintheair.mobi/privacypolicy
ASUS WEBSTORAGE
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•MD5(Password.ToLowerString())
•Network data [Android: Medium], [iOS:
Medium]
•Login, Email, Encryption Key(?), Tokens, Device
Settings, Sync Documents, File Details
•MD5(Password.ToLowerString())
2013 2014 2015 2016
MediumMediumMediumMedium
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•MD5(Password.ToLowerString())
•Network data [Android: Medium], [iOS:
Medium]
•Login, Email, Encryption Key(?), Tokens, Device
Settings, Sync Documents, File Details
•MD5(Password.ToLowerString())
2013 2014 2015 2016
MediumMediumMediumMedium
ASUS WEBSTORAGE. EULA/PRIVACY
•We take precautions to protect your personal information against unauthorized access or
unauthorized alteration, disclosure or destruction. These include internal reviews of our
personal information collection, storage and processing practices and security measures, as
well as physical security measures to guard against unauthorized access to systems where
we store your personal information. Transmission of personal information between different
locations of ASUS Cloud affiliated companies is performed through our secured wide area
network. When you submit personal information via the service, your information is protected
both online and offline. However, ASUS Cloud cannot guarantee a perfect security on the
internet. When using the internet, we recommended that you use alphanumerical usernames
and passwords and change your passwords on a regular basis, as well as keep your
computer up to date by applying the latest available security updates for your software
and using such tools as virus/spyware scanners.
•If you have any questions regarding the security of our web site, please refer to our security
web page.
•ISO27001, SSL, AES, RAID, https://www.asuswebstorage.com/navigate/security/
https://service.asuswebstorage.com/privacy/
•We take precautions to protect your personal information against unauthorized access or
unauthorized alteration, disclosure or destruction. These include internal reviews of our
personal information collection, storage and processing practices and security measures, as
well as physical security measures to guard against unauthorized access to systems where
we store your personal information. Transmission of personal information between different
locations of ASUS Cloud affiliated companies is performed through our secured wide area
network. When you submit personal information via the service, your information is protected
both online and offline. However, ASUS Cloud cannot guarantee a perfect security on the
internet. When using the internet, we recommended that you use alphanumerical usernames
and passwords and change your passwords on a regular basis, as well as keep your
computer up to date by applying the latest available security updates for your software
and using such tools as virus/spyware scanners.
•If you have any questions regarding the security of our web site, please refer to our security
web page.
•ISO27001, SSL, AES, RAID, https://www.asuswebstorage.com/navigate/security/
https://service.asuswebstorage.com/privacy/
SKYPE
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Media data (attachments), Message (or last
messages), friend list, Email/Login, Snapshot
•Network data [Android: Weak/Strong], [iOS:
Weak/Strong]
•Media data (attachments), Message (or last
messages), Email/Login,Device Data, UserID, MS
Live password, no skype password
2013 2014 2015 2016
Weak/StrongWeak/StrongWeak/StrongWeak/Strong
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•Media data (attachments), Message (or last
messages), friend list, Email/Login, Snapshot
•Network data [Android: Weak/Strong], [iOS:
Weak/Strong]
•Media data (attachments), Message (or last
messages), Email/Login,Device Data, UserID, MS
Live password, no skype password
2013 2014 2015 2016
Weak/StrongWeak/StrongWeak/StrongWeak/Strong
EVERNOTE
•Locally stored data [Android: Plaintext/Protected],
[iOS: Strong Protected]
•Tokens, UserID, SycDocuments (notes), cached data,
SnapShot(iOS only)
•Network data [Android: Medium], [iOS: Protected]
•Sync Documents (notes), Full name, Account Details,
Credentials, tokens, etc.
•Important note. In fact, app wasn’t changed at all and
if you’re on old iOS < 9 than your data can be stolen
with fake root certificate, otherwise, NO
2013 2014 2015 2016
Medium Medium Medium
Android –Medium
iOS -Protected
•Locally stored data [Android: Plaintext/Protected],
[iOS: Strong Protected]
•Tokens, UserID, SycDocuments (notes), cached data,
SnapShot(iOS only)
•Network data [Android: Medium], [iOS: Protected]
•Sync Documents (notes), Full name, Account Details,
Credentials, tokens, etc.
•Important note. In fact, app wasn’t changed at all and
if you’re on old iOS < 9 than your data can be stolen
with fake root certificate, otherwise, NO
2013 2014 2015 2016
Medium Medium Medium
Android –Medium
iOS -Protected
EVERNOTE. EULA/PRIVACY
•Evernote is committed to protecting the security of your information
and takes reasonable precautions to protect it. We use industry
standard encryption to protect your data in transit. This is commonly
referred to as transport layer security (“TLS”) or secure socket layer
(“SSL”) technology. However, internet data transmissions, cannot be
guaranteed to be 100% secure, and as a result, we cannot ensure
the security of information during its transmission between you and us;
accordingly, you acknowledge that you do so at your own risk.
•https://evernote.com/legal/privacy.php?noredirect
•Evernote is committed to protecting the security of your information
and takes reasonable precautions to protect it. We use industry
standard encryption to protect your data in transit. This is commonly
referred to as transport layer security (“TLS”) or secure socket layer
(“SSL”) technology. However, internet data transmissions, cannot be
guaranteed to be 100% secure, and as a result, we cannot ensure
the security of information during its transmission between you and us;
accordingly, you acknowledge that you do so at your own risk.
•https://evernote.com/legal/privacy.php?noredirect
CYBER GHOST
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•tokens
•Network data [Android: Medium/Strong
Protected], [iOS: Medium/Strong Protected]
•Login, oauthconsumer_key, token, token_secret,
radius_password, geo location, ip, country, account
details, license key, license expiration
2013 2014 2015 2016
N/A N/A
Medium/Strong
Protected
Medium/Strong
Protected
•Locally stored data [Android:
Plaintext/Protected], [iOS: Strong Protected]
•tokens
•Network data [Android: Medium/Strong
Protected], [iOS: Medium/Strong Protected]
•Login, oauthconsumer_key, token, token_secret,
radius_password, geo location, ip, country, account
details, license key, license expiration
2013 2014 2015 2016
N/A N/A
Medium/Strong
Protected
Medium/Strong
Protected
CYBERGHOST. EULA/PRIVACY
•Personal data: CyberGhostcollects and uses no personal data, such as e-mail
addresses, name, domicile address and payment information.
•If you register for the Premium-Service of CyberGhostVPN, we store a fully
anonymous User ID, an encoded password and your pay scale information (activation
key, start and end).The stored e-mail addresses are not linked to a User ID.
•Log data: CyberGhostkeeps no logs which enable interference with your IP address,
the moment or content of your data traffic.We make express reference to the fact
that we do not record in logs communication contents or data regarding the accessed
websites or the IP addresses.
•In March 2012, CyberGhosthad successfully passed an audit and verification
conducted by QSCertfor the implemented Information Safety Management System
(ISMS) according to the international industrial standards ISO27001 and ISO9001.
The certification confirms the high quality of the internal safety processes and is
renewed yearly ever since.
•http://www.cyberghostvpn.com/en/privacypolicy
•Personal data: CyberGhostcollects and uses no personal data, such as e-mail
addresses, name, domicile address and payment information.
•If you register for the Premium-Service of CyberGhostVPN, we store a fully
anonymous User ID, an encoded password and your pay scale information (activation
key, start and end).The stored e-mail addresses are not linked to a User ID.
•Log data: CyberGhostkeeps no logs which enable interference with your IP address,
the moment or content of your data traffic.We make express reference to the fact
that we do not record in logs communication contents or data regarding the accessed
websites or the IP addresses.
•In March 2012, CyberGhosthad successfully passed an audit and verification
conducted by QSCertfor the implemented Information Safety Management System
(ISMS) according to the international industrial standards ISO27001 and ISO9001.
The certification confirms the high quality of the internal safety processes and is
renewed yearly ever since.
•http://www.cyberghostvpn.com/en/privacypolicy
ISO 27001, ISMS, ETC.
•ISO27001 (and similar standards for non-IT areas) explicitly
do not require "have you taken every sensible precaution to
ensure it is", it is sufficient to have a policy that acknowledges
that you haven't taken a bunch of very sensible precautions
and that you simply accept the risks caused by that
•If a company with a proper ISMS only accepts file uploads
with unsecure FTP, it means theythought about thisand
decided either it's not their problem or they don't care
•ISO27001 (and similar standards for non-IT areas) explicitly
do not require "have you taken every sensible precaution to
ensure it is", it is sufficient to have a policy that acknowledges
that you haven't taken a bunch of very sensible precautions
and that you simply accept the risks caused by that
•If a company with a proper ISMS only accepts file uploads
with unsecure FTP, it means theythought about thisand
decided either it's not their problem or they don't care
RESPONSIBLE DEVELOPER VS LAZY ONE
•Apple (!) & Google (!)
•QIWI –best app with own
cryptography and has implemented all
security features
•Dropbox -has implemented all security
features
•App in the Air (network, in progress)
•CyberGhost(network, in progress)
•Asus Web Storage (pwd, in progress)
•Sberbank(background fixing)
•Hotels.Ru(network, in progress)
•DeliveryClub(network, in progress)
•AnywayAnyday(network, having fun
with hardcoded ‘anyway’ 192bit
256bit key)
•Evernote (network)
•… everyone you saw in this slide or
among my researches
•Apple (!) & Google (!)
•QIWI –best app with own
cryptography and has implemented all
security features
•Dropbox -has implemented all security
features
•App in the Air (network, in progress)
•CyberGhost(network, in progress)
•Asus Web Storage (pwd, in progress)
•Sberbank(background fixing)
•Hotels.Ru(network, in progress)
•DeliveryClub(network, in progress)
•AnywayAnyday(network, having fun
with hardcoded ‘anyway’ 192bit
256bit key)
•Evernote (network)
•… everyone you saw in this slide or
among my researches
PANDA SM MANAGER IOS APPLICATION
-MITM SSL CERTIFICATE VULNERABILITY
•"Panda Systems Management is the new way to manage and monitor IT systems."
"Inventory, monitoring, management, remote control and reporting... All from a single Web-
based console"
(https://itunes.apple.com/us/app/panda-sm-manager/id672205099)
•Timeline–Almost 1 Year (!)
•July 19, 2015 -Notified Panda Security via [email protected], e-mail bounced
July 20, 2015 -Resent vulnerability report to [email protected]&
[email protected]
July 20, 2015 -Panda Security responded stating they will investigate
July 31, 2015 -Asked for an update on their investigation
August 3, 2015 -Panda Security responded stating that the issue has been escalated and is
still being reviewed
August 14, 2015 -Asked for an update on their investigation
October 16, 2015 -Asked for an update on their investigation
•… NO ANSWER …
March 1, 2016 -Panda Security released version 2.6.0 which resolves this vulnerability
-MITM SSL CERTIFICATE VULNERABILITY
•"Panda Systems Management is the new way to manage and monitor IT systems."
"Inventory, monitoring, management, remote control and reporting... All from a single Web-
based console"
(https://itunes.apple.com/us/app/panda-sm-manager/id672205099)
•Timeline–Almost 1 Year (!)
•July 19, 2015 -Notified Panda Security via [email protected], e-mail bounced
July 20, 2015 -Resent vulnerability report to [email protected]&
[email protected]
July 20, 2015 -Panda Security responded stating they will investigate
July 31, 2015 -Asked for an update on their investigation
August 3, 2015 -Panda Security responded stating that the issue has been escalated and is
still being reviewed
August 14, 2015 -Asked for an update on their investigation
October 16, 2015 -Asked for an update on their investigation
•… NO ANSWER …
March 1, 2016 -Panda Security released version 2.6.0 which resolves this vulnerability
ADVICES.
YOU’RE DEVELOPER? DON’T CARE ABOUT SECURITY/PRIVACY?
THEN YOUR CHOICE IS …
•BlackBerry. Protects everything locally stored except public folders & external
storage. Also it’s hardly to MITM except plain http traffic. Even for Android (!)
•Windows Modern 10 apps. Anti-MITM protection on OS level by default (still
researching it, also can’t confirm it for Android app support –Project Astoria)
•iOS. Ok.Easy way to make user to install trusted fake certificate to MITM.
Upgrade! Local app files on iOS < 8.3 could be accessed without jailbreak
•Android. Fail. Easy way to make user to install trusted fake certificate to MITM.
Some vendors prevent unlocking bootloader without user interaction to avoid root
without his asking. But some doesn’t (!)
•Windows Desktop. Fail. Easy way to change access permissions. MITM depends on
certain app only
•Mac OS. Fail. Easy way to access app files. MITM depends on certain app only
YOU’RE DEVELOPER? DON’T CARE ABOUT SECURITY/PRIVACY?
THEN YOUR CHOICE IS …
•BlackBerry. Protects everything locally stored except public folders & external
storage. Also it’s hardly to MITM except plain http traffic. Even for Android (!)
•Windows Modern 10 apps. Anti-MITM protection on OS level by default (still
researching it, also can’t confirm it for Android app support –Project Astoria)
•iOS. Ok.Easy way to make user to install trusted fake certificate to MITM.
Upgrade! Local app files on iOS < 8.3 could be accessed without jailbreak
•Android. Fail. Easy way to make user to install trusted fake certificate to MITM.
Some vendors prevent unlocking bootloader without user interaction to avoid root
without his asking. But some doesn’t (!)
•Windows Desktop. Fail. Easy way to change access permissions. MITM depends on
certain app only
•Mac OS. Fail. Easy way to access app files. MITM depends on certain app only
REMEDIATION: ANDROID
•Follow security programming guide from Google
•Call ‘setStorageEncryption’ API for locally stored files (new Android OS
v5+)
•Encrypt externally stored files on SD Card or Cloud (any OS)
•Define when encryption signature doesn’t matter, else avoid it
•Reduce using of ‘MODE_WORLD_READABLE’ unless it really needs
•Avoid hardcoded and debug tracks as much as possible (it’s easy to
decompile)
•Add extra protect beyond OS (encryption, wiping, etc.)
•Follow security programming guide from Google
•Call ‘setStorageEncryption’ API for locally stored files (new Android OS
v5+)
•Encrypt externally stored files on SD Card or Cloud (any OS)
•Define when encryption signature doesn’t matter, else avoid it
•Reduce using of ‘MODE_WORLD_READABLE’ unless it really needs
•Avoid hardcoded and debug tracks as much as possible (it’s easy to
decompile)
•Add extra protect beyond OS (encryption, wiping, etc.)
REMEDIATION : IOS
•Follow security programming guide from Apple
•Never store credentials on the phone file system.Use API or web scheme
instead
•Define when encryption signature doesn’t matter, else avoid it
•Use implemented protection mechanism in iOS…
•But … add extra protection layer beyond OS protection in case of
jailbreak
•Use any API and protection mechanisms properly but never default settings
•Don’t forget to encrypt SQL databases
•Follow security programming guide from Apple
•Never store credentials on the phone file system.Use API or web scheme
instead
•Define when encryption signature doesn’t matter, else avoid it
•Use implemented protection mechanism in iOS…
•But … add extra protection layer beyond OS protection in case of
jailbreak
•Use any API and protection mechanisms properly but never default settings
•Don’t forget to encrypt SQL databases
REMEDIATION : BLACKBERRY
•Follow security programming guide from BlackBerry
•Don’t store credentials in shared folders
•Encrypt data stored in shared folders
•Use implemented protection mechanism in BlackBerry…
•But … add extra protection layer beyond just in case
•Don’t forget to encrypt SQL databases
•Don’t develop Android app-ports
•Try to avoid using ported or Android native app under BlackBerry
•Develop more and use native apps for BlackBerry
•Follow security programming guide from BlackBerry
•Don’t store credentials in shared folders
•Encrypt data stored in shared folders
•Use implemented protection mechanism in BlackBerry…
•But … add extra protection layer beyond just in case
•Don’t forget to encrypt SQL databases
•Don’t develop Android app-ports
•Try to avoid using ported or Android native app under BlackBerry
•Develop more and use native apps for BlackBerry
REMEDIATION: WINMOBILE10
•Credentials stored or transferred in plaintext locally.
•Data usually stored or transferred structured file type that simplify
an analysis
•Signature-based encryption helps quickly decrypt data (depends on
dynamically linked libraries)
•Data stored in SQLite databases usually not encrypted
•Keys may be hardcoded or put in data folder
•Applications could be analyzed on Windows 10 Desktop via known
methods like a desktop applications
•Credentials stored or transferred in plaintext locally.
•Data usually stored or transferred structured file type that simplify
an analysis
•Signature-based encryption helps quickly decrypt data (depends on
dynamically linked libraries)
•Data stored in SQLite databases usually not encrypted
•Keys may be hardcoded or put in data folder
•Applications could be analyzed on Windows 10 Desktop via known
methods like a desktop applications
REMEDIATION: WIN 10
•Credentials stored or transferred in plaintext locally.
•Data usually stored or transferred structured file type that
simplify an analysis
•Signature-based encryption helps quickly decrypt data
(depends on dynamically linked libraries)
•Data stored in SQLite databases usually not encrypted
•Keys may be hardcoded or put in data folder
•Application data folder is access without any restrictions
•Credentials stored or transferred in plaintext locally.
•Data usually stored or transferred structured file type that
simplify an analysis
•Signature-based encryption helps quickly decrypt data
(depends on dynamically linked libraries)
•Data stored in SQLite databases usually not encrypted
•Keys may be hardcoded or put in data folder
•Application data folder is access without any restrictions
REMEDIATION: MAC OS X
•Credentials stored/ transferred in plaintext locally.
•Data stored in a keychain without additional protection or encryption
•Data usually stored or transferred structured file type that simplify an analysis
•Signature-based encryption that helps to quickly decrypt data
•Avoiding protection mechanism in iOS that leads to pure protection eventually
•Data stored in SQLite databases usually not encrypted
•Keys may be hardcoded
•Application data folder is access without any restrictions
•Credentials stored/ transferred in plaintext locally.
•Data stored in a keychain without additional protection or encryption
•Data usually stored or transferred structured file type that simplify an analysis
•Signature-based encryption that helps to quickly decrypt data
•Avoiding protection mechanism in iOS that leads to pure protection eventually
•Data stored in SQLite databases usually not encrypted
•Keys may be hardcoded
•Application data folder is access without any restrictions
[ YURY CHEMERKIN ]
•MULTISKILLED SECURITY EXPERT
•WORK FOR ADVANCED MONITORING
•EXPERIENCED IN:
•REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
•MOBILE SECURITY, & CLOUD SECURITY
•IAM, COMPLIANCE, FORENSICS
•PARTICIPATION & SPEAKING AT MANY SECURITY
CONFERENCES
•MULTISKILLED SECURITY EXPERT
•WORK FOR ADVANCED MONITORING
•EXPERIENCED IN:
•REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
•MOBILE SECURITY, & CLOUD SECURITY
•IAM, COMPLIANCE, FORENSICS
•PARTICIPATION & SPEAKING AT MANY SECURITY
CONFERENCES
(LEAKED)MOBILE APPLICATION
DATAPRIVACY
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURYCHEMERKIN
SEND A MAIL TO:[email protected]
DATAPRIVACY
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURYCHEMERKIN
SEND A MAIL TO:[email protected]
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 15
- Slides 70
- Age 498 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views