Sunday 16 November 2014

Security Considerations for Hybrid Android Applications

In Android versions before 4.2 (Jelly Bean, targetSdkVersion 17), the JavaScript layer, upon getting access to the exposed Java object, can access all of the object's public members using reflection. Reflection is a powerful set of APIs, commonly used by programs that require the ability to examine or modify the runtime behavior of applications running in the Java Virtual Machine. For platforms before API level 17, you can use reflection inside of JavaScript by calling something like:

function execute(cmdArgs) {
    boundObj.getClass().forName("Java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
}

var p = execute(["/data/data/com.yourapp/malicious-app"]);
document.write(getContents(p.getInputStream()));

This could allow an attacker to run arbitrary Java code in the host application's context, which is a serious security risk. As an application developer, you must take care to expose a Java object to the WebView only when it is genuinely needed, especially when the WebView runs JavaScript from untrusted sources such as external websites.

HttpOnly Cookies and the Secure Flag

Cookies are one of the most common ways developers store application data. Among other things, they are used to remember the state of the web application from the previous run. Access to this data by untrusted JavaScript could pose a serious risk to your application. To prevent this, you can mark your cookies HttpOnly in the HTTP response. The HttpOnly cookie flag became a standard with RFC 6265, which can be found on the ietf.org website.

An HttpOnly-flagged cookie cannot easily be stolen via non-HTTP methods such as JavaScript or Flash reading document.cookie, a pervasive attack technique. Here's an example of how the HttpOnly attribute appears in the HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: id=cdb6352b48e62e0691efe552e3e4cecb; path=/; HttpOnly

If you deliver your web content over SSL and need to set cookies from JavaScript, then you need to add the secure flag in your cookie-setting code; a cookie carrying the Secure attribute is only sent back over an HTTPS connection, never in clear text.

 

document.cookie = "name=value; expires=date; path=path; domain=domain; secure";
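HttpOnly is a response attribute, so client-side code cannot add it; what a developer can do is audit the responses their server sends. The following is an added example, not code from the post: a small plain-Java checker that parses Set-Cookie header values in RFC 6265 syntax and reports every cookie missing either HttpOnly or Secure. The class and method names are my own, and the sample response lines are constructed for the example (the id cookie is the one shown in the post).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Hypothetical helper (not part of the post): audits Set-Cookie headers for HttpOnly and Secure. */
public final class CookieFlagAudit {

    /** Result for one cookie: its name and which protective flags it carries. */
    public static final class Finding {
        public final String name;
        public final boolean httpOnly;
        public final boolean secure;

        Finding(String name, boolean httpOnly, boolean secure) {
            this.name = name;
            this.httpOnly = httpOnly;
            this.secure = secure;
        }

        @Override
        public String toString() {
            return name + ": HttpOnly=" + httpOnly + ", Secure=" + secure;
        }
    }

    /** Parses one Set-Cookie value ("name=value; attr; attr=val") and records its flags. */
    public static Finding inspect(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        String nameValue = parts[0].trim();
        int eq = nameValue.indexOf('=');
        String name = eq < 0 ? nameValue : nameValue.substring(0, eq).trim();
        boolean httpOnly = false;
        boolean secure = false;
        // Attribute names are case-insensitive under RFC 6265, so compare in lower case.
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("httponly")) {
                httpOnly = true;
            } else if (attr.equals("secure")) {
                secure = true;
            }
        }
        return new Finding(name, httpOnly, secure);
    }

    /** Returns a finding for every Set-Cookie header in the response that lacks a flag. */
    public static List<Finding> weakCookies(List<String> responseHeaderLines) {
        List<Finding> weak = new ArrayList<>();
        for (String line : responseHeaderLines) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // status line or malformed line, nothing to inspect
            }
            if (!line.substring(0, colon).trim().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            Finding f = inspect(line.substring(colon + 1));
            if (!f.httpOnly || !f.secure) {
                weak.add(f);
            }
        }
        return weak;
    }

    public static void main(String[] args) {
        // Constructed sample response: the post's own header line plus two more cookies.
        List<String> headers = Arrays.asList(
                "HTTP/1.1 200 OK",
                "Content-Type: text/html; charset=utf-8",
                "Set-Cookie: id=cdb6352b48e62e0691efe552e3e4cecb; path=/; HttpOnly",
                "Set-Cookie: session=c0nstructedvalue; path=/; HttpOnly; Secure",
                "Set-Cookie: prefs=dark; path=/");
        for (Finding f : weakCookies(headers)) {
            System.out.println(f);
        }
    }
}
```

Run against the constructed response, the checker flags the post's id cookie (HttpOnly but not Secure) and the prefs cookie (neither flag), while the session cookie passes. The same routine can be pointed at captured proxy output or a server's test-suite responses to catch regressions before deployment.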

 

Preventing Local Files from Being Loaded in the WebView

The setAllowFileAccess() API lets developers control whether the WebView can access local files. It is one of several WebView settings you can configure at runtime. By default, this setting is enabled, allowing access to files in the filesystem. Disabling it does not prevent the WebView from loading local resources from the file:///android_asset (assets) and file:///android_res (resources) directories. For security reasons, if your app does not require filesystem access, it is good practice to turn this setting off.

 

settings.setAllowFileAccess(false);
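The two WebView points above (limiting what the exposed Java object offers, and turning off file access) fit naturally into one configuration routine. The following is an added Java example, not code from the post: a helper that hardens a WebView that renders an app's own HTTPS content. The class names, the bridge method, and the host app.example.com are assumptions. One caveat a practitioner should keep in mind: the @JavascriptInterface annotation restricts JavaScript to annotated methods only when the app's targetSdkVersion is 17 or higher and the device runs API 17 or higher; on anything older every public method, and reflection through it, remains reachable, so the helper registers no bridge there at all.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical helper (not from the post): configures a WebView for the app's own HTTPS pages. */
public final class HardenedWebView {

    // Assumed origin of the app's bundled web UI; everything else is refused.
    static final String ALLOWED_HOST = "app.example.com";

    /** Bridge object exposed to page JavaScript. Only annotated methods are callable on API 17+. */
    public static final class AppBridge {
        // The single operation the page is meant to reach.
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }

        // No annotation: invisible to JavaScript when targetSdkVersion >= 17 on API 17+.
        public void sensitiveOperation() {
            // privileged work that must never be callable from the page
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, boolean pageNeedsBridge) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);                 // the post's setting: no file:// reads
        settings.setAllowContentAccess(false);              // no content:// provider reads either
        settings.setAllowFileAccessFromFileURLs(false);     // file:// pages cannot read other files
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptEnabled(pageNeedsBridge);     // only on if the page truly needs it

        // Block navigation to anything that is not an https: URL on the allowed host.
        // This covers link clicks and redirects, not the initial loadUrl() or subresources,
        // so the caller must only pass allowed URLs to loadUrl().
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // returning true cancels the navigation
            }
        });

        if (pageNeedsBridge && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        } else {
            // Before API 17 every public member is reachable through reflection, so expose nothing.
            webView.removeJavascriptInterface("AppBridge");
        }
    }

    /** True only for https: URLs on the allowed host (assumed policy for this example). */
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equals(u.getHost());
    }
}
```

Call configure(webView, true) only for pages that actually use the bridge; for plain content pass false so JavaScript stays disabled and no Java object is reachable at all. The bridge class should contain nothing beyond the annotated methods the page needs, since every public method on it is a potential entry point on older targets.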

The SSH Protocol

SSH is a protocol, not a product. It is a specification of how to conduct secure communication over a network. The SSH protocol covers authentication, encryption, and the integrity of data transmitted over a network, as shown in Figure 1-2. Let's define these terms:

Authentication: Reliably determines someone's identity. If you try to log into an account on a remote computer, SSH asks for digital proof of your identity. If you pass the test, you may log in; otherwise SSH rejects the connection.

Encryption: Scrambles data so it is unintelligible except to the intended recipients. This protects your data as it passes over the network.

Integrity: Guarantees the data traveling over the network arrives unaltered. If a third party captures and modifies your data in transit, SSH detects this fact.

Secure Sockets Layer (SSL) Protocol

The Secure Sockets Layer (SSL) protocol is an authentication and encryption technique providing security services to TCP clients by way of a Berkeley sockets-style API. It was initially developed by Netscape Communications Corporation to secure the HTTP protocol between web clients and servers, and that is still its primary use, though nothing about it is specific to HTTP. It is on the IETF standards track as RFC 2246, under the name "TLS" (Transport Layer Security). An SSL participant proves its identity with a digital certificate, a set of cryptographic data. A certificate indicates that a trusted third party has verified the binding between an identity and a given cryptographic key. Web browsers automatically check the certificate provided by a web server when they connect by SSL, ensuring that the server is the one the user intended to contact. Thereafter, transmissions between the browser and the web server are encrypted. SSL is used most often for web applications, but it can also "tunnel" other protocols.

It is secure only if a "trusted third party" exists. Organizations known as certificate authorities (CAs) serve this function. If a company wants a certificate from a CA, the company must prove its identity to the CA through other means, such as legal documents. Once the proof is sufficient, the CA issues the certificate.

For more information, visit the OpenSSL project at:

http://www.openssl.org/

 

Kerberos

Kerberos is a secure authentication system for environments where networks may be monitored, and computers aren't under central control. It was developed as part of Project Athena, a wide-ranging research and development effort at the Massachusetts Institute of Technology (MIT). Kerberos authenticates users by way of tickets, small sequences of bytes with limited lifetimes, while user passwords remain secure on a central machine. Kerberos and SSH solve similar problems but are quite different in scope. SSH is lightweight and easily deployed, designed to work on existing systems with minimal changes. To enable secure access from one machine to another, simply install an SSH client on the first and a server on the second, and start the server.

Kerberos, in contrast, requires significant infrastructure to be established before use, such as administrative user accounts, a heavily secured central host, and software for network-wide clock synchronization. In return for this added complexity, Kerberos ensures that users' passwords travel on the network as little as possible and are stored only on the central host. SSH sends passwords across the network (over encrypted connections, of course) on each login and stores keys on each host from which SSH is used. Kerberos also serves other purposes beyond the scope of SSH, including a centralized user account database, access control lists, and a hierarchical model of trust.

Securing WordPress Blogs using SSL and HTTPS

Hacking the WordPress Login – Stealing Usernames and Passwords Using Free Tools

As explained in the previous security post, Website SSL and HTTPS explained, unless you access your WordPress dashboard or admin pages over an HTTPS connection (using an SSL web server certificate), the username and password are sent in clear text over the internet, so you risk having them stolen.

In this WordPress security blog post we explain how malicious hackers can compromise your WordPress login by sniffing (also known as capturing) your WordPress username and password using free tools.

How to Capture & Hack WordPress Passwords

Routing of Clear Text Data Over the Internet

When you access your WordPress dashboard (the wp-admin section) or any other website, the data is not sent directly from your browser to the web server. It is routed through a number of devices on the internet. Therefore, before the data reaches your server, it passes through, and can be read by, a number of routers, switches, servers, proxy servers, etc., which are administered by different entities.

Depending on the geographical location of your computer and web server, your data might be routed through 5 to 20 or more devices until it reaches its destination. And since such data is sent in clear text, should a malicious hacker tap into one of these devices and capture its traffic, the hacker can easily retrieve your WordPress username and password, as explained below.

Hacking WordPress Login (Capturing the Credentials)

Once a malicious hacker can access your data by tapping into a device from where your data is being routed (which could also be your very own wireless router), he can use free tools such as Wireshark to capture your WordPress login session, which will include your WordPress username and password.

Depending on the type of access the hacker manages to gain, he can also route all of the device's traffic through his own proxy software, such as Fiddler, which is also a free tool.

At this stage hacking your WordPress login is very easy because the malicious hacker can capture all of the web traffic passing through that device. For example below is a screenshot from Fiddler capturing a WordPress login session (i.e. the traffic exchanged between a user's web browser and a WordPress website while logging in to the WordPress dashboard or admin pages).

Sniffing and Capturing WordPress Passwords

Once the malicious hacker has a copy of the web data exchanged between your web browser and your WordPress blog or website, he can browse through it to identify your WordPress password. In this test case we used admin as the username with the password Str0ngPass. By identifying the HTTP POST request in the above screenshot, i.e. the request in which the browser sent the password to the WordPress site, the hacker can see your username and password in clear text, as highlighted in the screenshot below.

From the above screenshot we can see that the log parameter contains the username used to log in to WordPress (admin) and the pwd parameter contains the password (Str0ngPass).

Note: The above screenshot shows exactly the clear text (including your WordPress username and password) your web browser sends to the WordPress login page to login.

A hacker does not need to be particularly tech-savvy to do such tasks. These free tools are very easy to use, and anyone who has a basic idea of how the web works can capture and steal WordPress passwords, which is why we always recommend turning on WordPress SSL for your login pages.

Protect Your WordPress Login and Password

There are several ways to protect your WordPress login details, i.e. the WordPress username and password, and avoid having them stolen. The first and most secure way is to access your WordPress dashboard over an HTTPS connection. Refer to the WordPress HTTPS (SSL) security tutorial to configure WordPress SSL using a plugin, or refer to our Definitive Guide to Implementing WordPress SSL to implement SSL manually on your WordPress.

Although we recommend that every WordPress administrator implement an SSL web server certificate for a WordPress SSL (HTTPS) connection, it is recommended to also add two-factor authentication. It is important to add two-factor authentication as well because, even though malicious hackers are not able to steal your credentials when the WordPress login page is served over SSL, your WordPress is still susceptible to brute force attacks. Two-factor authentication protects your WordPress from automated brute force attacks. Remember, the more layers of WordPress security you can implement, the better.
