Mobile App Security - Use & Abuse Cases


Mike and I discuss threat modeling - the process of systematically creating "abuse cases" for your mobile application and other tactics that help software developers learn to secure their mobile apps.

(Full transcript after the break, or download MP3 audio here)

Want to know when more clips from this interview are posted? Follow @g33ktalktv on Twitter for updates.


Mike: One of the things we commonly, as security consultants, train developments teams for- and architects and other folks in the creation of software- is threat modeling. And, that's where we kind of just go through a brainstorming exercise and we think of all the threats that exist against what we're trying to create, and think about how the application can be attacked. How can it be compromised? And if these attacks are successful, what does it mean against the bottom line? How much is it going to cost us if a certain attack results in a breach of some sort of data?

Pete: So, that's threat modeling and there's also the concept of modeling out abuse cases as well, right? Not just a use case, but-

Mike: Right. An abuse case.

Pete: Many developers don't think in terms of an abuse case. What would a malicious person, someone with malicious intent, do? How would they walk through the application, how could they potentially turn it on itself.

Mike: Right. So, a use case might be- we need to let the user enter their credentials and store them permanently or semi-permanently. An abuse case for that would be- well, a third party application exists on the device, the device is jailbroken and it spiders the filesystem and finds this file containing our user's credentials.

Pete: Or an attacker trying to abuse the forgot password feature to try to gain access to an account in an unauthorized way.

Mike: Exactly. So, the point being- we do the threat modeling, as known as, like a risk assessment. We figure out- OK, what is our true risk here? Then, we can kind of make a decision. Like, OK, maybe it's OK to store these credentials, it's just for our gaming platform. But, when we say, OK, this is an ecommerce site, and the credentials can be used to potentially access credit card data for our customer, maybe it's not worth it for us to store these credentials on the device. So, I really think that it's important that developers and other folks involved in the creating of software, they really think about- what does the application need to do, and what are the risks inherent with that? And then if they decide, you know what? The risk is acceptable to us. We'd like to store the credentials on the device. Then, they need to understand what secure mechanisms exist on the platform that will allow them to do that.

Pete: And this would be platform specific, right?

Mike: Platform specific, correct.

Pete: Well, if I'm a developer and I'm trying to get used to this concept. Maybe this concept of creating abuse cases is a little bit new to me. How do I get started writing an abuse case for my app? I guess basically, think like a hacker.

Mike: Yea.

Pete: Any other tips or tricks, in order to help somebody think about how to come up with malicious ways to circumvent auth or do the nasty things inside an application?

Mike: Yea, it really is- you have to put your bad guy hat on and just start to really think outside of the box. And, that could be pretty hard for you to do just sitting at your desk by yourself. So, it can be a fun exercise to get the whole team involved and even potentially bring in a security guy to just give a talk. Or even a little more in depth, a 45 minute presentation of threat modeling and giving you a mock threat model. We really open your eyes and get you thinking in a different way, which is what you need to do if you need to kind these flaws before they come to exist in your app.