OWASP Russia 2016 - Yury Chemerkin — Run
YURY CHEMERKIN
SECURITY EXPERT RESEARCHER
[ AGENDA ]
• Intro
• Similar public researchers
• Related/Previous work
• Current results
• Final thoughts
UNTRUSTED PLACES
• “In Russia, phone numbers, logins and passwords of users will be kept.
Messages we do not store; they are on the users’ devices,” Viber’s Moscow
representative said. According to the company’s lawyers, messengers also fall
under the law which requires personal data of Russians to be stored on servers
located on the territory of the country.
• http://appleapple.top/viber-moved-their-servers-to-russia/
FACTS ABOUT APP INSECURITY
• InstaAgent, an app that connects to Instagram and promises to track the people
that have visited a user's Instagram account, appears to be storing the
usernames and passwords of Instagram users, sending them to a suspicious
remote server.
• An app developer from Peppersoft downloaded InstaAgent -- full name "Who
Viewed Your Profile - InstaAgent" -- and discovered it's reading Instagram
account usernames and passwords, sending them via clear text to a remote
server - instagram.zunamedia.com.
• http://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/
FACTS ABOUT APP INSECURITY
• Researchers find data leaks in Instagram, Grindr, OoVoo and more. The problems include
storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext
on the device, sending passwords in plaintext…
• http://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more
• Another Popular Android Application, Another Leak. We have found that another popular
Google play app, “Camera360 Ultimate,” not only enhances the users’ photos but also
inadvertently leaks sensitive data, which gives malicious parties unauthorized access to users’
Camera360 Cloud accounts and photos.
• https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html
WHAT COMPANIES THINK ABOUT
‘QUOTES’ AND INSECURITY
• Instagram said it's moving to encrypted communications for its images by moving to
HTTPS, the secure version of the standard used to transfer Web data over the Internet.
• They did, but it is still vulnerable to MITM attacks
• Be a travel app like [ AviaSales / Momondo ]: send everything in plaintext and rely on the
3rd-party server’s MITM protection
• Be a storage app like [ Box ]: try to prevent MITM, but fail and reveal credentials to the MITM tool
• Be a taxi app like [ Gett / MaximTaxi ]: send everything in plaintext, and also fail to protect
my credit card from MITM
• Be a hotel app like [ Hotels.ru ]: fail everywhere, even sending a password in the mail body
in plaintext
UNTRUSTED PLACES.
KINVEY IS A BACKEND FOR STORING
FILES & USER ACCOUNTS
UNTRUSTED PLACES. KINVEY.
ADMIN IS LOGGING IN TO KINVEY CONSOLE
UNTRUSTED PLACES. KINVEY.
APP IS LOGGING IN & DOWNLOADING
FILES
PROTECTION LEVELS.
• Also, as known,
• the User may make a modification of the Software solely for his or hers own use
and reverse engineering for debugging such modifications.
• https://en.wikipedia.org/wiki/Information_security#Confidentiality
WE GUARANTEE THE
CONFIDENTIALITY OF YOUR DATA
HOTELS.RU
Android: Plaintext
iOS: Medium
• According to the release notes and PCI DSS, the app doesn’t store bank card info (payment data).
You can’t input that data type manually. However:
• iOS: doesn’t store the data after a successful payment
• Android: stores the data after a successful payment
• Both: continue to store the data after an update, if the previous version wasn’t removed and the data wasn’t wiped
• Certified by the PCI DSS on a yearly basis. The certificate confirms the site's compliance with
the standards of the following international payment systems: Visa/MasterCard, American
Express, JCB, and Discover.
• To obtain the certificate, all the systems that receive, transmit, and encrypt card information
together with the overall structure of the company must meet the minimum of 288
requirements stated in the PCI SAQ (Self-Assessment Questionnaire D and Attestation of
Compliance).
• The Thawte 128-bit SSL Certificate is a technology of data encryption. The confidential
information about your card number, CVV2 code, and other details are submitted to our site
through encryption. To exchange information, a standard SSL-encryption is applied; the
length of the key is 128 bit. Encrypted, it is further redirected to the bank's processing
center through the payment gateway.
• https://aeroexpress.tickets.ru/en/content/safety_payments.html
AEROEXPRESS.
PASSES PCI DSS CERTIFICATION
• Aeroexpress has passed its PCI DSS certification. Now it is even safer for passengers to pay
for online services provided by this express carrier.
• In early February, Aeroexpress passed its PCI DSS (Payment Card Industry Data Security
Standard) certification, which is aimed at ensuring the secure processing, storage and
transfer of data about Visa and MasterCard holders. Given the PCI DSS certified security
level, Aeroexpress passengers can pay for tickets via the website or the company’s mobile
app using bank cards and can be confident that their personal data and funds are safely
secured. PCI DSS provides for a comprehensive approach that ensures information security
and unites the payment system programmes of VISA Account Information Security (AIS), Visa
Cardholder Information Security Program (CISP), and MasterCard Site Data Protection. We
would like to remind you that you can receive a discount of RUB 50 and RUB 100 when
purchasing Standard and Return tickets on the website or via the company’s mobile app.
• https://aeroexpress.ru/en/press_releases/news20090589.html
PCI DSS. DATE: MARCH 2015
• https://platius.ru/en-GB/Information/Agreement
ROCKETBANK
Android: Weak
iOS: Medium
• This is a question of common sense and caution. The more careful you are
the less chance to be deceived by scammers and other fraudsters. The
main protection from them is your unique password. To ensure security
make password not shorter than 8 symbols (use combination of random
letters and numbers) Don’t enter it anywhere except for the RBK Money
website and do not reveal it to other people. Use modern antivirus
programs where possible.
• Information about your card is stored, encrypted and shown only to you.
The payment is considered processed after card activation. RBK Money
reserves the right to make additional payment confirmation by phone.
• http://www.rbkmoney.com/en/support#safety
• http://www.rbkmoney.com/en/support#cards
DELIVERY CLUB
Amazon: Weak
Google: Medium
Mobomarket: Plaintext
• We encrypt our services and data transmission using SSL. We strive at all times to ensure
that your personal data will be protected against unauthorized or accidental access,
processing, correction or deletion. We implement appropriate security measures to
safeguard and secure your personal data. Please note, however, that no security measures
are 100% effective. We encourage you to take measures to protect your personal data.
• You are responsible for maintaining the privacy and the confidentiality of Information.
Please keep yourself informed when accessing the internet and to always read and review
the policy / privacy statement on the site that you are accessing. Please ensure that you do
the following: (i) not to disclose your password, (ii) not to provide any personal information
to anyone, including their names, (iii) never fill online forms without your prior authorization.
Please use complex passwords with long enough combinations of letters and numbers that
require unusual keyboard combinations whereas; simple passwords are easy to be broken.
Please never give your password to anyone online. In any event, please change your
password periodically.
• http://www.mobomarket.net/policy.html
GOOGLEPLAY. EULA/PRIVACY
• We work hard to protect Google and our users from unauthorised access to or unauthorised
alteration, disclosure or destruction of information that we hold. In particular:
• We encrypt many of our services using SSL.
• We offer you two-step verification when you access your Google Account and a Safe
Browsing feature in Google Chrome.
• We review our information collection, storage and processing practices, including physical
security measures, to guard against unauthorised access to systems.
• We restrict access to personal information to Google employees, contractors and agents
who need to know that information in order to process it for us and who are subject to strict
contractual confidentiality obligations. They may be disciplined or their contract terminated
if they fail to meet these obligations.
• http://www.google.com/intl/en-GB_ru/policies/privacy/
APP IN THE AIR
• The security of your personal information is important to us. We do not hold any liability for any personal data or any
sensitive information you provided.
• We follow generally accepted industry standards to protect the personal information submitted, both during transmission and
once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure.
Therefore, while our goal is to use commercially acceptable ways to protect your personal information, we cannot guarantee it
is absolutely secure. Please keep it in mind before submitting any information about yourself. Please note that information that
you voluntarily make public in your user profile, or which you disclose by posting comments or inserting of the Content will be
publicly available and viewable by others. We do not hold any liability for any information that you voluntarily choose to be
public through such and/or other explicit actions.
• We only use personal information collected through the APPINTHEAIR project and our Services for the purposes described in
the Terms http://i.appintheair.mobi/termsofuse. For example, we may use information we collect:
• provide our Services or information you request, and to process and complete any transactions;
• to your emails, submissions, questions, comments, requests, and complaints and provide customer service;
• http://www.appintheair.mobi/privacypolicy
ASUS WEBSTORAGE
• Log data: CyberGhost keeps no logs which enable interference with your IP address,
the moment or content of your data traffic. We make express reference to the fact
that we do not record in logs communication contents or data regarding the accessed
websites or the IP addresses.
• http://www.cyberghostvpn.com/en/privacypolicy
ISO 27001, ISMS, ETC.
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM
HOW TO CONTACT ME?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN