12 Apr, 2011

Exploitable Mobile App Challenge - Now Open!!

by Ken Johnson

Today, we are opening up the submissions portal for the Exploitable Mobile App Challenge. The submission period kicks off today (April 12, 2011) and will run through May 20, 2011. We want you to show us your mobile application development and security skills by writing highly hackable, completely insecure applications. Why on Earth would we do this? We want to raise the bar for awareness of mobile risks while having a little bit of fun in the process. As mobile platforms become increasingly complex and increasingly important in society, we are only going to see a greater number of attacks and vulnerabilities hitting the news. This is truly the golden age for mobile application security!

Judging this competition is an esteemed panel of 3 primary judges, with several others pitching in to help review the applications as they are submitted. The 3 primary judges scoring the applications are nVisium’s own Jack Mannino, Rapid7’s Rob Fuller (better known as @Mubix), and the toughest ninja in all of application security, David Rook (@SecurityNinja).

We don’t plan to keep all of your submissions for ourselves. When the competition is over, every single application submitted will be donated to OWASP to help form what will be (to our knowledge) the largest collection of vulnerable mobile apps around. While this competition is not directly or officially affiliated with OWASP, we feel that this will help the security community as a whole. The apps can be used by developers and security people alike to learn more about mobile application security and help them develop the skills needed to build bulletproof code in the future. In this competition, we will be accepting iOS applications and Android applications. Our apologies to BlackBerry, Windows Phone, and webOS developers. If this competition gains as much traction as we think it will, we may open it up to additional platforms next year as their ecosystems continue to grow.

The developer of the best iOS application will win a 32GB iPad 2, while the winner for the best Android submission will win a Motorola Xoom. Everyone who submits an application will get a t-shirt and additional “swag” for their efforts. More importantly though, you’ll be contributing to making the world a better place (seriously).

Here are the ground rules for the Exploitable Mobile App Challenge:

Applications will be judged based on their creativity, complexity, and level of difficulty for each vulnerability implemented.

Creativity: If your application consists of using a WebView to launch a static web page, that’s not very creative. Some of the mobile applications being released these days push the limits of creativity to the max. Pick a few of your favorite applications, and try to implement some of their unique features that, if exploited, could be potentially catastrophic to humanity as a whole.

Complexity: Many mobile applications communicate with remote services as well as account for environmental considerations (location, orientation, etc.). Some even interact with other applications, both on the device and installed on devices within their proximity. We think these types of applications are much more interesting than wallpaper or ringtone apps. They also have the potential to be much more difficult to develop, and even more difficult to implement securely. We encourage you to write simple web services of your own, or even applications that interact with existing web service APIs and authentication schemes.

Vulnerabilities: Each vulnerability will be rated Easy, Harder, or Insane. An example of an Easy vulnerability is using hardcoded credentials or API keys, while an Insane vulnerability might allow a remote attacker to use the mobile device in order to pivot into other applications or even corporate networks. An Easy vulnerability carries about 1/8 the weight of an Insane vulnerability, while Harder vulnerabilities carry about 1/2 the weight of an Insane vulnerability. If you can chain these issues together, bonus points!

You will be able to submit up to 2 applications. Identical vulnerabilities used in both applications will only be scored once, so if you write a really similar application for both iOS and Android, you’ll have to choose where you want the points to go. Each application should have a list of the vulnerabilities contained within the code and a brief tutorial in a separate document. The application’s source code and vulnerability list should be zipped or compressed into a single file and uploaded.

So, what are you waiting for? Sign up for an account, start cranking out code, and show off your skills! Click on the “Login” button at the top of the page or visit https://nvisiumsecurity.com/Login to get started!

Good luck, and happy hacking to all who participate!