SAP Mobile Platform Security: Introduction

Mobile devices are now actively integrated into business processes. Companies use more and more business applications on mobile devices, and employees increasingly bring their own equipment to the workplace (BYOD – Bring Your Own Device) and gain access to critical corporate information from it.

SAP Mobile Platform (SMP, formerly Sybase Unwired Platform, or SUP) is a mobile enterprise application platform (MEAP) solution. SMP is used to monitor and control the applications that are installed on mobile phones and have access to business data. The main aim of SMP is to deliver business data to mobile devices with enterprise-grade security. The platform allows users to work with data from SAP business applications through mobile apps, both online and offline, and from all modern mobile devices: Android, Blackberry, iPhone / iPad and Windows / Windows Mobile devices are used by end users. The installed client applications connect to SMP and can be found on Google Play, the Apple App Store, or the Windows Store.

The SMP security service supports SSL connections between the app and the server. Data on the device and data in transit can be encrypted with a user-supplied key. It also supports authentication, authorization, access control for individual apps and roles, Single Sign-On, security audit logging, and so on, to provide end-to-end security from the device to the platform.

To secure access further, Mobile Device Management (MDM) software should be applied. All the security functionality between the device and SMP, such as SSL, authentication, authorization, and Single Sign-On, is then provided together with device management, app configuration, and protection of the data on the device. SMP works with SAP Afaria/Mobile Secure as well as any third-party MDM provider.

SMP also includes tools for rapid development of client applications for various platforms, but let’s focus on risks first.

Risks associated with attacks on SAP Mobile Technology

Risks related to business applications usually fall into espionage, sabotage, and fraud. Some of the potential risks to SAP Mobile Platform, should somebody find and exploit vulnerabilities in it, are listed below:

  • An attacker can gain unauthorized access to business applications such as ERP, CRM, or BI by compromising SAP Mobile Platform. SMP can be considered a “proxy” for access to business systems: for security reasons, mobile devices and mobile applications, especially those from third parties, are usually not allowed to connect to the ERP directly and go through SMP instead. If cybercriminals get access to SMP, they get almost direct access to the mission-critical systems inside the company, such as ERP, SCM, BI, and others.
  • Perpetrators access critical data stored on mobile devices, such as personal data (SSN), personal healthcare data (PHI), or credit card data (PCI). Unauthorized access to this data can turn into a data breach if somebody exploits such a vulnerability against many mobile devices, or into a targeted attack against high-level executives in commerce, government, or the military.
  • Critical data stored or presented on mobile devices can be modified. Some vulnerabilities may allow changing critical data stored on a mobile device, or showing fake data by means of a Man-in-the-Middle attack. Imagine what happens if, for example, a nurse sees the wrong results, executives get modified financial results from a BI system, or warehouse logistics employees are told that goods are out of stock.
  • Denial of Service attacks on SAP Mobile infrastructure. Imagine that nobody can connect to the latest business data via a mobile device. This risk is especially critical because mobile access is mostly used by C-level executives to analyze the latest dashboards. In addition, mobile devices are used in warehouses, so an entire supply chain can be halted with a simple DoS attack.

Vulnerabilities identified by ERPScan researchers:

Now let’s see how real the listed risks are and whether there are vulnerabilities that can be exploited to prove those risks exist. We found multiple vulnerabilities in SAP Mobile Technology, including SAP Mobile Platform, SAP Mobile Applications, and SAP Afaria MDM. We will now show four of them, which were recently patched by SAP. Each is associated with one of the risks described in the previous section. The first two vulnerabilities are server-side and the last two are client-side.

  • Sabotage attack example. SAP Mobile Platform uses Sybase SQL Anywhere as its database. A specially crafted request can crash the Sybase SQL Anywhere database server, resulting in a denial of service.
    Vulnerability reported: 09.12.2014
    Vendor response: 10.12.2014
    Date of Public Advisory: 15.03.2015
    Defense: SAP Note 2108161
  • Vulnerability in the SAP Mobile Platform Portal page. An XXE (XML External Entity) vulnerability allows multiple attack vectors. First, XXE can be used for a Denial of Service attack on the Portal, which would make all interactions between mobile devices and the ERP system (or any other mission-critical application) impossible. Second, it is possible to gain access to the file system and take full control over the server. Sometimes third parties or subcontractors are given access to business systems only via SAP Mobile, so they could use this XXE vulnerability to obtain broader, direct access to ERPs or other mission-critical systems. From there they may proceed to espionage, sabotage, and fraud attacks against SAP ERP using vulnerabilities in SAP ERP itself, of which there are plenty according to our report.
    Vulnerability reported: 29.12.2014
    Vendor response: 30.12.2014
    Date of Public Advisory: 15.03.2015
    Defense: SAP Note 2125513
  • Espionage attack example. Disclosure of critical healthcare information in the SAP EMR Unwired application for Android. Google Play indicates 1,000–5,000 installations. SAP EMR Unwired lets doctors and nurses get up-to-date information on all patients, including findings and charts, X-ray and CT images (non-diagnostic quality), clinical orders, risk factors, demographics, lab results, the patients’ latest vital signs, progress notes, DRG, diagnoses, procedure codes, etc. The app connects to clinical back-end systems, including the hospital information and imaging systems (PACS), and displays the patient’s data in a clear and easy-to-read format on the Android device (information from the app description in Google Play). An Unauthorized Access vulnerability in the mobile application allows attackers to access short-lived temporary documents. To exploit this kind of vulnerability, you need to install a malicious app on the victim’s phone. As a rule, you can’t get access to one application from another without a local privilege escalation exploit.
    Vulnerability reported: 20.04.2013
    Vendor response: 21.04.2013
    Date of Public Advisory: 16.11.2013
    Defense: SAP Note 1864518
  • Sabotage/Espionage. Vulnerability in the SAP EMR Unwired application for Android. It is possible to reconfigure this application so that it connects to a malicious server. The threat exists only if the user confirms the settings change, but the attacker can display this confirmation window repeatedly until the user clicks OK. It then becomes possible to send fake medical data into the mobile application, so nurses receive wrong information about the patient’s health and assign the wrong course of treatment. This can lead to unpredictable harm to patients.
    Vulnerability reported: 20.04.2013
    Vendor response: 21.04.2013
    Date of Public Advisory: 15.02.2015
    Defense: SAP Note 2117079
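The XXE item above names two consequences, denial of service and file-system access, and both come from the server-side XML parser honouring DTD declarations in request bodies. The following is an added example, not SMP's code and not part of the original post, showing the Java DOM parser configuration that rejects a DOCTYPE outright, next to the permissive default; the class and method names and the request bodies are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Default JDK factory: accepts a DOCTYPE and resolves the entities it declares.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refusing any DOCTYPE removes both vectors named in the advisory,
    // file reads via external entities and entity-expansion denial of service.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a schema ever forces a DOCTYPE to be allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a request body and returns the root element's text, or null if the parser rejected it.
    static String rootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain request, and one that smuggles in a DOCTYPE with an entity.
        String plain = "<request><user>alice</user></request>";
        String withDoctype = "<!DOCTYPE request [<!ENTITY e \"alice\">]><request><user>&e;</user></request>";

        System.out.println("default,  plain:   " + rootText(defaultFactory(), plain));
        System.out.println("default,  doctype: " + rootText(defaultFactory(), withDoctype));
        System.out.println("hardened, plain:   " + rootText(hardenedFactory(), plain));
        System.out.println("hardened, doctype: " + rootText(hardenedFactory(), withDoctype));
    }
}
```

The default factory happily expands the entity, while the hardened one rejects the whole document as soon as it sees the DOCTYPE, which is the behaviour a request-handling endpoint should have unless a DTD is genuinely required.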
