mobile application security
play

Mobile Application Security Testing and Code Review 19 Nov 2013 - PowerPoint PPT Presentation

Feb 23, 2023 •2.83k likes •3.77k views

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

  1. Mobile Application Security Testing and Code Review 19 Nov 2013 – Mobile and Smart Device Security 2013 – Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com

  2. Introductions VERY QUICKLY… • Hi, I’m Fran • Partner at Bishop Fox • You may remember me from such hacks as: • RFID Thief • Diggity Search Tool Suite • SharePoint Hacking 2

  3. Introductions VERY QUICKLY… • Hi, I’m Joe • Sr. Security Analyst at Bishop Fox • I like Python, Linux, and cryptography • Phones / embedded devices are pretty cool too 3

  4. Today We’re Covering HACKING MOBILE APPS • Attacks against mobile apps • Real world examples • Defense against the dark arts 4

  5. Agenda TECHNICAL BRIEF • Breaki king ng iOS Apps • Static Analysis • Dynamic Analysis • Counter-measures • Breaki king ng Andro roid id Apps • Static Analysis • Dynamic Analysis • Counter-measures 5

  6. App Security Requirements A FEW SCENARIOS • Online finance • Point-of-sale • Streaming media and DRM • Mobile Device Management (MDM) 6

  7. The Golden Rule OF APP SECURITY 7

  8. Users are Ev Evil il EVERY LAST ONE OF ‘EM • They have complete control • Do not trust them • Design apps & APIs accordingly 8

  9. iOS Applications STATIC ANALYSIS 9

  10. iOS Perquisites WHAT YOU NEED TO START • Jailbroken iOS Device • SSH Access (scp) • Mac & Xcode • HTTP Proxy • Burp Suite Free/Pro ($300) • Zed Attack Proxy • ARM Disassembler • Hopper ($50) • IDA Pro ($600+) 10

  11. HTTP Proxy Setup NETWORK ANALYSIS 11

  12. Burp Suite Setup 12

  13. Python – m SimpleHTTPServer 13

  14. Install You Own CA 14

  15. WiFi Settings > Proxy 15

  16. You’re Done! WELL SORT OF… 16

  17. AppStore Encryption DECRYPTING BINARIES 17

  18. Binary Encryption GETTING PLAIN-TEXT BINS • Encrypted Binaries • AppStore • Clutch • Rasticrac • No Encryption • Provisioned Device • Test Flight, etc. 18

  19. Clutch AWESOME TOOL • Decrypts iOS applications and repackages them • Saves apps in: /var/root/Documents/Cracked • Saves apps as .ipa files (they’re just ZIPs) • Use: clutch <app name> 19

  20. AppStore Archive Structure GETTING PLAIN-TEXT BINS  Foobar.ipa  iTunesMetadata.plist  iTunesArtwork  Payload/  Foobar.app  Foobar  … 20

  21. Bundle Identifier ITUNES METADATA PLIST 21

  22. Static Analysis IOS APP SECURITY 22

  23. Static Analysis DUMPING CLASS INTERFACES 23

  24. class-dump-z ANOTHER AWESOME TOOL • Dump class information from a Mach-O binary • Shows Objective-C classes, methods, properties • Useful for peering into iOS apps • Great for searching for keywords 24

  25. #import <XXUnknownSuperclass.h> // Unknown library @class NSString; @interface XXasymEncryptor : XXUnknownSuperclass { NSString* _publicKeyID; NSString* _privateKeyID; } @property(copy, nonatomic) NSString* privateKeyID; @property(copy, nonatomic) NSString* publicKeyID; -(id)privateQueryDict; -(id)publicQueryDict; -(void)decryptWithPrivateKey; -(void)encryptWithPublicKey; -(void)KeysPlease; -(id)decryptData:(id)data; -(id)encryptData:(id)data; -(id)init; @end

  26. #import <XXUnknownSuperclass.h> // Unknown library @class NSString; @interface XXasymEncryptor : XXUnknownSuperclass { NSString* _publicKeyID; NSString* _privateKeyID; } @property(copy, nonatomic) NSString* privateKeyID; @property(copy, nonatomic) NSString* publicKeyID; -(id)privateQueryDict; -(id)publicQueryDict; -(void)decryptWithPrivateKey; -(void)encryptWithPublicKey; -(void)KeysPlease; -(id)decryptData:(id)data; -(id)encryptData:(id)data; -(id)init; @end

  27. Jailbreak Detection #import <Foundation/NSObject.h> @interface FoobarUtil : NSObject { } +(id)getMACUID; +(id)getMACBasedUID; +(id)hashDataToHexString:(char*)hexString length:(int)length; +(id)hashData:(id)data; +(id)iTunesMetadataPlist; +(BOOL)appIsCracked; +(BOOL)deviceIsJailbroken; +(int)deviceCPUFrequency; 27

  28. Jailbreak Detection COMMON DETECTION METHODS Me Metho hods • Fork() • Stat() / Lstat() • Cydia • /apt/ • Etc • dyld_count() • dyld_get_image_name() 28

  29. ARM Assembly 29

  30. 30

  31. 31

  32. Pseudo Code NO ASSEMBLY REQUIRED 32

  33. XOR is Not Obfuscation 33

  34. Dynamic Analysis IOS APP SECURITY 34

  35. iOS Device Logs XCODE DEVICE CONSOLE • Window > Organizer • Cmd + Shift + 2 • Real-time logs  35

  36. iOS Device Logs WALL OF TEXT 36

  37. Mobile Substrate HOOKING MADE EASY 37

  38. Mobile Substrate OBJ-C RUNTIME MANIPULATION • Written by Jay Freeman “Saurik” • Dynamic library injection framework • Cydia “Tweaks” • Included with Cydia by default 38

  39. Obj-C Message Passing Objective-C Call Native C Run Code iOS App Call 39

  40. Obj-C Message Passing Objective-C Call Mobile Native C Run Code iOS App Substrate Call Our code runs here 40

  41. Class Dump Example IMPLEMENTING THE ATTACK @class NSString; @interface DeviceSecurity: { BOOL _jbstatus; } @property(assign, nonatomic) BOOL jbstatus; +( BOOL )isJailbroken; @end 41

  42. Class Dump Example IMPLEMENTING THE ATTACK @class NSString; @interface DeviceSecurity : { BOOL _jbstatus; } @property(assign, nonatomic) BOOL jbstatus; +( BOOL ) isJailbroken ; @end 42

  43. Tweak Syntax IMPLEMENTING THE ATTACK #import “substrate.h” %hook DeviceSecurity -( BOOL ) isJailbroken { %log; // Logos built-in logging return NO; // Return FALSE } %end 43

  44. Generating Function Hooks LOG ALL THE THINGS $ class-dump-z FoobarApp – H $ ./ios-hooker.py --target Foobar.h – g – s – l [*] Successfully parsed 1 of 1 file(s) [*] Generated 120 function hook(s) [*] Hooks written to: Tweak.xm (8954 bytes) $ make package 44

  45. Cycript GIVES YOU SUPERPOWERS 45

  46. Cycript Magic IOS HACKER’S BEST FRIEND • JavaScript REPL • JavaScript + Cycript language extensions • Objective-C runtime is merged into the REPL • Attach to running apps 46

  47. Cycript ALIEN BLUE APP 47

  48. Cycript IOS HACKER’S BEST FRIEND iphone:~root# cycript – p AlienBlue cy# cy# UIApp @"<UIApplication: 0x8ba2c0>" cy# cy# UIApp.keyWindow.delegate @"<CustomNavigationController: 0x836900 >” cy# 48

  49. Cycript Extended IOS HACKER’S BEST FRIEND $ ./slcycript AlienBlue [+] Launching cycript wrapper... [+] Attaching to process AlienBlue with PID 4831 [+] Importing JavaScript helper functions, please wait... cy# cy# ui(UIApp.keyWindow, "Reddits") <UILabel: 0x82f0d0; frame = (132 12; 55 21); text = 'Reddits'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <CALayer: 0x82f190>> 49

  50. Cycript Extended IOS HACKER’S BEST FRIEND cy# label = new Instance(0x82f0d0) @"<UILabel: 0x82f0d0; frame = (132 12; 55 21); text = 'Reddits'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <CALayer: 0x82f190>>" cy# cy# label.text @"Reddits" cy# label.text=@"Diggs" @"Diggs" cy# 50

  51. Cycript Extended IOS HACKER’S BEST FRIEND cy# hexdump(label.text,64) " c8 02 20 3f 8c 07 00 06 05 44 69 67 67 73 00 00 .........Diggs.. 12 48 65 6c 76 65 74 69 63 61 4e 65 75 65 2d 42 .HelveticaNeue.B 6f 6c 64 00 00 00 00 00 00 00 00 00 00 00 00 00 old............. c8 02 20 3f ad 07 00 01 b0 2b 84 00 12 00 00 00 ................ " cy# cy# [ label setHidden: 1 ] cy# 51

  52. MDM Security Policy 52

  53. Cycript & iOS Mobile Substrate DE DEMO MONSTRA NSTRATION TION 53

  54. Recommendations REALISTIC CONSIDERATIONS 54

  55. Defense Against Dark Arts EXPECTO PATRONIS • Mobile security can be defeated • It comes down to context and difficulty • For example… 55

  56. iOS Recommendations HARDENING YOUR APP 1. Assembly and/or C 2. Inline functions 3. Obj-C obfuscation 4. Certificate pinning 5. Change release • Metaforic – Commercial • AppMinder – BSD Licensed a) http://appminder.nesolabs.de/ 56

  57. Free ‘n Easy Obfuscation DEFENSIVE SHELLCODE 57

  58. Android Applications STATIC ANALYSIS 58

  59. Google Play Store APK PACKAGES 59

  60. Android Packages EASILY ACQUIRED • APKs are signed, not encrypted • APK Extractor • Direct Download 60

  61. Android Perquisites WHAT YOU NEED TO START • Root’d Device • Cydia Substrate • ADT Eclipse Bundle • Procyon • Dex2jar • Substrate Plug-in • HTTP Proxy • Burp Suite Free/Pro ($300) • Zed Attack Proxy 61

  62. Decompile the Bytecode BYTECODE REFLECTION dex2jar <App>.apk 62

  63. Dex2jar & Procyon MORE THAN JUST INTERFACES $ dex2jar Foobar.apk dex2jar foobar.apk -> Foobar-dex2jar.jar $ procyon – jar Foobar-dex2jar.jar – o src/ Decompiling com/foobar/Parser... Decompiling com/foobar/XMLWriter... … 63

  64. Decompiled Java Code MORE THAN JUST INTERFACES 64

  65. Dynamic Analysis ANDROID RUNTIME 65

  66. Android Zygote 66

  67. Cydia Substrate SUBSTRATE FOR ANDROID 67

  68. Class Hook Example IMPLEMENTING THE ATTACK Class to hook Method to hook 68

  69. Class Hook Example IMPLEMENTING THE ATTACK 69

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
Security CS 4720 Mobile Application Development CS 4720 The Traditional Security Model

Security CS 4720 Mobile Application Development CS 4720 The Traditional Security Model

Security CS 4720 Mobile Application Development CS 4720 The Traditional Security Model The Firewall Approach Keep the good guys in and the bad guys out CS 4720 2 Distributed System Security Islands of Security

883 views • 39 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
Mobile Application Security Testing ASSES SESSMENT NT &amp; CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT &amp; CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT &amp; CODE REVIEW EW st 2014 Sept. t. 31 31 st Presenters ITAC 2014 Bishop Fox Francis Brown Partner Joe DeMesy Security Associate 2 2 Int ntrodu roductions ctions

1.32k views • 86 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why

The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why

The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why a Mobile Application Code? Extend the NAI compliance program into the mobile application space Provide extra flexibility for this rapidly

319 views • 18 slides
Authentication CS 4720 Mobile Application Development CS 4720 System Security Human:

Authentication CS 4720 Mobile Application Development CS 4720 System Security Human:

Authentication CS 4720 Mobile Application Development CS 4720 System Security Human: social engineering attacks Physical: steal the server itself Network: treat your server like a 2 year old Operating System: the war

574 views • 22 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security &amp; Privacy

1.03k views • 57 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

818 views • 20 slides
APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh About us Dmitriy

APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh About us Dmitriy

WINDOWS PHONE 8 APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh About us Dmitriy D1g1 Evdokimov - Security researcher at ERPScan - Mobile security, RE, fuzzing, exploit dev etc. - Editor of Russian hacking

742 views • 43 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Announcement Course Evaluations Now online Will be available from Friday, Dec 7 Will also allow students to do

864 views • 50 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
4MOST 4m Multi-Object Spectroscopic Telescope 4MOST: a Wide-field, high-multiplex optical

4MOST 4m Multi-Object Spectroscopic Telescope 4MOST: a Wide-field, high-multiplex optical

4MOST 4m Multi-Object Spectroscopic Telescope 4MOST: a Wide-field, high-multiplex optical spectroscopic survey facility for ESO Roelof de Jong, PI (AIP) 15 April 2016 www.4MOST.eu 1 4MOST 4m Multi-Object Spectroscopic Telescope 4MOST:

403 views • 9 slides
AMD &amp; SSSD Two SiPM-based scintillation detectors for Auger Johannes Schumacher for the

AMD &amp; SSSD Two SiPM-based scintillation detectors for Auger Johannes Schumacher for the

AMD &amp; SSSD Two SiPM-based scintillation detectors for Auger Johannes Schumacher for the Pierre Auger Collaboration HAP workshop Feb. 2016 Outline Motivation for SiPMs Part 1: AMD Aachen Muon Detector Part 2: SSSD SiPMs

555 views • 41 slides
N e w P h y s i c s w i t h Mu o n s F i r s t l o o k a t g - 2 ,

N e w P h y s i c s w i t h Mu o n s F i r s t l o o k a t g - 2 ,

N e w P h y s i c s w i t h Mu o n s F i r s t l o o k a t g - 2 , Mu 3 e a n d m o r e T r a c k s v s c a l o G a v i n H e s k e t h U n i v e r s i t y o f B i r m

1.39k views • 68 slides
Status of the Mu3e Experiment https://www.psi.ch/mu3e/ Search for + e + e + e - CLFV 2019

Status of the Mu3e Experiment https://www.psi.ch/mu3e/ Search for + e + e + e - CLFV 2019

Status of the Mu3e Experiment https://www.psi.ch/mu3e/ Search for + e + e + e - CLFV 2019 Conference Charged Lepton Flavor Violation 17.-20.6. 2019, Fukuoka (Kyushu) A. Schning on behalf of Mu3e

820 views • 36 slides
Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About It) Wade Trappe Agenda Agenda Tales from the Dark Side of Security Wireless in Particular Decomposing the Problem into Problems

697 views • 40 slides
Privacy Preserving Data Mining Li Xiong Department of Mathematics and Computer Science

Privacy Preserving Data Mining Li Xiong Department of Mathematics and Computer Science

CS378 Introduction to Data Mining Privacy Preserving Data Mining Li Xiong Department of Mathematics and Computer Science Department of Biomedical Informatics Emory University Netflix Sequel 2006, Netflix announced the challenge 2007,

951 views • 58 slides
UART Thou Mad? Mickey and Toby Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY

UART Thou Mad? Mickey and Toby Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY

UART Thou Mad? Mickey and Toby Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY represent the view of our employers. whoami - Mickey whoami - Toby Agenda Intro UART o Background o Finding it Embedded systems overview

493 views • 24 slides
The Dark Side of Digital Financial Transformation: Cybersecurity and Technological Risk Douglas

The Dark Side of Digital Financial Transformation: Cybersecurity and Technological Risk Douglas

The Dark Side of Digital Financial Transformation: Cybersecurity and Technological Risk Douglas W. Arner Kerry Holdings Professor in Law University of Hong Kong Douglas.Arner@hku.hk FinTech Evolution and Typology FinTech Evolution The

1.13k views • 27 slides

More recommend