Android and mobile security (for developers) - ifalcomata@enforcer.it – CTO, Enforcer
Igor Falcomatà
Slides from Igor Falcomatà talk @Codemotion Roma 2014

Android and mobile security - Falcomatà (slide transcript)

Slide 1/43
Igor Falcomatà - Android and mobile security (for developers) - ifalcomata@enforcer.it – CTO, Enforcer

Slide 2/43
• professional activity:
  • vulnerability assessment and penetration testing (~15 years)
  • security consulting
  • training
• other:
  • sikurezza.org
  • (F|Er|bz)lug
free advertising >

Slide 3/43
http://en.wikipedia.org/w/index.php?title=File:Android-System-Architecture.svg (figure: Android system architecture)

Slide 4/43
• Architectures: ARM, (MIPS, x86, ..)
• Kernel
  • Linux kernel 2.6.x (Android 1, 2 and 3.x)
  • Linux kernel 3.0.x (Android 4.x)
  • standard components and drivers
  • filesystem, processes, permissions
  • standard vulnerabilities ;)
• Custom components
  • binder, ashmem, pmem, logger, wakelocks, OOM, alarm timers, paranoid network security, gpio, ..
  • Android and vendor custom hw drivers
  • new vulnerabilities waiting to be discovered ;)

Slide 5/43
• Sandbox (OS level)
  • sandboxing with Linux uid/gid + kernel patches (protected API)
  • 1 process = 1 application = 1 VM (+ OS components)
  • protected API for hardware access: camera, GPS, Bluetooth, telephony, SMS/MMS, network connections
  • root = root (full access)
• Libraries
  • bionic libc (!= gnu libc, !posix)
  • udev, WebKit, OpenGL, SQLite, crypto, .. (& bugs)
• Dalvik VM (!= JVM)
  • Java code -> dex bytecode
  • custom Java libraries
  • can run native code (syscalls, ioctls, ..) -> kernel

Slide 6/43
(same list as slide 5, plus the quote:)
"Like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the Linux kernel."

Slide 7/43
[Network diagram: hot-spot user, desktop, ext. router, web server, app backend, db server, file server, dep. server, desktops, firewall, access point, BY0D user, wifi user, 3G user, cloud services]

Slide 8/43
[Same diagram, adding "Mr. MobileMalicious" and "3rd party app backend"]

Slide 9/43
[Diagram as in slide 8]
• vectors:
  • chat
  • e-mail
  • links on social networks
  • MiTM / DNS spoofing / ..
• exploit:
  • malicious site ->
  • app (pwned) ->
  • kernel (pwned) ->
  • r00t!!

Slide 10/43
[Diagram as in slide 8]
• classic "client side attack":
  • exploit app/lib (webkit, ..)
  • arbitrary code execution
  • -> kernel (syscalls, ioctls, ..)
• no-win situation
  • "not our concern"
  • but...:
  • root -> full control
  • access to every app's data

Slides 11/43 and 12/43
[Diagram as in slide 8]

Slide 13/43
[Diagram as in slide 8]
• root -> full control
  • personal data: mail, documents, contacts, calendar, ..
  • interception: audio, video, messaging, network, ..
  • geolocation: photos, social networks, ..
  • credentials: sites, mail, VPN, .. → cloud storage

Slide 14/43
[Network diagram: desktop, ext. router, web server, db server, file server, dep. server, desktops, firewall, access point, BY0D user, wifi user, Mr. MobileMalicious, app backend]

Slide 15/43
[Same diagram as slide 14, adding "OOB covert channel (UMTS/GPRS/SMS/..)" and "Bring Your 0wned Device"]

Slides 16/43 and 17/43
[Network diagram without the attacker: hot-spot user, desktop, ext. router, web server, db server, file server, dep. server, desktops, firewall, access point, BY0D user, wifi user, cloud services, app backend]

Slide 18/43
[Same diagram as slide 16, adding "Mr. WifiMiTM"]

Slide 19/43
[Diagram as in slide 18, with the labels "no HTTPS (ouch ouch ouch)", "MiTM Hot Spot", "Rogue APs"]

Slides 20/43 and 21/43
[Diagram as in slide 18]

Slide 22/43
[Diagram as in slide 18]
• MiTM (browser)
  • no SSL?
    • traffic mangling
  • SSL?
    • does the user tap "continue"?
    • game over

Slide 23/43
[Diagram as in slide 18]
• MiTM (app)
  • no SSL?
    • traffic mangling
  • SSL?
    • does the app verify the certificate?
      • OK!
    • the app does not verify the certificate?
      • game over
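Slide 23's "does the app verify the certificate?" question is what a code reviewer has to answer for every app that talks HTTPS. The following Python script is an added example, not part of the talk: a heuristic source audit that flags the usual ways Android/Java code switches TLS validation off (an empty checkServerTrusted, getAcceptedIssuers returning null, a HostnameVerifier whose verify always returns true, Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER), run over two constructed Java snippets.

```python
import re

# Each pattern matches one common way of disabling certificate or hostname
# validation in Android/Java code. They are whitespace-tolerant regexes over
# the raw source text, not a Java parser: treat hits as leads for review.
PATTERNS = {
    "empty checkServerTrusted (TrustManager accepts any chain)":
        re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S),
    "getAcceptedIssuers returns null":
        re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;", re.S),
    "HostnameVerifier.verify always returns true":
        re.compile(r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;", re.S),
    "ALLOW_ALL_HOSTNAME_VERIFIER used":
        re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
}


def audit(source):
    """Return a sorted list of (line_number, description) for every hit in a Java source string."""
    findings = []
    for desc, rx in PATTERNS.items():
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, desc))
    return sorted(findings)


# Constructed sample: the "app does not verify the cert" case from the slide.
INSECURE_SAMPLE = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String auth) {}
    public void checkServerTrusted(X509Certificate[] chain, String auth) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession session) { return true; }
});
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed sample: the platform trust store and default hostname check are kept.
SECURE_SAMPLE = """\
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(ctx.getSocketFactory());
"""

if __name__ == "__main__":
    for name, src in (("insecure", INSECURE_SAMPLE), ("secure", SECURE_SAMPLE)):
        print(name, audit(src))
```

Pointing audit() at the decompiled sources from an .apk (slide 28) gives a first list of places where the "app does not verify the cert" branch of slide 23 applies.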
Slide 24/43
[Diagram as in slide 18]
• game over = traffic mangling
  • sniffing
    • credentials
    • data
  • reverse engineering
    • traffic/protocols
    • business logic
    • API/URL analysis
  • rogue/fake app
  • HTML-like c.s. attacks
    • JS injection & co.
    • client side injection

Slide 25/43
https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-app-ssl-implementations-101912

Slide 26/43
https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-app-ssl-implementations-101912
Yeah sure, that was 2012.. but now..

Slide 27/43
[Diagram as in slide 8, with the label "download .apk (install app)"]

Slide 28/43
[Diagram as in slide 8]
• .apk
  • download
    • market install
    • adb pull
  • extraction
    • dex2jar, apk-extractor, ..
  • analysis
    • resources, manifest, ..
  • decompilation
    • jd-gui, ypjd, ..

Slides 29/43, 30/43 and 31/43
[Diagram as in slide 8]

Slide 32/43
[Diagram as in slide 8]
• .apk
  • business logic analysis
    • broken/no auth
    • broken/no session management
    • credentials/certificates
    • "private" URLs/APIs
      • HTTP/JSON/XMLRPC/WS/..
      • SQL injections
      • path traversal
      • broken/no auth/session management
      • ...
    • custom/other protocols
      • reverse engineering
      • see above

Slide 33/43
[Diagram as in slide 8]

Slide 34/43
[Diagram as in slide 8]
http://www.example.com/app/privateapi?user=paperino
http://www.example.com/app/privateapi?user=pluto

Slide 35/43
[Diagram as in slide 8]
http://www.example.com/app/privateapi?user=paperino&pass=moo
http://www.example.com/app/privateapi?user=pluto'--&pass=boh
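Slides 34 and 35 show the two flaws of a "private" API that trusts its query string: the user parameter is taken at face value (no authorization), and the login splices user and pass straight into SQL. The following Python example is added here and is not from the talk; it runs the slides' URLs against a constructed in-memory SQLite user table, with a vulnerable handler next to a fixed one (table, handler names and sample users are hypothetical).

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    """Constructed sample backend data for the privateapi endpoint on the slides."""
    db = sqlite3.connect(":memory:")
    # Passwords are stored in clear only to keep the example short;
    # a real backend stores a salted password hash.
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("paperino", "moo", "paperino's data"),
                    ("pluto", "s3cret", "pluto's data")])
    return db


def params(url):
    """Extract the user and pass query parameters exactly as the slides' URLs carry them."""
    q = parse_qs(urlparse(url).query)
    return q.get("user", [""])[0], q.get("pass", [""])[0]


def login_vulnerable(db, url):
    user, password = params(url)
    # Statement text is built by concatenation: whatever the client puts in
    # 'user' becomes SQL. With user=pluto'-- the rest of the WHERE clause
    # (including the password check) is commented out.
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND pass = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, url):
    user, password = params(url)
    # Values are bound as parameters and never become part of the statement text.
    row = db.execute("SELECT name FROM users WHERE name = ? AND pass = ?",
                     (user, password)).fetchone()
    return row[0] if row else None


def profile_vulnerable(db, url, session_user):
    # Slide 34: the backend returns whatever 'user' the URL names and never
    # looks at who is actually logged in (session_user is ignored).
    user, _ = params(url)
    row = db.execute("SELECT secret FROM users WHERE name = ?", (user,)).fetchone()
    return row[0] if row else None


def profile_fixed(db, url, session_user):
    # Authorization is decided server-side from the session, not from the URL.
    user, _ = params(url)
    if session_user is None or user != session_user:
        return None
    row = db.execute("SELECT secret FROM users WHERE name = ?", (user,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    evil = "http://www.example.com/app/privateapi?user=pluto'--&pass=boh"
    print("vulnerable login:", login_vulnerable(db, evil))
    print("fixed login:     ", login_fixed(db, evil))
    other = "http://www.example.com/app/privateapi?user=pluto"
    print("vulnerable profile as paperino:", profile_vulnerable(db, other, "paperino"))
    print("fixed profile as paperino:     ", profile_fixed(db, other, "paperino"))
```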
Slide 36/43
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks

Slides 37/43 and 38/43
bonus track :)

Slide 39/43
http://www.guardian.co.uk/technology/2012/jan/30/android-malware-row

Slide 40/43
• spread and "jeopardization" (AUGH!)
• sources (AOSP), docs, SDK, NDK, emulator, ..
• .apk → decompilation, reversing, debugging
• OS updates, apps and alternative markets
• application permissions "delegated" to the users
• Linux kernel, ~ Linux userspace and libraries (and bugs)
• exploit mitigation techniques (fail) (< 2.3, < 4.0.3)
• OOB "covert" channel (umts/gprs, SMS, ..)
• little-explored territory: custom OS/libs, hw drivers
http://www.enforcer.it/dl/android_security_smau2012.pdf

Slide 41/43
• personal data (mail, documents, contacts, calendar, ..)
• interception (audio, video, messaging, network, ..)
• geolocation (photos, social networks, ..)
• credentials (sites, mail, VPN, ..) → cloud storage
• HTML-like client side attacks
• EvilApp wants to eat your soul.. Install? YES!!!
• BY0D (Bring Your 0wned Device)
• banking OTP ($$)
• NFC ($$)

Slide 42/43
• "private" URLs and web services
• business logic exposed (client-side)
  • -> device -> credentials -> back-end
  • -> device -> storage -> back-end
• hard-coded credentials and certificates (.apk)
• no/lazy input validation
• no/broken authentication & session management
• the good ole web security vulns

Slide 43/43
Webography: http://www.enforcer.it/dl/android_security_smau2012.pdf
Igor Falcomatà - ifalcomata@enforcer.it – CTO, Enforcer - Android and mobile security (for developers)
Questions?
