Avalanche Disclosure
Story about static analysis of 15k mobile Apps
Who am I?
• Work hard on defense
• Have fun in offensive
• Break things
Alexey Troshichev
@pl0lq
pl0lq@hackapp.com
#ZeroNights2013
hackapp.com
What’s wrong with an App?
Insecure transfer
Injections
Insecure storage
Architecture flaws

Mobile OWASP for bla-bla-bla ...
Common Attacks
On-device analysis?
Unlock Device
Remove DRM
Setup research environment
Dynamic analysis
Time & Brains
An App is dangerous for the user, but what about the vendor?
Why should we waste time attacking one user, when we can just break into the backend to get them all?
Why always just the binary file?
What App can tell us?
Testing environment disclosure
Third party services authentication data
Built-in accounts
Something you can’t even imagine =)
Why is it interesting?
Installation is not important
Finally, we are just searching strings…
…and it could be automated =)
Let’s build a Grinder !
AWK, STRINGS, GREP?
Not suitable for binary containers
Too much garbage
“Typical” Application

DRM
Actual Application
Steps
Containers recursive traversal
“Unusual” files search
Selective GREP
Structure validation
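The four steps above, together with the earlier point that awk, strings and grep are the wrong tools for a binary container, as one runnable scanner. This is an added example, not code from the talk or from hackapp.com: it unpacks an .ipa-style zip recursively (following zip-in-zip assets), flags files that are suspicious by extension alone, greps the unpacked contents with a few targeted patterns instead of dumping every string, and then validates the structure of each hit (base64/DER shape for a private key, length and entropy for an AWS secret) so that placeholders and truncated fragments are not reported. The extension list, the regexes, the thresholds, the nesting and size limits, and the sample bundle are all constructed assumptions.

```python
"""Added example, not from the talk: a minimal "grinder" for an app bundle that
applies the four steps - recursive container traversal, unusual-file search,
selective grep, structure validation - so only hits whose shape checks out are
reported. Every name, pattern and sample value here is constructed."""
import base64
import binascii
import io
import math
import posixpath
import re
import zipfile

MAX_ENTRY_BYTES = 50 * 1024 * 1024      # decompression-bomb guard (assumed limit)
MAX_NESTING = 3                          # how deep to follow zip-in-zip containers

# Step 2: file types that are suspicious by name alone (assumed list).
UNUSUAL_EXTENSIONS = {".p12", ".pem", ".key", ".ovpn", ".mobileprovision", ".sql", ".sqlite"}

# Step 3: selective grep - a handful of targeted patterns instead of dumping `strings`.
PATTERNS = {
    "aws_secret": re.compile(rb"(?i)aws[_-]?secret[^A-Za-z0-9/+]{0,5}([A-Za-z0-9/+]{40})"),
    "private_key_der": re.compile(rb"(MII[A-Za-z0-9+/]{20,}={0,2})"),  # base64 of a DER SEQUENCE
    "private_key_pem": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        rb'(?<![A-Za-z0-9_-])secret(?:_[a-z]+)?["\']?\s*[:=]\s*["\']?([A-Za-z0-9]{16,64})'),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; used to tell random-looking secrets from placeholders."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def validate(kind: str, value: bytes) -> bool:
    """Step 4: structure validation - does the grep hit have the shape its kind implies?"""
    if kind == "aws_secret":
        return len(value) == 40 and shannon_entropy(value) > 3.5
    if kind == "private_key_der":
        try:
            der = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return False
        # Outer SEQUENCE (0x30) with a two-byte long-form length that must match the body.
        return (len(der) >= 4 and der[0] == 0x30 and der[1] == 0x82
                and int.from_bytes(der[2:4], "big") == len(der) - 4)
    if kind == "private_key_pem":
        return True                      # the PEM header itself is the structure
    if kind == "generic_secret":
        return shannon_entropy(value) > 2.5
    return False


def walk_container(data: bytes, path: str = "", depth: int = 0):
    """Step 1: yield (path, bytes) for every regular file, descending into nested zips."""
    if depth > MAX_NESTING:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            child = zf.read(info)
            child_path = f"{path}/{info.filename}" if path else info.filename
            if zipfile.is_zipfile(io.BytesIO(child)):
                yield from walk_container(child, child_path, depth + 1)
            else:
                yield child_path, child


def scan_bundle(bundle: bytes) -> list:
    """Run all four steps over one .ipa-style zip and return one dict per finding."""
    findings = []
    for path, data in walk_container(bundle):
        if posixpath.splitext(path)[1].lower() in UNUSUAL_EXTENSIONS:
            findings.append({"path": path, "kind": "unusual_file", "value": "", "valid": True})
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(data):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"path": path, "kind": kind,
                                 "value": value.decode("ascii", "replace"),
                                 "valid": validate(kind, value)})
    return findings


# Constructed stand-in for a PKCS#8 blob: SEQUENCE, long-form length 0x20, 32 bytes of body.
FAKE_DER = b"\x30\x82\x00\x20" + bytes(range(32))


def build_sample_ipa() -> bytes:
    """Constructed test bundle (not a real app): an outer zip with a nested zip asset."""
    b64_key = base64.b64encode(FAKE_DER).decode()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("assets/keys.txt",
                    "RSA private key:" + b64_key + "\n"
                    "truncated:" + b64_key[:32] + "\n")      # cut short, must fail validation
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", "<plist><dict/></plist>")
        zf.writestr("Payload/Demo.app/config.json",
                    '{"AWS-secret":"EXAMPLEsecret0123456789ABCDEFGHIJKLMNOPQ",'
                    '"secret":"DEADBEEF00112233","secret_android":"0000000000000000"}')
        zf.writestr("Payload/Demo.app/dev.p12", b"\x30\x82\x00\x10" + b"\x00" * 16)
        zf.writestr("Payload/Demo.app/assets.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_bundle(build_sample_ipa()):
        print(f"{'HIT ' if f['valid'] else 'skip'} {f['kind']:16} {f['path']}  {f['value'][:24]}")
```

Run it directly to see the constructed bundle scanned: of six raw hits, the two rejected ones (an all-zero "secret" and a key cut in half) show why the last step matters. For a real pre-release check the same loop would run over the built .ipa in CI and fail the build on any valid finding.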
Let’s take ~15k iOS Apps
from iTunes Finance section…
…I like Finance
What’s inside?
224061 files of 1396 types
Low hanging fruits
94452 files = 42% of whole
Shared authentication
“Secure” communication
Third party services
Third party services
Access to user data
AWS-secret:eyH0aw7IW7wdL8z2eSyK/A8q7rIF7uEMVpvQkbwC

You “publish” your contacts and photos by installing the app… =(
Not identified
• RSA private key:MIICeQIBADANBgkqhkiG9w6xmHVejkTokPs68ow==
• secret:164AC36F64FCC2D5
• secret:33728B17A93A4A92
• secret:4711429DAE3C6F7C
• secret:62ebd594bc903feeea5ee459715e08fa
• secret:6508E621E259AC4A
• secret:697E46CE13AA557B
• secret:76a863da0821f58ecb13e31cb761c573
• secret:a7df64e1d5a33a93c12b06fa0f8c6f47
• secret_android:2859389F73072C90
• secret_android:3D05E67E03216A9B
• secret_android:66549A9BB401AF56
• secret_android:678649CED531B8E8
• secret_android:745A209380630940
(and more, and more, and more…)
4% Apps released
with hardcoded credentials
DEV Environment
svn://mokah.siab01.com/
https://test.freerange360.com/
http://test.mmf.berlingskemedia.net
http://test.informatel.com
http://test.improveagency.com
http://test.appswiz.com
https://test.freerange360.
https://dev.magtab.com:8888
http://dev.touchpublisher.com
http://dev.pressrun.com/
http://dev.openstreetmap.de/
http://dev.aleph-labs.com
(and more, and more…)
Mad Stuff
Shocking configs

SMS gateway
OpenVpn config
Unpredictable
Developers Certificates
P12 containers, most are encrypted, but..
HAVE NO TIME TO EXPLAIN
Is there an App for that?

http://hackapp.com/
Dashboard
Report
Details
Questions?

URL: http://hackapp.com/
Twitter: @hackapp
Mail: info@hackapp.com
Published on SlideShare as: Alexey Troshichev - Strike to the infrastructure, a story about analyzing thousands of mobile apps