Uploaded byHackApp
2,961 views

Avalanche Disclosure

The document discusses the results of analyzing over 15,000 iOS finance apps. Several common security issues were found, including hardcoded credentials in 4% of apps that could give access to user data and backend systems. Tests revealed unencrypted private keys, authentication secrets, and development environment details. Many apps also contained SMS gateway configurations and open VPN profiles.

Embed presentation

Downloaded 17 times
Avalanche Disclosure Story about static analysis of 15k mobile Apps
Who am I? • Work hard on defense • Have fun in offensive • Break things Alexey Troshichev @pl0lq pl0lq@hackapp.com #ZeroNights2013 hackapp.com 2
What’s wrong with an App ? Insecure transfer Injections Insecure storage Architecture flaws Mobile OWASP for bla-bla-bla … #ZeroNights2013 hackapp.com 3
Common Attacks #ZeroNights2013 hackapp.com 4
On-device analysis ? Unlock Device Remove DRM Setup research environment Dynamic analysis Time & Brains #ZeroNights2013 hackapp.com 5
App is dangerous for user, but what’s about vendor ? Why should we waste time attacking one user, when we can just break into backend to get them all ? Why always just binary file? #ZeroNights2013 hackapp.com 6
What App can tell us? Testing environment disclosure Third party services authentication data Built-in accounts Something you can’t even imagine =) #ZeroNights2013 hackapp.com 7
Why it’s interesting? Installation is not important Finally, we are just searching strings… …and it could be automated =) #ZeroNights2013 hackapp.com 8
Let’s build a Grinder ! #ZeroNights2013 hackapp.com 9
AWK, STRINGS, GREP ? Not suitable for binary containers Too many garbage #ZeroNights2013 hackapp.com 10
“Typical” Application DRM #ZeroNights2013 hackapp.com 11
Actual Application #ZeroNights2013 hackapp.com 12
Steps Containers recursive traversal “Unusual” files search Selective GREP Structure validation #ZeroNights2013 hackapp.com 13
Let’s take ~15k iOS Apps from iTunes Finance section… …I like Finance #ZeroNights2013 hackapp.com 14
What’s inside ? 224061 files of 1396 types #ZeroNights2013 hackapp.com 15
Low hanging fruits 94452 files = 42% of whole #ZeroNights2013 hackapp.com 16
Shared authentication #ZeroNights2013 hackapp.com 17
“Secure” communication #ZeroNights2013 hackapp.com 18
Third party services #ZeroNights2013 hackapp.com 19
Third party services #ZeroNights2013 hackapp.com 20
Access to user data AWS-secret:eyH0aw7IW7wdL8z2eSyK/A8q7rIF7uEMVpvQkbwC You “publish” your contacts and photos by installing the app… =( #ZeroNights2013 hackapp.com 21
Not identified • • • • • • • • • • • • • • RSA private key:MIICeQIBADANBgkqhkiG9w6xmHVejkTokPs68ow== secret:164AC36F64FCC2D5 secret:33728B17A93A4A92 secret:4711429DAE3C6F7C secret:62ebd594bc903feeea5ee459715e08fa secret:6508E621E259AC4A secret:697E46CE13AA557B secret:76a863da0821f58ecb13e31cb761c573 secret:a7df64e1d5a33a93c12b06fa0f8c6f47 secret_android:2859389F73072C90 secret_android:3D05E67E03216A9B secret_android:66549A9BB401AF56 secret_android:678649CED531B8E8 secret_android:745A209380630940 (and more, and more, and more…) #ZeroNights2013 hackapp.com 22
4% Apps released with hardcoded credentials #ZeroNights2013 hackapp.com 23
DEV Environment svn://mokah.siab01.com/ https://test.freerange360.com/ http://test.mmf.berlingskemedia.net http://test.informatel.com http://test.improveagency.com http://test.appswiz.com https://test.freerange360. https://dev.magtab.com:8888 http://dev.touchpublisher.com http://dev.pressrun.com/ http://dev.openstreetmap.de/ http://dev.aleph-labs.com (and more, and more… ) #ZeroNights2013 hackapp.com 24
Mad Stuff #ZeroNights2013 hackapp.com 25
Shocking configs SMS gateway OpenVpn config #ZeroNights2013 hackapp.com 26
Unpredictable #ZeroNights2013 hackapp.com 27
Developers Certificates P12 containers, most are encrypted, but.. #ZeroNights2013 hackapp.com 28
HAVE NO TIME TO EXPLAIN #ZeroNights2013 hackapp.com 29
Is there an App for that? http://hackapp.com/ #ZeroNights2013 hackapp.com 30
Dashboard #ZeroNights2013 hackapp.com 31
Report #ZeroNights2013 hackapp.com 32
Details #ZeroNights2013 hackapp.com 33
Questions ? URL: Twitter: Mail: #ZeroNights2013 http://hackapp.com/ @hackapp info@hackapp.com hackapp.com 34

More Related Content

PPTX
Owasp for testing_mobile_apps_opd
byPawel Rzepa
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PDF
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
byMauricio Velazco
 
PDF
Feeding the Virtual Patch Pipeline
byDevOps.com
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PPTX
Purple is the New Black: Modern Approaches for Application Security
byTanya Janca
 
PDF
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
byMauricio Velazco
 
PDF
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
byDevOps.com
 
Owasp for testing_mobile_apps_opd
byPawel Rzepa
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
byMauricio Velazco
 
Feeding the Virtual Patch Pipeline
byDevOps.com
 
Threat Hunting with Splunk
bySplunk
 
Purple is the New Black: Modern Approaches for Application Security
byTanya Janca
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
byMauricio Velazco
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
byDevOps.com
 

What's hot

PPTX
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
byDakiry
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
PDF
Red Team vs. Blue Team on AWS
byPriyanka Aash
 
PDF
Threat Intelligence Field of Dreams
byGreg Foss
 
PDF
Opencart security testing
byvikram vashisth
 
PPTX
Security War Games
bySeniorStoryteller
 
PDF
Creating Your Own Threat Intel Through Hunting & Visualization
byRaffael Marty
 
PPTX
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PPTX
Rugged DevOps at Scale with Rich Mogull
bySeniorStoryteller
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PDF
ChaoSlingr: Introducing Security-Based Chaos Testing
byPriyanka Aash
 
PDF
Threat Hunting with Splunk Hands-on
bySplunk
 
PPTX
Splunk Enterprise for Information Security Hands-On Breakout Session
bySplunk
 
PPTX
Stephen Sadowski - Securely automating infrastructure in the cloud
byDevSecCon
 
PDF
Basics of Meterpreter Evasion
byNipun Jaswal
 
PDF
TakeDownCon Rocket City: Cyber Security via Technology Fails by Jeremy Conway
byEC-Council
 
PDF
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
PPTX
Threat Hunting with Splunk
bySplunk
 
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
byDakiry
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
Red Team vs. Blue Team on AWS
byPriyanka Aash
 
Threat Intelligence Field of Dreams
byGreg Foss
 
Opencart security testing
byvikram vashisth
 
Security War Games
bySeniorStoryteller
 
Creating Your Own Threat Intel Through Hunting & Visualization
byRaffael Marty
 
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Rugged DevOps at Scale with Rich Mogull
bySeniorStoryteller
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
ChaoSlingr: Introducing Security-Based Chaos Testing
byPriyanka Aash
 
Threat Hunting with Splunk Hands-on
bySplunk
 
Splunk Enterprise for Information Security Hands-On Breakout Session
bySplunk
 
Stephen Sadowski - Securely automating infrastructure in the cloud
byDevSecCon
 
Basics of Meterpreter Evasion
byNipun Jaswal
 
TakeDownCon Rocket City: Cyber Security via Technology Fails by Jeremy Conway
byEC-Council
 
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
Threat Hunting with Splunk
bySplunk
 

Similar to Avalanche Disclosure

PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
PPTX
Building a Mobile Security Program
byDenim Group
 
PDF
Developing Secure Mobile Applications
byDenim Group
 
PDF
Securing Mobile Apps - Appfest Version
bySubho Halder
 
PDF
Mobile arsenal
byAckcent
 
PPTX
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
PDF
Security Testing Mobile Applications
byDenim Group
 
PPTX
For Business's Sake, Let's focus on AppSec
byLalit Kale
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PDF
Attacking and Defending Mobile Applications
byJerod Brennen
 
PPTX
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
PDF
Mbs r35 a
bySelectedPresentations
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
PPTX
Building an application security program
byOutpost24
 
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
byiphonepentest
 
PDF
How to Build Secure Mobile Apps.pdf
byvenkatprasadvadla1
 
PDF
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
PPTX
Security Imeprative for iOS and Android Apps
bySymosis Security (Previously C-Level Security)
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
byTom Eston
 
PPTX
"Certified" apps, are they really secure? Break them or fix them, your choice!
byJose L. Quiñones-Borrero
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
Building a Mobile Security Program
byDenim Group
 
Developing Secure Mobile Applications
byDenim Group
 
Securing Mobile Apps - Appfest Version
bySubho Halder
 
Mobile arsenal
byAckcent
 
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
Security Testing Mobile Applications
byDenim Group
 
For Business's Sake, Let's focus on AppSec
byLalit Kale
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Attacking and Defending Mobile Applications
byJerod Brennen
 
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
Mbs r35 a
bySelectedPresentations
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
Building an application security program
byOutpost24
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
byiphonepentest
 
How to Build Secure Mobile Apps.pdf
byvenkatprasadvadla1
 
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
Security Imeprative for iOS and Android Apps
bySymosis Security (Previously C-Level Security)
 
Smart Bombs: Mobile Vulnerability and Exploitation
byTom Eston
 
"Certified" apps, are they really secure? Break them or fix them, your choice!
byJose L. Quiñones-Borrero
 

Recently uploaded

PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 

Avalanche Disclosure