2. Important notes
• The goal of this presentation is to provide you a basic
knowledge about mobile risks and easy methodology
to find those risks in your applications.
• If you want to add anything important/interesting
and related to the topic – feel free to interrupt me ;).
6. Insecure data storage – what it is?
• Simple words definition: valuable pieces of
data (e.g. passwords, cookies, personal
information) are stored in the data-stores on
the device in insecure (plain text or reversable
encoding) format.
7. Insecure data storage – what to look for?
• Look for any sensitive information in:
– SQLite databases (local)
– XML Data Stores
– Plain text configuration files
– Cookie stores
– SD Card
8. Insecure data storage – how to find?
• Install and run application for some time
• Monitor changes in /sdcard before and after
installing an application
• Analyze package files on different stages:
adb pull /data/data/<apk_package_name>
10. Insecure data storage – real example
• Outlook stored all attachements as
unencrypted and world readable files on
external storage.
11. Insecure data storage - mitigations
• Don’t store data unless it’s absolutely
necessarry.
• Use encryption for local storage (use method
setStorageEncryption).
• For databases consider using SQLcipher for
Sqlite data encryption.
• Ensure any shared preferences properties are
NOT MODE_WORLD_READABLE.
13. Insufficient transport layer protection
– what it is?
• Simple words definition: application does NOT
implement TLS or it does incorrectly.
14. What do you mean „incorrectly”?
• Insecure implementations are:
– Using known weak ciphers / version (e.g.
SSLv2/SSLv3, RC4)
– Securing only part of the communication (e.g. only
authentication)
– Lack of certificate inspection
15. Certificate inspection in web
applications – chain of trust.
• In web applications the validation of certificate is on
the side of a browser.
• It is done by a „chain of trust”.
• But how a mobile app can know if it is
communicating with a proper server?
16. Cert Pinning - theory
• Embedded in source code expected X509
certificate or public key.
if (presented_cert == pinned_cert)
Start_connection();
else
Drop_connection();
17. Cert Pinning - reality
• Guys from Leibniz Universität Hannover tested
100 apps and…
• 21 apps trust all certificates
• 20 apps accept all hostnames
• And in the end they asked developers why it
happened…
More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf
18. Insufficient transport layer protection-
how to find?
• Passive analysis with Wireshark/Burp (to
check if all traffic is encrypted)
• Use Mallodroid:
./mallodroid.py –f AppToCheck.apk –d ./javaout
• Look for end point implementation flaws using
SSLyze (or https://www.ssllabs.com/ssltest/
for public domain):
sslyze --regular www.example.com:443
20. Insufficient transport layer protection-
few facts from reality
• According to the FireEye research from July 17
2014, among 1000 most-downloaded free
applications in the Google Play store:
Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
21. Insufficient transport layer protection-
mitigations
• Any sensitive data MUST be transfered over TLS
• How to do it properly? Follow the rules:
https://www.owasp.org/index.php/Transport_Layer_Protectio
n_Cheat_Sheet
23. Unintended data leakage – what it is?
• Simple word definition: OS/frameworks puts
sensitive information in an insecure location in
the device.
• Important note: insecure data storage talks
about developer conscious efforts to store
data in insecure manner, while unintended
data leakage refers to OS/framework specific
quirks which can cause data leakages.
24. Unintended data leakage – common
leakage points
• URL Caching
• Copy/Paste buffer Caching
• Logging
• Analytics data sent to 3rd parties (e.g. ads
sending GPS location)
25. Unintended data leakage – how to
find?
• Extract data from leaking content providers using
Drozer:
dz> run app.provider.finduri <package_name>
• Use logcat to verify what is being logged using
ADB:
adb logcat [output filter] | grep cookie,username…
• Use listener (Burp/Wireshark) to monitor what is
being sent to 3rd parties.
• Use Intent Sniffer to see if any confidential data is
sent via Intents.
27. Unintended data leakage - mitigations
• NEVER log any sensitive information (observe
what you’re storing in crashlogs).
• Disable copy/paste function for sensitive part
of the application.
• Disable debugging
(android:debuggable="false").
29. Poor Authorization and Authentication
– what is it?
• Simple words definition: if you’re able to
bypass authentication and/or laverage your
privileges then… your app has poor
authorization and/or authentication.
30. Poor Authorization and Authentication
– how to find?
• Try to bypass authentication by accessing
exported activities using Drozer:
dz> run app.activity.start –component <component_name>
• Intercept traffic with Burp and modify parameter
to login as other user/see unauthorized content
(e.g. by manipulating device ID).
• Test account lockout policy
• Test strong password policy
32. Poor Authorization and Authentication
– real example
• A flaw in application can become an entry
point to compromise an operating system.
• For example a Viber app:
https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k
33. And always remember to…
• …stay reasonable when you’re going to follow
advices from the Internet…
34. Poor Authorization and Authentication
- mitigations
• Assume that client-side authorization and
authentication controls can be bypassed - they
must be re-enforced on the server-side whenever
possible!
• Persistent authentication (Remember Me)
functionality implemented within mobile
applications should never store a user’s
password on the device. It should be optional
and not be enabled by default.
• Do not allow for offline brute force attacks.
36. Broken Cryptography – what it is?
• Simple words definition: using insecure
implementation or implementing it in a
insecure way.
• Few reminders (yeah I know you know it…):
– encoding != encryption
– obfuscation != encryption
37. Broken Cryptography – how to find?
• Decompile the apk using dex2jar (or luyten for
more verbose result) and review jar file in JD-GUI.
• Look for decryption keys (in attacker-readable
folder or hardcoded within binary).
• Try to break encryption algorithm if an
application uses custom encryption.
• Look for usage of insecure and/or deprecated
algorithms (e.g. RC4, MD4/5, SHA1 etc.).
41. Broken Cryptography - mitigations
• Use known, strong cryptography
implementations.
• Do not hardcode keys/credentials/OAUTH
tokens.
• Do not store keys on a device. Use password
based encryption instead.
43. Client side injection – what it is?
• Simple words definition: malicious code can
be provided as an input and executed by the
application (on the client side).
• The malicious code can come from:
– Other application via intent/content provider
– Shared file
– Server response
– Third party website
44. Client side injection – what to inject?
• SQL injection to local db
• XSS/WebView injection
• Directory traversal
• Intent injection
45. A new Android’s toy – the Intents
• Android application can talk
(Inter-Process-
Communication) to any
other component (e.g.
other application, system
service, running new
activity etc.) via special
objects called Intents.
Intent i = new Intent(Intent.ACTION_VIEW,Uri.parse(„https://owasp.org”));
Intent i = new Intent(android.provider.MediaStore.Action_IMAGE_CAPTURE);
46. Client side injection – how to find?
• SQL injections:
dz> run scanner.provider.injection –a <package_name>
• Data path traversal
dz> run scanner.provider.traversal –a <package_name>
• Intent injections
dz> run app.package.manifest –a <package_name>
dz> run app.activity.info –a <package_name>
dz> run app.service.info --permission null –a <package_name>
dz> run intents.fuzzinozer --package_name <package_name> --
fuzzing_intent
48. Client side injection – real example
• The UniversalMDMClient (built-in application Samsung KNOX
– a security feature to seperate personal and professional
activities).
• Crafted URI with „smdm://” prefix allows for remote
installation of ANY application, while a user thinks he’s
installing an update for UniversalMDMClient.
• How it works in practice?
https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM
49. Client side injection - mitigations
• Always validate on a server side any user input!
• For internal communication use only explicit
Intents.
• Avoid using Intent-filter. Even if the Activity has
atribute „exported=false” another application can
define the same filter and a system displays a
dialog, so the user can pick which app to use.
51. Improper session handling – what it is?
• Simple words definition: if your session token
can be guessed, retrieved by third party or
never expires then you have a problem.
52. Improper session handling – how to
find?
• Intercept requests with proxy (e.g. Burp) and
verify if:
– Verify if a session expires (copy a cookie and try to use
it after 30 minutes)
– Verify if a session is destroyed after authentication
state changes (e.g. switching from any logged in user
to another logged in user)
– Verify if you are able to guess any other session (e.g.
it’s easy to impersonate other user when application
uses device ID as a session token)
53. Improper session handling – few facts
from reality
• What we know is that „sessions have to expire”…
• …but how long should it REALLY last?
• According to experiment* the average application
session (counted from opening an app to closing
it) lasts… 71.56 seconds.
* - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/
54. Improper session handling -
mitigations
• Invalidate session on a server side.
• Set session expiration time adjusted to your
application.
• Destroy all unused session tokens.
• Use only high entropy, tested token
generation resources.