Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston has spent quite a bit of time evaluating mobile applications. In this presentation he gives the audience a high-level understanding of what the risks are, how to evaluate mobile applications, and examples of how things have been done wrong. Tom used a variety of the top 25 applications downloaded from the Apple App Store and Google Play to provide real-world examples of the problems applications face, and mapped how these applications are vulnerable to the OWASP Mobile Top 10 security issues.

  1. Smart Bombs: Mobile Vulnerability and Exploitation (Tom Eston)
  2. Grilled Smart Phones
  3. Windows Mobile Wins!
  4. Tom Eston
     • Manager, SecureState Profiling & Penetration Team
     • Blogger –
     • Infrequent Podcaster – Security Justice/Social Media Security
     • Zombie aficionado
     • I like to break new technology
  5. What are we talking about today?
     • What’s at risk?
     • Tools, testing and exploitation
     • Common vulnerabilities found in popular apps (this is the fun part)
     • Special thanks to Kevin Johnson and John Sawyer, who helped with this research!
  6. What are Smart Bombs?
     • We’ve got powerful technology in the palm of our hands!
     • We store and transmit sensitive data
     • Mobile devices are being used by:
       – Major businesses (PII)
       – Energy companies (the grid)
       – The government(s)
       – Hospitals (PHI)
       – Your Mom (scary)
  7. That’s right…your Mom
  8. Testing Mobile Apps
     • What are the three major areas for testing?
       – File system: what are apps writing to the file system? How is data stored?
       – Application layer: how are apps communicating via HTTP and web services? SSL?
       – Transport layer: how are apps communicating over the network? TCP and third-party APIs
  9. OWASP Top 10 Mobile Risks
     1. Insecure Data Storage
     2. Weak Server Side Controls
     3. Insufficient Transport Layer Protection
     4. Client Side Injection
     5. Poor Authorization and Authentication
 10. OWASP Top 10 Mobile Risks (continued)
     6. Improper Session Handling
     7. Security Decisions Via Untrusted Inputs
     8. Side Channel Data Leakage
     9. Broken Cryptography
     10. Sensitive Information Disclosure
 11. OWASP Mobile Security Project
     • You should get involved!
     •
 12. Other Issues
     • Privacy of your data!
       – Mobile apps talk to many third-party APIs (ads)
       – What’s collected by Google/Apple/Microsoft?
 13. Common Tools
     • SSH
     • VNC server
     • A compiler (gcc / agcc)
     • Android SDK (adb!)
     • Xcode
     • iExplorer (iOS GUI file explorer)
     • Jailbroken iDevice
     • Rooted Android device
 14. File System Analysis
     • Forensic approach
       – File system artifacts
       – Timeline analysis
       – Log analysis
       – Temp files
 15. Forensic Tools
     • Mobile forensic tools
       – EnCase, FTK, Cellebrite
     • Free and/or open source
       – file, strings, less, dd, md5sum
       – The Sleuth Kit (mactime, mac-robber)
 16. Timelines
     • Timelines are awesome
       – Anyone know log2timeline?
     • Filesystem
       – mac-robber
       – mactime
     • Logs
       – Application- and OS-specific
 17. Temp Files
 18. Viewing & Searching Files
     • cat, less, vi, strings, grep
     • SQLite files
       – GUI browser, API (Ruby, Python, etc.)
     • Android apps
       – ashell, aSQLiteManager, aLogViewer
 19. Application Layer - HTTP
     • Tools used:
       – Burp Suite
       – Burp Suite
       – oh yeah, Burp Suite!
 20. Why Look at the App Layer?
     • Very common in mobile platforms
     • Many errors are found within the application
       – And in how it talks to the back-end service
     • Able to use many existing tools
 21. Misunderstanding Encryption
 22. Base64 Encoding is NOT Encryption!
     • Really. It’s 2012.
     • Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE=
     • Plaintext: My super secret key!
 23. Want Credentials?
     • Note: this is actually a hardcoded password in the UPS app…
 24. Transport Layer - TCP
     • Tools used:
       – Wireshark
       – tcpdump
       – NetworkMiner
 25. Why look at the transport layer?
     • Check to see how network protocols are handled in the app
     • Easily look for SSL certificate or other communication issues
 26. NetworkMiner
     • Extracts files/images and more
     • Can pull out clear-text credentials
     • Quickly view parameters
 27. (image-only slide)
 28. TCP Lab Setup
     • Run tcpdump directly on the device
     • Run Wireshark, sniffing traffic over a wireless AP or network hub setup (lots of ways to do this)
     • Import PCAPs into NetworkMiner
 29. App Vulnerabilities
     • Several examples that we’ve found
     • Many from the Top 25 downloaded apps
 30. Facebook
     • OAuth tokens stored in a PLIST file
     • Simply copy the PLIST file to another device and you’re logged in as them!
     • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox, like password managers…
 31. Evernote
     • Notebooks are stored in the cloud
     • But…it caches some files on the device…
     • OWASP M1: Insecure Data Storage
 32. (image-only slide)
 33. MyFitnessPal
     • Android app stores sensitive data on the device (too much data)
 34. (image-only slide)
 35. Password Keeper “Lite”
     • PIN and passwords stored in a clear-text SQLite database
     • So much for the security of your passwords…
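The file-system checks from slides 18, 22, 30 and 35 (dumping SQLite, spotting base64 "encryption", OAuth tokens sitting in plists, clear-text password databases) combined into one triage script. This is an added example, not code from the talk: the app container it builds, the `com.example.social.plist` name, the token and password values and the `shared_prefs.xml` contents are all constructed for the demo. On a real engagement you would point `audit()` at a directory pulled with `adb pull` or copied out with iExplorer/scp.

```python
"""Insecure-storage triage for an app container pulled off a test device.
Added example, not from the talk. Assumes the container was already copied to
the workstation (iExplorer/scp from a jailbroken iDevice, adb pull from a rooted
Android device); build_sample() constructs a fake one so this runs offline.
"""
import base64
import binascii
import os
import plistlib
import re
import shutil
import sqlite3
import tempfile

SENSITIVE = re.compile(r"pass|pin|secret|token|oauth|key|credential", re.I)
# 16+ base64-alphabet chars, not glued to more alphabet on either side
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")

def scan_sqlite(path):
    """(table, column, value) for every column whose name matches SENSITIVE."""
    hits = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            wanted = [c for c in cols if SENSITIVE.search(c)]
            if wanted:
                sel = ", ".join(f'"{c}"' for c in wanted)
                for row in con.execute(f'SELECT {sel} FROM "{t}"'):
                    hits.extend((t, c, v) for c, v in zip(wanted, row))
    finally:
        con.close()
    return hits

def scan_plist(path):
    """(key_path, value) for string/bytes values stored under a sensitive-looking key."""
    hits = []
    def walk(obj, prefix=""):
        items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else ()
        for k, v in items:
            if SENSITIVE.search(str(k)) and isinstance(v, (str, bytes)):
                hits.append((f"{prefix}{k}", v))
            walk(v, f"{prefix}{k}.")
    with open(path, "rb") as f:
        walk(plistlib.load(f))  # handles both XML and binary plists
    return hits

def scan_base64(path):
    """(token, decoded) for base64 runs that decode to 8+ bytes of printable ASCII."""
    hits = []
    with open(path, "rb") as f:
        blob = f.read()
    for m in B64_RE.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # bad length or padding: not base64 after all
        if len(decoded) >= 8 and all(32 <= b < 127 for b in decoded):
            hits.append((m.group(0).decode(), decoded.decode()))
    return hits

def audit(root):
    """Walk the container and collect findings keyed by artefact type."""
    findings = {"sqlite": [], "plist": [], "base64": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as f:
                magic = f.read(16)
            if magic == b"SQLite format 3\x00":
                findings["sqlite"] += [(rel,) + h for h in scan_sqlite(path)]
                continue  # binary: run `strings` over it rather than the base64 pass
            if name.endswith(".plist"):
                findings["plist"] += [(rel,) + h for h in scan_plist(path)]
            findings["base64"] += [(rel,) + h for h in scan_base64(path)]
    return findings

def build_sample():
    """Constructed container: an OAuth token in a plist, a clear-text PIN/password
    vault in SQLite, and a base64-'encrypted' API key in an Android prefs file."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    with open(os.path.join(root, "Library", "Preferences", "com.example.social.plist"), "wb") as f:
        plistlib.dump({"user": "alice", "oauth_token": "AAAB12CDEF34GHIJ56KLMN78OPQR90STU"}, f)
    con = sqlite3.connect(os.path.join(root, "keeper.db"))
    con.executescript("CREATE TABLE vault (id INTEGER, site TEXT, pin TEXT, password TEXT);"
                      "INSERT INTO vault VALUES (1, 'bank', '1234', 'hunter2');")
    con.close()
    with open(os.path.join(root, "shared_prefs.xml"), "w") as f:
        f.write('<map><string name="api_key">TXkgc3VwZXIgc2VjcmV0IGtleSE=</string></map>\n')
    return root

def run_demo():
    """Build the sample container, audit it, clean up, and return the findings."""
    root = build_sample()
    try:
        return audit(root)
    finally:
        shutil.rmtree(root)
```

The key-name regex is deliberately broad: a false positive costs a few seconds of triage, a missed `pin` column costs the finding. The base64 pass requires a valid length and padding and a fully printable result, which is what separates an encoded secret from the random-looking identifiers that litter plists and prefs files.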
 36. (image-only slide)
 37. (image-only slide)
 38. (image-only slide)
 39. Draw Something
     • Word list stored on the device
     • Modify it to mess with your friends
 40. LinkedIn
     • SSL only for authentication
     • Session tokens and data sent over HTTP
     • Lots of apps do this
     • M3: Insufficient Transport Layer Protection
     • Note: this was fixed in the latest version of the app (for iOS at least)
 41. Auth over SSL / Data sent over HTTP
 42. (image-only slide)
 43. Pandora
     • Registration over HTTP
     • Username/password and registration info sent in clear text
     • Unfortunately…lots of apps do this
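The transport-layer checks from slides 26, 28, 40 and 43 (NetworkMiner pulling clear-text credentials out of a PCAP; session tokens and registration data going over HTTP after an SSL login) as one script. This is an added example, not code from the talk and not NetworkMiner's logic: it is a minimal classic-pcap reader for Ethernet/IPv4/TCP, and the capture it analyses, the hosts (203.0.113.x, `api.example.test`) and the credentials in it are constructed for the demo. A real run would read a file taken with tcpdump on the device: `find_cleartext_secrets(open("app.pcap", "rb").read())`.

```python
"""Find credentials and session tokens sent over plain HTTP in a pcap.

Added example, not from the talk: a minimal pcap reader that does what the
talk uses NetworkMiner for, limited to Ethernet/IPv4/TCP and unencrypted
HTTP. build_capture() constructs a sample capture so the script runs offline.
"""
import struct
from urllib.parse import parse_qsl

PCAP_MAGIC = 0xA1B2C3D4
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pin", "token", "session", "sessionid"}
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"}


def iter_frames(pcap):
    """Yield raw link-layer frames from classic (non-pcapng) pcap bytes."""
    endian = "<" if struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def tcp_flows(frames):
    """{(src, sport, dst, dport): payload}, segments concatenated in capture order.

    Good enough for a lab capture with one request per connection; real
    reassembly would order by sequence number and drop retransmits."""
    flows = {}
    for f in frames:
        if len(f) < 54 or struct.unpack_from("!H", f, 12)[0] != 0x0800 or f[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (f[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", f, 16)[0]
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", f, tcp)
        doff = (f[tcp + 12] >> 4) * 4
        key = (".".join(map(str, f[26:30])), sport, ".".join(map(str, f[30:34])), dport)
        flows[key] = flows.get(key, b"") + f[tcp + doff:14 + ip_len]
    return flows


def find_cleartext_secrets(pcap):
    """(host, target, kind, value) for Authorization/Cookie headers and sensitive
    query/body parameters in every flow that is plain HTTP. TLS flows have no
    CRLFCRLF header block and no request method, so they never match."""
    hits = []
    for (_, _, dst, _), data in tcp_flows(iter_frames(pcap)).items():
        if b"\r\n\r\n" not in data:
            continue
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        parts = lines[0].split(" ", 2)
        if len(parts) != 3 or parts[0] not in METHODS:
            continue
        target = parts[1]
        headers = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        host = headers.get("host", dst)
        for h in ("authorization", "cookie"):
            if h in headers:
                hits.append((host, target, h, headers[h]))
        for name, val in parse_qsl(target.partition("?")[2]) + parse_qsl(body.decode("latin-1")):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((host, target, name, val))
    return hits


def _frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (our parser never checks them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_capture():
    """Constructed capture: a login POST and a cookie-bearing GET to port 80
    (the LinkedIn/Pandora pattern) plus a TLS flow to 443 that must be ignored."""
    phone, web, api = (10, 0, 0, 2), (203, 0, 113, 10), (203, 0, 113, 11)
    body = b"username=alice&password=hunter2&remember=1"
    post = (b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    get = (b"GET /feed?session=abc123 HTTP/1.1\r\nHost: api.example.test\r\n"
           b"Cookie: sid=deadbeef\r\n\r\n")
    tls_hello = b"\x16\x03\x01\x00\x05hello"  # TLS record header: opaque to us
    frames = [_frame(phone, web, 50000, 80, post), _frame(phone, web, 50001, 80, get),
              _frame(phone, api, 50002, 443, tls_hello)]
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap


if __name__ == "__main__":
    for hit in find_cleartext_secrets(build_capture()):
        print(*hit)
```

The detection is on content, not port: a request line plus a header block is HTTP whatever port it rides on, so an app talking plain HTTP on 8080 is still caught and a TLS session on a non-standard port is still skipped. The LinkedIn case on slide 40 shows up as exactly this output: no hit for the login (it went over SSL) and a `cookie` or `session` hit for every request after it.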
 44. (image-only slide)
 45. Hard Coded Passwords/Keys
     • Major grocery chain “Rewards” Android app
     • Simple to view the source and extract the private key
     • OWASP M9: Broken Cryptography
     • Do developers really do this?
 46. Why yes, they do!
 47. Privacy Issues
     • Example: Draw Something app (Top 25)
     • UDID and more sent to the following third-party ad providers: – – – –
 48. What is UDID?
     • Alphanumeric string that uniquely identifies an Apple device
 49. (image-only slide)
 50. Pinterest and
 51. (image-only slide)
 52. Conclusions
     • Mobile devices are critically common
     • Most people use them without thinking of security
     • Developers seem to be repeating the past
     • Lots of issues besides mobile application security
       – BYOD
       – The device itself (jailbreaking/rooting)
       – MDM and enterprise management
       – The list goes on…