Smart Bombs: Mobile Vulnerability and Exploitation


Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will give the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong, and an understanding of how you can perform this testing within your organization.
This talk works with applications from the top three platforms: iOS, Android and BlackBerry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real-world examples of the problems applications face.


  1. Mobile Vulnerability and Exploitation
     • John Sawyer – InGuardians
     • Tom Eston – SecureState
     • Kevin Johnson – Secure Ideas
  2. John Sawyer
     • InGuardians, Inc. - Senior Security Analyst
     • Author/Blogger 1@stplace
     • Retired CTF packet monkey
       ○ Winners DEFCON 14 & 15
     • Avid Mountain Biker… in Florida.
  3. Tom Eston
     • Manager, SecureState Profiling & Penetration Team
     • Blogger – Infrequent Podcaster – Security Justice/Social Media Security
     • Zombie aficionado
     • I like to break new technology
  4. Kevin Johnson
     • Father of Brenna and Sarah
     • Secure Ideas, Senior Security Consultant
     • SANS Instructor and Author
       ○ SEC542/SEC642/SEC571
     • Open-Source Bigot
       ○ SamuraiWTF, Yokoso, Laudanum etc
     • Ninja
  5. What are we talking about today?
     • What’s at risk?
     • Tools, Testing and Exploitation
     • Common vulnerabilities found in popular apps (this is the fun part)
  6. What are Smart Bombs?
     • We’ve got powerful technology in the palm of our hands!
     • We store and transmit sensitive data
     • Mobile devices are being used by:
       ○ Major Businesses (PII)
       ○ Energy Companies (The Grid)
       ○ The Government(s)
       ○ Hospitals (PHI)
       ○ Your Mom (Scary)
  7. That’s right…your Mom
  8. Testing Mobile Apps
     • What are the 3 major areas for testing?
       ○ File System: What are apps writing to the file system? How is data stored?
       ○ Application Layer: How are apps communicating via HTTP and Web Services? SSL?
       ○ Transport Layer: How are apps communicating over the network? TCP and Third-party APIs
  9. OWASP Top 10 Mobile Risks
     • 1. Insecure Data Storage
     • 2. Weak Server Side Controls
     • 3. Insufficient Transport Layer Protection
     • 4. Client Side Injection
     • 5. Poor Authorization and Authentication
  10. OWASP Top 10 Mobile Risks
     • 6. Improper Session Handling
     • 7. Security Decisions Via Untrusted Inputs
     • 8. Side Channel Data Leakage
     • 9. Broken Cryptography
     • 10. Sensitive Information Disclosure
  11. OWASP Mobile Security Project
     • You should get involved!
  12. Other Issues
     • Privacy of your data!
       ○ Mobile apps talk to many third party APIs (ads)
       ○ What’s collected by Google/Apple/Microsoft?
  13. Common Tools
     • SSH
     • VNC server
     • A compiler (gcc / agcc)
     • Android SDK (adb!)
     • XCode
     • Jailbroken iDevice
     • Rooted Android Device
  14. Filesystem Analysis
     • Forensic approach
       ○ Filesystem artifacts
       ○ Timeline analysis
       ○ Log analysis
       ○ Temp files
  15. Forensic Tools
     • Mobile Forensic Tools
       ○ EnCase, FTK, Cellebrite
     • Free and/or Open Source
       ○ file, strings, less, dd, md5sum
       ○ The Sleuthkit (mactime, mac-robber)
  16. Timelines
     • Timelines are awesome
       ○ Anyone know log2timeline?
     • Filesystem
       ○ mac-robber
       ○ mactime
     • Logs
       ○ Application- & OS-specific
  17. Filesystem Timelines
     • mac-robber
       ○ C app
       ○ free & open source
       ○ must be compiled to run on devices
     • mactime
       ○ Part of The Sleuthkit
       ○ runs on Mac, Win, Linux
  18. Compiling mac-robber (Android)
     • Android
       ○ Install arm gcc toolchain
       ○ Compile & push via adb
         ○ I used Ubuntu, works on MobiSec & Backtrack
       ○ Detailed instructions:
         ○ guide-compiling-mac-robber-for-android-vuln-research.html
  19. Compiling mac-robber (iOS)
     • iOS (jailbroken)
       ○ Download & Install libgcc onto device
       ○ Install iphone-gcc
       ○ Download & Install C headers/libraries
  20. Running mac-robber (iOS)
     • iOS & Android via SSH
     • Android via adb
     • Then, process each with mactime
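Slides 16 through 20 describe the mac-robber/mactime workflow without showing what either tool actually produces. The following is an added example, written for this page and not code from the presenters or from The Sleuth Kit: it walks a directory the way mac-robber does, emits bodyfile records in mac-robber's column layout, and then collapses them into a mactime-style MACB timeline. The sample directory, its file names and the back-dated timestamps are constructed; the tmp-directory prefix `smartbombs_` is an assumption. On Linux, `stat()` exposes no birth time, so the `b` column stays empty there, exactly as it does for mac-robber on an Android device.

```python
import os
import stat
import tempfile
from collections import defaultdict


def build_bodyfile(root):
    """Walk root and emit one TSK bodyfile record per entry, in the layout mac-robber
    produces: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    mac-robber writes 0 in the MD5 column; crtime is 0 where the OS does not expose it."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            crtime = int(getattr(st, "st_birthtime", 0))  # Linux stat() has no birth time
            records.append("0|%s|%d|%s|%d|%d|%d|%d|%d|%d|%d" % (
                path, st.st_ino, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                st.st_size, int(st.st_atime), int(st.st_mtime), int(st.st_ctime), crtime))
    return records


def mactime(records):
    """Collapse bodyfile records into a mactime-style timeline: one row per
    (timestamp, file), sorted by time, with an MACB column where m = modified,
    a = accessed, c = metadata changed, b = born. A 0 timestamp means "not reported"
    and is skipped, so a file touched at one instant shows as e.g. 'ma..'."""
    flags = defaultdict(lambda: ["."] * 4)
    sizes = {}
    for rec in records:
        f = rec.split("|")
        name = f[1]
        sizes[name] = int(f[6])
        atime, mtime, ctime, crtime = (int(x) for x in f[7:11])
        for pos, (t, letter) in enumerate(((mtime, "m"), (atime, "a"), (ctime, "c"), (crtime, "b"))):
            if t:
                flags[(t, name)][pos] = letter
    return [(t, "".join(flags[(t, name)]), sizes[name], name) for t, name in sorted(flags)]


def demo_timeline():
    """Constructed app data directory standing in for a tree pulled off a device."""
    root = tempfile.mkdtemp(prefix="smartbombs_")  # hypothetical prefix
    cache = os.path.join(root, "cache.bin")
    prefs = os.path.join(root, "prefs.db")
    for path, content in ((cache, b"cached note body"), (prefs, b"sqlite")):
        with open(path, "wb") as fh:
            fh.write(content)
    # Back-date access/modification times so the timeline has something to order;
    # ctime cannot be set from user space, so those rows will read as "now".
    os.utime(cache, (1_300_000_000, 1_300_000_000))
    os.utime(prefs, (1_300_000_100, 1_300_000_100))
    return mactime(build_bodyfile(root))


if __name__ == "__main__":
    for t, macb, size, name in demo_timeline():
        print(t, macb, size, name)
```

The point the timeline makes for an app assessment is the one on slides 14 and 21: the rows with the newest `m` flag are the files the app wrote during the test session, which is where cached credentials, temp files and "protected" images tend to turn up. A bodyfile pulled from a real device with mac-robber feeds `mactime()` unchanged.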
  21. Filesystem Timelines
  22. Where is the data?
  23. Temp Files
  24. Gallery Lock Lite
     • “Protects” your images
  25. Viewing & Searching Files
     • cat, less, vi, strings, grep
     • SQLite files
       ○ GUI browser, API (Ruby, Python, etc)
     • Android apps
       ○ ashell, aSQLiteManager, aLogViewer
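Slide 25 points at the SQLite API as a way to search pulled databases, and slides 36 through 38 show what you are looking for: sensitive values an app wrote to disk in the clear (OWASP M1). The following is an added example for this page, not code from the presenters or from any of the apps named: it opens a SQLite file with Python's standard library, enumerates every table and column, and reports sensitive-looking columns whose values are stored as-is rather than as a digest or ciphertext. The "Password Keeper"-style schema, the account rows and the regular expressions for what counts as sensitive or encoded are all constructed for the example.

```python
import hashlib
import os
import re
import sqlite3
import tempfile

# Heuristics, constructed for this example: column names worth a look, and value
# shapes (long hex or base64 runs) that suggest a digest or ciphertext rather than
# the secret itself. Tune both to the app under test.
SENSITIVE_COLUMN = re.compile(r"pass(word|wd)?|pin|secret|token|ssn|card", re.I)
LOOKS_HEX = re.compile(r"^[0-9a-fA-F]{32,}$")
LOOKS_B64 = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def is_cleartext(value):
    """True when a stored value reads as the secret itself, not a digest/ciphertext."""
    if value is None or isinstance(value, (bytes, bytearray)):
        return False  # NULL, or a blob that may be ciphertext: review by hand
    if isinstance(value, int):
        return True  # a numeric PIN stored as a plain number
    return not (LOOKS_HEX.match(value) or LOOKS_B64.match(value))


def audit_sqlite(path):
    """Walk every table/column of a SQLite file and report sensitive-looking columns
    whose contents are stored in the clear (OWASP Mobile M1, Insecure Data Storage)."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
            for column in columns:
                if not SENSITIVE_COLUMN.search(column):
                    continue
                values = [r[0] for r in con.execute('SELECT "%s" FROM "%s"' % (column, table))]
                clear = [v for v in values if is_cleartext(v)]
                if clear:
                    findings.append({"table": table, "column": column, "rows": len(clear)})
    finally:
        con.close()
    return findings


def make_demo_db():
    """Constructed stand-in for a password-keeper app's on-device database (not any
    real app's schema): password and PIN in the clear, plus a digest column that the
    shape heuristic correctly leaves alone."""
    path = os.path.join(tempfile.mkdtemp(prefix="smartbombs_"), "keeper.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (site TEXT, username TEXT, password TEXT, pin TEXT, pin_hash TEXT)")
    con.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        ("bank.example", "alice", "hunter2", "4321", hashlib.sha256(b"4321").hexdigest()),
        ("mail.example", "alice", "correct horse", "9876", hashlib.sha256(b"9876").hexdigest()),
    ])
    con.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for finding in audit_sqlite(make_demo_db()):
        print("%(table)s.%(column)s: %(rows)d row(s) stored in the clear" % finding)
```

Two caveats when running this over a real pull: the shape test only separates cleartext from encoded values, so a column that passes it still needs a look at how the value was produced (an unsalted fast hash of a four-digit PIN is slide 9's M9, Broken Cryptography, not a fix), and values the app keeps outside SQLite (preference files, caches, the temp files of slide 23) are out of this script's scope and still need `strings` and `grep`.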
  26. Application Layer - HTTP
     • Tools Used:
       ○ Burp Suite
       ○ Burp Suite
       ○ oh yeah Burp Suite!
  27. Why Look at the App Layer?
     • Very common in mobile platforms
     • Many errors are found within the application
       ○ And how it talks to the back end service
     • Able to use many existing tools
  28. Launching Burp Suite
     • Memory!
  29. Misunderstanding Encryption
  30. Want Credentials?
  31. Transport Layer - TCP
     • Tools Used:
       ○ Wireshark
       ○ Tcpdump
       ○ Network Miner
  32. Why look at the transport layer?
     • Check to see how network protocols are handled in the app
     • Easily look for SSL certificate or other communication issues
  33. NetworkMiner
     • Extracts files/images and more
     • Can pull out clear txt credentials
     • Quickly view parameters
  34. TCP Lab Setup
     • Run tcpdump directly on the device
     • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)
     • Import PCAPs into NetworkMiner
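Slides 31 through 34 set up the transport-layer lab, and slides 40 through 42 show the finding it produces most often: an app that authenticates over SSL and then sends its session token, or its registration form, over plain HTTP (OWASP M3). The following is an added example for this page, not code from the presenters or from NetworkMiner: a minimal pcap reader that pulls TCP payloads out of a tcpdump capture and flags cleartext HTTP requests carrying a session cookie, an Authorization header, or a password field in the body. The capture it audits is constructed in `build_pcap()` (three segments, Ethernet link type, little-endian pcap); the addresses, ports and header values are made up, and the list of sensitive headers and fields is an assumption to adjust per app.

```python
import re
import struct

# Headers and form fields that should never cross the network unencrypted (assumed list).
SENSITIVE_HEADERS = ("cookie", "authorization", "x-auth-token")
SENSITIVE_FIELDS = re.compile(r"(^|&)(pass(word)?|pwd|pin)=", re.I)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")


def tcp_payloads(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each TCP segment in a
    little-endian pcap with Ethernet framing. Checksums are not verified and
    segments are not reassembled: one request per segment is enough for the demo."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    assert magic == 0xA1B2C3D4, "only little-endian pcap handled in this example"
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType: IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:  # IP protocol field: TCP only
            continue
        ip = frame[14:14 + ihl]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def audit_pcap(pcap_bytes):
    """Report sensitive material sent in cleartext HTTP requests (OWASP Mobile M3)."""
    findings = []
    for src, dst, sport, dport, payload in tcp_payloads(pcap_bytes):
        if not payload.startswith(HTTP_METHODS):
            continue  # TLS records and other binary protocols are opaque here, as they should be
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        target = "%s:%d" % (dst, dport)
        for line in lines[1:]:
            name = line.split(":", 1)[0].strip().lower()
            if name in SENSITIVE_HEADERS:
                findings.append({"to": target, "request": lines[0],
                                 "issue": "%s header sent over cleartext HTTP" % name})
        if SENSITIVE_FIELDS.search(body.decode("latin-1")):
            findings.append({"to": target, "request": lines[0],
                             "issue": "credential field in cleartext HTTP body"})
    return findings


def build_pcap(segments):
    """Constructed capture: wrap (src, dst, sport, dport, payload) tuples in
    Ethernet/IPv4/TCP with zero checksums, the way a synthetic test pcap would be."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, (src, dst, sport, dport, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def demo_capture():
    """Three constructed segments: a cookie over HTTP, a registration form over HTTP,
    and a TLS record to port 443 that yields no finding."""
    return build_pcap([
        ("10.0.0.5", "203.0.113.10", 51000, 80,
         b"GET /feed HTTP/1.1\r\nHost: api.example\r\nCookie: JSESSIONID=constructed\r\n\r\n"),
        ("10.0.0.5", "203.0.113.11", 51001, 80,
         b"POST /register HTTP/1.1\r\nHost: signup.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=constructed"),
        ("10.0.0.5", "203.0.113.12", 51002, 443, b"\x16\x03\x01\x00\x05hello"),
    ])


if __name__ == "__main__":
    for f in audit_pcap(demo_capture()):
        print("%(to)s  %(request)s  ->  %(issue)s" % f)
```

Point `audit_pcap()` at the bytes of a file written by tcpdump on the device (slide 34) and it reports which endpoints received what in the clear without printing the values themselves. The TLS segment producing nothing is the expected outcome, and it is also the limit of this check: whether the app validates the server certificate on those port 443 connections (slide 32) is a separate test that a passive capture cannot answer.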
  35. App Vulnerabilities
     • Several examples that we’ve found
     • Many from the Top 25 downloaded apps
  36. Evernote
     • Notebooks are stored in the cloud
     • But…caches some files on the device…
     • OWASP M1: Insecure Data Storage
  37. MyFitnessPal
     • Android app stores sensitive data on the device (too much data)
  38. Password Keeper “Lite”
     • PIN and passwords stored in clear-text SQLite database
     • So much for the security of your passwords…
  39. Draw Something
     • Word list stored on the device
     • Modify to mess with your friends
  40. LinkedIn
     • SSL only for authentication
     • Session tokens and data sent over HTTP
     • Lots of apps do this
     • M3: Insufficient Transport Layer Protection
  41. Auth over SSL
     • Data sent over HTTP
  42. Pandora
     • Registration over HTTP
     • User name/Password and Registration info sent over clear text
     • Unfortunately…lots of apps do this
  43. Hard Coded Passwords/Keys
     • Major Grocery Chain “Rewards” Android app
     • Simple to view the source, extract private key
     • OWASP M9: Broken Cryptography
     • Do developers really do this?
  44. Why yes, they do!
  45. Privacy Issues
     • Example: Draw Something App (Top 25)
     • UDID and more sent to the following third-party ad providers:
  46. What is UDID?
     • Alpha-numeric string that uniquely identifies an Apple device
  47. Pinterest and
  48. Conclusions
     • Mobile devices are critically common
     • Most people use them without thinking of security
     • Developers seem to be repeating the past
     • We need to secure this area
  49. Contact Us
     • John Sawyer – Twitter: @johnhsawyer
     • Tom Eston – Twitter: @agent0x0
     • Kevin Johnson – Twitter: @secureideas