Gursev kalra _mobile_application_security_testing - ClubHack2009

1,400 views
1,349 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,400
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
46
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Gursev kalra _mobile_application_security_testing - ClubHack2009

  1. 1. Mobile Application Security Testing Gursev Kalra Dec 5, 2009
  2. 2. Agenda ►Introduction ►Browser Based Mobile Applications ►Installable Mobile Applications ►Intercepting Application Traffic ►Various Traffic Interception Schemes ►Mobile Traffic and SSL ►Conclusion www.foundstone.com © 2008, McAfee, Inc.
  3. 3. Introduction ►Who am I? ■ Senior Security Consultant – Foundstone Professional Services ■ Web Applications, Networks… www.foundstone.com © 2008, McAfee, Inc.
  4. 4. Introduction ►Mobile Applications ■ Tremendous growth in consumer and business mobile applications ■ Many new players ■ Security aspects might get overlooked www.foundstone.com © 2008, McAfee, Inc.
  5. 5. Browser Based Mobile Applications www.foundstone.com © 2008, McAfee, Inc.
  6. 6. Installable Mobile Applications www.foundstone.com © 2008, McAfee, Inc.
  7. 7. Intercepting Application Traffic for Nokia S40 Series Phones • Set up a custom web proxy and obtain its IP and port • Edit the configuration WML and change proxy IP and port to the custom web proxy • Compile WML to a provisioning (WBXML) file • Transfer the new settings to S40 mobile phone • Activate custom settings and access the Internet using new settings www.foundstone.com © 2008, McAfee, Inc.
  8. 8. Intercepting Application Traffic for Nokia S60 Series Phones • Set up a custom web proxy and obtain its IP and port • Create duplicate of existing Access Point settings • For the copy created, change the proxy IP and port to the custom proxy • Access Internet using custom proxy settings www.foundstone.com © 2008, McAfee, Inc.
  9. 9. Proxy With Public IP Address  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4 (Public IP)  Port Number: 8888 Internet  Public IP: W1.X2.Y3.Z4  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.
  10. 10. Proxy On WLAN  Phone with Application  WLAN Netw. Name: PenTest Internet  WLAN Mode: WPA2  Proxy Server Address: SSID: PenTest 192.168.30.102 IP: 192.168.30.100  Port Number: 8888 192.168.30.101  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 www.foundstone.com 192.168.30.102 © 2008, McAfee, Inc.
  11. 11. Proxy With One Phone Internet  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888  Phone with Application  Phone as a Modem  Access Point: Service provider default W1.X2.Y3.Z4 settings  Proxy Server Address: W1.X2.Y3.Z4 www.foundstone.com  Port Number: 8888 © 2008, McAfee, Inc.
  12. 12. Proxy With External Internet Connection Internet  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4  Port Number: 8888 USB Modem  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.
  13. 13. Mobile Traffic Interception and SSL • Export your web proxy’s certificated in DER format • Copy the certificate file to a web server • Set the MIME type of the directory to which the certificate is copied to application/x-x509-ca-cert • Use the mobile web browser to browse to the certificate file • Import the certificate when prompted • Delete the un-trusted certificate after testing www.foundstone.com © 2008, McAfee, Inc.
  14. 14. Conclusion ►Mobile applications extend traditional network boundaries and introduce new avenues of attack ►They often have access to sensitive business and personal information ►They are constantly challenging and extending their reach ►Security is critical and should be part of SDLC!! www.foundstone.com © 2008, McAfee, Inc.
  15. 15. Queries www.foundstone.com © 2008, McAfee, Inc.
  16. 16. Thank You Gursev Kalra gursev(dot)kalra(at)foundstone(dot)com www.foundstone.com © 2008, McAfee, Inc.

×