Pentesting Mobile Applications (Prashant Verma)
Published on

ClubHack 2011 Hacking and Security Conference.
Talk - Pentesting Mobile Applications
Speaker - Prashant Verma

Published in: Technology

Transcript

  • 1. Pentesting Mobile Applications. Prashant Verma, Security Consultant & Competency Lead
  • 2. Target Mobile
  • 3. Types of Mobile Applications
    • Browser based Mobile Applications (WAP)
    • Installed Applications
  • 4. Android architecture
    • DVM
      • ~JVM
      • dex files
    • Sandboxing
      • Apps run with their own user and group
      • Apps may share data if run with the same user
  • 5. iOS Architecture
    • Core OS & Core Services: low-level file handling, network sockets etc. Includes technologies like Core Foundation, CFNetwork, SQLite etc. Written in C.
    • Media Layer: supports audio and 2D and 3D video
    • Cocoa Touch Layer: provides the infrastructure used by applications. Contains the UIKit Framework. Written in Objective-C.
  • 6. Pentesting Mobile Applications
    • Reading Stored Data
    • Capturing Requests
    • Reversing the Application Package
    • Platform Specific Issues
  • 7. Reading Stored Data
  • 8. Reading Stored Data
    • Mobile applications store data in the local memory of the handset
    • This data is stored by developers in local files and is used by the application
    • Look out for persistently stored information on the mobile for sensitive data (pwd, keys, account details etc.)
    • This may involve hacking / jailbreaking the phone
  • 9. Reading Stored Data: Android
    • Android applications store their data in the directory /data/data/[PACKAGE_NAME]
    • SharedPreferences
      • Context.MODE_PRIVATE
      • Context.MODE_WORLD_READABLE
      • Context.MODE_WORLD_WRITEABLE
    • Files may be stored using the filesystem at /data/data/[PACKAGE_NAME]/files/filenam
    • Storage in SQLite databases
      • Can be read using SQLite browser
  • 10. Reading Stored Data: Android
    • Demo 1
      • Let us see how the stored data can be accessed on an Android phone
      • <Connect the phone via USB debugging mode, show the storage directory in Android, browse to show the different storage formats, read the files, read the databases using SQLite browser>
  • 11. Reading Stored Data: iOS
    • The iPhone too stores data in the application directory
      • /private/var/mobile/Applications/ApplicationID/
    • Plist files can be read using
      • Property List Editor
      • plutil
    • SQLite databases
      • Same procedure to read as on Android
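Slides 8 to 11 describe what an assessor looks for once an application directory has been pulled off a device: SharedPreferences XML (and whether MODE_WORLD_READABLE left it readable by other apps), SQLite databases and, on iOS, plist files. The following Python script is an added example, not code from the talk: it audits a local copy of such a directory, parsing the three storage formats and flagging sensitive-looking keys and world-readable files. The directory layout, the key-name heuristics and all sample values are constructed for the demonstration (the sample mixes an Android shared_prefs/databases tree with an iOS Library/Preferences plist so one run covers both slides).

```python
import os
import re
import sqlite3
import stat
import plistlib
import tempfile
import xml.etree.ElementTree as ET

# Heuristic list of key names that often hold secrets (a constructed list, not from the talk).
SENSITIVE_KEY_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|pin", re.I)

def parse_shared_prefs(path):
    """Parse an Android SharedPreferences XML file into a dict.

    Entries look like <string name="k">v</string> or <boolean name="k" value="true" />.
    """
    prefs = {}
    for child in ET.parse(path).getroot():
        name = child.get("name")
        if name is not None:
            # <string> keeps its value as text; the other types use a value attribute
            prefs[name] = child.text if child.tag == "string" else child.get("value")
    return prefs

def dump_sqlite(path):
    """Return {table: rows} for every user table in a SQLite database file."""
    conn = sqlite3.connect(path)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        return {t: conn.execute('SELECT * FROM "%s"' % t.replace('"', '""')).fetchall()
                for t in names}
    finally:
        conn.close()

def world_readable(path):
    """True when the 'others' read bit is set; MODE_WORLD_READABLE leaves files like this."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_app_dir(app_dir):
    """Walk a pulled application directory and list (relative path, finding, detail) tuples."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, app_dir)
            if world_readable(path):
                findings.append((rel, "world-readable", None))
            if fn.endswith(".xml") and os.path.basename(dirpath) == "shared_prefs":
                for k, v in parse_shared_prefs(path).items():
                    if SENSITIVE_KEY_RE.search(k):
                        findings.append((rel, "sensitive pref", "%s=%s" % (k, v)))
            elif fn.endswith(".plist"):
                with open(path, "rb") as f:
                    for k, v in plistlib.load(f).items():
                        if SENSITIVE_KEY_RE.search(k):
                            findings.append((rel, "sensitive plist key", "%s=%s" % (k, v)))
            elif fn.endswith(".db"):
                for table, rows in dump_sqlite(path).items():
                    findings.append((rel, "sqlite table", "%s: %d row(s)" % (table, len(rows))))
    return findings

def build_sample_app_dir():
    """Construct a fake pulled app directory mixing Android and iOS layouts (sample data only)."""
    base = tempfile.mkdtemp(prefix="pulled_app_")
    prefs_dir = os.path.join(base, "shared_prefs")
    os.makedirs(prefs_dir)
    prefs = os.path.join(prefs_dir, "login.xml")
    with open(prefs, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '<string name="username">alice</string>\n'
                '<string name="password">hunter2</string>\n'
                '<boolean name="remember_me" value="true" />\n</map>\n')
    os.chmod(prefs, 0o664)   # what MODE_WORLD_READABLE produces on the device
    db_dir = os.path.join(base, "databases")
    os.makedirs(db_dir)
    db = os.path.join(db_dir, "accounts.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE accounts (id INTEGER, number TEXT, balance REAL)")
    conn.execute("INSERT INTO accounts VALUES (1, '0001-2345', 120.5)")
    conn.commit()
    conn.close()
    os.chmod(db, 0o660)      # MODE_PRIVATE: owner and group only
    plist_dir = os.path.join(base, "Library", "Preferences")
    os.makedirs(plist_dir)
    plist = os.path.join(plist_dir, "com.example.app.plist")
    with open(plist, "wb") as f:
        plistlib.dump({"api_token": "TOKEN-PLACEHOLDER", "theme": "dark"}, f)
    os.chmod(plist, 0o600)
    return base

if __name__ == "__main__":
    for finding in audit_app_dir(build_sample_app_dir()):
        print(finding)
```

Run against a real pull (for example the output of `adb pull /data/data/[PACKAGE_NAME]` on a rooted test device) the same walk shows which files MODE_PRIVATE would have protected and which preferences a developer should never have written in the clear.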
  • 12. Capturing the Traffic
  • 13. Capturing The Traffic
    • Capture HTTP requests & responses
    • Carry out parameter manipulation and other attacks
    • Set up a proxy between the server & the client to intercept
    • This can be achieved by
      • Proxying the real devices
      • Proxying the emulators
  • 14. Capturing The Traffic: Android
    • Proxying an Android device
      • Root your phone, then install Superuser
      • Install a proxy tool like ProxyDroid or Auto Proxy
      • Set the proxy IP address & port no.
    • Emulators can also be proxied
  • 15. Capturing The Traffic
  • 16. Capturing The Traffic: iPhones
    • Proxying Apple iPhone / iPad
      • Set up a proxy IP address and port for the Wi-Fi connection
      • Entire traffic is routed through this proxy
    • Proxying simulators
      • Open the Simulator within the Xcode IDE
      • GUI option to set the proxy IP address and port
  • 17. Capturing The Traffic: iPhones
    • Demo 2
      • Let us now see how to proxy an iPhone device to capture the traffic
      • <connect the phone & laptop to the Wi-Fi, set up the laptop as proxy for the phone, show the captured traffic on the laptop, demonstrate the parameter manipulation attack>
  • 18. Capturing The Traffic: iPhones
  • 19. Reversing the Application Package
  • 20. Reversing the Application Package
    • Reverse engineer the application logic and source code
    • Identify the flaws in the code base to exploit them
    • Look for sensitive data like passwords, encryption algorithms and keys
    • Nokia jar files & Android apk packages are easy to reverse
  • 21. Reversing the Android Package
    • Two-step process
      • apk to dex conversion
      • dex to java conversion
  • 22. Reversing the Android Package
    • Demo 3
      • Let us now see how to reverse engineer an Android application package
      • <Take a .apk Android package, demonstrate the reversing process to convert it to readable java files, show the sample vulnerability in the java file>
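Slides 20 to 22 present reversing as apk to dex, then dex to java, with hardcoded passwords and keys as the prize. The first step needs no decompiler at all: an APK is a zip archive, and the DEX string pool inside classes.dex already holds every string literal the application ships. The Python below is an added example written for this page, not the speaker's demo or any tool's code. It builds a minimal, self-consistent classes.dex (header plus a string pool only, a constructed sample, not a real application), wraps it in an in-memory APK, then parses it back: it checks the DEX magic, adler32 checksum and SHA-1 signature exactly as the DEX format defines them, walks the string_ids table and flags credential-like entries. The secret-matching patterns and the placeholder key are assumptions for the demonstration.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
# Heuristic patterns for credential-like strings (constructed list, not from the talk).
SECRET_RE = re.compile(r"api[_-]?key|secret|passw(or)?d|token|PRIVATE KEY", re.I)

def encode_uleb128(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_uleb128(buf, off):
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def build_minimal_dex(strings):
    """Construct a tiny classes.dex holding only a string pool (sample, not a real app)."""
    n = len(strings)
    string_ids_off = DEX_HEADER_SIZE
    data_off = string_ids_off + 4 * n
    string_data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(string_data))
        # string_data_item: uleb128 UTF-16 length, MUTF-8 bytes, NUL (ASCII is identical in MUTF-8)
        string_data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(string_data)
    # Header fields after the signature: file_size, header_size, endian_tag, link_size, link_off,
    # map_off, twelve (size, off) words for string_ids .. class_defs, then data_size, data_off.
    tail = struct.pack("<20I", DEX_HEADER_SIZE + len(body), DEX_HEADER_SIZE, 0x12345678, 0, 0, 0,
                       n, string_ids_off, *([0] * 10), len(string_data), data_off)
    payload = tail + body                                      # covered by the SHA-1 signature
    signature = hashlib.sha1(payload).digest()
    checksum = zlib.adler32(signature + payload) & 0xFFFFFFFF  # covers signature + rest of file
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + payload

def parse_dex_strings(dex):
    """Check the DEX magic, adler32 checksum and SHA-1 signature, then return the string pool."""
    if dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != dex[12:32]:
        raise ValueError("SHA-1 signature mismatch")
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(string_ids_size):
        data_off, = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, pos = decode_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        strings.append(dex[pos:end].decode("utf-8", errors="replace"))
    return strings

def extract_dex_strings(apk_bytes):
    """An APK is a zip archive: return {dex name: string pool} for every classes*.dex inside."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                out[name] = parse_dex_strings(z.read(name))
    return out

def find_suspicious_strings(strings):
    """Flag string-pool entries that look like hardcoded credentials or key material."""
    return [s for s in strings if SECRET_RE.search(s)]

def build_sample_apk():
    """Construct a sample APK whose dex carries a hardcoded credential (placeholder value)."""
    dex = build_minimal_dex(["Lcom/example/bank/LoginActivity;", "https://api.example.test/login",
                             "api_key=PLACEHOLDER-NOT-A-REAL-KEY", "Hello, world"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder, a real manifest is binary XML>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    for name, pool in extract_dex_strings(build_sample_apk()).items():
        print(name, find_suspicious_strings(pool))
```

The integrity checks matter for the defender as much as the reverser: a dex whose checksum or signature does not verify has been modified after build, which is one of the cheapest repackaging indicators an app-store vetting pipeline (slide 26) can compute. On a real classes.dex the string pool is large, so in practice the flagged list is the starting point for the dex to java step, not a replacement for it.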
  • 23. Platform Specific Issues
  • 24. Platform Specific Issues
    • Android, the prime target of malware
      • ZITMO
      • Android Market had malicious apps
    • Apple iOS
      • iOS URL Schemes
      • Screenshot caching issue
  • 25. Malware: ZITMO
    • User logs in to his banking application
    • ZITMO, in the background, listens to the incoming SMS
    • ZITMO obtains the SMS
    • ZITMO forwards the SMS to the attacker's web address
    • SMS contains the one-time password (the second factor of the two-factor authentication)
    • Attacker can use it to bypass the two-factor authentication
  • 26. Android Market
    • Recently, the Google Android Market was in the news for distributing malicious applications
    • Google had to remove these infected applications from the Market
    • Lack of a proper vetting process by Google, as opposed to the Apple App Store
    • Experts have advised Google to establish the same
  • 27. iOS URL Schemes
    • iOS URL schemes
      • URL schemes are used for web server connections, without additional parameters
      • This involves sending the required parameters in the URL, which makes it a vulnerable implementation
      • Sometimes the username-password is also sent this way
      • Prefer other implementations, if easily possible without URL schemes
  • 28. iOS Screenshot Caching
    • Whenever users press the Home button while using an application
      • iOS takes a screenshot of the application
      • This is required for the zoom-out animation while leaving the app
      • This same screenshot is used to simulate the zoom-in animation while returning to the app
      • This is stored in the device memory and can be used by anyone having access to a rooted device
    • Black out the view whenever the Home button is pressed while using the application.
  • 29. Securing Mobile Applications
  • 30. Security Best Practices
    • Do not hardcode sensitive information
    • Do not store sensitive information locally
    • If it is required to be stored, do not store it in an easily readable location like the memory card
    • Encrypt the stored data
    • Implement SSL
    • Protect the webserver against application layer attacks
  • 31. Security Best Practices
    • Sanitize inputs, use prepared statements (protection against client side injection)
    • Implement proper authentication. Do not use UDID or other hardware IDs for auth.
    • Prefer encryption over encoding or obfuscation
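Slide 31's "use prepared statements" applies to the application's own local SQLite store (slide 9) just as much as to a server: a query built by string concatenation lets a crafted input change the query's meaning, while a bound parameter is never parsed as SQL. The Python below is an added example, not code from the talk, showing the two forms side by side against a constructed in-memory database; the table, rows and owner names are sample data.

```python
import sqlite3

def make_local_store():
    """Constructed sample of an app's local SQLite store (not from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "alice's private note"), ("bob", "bob's private note")])
    return conn

def notes_for_owner_unsafe(conn, owner):
    """Vulnerable: the untrusted value becomes part of the SQL text, so quotes change the query."""
    sql = "SELECT body FROM notes WHERE owner = '%s' ORDER BY rowid" % owner
    return [row[0] for row in conn.execute(sql)]

def notes_for_owner_safe(conn, owner):
    """Hardened: a prepared statement binds the value; SQLite never parses it as SQL."""
    sql = "SELECT body FROM notes WHERE owner = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (owner,))]

def compare(owner):
    """Run both variants on the same input and return (unsafe_result, safe_result)."""
    conn = make_local_store()
    try:
        return notes_for_owner_unsafe(conn, owner), notes_for_owner_safe(conn, owner)
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice"))          # both variants: alice's note only
    print(compare("x' OR '1'='1"))   # unsafe variant leaks every owner's notes; safe returns []
```

The same comparison is the unit test to keep in an app's codebase: feed the quoting input to every local-store query helper and require the result to be empty. On Android the equivalent API choice is the selectionArgs parameter of SQLiteDatabase.query/rawQuery instead of concatenating into the selection string.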
  • 32. OWASP Mobile Top 10 Risks
  • 33. References
    • Android official documentation
    • Apple iOS code guide
    • OWASP Mobile Top 10 Project
    • Palisade: the application security magazine
    • GoatDroid Project
    • iGoat Project
  • 34. Thank you. Prashant Verma, Security Consultant & Competency Lead, verma.prashantkumar@gmail.com