Iasi Code Camp, 20 April 2013: Playing buggy - Bogdan Alecu

Playing boogie buggy
Bogdan ALECU

Topics
▪ About me
▪ The buggy world
▪ Where does your data go?

About me
▪ Independent security researcher
▪ Sysadmin @ LEVI9
▪ Passionate about security, especially when it’s related to mobile devices; CISSP, CEH, CISA, CCSP
▪ #infosec conferences: DeepSec, DefCamp, EUSecWest
▪ Started with NetMonitor, continued with VoIP and finally GSM networks / mobile phones
▪ @msecnet / www.m-sec.net / firstname.lastname@example.org

The buggy world
▪ Developers
▪ Testers
▪ Customers
▪ How do you test?
▪ But is it enough?

The buggy world
READY FOR SOME REAL LIFE EXAMPLES?

The buggy world
▪ Try accessing the website while pretending to be browsing from your mobile device
▪ You would be surprised by the instant access you get
▪ No luck? Try Googlebot!
▪ If your log shows a sensitive access being made by GoogleBot, will you worry?

The buggy world
▪ Those damn headers …
DEMO time

The buggy world
▪ Having the right headers (security by obscurity) can open a lot of doors

The buggy world
▪ Those damn headers … AGAIN!
Yet another demo

The buggy world
▪ Don’t bullshit me: admit your weakness!
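The header slides above come down to one question for the site owner: does the User-Agent decide what a request may see, and would a "Googlebot" entry on a sensitive URL in the access log worry you? The following Python is an added example, not code from the talk or its demos. It parses a few constructed combined-format log lines, verifies a claimed Googlebot with the reverse-then-forward DNS check Google documents (here against a constructed lookup table so it runs offline; in production use socket.gethostbyaddr and socket.gethostbyname), and flags every crawler or mobile User-Agent that was actually served a sensitive path. The sensitive prefixes, the documentation-range addresses and the fake DNS tables are assumptions.

```python
import re

# Apache/nginx "combined" log format. The regex, sample lines and lookup
# tables below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed: URL prefixes that must never be gated on User-Agent alone.
SENSITIVE_PREFIXES = ("/admin", "/export", "/api/internal")
BOT_MARKERS = ("googlebot",)
MOBILE_MARKERS = ("iphone", "ipad", "android")

# Constructed stand-ins for reverse (PTR) and forward (A) lookups so the
# example runs offline. 198.51.100.9 plays a genuine crawler; 203.0.113.10
# plays a host whose PTR record claims googlebot.com but does not resolve back.
FAKE_RDNS = {
    "198.51.100.9": "crawl-198-51-100-9.googlebot.com",
    "203.0.113.10": "fake.googlebot.com",
}
FAKE_FDNS = {
    "crawl-198-51-100-9.googlebot.com": "198.51.100.9",
    "fake.googlebot.com": "203.0.113.99",
}


def is_verified_googlebot(ip, rdns=FAKE_RDNS.get, fdns=FAKE_FDNS.get):
    """Google's documented check: the PTR name must end in googlebot.com or
    google.com AND the forward lookup of that name must return the same IP."""
    host = rdns(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return fdns(host) == ip


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return (ip, path, reason) findings: spoofed crawlers, and sensitive
    paths that were served (200) to a crawler or mobile User-Agent."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        claims_bot = any(m in ua for m in BOT_MARKERS)
        claims_mobile = any(m in ua for m in MOBILE_MARKERS)
        served_sensitive = (rec["path"].startswith(SENSITIVE_PREFIXES)
                            and rec["status"] == "200")
        if claims_bot and not is_verified_googlebot(rec["ip"]):
            findings.append((rec["ip"], rec["path"],
                             "User-Agent claims Googlebot but IP fails the rDNS/forward-DNS check"))
        if served_sensitive and (claims_bot or claims_mobile):
            findings.append((rec["ip"], rec["path"],
                             "sensitive path served 200 to a crawler/mobile User-Agent: "
                             "access is probably gated on headers, not on authentication"))
    return findings


# Constructed sample log (documentation-range addresses, constructed UAs).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2013:10:00:01 +0300] "GET /admin/users HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [20/Apr/2013:10:00:02 +0300] "GET /admin/users HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.8 - - [20/Apr/2013:10:00:03 +0300] "GET /export/report.csv HTTP/1.1" 200 88000 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26"',
    '203.0.113.9 - - [20/Apr/2013:10:00:04 +0300] "GET /admin/users HTTP/1.1" 403 312 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"',
    '198.51.100.9 - - [20/Apr/2013:10:00:05 +0300] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for ip, path, reason in analyze(SAMPLE_LOG):
        print(f"{ip:14} {path:22} {reason}")
```

Note that the second sample line is flagged even though the crawler is genuine: a real Googlebot receiving a 200 on /admin/users is exactly the log entry the slide asks about, and the fix is server-side authentication rather than a better User-Agent filter.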
The buggy world
▪ Implementation gone wild
▪ How many of you use the Internet on your mobile device?
▪ Do you know what DNS is?

The buggy world
Set up a VPN server on port 53, UDP (DNS port)
… and connect to your server
… pass the traffic to the Internet
UNLIMITED MOBILE DATA TRAFFIC!
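The slide above describes a billing system that counts port 53/UDP as "free DNS" without checking that the traffic is DNS. From the operator's side the gap shows up as flows on the DNS port that do not look like DNS at all. The following Python is an added example, not code from the talk: it scores constructed flow records on UDP/53 against a few plausibility rules (average packet size, flow volume and lifetime, whether the destination is the network's own resolver) and runs a small RFC 1035 header-and-question parser over the first payload. The thresholds, the resolver address and the sample payloads are assumptions, and the thresholds in particular need tuning where EDNS or DNSSEC answers are common.

```python
import struct
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from the talk.
# Classic DNS over UDP is at most 512 bytes per message; EDNS allows more,
# so tune per network. A VPN on UDP/53 shows long flows of full-size packets.
MAX_BYTES_PER_PACKET = 600
MAX_FLOW_BYTES = 50_000
MAX_FLOW_SECONDS = 60
TRUSTED_RESOLVERS = {"192.0.2.53"}   # constructed address of the site's resolver


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    nbytes: int
    seconds: float
    first_payload: bytes   # first UDP payload observed on the flow


def looks_like_dns(payload: bytes) -> bool:
    """Cheap plausibility check of a DNS header and its question names."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5:                      # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return False
    if qd > 8 or qd + an + ns + ar > 64:
        return False
    pos = 12
    for _ in range(qd):                 # walk each QNAME as RFC 1035 labels
        while True:
            if pos >= len(payload):
                return False
            length = payload[pos]
            if length == 0:
                pos += 1
                break
            if length & 0xC0 == 0xC0:   # compression pointer ends the name
                pos += 2
                break
            if length > 63:
                return False
            pos += 1 + length
        pos += 4                        # QTYPE + QCLASS
        if pos > len(payload):
            return False
    return True


def classify_flow(flow: Flow):
    """Reasons a UDP/53 flow does not look like DNS; empty list means fine."""
    reasons = []
    if flow.proto != "udp" or flow.dport != 53:
        return reasons
    if flow.nbytes / max(flow.packets, 1) > MAX_BYTES_PER_PACKET:
        reasons.append("average packet size above DNS norm")
    if flow.nbytes > MAX_FLOW_BYTES:
        reasons.append("flow volume far above DNS norm")
    if flow.seconds > MAX_FLOW_SECONDS:
        reasons.append("long-lived flow on the DNS port")
    if flow.dst not in TRUSTED_RESOLVERS:
        reasons.append("destination is not a configured resolver")
    if not looks_like_dns(flow.first_payload):
        reasons.append("payload does not parse as a DNS message")
    return reasons


def analyze_flows(flows):
    """Return [(index, reasons)] for every flow with at least one reason."""
    out = []
    for i, f in enumerate(flows):
        reasons = classify_flow(f)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed payloads: a well-formed query for www.m-sec.net and an
# arbitrary blob standing in for tunnelled traffic.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x05m-sec\x03net\x00\x00\x01\x00\x01")
TUNNEL_PAYLOAD = bytes([0x38, 0x9f, 0xff, 0xff, 0x7a, 0x10, 0xc3, 0x21,
                        0x99, 0x02, 0x45, 0xee, 0x17, 0x8b, 0x00, 0xd4])

# Constructed flow records: a normal lookup, a tunnel, a large EDNS exchange.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.53", "udp", 53, 2, 150, 0.05, DNS_QUERY),
    Flow("10.0.0.7", "203.0.113.99", "udp", 53, 4000, 4_800_000, 1800.0, TUNNEL_PAYLOAD),
    Flow("10.0.0.5", "192.0.2.53", "udp", 53, 2, 1400, 0.10, DNS_QUERY),
]

if __name__ == "__main__":
    for i, reasons in analyze_flows(SAMPLE_FLOWS):
        print(i, SAMPLE_FLOWS[i].src, "->", SAMPLE_FLOWS[i].dst, reasons)
```

The third sample flow trips only the packet-size rule, which is the expected false positive from large EDNS answers; the tunnel flow trips all five. In practice a single rule is a hint, several together are the signal, and the durable fix is to bill or allow port 53 only towards the operator's own resolvers.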
Where does your data go?
▪ Is the data securely transferred?
▪ What info is the app sending?
▪ When does it send the info?
▪ Does the app accept any certificate?
▪ What is stored locally?
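"Does the app accept any certificate?" is the question an interception gateway answers in seconds: if the client skips chain validation or hostname matching, the proxy's certificate is accepted and every request is readable. The following Python is an added example, not code from the talk: it shows the weak client configuration beside the corrected one using the standard ssl module, plus a small audit function a tester can run over a client's SSLContext. The optional cafile parameter for a pinned CA bundle is an assumption about how the client is built.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern behind 'the app accepts any certificate': chain validation
    and hostname matching both switched off. Kept here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """What a client should use: system trust store (or a pinned bundle via
    cafile, an assumed option), hostname check on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Findings a tester would raise against a client's TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, "
                        "including an interception proxy's, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for a "
                        "different host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The same three checks apply to any client stack: a finding on verify_mode is what lets a Mallory-style gateway read the traffic, and a finding on check_hostname is what lets any legitimately issued certificate for some other domain do the same.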
Where does your data go?
▪ Mallory gateway
http://intrepidusgroup.com/insight/2010/12/mallory-and-me-setting-up-a-mobile-mallory-gateway/

Where does your data go?
▪ Short demo

Call to action
▪ Don’t rely on things that most users have no idea how to check when judging whether your app is secure. You might meet someone like me and it will get ugly
▪ Write your code in a secure way
▪ Testers: learn how to really test mobile apps. It’s not all about the usage experience!

The end?!?
Thank you all!
Don’t forget about feedback forms
www.m-sec.net / @msecnet