Auditing Mobile Applications

*[ AUDITING MOBILE APPLICATIONS ]Author: Jose SelviDate: 30/Jun/2011

$ WHOIS JSELVI Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com jselvi@pentester.eshttp://www.s21sec.com http://www.pentester.es

INDEX Apps Revolution Divide & Conquer (D&C) Mobile Networking Server Side Client Side What’s Up with WhatsApp

APPS REVOLUTION Pág. 5

“OLD SCHOOL” APPS

WEBSITE FEVER

MOBILE FEVER

APPLICATIONS EVOLUTION 2010

DIVIDE & CONQUER (D&C)AND MORE Pág. 5

MOBILE LAB

MOBILE LAB CLIENT

MOBILE LAB SERVER CLIENT

MOBILE LAB NETWORK CLIENT SERVER Phone full control Some ways We CAN’T change the server SW full control We’re able to control the We CAN’T have a network look to the We’re able to software change config and software Sometimes hard and expensive Black Box Testing

JAILBREAK / ROOTING Sometimes emulator r00lz! • Android Emulator (SDK) • iOS Simulator (SDK) But sometimes not... We don’t have full built-in control Maybe we should... • iOS Jailbreak • Android Rooting

MOBILE NETWORKING Pág. 5

MULTI-CHANNEL!

MOBILE LAB

MAN-IN-THE-MIDDLE msf auxiliary(fakedns) > [*] DNS bypass domain api.facebook.com resolved 66.220.146.36 [*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30 [*] DNS bypass domain m.facebook.com resolved 66.220.158.26

“FAKE” DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER

“FAKE” DNS ¿whois www.google.com? IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER

“FAKE” DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ¿whois www.google.com? 20.20.20.20 DNS SERVER

“FAKE” DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 www.google.com = 74.125.39.104 20.20.20.20 DNS SERVER

“FAKE” DNS www.google.com = 74.125.39.104 IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER

“FAKE” DNS ¿whois api.facebook.com? IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER

“FAKE” DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ¿whois api.facebook.com? 20.20.20.20 DNS SERVER

“FAKE” DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 api.facebook.com = 20.20.20.20 20.20.20.20 DNS SERVER

“FAKE” DNS api.facebook.com = 20.20.20.20 IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER

“FAKE” DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 PROXY 20.20.20.20 DNS SERVER

REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY

SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8

SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 CERT 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8

PKI: Public Key Infraestructure SERVER PUB PRIV CA PUB PRIV CLIENT PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PUB PRIV INFO CERT CLIENT PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV DIGEST INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV SIGNED DIGEST INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST SIGNED DIGEST PUB PUB PUB PUB CA1

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 SIGNED DIGEST

PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 DIGEST’

Real Certificate Sample

SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8

SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 CERT 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8

SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8 FAKE CA

SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8

IMPORT CERTIFICATESiPhone / iPad • Export from proxy (Burp, ...) o built (openssl, ...). • iPhone Configuration UtilityAndroid• Only VPN certs, not Web.• Hard...• Still Working...

BINGO!

SERVER SIDE Pág. 5

AS USUAL... Browser Nessus Qualys SQLMap Metasploit Backtrack ... Of course, your brain!

CLIENT SIDE Pág. 5

iOS BINARY FORMAT

ANDROID BINARY FORMAT

ANDROID BINARY FORMATApp.java

ANDROID BINARY FORMATApp.java App.class

ANDROID BINARY FORMATApp.java App.class App.dex

PUT ALL TOGETHER!

Man-in-the- CRACKING VERIFYCERTcertificados como válidos), algo que evidentemente no podrá hacer un atacante que notuviera previo control de la máquina pero que nos situa en la posición de un intruso quehaya comprometido previamente el NOC de Good. En esta ocasión, dado que no se haconseguido vulnerar los certificados SSL, NO bastaría con el compromiso de algunos delos routers internmedios, como SI ocurría en el caso anterior. www.s21sec.c

WHAT’S UP WITH WHATSAPP? Pág. 5

KNOWN WHATSAPP ISSUES Unencrypted Traffic • But using 443 tcp port... Storing ALL conversation FOREVER Storing GPS position! • WTF!! • Why??!! Much more... Great research from SecurityByDefault guys!

WHATSAPP HIJACKING

ALERT! SPAM! SEC-560: Network Penetration Testing and Ethical Hacking

THANKS! QUESTIONS? Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com jselvi@pentester.eshttp://www.s21sec.com http://www.pentester.es

*[ THANKS! SEE YOU! ] Pág. 7

Auditing Mobile Applications

by Eventos Creativos on Jul 14, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Auditing Mobile Applications — Presentation Transcript