Auditing Mobile Applications

Talk given by José Selvi at the IV Summer Course on Computer Security of the Universidad Europea de Madrid.


  1. *[ AUDITING MOBILE APPLICATIONS ] Author: Jose Selvi. Date: 30/Jun/2011
  2. $ WHOIS JSELVI: Jose Selvi, http://twitter.com/JoseSelvi, jselvi@s21sec.com, jselvi@pentester.es, http://www.s21sec.com, http://www.pentester.es
  3. INDEX: Apps Revolution; Divide & Conquer (D&C); Mobile Networking; Server Side; Client Side; What's Up with WhatsApp
  4. APPS REVOLUTION (section divider)
  5-6. "OLD SCHOOL" APPS
  7-9. WEBSITE FEVER
  10-14. MOBILE FEVER
  15. APPLICATIONS EVOLUTION 2010
  16. DIVIDE & CONQUER (D&C) AND MORE (section divider)
  17-20. MOBILE LAB (diagram: CLIENT and SERVER)
  21. MOBILE LAB (diagram with three columns: CLIENT, NETWORK, SERVER)
      CLIENT: phone full control; SW full control; we're able to control the software.
      NETWORK: some ways; we're able to have a look at the network; sometimes hard and expensive.
      SERVER: we CAN'T change the server; we CAN'T change config and software; black box testing.
  22. JAILBREAK / ROOTING. Sometimes emulator r00lz! • Android Emulator (SDK) • iOS Simulator (SDK). But sometimes not... We don't have full built-in control. Maybe we should... • iOS Jailbreak • Android Rooting
  23. MOBILE NETWORKING (section divider)
  24. MULTI-CHANNEL!
  25. MOBILE LAB
  26. MAN-IN-THE-MIDDLE (Metasploit fakedns output shown on the slide):
      msf auxiliary(fakedns) >
      [*] DNS bypass domain api.facebook.com resolved 66.220.146.36
      [*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30
      [*] DNS bypass domain m.facebook.com resolved 66.220.158.26
  27-41. "FAKE" DNS (animated diagram). Hosts: the client phone (IP 20.20.20.10, MASK 255.255.255.0, GW 20.20.20.1, DNS 20.20.20.20), the DNS SERVER at 20.20.20.20, and 10.10.10.10. The client asks "whois www.google.com?" and gets the real answer, www.google.com = 74.125.39.104. It then asks "whois api.facebook.com?" and the fake DNS answers api.facebook.com = 20.20.20.20, so the app's traffic goes to the PROXY running on 20.20.20.20 (slide 41) instead of the real server.
  42-44. REDIRECT TRICK (animated diagram). Same client (IP 20.20.20.10, MASK 255.255.255.0) but with GW 20.20.20.20 and DNS 8.8.8.8: the PROXY host at 20.20.20.20 is now the client's gateway, so traffic passes through it without the DNS answer being changed; 10.10.10.10 is on the far side.
  45-46. SSL/HTTPS PROXY (animated diagram). Client IP 20.20.20.10, MASK 255.255.255.0, GW 20.20.20.20, DNS 8.8.8.8; the server at 10.10.10.10 presents its CERT.
  47-58. PKI: Public Key Infrastructure (animated diagram). Parties: SERVER (PUB/PRIV), CA (PUB/PRIV) and CLIENT, which already holds the PUB keys of several CAs (CA1, ...). Steps drawn: the server's INFO and PUB form the CERT; the CA computes a DIGEST of it and produces a SIGNED DIGEST with its PRIV key; the cert with the signed digest goes back to the server and is sent to the client; the client recomputes the digest of the cert (DIGEST') and uses the CA PUB key it already holds to check it against the SIGNED DIGEST.
  59. Real Certificate Sample
  60-66. SSL/HTTPS PROXY (animated diagram, continued). The server at 10.10.10.10 sends its real CERT to the proxy at 20.20.20.20; the proxy sends the client at 20.20.20.10 a FAKE CERT for the same name, issued by a FAKE CA.
  67. IMPORT CERTIFICATES. iPhone / iPad: • Export from proxy (Burp, ...) or build (openssl, ...). • iPhone Configuration Utility. Android: • Only VPN certs, not Web. • Hard... • Still Working...
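The digest / signed-digest / DIGEST' sequence drawn on slides 47-58, and the reason the certificate import on slide 67 makes the proxy's FAKE CERT acceptable to the client, as an added example (not code from the talk or from any tool it names): toy RSA over constructed tiny primes, a placeholder hostname, and constructed CA names. A real PKI uses X.509, 2048-bit or larger keys and padded hashes; only the shape of the check is the same.

```python
import hashlib
from dataclasses import dataclass, replace

# ---- toy RSA: constructed tiny primes, illustration only -------------------
# A real PKI uses X.509 certificates, 2048-bit+ keys and padded hashes
# (PKCS#1 v1.5 / PSS); the maths below is the bare textbook operation.

def make_keypair(p: int, q: int, e: int = 17):
    """Return (pub, priv) = ((e, n), (d, n)) for n = p*q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def digest(body: bytes, n: int) -> int:
    """DIGEST step: SHA-256 of the certificate body, reduced mod n to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(priv, value: int) -> int:
    """SIGNED DIGEST: raise the digest to the private exponent."""
    d, n = priv
    return pow(value, d, n)

def signature_ok(pub, value: int, sig: int) -> bool:
    """Recover the digest with the public exponent and compare it with the one we computed."""
    e, n = pub
    return pow(sig, e, n) == value

@dataclass(frozen=True)
class Cert:
    subject: str        # INFO: hostname the certificate is issued for
    server_pub: tuple   # PUB key of the server, embedded in the certificate
    issuer: str         # name of the CA that signed it
    signed_digest: int  # SIGNED DIGEST made with that CA's PRIV key

def cert_body(subject: str, server_pub, issuer: str) -> bytes:
    """The bytes that get digested: everything in the cert except the signature."""
    return f"{subject}|{server_pub[0]}|{server_pub[1]}|{issuer}".encode()

def issue_cert(issuer: str, ca_priv, subject: str, server_pub) -> Cert:
    """CA side (slides 51-53): digest the body, sign the digest with the CA private key."""
    body = cert_body(subject, server_pub, issuer)
    return Cert(subject, server_pub, issuer, sign(ca_priv, digest(body, ca_priv[1])))

def verify_cert(cert: Cert, trust_store: dict, expected_host: str) -> bool:
    """Client side (slides 56-58): the issuer's PUB must already be in the trust store;
    recompute DIGEST' and check it against the SIGNED DIGEST."""
    ca_pub = trust_store.get(cert.issuer)
    if ca_pub is None or cert.subject != expected_host:
        return False
    body = cert_body(cert.subject, cert.server_pub, cert.issuer)
    return signature_ok(ca_pub, digest(body, ca_pub[1]), cert.signed_digest)

def pinned_key_ok(cert: Cert, pinned_pub) -> bool:
    """Defender-side extra check (not in the deck): compare the server key in the cert with
    one shipped inside the app, so a cert made with any other key fails even if its CA is trusted."""
    return cert.server_pub == pinned_pub

# ---- constructed keys and certificates ---------------------------------------
REAL_CA_PUB, REAL_CA_PRIV = make_keypair(61, 53)      # the CA the phone ships with
PROXY_CA_PUB, PROXY_CA_PRIV = make_keypair(89, 97)    # the FAKE CA of the intercepting proxy
SERVER_PUB, _ = make_keypair(71, 83)                  # real server key
PROXY_PUB, _ = make_keypair(107, 109)                 # key the proxy uses for its FAKE CERT

HOST = "api.example.test"                             # placeholder hostname
REAL_CERT = issue_cert("RealCA", REAL_CA_PRIV, HOST, SERVER_PUB)
FAKE_CERT = issue_cert("ProxyCA", PROXY_CA_PRIV, HOST, PROXY_PUB)

def scenario() -> dict:
    """The three situations the deck draws: stock trust store, after importing the proxy CA
    (slide 67), and with a pinned server key; plus a tampered cert failing DIGEST' comparison."""
    stock = {"RealCA": REAL_CA_PUB}
    after_import = {"RealCA": REAL_CA_PUB, "ProxyCA": PROXY_CA_PUB}
    tampered = replace(REAL_CERT, subject="other.example.test")  # body changed, signature not
    return {
        "real_cert_stock": verify_cert(REAL_CERT, stock, HOST),                # True
        "fake_cert_stock": verify_cert(FAKE_CERT, stock, HOST),                # False: ProxyCA unknown
        "fake_cert_after_import": verify_cert(FAKE_CERT, after_import, HOST),  # True: interception works
        "fake_cert_pinned": verify_cert(FAKE_CERT, after_import, HOST)
                            and pinned_key_ok(FAKE_CERT, SERVER_PUB),          # False: wrong server key
        "tampered_cert": verify_cert(tampered, stock, "other.example.test"),   # False: DIGEST' mismatch
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The middle result is the whole point of slide 67: the proxy's certificate is cryptographically fine, it is the trust store that decides. Two caveats a reviewer of an app would add: on Android 7.0 and later, apps do not trust user-installed CAs by default unless their network security configuration opts in, so the import trick from 2011 only affects apps that allow it; and an app that pins its server key (the last check above) still rejects the proxy even when its CA has been imported.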
  68. BINGO!
  69. SERVER SIDE (section divider)
  70. AS USUAL... Browser, Nessus, Qualys, SQLMap, Metasploit, Backtrack, ... Of course, your brain!
  71. CLIENT SIDE (section divider)
  72-76. iOS BINARY FORMAT
  77-82. ANDROID BINARY FORMAT: App.java -> App.class -> App.dex
  83. PUT ALL TOGETHER!
  84. Man-in-the- CRACKING VERIFYCERT. Text of the report screenshot on the slide (starts mid-sentence): "...certificates as valid), something that an attacker without prior control of the machine obviously could not do, but which puts us in the position of an intruder who had previously compromised Good's NOC. This time, since the SSL certificates could not be broken, compromising some of the intermediate routers would NOT be enough, as it WAS in the previous case." www.s21sec.c
  85-86. WHAT'S UP WITH WHATSAPP? (section divider)
  87. KNOWN WHATSAPP ISSUES. Unencrypted traffic • But using 443 tcp port... Storing ALL conversations FOREVER. Storing GPS position! • WTF!! • Why??!! Much more... Great research from SecurityByDefault guys!
  88. WHATSAPP HIJACKING
  89. ALERT! SPAM! SEC-560: Network Penetration Testing and Ethical Hacking
  90. THANKS! QUESTIONS? Jose Selvi, http://twitter.com/JoseSelvi, jselvi@s21sec.com, jselvi@pentester.es, http://www.s21sec.com, http://www.pentester.es
  91. *[ THANKS! SEE YOU! ]
