Codecamp Iasi 2013 - Playing buggy
Bogdan Alecu presents some real world examples of bugs, specially the ones related to mobile security
For more info go to www.m-sec.net
4. About me
Bogdan ALECU
▪ Independent security researcher
▪ Sysadmin @ LEVI9
▪ Passionate about security, specially when it’s related to
mobile devices, CISSP, CEH, CISA,CCSP
▪ #infosec conferences: DeepSec, DefCamp, EUSecWest
▪ Started with NetMonitor, continued with VoIP and finally
GSM networks / mobile phones
▪ @msecnet / www.m-sec.net / alecu@m-sec.net
5. The buggy world
Bogdan ALECU
▪Developers
▪Testers
▪Customers
▪How do you test?
▪But is it enough?
17. The buggy world
Bogdan ALECU
▪ 20K application
▪ Two factor authentication
▪ ACL IP
▪ User authenticated automatically if …
… coming from the right internal IP
23. The buggy world
Bogdan ALECU
▪ Try accessing the website while pretending
to be browsing from your mobile device
▪ You would be surprised of the instant
access you get
▪ No luck? Try Googlebot!
▪ If your log shows a sensitive access being
made by GoogleBot, will you worry ?
30. The buggy world
Bogdan ALECU
▪Implementation gone wild
▪ How many of you use the Internet on
your mobile device?
▪ Do you know what DNS is?
31. The buggy world
Bogdan ALECU
Setup a VPN server on port 53, UDP (DNS
port)
… and connect to your server
… pass the traffic to the Internet
UNLIMITED
MOBILE DATA TRAFFIC!
42. Where does your data go?
Bogdan ALECU
▪Is the data securely transferred?
▪What info is the app sending?
▪When does it sends the info?
▪Does the app accept any certificate?
▪What is it stored locally?
43. Where does your data go?
Bogdan ALECU
▪Mallory gateway
http://intrepidusgroup.com/insight/
2010/12/mallory-and-me-setting-
up-a-mobile-mallory-gateway/
46. Call to action
Bogdan ALECU
▪ Don’t rely on thing that most users have no
idea how to check if your app is secure.
You might meet someone like me and it
will get ugly
▪ Write your code in a secure way
▪ Testers: learn how to really tests mobile
apps. It’s not all about the usage
experience!