Mobile Application Pentest [Fast-Track]
1. Just a mobile phone
   • Phone calls
   • Sending text messages (SMS) or MMS
   • Alarm clock
   • Calculator
   • Listening to music
   • EDGE for surfing the internet !!
2. 3G, 4G and WiFi support on the mobile network
   • Became more intelligent: the smartphone
   • Sending email
   • Surfing the internet
   • Checking in for flights
   • Online banking transactions
   • Social networks (Facebook, Twitter, Instagram, etc.)
3. Companies started creating mobile applications to offer services to clients
   • Storing and synchronizing data files in the cloud
   • Participating in social network sites
   • The data that is stored, processed and transferred can often be considered sensitive.
4. Mobile App Attack Surface
5. Three components make up the attack surface:
   • Client software on the mobile device
   • Communications channel
   • Server-side infrastructure
6. Mobile Phone (Client Software) -> Internet (Communication Channel) -> Application Server (Server-Side Infrastructure)
7. Client software
   • Packages are typically downloaded from the App Store or Google Play, or provided via the company website
   • Testing requires a rooted or jailbroken device, so that every file and folder on the local file system is accessible
   • The package can be decompiled, tampered with or reverse engineered
8. Attention points
   • Files on the local file system
   • Application authentication & authorization
   • Error handling & session management
   • Business logic
   • Decompiling and analyzing the package
9. Communication channel
   • Channel between the client and the server (HTTPS, EDGE, 3G)
   • Testing with an HTTP proxy (Burp, ZAP) to intercept and manipulate the traffic
   • If the application does not use HTTP, a transparent TCP/UDP proxy such as Mallory can be used instead
10. Attention points
   • Sniffing sensitive information
   • Replay attack vulnerabilities
   • Secure transfer of sensitive information
11. Server-side infrastructure
   • The attack vectors for the web servers behind a mobile application are similar to those used against regular websites
   • Perform host and service scans on the target system to identify running services
12. Attention points
   • OWASP Top 10 vulnerabilities (SQLi, XSS, …)
   • Running services and their versions
   • Infrastructure vulnerability scanning
13. Pentest iOS Application
14. Insecure storage
   • Why applications need to store data
     ▪ Ease of use for the user
     ▪ Popularity
     ▪ Activity with a single click
     ▪ Decreased transaction time
     ▪ 9 out of 10 applications have this vulnerability (the authors' estimate)
   • How an attacker can gain access
     ▪ WiFi
     ▪ Default SSH password after jailbreaking (alpine)
     ▪ Physical theft
     ▪ Temporary access to the device
     ▪ Backup files
15. Insecure storage: local data storage
   • Plist and XML files
   • NSUserDefaults
     ▪ Class that provides a programmatic interface for interacting with the defaults system
     ▪ Keeps its information in a plist file
   • SQLite data files
   • Core Data
     ▪ Object model backed by a relational (SQLite) store
     ▪ Open it with SQLite Manager; the tables are prefixed with "Z"
   • Keychain
16. Enumerate sensitive information from local files
17. WordPress iOS app: the .plist stored the username & password
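The enumeration step the two slides above describe, as an added example (not code from the slides or from the WordPress app): parse a property list pulled from a jailbroken device and report every key whose name looks like a credential, plus every value that is a backend URL. The plist below is constructed to resemble an NSUserDefaults store; the key names, host and values are invented.

```python
"""Enumerate credential-like values and backend URLs in an iOS plist.

Added example. SAMPLE_PLIST is a constructed stand-in for
Library/Preferences/<bundle id>.plist on a jailbroken device; every value
in it is made up for the demonstration.
"""
from __future__ import annotations

import plistlib
import re
from typing import Any, Iterator

# Key names that usually hold secrets (case-insensitive substring match).
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|session|auth|cookie|user(name)?|login)",
    re.IGNORECASE,
)

# Constructed sample plist (fictional blog, account and token).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>blogs</key>
    <array>
        <dict>
            <key>url</key>
            <string>http://blog.example.test/xmlrpc.php</string>
            <key>username</key>
            <string>admin</string>
            <key>password</key>
            <string>Sup3rS3cret!</string>
        </dict>
    </array>
    <key>lastSync</key>
    <date>2013-06-01T10:00:00Z</date>
    <key>fontSize</key>
    <integer>14</integer>
    <key>authToken</key>
    <data>c2VjcmV0LXRva2Vu</data>
</dict>
</plist>
"""


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, leaf value) for every scalar in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_sensitive(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Return (path, value) pairs worth a closer look.

    A leaf is reported when its key name matches SENSITIVE_KEY_RE or when
    its value is an http(s) URL (a backend endpoint to feed into the
    server-side part of the test). <data> values are shown as hex so they
    can be compared against what is seen on the wire.
    """
    findings: list[tuple[str, str]] = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit(".", 1)[-1]
        is_url = isinstance(value, str) and value.startswith(("http://", "https://"))
        if SENSITIVE_KEY_RE.search(leaf) or is_url:
            shown = value.hex() if isinstance(value, bytes) else str(value)
            findings.append((path, shown))
    return findings


if __name__ == "__main__":
    for path, value in find_sensitive(SAMPLE_PLIST):
        print(f"{path}: {value}")
```

Run it against a real file with `plistlib.load(open(path, "rb"))`; plistlib handles both the XML and the binary plist format, so the same walk works for NSUserDefaults stores that iOS has converted to binary.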
18. SQL injection in the local database
   • Most mobile platforms use SQLite as the database for storing information on the device
   • With any SQLite database browser it is possible to read the database files, including logs that contain queries and other sensitive information
   • If the application does not filter input, SQL injection against the local database is possible
19. Payload: a" or "a"="a  (the query on the next slide wraps the value in single quotes, so the equivalent payload there is a' or 'a'='a)
20. Bad code: the uid is formatted straight into the SQL text, so the payload rewrites the WHERE clause
   NSString *uid = [myHTTPConnection getUID];
   NSString *statement = [NSString stringWithFormat:@"SELECT username FROM users WHERE uid = '%@'", uid];
   const char *sql = [statement UTF8String];
   Good code: a prepared statement with the uid bound as a parameter (the slide bound it with sqlite3_bind_int, which does not match an NSString uid; bind the text instead)
   const char *sql = "SELECT username FROM users WHERE uid = ?";
   sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL);
   sqlite3_bind_text(selectUid, 1, [uid UTF8String], -1, SQLITE_TRANSIENT);
   int status = sqlite3_step(selectUid);
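The bad and good code from slide 20 side by side against a live SQLite database, as an added example (not code from the slides): Python's sqlite3 module drives the same SQLite engine iOS ships, so the string-formatted query leaks exactly as the Objective-C one would. The users and sessions tables, their rows and the UNION payload are constructed for the demonstration; the payload is the slide's `a" or "a"="a` rewritten with single quotes to match the single-quoted literal in the query.

```python
"""Local SQLite injection: the slide's vulnerable query next to its fix.

Added example. Tables and rows are constructed; they stand in for the
application's .sqlite file pulled from a jailbroken device.
"""
from __future__ import annotations

import sqlite3

# Slide 19's payload, in the quoting the vulnerable query actually uses.
PAYLOAD = "a' or 'a'='a"
# Same technique taken one step further: read a second local table through
# the same query. Constructed for this example.
UNION_PAYLOAD = "x' UNION SELECT token FROM sessions WHERE '1'='1"


def open_sample_db() -> sqlite3.Connection:
    """In-memory database standing in for the app's local store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, username TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("1001", "alice"), ("1002", "bob"), ("1003", "carol")],
    )
    db.execute("CREATE TABLE sessions (uid TEXT, token TEXT)")
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("1001", "tok-alice-9f3"), ("1002", "tok-bob-27c")],
    )
    return db


def lookup_bad(db: sqlite3.Connection, uid: str) -> list[str]:
    """Mirror of the slide's Bad Code: uid is formatted into the SQL text."""
    statement = "SELECT username FROM users WHERE uid = '%s'" % uid
    return [row[0] for row in db.execute(statement)]


def lookup_good(db: sqlite3.Connection, uid: str) -> list[str]:
    """Mirror of the slide's Good Code: uid is bound as a parameter, so the
    quote characters in the payload are just bytes of a value that matches
    no row."""
    sql = "SELECT username FROM users WHERE uid = ?"
    return [row[0] for row in db.execute(sql, (uid,))]


if __name__ == "__main__":
    db = open_sample_db()
    print("bad, legitimate uid:", lookup_bad(db, "1002"))
    print("bad, payload:       ", lookup_bad(db, PAYLOAD))        # every user
    print("bad, union payload: ", lookup_bad(db, UNION_PAYLOAD))  # session tokens
    print("good, payload:      ", lookup_good(db, PAYLOAD))       # []
```

On a device the first step is the same as the slide's: copy the .sqlite file off with the SQLite browser of your choice and read the schema, because the table and column names you see there are what make the UNION form of the payload possible.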
21. Buffer overflow
   • When the input data is longer than the buffer and is accepted anyway, it overwrites other data in memory
   • C, Objective-C and C++ perform no bounds checking by default
22. Decrypt the application and find hardcoded secrets
   • Applications from the App Store are encrypted and signed
23. Decrypt the application and find hardcoded secrets
   • Clutch
     ▪ Used for iOS application decryption
     ▪ Can be run from the command line
24. Decrypt the application and find hardcoded secrets
   • Runtime analysis with GDB
     ▪ Decrypt with Clutch
     ▪ Review the class-dump-z output
     ▪ Set breakpoints
     ▪ Analyze objc_msgSend calls
     ▪ Find the passcode
     ▪ Evade checks
   • https://vimeo.com/66617415
25. Poor or no encryption in transit
   • Traffic over HTTP
   • Token passing
   • Device ID sent over a weak channel
   • UDID privacy concerns (can be used to track the user)
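The channel attention points from slides 9-10 and 25 as a check that runs over a proxy capture, added here as an example (not code from the slides or from Burp/ZAP): each request line is parsed, and cleartext HTTP, UDID-shaped values and secret-looking query parameters are reported. The capture is constructed to look like request lines exported from a proxy history; hosts, paths, the 40-hex UDID and the tokens are invented.

```python
"""Triage proxied mobile-app requests for cleartext secrets and device IDs.

Added example. CAPTURE is a constructed list of request lines; the hosts,
parameters and values are invented for the demonstration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

CAPTURE = [
    "GET http://api.example.test/v1/profile?udid=0123456789abcdef0123456789abcdef01234567&token=8f2a9c HTTP/1.1",
    "POST http://api.example.test/v1/login?user=alice&pass=Winter2013 HTTP/1.1",
    "GET https://api.example.test/v1/feed HTTP/1.1",
    "GET https://api.example.test/v1/feed?sessionid=2b1d5e HTTP/1.1",
    "GET http://cdn.example.test/img/logo.png HTTP/1.1",
]

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d$")
UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)  # 40 hex chars, the iOS UDID shape
SECRET_PARAM_RE = re.compile(r"(pass|pwd|token|session|auth|user|login|key)", re.IGNORECASE)


def audit_request(line: str) -> list[str]:
    """Return the findings for one request line (empty list if clean)."""
    m = REQUEST_LINE_RE.match(line)
    if not m:
        return ["unparseable request line"]
    url = urlsplit(m["url"])
    findings: list[str] = []
    if url.scheme == "http":
        findings.append("cleartext HTTP to %s" % url.hostname)
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if UDID_RE.match(value):
            # Device identifier in the clear or not, it is a tracking handle.
            findings.append("device UDID sent in query parameter %r" % name)
        elif SECRET_PARAM_RE.search(name):
            # Over HTTPS the value is still exposed in proxy and server logs.
            where = "cleartext" if url.scheme == "http" else "URL (logged by proxies and servers)"
            findings.append("secret-looking parameter %r in %s" % (name, where))
    return findings


def audit_capture(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line number to findings, omitting lines with none."""
    return {i: f for i, line in enumerate(lines, 1) if (f := audit_request(line))}


if __name__ == "__main__":
    for lineno, findings in audit_capture(CAPTURE).items():
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

This only covers what the request line shows; tokens carried in headers or bodies need the full history export, and a replay test (slide 10) is a manual step: resend a captured request from Burp Repeater and see whether the server accepts it a second time.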
26. BurpSuite Proxy
27. Apps communicate with backend web services
   • OWASP Top 10 auditing
   • Most communication uses XML
   • MitM and inject bad XML
   • UIWebView (used to embed web content in the app): execute JavaScript (XSS)
   • Fuzz data sent/received
28. Case study (iOS)
   • Client software: found the backend path in Localizable.strings
   • Server-side infrastructure
     ▪ Access to port 8080 (Apache Tomcat)
     ▪ Logged in with the default Tomcat username and password
     ▪ Uploaded malicious JSP code to the web server (bypassing Symantec)
     ▪ Accessed a configuration file containing the database credentials
     ▪ OWNed !! Database server
29. Localizable.strings
30. Logged in with default Tomcat credentials
31. Upload of malicious JSP code
32. Backend compromised
33. Database compromised
34. Pentest Android Application
35. Local data storage flaws
36. Weak encoding/encryption
37. Insecure storage: reverse engineering
   • APKtool to decode the resources
   • Rename the .apk file to .zip
   • Extract the zip; find classes.dex
   • dex2jar to convert .dex to .jar
   • JD-GUI to open the JAR file and review the source code
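The first steps of the procedure above (treat the .apk as a zip, extract it, find classes.dex) and the triage that slide 44 reports (backend path, FTP credentials), as an added example that is not code from the slides or from any of the tools named: the APK is opened as a zip, printable strings are pulled from every member the way strings(1) would, and URLs and user:password@host credentials are flagged. It does not replace dex2jar and JD-GUI, which are still needed to read the logic around those strings. The APK is constructed in memory; its classes.dex is not valid bytecode, only a byte string carrying the kind of literals a real DEX string table holds, and every host and credential in it is invented.

```python
"""Zip-level triage of an APK: extract members, pull strings, flag URLs and
credentials. Added example; build_sample_apk() constructs a fake APK whose
contents (hosts, paths, user names, passwords) are all invented.
"""
from __future__ import annotations

import io
import re
import zipfile


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real .apk with the usual member names."""
    dex_strings = [
        b"Lcom/example/app/Sync;",
        b"ftp://appsync:Fall2013!@ftp.example.test/uploads/",
        b"http://api.example.test/mobile/v1/",
        b"smtp.example.test",
        b"mailbot@example.test",
        b"M@ilP4ss",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary xml placeholder")
        # Real DEX: header, then a NUL-separated string table. Only the
        # string-table shape is reproduced here.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings) + b"\x00")
        z.writestr("res/values/strings.xml",
                   b'<resources><string name="app_name">Sync</string></resources>')
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, like strings(1)
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"'<>]+""")
CRED_URL_RE = re.compile(r"^(ftp|https?)://([^:/@]+):([^@]+)@([^/]+)")


def extract_strings(apk: bytes) -> dict[str, list[str]]:
    """Open the .apk as a zip and return printable strings per member."""
    out: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            out[name] = [m.group().decode("ascii") for m in STRING_RE.finditer(z.read(name))]
    return out


def triage(apk: bytes) -> dict[str, list]:
    """Flag backend URLs and credentials embedded in URLs, with the member
    they came from so the follow-up in JD-GUI starts in the right class."""
    urls: list[tuple[str, str]] = []
    creds: list[dict[str, str]] = []
    for member, strings in extract_strings(apk).items():
        for s in strings:
            for url in URL_RE.findall(s):
                urls.append((member, url))
                m = CRED_URL_RE.match(url)
                if m:
                    creds.append({"member": member, "scheme": m[1], "user": m[2],
                                  "password": m[3], "host": m[4]})
    return {"urls": urls, "credentials": creds}


if __name__ == "__main__":
    report = triage(build_sample_apk())
    for member, url in report["urls"]:
        print(f"{member}: {url}")
    for cred in report["credentials"]:
        print(f"credential in {cred['member']}: {cred['user']}:{cred['password']} @ {cred['host']}")
```

For a real package call `triage(open("app.apk", "rb").read())`; a real classes.dex produces thousands of strings, so add a grep for the host names you saw in the proxy to narrow the list.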
38. Insecure storage: reverse engineering (continued)
39. Insecure storage: reverse engineering (continued)
40. BurpSuite Proxy
41. Insecure logging
42. Identity decloaking
43. Apps communicate with backend web services
   • OWASP Top 10 auditing
   • Fuzz data sent/received
44. Case study (Android)
   • Client software
     ▪ Found the backend path through reverse engineering
     ▪ Found the FTP username and password
   • Communication channel
     ▪ Found the mail credentials
   • Server-side infrastructure
     ▪ Access to the FTP server
     ▪ Access to Terminal Services
     ▪ Logged in with the FTP credentials
     ▪ PWNed !! Backend server
     ▪ Compromised an internal server
45. Reverse engineering
46. Logged in with the FTP credentials
47. 100 porn images found !!
48. Burp Proxy
49. Access to mail
50. Backend compromised
51. Authors: ZeQ3uL and diF
   http://www.exploit-db.com/papers/26620/