Mobile Application Pentest [Fast-Track]


  1. Just a mobile phone
     • Phone calls
     • Sending text messages or MMS
     • Alarm clock
     • Calculator
     • Listening to music
     • EDGE for surfing the internet!!
  2. 3G, 4G and WiFi support on the mobile network
     • Became more intelligent: the smartphone
     • Sending email
     • Surfing the internet
     • Checking in for flights
     • Online banking transactions
     • Social networks (Facebook, Twitter, Instagram, etc.)
  3. Companies started creating mobile applications to offer services to clients
     • Storing and synchronizing data files in the cloud
     • Participating in social network sites
     • The data that is stored, processed and transferred can often be considered sensitive.
  4. Mobile App Attack Surface
  5. • Client software on the mobile device
     • Communications channel
     • Server-side infrastructure
     (Diagram: Server Side Infrastructure, Comm. Channel, Client Software)
  6. (Diagram: Mobile Phone, Internet, Application Server; Client Software, Communication Channel, Server Side Infrastructure)
  7. • Packages are typically downloaded from the App Store or Google Play, or provided via the company website
     • Testing requires a device that is rooted or jailbroken, for access to all files and folders on the local file system
     • Packages can be decompiled, tampered with or reverse engineered
  8. Attention points
     • Files on the local file system
     • Application authentication & authorization
     • Error handling & session management
     • Business logic
     • Decompiling and analyzing
  9. • Channel between the client and the server (HTTPS, EDGE, 3G)
     • Test with an HTTP proxy (Burp, ZAP) to intercept and alter traffic
     • If the application does not use the HTTP protocol, use a transparent TCP and UDP proxy such as Mallory
  10. Attention points
     • Sniffing sensitive information
     • Replay attack vulnerabilities
     • Secure transfer of sensitive information
  11. • The attack vectors for the web servers behind a mobile application are similar to those used for regular websites
     • Perform host and service scans on the target system to identify running services
  12. Attention points
     • OWASP Top 10 vulnerabilities (SQLi, XSS, …)
     • Running services and their versions
     • Infrastructure vulnerability scanning
  13. Pentest iOS Application
  14. Insecure storage
     • Why an application needs to store data
       ▪ Ease of use for the user
       ▪ Popularity
       ▪ Activity with a single click
       ▪ Decreased transaction time
       ▪ 9 out of 10 applications have this vulnerability
     • How an attacker can gain access
       ▪ WiFi
       ▪ Default password after jailbreaking (alpine)
       ▪ Physical theft
       ▪ Temporary access to the device
       ▪ Backup file
  15. Insecure storage
     • Local data storage
       ▪ Plist and XML files
       ▪ NSUserDefaults: a class that provides a programmatic interface for interacting with the defaults system; it keeps its information in a plist file
       ▪ SQLite data files
       ▪ Core Data services: object model over a relational database, managed with SQLite; tables are prefixed with "z"
       ▪ Keychain
  16. Enumerate sensitive information from local files
  17. WordPress iOS app (.plist) stored user & pass
  18. SQL injection in the local database
     • Most mobile platforms use SQLite as the database to store information on the device
     • Using any SQLite database browser, it is possible to access database logs, which contain queries and other sensitive database information
     • If the application does not filter input, SQL injection on the local database is possible
  19. a" or "a"="a
  20. Bad code
       NSString *uid = [myHTTPConnection getUID];
       // uid is spliced straight into the SQL text, so quotes in it change the query
       NSString *statement = [NSString stringWithFormat:@"SELECT username FROM users where uid = '%@'", uid];
       const char *sql = [statement UTF8String];
     Good code
       NSString *uid = [myHTTPConnection getUID];
       const char *sql = "SELECT username FROM users where uid = ?";
       sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL);
       // uid is a string, so bind it as text; a bound parameter is never parsed as SQL
       sqlite3_bind_text(selectUid, 1, [uid UTF8String], -1, SQLITE_TRANSIENT);
       int status = sqlite3_step(selectUid);
  21. Buffer overflow
     • When input data longer than the buffer is accepted, it overwrites other data in memory.
     • No protection by default in C, Objective-C and C++
  22. Decrypt the application and find hardcoded secrets
     • Applications from the App Store are encrypted and signed
  23. Decrypt the application and find hardcoded secrets
     • Clutch
       ▪ Used for iOS application decryption
       ▪ Can be run from the command line
  24. Decrypt the application and find hardcoded secrets
     • Runtime analysis with GDB
       ▪ Use Clutch
       ▪ View class-dump-z output
       ▪ Set a breakpoint
       ▪ Analyze objc_msgSend
       ▪ Find the passcode
       ▪ Evade checks
     • https://vimeo.com/66617415
  25. Poor or no encryption in transit
     • Traffic over HTTP
     • Token passing
     • Device ID over a poor channel
     • UDID privacy concerns (can be used to track the user)
  26. BurpSuite proxy
  27. • Apps communicate with backend web services
     • OWASP Top 10 auditing
     • Most communication uses XML
     • MitM and inject bad XML
     • UIWebViews (used to embed web content in the app)
     • Execute JavaScript (XSS)
     • Fuzz data sent/received
  28. Client software
     • Found the backend path in Localizable.strings
     Server-side infrastructure
     • Access to port 8080 (Apache Tomcat)
     • Logged in with the default Tomcat username and password
     • Uploaded malicious JSP code to the web server (bypassing Symantec)
     • Access to a configuration file that contains database credentials
     • OWNed!! Database server
  29. Localizable.strings
  30. Logged in with default Tomcat credentials
  31. Upload malicious JSP code
  32. Backend compromised
  33. Database compromised
  34. Pentest Android Application
  35. Local data storage flaws
  36. Weak encoding/encryption
  37. Insecure storage
     • Reverse engineering
       ▪ APKtool to decode resources
       ▪ Convert the .apk file to .zip
       ▪ Extract the zipped file and find classes.dex
       ▪ dex2jar to convert .dex to .jar
       ▪ Use JD-GUI to open the JAR file and review the source code
  38. Insecure storage: reverse engineering
  39. Insecure storage: reverse engineering
  40. BurpSuite proxy
  41. Insecure logging
  42. Identity decloaking
  43. • Apps communicate with backend web services
     • OWASP Top 10 auditing
     • Fuzz data sent/received
  44. Client software
     • Found the backend path from reverse engineering
     • Found the FTP username and password
     Communication channel
     • Found the mail credentials
     Server-side infrastructure
     • Access the FTP server
     • Access Terminal Services
     • Logged in with the FTP credentials
     • PWNed!! Backend server
     • Compromised internal server
  45. Reverse engineering
  46. Logged in with the FTP credentials
  47. 100 porn images found!!
  48. Burp proxy
  49. Access mail
  50. Backend compromised
  51. Authors: ZeQ3uL and diF
     http://www.exploit-db.com/papers/26620/
     (Diagram: Local Storage, Internet, Sniff Traffic)
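Slides 16 and 17 show credentials sitting in a plist on the device. The following Python is an added example (not from the slides or the authors) of the check a tester or developer would run over a recovered plist, NSUserDefaults file or backup: it walks the parsed structure and flags keys whose names suggest a secret but whose values are plain strings. The sample plist, the key-name heuristic and the constant names are assumptions for the demo.

```python
"""Added example (not from the slides): flag credential-looking values stored
in clear text in an iOS plist, such as NSUserDefaults or an app's own file."""
import plistlib
import re

# Key names that usually carry a secret (assumed heuristic list).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)$", re.I)

# Constructed sample of what a blog client might leave in its Preferences plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>blogs</key>
  <array>
    <dict>
      <key>username</key><string>admin</string>
      <key>password</key><string>Summer2013!</string>
    </dict>
  </array>
  <key>authToken</key><string>deadbeef</string>
  <key>fontSize</key><integer>14</integer>
</dict>
</plist>
"""
# Same kind of content in binary plist form, the format NSUserDefaults writes.
SAMPLE_BINARY = plistlib.dumps({"apiKey": "k-123", "theme": "dark"},
                               fmt=plistlib.FMT_BINARY)


def walk(node, path=""):
    """Yield (dotted_path, value) for every scalar in a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node


def find_cleartext_secrets(plist_bytes):
    """Return [(path, value)] for secret-named keys holding a non-empty string."""
    data = plistlib.loads(plist_bytes)  # detects XML or binary plist itself
    hits = []
    for path, value in walk(data):
        leaf = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(leaf) and isinstance(value, str) and value:
            hits.append((path, value))
    return hits
```

Anything this reports is data that belongs in the Keychain (or should not be persisted at all), since any of the access routes on slide 14 exposes the file.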
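Slides 18 to 20 explain SQL injection against the app's local SQLite database and contrast string-built SQL with a prepared statement. As an added example (not the authors' code), here is the same pair of queries in Python against a constructed in-memory database, using the single-quote form of the slide-19 payload because the "Bad code" slide wraps the value in single quotes; the table layout and user rows are assumptions.

```python
"""Added example (not from the slides): the slide-20 "Bad code" beside the
"Good code", run against a constructed SQLite database with Python's sqlite3."""
import sqlite3


def make_db():
    """Constructed sample of an app's local user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return db


def lookup_bad(db, uid):
    """Mirrors NSString stringWithFormat: the uid is pasted into the SQL
    text, so quotes in it change the query."""
    statement = "SELECT username FROM users WHERE uid = '%s'" % uid
    return [row[0] for row in db.execute(statement)]


def lookup_good(db, uid):
    """Mirrors sqlite3_prepare_v2 + sqlite3_bind_text: the uid travels as a
    bound parameter and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE uid = ?"
    return [row[0] for row in db.execute(sql, (uid,))]


# Single-quote form of the slide-19 payload, matching the '%s' quoting above.
PAYLOAD = "a' or 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("normal :", lookup_bad(db, "1001"), lookup_good(db, "1001"))
    print("payload:", lookup_bad(db, PAYLOAD), lookup_good(db, PAYLOAD))
```

With the payload, the string-built query returns every username while the parameterised one returns nothing, which is exactly the difference between the two slide-20 snippets.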