OWASP Birmingham - Mobile Application Security

Mobile application security talk I gave at OWASP Birmingham.

  1. David Rook: Mobile Application Security. OWASP Birmingham, Friday, 9 December 2011
  2. if (slide == introduction) System.out.println("I’m David Rook");
     • Application Security Lead, Realex Payments, Dublin
     • CISSP, CISA, GCIH and many other acronyms
     • Security Ninja (@securityninja)
     • Speaker at developer and security conferences
     • Microsoft Developer Security MVP
     • Developed and released Agnitio
  3. Agenda
     • The mobile applosion!
     • Android and iOS app analysis
  4. There’s an app for that
     • There’s an app for that......
     • Apps allow users to do more than send SMS and play Snake
     • Completely changed the way people view and use phones
     • Businesses love apps, if they don’t have one they want one
     • Innovative apps for customers using mobile functionality
     Speaker notes: Businesses can benefit from having a mobile presence. Customers “expect” a mobile presence from companies nowadays. Companies can utilise this to offer new ways of doing existing tasks such as mobile boarding passes, mobile banking and checking share prices. Businesses can be created or rapidly grow because of mobile apps. Rovio is probably the most famous example but certainly not the only or last one.
  5. There’s an app for that (image slides 5 to 15 share these speaker notes)
     Speaker notes: Businesses can benefit from having a mobile presence. Customers “expect” a mobile presence from companies nowadays. Companies can utilise this to offer new ways of doing existing tasks such as mobile boarding passes, mobile banking and checking share prices.
  18. There’s an app for that (final build of slides 16 to 18)
     • Mobile apps can create value for a business
     • Businesses can benefit from having a mobile presence
     • Innovative apps for customers using mobile functionality
     • Most developers have not been trained to write secure code
     • Not trained to write secure code, new to mobile development......
     • What could possibly go wrong?
     Speaker notes: What could possibly go wrong? Well, we need to understand how many apps/downloads/smartphones there are first.
  19. There’s an app for that (built up over slides 19 to 23 as "1 Apps, 15 Income, 30 Downloads, 115 Phones": over 1 million apps, $15 billion income, 30 billion downloads, 115 million smartphones)
     Speaker notes: Over 1 million apps in all of the app stores; pretty much all of the million plus are in the App Store or Market Place (500,000 Apple and 600,000 Android; all other app stores about 50,000 at the most). Estimated $15 billion of income from app sales in 2011 (http://www.gartner.com/it/page.jsp?id=1529214). About 30 BILLION app downloads from the App Store and Android Market Place since the Apple App Store was launched on the 11th July 2008 (18bn for the App Store, http://en.wikipedia.org/wiki/App_Store_(iOS), and about 7bn for the Market Place, http://en.wikipedia.org/wiki/Android_Market). 115m smartphones sold in Q3 2011 (http://www.gartner.com/it/page.jsp?id=1848514).
  24. There’s an app for that
     Speaker notes: Android Market Place has about 600,000 apps now (December 2011, http://www.androlib.com/appstats.aspx). Apple App Store has over 500,000 apps now (October, http://en.wikipedia.org/wiki/App_Store_(iOS)#cite_note-18billion-52). Nokia Ovi Store is now around 50,000 apps (http://en.wikipedia.org/wiki/Ovi_(Nokia)#Ovi_Store). BlackBerry App World also around 50,000 apps (http://en.wikipedia.org/wiki/BlackBerry_App_World). Windows Phone Marketplace has around 40,000 apps (http://en.wikipedia.org/wiki/Windows_Phone_Marketplace).
  27. There’s an app for that (final build of slides 25 to 27)
     • The predicted growth happened
     • 1,000,000+ apps by the end of 2011
     • How many have been developed with security in mind?
     • The answer isn’t “none” but it won’t be many, ≤1%?
     • But none of us are surprised by this are we?
     • I want us to try and find the insecure apps with Agnitio
  28. Mobile payments
     • Payments made using a mobile
     • I’m not talking about NFC or in app payments
     • I want to share some real world payment stats with you
     • Based on analysis of Realex hosted payment page hits
  29. Mobile payments
     [Chart: Total Hits vs Mobile Hits, January to November 2011; y-axis 0 to 1,500,000]
     Speaker notes: This shows hits to our hosted payment page so it isn’t showing transactions, but it’s a decent guide. Total hits grew from 675,853 in January to 1,039,725 in November. Mobile hits grew from 9,887 (1.5%) in January to 38,738 (3.7%) in November. This is a tiny amount of our overall transactions as well: about 3.5m transactions in Q3 on this chart but overall we did 16.2m.
  30. Mobile payments
     [Chart: Mobile Hits by platform (iOS, Android, BlackBerry), January to November 2011; y-axis 0 to 40,000]
     Speaker notes: iOS way out in front, about 6 times as many hits from iOS devices as Android devices. Doesn’t really show an increase in transactions from mobiles (as it’s based on hits) but it does show the increase in the use of mobiles for sensitive actions such as credit card payments. Roughly a 4 times increase from January to November.
  31. Mobile App Threat Modeling
     • Like a web app threat model but scarier
     • External dependencies completely out of your control
     • No longer a server maintained by your operations team
     • Phones not owned or maintained by you (or anyone!)
     • What are your external dependencies for a mobile app?
  32. Mobile App Threat Modeling (image slide)
  33. (Image slide) http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support
     ■ 7 of the 18 Android phones never ran a current version of the OS.
     ■ 12 of 18 only ran a current version of the OS for a matter of weeks or less.
     ■ 10 of 18 were at least two major versions behind well within their two year contract period.
     ■ 11 of 18 stopped getting any support updates less than a year after release.
     ■ 13 of 18 stopped getting any support updates before they even stopped selling the device or very shortly thereafter.
     ■ 15 of 18 don’t run Gingerbread, which shipped in December 2010.
     ■ At least 16 of 18 will almost certainly never get Ice Cream Sandwich.
  34. Mobile app security issues
     • Data in transit and at rest
     • Dangerous inputs
     Speaker notes:
     Data in transit and at rest: local data storage (files, caches and SQLite databases). You need to acknowledge that the data isn’t really secure when it’s on the user’s device. Be careful what you store on the device and where you store it. If you encrypt the data on the device, where are you going to put the encryption key? When reviewing code for these types of issues you will be looking for functions such as Context.openFileOutput() and Context.openFileInput() as well as file permissions. You can use things like the keychain on iOS to secure files and data on the device.
     Consuming 3rd party web services: interesting apps need to talk to something else. You have to treat the data from these services as “dangerous” and validate it like you would any other data. You also need to consider the fact that you don’t know where the data is going or how it’s handled/stored etc. When reviewing code you will be looking for functions that open network connections, receive input etc.
     iOS image caching problem: in iOS, when an application moves to the background the system takes a screenshot of the application’s main window. This screenshot is used to animate transitions when the app is reopened. What if sensitive info was on the screen? http://software-security.sans.org/blog/2011/01/14/whats-in-your-ios-image-cache-backgrounding-snapshot/
     General input: of course you need to keep an eye on SQL query related methods, things like query() and rawQuery() in Android and sqlite3_exec() in iOS, and on data received via intent messages for your app to receive and process.
  35. Android and iOS
     Speaker notes: Android: Linux based OS; applications written in Java; Java is compiled to DEX bytecode. iOS: Unix based OS; applications written in Objective-C.
  36. Android Source Code
        package com.denimgroup.android.training.pandemobium.stocktrader;

        import android.app.Activity;
        import android.os.Bundle;
        import android.util.Log;
        import android.webkit.WebView;

        public class TipsActivity extends Activity {
            private WebView wvTips;

            /** Called when the activity is first created. */
            @Override
            public void onCreate(Bundle savedInstanceState) {
                Log.i("TipsActivity", "Loading up browser page to display stock tips");
                super.onCreate(savedInstanceState);
                setContentView(R.layout.tips);
                // The URL loaded into the WebView is a string resource (res/values/strings.xml)
                wvTips = (WebView) findViewById(R.id.wv_tips);
                wvTips.loadUrl(getString(R.string.tip_list));
            }
        }
     Speaker notes: How do we analyse Android code now? If you have the source code it’s pretty simple, just like a normal Java code review with some Android specific checks of course. Otherwise you need to do the following: download the .apk onto an AVD or a rooted phone; unpack this and run a tool like apktool to turn the AndroidManifest.xml file into a human readable format; then convert the .DEX file into a jar file with another tool like dex2jar; then unzip the jar file and decompile the class files into the original source code.
  37. AndroidManifest.xml
     • A good place to start your security code reviews!
     • Applications and System code have an AndroidManifest file
     • Declares the package name, a unique identifier for the app
     • Defines the permissions needed by the application
     • Defines app activities and intents
     • Compressed XML file in the .apk
     Speaker notes: Activities: an activity is an application component that provides a screen with which users can interact in order to do something, such as dial the phone, take a photo, send an email, or view a map. Intent: activities are activated through messages, called intents. You can “call” your own activities or let Android pick the right one for you, opening a URL for example. Let’s say there is an application that finds hotels and would like to use another application to book it. For that it creates an implicit “Intent” where it says: “hey Android, I intend to book this hotel, please find an application that is capable of booking it, and pass the data to do the booking”. They have Actions, Data and Categories. "A different strategy is needed for implicit intents. In the absence of a designated target, the Android system must find the best component (or components) to handle the intent" <-- do you know what the target (i.e. other app) is going to do with your data? An Intent is basically a message that is passed between components (such as Activities, Services, Broadcast Receivers, and Content Providers). One component that wants to invoke another has to express its intent to do a job, and any other component that exists and has claimed that it can do such a job through intent-filters is invoked by the Android platform to accomplish the job. This means both components are not aware of each other’s existence and can still work together to give the desired result for the end user. http://developer.android.com/guide/topics/manifest/manifest-intro.html
  38. Agnitio hands on
     • AndroidManifest.xml - before and after
     Speaker notes: Show the Pandora application AndroidManifest.xml. Show SDK versions:
        <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8" />
     Permissions:
        <uses-permission android:name="android.permission.INTERNET" />
        <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
     Action = ACTION_MAIN: start up as the initial activity of a task, with no data input and no returned output. Category = CATEGORY_LAUNCHER: the activity can be the initial activity of a task and is listed in the top-level application launcher.
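The manifest review described on the two slides above, as an added example that is not code from the talk or from the Agnitio project: a Python script that parses the AndroidManifest.xml apktool recovers from an .apk and reports package name, SDK versions, permissions and which activities other apps can reach. The sample manifest is constructed: its uses-sdk and uses-permission lines repeat the values quoted for the Pandora app, while the package name, the two activities and the debuggable flag are made up for the example. The "an activity with an intent-filter is exported unless android:exported is false" rule and the HTTPS reminder are the example's own review checks, not the slide's.

```python
"""Added example (not code from the talk or from Agnitio): a first-pass
reviewer for the AndroidManifest.xml that apktool recovers from an .apk.
It reports the items the slides say to look at first: package name, SDK
versions, requested permissions, and which activities other apps can reach
through intent filters."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: the uses-sdk and uses-permission lines repeat
# the values the talk quotes for the Pandora app; the package name, the two
# activities and the debuggable flag are made up for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <application android:label="Constructed" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:mimeType="text/plain" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def review_manifest(xml_text):
    """Return a dict summarising the manifest plus a list of review findings."""
    root = ET.fromstring(xml_text)
    report = {
        "package": root.get("package"),
        "min_sdk": None,
        "target_sdk": None,
        "permissions": [],
        "activities": [],  # (name, reachable_by_other_apps, [actions])
        "findings": [],
    }
    sdk = root.find("uses-sdk")
    if sdk is not None:
        report["min_sdk"] = attr(sdk, "minSdkVersion")
        report["target_sdk"] = attr(sdk, "targetSdkVersion")
    report["permissions"] = [attr(p, "name") for p in root.findall("uses-permission")]

    app = root.find("application")
    if app is not None:
        if attr(app, "debuggable") == "true":
            report["findings"].append("android:debuggable is true; a release build should not ship like this")
        for act in app.findall("activity"):
            name = attr(act, "name")
            filters = act.findall("intent-filter")
            actions = [attr(a, "name") for f in filters for a in f.findall("action")]
            exported = attr(act, "exported")
            # An activity that declares an intent filter is exported unless
            # android:exported="false" is set explicitly, so other apps can
            # start it with an implicit intent and hand it data.
            reachable = exported == "true" or (exported is None and bool(filters))
            report["activities"].append((name, reachable, actions))
            if reachable and "android.intent.action.MAIN" not in actions:
                report["findings"].append(
                    "%s accepts intents from other apps (%s); validate the intent data it receives"
                    % (name, ", ".join(actions)))

    if "android.permission.INTERNET" in report["permissions"]:
        report["findings"].append(
            "INTERNET permission requested; check that every URL in res/values/strings.xml is HTTPS")
    return report


if __name__ == "__main__":
    for key, value in review_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

Run it against the decoded manifest from apktool instead of the sample by reading the file into `review_manifest`; the launcher activity is deliberately not reported, since ACTION_MAIN with no data input is what the slide describes as the normal entry point.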
  39. Android Static Analysis
     • Context.openFileOutput()
     • Context.openOrCreateDatabase()
     • rawQuery()
     • URLConnection()
     • HttpResponse()
     • MODE_PRIVATE
     • MODE_WORLD_READABLE
     • MODE_WORLD_WRITABLE
     Speaker notes: Context.openFileOutput() creates a local file on the device. Context.openOrCreateDatabase() creates a local file on the device containing a SQLite database. rawQuery(): untrusted inputs should not be used to create SQL statements. It is preferable to compile queries using Database.compileStatement() and then put untrusted values into parameters passed to that statement. Also note that untrusted values should not be used to build up the strings passed to Database.compileStatement(). URLConnection(): mobile devices communicate across a variety of networks, both trusted and untrusted. Therefore it is important that communications be encrypted, typically using HTTPS. HttpResponse(): mobile devices communicate across a variety of networks, both trusted and untrusted. Therefore it is important that communications be encrypted, typically using HTTPS. Data returned in a method like this must be validated before being used in sinks. Context.MODE_PRIVATE: this is the most secure setting because the resource will only be readable by the application that created it. Context.MODE_WORLD_READABLE: this allows other applications who know the name and location of the resource to read it. Context.MODE_WORLD_WRITEABLE: this allows other applications who know the name and location of the resource to write to it.
  40. Agnitio hands on
     • Analyse the Android Pandemobium app
     Speaker notes: Browse to PreferencesActivity.java, select the Java rules and click scan on this file. The openFileOutput method highlighted shows that the username and password are being written in the clear to the device file system. Explain that whilst MODE_PRIVATE is being used, it’s limited. accountServiceURL is also highlighted; we need to open res/values/strings.xml to see what this URL is: it’s a non-SSL URL. Go back to PreferencesActivity.java and show how we submit the username and password to this non-SSL URL on the “actualURL” line. The next openFileOutput highlighted writes a value called accountId to a file in the clear with MODE_WORLD_READABLE and MODE_WORLD_WRITABLE set. Why is this important? Well, let’s see how accountId is used! Browse to TradeActivity.java, select the Java rules and click scan on this file. Scroll down until you see URL highlighted on the end of tradeServiceURL; we need to open res/values/strings.xml to see what this URL is: it’s a non-SSL URL. Go back to TradeActivity.java and show how we submit the accountId (retrieved using retrieveAccountId in util/AccountUtils.java) as part of the stock purchase request on the “actualURL” line. Any malicious app on the phone could retrieve our WORLD_READABLE accountId value and submit trade requests as us. Two lines down (try { Log.d) we also write the request URL to a log file including the accountId again.
  41. iOS Source Code
        #import "TipViewController.h"
        #import "StockDatabase.h"
        #import "/usr/include/sqlite3.h"
        #import "ASIHTTPRequest.h"
        #import "ASIFormDataRequest.h"

        @implementation TipViewController
        @synthesize keyboardToolbar;

        - (id)initWithNibName:(NSString *)nibNameOrNil bundle:(NSBundle *)nibBundleOrNil {
            self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
            if (self) {
                // Custom initialization
                stockDB = [[StockDatabase alloc] init];
            }
            return self;
        }
     Speaker notes: How do we analyse iOS code now? If you have the source code it’s pretty simple, just like a normal Objective-C code review; you almost need to treat this like an old C/C++ style code review and look for things like buffer overflows. Like the world of fashion, what is old is new again. It isn’t impossible to get the source code from an app (i.e. decompiling it) but it is very hard, certainly not as easy as it is with Android apps.
  42. iOS Static Analysis
     • writeToFile()
     • openURL()
     • sqlite3_prepare()
     • NSFILE
     Speaker notes: writeToFile() writes data to a local file on the device. openURL(): mobile devices communicate across a variety of networks, both trusted and untrusted. Therefore it is important that communications be encrypted, typically using HTTPS. sqlite3_prepare(): untrusted inputs should not be used to create SQL statements. It is preferable to compile queries using sqlite3_prepare_v2 or sqlite3_prepare16_v2 and then put untrusted values into parameters passed to that statement. NSFILE: data files on iOS receive some protection from other processes, but care should be taken when storing data in case the device is lost and jailbroken by an attacker.
  43. Agnitio hands on
     • Analyse the iOS Pandemobium app
     Speaker notes:
        CD "C:\Users\David Rook\Desktop"
        adb pull /data/app/com.pandora.android.apk
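The sinks and file modes from the Android static analysis slide, the PreferencesActivity/TradeActivity walkthrough, and the iOS sinks on the slide above, served by one added example that is not code from the talk or from the Agnitio project: a small rule-based sink scanner in Python, run over constructed Java and Objective-C lines modelled on the walkthrough. The example.invalid URLs, the variable names, the rule identifiers and the reviewer advice strings are the example's own; the sinks it looks for (openFileOutput, openOrCreateDatabase, rawQuery, the MODE_WORLD_* constants, sqlite3_prepare, writeToFile:, non-SSL URLs, logging of accountId) are the ones the slides name.

```python
"""Added example (not code from the talk or from Agnitio): a line-oriented
sink scanner in the spirit of the Agnitio rule sets used on the Android and
iOS static analysis slides. Each rule is a regular expression over one
source line plus the advice a reviewer would attach to that sink."""
import re

# (language, rule id, pattern, reviewer advice). "any" rules apply to both.
RULES = [
    ("java", "world-readable-file",
     re.compile(r"\bopen(FileOutput|OrCreateDatabase)\s*\(.*MODE_WORLD_(READABLE|WRITE?ABLE)"),
     "file or database readable/writable by any app on the device; use MODE_PRIVATE"),
    ("java", "local-file-write",
     re.compile(r"\bopen(FileOutput|OrCreateDatabase)\s*\("),
     "data written to the device; confirm nothing sensitive is stored in the clear"),
    ("java", "raw-sql",
     re.compile(r"\b(rawQuery|execSQL)\s*\(\s*\"[^\"]*\"\s*\+"),
     "SQL built by string concatenation; use compileStatement() with bound parameters"),
    ("java", "sensitive-log",
     re.compile(r"\bLog\.[dievw]\s*\(.*(password|accountId|token)", re.I),
     "sensitive value written to the device log"),
    ("objc", "legacy-sqlite-prepare",
     re.compile(r"\bsqlite3_prepare\s*\("),
     "legacy API; prefer sqlite3_prepare_v2 with bound parameters"),
    ("objc", "sql-format-string",
     re.compile(r"stringWithFormat:@\"\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I),
     "SQL built from a format string; bind untrusted values as parameters instead"),
    ("objc", "local-file-write",
     re.compile(r"\bwriteToFile:"),
     "data written to the device; use the keychain or data protection for secrets"),
    ("any", "cleartext-url",
     re.compile(r"http://", re.I),
     "non-SSL URL; use HTTPS"),
]


def scan(source, language):
    """Return [(line_number, rule_id, advice)] for every rule that fires."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for lang, rule_id, pattern, advice in RULES:
            if lang in (language, "any") and pattern.search(line):
                hits.append((lineno, rule_id, advice))
    return hits


# Constructed Java lines modelled on the PreferencesActivity / TradeActivity
# walkthrough (the example.invalid URL and variable names are made up here).
SAMPLE_JAVA = """FileOutputStream fos = openFileOutput("credentials", Context.MODE_PRIVATE);
fos.write((username + ":" + password).getBytes());
String accountServiceURL = "http://example.invalid/account";
FileOutputStream acct = openFileOutput("accountId", Context.MODE_WORLD_READABLE | Context.MODE_WORLD_WRITEABLE);
Log.d("TradeActivity", "request: " + actualURL + " accountId=" + accountId);
Cursor c = db.rawQuery("SELECT * FROM stocks WHERE symbol = '" + symbol + "'", null);
"""

# Constructed Objective-C lines exercising the iOS sinks from the slide.
SAMPLE_OBJC = """NSString *sql = [NSString stringWithFormat:@"SELECT * FROM tips WHERE symbol = '%@'", symbol];
sqlite3_prepare(db, [sql UTF8String], -1, &stmt, NULL);
[tips writeToFile:path atomically:YES];
NSURL *url = [NSURL URLWithString:@"http://example.invalid/tips"];
"""

if __name__ == "__main__":
    for lang, sample in (("java", SAMPLE_JAVA), ("objc", SAMPLE_OBJC)):
        for lineno, rule_id, advice in scan(sample, lang):
            print("%s line %d [%s]: %s" % (lang, lineno, rule_id, advice))
```

Line 4 of the Java sample fires twice on purpose: the generic "local file write" rule records that data is stored on the device at all, and the MODE_WORLD_* rule records that any other app can read it, which is exactly the chain the walkthrough follows from PreferencesActivity to the trade request.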
  44. My USB key........
     • I have some things on my USB key you might want
     • .apk files of popular and “suspicious” Android apps
     • System.img file for v2.2 emulator to enable the marketplace
     • You have to trust my USB key is safe to use ;-)
  45. www.securityninja.co.uk   http://sourceforge.net/projects/agnitiotool/   @securityninja   /realexninja   /securityninja   /realexninja
  46. QUESTIONS?   www.securityninja.co.uk   http://sourceforge.net/projects/agnitiotool/   @securityninja   /realexninja   /securityninja   /realexninja
