Virtue Security - The Art of Mobile Security 2013
A short presentation on some of the many issues that play a role in mobile security.

Presentation Transcript

THE ART OF MOBILE SECURITY
(ISC)2 New York Metro, April 2013
Elliott Frantz
http://www.virtuesecurity.com

Agenda
• Platform security
• Pentesting mobile applications
• Identifying attack vectors
• Current events
• Changing culture and the future of mobile security

Mobile Platform Security
• Mobile platforms have a large gray area between functionality and security issues.
• Many features of mobile platforms create cached artifacts of runtime data.
• Applications must properly defend against these functions to contain sensitive data.

iOS Background Screen Cache
• Screenshots are taken when the user hits the 'home' button.
• They can be forensically recovered from the device.
• App developers must properly handle background events to hide sensitive data on screen.

iOS UITextFields
• Known as the iOS "native keylogger".
• iOS will cache text entered in these fields.
• Data can be forensically recovered, or easily accessed on a jailbroken device:
  /private/var/mobile/Library/Keyboard/UserDictionary.sqlite
  /private/var/mobile/Library/Keyboard/dynamic-text.dat

Android Content Providers
• Can act as a data store for multiple applications.
• Often used for single applications.
• Must properly restrict permissions for other applications.
• Malicious apps may attempt to read from your provider.

Pentesting Mobile Applications
Objectives:
• Identify data transmitted (protocols, hosts, ports)
• MITM the client to attack the application layer
• Analysis of business logic and technologies used
• Identify and subvert client-side controls
• Static analysis of the application binary
• Identify cached data

Mobile Man-in-the-Middle
• There are many ways to MITM apps; go with the simplest configuration (often an HTTP proxy).
• Apps using custom protocols must use network proxies like Mallory.
• A variety of frameworks are available to bypass certificate pinning.

Application Analysis
• Compare use of the application to the data transmitted to determine client-side controls.
• Construct a threat model for the business logic.
• What are the abuse cases that relate to the business?

Defeating Client Side Controls (Android)
• Android may be the easiest platform on which to modify code and repackage the APK.
• Tools such as Virtuous Ten can perform this quickly.
• Apps can also be manipulated with Java debugging methods (DDMS).

Defeating Client Side Controls (iOS)
• The iOS Objective-C runtime can be easily manipulated with cycript/MobileSubstrate.
• Can jump to arbitrary points in the application, call functions, replace code.

Code Patching
• Identify "simple logic":

    Is_our_phone_jailbroken() {
        if (/* lengthy, convoluted jailbreak detection */)
            return 1;
        else
            return 0;
    }

• Only one byte needs to be modified.

Attack Vectors
• SMS/MMS
• Baseband / WiFi
• APNS/GCM (push notifications)
• Inter-app communication (Intents, URL schemes)
• Lost/stolen device
• Technology misconfigurations (OAuth, etc.)
• Many more...

Camera EXIF Data
• GPS data is often embedded in photos taken.
• Server-side components must scrub EXIF data.
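As an added example (not code from the deck or from Virtue Security), the following Python scrubber does the server-side EXIF removal the slide calls for at the JPEG container level: it walks the segment headers that precede the scan data and drops any APP1 segment whose payload carries the Exif signature, which is the segment that holds the GPS IFD, while keeping JFIF, quantization tables and image data untouched. The sample JPEG bytes are constructed inline and contain only a minimal, empty Exif header; no real photo is embedded.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"   # start/end of image markers
APP1, SOS = 0xE1, 0xDA                 # APP1 (Exif/XMP) and start-of-scan markers
EXIF_MAGIC = b"Exif\x00\x00"           # APP1 payloads starting with this are Exif


def iter_segments(jpeg: bytes):
    """Yield (marker, raw_segment) for each header segment up to and including SOS.

    Everything after SOS is entropy-coded scan data (plus EOI); it is yielded
    once as (None, remainder) so callers can copy it through unchanged.
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        # 16-bit big-endian length covers the length field itself plus payload
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, jpeg[pos:end]
        pos = end
        if marker == SOS:
            yield None, jpeg[pos:]
            return
    raise ValueError("truncated JPEG: no SOS marker found")


def is_exif_segment(marker, raw: bytes) -> bool:
    # raw = FF E1 <len hi> <len lo> <payload>; the payload starts at offset 4
    return marker == APP1 and raw[4:].startswith(EXIF_MAGIC)


def has_exif(jpeg: bytes) -> bool:
    return any(is_exif_segment(m, raw) for m, raw in iter_segments(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(SOI)
    for marker, raw in iter_segments(jpeg):
        if is_exif_segment(marker, raw):
            continue          # drop the whole segment, GPS tags included
        out += raw
    return bytes(out)


# --- constructed sample input (not a real photograph) ---------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

JFIF_PAYLOAD = b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"
# Exif signature followed by a minimal big-endian TIFF header with zero IFD entries
EXIF_PAYLOAD = EXIF_MAGIC + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00"
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, JFIF_PAYLOAD)   # APP0 / JFIF, must survive scrubbing
    + _segment(APP1, EXIF_PAYLOAD)   # APP1 / Exif, must be removed
    + _segment(SOS, b"")             # start of scan (header only)
    + b"\x12\x34\x56"                # fake entropy-coded scan data
    + EOI
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print("exif before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned))
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

This handles only Exif carried in a JPEG APP1 segment. XMP (also APP1, different signature), IPTC in APP13, and other containers such as PNG or HEIC carry location data through separate paths, so a production upload pipeline normally re-encodes the image through an imaging library and then verifies the result with a check like has_exif rather than relying on segment surgery alone.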
WebViews
• Introduce web-based vectors (XSS, CSRF, etc.).
• WebView JS may be invoked and take parameters from native code.
• Some configurations can invoke native code from JS.
• Caching can be an issue (NSURLConnection).

C Memory Management
• Dangerous functions should still be avoided (strcpy(), strcmp()).
• Memory should still be properly cleaned when using malloc(), free(), realloc(), etc.

Static Analysis (iOS)
• iOS IPAs can be decrypted with a memory dump at runtime.
• Examine the archive and plist files.
• The binary can be examined like traditional compiled binaries ('strings', dump the symbol table, etc.).

Static Analysis (Android)
• Android apps are packaged as APK files (can be extracted with any zip utility).
• Inspect the package for build/debug artifacts.
• Search the code for hardcoded strings.
• Useful to reconstruct the code as Java.
• Check for native code in /libs.
• Examine AndroidManifest.xml.
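The Android static-analysis checklist above and the content-provider slide earlier both come down to the same package inspection, so here is one added Python example covering both (not code from the deck or from any tool it references). It opens the APK with the standard zipfile module, lists native libraries under lib/ (the directory name inside a real package), parses AndroidManifest.xml for a debuggable build and for providers that are exported without any permission, and runs a strings-style scan over assets and dex files for hardcoded URLs and key-like values. The APK it inspects is constructed in memory; its manifest is assumed to be already decoded to plain XML (real packages store it as binary XML, which apktool or a similar decoder turns back into text first). The exported-by-default rule it applies when android:exported is absent (providers were exported by default before targetSdk 17) comes from the Android developer documentation.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (assumed already decoded to text XML).
# NotesProvider is exported with no permission; the other two are safe.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:debuggable="true">
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:exported="true"/>
    <provider android:name=".SettingsProvider"
              android:authorities="com.example.notes.settings"
              android:exported="true"
              android:permission="com.example.notes.READ_SETTINGS"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.notes.cache"
              android:exported="false"/>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Construct an in-memory APK-like zip for the demo (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF stub, constructed")
        z.writestr("assets/config.properties",
                   b"api_url=https://api.example.invalid/v1\n"
                   b"api_key=AKIAEXAMPLEKEY12345\n")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")               # printable runs, like strings(1)
SUSPICIOUS = re.compile(r"https?://|key|secret|passw|token", re.I)


def interesting_strings(blob: bytes):
    """Printable runs that look like endpoints or credentials."""
    return [m.group().decode() for m in STRING_RE.finditer(blob)
            if SUSPICIOUS.search(m.group().decode())]


def analyze_manifest(xml_bytes: bytes, target_sdk=None):
    """Flag debuggable builds and providers reachable by other apps."""
    findings = []
    root = ET.fromstring(xml_bytes)
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "debuggable") == "true":
        findings.append(("debuggable", "android:debuggable=true"))
    for p in root.iter("provider"):
        exported = p.get(ANDROID_NS + "exported")
        if exported is None:
            # Default from Android docs: providers are exported unless targetSdk >= 17
            exported = "true" if (target_sdk is None or target_sdk < 17) else "false"
        protected = any(p.get(ANDROID_NS + attr)
                        for attr in ("permission", "readPermission", "writePermission"))
        if exported == "true" and not protected:
            findings.append(("exposed_provider", p.get(ANDROID_NS + "name")))
    return findings


def analyze_apk(apk_bytes: bytes):
    """Run the package-level checks over an APK and return (kind, detail) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for n in names:                                  # native code shipped in lib/
            if n.startswith("lib/") and n.endswith(".so"):
                findings.append(("native_code", n))
        findings += analyze_manifest(z.read("AndroidManifest.xml"))
        for n in names:                                  # hardcoded strings
            if n.endswith(".dex") or n.startswith(("assets/", "res/raw/")):
                for s in interesting_strings(z.read(n)):
                    findings.append(("hardcoded_string", "%s: %s" % (n, s)))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_apk(build_sample_apk()):
        print("%-17s %s" % (kind, detail))
```

On a real package the manifest read would be preceded by a binary-XML decode, and the string scan is deliberately loose: it surfaces candidates for a reviewer, while the provider check is the part that maps directly to the remediation (set android:exported="false", or attach a permission, on every provider that is not meant to be shared).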
Personal Devices
• Consider how data can be leaked.
• Consider what apps can invoke your application.
• Consider what apps your application invokes.

Hardware Concerns
• Huawei and ZTE are becoming popular smartphone manufacturers.
• Hardware is increasingly easy to manufacture.

Carrier Concerns
• Owners of customized Android ROMs must distribute updates themselves (they don't).
• Millions of users are left with critical vulnerabilities.

Where are we?
• Not everything is terrible!
• iOS and Android provide ASLR, DEP and application sandboxes built in.
• ARMv8 introduces 64-bit CPUs.

Where are we going?
• We are more functionality-driven than ever.
• Threats are more malicious than ever.
• World population is growing.
• Developing nations are increasingly technical.

Questions?

References
• http://iphonedevwiki.net/index.php/MobileSubstrate
• http://www.cycript.org/
• http://code.google.com/p/networkpx/wiki/class_dump_z
• http://www.virtuous-ten-studio.com/
• http://developer.android.com/guide/topics/providers/content-provider-basics.html
• http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf
• http://intrepidusgroup.com/insight/mallory/
• https://isecpartners.com/tools/mobile-security
• http://www.virtuesecurity.com/