THE ART OF MOBILE SECURITY
(ISC)2 NEW YORK METRO APRIL 2013
Elliott Frantz
http://www.virtuesecurity.com
Agenda
• Platform security
• Pentesting mobile applications
• Identifying attack vectors
• Current events
• Changing culture and the future of mobile security
Mobile Platform Security
• Mobile platforms have a large gray area between functionality and security issues.
• Many features of mobile platforms create cached artifacts of runtime data.
• Applications must properly defend against these functions to contain sensitive data.
iOS Background Screen Cache
• A screenshot is taken when the user hits the ‘home’ button.
• It can be forensically recovered from the device.
• App developers must properly handle background events to hide sensitive data on screen.
iOS UITextFields
• Known as the iOS “native keylogger”
• iOS will cache text entered in these fields
• Data can be forensically recovered or easily accessed on a jailbroken device:
/private/var/mobile/Library/Keyboard/UserDictionary.sqlite
/private/var/mobile/Library/Keyboard/dynamic-text.dat
Android Content Providers
• Can act as a data store for multiple applications
• Often used for single applications
• Must properly restrict permissions for other applications
• Malicious apps may attempt to read from your provider
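The permission check the slide asks for can be done from the manifest alone. The script below is an added example, not from the talk: it audits a decoded AndroidManifest.xml for content providers that other apps can reach and reports which ones have no permission guarding them. It assumes the manifest is already plain XML (as apktool or aapt produce); inside a built APK it is binary XML. The sample manifest, package name and provider names are constructed.

```python
"""Audit a decoded AndroidManifest.xml for content providers that other apps can reach.

Added example, not from the slides. Assumes the manifest is already plain XML (as
produced by apktool or aapt); inside a built APK it is binary XML. The sample
manifest below is constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: attribute namespace


def audit_providers(manifest_xml):
    """Return one finding per exported provider, with the permissions guarding it."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target = int(uses_sdk.get(A + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    # The pitfall behind the slide: with no android:exported attribute, a provider is
    # exported by default when targetSdkVersion is below 17 (Android 4.2).
    exported_by_default = target < 17
    findings = []
    for prov in root.iter("provider"):
        exported_attr = prov.get(A + "exported")
        exported = exported_by_default if exported_attr is None else exported_attr.lower() == "true"
        if not exported:
            continue
        perms = {attr: prov.get(A + attr)
                 for attr in ("permission", "readPermission", "writePermission")
                 if prov.get(A + attr)}
        findings.append({
            "provider": prov.get(A + "name"),
            "authorities": prov.get(A + "authorities"),
            "exported_by_default": exported_attr is None,
            "permissions": perms,
            # Reachable by any installed app with no permission check is the case to fix first.
            "severity": "high" if not perms else "info",
        })
    return findings


# Constructed sample manifest (package and provider names are placeholders).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <permission android:name="com.example.notes.READ_NOTES" android:protectionLevel="signature"/>
  <application>
    <!-- No exported attribute: on this target it is exported with no permission at all. -->
    <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider"/>
    <!-- Exported deliberately, but gated by a signature-level permission. -->
    <provider android:name=".ShareProvider" android:authorities="com.example.notes.share"
              android:exported="true" android:readPermission="com.example.notes.READ_NOTES"/>
    <!-- Private to this app. -->
    <provider android:name=".CacheProvider" android:authorities="com.example.notes.cache"
              android:exported="false"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_MANIFEST):
        print(finding["severity"].upper(), finding["provider"], finding["permissions"] or "NO PERMISSION")
```

Run against the sample, `.NotesProvider` comes back as high severity because it inherits the pre-API-17 exported default and declares no permission; bumping targetSdkVersion to 17 in the same manifest makes that finding disappear, which is exactly why an explicit `android:exported` on every provider is the safer habit.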
Pentesting Mobile Applications
Objectives:
• Identify data transmitted (Protocols, hosts, ports)
• MITM the client to attack application layer
• Analysis of business logic and technologies used
• Identify and subvert client side controls
• Static analysis of application binary
• Identify cached data
Mobile Man-in-the-Middle
• Many ways to MITM apps – go with the simplest configuration (often an HTTP proxy)
• Apps using custom protocols must use network proxies like Mallory
• A variety of frameworks are available to bypass certificate pinning.
Application Analysis
• Compare use of the application to the data transmitted to determine client side controls.
• Construct a threat model for business logic
• What are the abuse cases that relate to the business?
Defeating Client Side Controls (Android)
• Android is often the easiest platform on which to modify code and repackage the APK.
• Tools such as Virtuous Ten can perform this quickly
• Apps can also be manipulated with Java debugging methods (DDMS)
Defeating Client Side Controls (iOS)
• The iOS Objective-C runtime can be easily manipulated with cycript/Mobile Substrate
• Can jump to arbitrary points in the application, call functions, replace code.
Code Patching
• Identify “simple logic”:

    Is_our_phone_jailbroken()
    {
        if (/* lengthy convoluted jailbreak detection */)
            return 1;
        else
            return 0;
    }

• Only one byte needs to be modified
Attack Vectors
• SMS/MMS
• Baseband / WiFi
• APNS/GCM (Push notifications)
• Interapp Comm. (Intents, URL Schemes)
• Lost/Stolen device
• Technology misconfigurations (OAuth, etc)
• Many more…
Camera EXIF Data
• GPS data is often embedded in photos taken
• Server side components must scrub EXIF data
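What server-side scrubbing looks like in practice, as an added example that is not part of the deck: the script walks the JPEG marker segments of an upload and drops the metadata-bearing ones (APP1 Exif and XMP, the other APPn segments, COM) while copying the entropy-coded image data through untouched, so no re-encoding is needed and embedded GPS coordinates never reach other users. The sample JPEG is constructed byte-by-byte with a fake Exif block and is not a decodable photo.

```python
"""Server-side EXIF scrubbing for uploaded JPEGs.

Added example, not from the slides. Walks the JPEG marker segments and drops the
metadata-bearing ones before the image is stored or served. Pixel data is copied as-is.
The sample image below is constructed and is not a real photo."""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP14, COM, DQT = 0xFFE0, 0xFFE1, 0xFFEE, 0xFFFE, 0xFFDB
# APP0 (JFIF) and APP14 (Adobe colour transform) are needed to decode the image;
# everything else in the APPn range is metadata (Exif, XMP, IPTC, ICC, ...) and can go.
KEEP_APP = {APP0, APP14}


def jpeg_segments(data):
    """Yield (marker, payload) per header segment; the SOS entry carries the rest of the file.

    Optional 0xFF fill bytes before markers are not handled; uploads that use them are rare."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            yield marker, data[pos + 2:]      # scan header + entropy-coded data through EOI
            return
        if marker == EOI:
            yield marker, b""
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length overruns file at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS/EOI")


def has_exif(data):
    """True if an APP1 Exif segment (the one that carries the GPS IFD) is present."""
    return any(m == APP1 and p.startswith(b"Exif\x00\x00") for m, p in jpeg_segments(data))


def scrub_jpeg(data):
    """Return (clean_bytes, removed_markers); only header segments are touched."""
    out = bytearray(b"\xff\xd8")
    removed = []
    for marker, payload in jpeg_segments(data):
        if marker == SOS:
            out += b"\xff\xda" + payload
            break
        if marker == EOI:
            out += b"\xff\xd9"
            break
        is_metadata = (APP1 <= marker <= 0xFFEF and marker not in KEEP_APP) or marker == COM
        if is_metadata:
            removed.append(marker)
            continue
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out), removed


def _seg(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed sample: valid marker framing with a fake Exif block, not a decodable photo."""
    jfif = _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # Fake Exif payload: "Exif\0\0", little-endian TIFF header, one IFD entry whose tag
    # 0x8825 is the GPS IFD pointer, i.e. the part that leaks location.
    exif = _seg(APP1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00"
                + b"\x01\x00" + b"\x25\x88\x04\x00\x01\x00\x00\x00\x1a\x00\x00\x00"
                + b"\x00\x00\x00\x00")
    comment = _seg(COM, b"camera: constructed sample")
    dqt = _seg(DQT, b"\x00" + bytes(64))
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
    return b"\xff\xd8" + jfif + exif + comment + dqt + sos + scan


if __name__ == "__main__":
    sample = build_sample_jpeg()
    clean, removed = scrub_jpeg(sample)
    print("exif before:", has_exif(sample), "after:", has_exif(clean),
          "removed:", [hex(m) for m in removed])
```

Because the scan data is copied verbatim, the output decodes identically to the input; the only behavioural difference is that a viewer no longer finds an Exif block. Rejecting rather than repairing files that fail the framing checks is the right call for an upload endpoint, since a malformed marker stream is more often an attack on the image parser than a camera quirk.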
WebViews
• Introduces web based vectors (XSS, CSRF, etc.)
• WebView JS may be invoked and take parameters from native code
• Some configurations can invoke native code from JS
• Caching can be an issue (NSURLConnection)
C Memory Management
• Dangerous functions should still be avoided (strcpy(), strcmp())
• Memory should still be properly cleaned when using malloc(), free(), realloc(), etc.
Static Analysis (iOS)
• iOS IPAs can be decrypted with a memory dump at runtime.
• Examine archive and plist files.
• The binary can be examined like traditional compiled binaries (‘strings’, dumping the symbol table, etc.)
Static Analysis (Android)
• Android apps are packaged as APK files. (Can be extracted with any zip utility)
• Inspect package for build/debug artifacts
• Search code for hardcoded strings
• Useful to reconstruct code as Java
• Check for native code in /libs
• Examine AndroidManifest.xml
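The two static analysis slides describe the same first pass over a binary: open the package, list what is in it, and run a strings-style scan for things that should not be hardcoded. The script below is an added example, not from the talk, that does that pass over an APK, treating it as the zip file the slide says it is: it flags native code under lib/<abi>/ (the slide's /libs), flags leftover build and debug artifacts, and extracts printable-ASCII runs from the dex and .so members to look for URLs, credentials and key material. The same strings scan applies to a decrypted iOS binary. The APK, its member contents and the artifact patterns are constructed for the example; the heuristics are mine, not a standard, and the manifest is only checked for presence because in a built APK it is binary XML that needs decoding first.

```python
"""First-pass APK triage: list members, flag native code and debug leftovers, and run a
strings-style scan for hardcoded values.

Added example, not from the slides. The sample APK is a constructed zip whose member
contents are placeholders, not real dex or ELF; the artifact patterns are heuristics."""
import io
import re
import zipfile

NATIVE_DIR = "lib/"   # built APKs carry native code under lib/<abi>/*.so
# Files that should not ship in a release build (constructed heuristic list).
DEBUG_PATTERNS = re.compile(
    r"(\.map$|\.bak$|\.orig$|/test/|debug|\.jks$|\.keystore$|\.pem$|\.key$)", re.I)
# strings(1)-style: runs of at least 8 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Values worth a human look once extracted.
SUSPICIOUS = re.compile(
    r"(https?://|password|passwd|secret|api[_-]?key|token|BEGIN (RSA|EC|PRIVATE))", re.I)


def extract_strings(blob):
    """Printable-ASCII runs from an arbitrary binary, like the strings tool the slide names."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def triage_apk(apk_bytes):
    """Return a dict of findings for one APK given as bytes."""
    report = {"manifest_present": False, "native_libs": [], "debug_artifacts": [], "hardcoded": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                # Binary XML inside the APK; decode (apktool/aapt) before auditing components.
                report["manifest_present"] = True
            if name.startswith(NATIVE_DIR) and name.endswith(".so"):
                report["native_libs"].append(name)
            if DEBUG_PATTERNS.search(name):
                report["debug_artifacts"].append(name)
            if name.endswith((".dex", ".so")):
                hits = [s for s in extract_strings(zf.read(name)) if SUSPICIOUS.search(s)]
                if hits:
                    report["hardcoded"][name] = hits
    return report


def build_sample_apk():
    """Constructed APK-shaped zip; every member body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder-binary-xml")
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + bytes(16)
                    + b"https://api.example.test/v1/login\x00"
                    + b"api_key=CONSTRUCTED-SAMPLE-KEY-0123456789\x00"
                    + b"normal text that is not interesting\x00")
        zf.writestr("lib/armeabi-v7a/libnative.so",
                    b"\x7fELF" + bytes(12) + b"BEGIN RSA PRIVATE KEY placeholder\x00")
        zf.writestr("assets/config.bak", b"debug=true")
        zf.writestr("res/layout/main.xml", b"\x03\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(key, "=>", value)
```

Run on the sample, the report names one native library, one leftover `.bak` file and three suspicious strings across the dex and the shared object; on a real APK the same pass is the shortlist of what to read in the reconstructed Java and what to put in the report as a finding.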
Personal Devices
• Consider how data can be leaked
• Consider what apps can invoke your application
• Consider what apps your application invokes
Hardware Concerns
• Huawei and ZTE are becoming popular smartphone manufacturers.
• Hardware is increasingly easy to manufacture.
Carrier Concerns
• Owners of customized Android ROMs must distribute updates themselves (they don’t).
• Millions of users are left with critical vulnerabilities.
Where are we?
• Not everything is terrible!
• iOS and Android provide ASLR, DEP, and application sandboxes built in.
• ARMv8 introduces 64-bit CPUs
Where are we going?
• We are more functionality driven than ever
• Threats are more malicious than ever
• World population is growing
• Developing nations are increasingly technical
Questions?
References
• http://iphonedevwiki.net/index.php/MobileSubstrate
• http://www.cycript.org/
• http://code.google.com/p/networkpx/wiki/class_dump_z
• http://www.virtuous-ten-studio.com/
• http://developer.android.com/guide/topics/providers/content-provider-basics.html
• http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf
• http://intrepidusgroup.com/insight/mallory/
• https://isecpartners.com/tools/mobile-security
• http://www.virtuesecurity.com/

  • 13. Attack Vectors • SMS/MMS • Baseband / WiFi • APNS/GCM (Push notifications) • Interapp Comm. (Intents, URL Schemes) • Lost/Stolen device • Technology misconfigurations (OAuth, etc) • Many more…
  • 14. Camera EXIF Data • GPS data is often embedded in photos taken • Server side components must scrub EXIF data
  • 15. WebViews • Introduces web based vectors (XSS, CSRF, etc..) • WebView JS may be invoked and take parameters from native code • Some configurations can invoke native code from JS • Caching can be an issue (NSURLConnection)
  • 16. C Memory Management • Dangerous functions should still be avoided (strcpy(), strcmp()) • Memory should still be properly cleaned when using malloc(), free(), realloc(), etc..
  • 17. Static Analysis (iOS) • iOS IPAs can be decrypted with a memory dump at runtime. • Examine archive and plist files. • The binary can be examined like traditional compiled binaries (‘Strings’, dump symbol table, etc..)
  • 18. Static Analysis (Android) • Android apps are packaged as APK files. (Can be extracted with any zip utility) • Inspect package for build/debug artifacts • Search code for hardcoded strings • Useful to reconstruct code as Java • Check for native code in /libs • Examine AndroidManifest.xml
  • 19. Personal Devices • Consider how data can be leaked • Consider what apps can invoke your application • Consider what apps your application invokes
  • 20. Hardware Concerns • Huawei and ZTE becoming popular smartphone manufacturers. • Hardware is increasingly easy to manufacture.
  • 21. Carrier Concerns • Owners of customized Android ROMs must distribute updates themselves (they don’t). • Millions of users are left with critical vulnerabilities.
  • 22. Where are we? • Not everything is terrible! • iOS and Android provide ASLR, DEP, application sandboxes built in. • ARMv8 introduces 64bit cpus
  • 23. Where are we going? • We are more functionality driven than ever • Threats are more malicious than ever • World population is growing • Developing nations are increasingly technical
  • 25. References • http://iphonedevwiki.net/index.php/MobileSubstrate • http://www.cycript.org/ • http://code.google.com/p/networkpx/wiki/class_dump_z • http://www.virtuous-ten-studio.com/ • http://developer.android.com/guide/topics/providers/content-provider- basics.html • http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/H uawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf • http://intrepidusgroup.com/insight/mallory/ • https://isecpartners.com/tools/mobile-security • http://www.virtuesecurity.com/
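Slides 6 and 18 say that a content provider must restrict access from other applications and that a pentester should examine AndroidManifest.xml and search the reconstructed Java for hardcoded strings. The script below is an added example of those two checks, written for this page; it is not code from the talk or from any tool it names. It assumes the APK has already been unzipped and its manifest decoded to plain XML (a decoder such as apktool does this), and the manifest and Java sources it scans are constructed samples, not a real app.

```python
"""Static checks over a decoded Android package: the AndroidManifest.xml and
decompiled Java sources.  Added example for slides 6 and 18 of the deck, not
code from the original talk.  The manifest and sources below are constructed
sample input, not taken from any real application."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifest, in the plain-XML form a decoder produces.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:debuggable="true">
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:exported="true"/>
    <provider android:name=".ConfigProvider"
              android:authorities="com.example.notes.config"
              android:exported="true"
              android:readPermission="com.example.notes.READ_CONFIG"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.notes.cache"
              android:exported="false"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return a list of finding strings for a decoded manifest."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element"]
    if _attr(app, "debuggable") == "true":
        findings.append("application is debuggable (a debugger such as DDMS can attach)")
    if _attr(app, "allowBackup") != "false":
        findings.append("allowBackup not disabled (app data can leave the device via adb backup)")
    for prov in app.findall("provider"):
        name = _attr(prov, "name")
        exported = _attr(prov, "exported")
        guarded = any(_attr(prov, a) for a in ("permission", "readPermission", "writePermission"))
        if exported is None:
            # The default for providers changed across API levels, so an unset
            # value needs a manual check against minSdkVersion.
            findings.append("provider %s does not set android:exported explicitly" % name)
        elif exported == "true" and not guarded:
            findings.append("provider %s is exported to every app without a permission" % name)
    return findings


# Patterns for the "hardcoded strings" pass over reconstructed Java.
SECRET_PATTERNS = {
    "aws access key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded credential": re.compile(r'(?i)(password|passwd|secret|api[_-]?key)\s*=\s*"[^"]{4,}"'),
    "cleartext http url": re.compile(r'"http://[^"\s]+"'),
}

# Constructed sample sources keyed by path, as a decompiler would lay them out.
SAMPLE_SOURCES = {
    "com/example/notes/Api.java": """
package com.example.notes;
public class Api {
    static final String BASE = "http://api.example.invalid/v1/";
    static final String API_KEY = "sk_live_constructed_sample_0123";
}
""",
    "com/example/notes/Util.java": """
package com.example.notes;
public class Util { static int add(int a, int b) { return a + b; } }
""",
}


def scan_sources(files):
    """Return (path, line number, label) for every pattern hit in the sources."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, lineno, label))
    return hits


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("manifest:", finding)
    for path, lineno, label in scan_sources(SAMPLE_SOURCES):
        print("%s:%d: %s" % (path, lineno, label))
```

On the sample, `ConfigProvider` passes because it is exported behind a read permission and `CacheProvider` passes because it is not exported at all; only `NotesProvider` is reported, which is exactly the "malicious apps may attempt to read from your provider" case on slide 6. The regexes are a starting list to extend per engagement, and every hit still needs a human to confirm whether the string is really sensitive.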
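Slide 14 states that server side components must scrub EXIF data from uploaded photos because GPS coordinates are often embedded in them. The following added example shows what that scrub has to do at the byte level; it is written for this page and is not code from the talk. It walks the JPEG marker segments and drops the ones that carry metadata (APP1, where Exif lives, the other APPn segments and COM), keeping APP0 and APP14, which decoders read. The JPEG it operates on is a constructed, structurally valid sample with an Exif placeholder, not a real photo.

```python
"""Strip EXIF and other metadata segments from a JPEG by walking its marker
segments.  Added example for slide 14 of the deck (server side scrubbing of
EXIF), not code from the original talk.  SAMPLE_JPEG is constructed."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: SOI, EOI, TEM and the restart markers RST0-7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
# Segments to drop: APP1 (Exif/XMP) through APP15 except APP14 (Adobe colour
# transform, needed for decoding), plus COM.  APP0 (JFIF) is kept as well.
METADATA = (set(range(0xE1, 0xF0)) - {0xEE}) | {0xFE}


def iter_segments(data):
    """Yield (marker, start, end) byte spans for each segment before the scan;
    the SOS header plus all entropy-coded data after it is one final chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 0
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        end = pos + 2 + length
        if marker == SOS:
            # Assumption: metadata sits before the scan (true for files written
            # by cameras), so the scan and everything after it is copied as is.
            yield marker, pos, len(data)
            return
        yield marker, pos, end
        pos = end


def marker_list(data):
    """Marker codes in file order; handy for checking what survived a scrub."""
    return [marker for marker, _, _ in iter_segments(data)]


def strip_metadata(data):
    """Return the JPEG with all METADATA segments removed."""
    out = bytearray()
    for marker, start, end in iter_segments(data):
        if marker not in METADATA:
            out += data[start:end]
    return bytes(out)


def _seg(marker, payload):
    """Build one length-prefixed segment (length counts its own two bytes)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed 1x1 greyscale JPEG skeleton: enough structure for the walker,
# with an Exif segment standing in for the GPS IFD a camera would write.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00<constructed GPS IFD placeholder>")
    + _seg(0xFE, b"constructed comment")
    + _seg(0xDB, b"\x00" + bytes(range(64)))                  # DQT
    + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")      # SOF0, 1x1, one component
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                  # SOS header
    + b"\x00\x00\x00"                                          # entropy-coded data (constructed)
    + b"\xff\xd9"                                              # EOI
)


if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in marker_list(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in marker_list(cleaned)])
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Two caveats worth keeping in mind when applying this server side: the walker copies everything from the SOS header onward verbatim, so any data appended after EOI (some tools hide a thumbnail or a second file there) would survive and should be truncated at the first EOI; and the same location leak exists for other formats an upload endpoint accepts (PNG text chunks, HEIC boxes), so the check has to be per format rather than a JPEG-only step.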
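Slide 5 names the keyboard cache files under /private/var/mobile/Library/Keyboard and slide 7 lists "identify cached data" as a testing objective. A simple way to test that objective is to type a unique canary value into every input field during the test, copy the app container off the device, and search every file for the raw bytes of the canary. The script below is an added example of that search, written for this page and not taken from the talk or any tool it references; the sandbox it searches is constructed in a temporary directory, with file names copied from slide 5 but made-up contents (the real keyboard cache format is not modelled).

```python
"""Canary search over an app container copied off a test device.  Added example
for slides 5 and 7 of the deck ("identify cached data"), not code from the
original talk.  The container built here is constructed sample data."""
import os
import shutil
import sqlite3
import tempfile

# Constructed value typed into the app under test; any cache that stored the
# field contents will contain these exact bytes.
CANARY = "CANARY-zq7Lw2"


def find_canary(root, canary):
    """Return paths (relative to root) of files whose raw bytes contain canary."""
    needle = canary.encode()
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if needle in fh.read():
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_sandbox(canary):
    """Create a throwaway directory imitating the relevant part of an iOS
    app container.  File names follow slide 5; contents are constructed."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    keyboard = os.path.join(root, "Library", "Keyboard")
    caches = os.path.join(root, "Library", "Caches")
    os.makedirs(keyboard)
    os.makedirs(caches)
    # Stand-in for the keyboard's binary cache: NUL-separated words.
    with open(os.path.join(keyboard, "dynamic-text.dat"), "wb") as fh:
        fh.write(b"\x00hello\x00world\x00" + canary.encode() + b"\x00")
    # Constructed user dictionary.  SQLite stores TEXT values uncompressed in
    # its pages, so a raw byte search finds them without knowing the schema.
    db = sqlite3.connect(os.path.join(keyboard, "UserDictionary.sqlite"))
    db.execute("CREATE TABLE words (word TEXT)")
    db.execute("INSERT INTO words VALUES (?)", (canary,))
    db.commit()
    db.close()
    # A binary cache entry that must not match.
    with open(os.path.join(caches, "image.bin"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return root


def sample_hits():
    """Build the constructed container, search it, clean up, return the hits."""
    root = build_sample_sandbox(CANARY)
    try:
        return find_canary(root, CANARY)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in sample_hits():
        print("canary cached in", hit)
```

A hit in the keyboard cache for a field that holds a password or card number means the field was not marked as secure entry (or had autocorrection enabled), which is the developer-side fix the slide points at; a hit in Library/Caches usually means an HTTP response or view state was written to disk. The byte search is deliberately format-agnostic so it also catches plists, cookie jars and screenshots' filenames, though data stored compressed or encrypted needs a format-specific second pass.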