Virtue Security - The Art of Mobile Security 2013

A short presentation on some of the many issues that play a role in mobile security.

Published in: Technology

Transcript

  • 1. THE ART OF MOBILE SECURITY
    (ISC)2 New York Metro, April 2013
    Elliott Frantz, http://www.virtuesecurity.com
  • 2. Agenda
    • Platform security
    • Pentesting mobile applications
    • Identifying attack vectors
    • Current events
    • Changing culture and the future of mobile security
  • 3. Mobile Platform Security
    • Mobile platforms have a large gray area between functionality and security issues.
    • Many features of mobile platforms create cached artifacts of runtime data.
    • Applications must properly defend against these functions to contain sensitive data.
  • 4. iOS Background Screen Cache
    • Screenshots taken when user hits the ‘home’ button.
    • Can be forensically recovered from device.
    • App developers must properly handle background events to hide sensitive data on screen.
  • 5. iOS UITextFields
    • Known as the iOS “native keylogger”
    • iOS will cache text entered in these fields
    • Data can be forensically recovered or easily accessed on a jailbroken device:
      /private/var/mobile/Library/Keyboard/UserDictionary.sqlite
      /private/var/mobile/Library/Keyboard/dynamic-text.dat
  • 6. Android Content Providers
    • Can act as a data store for multiple applications
    • Often used for single applications
    • Must properly restrict permissions for other applications
    • Malicious apps may attempt to read from your provider
  • 7. Pentesting Mobile Applications
    Objectives:
    • Identify data transmitted (protocols, hosts, ports)
    • MITM the client to attack the application layer
    • Analysis of business logic and technologies used
    • Identify and subvert client-side controls
    • Static analysis of application binary
    • Identify cached data
  • 8. Mobile Man-in-the-Middle
    • Many ways to MITM apps – go with the simplest configuration (often an HTTP proxy)
    • Apps using custom protocols must use network proxies like Mallory
    • A variety of frameworks are available to bypass certificate pinning.
  • 9. Application Analysis
    • Compare use of the application to the data transmitted to determine client-side controls.
    • Construct a threat model for business logic
    • What are the abuse cases that relate to the business?
  • 10. Defeating Client Side Controls (Android)
    • Android may be easiest to modify code and repackage the APK.
    • Tools such as Virtuous Ten can perform this quickly
    • Apps can also be manipulated with Java debugging methods (DDMS)
  • 11. Defeating Client Side Controls (iOS)
    • iOS Objective-C runtime can be easily manipulated with cycript/Mobile Substrate
    • Can jump to arbitrary points in the application, call functions, replace code.
  • 12. Code Patching
    • Identify “simple logic”, e.g. a jailbreak check that collapses to a single boolean return:

        int is_our_phone_jailbroken(void) {
            if (/* lengthy convoluted jailbreak detection */)
                return 1;
            else
                return 0;
        }

    • Only one byte needs to be modified
  • 13. Attack Vectors
    • SMS/MMS
    • Baseband / WiFi
    • APNS/GCM (push notifications)
    • Inter-app comm. (Intents, URL schemes)
    • Lost/stolen device
    • Technology misconfigurations (OAuth, etc.)
    • Many more…
  • 14. Camera EXIF Data
    • GPS data is often embedded in photos taken
    • Server side components must scrub EXIF data
  • 15. WebViews
    • Introduces web-based vectors (XSS, CSRF, etc.)
    • WebView JS may be invoked and take parameters from native code
    • Some configurations can invoke native code from JS
    • Caching can be an issue (NSURLConnection)
  • 16. C Memory Management
    • Dangerous functions should still be avoided (strcpy(), strcmp())
    • Memory should still be properly cleaned when using malloc(), free(), realloc(), etc.
  • 17. Static Analysis (iOS)
    • iOS IPAs can be decrypted with a memory dump at runtime.
    • Examine archive and plist files.
    • The binary can be examined like traditional compiled binaries (‘strings’, dump symbol table, etc.)
  • 18. Static Analysis (Android)
    • Android apps are packaged as APK files (can be extracted with any zip utility)
    • Inspect package for build/debug artifacts
    • Search code for hardcoded strings
    • Useful to reconstruct code as Java
    • Check for native code in /libs
    • Examine AndroidManifest.xml
  • 19. Personal Devices
    • Consider how data can be leaked
    • Consider what apps can invoke your application
    • Consider what apps your application invokes
  • 20. Hardware Concerns
    • Huawei and ZTE becoming popular smartphone manufacturers.
    • Hardware is increasingly easy to manufacture.
  • 21. Carrier Concerns
    • Owners of customized Android ROMs must distribute updates themselves (they don’t).
    • Millions of users are left with critical vulnerabilities.
  • 22. Where are we?
    • Not everything is terrible!
    • iOS and Android provide ASLR, DEP, application sandboxes built in.
    • ARMv8 introduces 64-bit CPUs
  • 23. Where are we going?
    • We are more functionality driven than ever
    • Threats are more malicious than ever
    • World population is growing
    • Developing nations are increasingly technical
  • 24. Questions?
  • 25. References
    • http://iphonedevwiki.net/index.php/MobileSubstrate
    • http://www.cycript.org/
    • http://code.google.com/p/networkpx/wiki/class_dump_z
    • http://www.virtuous-ten-studio.com/
    • http://developer.android.com/guide/topics/providers/content-provider-basics.html
    • http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf
    • http://intrepidusgroup.com/insight/mallory/
    • https://isecpartners.com/tools/mobile-security
    • http://www.virtuesecurity.com/
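The server-side scrubbing slide 14 calls for, as an added example that is not part of the presentation: a plain JPEG segment walker that drops the Exif APP1 segment (where the GPS IFD lives) and copies everything else untouched. It uses only the standard library; the sample JPEG is constructed inline and is not a real photo.

```python
# Added example (not from the slides): server-side EXIF scrubbing for uploaded
# JPEGs. A JPEG is a sequence of marker segments; EXIF metadata, including the
# GPS IFD, lives in APP1 segments whose payload starts with "Exif\0\0".
import struct

APP1, SOS, EOI = 0xFFE1, 0xFFDA, 0xFFD9

def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of `jpeg` with every Exif APP1 segment removed.
    Other segments (JFIF, ICC, quantization tables, frame header) are kept, and
    everything from SOS onward is copied verbatim, so pixel data is untouched."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker, = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker == SOS:                     # entropy-coded data: no metadata after this
            out += jpeg[pos:]
            return bytes(out)
        if marker == EOI:                     # degenerate file with no scan data
            out += jpeg[pos:pos + 2]
            return bytes(out)
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header at offset %d" % pos)
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts itself, not the marker
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("malformed segment at offset %d" % pos)
        payload = jpeg[pos + 4:end]
        if not (marker == APP1 and payload.startswith(b"Exif\x00\x00")):
            out += jpeg[pos:end]
        pos = end
    raise ValueError("unexpected end of file before SOS/EOI")

def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: SOI, a JFIF APP0, an Exif APP1 carrying a placeholder GPS
# tag, then a minimal SOS segment and EOI. Just enough structure to exercise the walker.
EXIF_PAYLOAD = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08GPSLatitude=placeholder"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_PAYLOAD)
    + b"\xff\xda\x00\x02" + b"\x12\x34\x56" + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; Exif still present:", b"Exif" in cleaned)
```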
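A first static pass over an APK covering the checks on slide 18 (build/debug artifacts, hardcoded strings, native code under lib/, the manifest) together with the content provider permission point from slide 6, as an added example that is not part of the presentation. It assumes the manifest text handed to unprotected_exported_providers() has already been decoded (real APKs store it as binary XML; apktool output is in this form), and the sample APK is built in memory.

```python
# Added example (not from the slides): APKs are plain zip archives, so Python's
# zipfile is enough for a first static pass. Assumption: the manifest is already
# decoded to text (e.g. by apktool); inside the APK it is binary XML.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
STRING_PATTERNS = {
    "url": re.compile(rb"https?://[\w.:/-]+"),
    "credential": re.compile(rb"(?i)(?:password|api[_-]?key|secret)\s*[=:]\s*[\w-]+"),
}

def native_libs(apk):
    """Native code under lib/<abi>/ needs its own review as a compiled binary."""
    return [n for n in apk.namelist() if n.startswith("lib/") and n.endswith(".so")]

def debug_artifacts(apk):
    """Build/debug leftovers that should not ship in a release package."""
    return [n for n in apk.namelist() if re.search(r"debug|test|proguard|\.map$", n, re.I)]

def hardcoded_strings(apk):
    """Grep every entry (dex, assets, resources) for URLs and credential-looking strings."""
    hits = {}
    for name in apk.namelist():
        for kind, pattern in STRING_PATTERNS.items():
            for m in pattern.finditer(apk.read(name)):
                hits.setdefault(kind, []).append((name, m.group(0).decode("latin-1")))
    return hits

def unprotected_exported_providers(manifest_xml):
    """Providers other apps can reach with no permission/readPermission/writePermission."""
    flagged = []
    for p in ET.fromstring(manifest_xml).iter("provider"):
        exported = p.get(ANDROID + "exported", "false").lower() == "true"
        guarded = any(p.get(ANDROID + k) for k in ("permission", "readPermission", "writePermission"))
        if exported and not guarded:
            flagged.append(p.get(ANDROID + "name"))
    return flagged

# Constructed sample APK, assembled in memory so the example runs offline.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app"><application>
  <provider android:name=".NotesProvider" android:authorities="com.example.notes" android:exported="true"/>
  <provider android:name=".CacheProvider" android:authorities="com.example.cache" android:exported="false"/>
</application></manifest>"""

def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", MANIFEST)
        z.writestr("classes.dex", b"dex\n035\x00api_key=sk_test_placeholder\x00https://api.example.com/v1\x00")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("assets/debug-config.json", b"{}")
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))
```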