Mobile Security Assessment: 101

BSides Chicago 2013 presentation by Trey Keifer of WireHarbor Security (http://www.wireharbor.com) on Mobile Application Security Assessment

Transcript of "Mobile Security Assessment: 101"

1. Intro to Mobile Security Assessment: Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.
2. Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously: Led Global Application Security for an F500 Insurance co.
• Focus on: Application Security, Mobile Security, Source Code Review
• Partnerships:
3. Agenda
• Overview
• Attack Vectors
• Setup
• Basic Techniques
• Advanced Tech.
• Questions
4. Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.
5. RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can't trust user input.
6. Mobile Assessment: Key Difference
• User-access to runtime environment
DEVS: **New perspective allows us to see everything you are doing**
VS...
7. Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of the sandbox, but are still limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Users gain root (superuser) privileges; with an unlocked bootloader they can go further and flash a custom kernel/ROM, turning the phone into ???
8. Attack Vectors
• GSM Network
• GPS
• Applications (Malware)
• Application Vuln's (Objective-C)
• Browser Exploits
• Web Services
• Bluetooth
• WIFI (Rogue Access Points)
• NFC/RFID
9. Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS (Android is more of a free-for-all)
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag) - Rarely used in 3rd-party applications
• Certificate Verification
• Device Encryption
10. Mobile Security Assessment
• Step #1: Jailbreak
• Step #2: ???
• Step #3: PROFIT!!!
11. Jailbreak in 30 sec
• DISCLAIMER: BRICK WARNING!!!
• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
• DISCLAIMER: APPSTORE DEREGULATION!
• Beware of Jailbreak SCAMMERS!
• iPhone Dev Team (blog.iphone-dev.org)
• evad3rs Team (http://evasi0n.com/)
• Android is more complicated. (SuperOneClick) Hardware/OS/Carrier dependent
12. Tools
• Jailbroken/Rooted Device
• Cydia Applications (tcpdump, sqlite, etc...)
• Android Debug Bridge (ADB)
• GDB (Runtime analysis)
• IDA Pro (Binary Reverse-Engineering)
• MobileSubstrate/Cycript
• BurpSuite (HTTP Analysis)
• Xcode/Eclipse (Custom development, binary tools)
13. Finding Targets
PLENTY of them out there...
650,000+ Applications in AppStore*
250,000+ listed for iPad
• App Store: ~/Music/iTunes/iTunes Media/Mobile Applications - .ipa file (zip archive)
• On iOS: /var/mobile/Applications/<UUID>/<AppName>.app/
*Source: Techcrunch, July 2012
14. Techniques - The easy stuff...
15. Mobile Hacking 101
• Gain Access
• Look for interesting data
o Log Files
o Databases
o Crash Dumps
o In-Transit
• Cause interesting execution
o Form Input/Output
o Application Redirects
16. Techniques: Log File Analysis
• Applications output/store lots of logging data.
o ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
o /private/var/log/system.log
17. Techniques: Data Storage
• SQLite - "Self-contained, zero-configuration, embeddable DB"
• Finding sqlite files...
• Automation FTW! (file(1) recognises the SQLite header whatever the extension is)
find . -type f -exec file {} \; | grep -i sqlite
18. Techniques: Data Storage
• Pulling out data...
SELECT * FROM <table>
19. Techniques: SQL Injection
• Should look familiar...
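Worked example for the two data-storage slides and the SQL-injection slide above. This is added here and is not code from the deck: it runs against a constructed in-memory SQLite database standing in for an app's Documents/*.sqlite file. `list_tables` gives the same answer as `.tables` in the sqlite3 shell, `dump_table` is the `SELECT * FROM <table>` step, and the two `notes_for_owner_*` functions contrast a query built with string formatting (the sqlite3_exec + stringWithFormat: pattern seen in iOS apps) with a bound parameter. Table names, rows and payloads are all constructed for the example.

```python
"""Enumerate an app's SQLite store and show why string-built queries are injectable."""
import sqlite3


def build_sample_db():
    """Constructed stand-in for a <AppName>.app/../Documents/*.sqlite file."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, session_token TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO accounts (username, session_token)
            VALUES ('alice', 'tok-alice-1'), ('bob', 'tok-bob-2');
        INSERT INTO notes (owner, body)
            VALUES ('alice', 'alice private note'), ('bob', 'bob private note');
    """)
    return db


def list_tables(db):
    """Same answer as '.tables' in the sqlite3 shell, read from the catalogue."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def dump_table(db, table):
    """SELECT * FROM <table>; the name is checked against the catalogue, then quoted."""
    if table not in list_tables(db):
        raise ValueError("unknown table: %r" % table)
    cur = db.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    return [d[0] for d in cur.description], cur.fetchall()


def notes_for_owner_vulnerable(db, owner):
    """How many apps do it: sqlite3_exec() on a query built with stringWithFormat:."""
    return [r[0] for r in db.execute("SELECT body FROM notes WHERE owner = '%s'" % owner)]


def notes_for_owner_safe(db, owner):
    """Bound parameter (sqlite3_bind_text in C); the value can never become SQL."""
    return [r[0] for r in db.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


# Constructed payloads: a tautology, and a UNION that reads a different table
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT session_token FROM accounts WHERE 'a'='a"

if __name__ == "__main__":
    db = build_sample_db()
    for table in list_tables(db):
        print(table, dump_table(db, table))
    print("vulnerable, tautology:", notes_for_owner_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union    :", notes_for_owner_vulnerable(db, UNION_DUMP))
    print("safe, tautology      :", notes_for_owner_safe(db, TAUTOLOGY))
    print("safe, union          :", notes_for_owner_safe(db, UNION_DUMP))
```

The UNION payload is the one to keep in mind on a device: a local SQLite file usually holds every table the app has, so one injectable query in a harmless feature reads session tokens out of a table the feature never touches.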
20. Techniques: XSS Injection
• XSS is in there too... Be careful with WebKit. (UIWebView object)
"Of the 197 vulnerabilities, 142 are related to WebKit...", ZDNet review of iOS 6
// user is untrusted; a value such as "; alert(1); // closes the literal and runs as script
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
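Added example for the UIWebView slide above, modelled in Python rather than Objective-C (it is not the speaker's code). `build_js_vulnerable` reproduces the slide's initWithFormat: splice, `build_js_quote_only` is the naive fix of backslashing only the quotes, and `build_js_safe` serialises the value as a JSON string literal first (NSJSONSerialization or equivalent escaping does the same job on iOS). `code_outside_string_literals` is a small scanner written for this example that blanks out the contents of double-quoted literals, so you can see which part of the attacker-supplied text the JS engine would actually execute. Both payloads are constructed.

```python
"""Untrusted text spliced into the JavaScript passed to stringByEvaluatingJavaScriptFromString:."""
import json


def build_js_vulnerable(user):
    """The slide's initWithFormat:@"var v=\"%@\";" with no escaping at all."""
    return 'var v="%s";' % user


def build_js_quote_only(user):
    """Naive fix: escape the quotes and nothing else."""
    return 'var v="%s";' % user.replace('"', '\\"')


def build_js_safe(user):
    """Serialise the value as a JSON string literal first: quotes, backslashes,
    newlines and U+2028/2029 all come out escaped, so it stays data."""
    return "var v=%s;" % json.dumps(user)


def code_outside_string_literals(js):
    """Return `js` with the contents of double-quoted string literals removed.
    Tracks whether the scanner is inside a "..." literal and honours backslash
    escapes; whatever survives is what the JS engine would execute as code."""
    out, in_str, i = [], False, 0
    while i < len(js):
        c = js[i]
        if in_str:
            if c == "\\":               # escaped character: stays inside the literal
                i += 2
                continue
            if c == '"':
                in_str = False
                out.append(c)
        else:
            if c == '"':
                in_str = True
            out.append(c)
        i += 1
    return "".join(out)


def smuggles_code(js, marker="alert("):
    """True if the marker lands outside every string literal, i.e. would run."""
    return marker in code_outside_string_literals(js)


# Constructed payloads: the classic quote break-out, and one that supplies its own
# backslash so that a quote-only escape turns into an escaped backslash + live quote
PAYLOAD_QUOTE = '"; alert(document.cookie); //'
PAYLOAD_BACKSLASH = '\\"; alert(document.cookie); //'

if __name__ == "__main__":
    builders = (("vulnerable", build_js_vulnerable), ("quote-only", build_js_quote_only),
                ("safe", build_js_safe))
    for payload in (PAYLOAD_QUOTE, PAYLOAD_BACKSLASH):
        for name, build in builders:
            js = build(payload)
            print("%-10s runs=%-5s %s" % (name, smuggles_code(js), js))
```

Note that the backslash payload does nothing against the completely unescaped version and everything against the quote-only fix, which is why reviewing for "did they escape the quotes" is not enough: the fix has to produce a well-formed literal for every input, which is what a JSON encoder guarantees.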
21. Techniques: Proxy Intercept
• iOS validates server certificates, so an intercepting proxy's forged certificate is rejected until you install the Burp Suite CA certificate on the device. Apps that pin their server certificate will still refuse the proxied connection; that is a runtime-manipulation job.
http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/
22. Techniques: Event Handler Abuse
• Apps can register their own URL handlers via plist files (CFBundleURLTypes in Info.plist). Anything on the device can then invoke them:
o [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];
23. Techniques: Event Handler Abuse
• Finding interesting handlers...
$> strings <target>.app/<target> | grep "://" | grep -v "http"
<string>googlegmail://</string>
<string>googlegmail://</string>
<string>mgc://</string>
<string>currents://</string>
<string>googletranslate://</string>
<string>comgoogleshopper://</string>
<string>comgoogleearth://</string>
<string>googlelatitude://</string>
<string>googlebooks://</string>
<string>currents://</string>
(The <string> lines are plist XML, so this particular listing came from grepping Info.plist rather than the binary; both are worth checking, since the binary also shows the schemes the app calls in other apps.)
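Added example (not from the deck) for the two URL-handler slides: a Python version of the strings | grep pipeline, plus `handler_input`, which shows what a custom-scheme handler actually receives from openURL:. `strings` uses the same printable-run rule as strings(1); `SAMPLE_BINARY` is a constructed byte blob standing in for <target>.app/<target>, and every scheme and URL in it is made up for the example.

```python
"""Find custom URL schemes in an app binary and look at what a handler receives."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the bytes of <target>.app/<target>: a few __cstring
# entries separated by NUL and some non-printable "code" bytes
SAMPLE_BINARY = (
    b"\x00\x01\xf0\xe3\x1e\xff\x2f\xe1"
    b"https://api.example.invalid/v1/login\x00"
    b"myapp://\x00"
    b"myapp://reset?token=%@\x00"
    b"http://www.example.invalid/help\x00"
    b"fb123456789://authorize\x00"
    b"\x7f\x00\x00\x00"
    b"tel://\x00"
)


def strings(blob, min_len=4):
    """strings(1) in one line: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def custom_schemes(blob):
    """strings | grep '://' | grep -v http, reduced to the distinct scheme names."""
    found = set()
    for s in strings(blob):
        m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*)://", s)
        if m and not m.group(1).lower().startswith("http"):
            found.add(m.group(1).lower())
    return sorted(found)


def handler_input(url, expected_scheme):
    """What application:openURL: hands the app. Everything after the scheme is chosen
    by whoever sent the URL (another app, a web page in Safari), so it is untrusted."""
    parts = urlsplit(url)
    if parts.scheme.lower() != expected_scheme.lower():
        raise ValueError("unexpected scheme %r" % parts.scheme)
    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": parts.netloc, "path": parts.path, "query": query}


if __name__ == "__main__":
    print(custom_schemes(SAMPLE_BINARY))
    print(handler_input("myapp://?foo=urb&blerg=gah", "myapp"))
    print(handler_input("myapp://reset?token=../../../etc/passwd", "myapp"))
```

The scheme check is the only thing the app gets for free: host, path and every query value arrive exactly as the caller wrote them, which is why the handler is a classic place to find the file-path, SQL and WebView injections from the earlier slides.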
24. Advanced Techniques - The FUN stuff...
25. Advanced Techniques: Overview
• Binary Decryption
o API Tokens
o Hard-coded Passwords
• Passive/Active Fuzzing
• Reverse Engineering Token Generation Algorithms
• Runtime Execution Interception/Manipulation
o Interesting "hidden" methods
o Web Services APIs
26. Advanced Techniques: Objective-C (iOS) Primer
• A superset of standard C with Smalltalk-style message passing, designed to be "Object-oriented easy."
• Because it is still C underneath, the good old days are back: Buffer Overflows, Format Strings, etc... RETURN!!!
27. Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
o Display file headers (Mach-O and Universal)
o Display Crypt segment info
o Dump machine code
o List Shared Libraries
• ARM Processors
o RISC instruction set
o Little-endian representation
28. Advanced Techniques: iOS Binary Inspection
• Universal Binaries - Contain multiple versions (one Mach-O slice per architecture)
o otool -f <file>
• May be encrypted (cryptid 1 = App Store FairPlay encryption still applied; cryptid 0 = already decrypted)
o otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO
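Added example, not from the deck: a Python reader for the two otool views on this slide. It parses the big-endian fat header (what otool -f prints) and each little-endian slice's load commands, records the __TEXT segment and LC_ENCRYPTION_INFO (cryptoff/cryptsize/cryptid), and `dump_range` turns that into the memory range you hand to gdb's dump memory on the runtime-inspection slide later in the deck: for a non-PIE binary with __TEXT at 0x1000 the encrypted page starts at 0x2000, which is the breakpoint address the deck uses. The sample binaries are constructed with `_thin`/`_fat` for the example rather than taken from a real app.

```python
"""Read fat headers and LC_ENCRYPTION_INFO from a Mach-O (otool -f / otool -l by hand)."""
import struct

FAT_MAGIC = 0xCAFEBABE          # fat header and fat_arch table are big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit ARM slices are little-endian
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM = 12
CPU_SUBTYPE_ARM_V6, CPU_SUBTYPE_ARM_V7 = 6, 9


def parse_slice(blob, base):
    """Walk the load commands of one thin Mach-O starting at file offset `base`."""
    magic, cputype, cpusubtype, _ft, ncmds, _size, _flags = struct.unpack_from("<7I", blob, base)
    if magic == MH_MAGIC:
        off = base + 28
    elif magic == MH_MAGIC_64:
        off = base + 32                     # mach_header_64 carries a reserved field
    else:
        raise ValueError("no Mach-O header at offset 0x%x" % base)
    info = {"offset": base, "cputype": cputype, "cpusubtype": cpusubtype,
            "text_vmaddr": None, "text_fileoff": None, "encryption": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            fmt = "<16s3I" if cmd == LC_SEGMENT else "<16s3Q"
            segname, vmaddr, _vmsize, fileoff = struct.unpack_from(fmt, blob, off + 8)
            if segname.rstrip(b"\0") == b"__TEXT":
                info["text_vmaddr"], info["text_fileoff"] = vmaddr, fileoff
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
            info["encryption"] = {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return info


def parse_macho(blob):
    """One dict per architecture slice (a thin file yields a single-element list)."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return [parse_slice(blob, 0)]
    nfat_arch = struct.unpack_from(">I", blob, 4)[0]
    slices = []
    for i in range(nfat_arch):
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
        slices.append(parse_slice(blob, offset))
    return slices


def is_encrypted(info):
    """cryptid 1 means the App Store's FairPlay encryption is still applied."""
    return info["encryption"] is not None and info["encryption"]["cryptid"] == 1


def dump_range(info):
    """Virtual address range of the encrypted bytes for a non-PIE slice loaded at its
    link-time address; with PIE, add the slide gdb reports for the image."""
    enc = info["encryption"]
    start = info["text_vmaddr"] - info["text_fileoff"] + enc["cryptoff"]
    return start, start + enc["cryptsize"]


# --- constructed sample files (not real apps): header + __TEXT + LC_ENCRYPTION_INFO ---
def _thin(cpusubtype, cryptid):
    text = struct.pack("<2I16s8I", LC_SEGMENT, 56, b"__TEXT", 0x1000, 0x4000, 0, 0x4000, 5, 5, 0, 0)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x3000, cryptid)
    header = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 2, len(text + enc), 0)
    body = header + text + enc
    return body + b"\0" * (0x100 - len(body))


def _fat(slices):
    header = struct.pack(">2I", FAT_MAGIC, len(slices))
    archs, bodies, offset = b"", b"", 0x100
    for cpusubtype, body in slices:
        archs += struct.pack(">5I", CPU_TYPE_ARM, cpusubtype, offset, len(body), 8)
        bodies += body
        offset += len(body)
    table = header + archs
    return table + b"\0" * (0x100 - len(table)) + bodies


SAMPLE_STORE_BINARY = _fat([(CPU_SUBTYPE_ARM_V6, _thin(CPU_SUBTYPE_ARM_V6, 1)),
                            (CPU_SUBTYPE_ARM_V7, _thin(CPU_SUBTYPE_ARM_V7, 1))])
SAMPLE_DECRYPTED_BINARY = _thin(CPU_SUBTYPE_ARM_V7, 0)

if __name__ == "__main__":
    for s in parse_macho(SAMPLE_STORE_BINARY) + parse_macho(SAMPLE_DECRYPTED_BINARY):
        print("slice @0x%x cputype %d subtype %d encrypted=%s range=%s"
              % (s["offset"], s["cputype"], s["cpusubtype"], is_encrypted(s),
                 ["0x%x" % a for a in dump_range(s)]))
```

On a fat App Store binary you will see one LC_ENCRYPTION_INFO per slice, and the one that matters for dumping is the slice the device actually runs; the file offsets in the fat table are what let you patch the decrypted bytes back into the right place.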
29. Advanced Techniques: iOS Runtime Inspection
• Anti-Debugging (The Anti-BYOD part)
o ptrace PT_DENY_ATTACH
o sysctl check (kinfo_proc p_flag & P_TRACED)
o Known files
o Binary Packing
o Code Checksums
o Driver Checks
o Timing Measurements
o Code Obfuscation
o Junk Code
30. Advanced Techniques: iOS Runtime Inspection
• GDB
o Execute/load binary
o Breakpoint on start address 0x2000 (PIE may cause this to move on you)
o gdb $> dump memory <filename> <start address> <end address>
o The start/end addresses are the LC_ENCRYPTION_INFO cryptoff/cryptsize range as loaded; once the loader has decrypted the app, the dump is the cleartext __TEXT you write back over the encrypted region of a copy of the binary (and set cryptid to 0) before handing it to IDA.
31. Advanced Techniques: iOS Binary Inspection, Unencrypted
• IDA Pro - Binary graphing/analysis...
32. IDA Pro: What to look for?
• Using the Apple DEV reference
o File Writes
o Network Connections
o Keychain Access
o UI Form Fields
33. Advanced Techniques: iOS Runtime Manipulation
• Cycript - JavaScript/Obj-C Interpreter
o Hook active apps via MobileSubstrate
o Interact with binaries at runtime using JS
http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript_Tricks
34. Advanced Techniques: iOS Runtime Manipulation
• Example:
cy# [SBAwayController.sharedAwayController isPasswordProtected]
1
cy# [UIApp.keyWindow recursiveDescription]
<KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
| <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
| | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
| | | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
| | | | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
| | | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
| | | | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
| | | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
| | | | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>
35. Advanced Techniques: Fuzzing
• Custom scripts... (Python, Ruby, JavaScript)
• Dumb or Smart
o Mutation-Based: Randomly substitute data in a valid sample.
o Generation-Based: Build inputs from the RFC or file-format spec, so malformed values get past the cheap checks.
• Classic Targets
o Any file types. (PDF, PPT, etc...)
o Protocols (HTTP, SMS, Push Notifications, etc...)
o Image formats (PNG, TIFF, etc...)
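Added example for the mutation-based vs generation-based distinction on this slide; it is not the speaker's script. It fuzzes one of the deck's "classic targets", PNG, against a strict chunk parser written for the example that is meant to raise ValueError and nothing else: `mutate` is the dumb mutator (bit flips, byte sets, truncation, insertion over a constructed seed file), `generate` keeps CRCs and chunk structure valid so that hostile IHDR values reach the deeper checks, and `campaign` tallies ok / rejected / crash. For a real target you replace `parse_png` with a harness around the image-loading API and treat every crash as a bug to triage.

```python
"""Dumb mutation fuzzer vs a generation-based one, run against a small PNG chunk parser."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Build a PNG chunk: big-endian length, 4-byte type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# Constructed seed: a minimal valid PNG (1x1, 8-bit RGB, no IDAT) used as the corpus
SEED = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + chunk(b"IEND", b"")


def parse_png(data):
    """Strict chunk walker: malformed input must raise ValueError, never anything else."""
    if data[:8] != PNG_SIG:
        raise ValueError("bad signature")
    pos, chunks = 8, []
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated chunk header")
        length = struct.unpack_from(">I", data, pos)[0]
        if length > 0x7FFFFFFF or len(data) - pos - 12 < length:
            raise ValueError("chunk length exceeds file")     # the classic integer-overflow spot
        ctype = data[pos + 4:pos + 8]
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            raise ValueError("bad chunk type")
        body = data[pos + 8:pos + 8 + length]
        if struct.unpack_from(">I", data, pos + 8 + length)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("crc mismatch")
        if ctype == b"IHDR":
            if length != 13:
                raise ValueError("IHDR length")
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
                raise ValueError("IHDR dimensions")
        chunks.append((ctype.decode("ascii"), length))
        pos += 12 + length
    if not chunks or chunks[0][0] != "IHDR" or chunks[-1][0] != "IEND":
        raise ValueError("IHDR/IEND ordering")
    return chunks


def mutate(seed, rng):
    """Mutation-based: a few random bit flips, byte overwrites, truncations, insertions."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "trunc", "insert"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "set" and buf:
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif op == "trunc" and buf:
            del buf[rng.randrange(len(buf)):]
        elif op == "insert":
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes([rng.randrange(256)]) * rng.randint(1, 8)
    return bytes(buf)


def generate(rng):
    """Generation-based: structurally valid chunks (good CRCs) carrying boundary values
    from the PNG spec, so the parser gets past signature and CRC checks every time."""
    width = rng.choice((0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF))
    height = rng.choice((0, 1, 0x7FFFFFFF, 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, rng.choice((0, 1, 8, 16, 255)),
                       rng.choice((0, 2, 3, 6, 7)), 0, 0, rng.choice((0, 1, 2)))
    extra = bytes(rng.randrange(256) for _ in range(rng.randint(0, 32)))
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(rng.choice((b"tEXt", b"IDAT", b"zzzz")), extra) + chunk(b"IEND", b""))


def campaign(cases, parser=parse_png):
    """Tally outcomes; anything other than ok/ValueError is a crash worth triaging."""
    tally = {"ok": 0, "rejected": 0, "crash": 0}
    for case in cases:
        try:
            parser(case)
            tally["ok"] += 1
        except ValueError:
            tally["rejected"] += 1
        except Exception:
            tally["crash"] += 1
    return tally


if __name__ == "__main__":
    rng = random.Random(2013)
    print("seed      :", parse_png(SEED))
    print("mutation  :", campaign(mutate(SEED, rng) for _ in range(1000)))
    print("generation:", campaign(generate(rng) for _ in range(1000)))
```

The two tallies show the trade-off the slide is making: most dumb mutants die at the signature or CRC check and never exercise the length arithmetic, while the generated cases all get through to it.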
36. Passive Fuzzing - iOS
• Using MobileSubstrate:
37. Advanced Techniques: iOS Runtime Manipulation
• What can we do with this?
o Application Tracing/Logging (filesystem, network, etc...)
o Turn off Jailbreak detection
o Fake GPS data... (think: location-aware security)
o The possibilities get scarier as trust grows...
38. Trey Keifer
847-239-5626
trey.keifer@wireharbor.com
Twitter: @wireharbor
Facebook: facebook.com/wireharbor
http://www.wireharbor.com
THANK YOU!!!
