INFOSECURITY 2013, BRUSSELS
Security assessments in the mobile world
Agenda
► Introduction
► Mobile architecture
  ► An overview
  ► Perceived threats
► How to assess the threats
  ► General approach
  ► Mobile devices
    ► Source code review
    ► Sensitive files
    ► Application permissions
    ► Client side injections
  ► Data communication channel
  ► Server side controls
► Recap
Introduction – Who am I?
► Tim Beyens
► Security Consultant focusing on mobile security and network security
► Working for Ernst & Young since 2009
► Sector focus: Telecommunication
► Typical assignments: penetration testing, network security assignments, … technical security assessments
Introduction – Trends within the mobile world
On the end-user front… (slide consists of a chart only)
Introduction – Trends within the mobile world
The Machine to Machine front is increasing as well… M2M mobile connections are expected to reach 12 billion by 2020.

Industry sector – what M2M connectivity brings:
► Utilities: Smart meters enable efficient energy consumption and management by consumers and service providers
► Healthcare: Remote monitoring technologies can boost cost- and resource-efficient healthcare provision and clinical collaboration
► Automotive: Driver navigation and fleet management tools and on-demand in-vehicle entertainment result in intelligent route planning and greater consumer expenditure. Vehicle connectivity can bring new business models such as pay-as-you-drive insurance
► Consumer Electronics: Richer functionality and storage can improve product differentiation and customer centricity

Source: Ernst & Young research in 2012 – M2M
Introduction – Trends within the mobile world
On the other hand, malware is also being rapidly developed… (timeline 2011 – 2013; months as shown on the slide)
► October: Secret key combo auth bypass (iOS)
► July: ZITMO banking trojan affects all mobile devices
► August: Weakness in SSL cert handling exposes data to interception (iOS)
► April: NotCompatible gains access to local network preferences (Android)
► July: LuckyCat opens a backdoor that allows remote access (Android)
► February 2013: Lock screen of the iPhone can be circumvented (iOS)
► March: Trojanised apps found on Chinese app store (Android)
► August: Google authentication details sent in clear text (Android)
► September: HTC phone vulnerability leaks personal data (Android)
► May: FakeInst SMS Trojan cost end-users 30 million dollars (Android)
► July: SMSzombie abuses China's SMS payment (Android)

Most of these vulnerabilities originate from:
► Jailbreaks, rootkits, …
► Faultily configured application settings
► Faulty downloaded applications (from sources not controlled by the device)
► User preference for simple passwords
► User allows an application to access personal information it does not need
► Reuse of passwords among different applications
► Social engineering (i.e. gaining physical access to the smartphone to steal data)
Introduction – Trends within the mobile world
… In numbers this means (2012 malware targets; pie chart with shares of 40%, 32% and 28%):
► Subscription to premium SMS services
► Information theft (banking apps)
► Botnet integration

Source: ESET, Trends for 2013
Mobile Architecture – An overview
(diagram: 1 = Public APN, 2 = Private APN)
1. Public APN
► APNs used by end-users or machines
► Public, only requires a SIM card of the provider
► Less secure but cheaper
► E.g. your own PDA connecting over 3G
2. Private APN
► Used by companies to easily communicate with field equipment (e.g. G4S transportation)
► Private, only accessible through specific SIM cards
► More secure but more expensive
► E.g. a Coca-Cola vending machine reporting the status of available stock
Mobile Architecture – Perceived threats – End users
1. Mobile phone
► Information disclosure (within the application source code)
► Data stored on the device contains personal information
► Insecure password usage
2. Communication channel
► No encryption applied on the communication channel
3. Server infrastructure
► Improper session, authorization and authentication handling
► Overall weak server side controls (e.g. server side injections)
Mobile Architecture – Perceived threats – Machines
Next to the threats described on the previous page, machine to machine communication has another threat that is easily overlooked…
1. Machines
► What if the SIM card (of the machine) is inserted in a USB 3G stick? This gives access to the private APN, which in turn provides access to a front-end system of the owner of the private APN… From that point onwards a similar penetration testing approach can be used to exploit the front-end device.
► Possible pitfall: some SIM cards might disallow outgoing data traffic…
How to assess the threats – General approach
Mobile device
Objective: Identify vulnerabilities in the applications installed on the devices themselves.
► Reverse engineer the binary using tools such as Clang (static code), GDB and IDA (Pro), and investigate the source code for passwords, server-side keys, … but also learn how the application works!
► Look for sensitive data in databases, logs, back-ups, cached files, …
► Verify the application's permissions
► Perform security tests similar to other web application tests (e.g. session management, authentication management, …)

Communication channel
Objective: Identify vulnerabilities in the data communication channel.
► Verify that the application uses SSL/TLS whenever sensitive information is being transmitted.

Server side controls
Objective: Identify vulnerabilities on the server side of the mobile application.
► Perform attack and penetration tests similar to other web application tests, and use the information found on the local device to leverage your successes.
How to assess the threats – Mobile device – Source code review
Source code review – Android
► The downloaded package (.apk) is actually a zip container; unzipping it will reveal the actual content.
► Loads of files, including classes.dex
Tools used: dex2jar, JD-GUI
Steps to be taken:
► dex2jar.sh classes.dex → classes.jar
► Open the classes.jar file in JD-GUI (or Eclipse, …)
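As an added example (not from the slides or from dex2jar/JD-GUI), the following script treats the .apk as the zip container described above and sanity-checks the classes.dex header (magic, declared size and Adler-32 checksum) before the file is handed to dex2jar; the sample apk it inspects is constructed in memory. It generalises to multidex packages by checking every *.dex entry.

```python
# Added example (not from the slides): open an .apk as the zip container it is and
# sanity-check the classes.dex header (magic, size, Adler-32 checksum) before feeding
# it to dex2jar / JD-GUI. The sample apk below is constructed in memory.
import io
import struct
import zipfile
import zlib

def inspect_dex_header(dex: bytes) -> dict:
    """Parse the fixed 0x70-byte DEX header and verify its checksum."""
    if len(dex) < 0x70:
        raise ValueError("too short to be a DEX file")
    magic = dex[0:8]                       # b"dex\n" + version + NUL, e.g. b"dex\n035\0"
    if not magic.startswith(b"dex\n"):
        raise ValueError("bad DEX magic: %r" % magic)
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, header_size = struct.unpack_from("<II", dex, 32)
    # The Adler-32 covers everything after the checksum field itself.
    computed = zlib.adler32(dex[12:]) & 0xFFFFFFFF
    return {
        "version": magic[4:7].decode(),
        "file_size": file_size,
        "header_size": header_size,
        "size_matches": file_size == len(dex),
        "checksum_ok": computed == checksum,
    }

def inspect_apk(apk_bytes: bytes) -> dict:
    """List the container entries and check every *.dex inside (multidex apps have several)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex_reports = {n: inspect_dex_header(zf.read(n)) for n in names if n.endswith(".dex")}
    return {"entries": names, "dex": dex_reports}

def build_sample_apk() -> bytes:
    """Constructed sample: minimal 'apk' zip holding a synthetic, header-only classes.dex."""
    body = bytearray(0x70)
    body[0:8] = b"dex\n035\0"
    struct.pack_into("<II", body, 32, len(body), 0x70)          # file_size, header_size
    struct.pack_into("<I", body, 40, 0x12345678)                # endian_tag
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml placeholder/>")
        zf.writestr("classes.dex", bytes(body))
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
```

A checksum or size mismatch on a real package means the dex was truncated or modified in transit, which is worth knowing before trusting what JD-GUI shows.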
How to assess the threats – Mobile phone – Source code review
Source code review – iPhone
Before starting any tests on iOS… make sure to jailbreak the device and install:
► OpenSSH
► Mobile terminal
► Cydia = the mother of all tools on jailbroken iPhones! App store for jailbroken iOS.
► Other Linux based tools you want…
Connect your iPhone to a (wireless) hotspot and SSH to it! (default password: alpine)
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
► Not that easy… because most Apple applications are encrypted and signed: code segments look like gibberish when simply reversed.
► However, the downloaded file (.ipa in iTunes, or .app when transferring it from the jailbroken iOS) is still a zip container; unzipping it will reveal the actual content.
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
► Find the application file in the container and … check that the encryption is actually on!
► LC_ENCRYPTION_INFO values:
  ► cryptid
    ► 1 if the binary is encrypted
    ► 0 if the binary is not encrypted
  ► cryptsize: up to what point the application is encrypted
► The iPhone will auto-decrypt it when the application runs on your phone
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
LC_ENCRYPTION_INFO: cryptid = 1
► Automatic: one application: Clutch
► Manual: use a hex editor to change the value to 0
  ► No clear method to find where the cryptid is; search for /System/Library/Frameworks within the hex… can take some time…
► Run the app and dump the code using GDB
  ► gdb -p <PID of the application>
  ► Dump the memory of your application based on the cryptsize
  ► At the GDB CLI: dump memory app.bin <<start of application code>> (our case: 0x0000) <<cryptsize>> (our case: 0x9000)
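The two slides above describe reading LC_ENCRYPTION_INFO (cryptid, cryptsize) and locating it by hand; as an added example, not from the slides or from Clutch, the following parser walks the Mach-O load commands and reports those fields together with the file offset of the cryptid field. It assumes little-endian ARM slices and also walks single- or multi-architecture fat binaries; the Mach-O it parses is constructed in memory.

```python
# Added example (not from the slides): locate LC_ENCRYPTION_INFO in a Mach-O binary and
# report cryptid / cryptoff / cryptsize plus the file offset of the cryptid field
# (the value the slides describe finding by hand). Assumes little-endian ARM slices.
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def find_encryption_info(data: bytes, base: int = 0) -> list:
    """Return one dict per Mach-O slice found (fat binaries are walked slice by slice)."""
    magic, = struct.unpack_from(">I", data, base)
    if magic == FAT_MAGIC:                           # fat header is big-endian
        nfat, = struct.unpack_from(">I", data, base + 4)
        out = []
        for i in range(nfat):                        # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, off, _, _ = struct.unpack_from(">IIIII", data, base + 8 + 20 * i)
            out.extend(find_encryption_info(data, base + off))
        return out
    magic, = struct.unpack_from("<I", data, base)    # thin ARM Mach-O is little-endian
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O header at offset 0x%x" % base)
    is64 = magic == MH_MAGIC_64
    ncmds, = struct.unpack_from("<I", data, base + 16)
    pos = base + (32 if is64 else 28)                # size of mach_header / mach_header_64
    result = {"slice_offset": base, "cryptid": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            result.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                          cryptid_offset=pos + 16)  # file offset of the cryptid field
        pos += cmdsize
    return [result]

def build_sample_macho(cryptid: int) -> bytes:
    """Constructed sample: thin 32-bit ARM Mach-O with an LC_UUID and an LC_ENCRYPTION_INFO."""
    lc_uuid = struct.pack("<II", 0x1B, 24) + b"\0" * 16
    lc_enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x9000, cryptid)
    cmds = lc_uuid + lc_enc
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, len(cmds), 0)   # CPU_TYPE_ARM, MH_EXECUTE
    return header + cmds

def wrap_in_fat(thin: bytes) -> bytes:
    """Constructed sample: wrap one thin slice in a single-architecture fat header."""
    return struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">IIIII", 12, 9, 28, len(thin), 0) + thin

if __name__ == "__main__":
    for s in find_encryption_info(wrap_in_fat(build_sample_macho(1))):
        print(s)
```

Run it against a real binary by reading the file into `data`; a slice with `cryptid` 1 is the case where the dump-from-memory step on the slide applies.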
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
LC_ENCRYPTION_INFO: cryptid = 0
► … when the encryption is not on, or after you used the previous steps, use IDA Pro (with the objc.idc script) to reverse the application. It stays in assembly!
How to assess the threats – Mobile device – Source code review
Source code review (cont.) – What to look for
► Passwords
► Hardcoded URLs
► Administrator bypasses
► Input filter classes
► … anything you would search for in a normal reverse engineering test…
How to assess the threats – Mobile phone – Sensitive files
Data stored on the device
Applications store data in various locations:
► SQLite databases
► Cached data, back-ups, …
► Log files of applications
Easy to find using the SSH connection, and simply inspecting them either with the "cat" command or by copying them locally to your computer and opening them with a viewer you like.
How to assess the threats – Mobile phone – Application permissions
Incorrect authorization set for mobile applications
Each application receives permissions that need to be reviewed because:
► Applications having access to extra functions might be abused (e.g. through client side injection) by attackers to get hold of extra information (low likelihood)
► End-users might not install the application (medium likelihood?)
► iOS: can be reviewed only from iOS version 6, under the 'Privacy settings' tab
► Android: stored in the manifest file
How to assess the threats – Mobile phone – Client side injections
As with normal client applications, mobile applications might be vulnerable to injections.
Set-up of the above screenshots: vulnerable app1 (downloaded from http://www.veracode.com), which contains a basic SQL injection to bypass authentication on the application.
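To make the authentication bypass concrete, here is an added example (not the Veracode app's code, which is Android/Java) showing a login check built by string concatenation next to the parameterised version, both run against a constructed in-memory SQLite users table so the same input can be compared on each.

```python
# Added example (not from the slides or the Veracode app): a login query built by string
# concatenation beside its parameterised form, run against a constructed SQLite database.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample users table; the pw column stands in for a real password hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con

def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # User-controlled text becomes part of the SQL grammar itself.
    sql = "SELECT 1 FROM users WHERE username='%s' AND pw='%s'" % (username, password)
    return con.execute(sql).fetchone() is not None

def login_fixed(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the input as data: the same text can never alter the query.
    sql = "SELECT 1 FROM users WHERE username=? AND pw=?"
    return con.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"      # the basic bypass the vulnerable app falls for
    print("vulnerable:", login_vulnerable(con, "alice", payload))   # True: authentication bypassed
    print("fixed:     ", login_fixed(con, "alice", payload))        # False: rejected
```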
How to assess the threats – Communication channel
Proxy, proxy and proxy again…
Each device has the possibility to route its traffic through a proxy (screenshots: iOS and Android proxy settings).
Once set up, the tests are identical to other web application tests.
How to assess the threats – Communication channel (slide consists of screenshots only)
How to assess the threats – Server side controls
Again… proxy, proxy and proxy again…
► Assess the back-end server as any web service you would encounter:
  ► WSDL assessment
  ► Extracting extra information by manipulating requests
  ► Injection testing
  ► SOAP attachments
  ► …
► Do not forget to assess the infrastructure itself!
Recap
► Mobile applications and mobile phones are on the rise
► Machine 2 machine is on the rise
► But malware is on the rise to capture sensitive files!
Ernst & Young
Assurance | Tax | Transactions | Advisory
2013 Ernst & Young Transaction Advisory Services. All rights reserved.

Tim Beyens
Tel.: +32 2 774 91 81
Mobile: +32 495 743 592
Email: firstname.lastname@example.org

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
For more information about our organization, please visit www.ey.com/be.
Follow us: twitter.com/EY_Belgium