
Avalanche Disclosure


Story about static analysis of 15k mobile Apps.

Published in: Technology, Design


  1. Avalanche Disclosure. Story about static analysis of 15k mobile Apps.
  2. Who am I? • Work hard on defense • Have fun in offensive • Break things. Alexey Troshichev, @pl0lq, pl0lq@hackapp.com. #ZeroNights2013 hackapp.com
  3. What's wrong with an App? • Insecure transfer • Injections • Insecure storage • Architecture flaws • Mobile OWASP for bla-bla-bla …
  4. Common Attacks
  5. On-device analysis? • Unlock the device • Remove DRM • Set up a research environment • Dynamic analysis • Time & brains
  6. The App is dangerous for the user, but what about the vendor? Why should we waste time attacking one user, when we can just break into the backend to get them all? Why always just the binary file?
  7. What can an App tell us? • Testing environment disclosure • Third-party service authentication data • Built-in accounts • Something you can't even imagine =)
  8. Why is it interesting? • Installation is not important • Finally, we are just searching for strings… • …and it could be automated =)
  9. Let's build a Grinder!
  10. AWK, STRINGS, GREP? • Not suitable for binary containers • Too much garbage
  11. "Typical" Application: DRM
  12. Actual Application
  13. Steps • Recursive traversal of containers • Search for "unusual" files • Selective GREP • Structure validation
  14. Let's take ~15k iOS Apps from the iTunes Finance section… …I like Finance
  15. What's inside? 224061 files of 1396 types
  16. Low hanging fruits: 94452 files = 42% of the whole
  17. Shared authentication
  18. "Secure" communication
  19. Third party services
  20. Third party services
  21. Access to user data. AWS-secret:eyH0aw7IW7wdL8z2eSyK/A8q7rIF7uEMVpvQkbwC You "publish" your contacts and photos by installing the app… =(
  22. Not identified • RSA private key:MIICeQIBADANBgkqhkiG9w6xmHVejkTokPs68ow== • secret:164AC36F64FCC2D5 • secret:33728B17A93A4A92 • secret:4711429DAE3C6F7C • secret:62ebd594bc903feeea5ee459715e08fa • secret:6508E621E259AC4A • secret:697E46CE13AA557B • secret:76a863da0821f58ecb13e31cb761c573 • secret:a7df64e1d5a33a93c12b06fa0f8c6f47 • secret_android:2859389F73072C90 • secret_android:3D05E67E03216A9B • secret_android:66549A9BB401AF56 • secret_android:678649CED531B8E8 • secret_android:745A209380630940 (and more, and more, and more…)
  23. 4% of Apps released with hardcoded credentials
  24. DEV Environment • svn://mokah.siab01.com/ • https://test.freerange360.com/ • http://test.mmf.berlingskemedia.net • http://test.informatel.com • http://test.improveagency.com • http://test.appswiz.com • https://test.freerange360. • https://dev.magtab.com:8888 • http://dev.touchpublisher.com • http://dev.pressrun.com/ • http://dev.openstreetmap.de/ • http://dev.aleph-labs.com (and more, and more…)
  25. Mad Stuff
  26. Shocking configs • SMS gateway • OpenVPN config
  27. Unpredictable
  28. Developers' Certificates: P12 containers, most are encrypted, but..
  29. HAVE NO TIME TO EXPLAIN
  30. Is there an App for that? http://hackapp.com/
  31. Dashboard
  32. Report
  33. Details
  34. Questions? URL: http://hackapp.com/ Twitter: @hackapp Mail: info@hackapp.com
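The four-step "grinder" of slides 10 and 13 (recursive traversal of containers, search for unusual files, selective grep, structure validation), applied to the kinds of findings shown on slides 21, 22 and 24, as an added example. This is not the hackapp.com tool or the speaker's code. The IPA it scans is constructed in memory with fake material (the AWS secret is the value AWS uses in its own documentation), and the extension lists, the regexes and the "grinder" helper names are assumptions chosen for the demo; a real run would point `scan_container` at each downloaded .ipa instead.

```python
import base64
import binascii
import io
import os
import re
import zipfile

# Flagged on name alone: keys, certificates, VPN profiles, database dumps (slides 26-28).
UNUSUAL_EXT = {".p12", ".pfx", ".pem", ".key", ".ovpn", ".sql", ".sqlite", ".db", ".mobileprovision"}
# Asset noise skipped outright; most of an IPA by file count is this kind of material.
NOISE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ttf", ".otf", ".mp3", ".caf", ".nib", ".car"}
# Only these get the grep ("" covers the extensionless Mach-O main binary).
GREP_EXT = {"", ".plist", ".json", ".xml", ".strings", ".js", ".html", ".txt", ".cfg",
            ".conf", ".ovpn", ".properties", ".pem", ".key"}

# Demo regexes (assumptions, not the talk's); each captures the candidate value.
PATTERNS = {
    "aws_access_key":  re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret":      re.compile(rb"(?i)aws[_-]?secret\W{1,3}([A-Za-z0-9/+=]{40})"),
    "hex_secret":      re.compile(rb"(?i)\bsecret(?:_android)?\W{1,3}([0-9a-f]{16}|[0-9a-f]{32})\b"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----\s*"
                                  rb"([A-Za-z0-9+/=\s]+?)\s*-----END"),
    "dev_test_host":   re.compile(rb"\b(?:https?|svn)://(?:dev|test|staging)\.[A-Za-z0-9.-]+(?::\d+)?\b"),
}


def iter_files(container, prefix=""):
    """Step 1: yield (path, bytes) for every file, descending into nested zips (an IPA is a zip)."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data, path = zf.read(info), prefix + info.filename
            if zipfile.is_zipfile(io.BytesIO(data)):
                yield from iter_files(data, path + "!/")
            else:
                yield path, data


def validate(kind, value):
    """Step 4: keep a grep hit only if it decodes as the object it claims to be."""
    try:
        if kind == "aws_secret":          # 40 base64 chars encoding exactly 30 bytes
            return len(base64.b64decode(value, validate=True)) == 30
        if kind == "hex_secret":          # 8- or 16-byte hex blob
            return len(bytes.fromhex(value.decode())) in (8, 16)
        if kind == "pem_private_key":     # body must be base64 of a DER SEQUENCE (tag 0x30)
            return base64.b64decode(b"".join(value.split()), validate=True)[:1] == b"\x30"
    except (binascii.Error, ValueError):
        return False
    return True                           # access keys and hosts are fully shaped by the regex


def scan_container(container):
    """Steps 2-3: flag unusual files by name, grep only text-like files, return (path, kind, value)."""
    findings = []
    for path, data in iter_files(container):
        ext = os.path.splitext(path)[1].lower()
        if ext in NOISE_EXT:
            continue
        if ext in UNUSUAL_EXT:
            findings.append((path, "unusual_file", ext))
        if ext not in GREP_EXT:
            continue
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(data):
                value = m.group(1) if m.groups() else m.group(0)
                if validate(kind, value):
                    findings.append((path, kind, value.decode(errors="replace")[:40]))
    return findings


def build_sample_ipa():
    """Constructed IPA-shaped archive for the demo; every credential in it is fake."""
    fake_der = b"\x30\x0f" + b"\x02\x01\x00" * 5                    # minimal DER SEQUENCE
    real_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(fake_der)
                + b"-----END RSA PRIVATE KEY-----\n")
    # A template that looks like a key but decodes to "hello world": structure check must reject it.
    bogus_pem = b"-----BEGIN RSA PRIVATE KEY-----\naGVsbG8gd29ybGQ=\n-----END RSA PRIVATE KEY-----\n"
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:                          # a vendor SDK zipped inside the app
        zf.writestr("vendor/dev.properties",
                    b"endpoint=https://dev.example.com:8888/api\nsecret=62ebd594bc903feeea5ee459715e08fa\n")
    ipa = io.BytesIO()
    with zipfile.ZipFile(ipa, "w") as zf:
        # Mach-O magic followed by the AWS documentation example secret, as a binary would carry it
        zf.writestr("Payload/Bank.app/Bank",
                    b"\xcf\xfa\xed\xfe\x00aws_secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00")
        zf.writestr("Payload/Bank.app/Info.plist", b"<plist><string>https://api.example.com/</string></plist>")
        zf.writestr("Payload/Bank.app/config.json",
                    b'{"secret":"164AC36F64FCC2D5","secret_android":"zz-not-hex-zz","base":"http://test.example.com/v1"}')
        zf.writestr("Payload/Bank.app/keys.pem", real_pem)
        # Two false positives: the bogus key and a 40-char string with '=' in the middle (not base64)
        zf.writestr("Payload/Bank.app/template.txt",
                    bogus_pem + b"aws_secret:AAAA=BBBB=CCCC=DDDD=EEEE=FFFF=GGGG=HHHHI\n")
        zf.writestr("Payload/Bank.app/sdk.zip", nested.getvalue())
        zf.writestr("Payload/Bank.app/logo.png", b"\x89PNG secret:deadbeefdeadbeef")  # noise, never grepped
    return ipa.getvalue()


if __name__ == "__main__":
    for path, kind, value in scan_container(build_sample_ipa()):
        print(f"{kind:16} {path}  {value}")
```

The point of the last step is visible in `template.txt`: plain `grep` would report two "secrets" there, but neither survives decoding, while the 32-hex secret and the dev host hidden one container deeper (`sdk.zip!/vendor/dev.properties`) are only reached because traversal recurses into nested archives.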
