
Attacking and Defending Mobile Applications


The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation gives attendees insight into how mobile application attacks are perpetrated, as well as how we can develop in order to defend against them.



  1. Attacking and Defending Mobile Applications
     Jerod Brennen, Jacadis
  2. Agenda
     • AppSec in the SDLC
     • Mobile Apps From an Attacker’s POV
     • Defensive Tools and Techniques
     • Resources
  3. How to Write Good Code
     From http://xkcd.com/844/
  4. The Secret to Learning Code
     “One of the best techniques to learn to code is to reverse engineer existing code.”
     From http://lifehacker.com/learn-to-code-by-breaking-someone-elses-code-1442438673 & http://blog.teamtreehouse.com/the-secret-to-learning-code
  5. APPSEC IN THE SDLC
  6. Understand Your Environment
     • What development methodologies do we follow?
     • What programming languages do we use?
     • What risk/security frameworks do we follow?
     • What third-party libraries do we use?
     • What stages in the development process require approval from the security team?
  7. Understand Your Platform - iOS
     • Sandbox directories in iOS
     • Defend apps from one another
     • Keychain data is stored outside of the sandbox
     Image from https://developer.apple.com/library/ios/documentation/iphone/conceptual/iphoneosprogrammingguide/TheiOSEnvironment/TheiOSEnvironment.html
  8. Understand Your Platform - Android
     Two Android apps, distinct sandboxes
     Two Android apps, shared sandbox
  9. Understand Your Platform - BlackBerry
     • QNX microkernel
     • Allocates virtual memory to each process
     • Process manager functions like a traffic cop
     • Need to explicitly grant data access to each app
     Image from http://crackberry.com/history-qnx-and-it%E2%80%99s-implementation-blackberry-10
  10. Understand Your Platform - Windows
     • Security provided by Windows 7
     • Surface Shell manages apps, windows, orientation, and user sessions
     • Surface and Windows Integration handles critical failures
     Image from http://msdn.microsoft.com/en-us/library/ff727809.aspx
  11. Three Key Security Checks
     • Source Code Security Reviews
       – Manual Reviews
       – Reverse Binaries
     • Security Tests in QA
       – Positive AND Negative Test Cases
     • Analysis of “Deployed” Apps
       – Automated Scans
       – Manual Analysis
  12. Source Code Reviews (OWASP)
     • Methodology (v1.1, current)
       – Preparation
       – Security Code Review in the SDLC
       – Security Code Review Coverage
       – Application Threat Modeling
       – Code Review Metrics
     • Methodology (v2.0, due in January 2014)
       – Preparation
       – Application Threat Modeling
       – Understanding Code Layout/Design/Architecture
       – Reviewing by Technical Control
       – Reviewing by Vulnerability
       – Security Code Review for Agile Development
  13. The SQA Process
     • Initiation
     • Planning
     • Tracking
     • Training
     • Reviews
     • Issue Resolution
     • Testing
     • Audit
     • Process Improvement
     List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
  14. Test Cases
     • Positive AND Negative
     • Top 10 Negative Test Cases
       – Embedded Single Quote
       – Required Data Entry
       – Field Type Test
       – Field Size Test
       – Numeric Bounds Test
       – Numeric Limits Test
       – Date Bounds Test
       – Date Validity
       – Web Session Testing
       – Performance Changes
     List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
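The slide lists the negative test cases by name only. The following is an added example (not part of the presentation) of what a unit-level negative test harness for an input validator looks like: a hypothetical three-field form (field names, ranges and limits are assumptions made for this example) is validated, and one constructed input per negative case checks that the validator rejects it gracefully rather than accepting it or raising. The two cases that need a running application (Web Session Testing, Performance Changes) are left out.

```python
import datetime
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed schema for a hypothetical account-update form; names, ranges and
# limits are assumptions for this example, not anything from the slides.
@dataclass(frozen=True)
class Field:
    name: str
    kind: str                       # "int", "str" or "date"
    required: bool = True
    min_value: Optional[int] = None
    max_value: Optional[int] = None
    max_len: Optional[int] = None
    min_date: Optional[datetime.date] = None
    max_date: Optional[datetime.date] = None

SCHEMA = [
    Field("account_id", "int", min_value=1, max_value=999_999),
    Field("note", "str", required=False, max_len=64),
    Field("dob", "date", min_date=datetime.date(1900, 1, 1),
          max_date=datetime.date(2013, 12, 31)),
]

INT_RE = re.compile(r"-?\d+")   # whole-string match enforced with fullmatch()

def validate(form: Dict[str, str]) -> List[str]:
    """Return the list of validation errors; an empty list means the form is accepted.
    Values are strings, as they arrive from an HTTP form or JSON body."""
    errors = []
    for f in SCHEMA:
        raw = form.get(f.name)
        if raw is None or raw == "":
            if f.required:
                errors.append(f"{f.name}: required")             # Required Data Entry
            continue
        if f.kind == "int":
            if not INT_RE.fullmatch(raw):
                errors.append(f"{f.name}: not an integer")       # Field Type Test
                continue
            n = int(raw)   # Python ints do not overflow, so the bounds check
            if n < f.min_value or n > f.max_value:               # also covers Numeric Limits
                errors.append(f"{f.name}: out of bounds")        # Numeric Bounds Test
        elif f.kind == "str":
            if len(raw) > f.max_len:
                errors.append(f"{f.name}: too long")             # Field Size Test
            if "'" in raw:
                # Embedded Single Quote: parameterised queries are the real fix;
                # rejecting the character here is defence in depth for the demo.
                errors.append(f"{f.name}: quote character not allowed")
        elif f.kind == "date":
            try:
                d = datetime.date.fromisoformat(raw)
            except ValueError:
                errors.append(f"{f.name}: invalid date")         # Date Validity
                continue
            if d < f.min_date or d > f.max_date:
                errors.append(f"{f.name}: date out of bounds")   # Date Bounds Test
    return errors

VALID = {"account_id": "1234", "note": "routine update", "dob": "1985-07-04"}

# One constructed input per negative test case from the slide's list.
NEGATIVE_CASES = {
    "Embedded Single Quote": {**VALID, "note": "O'Brien"},
    "Required Data Entry":   {k: v for k, v in VALID.items() if k != "account_id"},
    "Field Type Test":       {**VALID, "account_id": "12abc"},
    "Field Size Test":       {**VALID, "note": "x" * 65},
    "Numeric Bounds Test":   {**VALID, "account_id": "0"},
    "Numeric Limits Test":   {**VALID, "account_id": "99999999999999999999"},
    "Date Bounds Test":      {**VALID, "dob": "1899-12-31"},
    "Date Validity":         {**VALID, "dob": "2013-02-30"},
}

def run_negative_tests() -> Dict[str, str]:
    """Outcome per case: 'rejected' (handled gracefully, the expected result),
    'accepted' (a validation gap) or 'crashed' (an unhandled exception)."""
    outcomes = {}
    for name, form in NEGATIVE_CASES.items():
        try:
            outcomes[name] = "rejected" if validate(form) else "accepted"
        except Exception:
            outcomes[name] = "crashed"
    return outcomes

if __name__ == "__main__":
    for name, outcome in run_negative_tests().items():
        print(f"{name:24s} {outcome}")
```

The harness distinguishes "accepted" from "crashed" deliberately: in QA the second outcome is the more serious one, because an unhandled exception on malformed input is usually what an attacker probes for first.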
  15. Application Analysis
     • Automated scanning tools and manual analysis
     • OWASP Testing Guide (v3)
       – Information Gathering
       – Configuration Management Testing
       – Authentication Testing
       – Session Management Testing
       – Authorization Testing
       – Business Logic Testing
       – Data Validation Testing
       – Testing for Denial of Service
       – Web Services Testing
       – AJAX Testing
     • Version 4 in development (some material available)
  16. MOBILE APPS FROM AN ATTACKER’S POV
  17. There’s Gold in Them There Hills…
     From Blue Coat Systems 2013 Mobile Malware Report
  18. OWASP Top 10 Mobile Risks
     Image from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
  19. Data at Rest - Deconstructing .ipa Files
     • Download from app store
       – Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes Media/Mobile Applications/
       – Mac OS X 10.6: ~/Music/iTunes/Mobile Applications/
       – Windows 7: C:\Users\Username\My Music\iTunes\iTunes Media\Mobile Applications
     • Extract app to folder using 7-zip
     • Manually examine the files using Notepad++ or prgrep
     • Look for sensitive info (integration points)
       – Connection strings
       – Calls to Internet-facing web services
       – Calls to other local resources
  20. Advanced App Analysis - iOS
     • otool (run on binary, get size of encrypted payload)
       – https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/otool.1.html
     • gdb (dump payload and payload size)
       – https://www.gnu.org/software/gdb/
     • ldid (sign new binary)
       – http://gitweb.saurik.com/ldid.git
     • IDA Pro with objc-helper
       – https://www.hex-rays.com/products/ida/support/download.shtml
       – https://code.google.com/p/zynamics/source/checkout?repo=objc-helper
     • Class Dump
       – http://cydia.saurik.com/info/class-dump/
     • Theos
       – http://iphonedevwiki.net/index.php/Theos
  21. Data at Rest - Deconstructing .apk Files
     • Download from app store
       – Copy .apk file from rooted Android device to laptop via USB cable
       – Send .apk file from non-rooted Android device to Dropbox via APK Extractor
       – Alternately, you can download some .apk files from .apk archive sites
     • Extract app to folder using 7-zip
     • Manually examine the files using Notepad++ or prgrep
     • Look for sensitive info (integration points)
       – Connection strings
       – Calls to Internet-facing web services
       – Calls to other local resources
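Slides 19 and 21 describe the same manual step for .ipa and .apk bundles: unpack the archive and read through the files looking for connection strings and web-service endpoints. The block below is an added example, not code from the presentation, that automates that first pass in the way `strings` plus a search would: it walks every member of a zip-based bundle (both formats are zip files) and reports URLs, connection strings and credential-like assignments, scanning binaries byte-wise as well as text. The archive it scans is constructed inline as a stand-in for a real bundle; member names and contents are assumptions. Binary plists, Android's binary manifest and App Store-encrypted executables will not yield readable strings this way, so treat hits as a starting point for the manual review rather than a complete inventory.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Indicators of integration points that should be reviewed before release.
# Patterns are bytes so that binaries are scanned the way `strings` would.
PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    "connection string": re.compile(
        rb"(?i)(?:jdbc:[a-z]+://|Server=|Data Source=|mongodb://)[^\"'\r\n\x00]+"),
    "credential": re.compile(
        rb"(?i)(?:api[_-]?key|password|secret)\s*[=:]\s*[\"']?[^\s\"';\x00]+"),
}

def scan_archive(data: bytes) -> List[Tuple[str, str, str]]:
    """Walk every member of a zip-based bundle (.ipa/.apk) and return
    (member path, indicator type, matched text) for each hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            for label, pattern in PATTERNS.items():
                for m in pattern.finditer(content):
                    findings.append((info.filename, label,
                                     m.group(0).decode("utf-8", "replace")))
    return findings

def build_sample_archive() -> bytes:
    """Constructed stand-in for an app bundle; no real app is involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist",
                    "<plist><dict><key>CFBundleIdentifier</key>"
                    "<string>com.example.demo</string></dict></plist>")
        zf.writestr("Payload/Demo.app/config.json",
                    '{"api": "https://api.example.com/v1/", '
                    '"db": "Server=db.example.internal;User Id=app;Password=hunter2"}')
        # Arbitrary binary bytes around an embedded string, as found in executables.
        zf.writestr("Payload/Demo.app/Demo",
                    b"\xcf\xfa\xed\xfe\x00\x00api_key=EXAMPLE-KEY-0000\x00\xff\xfe")
        zf.writestr("Payload/Demo.app/Assets.car", bytes(32))
    return buf.getvalue()

if __name__ == "__main__":
    for member, label, text in scan_archive(build_sample_archive()):
        print(f"{member:32s} {label:18s} {text}")
```

To run it against a real bundle, pass the bytes of the .ipa or .apk file to `scan_archive`. Hits inside the executable itself are the ones to look at first: a URL or key there ships to every user and cannot be rotated without a new release.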
  22. Advanced App Analysis - Android
     • APKTool
       – https://code.google.com/p/android-apktool/
     • dex2jar
       – https://code.google.com/p/dex2jar/
     • Smali
       – https://code.google.com/p/smali/
     • androguard
       – https://code.google.com/p/androguard/
     • APKManager
       – http://xdafileserver.nl/index.php?dir=Samsung%2FGalaxy+S+III%2FCUSTOM+ROMS%2Fwanamlite%2FApkManager%2FV6.1
     • Obfuscate your code with ProGuard and DexGuard
       – http://proguard.sourceforge.net/
       – ProGuard is included in the Android SDK; DexGuard is not
  23. Data in Motion - Monitoring App Traffic
     • Plug laptop into wired network connection
     • Create an ad hoc wireless network on laptop
     • Connect mobile device to ad hoc wireless network
     • Start Wireshark on laptop
       – Capture ALL packets between mobile device and server
     • Use mobile device as a normal end user
     • Analyze Wireshark traffic
       – Unencrypted credentials
       – Unencrypted account information
       – Connection strings to servers (including third parties)
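The last step of slide 23, reviewing the capture for unencrypted credentials and for the servers the app talks to, is the part worth automating when the same app is retested each release. The block below is an added example, not part of the presentation: it takes the client-to-server payloads of a few TCP streams (constructed inline to stand in for what Wireshark's "Follow TCP Stream" shows; the hosts and documentation-range addresses are assumptions), parses the ones that are readable HTTP, flags HTTP Basic headers and password fields sent in the clear, and separates first-party hosts from third parties. Streams that are not readable (the TLS one) are counted rather than inspected, which is the outcome a defender wants for every stream.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample of four client-to-server streams; addresses are from
# documentation ranges and the hosts are invented for this example.
SAMPLE_STREAMS = [
    {"dst": "203.0.113.10", "dst_port": 80,
     "payload": (b"POST /api/login HTTP/1.1\r\nHost: api.example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"username=alice&password=Summer2013")},
    {"dst": "203.0.113.10", "dst_port": 80,
     "payload": (b"GET /v1/profile HTTP/1.1\r\nHost: api.example.com\r\n"
                 b"Authorization: Basic YWxpY2U6U3VtbWVyMjAxMw==\r\n\r\n")},
    {"dst": "198.51.100.7", "dst_port": 80,
     "payload": (b"GET /collect?app=demo&device=abc123 HTTP/1.1\r\n"
                 b"Host: analytics.third-party.example\r\n\r\n")},
    # TLS ClientHello: opaque on the wire, which is the desired state.
    {"dst": "203.0.113.12", "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

FIRST_PARTY_DOMAINS = {"example.com"}      # assumption: the app's own domains
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
PASSWORD_KEYS = {"password", "passwd", "pwd", "pin"}

def parse_http_request(payload: bytes) -> Optional[Dict[str, object]]:
    """Minimal HTTP/1.x request parser; returns None for anything else (binary, TLS)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"request_line": lines[0].decode("latin-1"), "headers": headers, "body": body}

def is_first_party(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)

def analyze_streams(streams: List[Dict[str, object]]) -> Dict[str, object]:
    """Summarise a capture: cleartext credentials, hosts contacted, third parties,
    and how many streams were not readable (encrypted, as they should be)."""
    findings, hosts, opaque = [], set(), 0
    for s in streams:
        req = parse_http_request(s["payload"])
        if req is None:
            opaque += 1
            continue
        headers = req["headers"]
        host = headers.get("host", s["dst"])
        hosts.add(host)
        if headers.get("authorization", "").startswith("Basic "):
            findings.append((host, "HTTP Basic credentials sent without TLS"))
        if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
            fields = parse_qs(req["body"].decode("latin-1"))
            if PASSWORD_KEYS & set(fields):
                findings.append((host, "password field in unencrypted form body"))
    return {
        "cleartext_credentials": findings,
        "hosts": sorted(hosts),
        "third_party_hosts": sorted(h for h in hosts if not is_first_party(h)),
        "opaque_streams": opaque,
    }

if __name__ == "__main__":
    for key, value in analyze_streams(SAMPLE_STREAMS).items():
        print(f"{key}: {value}")
```

Feeding a real capture into `analyze_streams` means exporting the TCP stream payloads from Wireshark (or tshark) first; the parser is intentionally narrow, so anything it cannot read is reported as opaque rather than silently skipped, and a rising opaque count from one release to the next is the trend you want to see.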
  24. DEFENSIVE TOOLS & TECHNIQUES
  25. Developer Training
     • OWASP Resources
       – Top 10 Application Security Risks
       – Top 10 Mobile Security Risks
       – WebGoat Project (Java)
       – Mutillidae (PHP)
       – Bricks (PHP and MySQL)
     • SANS Courses
       – SEC542: Web App Penetration Testing and Ethical Hacking
       – DEV522: Defending Web Applications Security Essentials
       – DEV541: Secure Coding in Java/JEE
       – DEV544: Secure Coding in .NET
     • Web Application Security Consortium
       – Web Security Articles
       – Web Security Glossary
       – Web Hacking Incidents Database (WHID)
       – WASC Threat Classification v2
  26. Code Obfuscation Techniques
     • Implement anti-debug techniques
       – Limit runtime manipulation
       – Write critical portions of code in low-level C
     • Restrict debuggers
       – Tell the OS to prohibit debuggers from attaching to process
       – Android apps: android:debuggable="false" in manifest
     • Trace checking
       – When trace detected, take defensive action
     • Optimizations
       – Hide complex logic with built-in compiler optimizations
     • Stripping binaries
       – Strips the symbol table
     List from https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/code-complexity-obfuscation/
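The Android item on slide 26 is a single manifest attribute, and the useful check is the one that runs in a build pipeline: does the manifest that ships set `android:debuggable` to true? The following is an added example, not code from the presentation, that inspects a decoded AndroidManifest.xml (the text form APKTool produces; a packaged APK holds the manifest in binary XML, which must be decoded first) and also rewrites it with the flag set to false. The sample manifest is constructed for the example; the package name and activity are assumptions. An absent attribute is reported as such rather than as a failure, because the build tools then decide the value and release builds default to false.

```python
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"
ET.register_namespace("android", ANDROID_NS)   # keep the android: prefix on output

# Constructed decoded manifest with the weak setting present.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <application android:label="Demo" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Same manifest with the attribute left out entirely.
NO_FLAG_MANIFEST = SAMPLE_MANIFEST.replace(' android:debuggable="true"', "")

def _application(root: ET.Element) -> ET.Element:
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app

def check_debuggable(manifest_xml: str) -> Dict[str, object]:
    """Report the explicit android:debuggable value (None if absent) and whether
    the manifest passes: only an explicit "true" fails."""
    value = _application(ET.fromstring(manifest_xml)).get(DEBUGGABLE)
    return {"debuggable": value, "ok": value != "true"}

def harden_manifest(manifest_xml: str) -> str:
    """Return the manifest with android:debuggable explicitly set to "false"."""
    root = ET.fromstring(manifest_xml)
    _application(root).set(DEBUGGABLE, "false")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", check_debuggable(SAMPLE_MANIFEST))
    hardened = harden_manifest(SAMPLE_MANIFEST)
    print("after: ", check_debuggable(hardened))
    print(hardened)
```

Running `check_debuggable` over the decoded manifest of each release candidate, and failing the build when `ok` is false, catches the common mistake of shipping a debug build type; the rewrite function is there for the case where the manifest is edited by hand rather than generated by the build.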
  27. Santoku Linux
     • Sponsored by viaForensics
     • ‘Three uses’
       – Mobile Forensics
         • Firmware flashing tools
         • Imaging tools
         • Forensics tools (free + commercial)
       – Mobile Malware Analysis
         • Mobile device emulators
         • Network service simulators
         • Decompilation and disassembly tools
         • Access to malware databases
       – Mobile Security Testing
         • Decompilation and disassembly tools
         • Customized app analysis scripts
  28. MobiSec Linux
     • More robust than Santoku
     • Includes BlackBerry tools
     • Includes emulators and simulators
     • Includes links to mobile infrastructure tools
       – BES Express
       – Google Mobile Management
       – iPhone Configuration Tool
     • Includes Smartphone Pentest Framework (SPF)
  29. Windows App Security Tools
     • Microsoft SDL Threat Modeling Tool
     • FxCop
       – Static analyzer
     • BinScope
       – Binary analyzer
     • MiniFuzz File Fuzzer
       – Analyzes file-handling code
     • Banned.h
       – Header file
       – Remove banned functions from code
     All five (5) tools can be downloaded from http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402533(v=vs.105).aspx
  30. iOS AppSec Cheat Sheet
     Image from https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
  31. RESOURCES
  32. Resources - General
     • Secure Mobile Development: 42+ Best Practices for Secure iOS and Android Development
       – https://viaforensics.com/mobile-security/secure-mobile-development-42-practices-secure-ios-android-development.html
     • Secure Mobile Application Development Reference
       – http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf
     • Developing Secure Mobile Applications
       – http://www.slideshare.net/denimgroup/developing-secure-mobile-applications-17732256
     • Security Assessment of BlackBerry Applications
       – http://resources.infosecinstitute.com/security-assessment-of-blackberry-applications/
     • Mobile App Security Code Reviews
       – http://www.slideshare.net/denimgroup/mobile-application-security-code-reviews
     • OWASP Advanced Mobile Application Code Review Techniques
       – https://www.owasp.org/index.php/File:OWASP_Advanced_Mobile_Application_Code_Review_Techniques.pptx
     • Santoku Linux
       – https://santoku-linux.com/
     • MobiSec Linux
       – http://mobisec.secureideas.net/
  33. Resources - Android
     • Understanding Android’s Security Framework (Tutorial)
       – http://siis.cse.psu.edu/android_sec_tutorial.html
     • Android Developer Security Tips
       – http://developer.android.com/training/articles/security-tips.html
     • Understanding Security on Android
       – http://www.ibm.com/developerworks/library/x-androidsecurity/
     • Creating Secure (BlackBerry) Apps
       – http://developer.blackberry.com/bbos/java/documentation/security_overview_1981777_11.html
     • BlackBerry 10 Security Considerations
       – http://developer.blackberry.com/native/documentation/cascades/best_practices/security/
  34. Resources - Windows
     • Security for Windows Phone (includes tool links)
       – http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402533(v=vs.105).aspx
     • WebBrowser control security best practices for Windows Phone
       – http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff462081(v=vs.105).aspx
     • Web service security for Windows Phone
       – http://msdn.microsoft.com/en-us/library/windowsphone/develop/gg521147(v=vs.105).aspx
     • How to encrypt data in a Windows Phone app
       – http://msdn.microsoft.com/en-us/library/windowsphone/develop/hh487164(v=vs.105).aspx
     • Data for Windows Phone
       – http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402541(v=vs.105).aspx
     • Hardening Windows 8 Apps for the Windows Store
       – http://www.youtube.com/watch?v=5pxfy5GyQ5g
  35. Resources - iOS
     • iOS Application Security tutorial series (pen testing)
       – http://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/
     • iOS Introduction to Secure Coding Guide
       – https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html#//apple_ref/doc/uid/TP40002415
     • iOS App Sandboxing
       – https://developer.apple.com/app-sandboxing/
     • Reverse Engineering an iOS Application
       – http://dinezhshetty.blogspot.com/2013/01/reverse-engineering-ios-application.html
     • iOS Applications Reverse Engineering
       – http://media.hackinglab.com/scs3/scs3_pdf/SCS3_2011_Bachmann.pdf
     • Secure Development on iOS
       – https://www.isecpartners.com/media/12985/secure_development_on_ios.pdf
  36. Contact Info
     Jerod Brennen, CISSP
     CTO & Principal Security Consultant, Jacadis
     LinkedIn: http://www.linkedin.com/in/slandail
     Twitter: https://twitter.com/slandail
     http://www.jacadis.com/
     contact@jacadis.com
