Passwords On A Phone - Code Camp


Slides for a talk given at Silicon Valley Code Camp on Oct 8, 2017
Speaker: Sam Bowne

Published in: Education
Passwords On A Phone - Code Camp

  1. Passwords on a Phone. Silicon Valley Code Camp, Oct 8, 2017
  2. Me • Sam Bowne • Twitter: @sambowne • Instructor at City College San Francisco • All materials freely available at samsclass.info
  3. Persistent Login • Users remain logged in even after shutting off their phone • How does the app remember who you are?
  4. Target == GOOD
  5. Target AU Android App
  6. User Login
  7. Server Response: a random number, stored in a cookie. THIS IS THE RIGHT WAY
  8. Staples == BAD
  9. Tested in Jan 2017
  10. Locally Stored Password • Right away this shows a problem • WHY store the password? <string name="encryptedPassword">CT9SVzhhRaufBzCvmwENWQ==</string>
  11. Ways to keep a user logged in, best to worst: 1. Best way: Don't. Use a cookie. 2. Use Android KeyChain. 3. Encrypt with a public key • Private key is kept secret on a server. 4. Encrypt with a private key • Private key is "hidden" on the phone (under the mat). 5. Store data unencrypted on the phone.
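The "right way" of slide 7 and option 1 of slide 11, worked through as an added example (not code from the talk or from any of the apps it examines): after one password check the server hands the app a random session token; the app stores only that token, the server stores only a hash of it, and the password is never written to the phone. The in-memory session table, the 30-day lifetime and the function names are assumptions made for the example.

```python
"""Persistent login with a random session token instead of a stored password.

Added example (not from the talk): the "right way" from slide 7 and option 1
on slide 11. After one password check the server issues a random token; the
client keeps only that token (e.g. in a cookie), the server keeps only its
hash. The in-memory store, lifetime and function names are assumptions.
"""
import hashlib
import secrets
import time

# Constructed in-memory session table: sha256(token) -> (username, expiry).
SESSIONS = {}
SESSION_LIFETIME = 30 * 24 * 3600  # 30 days; a value chosen for the example


def _token_hash(token: str) -> str:
    # Store a hash, not the token: a copied session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session_token(username: str, now: float = None) -> str:
    """Call once, after the password has been verified. Returns the opaque
    token the app stores; the password itself is never written anywhere."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[_token_hash(token)] = (username, now + SESSION_LIFETIME)
    return token


def lookup_session(token: str, now: float = None):
    """Return the username for a live token, or None. Expired entries are
    dropped on sight so the table does not keep stale secrets around."""
    now = time.time() if now is None else now
    key = _token_hash(token)
    record = SESSIONS.get(key)
    if record is None:
        return None
    username, expiry = record
    if now >= expiry:
        del SESSIONS[key]
        return None
    return username


def revoke_session(token: str) -> bool:
    """Server-side logout: works even when the phone is lost, which a
    password stored on the phone can never offer."""
    return SESSIONS.pop(_token_hash(token), None) is not None


if __name__ == "__main__":
    tok = issue_session_token("alice")
    print("client stores:", tok)
    print("server stores:", next(iter(SESSIONS)))
    print("lookup ->", lookup_session(tok))
```

Nothing in this flow is reversible: a dump of the phone yields a token that can be revoked server-side, and a dump of the server yields hashes that cannot be presented as tokens.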
  12. Special Password • aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA123 • 32 identical characters at beginning <string name="encryptedPassword">5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx</string>
  13. Decode (Python 2 session) >>> p = '5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx' >>> p.decode("base64").encode("hex") 'e55fee3a48cafcfc676fcca8ece757cee55fee3a48cafcfc676fcca8ece757ce02872b79945bfd2c3a575e626af5f531' Split into 16-byte blocks: e55fee3a48cafcfc676fcca8ece757ce e55fee3a48cafcfc676fcca8ece757ce 02872b79945bfd2c3a575e626af5f531 (the first two blocks are identical)
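The check behind slides 12 and 13, written out as an added example (not code from the talk): the test password starts with 32 identical bytes, and the decoded blob contains two identical 16-byte blocks. Equal plaintext blocks producing equal ciphertext blocks is the signature of a block cipher in ECB mode, which leaks plaintext structure and tells a reviewer the stored value is a reversible encryption of the password rather than a random token. The blob is the one on slide 12 (line wrap removed); the control blob and the function names are constructed for the example. The routine is general: any block size can be passed, and a blob whose length is not a multiple of the block size is reported as not testable rather than as safe.

```python
"""Spotting ECB mode in a stored credential blob (slides 12-13).

Added example, not from the talk. With a test password whose first 32 bytes
are identical (slide 12), two identical 16-byte ciphertext blocks mean equal
plaintext blocks map to equal ciphertext blocks: a block cipher in ECB mode,
which leaks plaintext structure and shows the value is reversible on-device.
The blob is the one on slide 12; function names are assumptions.
"""
import base64
from collections import Counter

# The encryptedPassword value from slide 12 (line wrap removed).
STAPLES_BLOB = "5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx"

# Constructed control: 48 distinct bytes, so no 16-byte block can repeat.
DISTINCT_BLOCKS_BLOB = base64.b64encode(bytes(range(48))).decode()


def canary_password(block_size: int = 16, tail: str = "A123") -> str:
    """Test password in the shape used on slide 12: two full blocks of one
    byte, then a tail so the last block differs and padding is visible."""
    return "a" * (2 * block_size) + tail


def split_blocks(data: bytes, block_size: int = 16):
    """Cut a byte string into consecutive blocks of block_size bytes."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def repeated_blocks(b64_blob: str, block_size: int = 16) -> dict:
    """Map hex(block) -> count for every ciphertext block seen more than once."""
    raw = base64.b64decode(b64_blob)
    counts = Counter(split_blocks(raw, block_size))
    return {block.hex(): n for block, n in counts.items() if n > 1}


def looks_like_ecb(b64_blob: str, block_size: int = 16) -> bool:
    """True when the blob is a whole number of blocks and a block repeats.
    A length that is not a multiple of the block size points to a stream
    cipher or a different block size, so this test does not apply."""
    raw = base64.b64decode(b64_blob)
    if len(raw) == 0 or len(raw) % block_size:
        return False
    return bool(repeated_blocks(b64_blob, block_size))


if __name__ == "__main__":
    for i, block in enumerate(split_blocks(base64.b64decode(STAPLES_BLOB))):
        print(i, block.hex())
    print("repeated:", repeated_blocks(STAPLES_BLOB))
    print("ECB?", looks_like_ecb(STAPLES_BLOB))
```

The 36-character password comes back as 48 bytes, three whole blocks, which is what padding a 36-byte plaintext to a 16-byte block size produces; the third block holds the "A123" tail plus padding, which is why only the first two repeat.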
  14. Read Smali Code
  15. Constructing the Key
  16. Final Key
  17. Encryption Test
  18. Notification • Notified Jan 2, 2017 • Automated response said it would be fixed • No response to follow-up email • April 13 -- Staples became homework
  19. Notification • Fixed by May 9, 2017
  20. Plaintext Password Storage
  21. Plaintext Login
  22. Broken SSL
  23. A Feature, Not a Bug
  24. Password Stored with Reversible Encryption
  25. Home Depot: locally stored password is encrypted
  26. Unpack APK
  27. Salt -> Key
  28. Complete Decryption
  29. Kroger
  30. Kroger
  31. Safeway
  32. Safeway
  33. Walgreens
  34. Walgreens
  35. Multiple Vulnerabilities
  36. Fixed
  37. SSLstrip
  38. sslstrip Proxy: changes HTTPS to HTTP. [Diagram: Target (using Facebook) <-HTTP-> Attacker: sslstrip proxy in the middle <-HTTPS-> Internet]
  39. sslstrip Vulnerability • If you go directly to an HTTPS URL, you are not vulnerable • But many sites use a 302 redirect from HTTP to HTTPS, rendering them vulnerable
  40. Dork for sslstrip Vulnerability
  41. HTTP 301 Redirect
  42. Stealing Password
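The exposure described on slides 38 to 41, turned into a check a site owner can run, as an added example that is not part of the talk. A 301 or 302 from http:// to https:// means the browser's first request for the site is plaintext, which is the hop an sslstrip proxy rewrites; whether the redirect is a 301 or a 302 makes no difference to that. The standard defence is the Strict-Transport-Security (HSTS) header on the HTTPS response, after which the browser goes straight to HTTPS on later visits. One caveat a practitioner should know: browsers ignore an HSTS header received over plain HTTP (RFC 6797), so the code below reads it from the HTTPS response, not from the redirect. The sample responses, host name and function names are constructed for the example.

```python
"""Assessing a site's HTTP entry point for sslstrip exposure (slides 38-41).

Added example, not from the talk. A 301 or 302 from http:// to https:// means
the browser's first request is plaintext, the hop sslstrip rewrites. The
defence is Strict-Transport-Security (HSTS) on the HTTPS response, which makes
the browser skip that hop on later visits. Browsers ignore HSTS received over
plain HTTP (RFC 6797), so the header is read from the HTTPS response.
Sample responses below are constructed, not captured from any real site.
"""
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses.
HTTP_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://shop.example/login\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTP_SERVES_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<form method=post action=/login>...</form>"
)
HTTPS_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"


def parse_response(raw: str):
    """Return (status_code, {lower-case header name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(headers) -> int:
    """max-age from an HSTS header; 0 when the header is absent or malformed."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def assess(http_response: str, https_response: str) -> dict:
    """Combine the plain-HTTP response and the HTTPS response into a verdict."""
    status, http_headers = parse_response(http_response)
    _, https_headers = parse_response(https_response)
    location = http_headers.get("location", "").lower()
    redirects_to_https = status in REDIRECT_CODES and location.startswith("https://")
    max_age = hsts_max_age(https_headers)

    if redirects_to_https and max_age > 0:
        exposure = "first-visit-only"  # later visits skip the plaintext hop
    else:
        exposure = "every-visit"       # every http:// request can be stripped
    return {
        "http_status": status,
        "redirects_to_https": redirects_to_https,
        "hsts_max_age": max_age,
        "exposure": exposure,
    }


if __name__ == "__main__":
    print(assess(HTTP_REDIRECT, HTTPS_NO_HSTS))
    print(assess(HTTP_REDIRECT, HTTPS_WITH_HSTS))
```

"first-visit-only" is the best a redirect-plus-HSTS setup can reach on its own, because the very first plaintext request happens before the browser has seen the header; closing that window is what the HSTS preload list is for.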
