Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Savage Curtain: Mobile SSL Failures

3,991 views

Published on

This is a recap of the presentation we gave at BSides Las Vegas 2014 and DefCon 22 as part of the Wall of Sheep Presentations. The purpose of this presentation was to underscore common SSL implementation failures in mobile applications, how to avoid them and show how SSL Session Caching can be abused, particularly on Android, to create persistent and nearly undetectable MitM conditions.

Published in: Mobile
  • Be the first to comment

The Savage Curtain: Mobile SSL Failures

  1. 1. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth levelThe Savage Curtain:The Savage Curtain: Mobile SSL FailuresMobile SSL Failures
  2. 2. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Who are these guys? Tony Trummer - Staff Security Engineer aka “SecBro” Tushar Dalvi - Sr. Security Engineer & Pool Hustler
  3. 3. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Our employer generally does not have prior knowledge of, condone, support or otherwise endorse our research A Private Little War
  4. 4. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Menagerie { Apps are mash-ups of native and web code { Java, Objective C, Swift, etc. { Developers control SSL/TLS security settings
  5. 5. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Basics TLS provides several security features { Encryption { Authenticity { Integrity In apps, unlike browsers, whether you see a certificate warning is up to the app developer.
  6. 6. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Wolf in the Fold { TLS is really the ONLY protection against Man-in-the middle (MitM) attacks { MitM is significantly easier to perform against mobile devices
  7. 7. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Tomorrow Is Yesterday Before dismissing the idea of large- scale or supply-chain attacks... { Recent reports of pre-installed trojans on low-end Android devices { In 2013, Nokia was found to be performing MitM on customer traffic, reportedly for performance reasons { In 2013, reports surfaced claiming that the NSA and GCHQ (“Flying Pig”) were actually performing real-world MitM attacks
  8. 8. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Immunity Syndrome Infosec folks often roll their eyes when they read statements on sites or in apps that tout TLS use and how big their keys are
  9. 9. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Journey to Babel One night, after a few drinks, we decided to test some apps, starting with proxying their web requests
  10. 10. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Into Darkness
  11. 11. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level First aspect of certificate validation The app or OS must verify the certificate is cryptographically signed by the private key of a trusted Certificate Authority
  12. 12. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Proper certificate validation Certificate is signed by the private key of a trusted CA?Certificate is signed by the private key of a trusted CA? Is this an intermediate certificate?Is this an intermediate certificate? Trusted Root CATrusted Root CA
  13. 13. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Forget Something? Tony Tushar
  14. 14. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level A Piece of the Action
  15. 15. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level A Taste of Armageddon
  16. 16. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Trouble with Tribbles
  17. 17. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Trouble with Tribbles
  18. 18. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Testing for CA validation { Configure device to use proxy { Configure BurpSuite's proxy listener to “Generate a CA-signed per-host certificate” { DO NOT install the proxy's CA certificate on the test device { Verify you see a certificate warning in the native mobile browser { Step through each section of the app { If you see HTTPS traffic, in Burpsuite, the app failed
  19. 19. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Second aspect of validation Does the Subject Common or Alternative name match the hostname of the site you're visiting?
  20. 20. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Proper certificate validation Does the Common or Subject Alternative Name Match the hostname?Does the Common or Subject Alternative Name Match the hostname? Traces back to Trusted Root CATraces back to Trusted Root CA
  21. 21. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level By any other name
  22. 22. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level By any other name
  23. 23. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
  24. 24. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Apple
  25. 25. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level And the Children Shall Lead
  26. 26. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Amok Time
  27. 27. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level By any other name
  28. 28. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level By any other name
  29. 29. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Testing for proper hostname validation { Install Portswigger CA cert on device { Configure your device to use a proxy { Configure proxy listener to “Generate a CA- signed certificate with a specific hostname” { Set the hostname to foobar.com { Verify you see a certificate warning in the native mobile browser { Step through each section of the mobile app { If you see HTTPS traffic, the app failed
  30. 30. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Proper certificate validation Does the Common or Subject Alternative Name Match the DNS hostname?Does the Common or Subject Alternative Name Match the DNS hostname? Not expired? Not revoked?Not expired? Not revoked? Traces back to Trusted Root CATraces back to Trusted Root CA
  31. 31. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Damn it, Jim!
  32. 32. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Naked Time { Credit card numbers, passwords, and/or session cookies
  33. 33. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Dagger of the mind { Unencrypted credit card information { Tier 1 PCI merchant { 10 million+ installations
  34. 34. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Court Martial FTC vs. Fandango & Credit Karma { One of the major flaws cited in the suit was failure to validate SSL certificates on mobile applications { Agreed to “establish comprehensive security programs” { Agreed to “undergo independent security assessments every other year for 20 years” { Scolded publicly for not keeping “their privacy promises to consumers”
  35. 35. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
  36. 36. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level SSL session caching { During the initial handshake the certificate is validated { Subsequent client requests re-use the previous handshake and do not re-validate the certificate { TOFU (Trust On First Use)
  37. 37. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The Enemy Within How would a bad guy get my phone? Why is it more likely on mobile?
  38. 38. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Patterns of Force If I have physical access, couldn't I just... { Install malicious app { Access your data
  39. 39. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Turnabout Intruder Since SSL session caching only checks the certificate once, you only need it on the device for as long it takes you to make the first connection, after which you can delete it
  40. 40. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level The City on the Edge of Forever { Server decides how long to accept the cached session { In other words, the bad guy gets to decide how long to accept the cached session... { We refer to this feature as “EverPWN”
  41. 41. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
  42. 42. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Shields Up! { Review your code { Implement policy { Test pre-release { Train developers
  43. 43. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Shields Up! In Android, investigate these: { TrustManager { SSLSocket { SSLSocketFactory getInsecure { HostNameVerifier In iOS, investigate these areas: { Don't use AFNetworking < v. 2.5.3 { _AFNETWORKING_ALLOW _INVALID_SSL_CERTIFICATES_ { SetAllowsAnyHTTPSCertificate { kCFStreamSSLAllowsAnyRoot
  44. 44. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Shields Up! { Certificate Pinning { Dev and prod signing certificates are required to be different in both iOS and Android { Build validation models based on which certificate is used to sign the app
  45. 45. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Live Long and Prosper Contact and testing instructions: http://www.secbro.com Tony Trummer: http://www.linkedin.com/in/tonytrummer @SecBro1 Tushar Dalvi: http://www.linkedin.com/in/tdalvi @TusharDalvi R.I.P Reggie Destin

×