SlideShare a Scribd company logo

Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston
Tom Eston

Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization. This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.

Technology
1 of 60
Download to read offline
Mobile Vulnerability and Exploitation John Sawyer – InGuardians Tom Eston – SecureState Kevin Johnson – Secure Ideas
John Sawyer  InGuardians, Inc. - Senior Security Analyst  DarkReading.com - Author/Blogger  1@stplace - Retired CTF packet monkey  Winners DEFCON 14 & 15  Avid Mountain Biker… in Florida.
Tom Eston  Manager, SecureState Profiling & Penetration Team  Blogger – SpyLogic.net  Infrequent Podcaster – Security Justice/Social Media Security  Zombie aficionado  I like to break new technology
Kevin Johnson  Father of Brenna and Sarah  Secure Ideas, Senior Security Consultant  SANS Instructor and Author  SEC542/SEC642/SEC571  Open-Source Bigot  SamuraiWTF, Yokoso, Laudanum etc  Ninja
What are we talking about today?  What’s at risk?  Tools, Testing and Exploitation  Common vulnerabilities found in popular apps (this is the fun part)
What are Smart Bombs?  We’ve got powerful technology in the palm of our hands!  We store and transmit sensitive data  Mobile devices are being used by:  Major Businesses (PII)  Energy Companies (The Grid)  The Government(s)  Hospitals (PHI)  Your Mom (Scary)
That’s right…your Mom
Testing Mobile Apps  What are the 3 major areas for testing?  File System What are apps writing to the file system? How is data stored?  Application Layer How are apps communicating via HTTP and Web Services? SSL?  Transport Layer How are apps communicating over the network? TCP and Third-party APIs
OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication
OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure
OWASP Mobile Security Project  You should get involved!  https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Other Issues  Privacy of your data!  Mobile apps talk to many third party APIs (ads)  What’s collected by Google/Apple/Microsoft?
Common Tools  SSH  VNC server  A compiler (gcc / agcc)  Android SDK (adb!)  XCode  Jailbroken iDevice  Rooted Android Device
Filesystem Analysis  Forensic approach  Filesystem artifacts  Timeline analysis  Log analysis  Temp files
Forensic Tools  Mobile Forensic Tools  EnCase, FTK, Cellebrite  Free and/or Open Source  file, strings, less, dd, md5sum  The Sleuthkit (mactime, mac-robber)
Timelines  Timelines are awesome  Anyone know log2timeline?  Filesystem  mac-robber  mactime  Logs  Application- & OS-specific
Filesystem Timelines  mac-robber  C app  free & open source  must be compiled to run on devices  mactime  Part of The Sleuthkit  runs on Mac, Win, Linux
Compiling mac-robber (Android)  Android  Install arm gcc toolchain  Compile & push via adb   I used Ubuntu, works on MobiSec & Backtrack  Detailed instructions: ○ http://www.darkreading.com/blog/232800148/quick-start- guide-compiling-mac-robber-for-android-vuln-research.html
Compiling mac-robber (iOS)  iOS (jailbroken)  Download & Install libgcc onto device  Install iphone-gcc  Download & Install C headers/libraries
Running mac-robber (iOS)  iOS & Android via SSH  Android via adb  Then, process each with mactime
Filesystem Timelines
Where is the data?
Temp Files
Gallery Lock Lite  “Protects” your images
Viewing & Searching Files  cat, less, vi, strings, grep  SQLite files  GUI browser, API (Ruby, Python, etc)  Android apps  ashell, aSQLiteManager, aLogViewer
Application Layer - HTTP  Tools Used:  Burp Suite  Burp Suite  oh yeah Burp Suite!
Why Look at the App Layer?  Very common in mobile platforms  Many errors are found within the application  And how it talks to the back end service  Able to use many existing tools
Launching Burp Suite  Memory!
Misunderstanding Encryption
Want Credentials?
Transport Layer - TCP  Tools Used:  Wireshark  Tcpdump  Network Miner
Why look at the transport layer?  Check to see how network protocols are handled in the app  Easily look for SSL certificate or other communication issues
NetworkMiner  Extracts files/images and more  Can pull out clear txt credentials  Quickly view parameters
TCP Lab Setup  Run tcpdump directly on the device  Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)  Import PCAPs into NetworkMiner
App Vulnerabilities  Several examples that we’ve found  Many from the Top 25 downloaded apps
Evernote  Notebooks are stored in the cloud  But…caches some files on the device…  OWASP M1: Insecure Data Storage
MyFitnessPal  Android app stores sensitive data on the device (too much data)
Password Keeper “Lite”  PIN and passwords stored in clear-text SQLite database  So much for the security of your passwords…
Draw Something  Word list stored on the device  Modify to mess with your friends
LinkedIn  SSL only for authentication  Session tokens and data sent over HTTP  Lots of apps do this  M3: Insufficient Transport Layer Protection
Auth over SSL Data sent over HTTP
Pandora  Registration over HTTP  User name/Password and Registration info sent over clear text  Unfortunately…lots of apps do this
Hard Coded Passwords/Keys  Major Grocery Chain “Rewards” Android app  Simple to view the source, extract private key  OWASP M9: Broken Cryptography  Do developers really do this?
Why yes, they do!
Privacy Issues  Example: Draw Something App (Top 25)  UDID and more sent to the following third-party ad providers:  appads.com  mydas.mobi  greystripe.com  tapjoyads.com
What is UDID?  Alpha-numeric string that uniquely identifies an Apple device
Pinterest and Flurry.com
Conclusions  Mobile devices are critically common  Most people use them without thinking of security  Developers seem to be repeating the past  We need to secure this area
Contact Us  John Sawyer  Twitter: @johnhsawyer  john@inguardians.com  Tom Eston  Twitter: @agent0x0  teston@securestate.com  Kevin Johnson  Twitter: @secureideas  kjohnson@secureideas.net

Recommended

Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Jail breaking
Jail breakingJail breaking
Jail breakingRokkam Reddy
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSalesforce Developers
 

Recommended

Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Jail breaking
Jail breakingJail breaking
Jail breakingRokkam Reddy
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSalesforce Developers
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp ForensicAnimesh Shaw
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile HackingNovizul Evendi
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Android system security
Android system securityAndroid system security
Android system securityChong-Kuan Chen
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
GPS and Weapons Technology
GPS and Weapons TechnologyGPS and Weapons Technology
GPS and Weapons TechnologySuchit Moon
 

More Related Content

What's hot

Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a HouseSynack
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 

What's hot (20)

Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOS
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp Forensic
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
Android system security
Android system securityAndroid system security
Android system security
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
 

Viewers also liked

The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
GPS and Weapons Technology
GPS and Weapons TechnologyGPS and Weapons Technology
GPS and Weapons TechnologySuchit Moon
 
Comparison of mobile os
Comparison of mobile osComparison of mobile os
Comparison of mobile osasrf786
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS securitySumanth Veera
 
PCA General Assembly Report 2016
PCA General Assembly Report 2016PCA General Assembly Report 2016
PCA General Assembly Report 2016sandiferb
 
Frankfurt school culture industry
Frankfurt school culture industryFrankfurt school culture industry
Frankfurt school culture industryDeleuze78
 
Naval Aircraft & Missiles Web
Naval Aircraft & Missiles WebNaval Aircraft & Missiles Web
Naval Aircraft & Missiles WebLynn Seckinger
 
India's advancement in missile defence system
India's advancement in missile defence systemIndia's advancement in missile defence system
India's advancement in missile defence systemRajesh b.k.
 
China Railway Highspeed Train Jan 2015
China Railway Highspeed Train Jan 2015China Railway Highspeed Train Jan 2015
China Railway Highspeed Train Jan 2015Pradeep Kumar
 
Research on Comparative Study of Different Mobile Operating System_Part-1
Research on Comparative Study of Different Mobile Operating System_Part-1Research on Comparative Study of Different Mobile Operating System_Part-1
Research on Comparative Study of Different Mobile Operating System_Part-1Zulkar Naim
 
Ballistic missile defense system
Ballistic missile defense systemBallistic missile defense system
Ballistic missile defense systemMIT
 
Railway coaches
Railway coachesRailway coaches
Railway coachesnoor patel
 
Laser Guided Misiles
Laser Guided MisilesLaser Guided Misiles
Laser Guided MisilesAmit Ghodke
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 

Viewers also liked (20)

The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 
GPS and Weapons Technology
GPS and Weapons TechnologyGPS and Weapons Technology
GPS and Weapons Technology
 
Stealth fighter technolgy
Stealth fighter technolgyStealth fighter technolgy
Stealth fighter technolgy
 
Deepak e bomb
Deepak e bombDeepak e bomb
Deepak e bomb
 
Radar ppt
Radar pptRadar ppt
Radar ppt
 
Comparison of mobile os
Comparison of mobile osComparison of mobile os
Comparison of mobile os
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
 
PCA General Assembly Report 2016
PCA General Assembly Report 2016PCA General Assembly Report 2016
PCA General Assembly Report 2016
 
Frankfurt school culture industry
Frankfurt school culture industryFrankfurt school culture industry
Frankfurt school culture industry
 
real numbers
real numbersreal numbers
real numbers
 
Ppt2 (1)
Ppt2 (1)Ppt2 (1)
Ppt2 (1)
 
Naval Aircraft & Missiles Web
Naval Aircraft & Missiles WebNaval Aircraft & Missiles Web
Naval Aircraft & Missiles Web
 
India's advancement in missile defence system
India's advancement in missile defence systemIndia's advancement in missile defence system
India's advancement in missile defence system
 
China Railway Highspeed Train Jan 2015
China Railway Highspeed Train Jan 2015China Railway Highspeed Train Jan 2015
China Railway Highspeed Train Jan 2015
 
Research on Comparative Study of Different Mobile Operating System_Part-1
Research on Comparative Study of Different Mobile Operating System_Part-1Research on Comparative Study of Different Mobile Operating System_Part-1
Research on Comparative Study of Different Mobile Operating System_Part-1
 
Ricky seminar
Ricky seminarRicky seminar
Ricky seminar
 
Ballistic missile defense system
Ballistic missile defense systemBallistic missile defense system
Ballistic missile defense system
 
Railway coaches
Railway coachesRailway coaches
Railway coaches
 
Laser Guided Misiles
Laser Guided MisilesLaser Guided Misiles
Laser Guided Misiles
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 

Similar to Smart Bombs: Mobile Vulnerability and Exploitation

Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecDroidConTLV
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension Inc.
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00srini0x00
 
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionWebinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
Securing Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecuritySecuring Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecurityDeja vu Security
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 

Similar to Smart Bombs: Mobile Vulnerability and Exploitation (20)

Mobile security
Mobile securityMobile security
Mobile security
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Android App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSecAndroid App Hacking - Erez Metula, AppSec
Android App Hacking - Erez Metula, AppSec
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA Compliance
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00
 
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionWebinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
Securing Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecuritySecuring Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu Security
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Super1
Super1Super1
Super1
 

More from Tom Eston

Privacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile TechnologyPrivacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile TechnologyTom Eston
 
Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Tom Eston
 
Social Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadSocial Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadTom Eston
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredTom Eston
 
Social Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More BrainsSocial Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More BrainsTom Eston
 
Enterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence GatheringEnterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence GatheringTom Eston
 
Staying Safe & Secure on Twitter
Staying Safe & Secure on TwitterStaying Safe & Secure on Twitter
Staying Safe & Secure on TwitterTom Eston
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-MiddleTom Eston
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsTom Eston
 
Information Gathering With Maltego
Information Gathering With MaltegoInformation Gathering With Maltego
Information Gathering With MaltegoTom Eston
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkTom Eston
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security AssessmentsTom Eston
 
Online Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safelyOnline Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safelyTom Eston
 

More from Tom Eston (15)

Privacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile TechnologyPrivacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile Technology
 
Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?
 
Social Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadSocial Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile Dead
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and Uncensored
 
Social Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More BrainsSocial Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More Brains
 
Enterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence GatheringEnterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence Gathering
 
Staying Safe & Secure on Twitter
Staying Safe & Secure on TwitterStaying Safe & Secure on Twitter
Staying Safe & Secure on Twitter
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
 
Information Gathering With Maltego
Information Gathering With MaltegoInformation Gathering With Maltego
Information Gathering With Maltego
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security Assessments
 
Online Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safelyOnline Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safely
 

Recently uploaded

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 

Recently uploaded (20)

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 

Smart Bombs: Mobile Vulnerability and Exploitation

  • 1. Mobile Vulnerability and Exploitation John Sawyer – InGuardians Tom Eston – SecureState Kevin Johnson – Secure Ideas
  • 2. John Sawyer  InGuardians, Inc. - Senior Security Analyst  DarkReading.com - Author/Blogger  1@stplace - Retired CTF packet monkey  Winners DEFCON 14 & 15  Avid Mountain Biker… in Florida.
  • 3. Tom Eston  Manager, SecureState Profiling & Penetration Team  Blogger – SpyLogic.net  Infrequent Podcaster – Security Justice/Social Media Security  Zombie aficionado  I like to break new technology
  • 4. Kevin Johnson  Father of Brenna and Sarah  Secure Ideas, Senior Security Consultant  SANS Instructor and Author  SEC542/SEC642/SEC571  Open-Source Bigot  SamuraiWTF, Yokoso, Laudanum etc  Ninja
  • 5. What are we talking about today?  What’s at risk?  Tools, Testing and Exploitation  Common vulnerabilities found in popular apps (this is the fun part)
  • 6. What are Smart Bombs?  We’ve got powerful technology in the palm of our hands!  We store and transmit sensitive data  Mobile devices are being used by:  Major Businesses (PII)  Energy Companies (The Grid)  The Government(s)  Hospitals (PHI)  Your Mom (Scary)
  • 8. Testing Mobile Apps  What are the 3 major areas for testing?  File System What are apps writing to the file system? How is data stored?  Application Layer How are apps communicating via HTTP and Web Services? SSL?  Transport Layer How are apps communicating over the network? TCP and Third-party APIs
  • 9. OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication
  • 10. OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure
  • 11. OWASP Mobile Security Project  You should get involved!  https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 12. Other Issues  Privacy of your data!  Mobile apps talk to many third party APIs (ads)  What’s collected by Google/Apple/Microsoft?
  • 13. Common Tools  SSH  VNC server  A compiler (gcc / agcc)  Android SDK (adb!)  XCode  Jailbroken iDevice  Rooted Android Device
  • 14. Filesystem Analysis  Forensic approach  Filesystem artifacts  Timeline analysis  Log analysis  Temp files
  • 15. Forensic Tools  Mobile Forensic Tools  EnCase, FTK, Cellebrite  Free and/or Open Source  file, strings, less, dd, md5sum  The Sleuthkit (mactime, mac-robber)
  • 16. Timelines  Timelines are awesome  Anyone know log2timeline?  Filesystem  mac-robber  mactime  Logs  Application- & OS-specific
  • 17. Filesystem Timelines  mac-robber  C app  free & open source  must be compiled to run on devices  mactime  Part of The Sleuthkit  runs on Mac, Win, Linux
  • 18. Compiling mac-robber (Android)  Android  Install arm gcc toolchain  Compile & push via adb   I used Ubuntu, works on MobiSec & Backtrack  Detailed instructions: ○ http://www.darkreading.com/blog/232800148/quick-start- guide-compiling-mac-robber-for-android-vuln-research.html
  • 19. Compiling mac-robber (iOS)  iOS (jailbroken)  Download & Install libgcc onto device  Install iphone-gcc  Download & Install C headers/libraries
  • 20. Running mac-robber (iOS)  iOS & Android via SSH  Android via adb  Then, process each with mactime
  • 22. Where is the data?
  • 24. Gallery Lock Lite  “Protects” your images
  • 25.
  • 26. Viewing & Searching Files  cat, less, vi, strings, grep  SQLite files  GUI browser, API (Ruby, Python, etc)  Android apps  ashell, aSQLiteManager, aLogViewer
  • 27. Application Layer - HTTP  Tools Used:  Burp Suite  Burp Suite  oh yeah Burp Suite!
  • 28. Why Look at the App Layer?  Very common in mobile platforms  Many errors are found within the application  And how it talks to the back end service  Able to use many existing tools
  • 32. Transport Layer - TCP  Tools Used:  Wireshark  Tcpdump  Network Miner
  • 33. Why look at the transport layer?  Check to see how network protocols are handled in the app  Easily look for SSL certificate or other communication issues
  • 34. NetworkMiner  Extracts files/images and more  Can pull out clear txt credentials  Quickly view parameters
  • 35.
  • 36. TCP Lab Setup  Run tcpdump directly on the device  Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)  Import PCAPs into NetworkMiner
  • 37. App Vulnerabilities  Several examples that we’ve found  Many from the Top 25 downloaded apps
  • 38. Evernote  Notebooks are stored in the cloud  But…caches some files on the device…  OWASP M1: Insecure Data Storage
  • 39.
  • 40. MyFitnessPal  Android app stores sensitive data on the device (too much data)
  • 41.
  • 42. Password Keeper “Lite”  PIN and passwords stored in clear-text SQLite database  So much for the security of your passwords…
  • 43.
  • 44.
  • 45.
  • 46. Draw Something  Word list stored on the device  Modify to mess with your friends
  • 47. LinkedIn  SSL only for authentication  Session tokens and data sent over HTTP  Lots of apps do this  M3: Insufficient Transport Layer Protection
  • 48. Auth over SSL Data sent over HTTP
  • 49.
  • 50. Pandora  Registration over HTTP  User name/Password and Registration info sent over clear text  Unfortunately…lots of apps do this
  • 51.
  • 52. Hard Coded Passwords/Keys  Major Grocery Chain “Rewards” Android app  Simple to view the source, extract private key  OWASP M9: Broken Cryptography  Do developers really do this?
  • 54. Privacy Issues  Example: Draw Something App (Top 25)  UDID and more sent to the following third-party ad providers:  appads.com  mydas.mobi  greystripe.com  tapjoyads.com
  • 55. What is UDID?  Alpha-numeric string that uniquely identifies an Apple device
  • 56.
  • 58.
  • 59. Conclusions  Mobile devices are critically common  Most people use them without thinking of security  Developers seem to be repeating the past  We need to secure this area
  • 60. Contact Us  John Sawyer  Twitter: @johnhsawyer  john@inguardians.com  Tom Eston  Twitter: @agent0x0  teston@securestate.com  Kevin Johnson  Twitter: @secureideas  kjohnson@secureideas.net