OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile
Applica,on
Security
–
Effec,ve
Methodology,
Effec,ve
Tes,ng!

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Who Am I?
• Hemil
Shah
–
hemil@blueinfy.net
• Co-­‐CEO
&
Director,
Blueinfy
Solu,ons
• Past
experience
– eSphere
Security,
HBO,
KPMG,
IL&FS,
Net
Square
• Interest
– Web
and
mobile
security
research
• Published
research
– ArFcles
/
Papers
–
Packstroem,
etc.
– Web
Tools
–
wsScanner,
scanweb2.0,
AppMap,
AppCodeScan,
AppPrint
etc.
– Mobile
Tools
–
FSDroid,
iAppliScan,
DumpDroid
hemil@blueinfy.com
hRp://www.blueinfy.com
Blog
–
hRp://blog.blueinfy.com/

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
About
• Global
experience
worked
clients
based
in
USA,
UAE,
Europe
and
Asia-­‐pac.
• Clients/Partners
include
Fortune
100
companies.
• Delivery
model
and
support
• Blackbox
and
Whitebox
–
Scanners
and
Code
Analyzers
• Scanning
tools
and
technology
(15
years)
• Strong
and
tested
with
Fortune
clients
• Integrated
in
SDLC
• Help
client
in
miFgaFng
or
lowering
down
the
Risk
by
improving
process
• In
house
R&D
team
for
last
7
years
• Papers
and
PresentaFons
at
conference
like
RSA,
Blackhat,
HITB,
OWASP
etc.
• Books
wriRen
and
used
as
security
guides
Know-­‐How
Methods
&
Approach
Global
Delivery
&
Team
Technology
Ø BBC
Ø Dark
Readings
Ø Bank
Technology
Ø SecurityWeek
Ø MIT
Technology
Review
ApplicaFon
Security

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Enterprise Technology Trend
• 2007. Web services would rocket from $1.6
billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented
Architecture (SOA) would surge ahead.
[Gartner]
• 2009. Enterprise 2.0 in action and
penetrating deeper into the corporate
environment
• 2010. Flex/HTML5/Cloud/API
• 2012. HTML5/Mobile era.

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Past, Present and Future
Cloud
2010
Focus

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile Infrastructure
www mail
intranet
router
DMZ
Internet
VPN
Dial-up
Other
Office
s
Exchange
firewall
Database
RAS

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile App Environment
Web
Server
Static pages only
(HTML,HTM, etc.)Web
Client
Scripted
Web
Engine
Dynamic pages
(ASP,DHTML, PHP,
CGI, etc.)
ASP.NET on
.Net Framework,
J2EE App Server,
Web Services,
etc.
Application
Servers
And
Integrated
Framework
Internet DMZ Trusted
W
E
B
S
E
R
V
I
C
E
S
Mobile
SOAP/JSON etc.
DB
X
Internal/Corporate

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile Apps

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Gartner Statistics

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Gartner Statistics

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile Changes
• Application Infrastructure
Changing dimension Web Mobile
(AI1) Protocols HTTP & HTTPS JSON, SOAP, REST etc. over
HTTP & HTTPS
(AI2) Information
structures
HTML transfer JSON, JS Objects, XML, etc.
(AI3) Technology Java, DotNet, PHP,
Python and so on
Cocoa, Java with Platform
SDKs, HTML5
(AI4) Information
Store/Process
Mainly on Server Side Client and Server Side

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile Changes
• Security Threats
Changing dimension Web Mobile
(T1) Entry points Structured Scattered and multiple
(T2) Dependencies Limited • Multiple technologies
• Information sources
• Protocols
(T3) Vulnerabilities Server side [Typical
injections]
• Web services [Payloads]
• Client side [Local Storage]
(T4) Exploitation Server side exploitation Both server and client side
exploitation

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Black Review flow
Architecture Review
Scoping
Server Side Application Footprinting
Mobile Application Footprinting
Application Threat Modeling
Application Deployment Assessment
Application Enumeration and Profiling
Application Discovery
Vulnerability Assessment
Mitigation Strategies
Application Security – Authentication,
Access Controls/Authorization, API misuse, Path traversal,
Sensitive information leakage, Error handling, Session management,
Protocol abuse, Input validations, Cross Site Scripting (XSS),
Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto,
Denial of Services, Malicious Code Injection, SQL injection,
XPATH and LDAP injections, OS command injection,
Parameter manipulations, Bruteforce, Buffer Overflow,
Format string, HTTP response splitting, HTTP replay,
XML injection, Canonicalization, Logging and auditing.
Mobile and Device Security
• Insecure storage
• Insecure network Communication - Carriers network security & WiFi network attacks
• Unauthorized dialing & SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Language issues
• Timely application update
• Jail breaking/Physical device theft
• KeyBoard cache/ClipBoard issue
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• And few other loopholes
Reporting

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Storage

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Storage
• Why application needs to store data
– Ease of use for the user
– Popularity
– Competition
– Activity with single click
– Decrease Transaction time
– Post/Get information to/from Social Sites
• 9 out of 10 applications have this
vulnerability

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Storage
• How attacker can gain access
– Wifi
– Default password after jail breaking (alpine)
– Physical Theft
– Temporary access to device

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Storage
• What information we usually find
– Authentication Credentials
– Authorization tokens
– Financial Statements
– Credit card numbers
– Owner’s Information – Physical Address,
Name, Phone number
– Social Engineering Sites profile/habbits
– SQL Queries

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Local file access

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Network
Communication

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Network Channel
• Easy to perform MiM attacks as Mobile
devices uses untrusted network i.e open/
Public WiFi, HotSpot, Carrier’s Network
• Application deals with sensitive data i.e.
– Authentication credentials
– Authorization token
– PII Information (Privacy Violation) (Owner
Name, Phone number, UDID)

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Insecure Network Channel
• Can sniff the traffic to get an access to
sensitive data
• SSL is the best way to secure
communication channel
• Common Issues
– Does not deprecate HTTP requests
– Allowing invalid certificates
– Sensitive information in GET requests

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Session token

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Unauthorized Dialing/SMS

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Unauthorized Dialing/SMS
• Social Engineering using Mobile Devices
• Attacker plays with user’s mind
• User installs application
• Application sends premium rate SMS or a
premium rate phone call to unknown
number
• Used by Malware/Trojans

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
AndroidOS.FakePlayer
• August 2010
• Sends costly International SMS
• One SMS Costs – 25 USD (INR 1250)
• Application Sends SMS to –
– 3353 & 3354 numbers in Russia

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
GGTracker
• June 2010
• Another Application which sends
International SMS
• One SMS Costs – 40 USD (INR 2000)
• Application Sends Premium SMS to US
numbers

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
UI Impersonation

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
UI Impersonation
• Attack has been there since long
• On a mobile stack, known as UI
impersonation
• Other names are Phishing Attack,
ClickJacking
• Attacker plays with user’s mind and try to
impersonate as other user or other
application

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
UI Impersonation
• Victim looses credit card information or
authentication credentials or secret
• One application can create local PUSH
notification as it is created from apple
store
• Flow in review process of AppStore –
Anyone can name anything to their
application

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
NetFlix
• Oct -2011
• Steals users “netflix” account information
• Application shows error message to user
“Compatibility issues with the user’s
hardware” when user enters username
and password
• Once error message, application uninstalls
itself

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Activity Monitoring

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Activity Monitoring
• Sending a blind carbon copy of each
email to attacker
• Listening all phone calls
• Email contact list, pictures to attacker
• Read all emails stored on the device
• Usual intension of Spyware/Trojans

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Activity Monitoring
• Attacker can monitor –
– Audio Files
– Video
– Pictures
– Location
– Contact List
– Call/Browser/SMS History
– Data files

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Android.Pjapps
• Early 2010
• Steal/Change users information
• Application –
– Send and monitor incoming SMS messages
– Read/write to the user's browsing history and
bookmarks
– Install packages and Open Sockets
– Write to external storage
– Read the phone's state

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
System Modification

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
System Modification
• Application will attempt to modify system
configuration to hide itself (Historically this
is known as ROOTKIT)
• Configuration changes makes certain
attack possible i.e. –
– Modifying device proxy to get user’s activity
monitoring
– Configure BCC email sending to attacker

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
iKee – iPhone Worm
• “ikee” iPhone Worm
– Change root password
– Change wallpaper to Ricky Martin.
After infected by “ikee“
iPhone look like this

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
PII Information Leakage

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
PII Information Leakage
• Application usually have access to user’s
private information i.e. Owner Name,
Location, Physical Address, AppID,
Phone Number
• This information needs to be handled very
carefully as per the law in some countries
• Storing this information in plain text is not
allowed in some countries

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
PII Information

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Hardcoded Secrets

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Hardcoded Secrets
• Easiest way for developer to solve
complex issues/functionality
• Attacker can get this information by either
reverse engineering application or by
checking local storage

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Keychain Dumper

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Language Specific Issues

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Language Specific Issues
• Application in iOS are developed in
Objective-C language which is derived
from classic C language
• Along with this derivation, it also derives
security issues in C language i.e. overflow
attacks
• Using Dex2jar, source code of android
application can be accessed

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
dexdump
Convert dump .dex files:

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
SQL Injection in Local database

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
SQL Injection in Local database
• Most Mobile platforms uses SQLite as
database to store information on the
device
• Using any SQLite Database Browser, it is
possible to access database logs which
has queries and other sensitive database
information
• In case application is not filtering input,
SQL Injection on local database is
possible

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Injection…

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Information in Common
Services

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Common Services
• KeyBoard, Clipboard are shared amongst
all the applications.
• Information stored in clipboard can be
accessed by all the application
• Sensitive information should not be
allowed to copy/paste in the application

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Server Side Issues

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Server Side Issues
• Most Application makes server side calls
to either web services or some other
component. Security of server side
component is equally important as client
side
• Controls to be tested on the server side –
Security Control Categories for Server
Side Application– Authentication, Access
Controls/Authorization, API misuse, Path
traversal, Sensitive information leakage,

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Server Side Issues
Error handling, Session management,
Protocol abuse, Input validations, XSS,
CSRF, Logic bypass, Insecure crypto, DoS,
Malicious Code Injection, SQL injection,
XPATH and LDAP injections, OS command
injection, Parameter manipulations,
BruteForce, Buffer Overflow, HTTP
response splitting, HTTP replay, XML
injection, Canonicalization, Logging and
auditing.

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Binary auditing

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Using GDB

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile Top 10 - OWASP
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
(iOS Applications)

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
• Fuzz all possible Inputs to the application
and validate output (Query String, POST
data, external HTML, RSS Feed or
database feed)
• Audit traditional memory unsafe methods
(strcpy, memcpy)
• Watch out for format string vulnerabilities
• Look for hard coded credentials / secrets

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
• Check network connection (grep for
NSURL, CFStream, NSStream)
• Check Database connection and queries
(grep SQL strings and SQLLite queries)
• Check only trusted certificate are allowed
(Look for setAllowsAnyHTTPSCertificate
and didReceiveAuthenticationChallenge)
• Check what is logged (grep NSLog)

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
• Check implementation of URLSchemes in
handleOpenURL
• Check what is stored in keychain
(kSecAttrAccessibleWhenUnlocked or
kSecAttrAccessibleAfterFirstUnlock
attributes when calling SecItemAdd or
SecItemUpdate) and the file system
(NSDataWritingFileProtectionComplete).

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
• Check how critical data is stored
(NSUserDefaults should not be used to
store critical data)
• Check Server Side controls
• Decrypt the binary and run strings to find
sensitive information

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
• Check whether application uses
UIWebView (How application loads HTLM
and where it is rendered from? Is URL
visible?)
• Check whether copy-paste functionality is
enabled in sensitive fields (PII fields)
• Install your favorite proxy to monitor +
fuzz web traffic
• Run the app using disassemble to monitor
calls

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Pen testing Check list
• Check whether critical data fields are
hidden in applicationWillTerminate and
applicationWillEnterBackground to
prevent screenshot caching
• Check how application handles PII
information

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Conclusion/Ques,ons
Hemil Shah
hemil@blueinfy.net
+91 99790 55100