
Mobile Application Scan and Testing

Mobile AppSec Review


  1. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon. Mobile Application Security – Effective Methodology, Effective Testing!
  2. Who Am I? • Hemil Shah – hemil@blueinfy.net • Co-CEO & Director, Blueinfy Solutions • Past experience – eSphere Security, HBO, KPMG, IL&FS, Net Square • Interest – Web and mobile security research • Published research – Articles / Papers – Packstroem, etc. – Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. – Mobile Tools – FSDroid, iAppliScan, DumpDroid • hemil@blueinfy.com • http://www.blueinfy.com • Blog – http://blog.blueinfy.com/
  3. About • Global experience: worked with clients based in USA, UAE, Europe and Asia-Pac. • Clients/Partners include Fortune 100 companies. • Delivery model and support • Blackbox and Whitebox – Scanners and Code Analyzers • Scanning tools and technology (15 years) • Strong and tested with Fortune clients • Integrated in SDLC • Help clients mitigate or lower risk by improving process • In-house R&D team for the last 7 years • Papers and presentations at conferences like RSA, Blackhat, HITB, OWASP etc. • Books written and used as security guides • Know-How, Methods & Approach, Global Delivery & Team, Technology • BBC, Dark Reading, Bank Technology, SecurityWeek, MIT Technology Review • Application Security
  4. Enterprise Technology Trend • 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC] • 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner] • 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment • 2010. Flex/HTML5/Cloud/API • 2012. HTML5/Mobile era.
  5. Past, Present and Future (figure: Cloud, 2010 Focus)
  6. Mobile Infrastructure (diagram: www, mail, intranet, router, DMZ, Internet, VPN, Dial-up, Other Offices, Exchange, firewall, Database, RAS)
  7. Mobile App Environment (diagram: Web Client; Web Server – static pages only (HTML, HTM, etc.); Scripted Web Engine – dynamic pages (ASP, DHTML, PHP, CGI, etc.); Application Servers and Integrated Framework – ASP.NET on .Net Framework, J2EE App Server, Web Services, etc.; zones: Internet, DMZ, Trusted, Internal/Corporate; Mobile talks to Web Services over SOAP/JSON etc.; DB)
  8. Mobile Apps
  9. Gartner Statistics
  10. Gartner Statistics
  11. Mobile Changes • Application Infrastructure – changing dimensions, Web vs. Mobile: (AI1) Protocols – Web: HTTP & HTTPS; Mobile: JSON, SOAP, REST etc. over HTTP & HTTPS. (AI2) Information structures – Web: HTML transfer; Mobile: JSON, JS Objects, XML, etc. (AI3) Technology – Web: Java, DotNet, PHP, Python and so on; Mobile: Cocoa, Java with Platform SDKs, HTML5. (AI4) Information Store/Process – Web: mainly on server side; Mobile: client and server side.
  12. Mobile Changes • Security Threats – changing dimensions, Web vs. Mobile: (T1) Entry points – Web: structured; Mobile: scattered and multiple. (T2) Dependencies – Web: limited; Mobile: multiple technologies, information sources, protocols. (T3) Vulnerabilities – Web: server side [typical injections]; Mobile: web services [payloads], client side [local storage]. (T4) Exploitation – Web: server side exploitation; Mobile: both server and client side exploitation.
  13. Black Review flow: Architecture Review – Scoping – Server Side Application Footprinting – Mobile Application Footprinting – Application Threat Modeling – Application Deployment Assessment – Application Enumeration and Profiling – Application Discovery – Vulnerability Assessment – Mitigation Strategies – Reporting. Application Security – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Service, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Mobile and Device Security • Insecure storage • Insecure network communication – carrier network security & WiFi network attacks • Unauthorized dialing & SMS • UI impersonation/spoofing • Activity monitoring and data retrieval • Sensitive data leakage • Hardcoded passwords/keys • Language issues • Timely application update • Jailbreaking/physical device theft • Keyboard cache/clipboard issue • Reading information from SQLite database • Insecure protocol handler implementation • And a few other loopholes
  14. Insecure Storage
  15. Insecure Storage • Why applications need to store data – Ease of use for the user – Popularity – Competition – Activity with a single click – Decreased transaction time – Post/Get information to/from social sites • 9 out of 10 applications have this vulnerability
  16. Insecure Storage • How an attacker can gain access – WiFi – Default password after jailbreaking (alpine) – Physical theft – Temporary access to the device
  17. Insecure Storage • What information we usually find – Authentication credentials – Authorization tokens – Financial statements – Credit card numbers – Owner's information – Physical address, name, phone number – Social engineering sites profile/habits – SQL queries
  18. Local file access
  19. Insecure Network Communication
  20. Insecure Network Channel • Easy to perform MitM (man-in-the-middle) attacks as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, carrier's network • Application deals with sensitive data, i.e. – Authentication credentials – Authorization token – PII information (privacy violation) (owner name, phone number, UDID)
  21. Insecure Network Channel • Can sniff the traffic to get access to sensitive data • SSL is the best way to secure the communication channel • Common issues – Does not deprecate HTTP requests – Allowing invalid certificates – Sensitive information in GET requests
  22. Session token
  23. Unauthorized Dialing/SMS
  24. Unauthorized Dialing/SMS • Social engineering using mobile devices • Attacker plays with the user's mind • User installs application • Application sends a premium rate SMS or makes a premium rate phone call to an unknown number • Used by malware/Trojans
  25. AndroidOS.FakePlayer • August 2010 • Sends costly international SMS • One SMS costs 25 USD (INR 1250) • Application sends SMS to – 3353 & 3354 numbers in Russia
  26. GGTracker • June 2010 • Another application which sends international SMS • One SMS costs 40 USD (INR 2000) • Application sends premium SMS to US numbers
  27. UI Impersonation
  28. UI Impersonation • The attack has existed for a long time • On the mobile stack, known as UI impersonation • Other names are phishing attack, clickjacking • Attacker plays with the user's mind and tries to impersonate another user or another application
  29. UI Impersonation • Victim loses credit card information, authentication credentials or secrets • One application can create a local PUSH notification as if it came from the Apple store • Flaw in the App Store review process – anyone can give their application any name
  30. NetFlix • Oct 2011 • Steals users' "Netflix" account information • Application shows the error message "Compatibility issues with the user's hardware" when the user enters username and password • Once the error message is shown, the application uninstalls itself
  31. Activity Monitoring
  32. Activity Monitoring • Sending a blind carbon copy of each email to the attacker • Listening to all phone calls • Emailing the contact list and pictures to the attacker • Reading all emails stored on the device • Usual intention of spyware/Trojans
  33. Activity Monitoring • Attacker can monitor – Audio files – Video – Pictures – Location – Contact list – Call/browser/SMS history – Data files
  34. Android.Pjapps • Early 2010 • Steals/changes user's information • Application – Sends and monitors incoming SMS messages – Reads/writes the user's browsing history and bookmarks – Installs packages and opens sockets – Writes to external storage – Reads the phone's state
  35. System Modification
  36. System Modification • Application will attempt to modify system configuration to hide itself (historically this is known as a ROOTKIT) • Configuration changes make certain attacks possible, i.e. – Modifying the device proxy to monitor the user's activity – Configuring BCC email sending to the attacker
  37. iKee – iPhone Worm • "ikee" iPhone worm – Changes the root password – Changes the wallpaper to Ricky Martin. After infection by "ikee" the iPhone looks like this
  38. PII Information Leakage
  39. PII Information Leakage • Applications usually have access to the user's private information, i.e. owner name, location, physical address, AppID, phone number • This information needs to be handled very carefully as per the law in some countries • Storing this information in plain text is not allowed in some countries
  40. PII Information
  41. Hardcoded Secrets
  42. Hardcoded Secrets • Easiest way for a developer to solve complex issues/functionality • Attacker can get this information either by reverse engineering the application or by checking local storage
  43. Keychain Dumper
  44. Language Specific Issues
  45. Language Specific Issues • Applications on iOS are developed in Objective-C, which is derived from the classic C language • Along with this derivation, it also inherits the security issues of C, i.e. overflow attacks • Using Dex2jar, the source code of an Android application can be accessed
  46. dexdump – convert/dump .dex files:
  47. SQL Injection in Local database
  48. SQL Injection in Local database • Most mobile platforms use SQLite as the database to store information on the device • Using any SQLite database browser, it is possible to access database logs which have queries and other sensitive database information • If the application is not filtering input, SQL injection on the local database is possible
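An added example, not from the deck, showing the local-database injection slide 48 describes using Python's sqlite3 against a constructed in-memory table: the string-concatenated query next to its parameterised fix. The "notes" table and the inputs are constructed for this illustration.

```python
import sqlite3

def build_sample_db() -> sqlite3.Connection:
    # Constructed sample: an in-memory SQLite store standing in for an app's
    # on-device database (hypothetical "notes" table keyed by owner).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice's private note"),
         ("bob", "bob's card PIN reminder"),
         ("carol", "carol's address")],
    )
    return conn

def notes_for_owner_vulnerable(conn, owner: str) -> list:
    # The pattern the slide warns about: unfiltered input is concatenated into
    # the SQL text, so the input can rewrite the query's WHERE logic.
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]

def notes_for_owner_safe(conn, owner: str) -> list:
    # Parameterised query: SQLite binds the value; it never becomes SQL syntax.
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

def demo() -> dict:
    conn = build_sample_db()
    # Constructed inputs: a normal owner, the classic tautology payload, and a
    # legitimate value containing a quote (which breaks the concatenated query).
    normal, tainted, quoted = "alice", "alice' OR '1'='1", "o'brien"
    try:
        notes_for_owner_vulnerable(conn, quoted)
        quote_breaks_vulnerable = False
    except sqlite3.OperationalError:
        quote_breaks_vulnerable = True
    return {
        "normal_vuln": notes_for_owner_vulnerable(conn, normal),
        "normal_safe": notes_for_owner_safe(conn, normal),
        "tainted_vuln": notes_for_owner_vulnerable(conn, tainted),  # every row leaks
        "tainted_safe": notes_for_owner_safe(conn, tainted),        # no rows
        "quote_breaks_vulnerable": quote_breaks_vulnerable,         # True
        "quote_safe": notes_for_owner_safe(conn, quoted),           # no rows, no error
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```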
  49. Injection…
  50. Information in Common Services
  51. Common Services • Keyboard and clipboard are shared amongst all the applications • Information stored in the clipboard can be accessed by all applications • Sensitive information should not be allowed to be copied/pasted in the application
  52. Server Side Issues
  53. Server Side Issues • Most applications make server side calls to either web services or some other component. Security of the server side component is equally as important as the client side • Controls to be tested on the server side – Security control categories for server side application – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,
  54. Server Side Issues (continued) – Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  55. Binary auditing
  56. Using GDB
  57. Mobile Top 10 - OWASP • Insecure Data Storage • Weak Server Side Controls • Insufficient Transport Layer Protection • Client Side Injection • Poor Authorization and Authentication • Improper Session Handling • Security Decisions Via Untrusted Inputs • Side Channel Data Leakage • Broken Cryptography • Sensitive Information Disclosure
  58. Pen testing Check list (iOS Applications)
  59. Pen testing Check list • Fuzz all possible inputs to the application and validate output (query string, POST data, external HTML, RSS feed or database feed) • Audit traditional memory-unsafe methods (strcpy, memcpy) • Watch out for format string vulnerabilities • Look for hard-coded credentials / secrets
  60. Pen testing Check list • Check network connections (grep for NSURL, CFStream, NSStream) • Check database connections and queries (grep SQL strings and SQLite queries) • Check that only trusted certificates are allowed (look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticationChallenge) • Check what is logged (grep NSLog)
  61. Pen testing Check list • Check the implementation of URL schemes in handleOpenURL • Check what is stored in the keychain (kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attributes when calling SecItemAdd or SecItemUpdate) and the file system (NSDataWritingFileProtectionComplete).
  62. Pen testing Check list • Check how critical data is stored (NSUserDefaults should not be used to store critical data) • Check server side controls • Decrypt the binary and run strings to find sensitive information
  63. Pen testing Check list • Check whether the application uses UIWebView (how does the application load HTML and where is it rendered from? Is the URL visible?) • Check whether copy-paste functionality is enabled in sensitive fields (PII fields) • Install your favorite proxy to monitor + fuzz web traffic • Run the app under a disassembler to monitor calls
  64. Pen testing Check list • Check whether critical data fields are hidden in applicationWillTerminate and applicationWillEnterBackground to prevent screenshot caching • Check how the application handles PII information
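An added example, not from the deck, that turns the grep-based items of the checklist (slides 59 to 64) and the "allowing invalid certificates" / "does not deprecate HTTP" issues of slide 21 into one source scan: it flags the API names the slides tell you to grep for, plus an NSLog whose format argument is not a string literal (the format-string item). The category labels, regexes and the Objective-C fragment are constructed for this illustration; a real review runs it over the app's source tree.

```python
import re

# Indicators named on the checklist slides (NSLog, NSURL/CFStream/NSStream,
# setAllowsAnyHTTPSCertificate, didReceiveAuthenticationChallenge, handleOpenURL,
# SecItemAdd/SecItemUpdate, NSUserDefaults, UIWebView, strcpy/memcpy). The
# category names and regexes are this example's own choices, not the deck's.
CHECKS = [
    ("memory-unsafe C call",            r"\b(strcpy|strcat|sprintf|memcpy|gets)\s*\("),
    ("NSLog with non-literal format",   r"\bNSLog\s*\(\s*(?!@\")"),
    ("logging call (review contents)",  r"\bNSLog\s*\("),
    ("network API (check HTTPS use)",   r"\b(NSURL|CFStream|NSStream)\w*"),
    ("cleartext http:// URL",           r"http://"),
    ("accepts any HTTPS certificate",   r"\bsetAllowsAnyHTTPSCertificate\b"),
    ("custom certificate handling",     r"\bdidReceiveAuthenticationChallenge\b"),
    ("URL scheme handler",              r"\bhandleOpenURL\b"),
    ("keychain write (check kSecAttrAccessible*)", r"\bSecItem(Add|Update)\b"),
    ("NSUserDefaults storage",          r"\bNSUserDefaults\b"),
    ("SQL built with %@ formatting",    r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*%@"),
    ("UIWebView (check HTML source)",   r"\bUIWebView\b"),
]

def scan_source(source: str) -> list:
    """Return (line_number, category, stripped_line) for every indicator hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern in CHECKS:
            if re.search(pattern, line):
                findings.append((lineno, category, line.strip()))
    return findings

def summarize(findings: list) -> dict:
    # Count hits per category so a reviewer sees which checklist items apply.
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed Objective-C fragment (not from any real app) exercising the checks.
SAMPLE = """\
- (void)save:(NSString *)token {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"authToken"];
    NSLog(@"saved token %@", token);
}
- (void)fetch:(NSString *)name {
    NSURL *url = [NSURL URLWithString:@"http://api.example.com/user"];
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:@"api.example.com"];
    char buf[32];
    strcpy(buf, [name UTF8String]);
    NSLog([name description]);
    NSString *q = [NSString stringWithFormat:@"SELECT * FROM t WHERE n='%@'", name];
}
"""

if __name__ == "__main__":
    for lineno, category, line in scan_source(SAMPLE):
        print(f"{lineno:3}: {category:44} {line}")
```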
  65. Conclusion/Questions – Hemil Shah, hemil@blueinfy.net, +91 99790 55100
