Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Mobile code mining for discovery and exploits nullcongoa2013


Published on

Mobile Security Review

Published in: Software
  • Be the first to comment

  • Be the first to like this

Mobile code mining for discovery and exploits nullcongoa2013

  1. 1. Mobile Code Mining For Discovery and Exploits
  2. 2. Who Am I? Hemil Shah – Co-CEO & Director, Blueinfy Solutions Past experience eSphere Security, HBO, KPMG, IL&FS, Net Square Interest Web and mobile security research Published research Articles / Papers – Packstroem, etc. Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Mobile Tools – FSDroid, iAppliScan, DumpDroid Blog – Blog –
  3. 3. Enterprise Technology Trend 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC] 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner] 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment 2010. Flex/HTML5/Cloud/API 2012. HTML5/Mobile era.
  4. 4. Past, Present and Future Cloud 2010 Focus
  5. 5. Mobile Infrastructure www mail intranet router DMZ Internet VPN Dial-up Other Offices Exchange firewall Database RAS
  6. 6. Mobile App Environment Web Server Static pages only (HTML,HTM, etc.)Web Client Scripted Web Engine Dynamic pages (ASP,DHTML, PHP, CGI, etc.) ASP.NET on .Net Framework, J2EE App Server, Web Services, etc. Application Servers And Integrated Framework Internet DMZ Trusted WW EE BB SS EE RR VV II CC EE SS Mobile SOAP/JSON etc. DB X Internal/Corporate
  7. 7. Mobile Apps
  8. 8. Mobile Changes Application Infrastructure Changing dimension Web Mobile (AI1) Protocols HTTP & HTTPS JSON, SOAP, REST etc. over HTTP & HTTPS (AI2) Information structures HTML transfer JSON, JS Objects, XML, etc. (AI3) Technology Java, DotNet, PHP, Python and so on Cocoa, Java with Platform SDKs, HTML5 (AI4) Information Store/Process Mainly on Server Side Client and Server Side
  9. 9. Mobile Changes Security Threats Changing dimension Web Mobile (T1) Entry points Structured Scattered and multiple (T2) Dependencies Limited • Multiple technologies • Information sources • Protocols (T3) Vulnerabilities Server side [Typical injections] • Web services [Payloads] • Client side [Local Storage] (T4) Exploitation Server side exploitation Both server and client side exploitation
  10. 10. Mobile Attacks
  11. 11. Insecure Storage
  12. 12. Insecure Storage Why application needs to store data • Ease of use for the user • Popularity • Competition • Activity with single click • Decrease Transaction time • Post/Get information to/from Social Sites 9 out of 10 applications have this vulnerability
  13. 13. Insecure Storage How attacker can gain access • Wifi • Default password after jail breaking (alpine) • Adb over wifi • Physical Theft • Temporary access to device
  14. 14. Insecure Storage What information we usually find • Authentication Credentials • Authorization tokens • Financial Statements • Credit card numbers • Owner’s Information – Physical Address, Name, Phone number • Social Engineering Sites profile/habbits • SQL Queries
  15. 15. DEMO
  16. 16. Insecure Network Communication
  17. 17. Insecure Network Channel • Easy to perform MiM attacks as Mobile devices uses untrusted network i.e open/Public WiFi, HotSpot, Carrier’s Network • Application deals with sensitive data i.e. • Authentication credentials • Authorization token • PII Information (Privacy Violation) (Owner Name, Phone number, UDID)
  18. 18. Insecure Network Channel • Can sniff the traffic to get an access to sensitive data • SSL is the best way to secure communication channel • Common Issues • Does not deprecate HTTP requests • Allowing invalid certificates • Sensitive information in GET requests
  19. 19. Session token
  20. 20. Unauthorized Dialing/SMS
  21. 21. Unauthorized Dialing/SMS • Social Engineering using Mobile Devices • Attacker plays with user’s mind • User installs application • Application sends premium rate SMS or a premium rate phone call to unknown number • Used by Malware/Trojans
  22. 22. AndroidOS.FakePlayer August 2010 • Sends costly International SMS • One SMS Costs – 25 USD (INR 1250) • Application Sends SMS to – • 3353 & 3354 numbers in Russia
  23. 23. GGTracker June 2010 • Another Application which sends International SMS • One SMS Costs – 40 USD (INR 2000) • Application Sends Premium SMS to US numbers
  24. 24. UI Impersonation
  25. 25. UI Impersonation • Attack has been there since long • On a mobile stack, known as UI impersonation • Other names are Phishing Attack, ClickJacking • Attacker plays with user’s mind and try to impersonate as other user or other application
  26. 26. UI Impersonation • Victim looses credit card information or authentication credentials or secret • One application can create local PUSH notification as it is created from apple store • Flow in review process of AppStore – Anyone can name anything to their application
  27. 27. NetFlix Oct -2011 • Steals users “netflix” account information • Application shows error message to user “Compatibility issues with the user’s hardware” when user enters username and password • Once error message, application uninstalls itself
  28. 28. Activity Monitoring
  29. 29. Activity Monitoring • Sending a blind carbon copy of each email to attacker • Listening all phone calls • Email contact list, pictures to attacker • Read all emails stored on the device • Usual intension of Spyware/Trojans
  30. 30. Activity Monitoring Attacker can monitor – • Audio Files • Video • Pictures • Location • Contact List • Call/Browser/SMS History • Data files
  31. 31. Android.Pjapps Early 2010 • Steal/Change users information • PjApps Application – • Send and monitor incoming SMS messages • Read/write to the user's browsing history and bookmarks • Install packages and Open Sockets • Write to external storage • Read the phone's state
  32. 32. System Modification
  33. 33. System Modification • Application will attempt to modify system configuration to hide itself (Historically this is known as ROOTKIT) • Configuration changes makes certain attack possible i.e. – • Modifying device proxy to get user’s activity monitoring • Configure BCC email sending to attacker
  34. 34. iKee – iPhone Worm “ikee” iPhone Worm Change root password Change wallpaper to Ricky Martin. After infected by “ikee“ iPhone look like this
  35. 35. PII Information Leakage
  36. 36. PII Information Leakage • Application usually have access to user’s private information i.e. Owner Name, Location, Physical Address, AppID, Phone Number • This information needs to be handled very carefully as per the law in some countries • Storing this information in plain text is not allowed in some countries
  37. 37. DEMO
  38. 38. Hardcoded Secrets
  39. 39. Hardcoded Secrets • Easiest way for developer to solve complex issues/functionality • Attacker can get this information by either reverse engineering application or by checking local storage
  40. 40. DEMO
  41. 41. Language Specific Issues
  42. 42. Language Specific Issues • Application in iOS are developed in Objective- C language which is derived from classic C language • Along with this derivation, it also derives security issues in C language i.e. overflow attacks
  43. 43. SQL Injection in Local database
  44. 44. SQL Injection in Local database • Most Mobile platforms uses SQLite as database to store information on the device • Using any SQLite Database Browser, it is possible to access database logs which has queries and other sensitive database information • In case application is not filtering input, SQL Injection on local database is possible
  45. 45. DEMO
  46. 46. Information in Common Services
  47. 47. Common Services • KeyBoard, Clipboard are shared amongst all the applications. • Information stored in clipboard can be accessed by all the application • Sensitive information should not be allowed to copy/paste in the application
  48. 48. DEMO
  49. 49. Server Side Issues
  50. 50. Server Side Issues • Most Application makes server side calls to either web services or some other component. Security of server side component is equally important as client side • Controls to be tested on the server side – Security Control Categories for Server Side Application– Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,
  51. 51. Server Side Issues • Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  52. 52. Mobile Top 10 - OWASP • Insecure Data Storage • Weak Server Side Controls • Insufficient Transport Layer Protection • Client Side Injection • Poor Authorization and Authentication • Improper Session Handling • Security Decisions Via Untrusted Inputs • Side Channel Data Leakage • Broken Cryptography • Sensitive Information Disclosure
  53. 53. Decompiling Android Applications
  54. 54. Decompiling android application • Using Apktool - • Using Dex2Jar - • Using aapt (Bundled with Android SDK)
  55. 55. Use Apktool to convert the XML to readable format Android manifest file: APK Tool
  56. 56. DEMO
  57. 57. Use dex2jar to convert classes.dex file in the extracted folder to .class files Use JAD to convert the class files into JAVA files Dex2Jar and JAD
  58. 58. DEMO
  59. 59. Aapt • Android Asset Packaging Tool • Allows you to view , create and update Zip-compatible archives View components in an apk:
  60. 60. DEMO
  61. 61. Looking in to Code
  62. 62. Static Code Analysis • Introduce in Mac OS X v10.6, XCode 3.2, Clang analyzer merged into XCode. • Memory leakage warning • Run from Build->Analyze • Innovative shows you complete flow of object start to end • Configure as a automatic analysis during build process
  63. 63. Static Code Analysis Potential Memory Leak
  64. 64. Static Code Analysis Dead store – variable never used
  65. 65. Static Code Analysis Uninitialized Variable
  66. 66. Static Code Analysis Type Size Mismatch
  67. 67. Static Code Analysis Object used after release
  68. 68. Code Analysis with AppCodeScan • Semi automated tool • Ability to expand with custom rules • Simple tracing utility to verify and track vulnerabilities • Simple HTML reporting which can be converted to PDF
  69. 69. AppCodeScan • Sophisticated tool consist of two components • Code Scanning • Code Tracer • Allows you to trace back the variable • AppCodeScan is not complete automated static code analyzer. • It only relies on regex and lets you find SOURCE of the SINK
  70. 70. DEMO
  71. 71. ScanDroid • Ruby script to scan through source code (Pattern matching) for APIs • Also takes care about reverse engineering application • Make list of permissions • No code trace • No reporting
  72. 72. Rules in AppCodeScan • Writing rules is very straight forward • In an XML file which is loaded at run time • This release has rules for iOS and Android for - Local Storage, Unsafe APIs, SQL Injection, Network Connection, SSL Certificate Handling, Client Side Exploitation, URL Handlers, Logging, Credential Management and Accessing PII.
  73. 73. Sample Rules - Android
  74. 74. Android DEMO
  75. 75. Sample Rules - iOS
  76. 76. iOS DEMO
  77. 77. Debuggable flag in Android • One of the key attribute in android manifest file • Under “application” section • Describes debugging in enabled • If “Debuggable”attribute is set o true, the application will try to connect to a local unix socket “@jdwp-control” • Using JDWP, It is possible to gain full access to the Java process and execute arbitrary code in the context of the debugable application
  78. 78. CheckDebuggable Script • Checks in APK whether debuggable is enabled • Script can be found at – s.html • Paper can be found at - gable.pdf
  79. 79. DEMO
  80. 80. Conclusion – Questions?