Mobile security chess board - attacks & defense

Mobile
Security
chess
board
-‐

A4acks
&
Defense

Who Am I?
•  Hemil
Shah
–
hemil@blueinfy.net

•  Co-‐CEO
&
Director,
Blueinfy
Solu>ons

•  Past
experience

–  eSphere
Security,
HBO,
KPMG,
IL&FS,
Net
Square

•  Interest

–  ApplicaIon
security
research

•  Published
research

–  ArIcles
/
Papers
–
Packstroem,
etc.

–  Web
Tools
–
wsScanner,
scanweb2.0,
AppMap,
AppCodeScan,
AppPrint
etc.

–  Mobile
Tools
–
FSDroid,
iAppliScan,
DumpDroid

hemil@blueinfy.com

h4p://www.blueinfy.com

Blog
–
h4p://blog.blueinfy.com/

About
• Global
experience
worked

clients
based
in
USA,
UAE,

Europe
and
Asia-‐pac.

• Clients/Partners
include

Fortune
100
companies.

• Delivery
model
and
support

• Blackbox
and
Whitebox
–

Scanners
and
Code
Analyzers

• Scanning
tools
and
technology

(15
years)

• Strong
and
tested
with

Fortune
clients

• Integrated
in
SDLC

• Help
client
in
miIgaIng
or

lowering
down
the
Risk
by

improving
process

• In
house
R&D
team
for
last
7

years

• Papers
and
PresentaIons
at

conference
like
RSA,
Blackhat,

HITB,
OWASP
etc.

• Books
wri4en
and
used
as

security
guides

Know-‐How

Methods
&

Approach

Global

Delivery
&

Team

Technology

Ø BBC

Ø Dark
Readings

Ø Bank
Technology

Ø SecurityWeek

Ø MIT
Technology
Review

ApplicaIon
Security

Mobile
Top
10
-‐
OWASP

•  Weak
Server
Side
Controls

•  Insecure
Data
Storage

•  Insuﬃcient
Transport
Layer
ProtecIon

•  Unintended
Data
Leakage

•  Poor
AuthorizaIon
and
AuthenIcaIon

•  Broken
Cryptography

•  Client
Side
InjecIon

•  Security
Decisions
Via
Untrusted
Inputs

•  Improper
Session
Handling

•  Lack
of
Binary
ProtecIons

Contributor : Nvisium Security, HP Fortify, Andreas
Athanasoulias & Syntax IT, eSphere Security, Godfrey
Nolan and RIIS (Research Into Internet Systems), Arxan
Technologies
Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions

Enterprise
Mobile
Cases

E-‐commerce

•  Typical
applicaIon
making
server
side
calls

•  Security
issues
and
hacks

–  Credit
card
and
Private
data
storage
with
poor
crypto

–  SQLite
hacks

–  SQL
injecIon
over
JSON

–  Ajax
driven
XSS

–  Several
XSS
with
Blog
component

–  Several
informaIon
leaks
through
JSON
fuzzing

•  Server
side
scan
with
tools/products
failed

Banking
ApplicaIon

•  Scanning
applicaIon
for
vulnerabiliIes

•  Typical
banking
running
with
middleware

•  VulnerabiliIes
–
Mobile
interface

–  Poor
encoding
to
store
SSN
and
PII
informa>on

locally

–  Very
sensi>ve
transac>on
informa>on
stored

locally

–  Default
OS
Behavior
leaking
informa>on

–  CredenIals
submi4ed
in
GET
request

–  Keys/session
stored
in
keychain
ﬁle

Social
ApplicaIon

•  Social
ApplicaIon
on
mulIple
plagorms

–  ApplicaIon
leverages
browser
component
as
part

of
the
mobile

–  Common
code
base
for
all
plagorms

–  Vulnerable

• Bypass
Proﬁle
validaIon
(Logical)
and
unique
device

installaIon

• Screenshot
revealing
sensi>ve
informa>on

• Default
OS
Behavior
leaking
informa>on

• PresentaIon
layer
(XSS
and
CSRF)

• Unencrypted
Communica>on
channel

Postmortem

•  One
pa4ern
in
all
the
reviews
-‐
SOME

INFORMATION
WAS
STORED
LOCALLY

•  More
than
99%
of
the
applicaIon
review
has

the
LOCAL
STORAGE
issue
as
we
saw
in
stats.

•  Server
side
and
logical
issues
are
sIll
hard
to

ﬁnd
but
have
biggest
impact.

Mobile
Threats
and
Risk

A4acks
on
Mobile

•  No JailBreak Required
•  Ease of attack -
Airports/Public places

Why
should
I
worry?

•  We
have
MDM
in
place

•  We
do
not
allow
any
JailBreak
or
rooted

device
in
our
environment
with
MDM

•  We
have
strict
policy
enforced
and
all
our

devices
are
forced
to
have
password
lock

•  May
or
may
not
have
BYOD

•  OS
provides
encrypIon

Mobile
A4acks

•  So
What
a4acks
are
we
talking
about?

•  Privacy
becomes
important
along
with
the

Security
in
mobile
space

•  It
is
MOBILE
so
chances
of
loosing
device
or

someone
gemng
physical
access
to
it
is
MUCH

MUCH
higher
than
the
other
devices

ExploitaIon

•  Physical
Then

•  Temporary
physical
access

•  Malware

•  Malicious
ApplicaIons

•  Lack
of
standardize
security
review
process

•  JailBreak/Rooted
devices

What
can
be
done???

•  InformaIon
found
in
local
storage
with

default
OS
behavior
–

•  Changing
OS
behavior
-‐

•  Server
side
exploitaIon
–

•  XSS
in
Mobile
Hybrid
applicaIon
–

Mobile
Infrastructure

www mail
intranet
router
DMZ
Internet
VPN
Dial-up
Other
Office
s
Exchange
firewall
Database
RAS

Mobile
App
Environment

Web
Server
Static pages only
(HTML,HTM, etc.)Web
Client
Scripted
Web
Engine
Dynamic pages
(ASP,DHTML, PHP,
CGI, etc.)
ASP.NET on
.Net Framework,
J2EE App Server,
Web Services,
etc.
Application
Servers
And
Integrated
Framework
Internet DMZ Trusted
W
E
B
S
E
R
V
I
C
E
S
Mobile
SOAP/JSON etc.
DB
X
Internal/Corporate

Mobile
Architecture

Presentation Layer
Business Layer
Data Access Layer
Authentication
Communication etc.
Runtime, Platform, Operating System Components
Server side
Components
Client side
Components
(Browser)
• HTML 5
• DOM
• XHR
• WebSocket
• Storage
• WebSQL
• Flash
• Flex
• AMF
• Silverlight • WCF
• XAML
• NET
• Storage
• JS
• Android
• iPhone/Pad
• Other
Mobile

Game
is
complex
–
Chess

Challenges

•  Diﬀerent
code
base

•  Achieve
things
with
single
click

•  Vendor
review
process
-‐
Not
transparent
–

Can
we
rely
on
it???

•  Decrease
transacIon
Ime

•  CompeIIon

•  Rapid
business
requirement
results
in
high

frequency
of
updates

Frequency
of
updates

•  Very
High
compare
to
Web
ApplicaIons

•  Usually,
4-‐5
updates
in
a
year
for
web

applicaIons
or
even
less
at
Imes

•  Usually,
10-‐12
updates
in
mobile
applicaIons

or
even
more
in
some
cases

•  We
all
have
accepted
that
applicaIon
needs

to
be
reviewed
before
going
to
producIon
–

DID
WE???

Frequency
of
Updates

Application Name

Number of
Releases in
iOS

Number of
Releases in
Android

Facebook
19
34

Twitter
22
25

Chase Bank
9
2

eBay
9
4

Amazon
10
3

Temple Run 2
12
10

FB Messenger
12
10

Whatsapp
4
154

skype
8
6

Top
5
vulnerability

•  From
the
stats
of
eSphere
data
-‐

0 10 20 30 40 50 60 70 80 90 100
Local Storage
Sensitive Information stored in Logs/
Default OS Behaviour
Copy/Paste enabled in sensitive fields -
Privacy issue
Cross Site Scripting
SQL Injection over JSON or other
streams

Weak
Server
Side
Controls

Server
Side
Issues

•  Most
ApplicaIon
makes
server
side
calls
to

either
web
services
or
some
other

component.
Security
of
server
side

component
is
equally
important
as
client
side

•  Controls
to
be
tested
on
the
server
side
–

Security
Control
Categories
for
Server
Side

ApplicaIon–
AuthenIcaIon,
Access
Controls/
AuthorizaIon,
API
misuse,
Path
traversal,

SensiIve
informaIon
leakage,

Server
Side
Issues

•  Error
handling,
Session
management,

Protocol
abuse,
Input
validaIons,
XSS,
CSRF,

Logic
bypass,
Insecure
crypto,
DoS,
Malicious

Code
InjecIon,
SQL
injecIon,
XPATH
and

LDAP
injecIons,
OS
command
injecIon,

Parameter
manipulaIons,
BruteForce,
Buﬀer

Overﬂow,
HTTP
response
splimng,
HTTP

replay,
XML
injecIon,
CanonicalizaIon,

Logging
and
audiIng.

Insecure
Storage

•  How
a4acker
can
gain
access

•  Wiﬁ

•  Default
password
aner
jail
breaking
(alpine)

•  Adb
over
wiﬁ

•  Physical
Then

•  Temporary
access
to
device

What

•  What
informaIon

–  AuthenIcaIon
CredenIals

–  AuthorizaIon
tokens

–  Financial
Statements

–  Credit
card
numbers

–  Owner’s
InformaIon
–
Physical
Address,
Name,

Phone
number

–  Social
Engineering
Sites
proﬁle/habbits

–  SQL
Queries

Insuﬃcient
Transport
Layer

ProtecIon

Insecure
Network
Channel

•  Easy
to
perform
MiM
a4acks
as
Mobile

devices
uses
untrusted
network
i.e
open/
Public
WiFi,
HotSpot,
Carrier’s
Network

•  ApplicaIon
deals
with
sensiIve
data
i.e.

•  AuthenIcaIon
credenIals

•  AuthorizaIon
token

•  PII
InformaIon
(Privacy
ViolaIon)
(Owner
Name,

Phone
number,
UDID)

Insecure
Network
Channel

•  Can
sniff
the
traffic
to
get
an
access
to

sensiIve
data

•  SSL
is
the
best
way
to
secure
communicaIon

channel

•  Common
Issues

•  Does
not
deprecate
HTTP
requests

•  Allowing
invalid
cerIficates

•  SensiIve
informaIon
in
GET
requests

Unintended
Data
Leakage

Unintended
Data
Leakage

•  Plagorm
issues
–
sandboxing
or
disable

controls

•  Cache

•  Logs,
Keystrokes,
screenshots
etc.

•  Temp
ﬁles

•  3rd
Party
libs
(AD
networks
and
analyIcs)

Data
Leakage

•  Default
OS
behavior
aner
iOS
4.0
to
cache
all

the
URLS
(Request/Response)
in
the
local

storage
in
file
named
cache.db
file

•  Cache.db
file
is
not
encrypted

•  By
default,
applicaIon
takes
last
screenshot

and
saves
it
in
to
file
system
when
user

presses
home
bu4on

Poor
AuthorizaIon
and

AuthenIcaIon

AuthorizaIon
&
AuthenIcaIon

•  No
password
complexity
specially
on
mobile

•  Hidden/No
Logout
bu4on

•  Long
session
Ime
out

•  No
account
lock
out

•  AuthorizaIon
ﬂags
or
based
on
the
local

storage

Cryptography

•  Broken
implementaIon

•  Hash/Encoding
used
in
place
of
encrypIon

•  Client
side
script
in
place
of
SSL

SQL
InjecIon
in
Local
database

•  Most
Mobile
plagorms
uses
SQLite
as

database
to
store
informaIon
on
the
device

•  Using
any
SQLite
Database
Browser,
it
is

possible
to
access
database
logs
which
has

queries
and
other
sensiIve
database

informaIon

•  In
case
applicaIon
is
not
ﬁltering
input,
SQL

InjecIon
on
local
database
is
possible

Security
Decisions
Via
Untrusted

Inputs

Untrusted
Source

•  Any
input
from
client
side
which
can
be

modiﬁed

•  Mainly
authenIcaIon
and
authorizaIon

decisions
based
on
the
untrusted
input

•  Easiest
way
for
developer
to
solve
complex

issues/funcIonality

•  A4acker
can
get
this
informaIon
by
either

reverse
engineering
applicaIon
or
by

checking
local
storage

KeyChain
Dumper

•  Easy
as
running
a
command

•  Upload
on
to
server
in
/var
directory

•  Give
execute
permission

•  Chmod
+x
/var/keychain_dumper

•  Get
all
the
keys

•  ./keychain_dumper

Improper
Session
Handling

Improper
Session

•  Session
is
key
for
any
applicaIon
for

authorizaIon

•  Session
is
stored
in
binary
format
but
can
be

easily
reversible

•  ApplicaIon
is
sending
sensiIve
informaIon

in
GET
request
(Be
it
on
HTTP
or
HTTPS)

Lack
of
Binary
protecIon

Lack
of
Binary
ProtecIon

•  Apple
signs
and
encrypts
all
the
binaries

•  SIll
strings
can
be
retrieved
from
the
binary

•  Storing
EncrypIon
and
DecrypIon
keys
in

the
client
side
is
sIll
a
problem

AutomaIon
in
ApplicaIon

Reviews

Manual
Review

•  Looking
for
informaIon
in
local
storage

manually
is
really
–

–  Time
Consuming

–  Tedious

–  Prone
to
be
false
negaIves
(how
accurately
you

can
check
files
more
than
once
in
an
hour
and
file

formats
are
different)

Manual
Review
-‐
iOS

What
do
we
need

•  AutomaIon!!!

•  AutomaIon!!!

•  AutomaIon!!!

•  AutomaIon!!!

•  AutomaIon!!!

•  Unfortunately
no
complete
automaIon
is

available
today
BUT
some
of
the
tools
which

can
be
handy
are
-‐

Snoop-‐it

•  The
only
tool
today
to
automate
iOS

applicaIon
reviews

•  Very
handy
and
gives
perfect
pointer
where

to
look
for

•  A
long
way
to
go
for
automaIon
like
web

Snoop-‐it
(Cont…)

•  Snoop-‐it
helps
you
monitor
–

–  File
system
access

–  Keychain
access

–  HTTP(S)
connecIons

–  Access
to
sensiIve
API

–  Debug
outputs

–  Tracing
App
internals

Snoop-‐it
(Cont…)

•  Along
with
Monitoring,
snoop-‐it
allows
to
-‐

–  Fake
hardware
idenIﬁer

–  Fake
locaIon/GPS
data

–  Explore
and
force
display
of

available
ViewController

–  List
custom
URL
schemes

–  List
available
ObjecIve-‐C
classes,
objects
and

methods

–  Bypass
basic
jailbreak
detecIon
mechanisms

iAppliScan

•  iAppliScan
allows
you
to
automate
iOS

applicaIon
review.

•  InteresIng
features
–

– 
Look
for
sensiIve
informaIon
in
files/directories

–  Find
whether
parIcular
file
exist
or
not

–  Download
file
for
further
analysis

–  Run
external
command

Review
without
JailBreak

Reviewing
without
jailbreaking

•  Is
it
really
possible
to
review
applicaIon
with

out
jailbreaking
?

•  “YES”

•  “YES”

•  “YES”

•  “YES”

Reviewing
without
jailbreaking

•  Plenty
of
tools
available
(Specially
for

Forensic)
to
brows
the
applicaIon
directory

without
jailbreaking.

•  iFunBox
allows
to
view
ﬁles
on
the
device

without
jailbreak

•  Displays
applicaIon’s
permissions

•  Browse
the
installed
applicaIon
directory

Reviewing
without
jailbreaking

•  Copy

the
enIre
applicaIon
directory
mulIple

Imes

•  Look
for
sensiIve
informaIon
in
the
ﬁles

•  Use
Proxy
on
non-‐jailbreak
device
to
check
all

server
side
a4acks.

Reviewing
with
iFunbox

Manual
Review
-‐
Android

FSDroid

•  Leverages
SDK
Class
–
No
hacks
in
here!!!

•  FSDroid
can
–

–  Monitor
ﬁle
system

–  Can
write
ﬁlter
to
monitor
parIcular
directory

–  Can
save
last
5
reports
for
future
use

–  Does
not
need
mobile
device
–
can
run
on

Emulator
smoothly

–  Easy
to
run
(As
easy
as
giving
directory
name
and

pressing
start
bu4on)

File
System
Monitoring
Demo

Static Code Analysis
•  Introduce in Mac OS X v10.6, XCode 3.2,
Clang analyzer merged into XCode.
•  Memory leakage warning
•  Run from Build->Analyze
•  Innovative shows you complete flow of
object start to end
•  Configure as a automatic analysis
during build process

StaIc
Code
Analysis

PotenIal
Memory
Leak

StaIc
Code
Analysis

Dead
store
–
variable
never
used

Code
Analysis
with
AppCodeScan

•  Semi
automated
tool

•  Ability
to
expand
with
custom
rules

•  Simple
tracing
uIlity
to
verify
and
track

vulnerabiliIes

•  Simple
HTML
reporIng
which
can
be

converted
to
PDF

AppCodeScan

•  SophisIcated
tool
consist
of
two
components

•  Code
Scanning

•  Code
Tracer

•  Allows
you
to
trace
back
the
variable

•  AppCodeScan
is
not
complete
automated

staIc
code
analyzer.

•  It
only
relies
on
regex
and
lets
you
ﬁnd

SOURCE
of
the
SINK

Rules
in
AppCodeScan

•  WriIng
rules
is
very
straight
forward

•  In
an
XML
ﬁle
which
is
loaded
at
run
Ime

•  This
release
has
rules
for
iOS
and
Android
for

-‐
Local
Storage,
Unsafe
APIs,
SQL
InjecIon,

Network
ConnecIon,
SSL
CerIﬁcate
Handling,

Client
Side
ExploitaIon,
URL
Handlers,

Logging,
CredenIal
Management
and

Accessing
PII.

Sample
Rules
-‐
Android

Sample
Rules
-‐
iOS

Debuggable
ﬂag
in
Android

•  One
of
the
key
a4ribute
in
android
manifest

ﬁle

•  Under
“applicaIon”
secIon

•  Describes
debugging
in
enabled

•  If
“Debuggable”a4ribute
is
set
o
true,
the

applicaIon
will
try
to
connect
to
a
local
unix

socket
“@jdwp-‐control”

•  Using
JDWP,
It
is
possible
to
gain
full
access
to

the
Java
process
and
execute
arbitrary
code
in

the
context
of
the
debugable
applicaIon

CheckDebuggable
Script

•  Checks
in
APK
whether
debuggable
is
enabled

•  Script
can
be
found
at
–
h4p://
www.espheresecurity.com/
resourcestools.html

•  Paper
can
be
found
at
-‐
h4p://
www.espheresecurity.com/
CheckDebuggable.pdf

Mobile security chess board - attacks & defense

Mobile security chess board - attacks & defense

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(14)

Similar to Mobile security chess board - attacks & defense

Similar to Mobile security chess board - attacks & defense(20)

More from Blueinfy Solutions

More from Blueinfy Solutions(10)

Recently uploaded

Recently uploaded(20)

Mobile security chess board - attacks & defense