FY13-14 MITRE Research

Research Team: Gregg Ganley (PI) and Gavin Black

Approved for Public Release: Case #13-2148
© 2013 The MITRE Corporation. All rights reserved.

Vulnerable Areas (diagram)

Native iOS application as deployed: App Signing; App Store; 4 Digit Passcode (User Auth, App Access).
System components: RAM and Debugger; Jailbreak / Root Access; Keychain and Flash Data Storage; SSH / Debugger; iOS Core Services; iOS; Internet; iPhone / iPad Hardware.
iMAS Secure Application Container (diagram)

iMAS controls wrapped around the native iOS application: Secure MDM Control; AppPassword; Passcode Check; Security-Check (jailbreak / debugger attach); Encrypted Core Data; AppIntegrity Check; AppSignature Check; Encrypted RAM / Disk; Memory Check; Secure Foundation (OpenSSL FIPS); Dynamic App Bundling; ECM (Encrypted Code Modules); Off Device Trust Check.
Surrounding environment: App Store (Malware); Enterprise App Store; SSH / Debugger; iOS Core Services; iOS; iPhone / iPad Hardware.
Outcome: Tolerable Security Risk. Open Source: github.com/project-imas
Developer Access: Apple Only
DoD CIO Report FY11
50% (12) iMAS Applicable
60% (6) iMAS Apply
Art of the Possible (chart)

Vertical axis: Security Controls. Horizontal axis: Mobile App Classification Level, from Consumer / Unclassified (Internet), through Enterprise / Sensitive (NIPRNET/MITRE), to Enterprise+ / Classified (SIPRNET/JWICS).
Plotted levels: iOS v4/5; iOS v6; iOS w/COTS App MDM Containers; iOS w/iMAS at the Sept 2013 level (iMAS, Sep 2013, open source; State of the Art, Sep 2013); iOS w/iMAS with or without COTS (iMAS, Sep 2014); Art of the Possible (2014+).
Caption: iMAS controls raise security levels, bringing it closer to the Art of the Possible.
Vulnerable Areas and iMAS controls (diagram; legend: Vulnerable Areas, iMAS, Future Research)

Run-time:
– Device Access: 4 Digit Passcode; RAM and Debugger; Jailbreak / Root Access
– App Access: None
– iMAS: Passcode Check; Security-Check (Jailbreak / debugger attach); Memory Security; AppPassword; Encrypted RAM / Disk
AppStore / Malware:
– App Tampering
– iMAS: Forced-inlining; AppIntegrity Check; Encrypted Code Modules (ECM)
Data At Rest:
– Keychain; CoreData
– iMAS: Encrypted Core Data
Data in Transit:
– Lightning Connector
– Secure Foundation (OpenSSL / FIPS)
– MDM Remote Control



Forced-inlining of security checks

– Mark each check with the always_inline attribute so the compiler inlines it at every call site, instead of deciding from its own heuristics or from -finline-limit:

static inline void debug_check(void) __attribute__((always_inline));

– With the check inlined there is no single debug_check function in the binary to locate and patch or skip; every call site carries its own copy.
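The following is an added example, not code from the MITRE slides or from the iMAS project, showing the forced-inline pattern above applied to a debugger-attach check in C. It assumes a Linux procfs where /proc/self/status carries a TracerPid field; on iOS the same check would read the P_TRACED flag through sysctl(2). The names parse_tracer_pid, sensitive_operation_a and sensitive_operation_b are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "TracerPid:" field from the text of /proc/<pid>/status.
 * Returns the tracer's pid (0 when no tracer is attached) or -1 when
 * the field is missing. Separated out so it can be tested on
 * constructed input without a live procfs. */
long parse_tracer_pid(const char *status_text)
{
    const char *field = strstr(status_text, "TracerPid:");
    if (field == NULL)
        return -1;
    return strtol(field + strlen("TracerPid:"), NULL, 10);
}

/* Forced-inline debugger check, declared the way the slide shows but with
 * 'static inline' added so GCC/Clang accept always_inline without warning.
 * always_inline overrides -finline-limit and the optimizer's heuristics
 * (it inlines even at -O0), so every caller gets its own copy of the body
 * and the binary carries no single debug_check symbol to locate and patch.
 * Returns 1 when a tracer is attached, 0 when none is, -1 when unknown
 * (no procfs on this platform; iOS would use sysctl(2) instead). */
static inline int debug_check(void) __attribute__((always_inline));
static inline int debug_check(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");   /* Linux procfs: assumption */
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tracer = parse_tracer_pid(buf);
    if (tracer < 0)
        return -1;
    return tracer > 0 ? 1 : 0;
}

/* Two unrelated sensitive operations; each carries its own inlined copy of
 * the check, so neutralising one call site leaves the other intact.
 * Both refuse to do their work (return -1) when a debugger is attached. */
int sensitive_operation_a(int x)
{
    if (debug_check() == 1)
        return -1;
    return x * 2;
}

int sensitive_operation_b(int x)
{
    if (debug_check() == 1)
        return -1;
    return x + 100;
}
```

To confirm the effect, build the file once with and once without the attribute and compare the symbol table (nm): with always_inline there is no debug_check symbol, and a disassembly of each sensitive operation shows the fopen/fread/strstr sequence repeated inline rather than a single call.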

iMAS components (diagram)

Passcode Check; AppPassword; Security-Check (Jailbreak / debugger attach); Encrypted Core Data; Secure Foundation (OpenSSL, OpenSSL FIPS); Forced-inlining; Memory Security; MDM Remote Control; AppIntegrity Check; Encrypted Code Modules (ECM); Secure MDM Remote Control; Encrypted RAM / Disk; Dynamic App Bundling; Off-device Trust Check.
iMAS Possibilities (MDM):
• Single sign on app
• Remote App lock
• Remote App password reset
• Remote Jailbreak reporting

MDM research diagram: iOS Device running the iMAS App; Apple Push Notification Servers; Open Source MDM Server.
0. Device Enrollment (Root Certificate, Enroll.mobileconfig)
3. JSON formatted commands and acknowledgements

Research tasks:
• Find limitations of MDM specification
• Understand and test low level command structure
• Ability to secure individual apps
• Provide scripts and guidance for initial setup
• Maintain and enhance open source MDM server





Components: AppPassword; Secure Foundation (OpenSSL / FIPS); Security-Check (Jailbreak / debugger attach); Memory Security.

iMAS - iOS Mobile Application Security
Github: https://project-imas.github.com

POC: MITRE, Bedford MA
Gregg Ganley, 781-271-2739, gganley@mitre.org
Gavin Black, 781-271-4771, gblack@mitre.org

Please!
• Share iMAS with SW Devs
• Visit and Discover
• Download and Experiment
• Feedback and push requests


FY12: MITRE Internal Research - MIP, mobile Patient Health Reader

Gregg Ganley Gavin Black











iMAS Secure Application Container (diagram)

Native iOS Application with App Signing and App Store distribution, wrapped by iMAS: Config Profile; Extended App level Passcode; Jailbreak Detect / Disable; RAM / Debugger lib / techniques; Encrypted App Files and keychain.
Environment: Internet; SSH / Debugger; iOS Core Services; iOS; iPhone / iPad Hardware; Open Source Community.

Outcome: Tolerable Security Risk

ECM (Encrypted Code Modules) diagram

Build: the ECM DynamicLib Builder takes the plaintext DynamicLib (.dylib) holding the Protected Functionality and produces the ciphertext DynamicLib, secured with the ECM App Key.
At install: the user enters the ECM App Key, which is stored encrypted with the user app password.
At rest: the iOS App holds the ECM DynamicLib in ciphertext alongside the ECM Decoder and iMAS Security; Critical Functionality Encrypted; Invulnerable to Decompiling.
In use: the user enters the app password, the ECM Decoder decrypts the DynamicLib, and the Critical Functionality is Unlocked.

Editor's Notes

1. http://en.wikipedia.org/wiki/Return-oriented_programming
   http://en.wikipedia.org/wiki/Return-to-libc_attack
   http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf
2. Maintain and enhance existing open source MDM server
   – Additional commands for managed applications
   – Scripts for autogenerating certificates and needed plist files
   – Updating server to handle multiple enrolled devices
   Understand and test low level command structure
   – JSON formatted commands directly communicated to server
   – Direct communication with server after initial Apple push request
   – Still need to test iOS 7 MDM improvements (Application specific configuration dictionaries)
   Find limitations of MDM
   – Messages sent to a device in standby or off are not received
   – Must continually send until receiving an acknowledgment
   – No application specific management, besides uninstall, until iOS 7
   Ability to secure individual applications
   – Managed application removal deletes entire sandbox for app
   – Monitoring application that provides additional security to iMAS enabled apps