3. @NTXISSA #NTXISSACSC3
Bio
•Sr. Vulnerability Manager at Kimberly Clark.
•Built and manages KCC's first vulnerability management program.
•Previously I worked at Yahoo!, where I built and led global e-Crime investigations and incident response teams. I received Yahoo! Hackovation and Yahoo! Excellence awards for my innovative work in successful operations against fake customer care centers.
•Adjunct faculty at Texas A&M University, teaching computer science courses.
•Completed a Master of Science in Computer Science and hold degrees in Mathematics and Electronics Engineering. Currently working towards an MBA at UT Dallas.
5. Mobile Industry In Numbers
• Google Play has 1.6 million applications, and the Apple App Store has 1.5 million applications.
• There have been 102 billion mobile app downloads worldwide, and 9 billion of them are paid apps.
• This generated 26 billion U.S. dollars.
NTX ISSA Cyber Security Conference – October 2-3, 2015 5
6. Security Problems
•Companies desperately want a mobile presence, and ask their IT departments or hire third parties to create mobile applications for their products, services and web sites.
• Companies would like to get their apps out as soon as possible, just as in the 90s they wanted websites without checking their security.
7. Mobile Security in Numbers
•The number of pieces of software aimed at mobile devices has reportedly risen from about 14,000 to 40,000, roughly 185%, in less than a year.
[Chart: iOS vulnerabilities per year, 2007-2015]
[Chart: Android vulnerabilities per year, 2009-2015]
8. Mobile vs Traditional OS Vulnerability Type
[Chart: iOS vulnerabilities by type]
[Chart: Windows 7 vulnerabilities by type]
10. The Challenges For Incident Responders
•Vulnerability X works only on Android version Y, on Samsung model Z hardware.
•This could mean security teams need to buy all of that hardware.
•Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents as traditional web security incidents.
•This causes longer hours of work and potentially doesn't help the company fix the issue.
11. Mobile vs PC Security
Area                      | Mobile                                          | PC
DFIR                      | Lots of things to figure out; tools are not     | Well established
                          | capable                                         |
Vulnerability Management  | Harder: old vulnerabilities require new testing | Good tools for testing
                          | mechanisms; device management is distributed;   | vulnerabilities; good patch
                          | no custom image                                 | management tools, processes,
                          |                                                 | methodologies
Network Intrusion         | Harder (LTE, 4G, 3G)                            | Established
e-Crime                   | Apps store lots of sensitive info, including    | Similar to mobile
                          | birth date, banking credentials, etc.; credit   |
                          | card numbers are also stored                    |
Physical Security         | Easy to steal                                   | Established
13. Mobile Vulnerability Triage
Android
•Potential Solutions
1) Cloud solutions
-Testroid
-For pentesting APK files
2) VM
-Not flexible
-Networking issues when dumping traffic (you need a VPN, because some corporate networks do not allow bridged mode)
14. Mobile Vulnerability Triage
3) Android SDK
•No need to build custom images or buy devices: the SDK supplies system images per API level and device profile
•Very flexible
•A full emulator that runs a real firmware (system) image. Apart from hardware-specific vulnerabilities, we can reproduce any vulnerability in our code
15. Creating Emulator and Virtual Devices
• AVD Manager
• The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.
• You can launch the AVD Manager in one of the following ways:
• In Eclipse: select Window > Android Virtual Device Manager, or click the AVD Manager icon in the toolbar.
• In Android Studio: select Tools > Android > AVD Manager, or click the AVD Manager icon in the toolbar.
• In other IDEs: navigate to your SDK's tools/ directory and execute android avd. (Later SDK Tools releases replaced the android command with avdmanager under cmdline-tools/bin.)
• Emulator
The Android SDK includes a mobile device emulator, a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device; for triage that means you can pick the exact API level that vulnerable version Y corresponds to.
19. Networking Scheme
10.0.2.1                          Router/gateway address
10.0.2.2                          Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine)
10.0.2.3                          First DNS server
10.0.2.4 / 10.0.2.5 / 10.0.2.6    Optional second, third and fourth DNS server (if any)
10.0.2.15                         The emulated device's own network/ethernet interface
127.0.0.1                         The emulated device's own loopback interface
Consequence for triage: anything listening on the host (a Burp proxy, a fake server) must be addressed from inside the emulator as 10.0.2.2, because 127.0.0.1 there is the emulated device itself.
20. Sniffing Traffic
• Sniff Traffic
1st way: have the emulator write a capture file from startup
• $ emulator -tcpdump pcapFile.pcap -avd myAvd
• Hint: the other emulator command-line options are documented at
http://developer.android.com/tools/devices/emulator.html
2nd way: use the emulator console (port 5554 for the first emulator instance; its adb port is 5555)
• $ telnet localhost 5554
• then, at the console prompt (these are console commands, not shell commands):
• network capture start pcapFile.pcap
• network capture stop
• Hint: the console commands are documented on the same page:
• http://developer.android.com/tools/devices/emulator.html
• Caveat: emulator releases after this talk require you to authenticate the console first with auth <token>, where the token is stored in ~/.emulator_console_auth_token on the host.
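Automating the second way, as an added example that is not part of the original deck: a small Go client for the emulator console. It relies only on the console protocol as publicly documented (every reply ends with a line reading OK or KO: <reason>) plus the later auth <token> step, whose token newer emulators write to ~/.emulator_console_auth_token. The console port, the pcap path and the 30-second capture window are arguments and assumptions, not values from the slides.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// ReadReply reads one console reply: payload lines followed by a status line
// that is either "OK" or "KO: <reason>". Running out of input before the
// status line is an error, so a truncated read never looks like success.
func ReadReply(r *bufio.Reader) ([]string, string, error) {
	var lines []string
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return lines, "", fmt.Errorf("reply ended without OK/KO: %w", err)
		}
		l := strings.TrimRight(line, "\r\n")
		if l == "OK" || strings.HasPrefix(l, "KO") {
			return lines, l, nil
		}
		if l != "" {
			lines = append(lines, l)
		}
	}
}

// Console is one connection to the emulator console.
type Console struct {
	conn net.Conn
	r    *bufio.Reader
}

// Cmd sends one command and turns a KO status into an error.
func (c *Console) Cmd(cmd string) ([]string, error) {
	if _, err := fmt.Fprintf(c.conn, "%s\r\n", cmd); err != nil {
		return nil, err
	}
	lines, status, err := ReadReply(c.r)
	if err == nil && status != "OK" {
		err = fmt.Errorf("%q rejected: %s", cmd, status)
	}
	return lines, err
}

// authToken returns the token that newer emulators write to the home
// directory, or "" for older emulators that have no auth step.
func authToken() string {
	home, _ := os.UserHomeDir()
	b, err := os.ReadFile(filepath.Join(home, ".emulator_console_auth_token"))
	if err != nil {
		return ""
	}
	return strings.TrimSpace(string(b))
}

// Capture records the emulator's traffic into pcap (a path on the host,
// since the emulator process writes it) for the duration d.
func Capture(port int, pcap string, d time.Duration) error {
	conn, err := net.DialTimeout("tcp", "127.0.0.1:"+strconv.Itoa(port), 5*time.Second)
	if err != nil {
		return err
	}
	defer conn.Close()
	c := &Console{conn: conn, r: bufio.NewReader(conn)}
	if _, _, err := ReadReply(c.r); err != nil { // banner, which also ends in OK
		return err
	}
	cmds := []string{"network capture start " + pcap}
	if tok := authToken(); tok != "" {
		cmds = append([]string{"auth " + tok}, cmds...)
	}
	for _, cmd := range cmds {
		if _, err := c.Cmd(cmd); err != nil {
			return err
		}
	}
	time.Sleep(d) // exercise the app under test meanwhile
	_, err = c.Cmd("network capture stop")
	return err
}

func main() { // usage: emucap <console-port> </abs/path/to/file.pcap>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: emucap <console-port> <pcap-path>")
		os.Exit(2)
	}
	port, _ := strconv.Atoi(os.Args[1])
	if err := Capture(port, os.Args[2], 30*time.Second); err != nil {
		fmt.Fprintln(os.Stderr, "capture failed:", err)
		os.Exit(1)
	}
}
```

Run it as go run emucap.go 5554 /tmp/app.pcap, drive the app in the emulator while it waits, then open the file in Wireshark. Talking to the console port (5554) rather than the adb port (5555) is what makes the capture commands available, and failing on a missing status line matters because a console that closed the connection after a bad token would otherwise look like a successful capture.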
21. Sniffing Traffic iOS Devices
• Connect the iOS device to your Mac.
• Find the iOS device's UDID:
•Open iTunes
•Select your device and find the Serial Number field
•Click it and it switches to showing the UDID
• In a terminal, type ifconfig -l and note the interfaces you already have
• Type rvictl -s UDID to create the Remote Virtual Interface for the device:
• rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
• Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
• [SUCCEEDED]
• Type ifconfig -l again; you will see a new interface, i.e. rvi0
• Use Wireshark or tcpdump to dump the traffic on that interface:
• sudo tcpdump -i rvi0 -w dump.dump
• When finished, rvictl -x UDID removes the interface again.
22. Validating SSL Vulnerabilities
•Download Burp Suite and configure it like this:
•Click the Proxy tab, then the Intercept tab. Make sure intercept is off.
•Go to the Options tab (still under Proxy). Under Proxy Listeners, add a listener bound to your network interface (by default it listens only on localhost).
•Point the device at that listener: on a physical device set the Wi-Fi proxy to your machine's address and port; for the emulator, start it with emulator -avd myAvd -http-proxy http://10.0.2.2:8080, where 10.0.2.2 is the host loopback alias from the networking scheme.
23. Malicious Certificate
• By default Burp Suite acts as a man in the middle for HTTPS connections. That means it sends its own certificate (signed by its generated PortSwigger CA) to your mobile device and deals with the original HTTPS site by itself. Look below:
•
• iPhone --(TLS, encrypted with Burp's CA cert)--> Burp Suite --(TLS, encrypted with the banking site's CA cert)--> Banking site
• This means your app should recognize that this is not a valid certificate for the site it originally requested (i.e. the banking site) and drop the connection. At a minimum you should receive a warning from the app, but ideally you see no traffic at all. Many apps will just fail silently or complain of connection issues, which isn't ideal, but is not "insecure" per se.
• If you see any traffic in Burp Suite, your app has a validation problem: it accepted a certificate that chains to a CA the device does not trust. (Do not install Burp's CA on the device for this test; the app refusing that CA is exactly what you are checking.)
24. Second vulnerability: Hostname Mismatch
• Is the certificate's hostname verified by your application?
•For this you will need to acquire a valid certificate, from a CA that is trusted by your device, for a domain you control. Comodo is a good source for a free 90-day certificate.
•Install the valid certificate (with its private key) in your Burp proxy listener and configure it to offer this cert, rather than the default per-host generated one.
• You can confirm step two is working by going to the native browser on the device and opening an HTTPS site. You should receive a certificate hostname warning, and when you view the certificate details you should see that the cert you received is the one you installed in Burp Suite, not one issued by the PortSwigger CA.
• Now run the app again. The chain of trust is valid this time, so if the app talks to Burp without complaint, it only checks that the certificate comes from a trusted CA and never compares the certificate's name with the host it asked for.
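To make the two failure modes on slides 23 and 24 concrete, here is an added example in Go (not code from the deck, from Burp, or from any app under test) that generates throwaway certificates and runs the same verification a correct TLS client performs: chain the leaf to a trusted root, then match the requested hostname. Trusted Root CA, PortSwigger CA, bank.example and tester.example are made-up names; in the real test the device's trust store plays the role of the trusted pool and Burp presents the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and returns tmpl signed by signer, or self-signed when signer is nil.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func template(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewCA returns a self-signed root: a root in the device's trust store, or the CA Burp generates for itself.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := template(name)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return issue(t, nil, nil)
}

// Issue returns a server certificate valid only for dnsName, signed by the given CA.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	t := template(dnsName)
	t.DNSNames = []string{dnsName}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	cert, _ := issue(t, caCert, caKey)
	return cert
}

// Verdict is what a client concludes about the certificate it was handed.
type Verdict string

const (
	Accepted     Verdict = "accepted"
	UntrustedCA  Verdict = "untrusted CA"      // chain does not reach a trusted root (slide 23)
	HostMismatch Verdict = "hostname mismatch" // trusted chain, but issued for another name (slide 24)
)

// Verify does both checks a correct client must do: chain to a trusted root AND
// match the requested hostname. host == "" models an app that skips the name check.
func Verify(leaf *x509.Certificate, trusted *x509.CertPool, host string) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return Accepted
	case errors.As(err, &unknown):
		return UntrustedCA
	case errors.As(err, &hostErr):
		return HostMismatch
	}
	return Verdict("rejected: " + err.Error())
}

func Scenarios() map[string]Verdict {
	rootCert, rootKey := NewCA("Trusted Root CA") // installed on the device
	burpCert, burpKey := NewCA("PortSwigger CA")  // Burp's generated CA, not installed
	trusted := x509.NewCertPool()
	trusted.AddCert(rootCert)
	return map[string]Verdict{
		"genuine":             Verify(Issue(rootCert, rootKey, "bank.example"), trusted, "bank.example"),
		"burp-default-ca":     Verify(Issue(burpCert, burpKey, "bank.example"), trusted, "bank.example"),
		"valid-ca-wrong-host": Verify(Issue(rootCert, rootKey, "tester.example"), trusted, "bank.example"),
		"no-hostname-check":   Verify(Issue(rootCert, rootKey, "tester.example"), trusted, ""),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-20s %s\n", name, v)
	}
}
```

The first scenario is the genuine site. The second is Burp's default behaviour from slide 23: the leaf chains to a CA the device does not trust, so a correct client rejects it before it ever looks at the name. The third is slide 24: a certificate a trusted CA really issued, but for the tester's domain, so only the hostname comparison can catch it. The fourth is the app that does the chain check but never compares the name: it accepts that same certificate, which is exactly what seeing traffic in Burp during the slide 24 test means.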
27. Conclusion
•The mobile industry is a fast-growing 26 billion dollar industry.
•Companies are rushing out their mobile solutions without proper security reviews.
•This makes mobile apps attractive to hackers.
•Most of the time incident responders don't have a good process for triaging these vulnerabilities, or don't know the difference between PC and mobile vulnerabilities.
•Using free tools, an incident responder can triage mobile vulnerabilities.
•We need to think creatively!
29. Thank you
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)