Untitled 1


Published on

Published in: Technology
  • Be the first to comment

Untitled 1

  1. 1. Security Testing of Mobile Applications (Android - BlackBerry - iOS)
  2. 2. Introduction to Android Security & AppUse Mobile application threat model - What makes mobile application security so different? • The Android linux OS security • The Dalvik VM • The Android security mechanisms • Application file system isolation • The permission model • Least privilege model • Database isolation • The Android emulator VS. physical device • The AppUse VM ("Android Pen-test Platform Unified Standalone Environment") • The Android Debug Bridge (ADB) • The logcat interface
  3. 3. Traffic Analysis and Manipulation • Intro to server side attacks - SQL injection, XSS • Insecure remote Authentication - client id, IMEI, etc. • Insecure session management • authorization • Traffic interception • Using proxies and sniffers • Importing SSL certificates & trusted CA's • Sensitive information transmission • Bypassing server certificate validations • Exposing insecure traffic
  4. 4. Insecure data K11storage • Exploring deployed application files at the /data/data directory • The file system security model • Insecure file system permissions • Insecure storage of sensitive data in files • The SDcard • The SQLite Database storage • Using sqlite browser • Application shared preferences storage • Storage of sensitive data at the server side • Secrets in code • Insecure log exposure • Bad cryptography
  5. 5. Reverse engineering the application binaries • The APK file package • APK extraction - Investigating layout, manifest, permissions and binaries • Extracting the content of the classes.dex file • Using smali/baksmali Dalvik assembler/disassembler • Using jasmin/jasper JVM assembler/disassembler • Decompilation • Using dex2jar • Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc • Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access, geo-location, address book, client xss and html injection, etc. • Finding hard coded secrets in code • Using Android Lint • Code patching and modification • Recreating and resigning the modified APK
  6. 6. Android application components security • Major component types - Activity, Service, Content provider, Broadcast receiver • The Intent message • Components and the manifest file • Using manifest explorer • Component permissions and visibility • Activating components • Accessing restricted screens • Attacking content providers and client side sql injection • Direct component invocation by unauthorized apps
  7. 7. Analyzing Runtime Analysis • Monitoring process activity • Observing file access • Monitoring network connectivity • Debugging • Setting breakpoints • Memory dumping and analysis • Analyzing logs using logcat
  8. 8. Android Platform Security Architecture Android seeks to be the most secure and usable operating system for mobile platforms by re-purpo  Protect user data  Protect system resources (including the network)  Provide application isolation To achieve these objectives, Android provides these key security features:  Robust security at the OS level through the Linux kernel  Mandatory application sandbox for all applications  Secure interprocess communication  Application signing  Application-defined and user-granted permissions The sections below describe these and other security features of the Android platform. Figure 1 summarizes the security components and considera
  9. 9. New Android's Feature will Regularly Scan Your Apps Recently Google has officially announced to increase the security of Android users by adding a new feature to android which will regularly scan all the The new feature by Google would be a part of Verify Apps feature which is already protecting android users from harmful apps installed by third party The feature will scan for spywares , malwares , sending unauthorized messages and in-app installations for changes in app activity after it is installed
  10. 10. The first comprehensive guide to discovering and preventing attacks on the Android OS As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written b If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you w A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulne Covers Android application building blocks and security as well as debugging and auditing Android apps Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against a Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
  11. 11. IT Policy: -Primary policy for all protection mechanisms Access to Network/Resources/Settings Prohibited and Mandatory installations of apps Controlling third-party Java application permissions -Per-Handset + Global Policy stored on BES -Initial Policy is signed by master key at pairing Stored in NV RAM Future updates OTA must be signed by master key
  12. 12. Application Controls: - All applications run in the JVM - IT Policy controls how the applications interact -Developed with the user and company in mind Most restrictive overlap - I9 application control policy categories Cross Application Control -Hardware -Network domnains -PIM data/ applications -Inter-application communication -Browser -User Autherntication and Settings -Input Simulation -MDS
  13. 13. Code signing - Core BB applications must be RIM Signed - Class files verified for interface compliance - No user-defined class loaders -No Java Native Interface or user extensions -System classes cannot be overridden
  14. 14. Data Security -Java RMS offers various forms of crypto -Keys must be explicitly shared by apps -PIM protected by Blackberry Attachment Service Renders and decrypts data on the BES Sends rasterized information to display Avoids image exploits Manages PGP on BES
  15. 15. The iOS Security Model Apple has incorporated four layers of security in iOS to protect the user and their data. Device Security Techniques to prevent an unauthorized individual from using the device Data Security Techniques to protect the data stored on the device, even if the device is stolen Network Security Tools to encrypt data while it is in transit across a network Application Security Mechanisms to secure the operating system and isolate applications while they are running
  16. 16. Information gathering Observe application behavior Determine the application’s data states (at rest, in transit or on display) and sensitivity Identify access methods Identify what frameworks are in use Identify server side APIs that are in use Identify what protocols are in use Identify other applications or services with which the application interacts Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulo Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>. Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <a List the dynamic dependencies. Use otool –L <app name> Dump the load commands for the application. Use otool –l <app name> Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instanc Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. Determine the security features in place: Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, s
  17. 17. iPhone Analyzer allows you to forensically examine or recover data from in iOS device. It principally works by importing backups produced from iTunes or third party software, and providing you with a rich interface to explore, analyze and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the data. IPhone Analyzer is now free for Personal use
  18. 18. If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS app This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect yo  Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps  Learn how attackers infect apps with malware through code injection  Discover how attackers defeat iOS keychain and data-protection encryption  Use a debugger and custom code injection to manipulate the runtime Objective-C environment  Prevent attackers from hijacking SSL sessions and stealing traffic  Securely delete files and design your apps to prevent forensic data leakage  Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace
  19. 19. Top 10 Mobile Risks M1 : Weak Server Side Controls M2 : Insecure Data Storage M3 : Insufficient Transport Layer Protection M4 : Unintended Data Leakage M5 : Poor Authorization and Authentication M6 : Broken Cryptography M7 : Client Side Injection M8 : Security Decisions Via Untrusted Inputs M9 : Improper Session Handling M10: Lack of Binary Protections
  20. 20. What is the Heartbleed bug? It’s an OpenSSL vulnerability. OpenSSL is a security protocol that encrypts communications between your computer (or device) and a Web server. A Most websites, many operating systems, and many apps use OpenSSL. It’s everywhere, and one version of it has a critical bug that lets hackers exp Which operating systems are affected: iOS devices are safe. Windows Phone OS is likely safe. BlackBerry is “investigating.” Android is vulnerable if you have version 4.1.1, according to Google.
  21. 21. OWASP Mobile Security Project - MobiSec The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing m
  22. 22. Thank you!