
Leaky Mobile Apps: What You Need to Know


The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds of thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability, such as collecting or transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high-quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them.

Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.

Published in: Mobile

  1. Leaky mobile apps: What you need to know (July 19th, 2017)
  2. About Me • Jon Porter of House NowSecure - Mobile app security software company • Enthusiast of Mobile Security / Senior SE • BA Comp Sci / MS Info Sec • Solver of the Rubik’s Cube(s) • Drinker of 1000 beers (1229 to be exact)
  3. Agenda • The mobile security problem • The state of mobile app security • 3-part mobile exploit demo • What can we do about it?
  4. THE MOBILE SECURITY PROBLEM
  5. MOBILE DEVICES HAVE UNSEATED PCS Source: Benedict Evans
  6. SPENDING MORE TIME WITH MOBILE APPS THAN DESKTOPS Source: Comscore by way of Benedict Evans
  7. PRESSING MOBILE SECURITY ISSUES • Apps are vulnerable and leaking data • Lack of administrative access to devices • Complex ecosystem ◦ OEMs ◦ OS developers, carriers • Innovation outpaces security practices • Legacy security strategies are ineffective (“bolted on”) “Typical security defenses fail in mobile settings because they protect boundaries rather than the information itself, and mobile users do not respect traditional boundaries.” (Gartner)
  8. VULNERABILITIES IN ANDROID AND IOS Lifetime Android CVEs by type (130 in 2015); Lifetime iOS CVEs by type (375 in 2015) Source: CVE Details
  9. MOBILE DATA IS VALUABLE AND A MARKET FOR COMPROMISE EXISTS • Governments ◦ Legitimate need ◦ Legal framework ◦ Willingness to pay for it • Hacking Team weaponizes mobile security flaws for surveillance • Zerodium ◦ Sells zero-day exploits ◦ Offers $1 million for iOS jailbreaks • Malicious actors willing to pay ◦ Oppressive regimes ◦ Rogue states
  10. THE ULTIMATE SURVEILLANCE TOOL? Apps can: • Read precise location • Read phone logs • Read SMS • Record audio • Use camera • Start on boot • Connect to Internet
  11. THE STATE OF MOBILE APPLICATION SECURITY
  12. We tested 400K Apps
  13. 25% of mobile apps have at least one high risk security or privacy flaw Source - 2016 NowSecure Mobile Security Report
  14. HIGH RISK ISSUES EXIST WITHIN EACH APP CATEGORY Source - 2016 NowSecure Mobile Security Report • Gaming apps: 1.5x more likely to include a high risk vulnerability • Business apps: 3x more likely to leak login credentials • Social apps: 4x more likely to leak login credentials or email address
  15. HIGH RISK ISSUES IN APPS WITH MORE THAN 1M DOWNLOADS Source - 2016 NowSecure Mobile Security Report
  16. LEAKY APPS AND SOCIAL ENGINEERING Source - 2016 NowSecure Mobile Security Report • Information leaked can prove valuable to attackers • Reconnaissance for targeted social engineering schemes • E.g., credentials leaked by a productivity app ◦ Might grant an attacker access to a cache of sensitive information ◦ Usernames ◦ GPS location ◦ Unlock other sensitive information about a user
  17. EXAMPLES
  18. EXAMPLE: Remote Attack Surface • Vungle provides in-app video advertising • App library serves >200M ads each month • Remote code execution • Data about the device and the user from the app “Vungle products provide necessary infrastructure for app monetization through video ads. More than 200 million people worldwide see Vungle ads each month.”

  19. POPULAR APP USING VUNGLE
  20. EXAMPLE: Remote Attack Surface • SDK downloads a zip file over http without TLS or verification • Create a .dex file that contains code you want to execute • Add the .dex to the requested zip file, modify the network response and you can gain remote code execution “An integrated mobile advertising platform enabling advertiser to optimize ad efficiency and app developer to acquire the highest media benefit.”
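The flaw on slide 20 is an SDK that fetches a code archive over plain http and loads it without any verification. The following is an added illustration (not Adlibr's, Vungle's or NowSecure's code) of the defender-side checks that close that gap: require TLS, refuse archive members the SDK was never meant to receive, and compare the archive against a digest pinned inside the app rather than one delivered next to the download. The URLs, member names and archive contents are constructed for the example.

```python
"""Verify a downloaded archive before any of it reaches a class loader."""
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse

# Constructed allow-list: an ad SDK that only needs configuration and media
# has no reason to receive executable code from the network at all.
EXPECTED_MEMBERS = {"ads/config.json", "ads/banner.png"}
EXECUTABLE_SUFFIXES = (".dex", ".jar", ".so")


def build_archive(members):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_archive(url, blob, pinned_sha256, allowed=EXPECTED_MEMBERS):
    """Return (ok, reason); only an archive that returns ok may be loaded."""
    if urlparse(url).scheme != "https":
        return False, "archive not fetched over TLS"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    # Reject executable or unexpected members before trusting any digest, so
    # a bad pin (e.g. one obtained over the same untrusted channel) still
    # cannot smuggle code into the process.
    bad = sorted(n for n in names
                 if n.endswith(EXECUTABLE_SUFFIXES) or n not in allowed)
    if bad:
        return False, "unexpected members: " + ", ".join(bad)
    # Constant-time compare against the digest compiled into the app.
    if not hmac.compare_digest(sha256_hex(blob), pinned_sha256):
        return False, "archive digest does not match pinned value"
    return True, "ok"
```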
  21. ADLIBR SCALE
  22. POPULAR APP USING ADLIB • A network-based attacker can modify traffic to gain control of the device due to a flaw in Adlibr SDK • The attacker can access current app data, world accessible data and chain with an exploit to gain elevated permissions
  23. SAMPLE DATA LEAKED (HTTP) • Many ad networks send data in clear, including geolocation • ID derived from hardware can be tracked across time and locations • App pkg is identified, enabling attacker to find target imei=352584060111000 mac=f8:a9:c2:4f:f3:80 androidid=88c8584b54bd9c00 serial=062f2dfb344be87b conn=wifi country=US dm=Nexus+5 dv=Android4.4.2 lat=41.83720397949219 long=-87.9613037109375 mcc=310 mnc=410 mmdid=mmh_AC78B68BD2E528CC0FC78AFB342E58CF _9099A5181F956FCAFB4AC9946DF71CCACB322F59 root=0 pkid=com.ismaker.android.simsimi pknm=SimSimi plugged=true sdkversion=5.1.0-13.08.12.a ua=Dalvik%2F1.6.0+ %28Linux%3B+U%3B+Android+4.4.2%3B+Nexus+5+ Build%2FKOT49H%29
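Slide 23 shows an ad request carrying the IMEI, MAC, Android ID, serial, GPS position and app package over plain http. The following is an added illustration (not NowSecure's tooling) of the dynamic-analysis check behind that finding: scan captured request lines and report which high-risk fields left the device without TLS. The hosts, identifier values and log format are constructed for the example, modelled on the slide's query string.

```python
"""Flag device identifiers and location sent over cleartext HTTP."""
from urllib.parse import urlsplit, parse_qs

# Query keys the slide shows being leaked, grouped by the risk they carry.
HARDWARE_IDS = {"imei", "mac", "androidid", "serial"}  # trackable over time/place
LOCATION = {"lat", "long"}
APP_IDENTITY = {"pkid", "pknm"}  # tells an observer which app to target

# Constructed sample: "METHOD URL" per line, as a proxy or capture might log.
SAMPLE_LOG = """\
GET http://ads.example.invalid/req?imei=000000000000000&mac=00:11:22:33:44:55&androidid=0123456789abcdef&lat=41.8&long=-87.9&pkid=com.example.app&conn=wifi
GET https://api.example.invalid/v1/sync?androidid=0123456789abcdef&lat=41.8&long=-87.9
GET http://cdn.example.invalid/banner.png?dm=Nexus+5&sdkversion=5.1.0
"""


def classify(url):
    """Describe one request: scheme, host and which sensitive keys it carries."""
    parts = urlsplit(url)
    keys = set(parse_qs(parts.query).keys())
    return {
        "host": parts.hostname,
        "cleartext": parts.scheme == "http",
        "hardware_ids": sorted(keys & HARDWARE_IDS),
        "location": sorted(keys & LOCATION),
        "app": sorted(keys & APP_IDENTITY),
    }


def findings(log):
    """One finding per request that sends a hardware ID or location in the clear."""
    out = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _method, url = line.split(None, 1)
        c = classify(url)
        leaked = c["hardware_ids"] + c["location"]
        if c["cleartext"] and leaked:
            out.append({"host": c["host"], "fields": leaked, "app": c["app"]})
    return out
```

`findings()` reports only the cleartext case the slide is about; `classify()` also exposes the https request that still ships a hardware ID and location to a third party, which is a privacy finding in its own right.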
  24. DATA DESTINATIONS (Destination address, IP, Country)
  25. INSECURE MOBILE APPS CREATE BUSINESS RISK FOR ENTERPRISES • Starbucks: Thieves siphoned money out of users’ accounts using the mobile app (via USA Today) • Ola: India’s largest startup with $1.1B in funding was hacked to allow unlimited free rides (via The Next Web) • Hulu and Tinder: App vulnerabilities offered access to free premium accounts (via CNBC)
  26. DEMO
  27. PART 1: CRITICAL VULNERABILITY IN PRE-INSTALLED KEYBOARD ON SAMSUNG DEVICES • Combining CVE-2015-4640 and CVE-2015-4641 • Execute arbitrary code in a privileged context • Result: silently execute malicious code on target device • Estimated impact: 600 million devices DEMO
  28. PART 2: INSTALLING A MALICIOUS APPLICATION • Silently installed using the previous exploit • Communicates device/user data to a C&C server • Even if removed, can be reinstalled by the attacker • The UI is just for demo purposes, and would not be required if using this in the wild DEMO
  29. PART 3: EXPOSING LEAKY APPS • Escalate to root privilege using another exploit • Use the root permission to look for vulnerable application (or all applications) • Compress and send the data back to the C&C server DEMO
  30. WHAT CAN WE DO ABOUT IT?
  31. TIPS FOR SECURING YOUR MOBILE DEVICE 1. Update your operating system and apps when new versions are available. 2. Add a passcode, PIN, or pattern lock. 3. Use different passwords for sites and apps. 4. Log out of your applications. 5. Only download apps from the official App Store and Google Play. 6. Use two-factor user identification when available. 7. Know what data is being collected by applications.
  32. OTHER FREE RESOURCES 1. Secure Mobile Dev Best Practices 2. Mobile App Security Program Management Handbook 3. Mobile Banking Applications: Security Challenges for Banks 4. Mobile Incident Response E-book SPONSORED OPEN SOURCE PROJECTS 1. Frida - inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX 2. Radare - complete framework for reverse-engineering and analyzing binaries