
Mobile Penetration Testing: Episode 1 - The Forensic Menace



This is Episode 1 of a trilogy on mobile penetration testing - forensic analysis of data at rest on the device.

Episode 2 - Return of the Network/Back-end
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-ii-attack-of-the-code

Episode 3 - Attack of the Code
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-iii-attack-of-the-code


  1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode I: THE FORENSIC MENACE
  2. Episode I: THE FORENSIC MENACE / Episode II: RETURN OF THE NETWORK/BACK-END / Episode III: ATTACK OF THE CODE
  3. Connect: Twitter @NowSecureMobile. Subscribe to #MobSec5, our weekly mobile security news digest: http://mobsec5.nowsecure.com/. Web: nowsecure.com
  4. Katie Strzempka, Director of Mobile Services | NowSecure
  5. Contents
     ● Areas of analysis/coverage
     ● Forensics deep dive: mobile data at rest
     ● Approaching Android
     ● Approaching iOS
  6. Your analysis checklist (a must-have)
     ● Why a checklist?
       ○ Consistency across results & teams
       ○ Creates a minimum baseline for security
     ● Creating your checklist
       ○ Internal policies
       ○ OWASP Top 10, NIAP (for government), etc.
       ○ Group into high-level categories
       ○ Break down categories into specific tests
     ● Allow analysts some leeway to get creative
  7. A repeatable process drives consistency and metrics
     ● Establish testing requirements
     ● Identify areas for interpretation/creativity
     ● Help with on-boarding & training staff
     ● Show developers what and how you will test
     ● Explain what must be fixed & what's accepted
     ● Ensure full coverage (more on that later)
     ● Repeatability allows for measurement
     ● Make reporting consistent
     For inspiration, see: OWASP Mobile Security Testing Guide
  8. Areas of analysis/coverage
     ● Mobile forensics & data recovery
     ● Network, web services, and API testing
     ● Server-side penetration testing
     ● Reverse engineering & code analysis
  9. https://www.bostonglobe.com/arts/2015/12/12/how-lightsaber-works/RY5A2SwWShmYiSORqdgMdN/story.html
     “You know that [little droid leaking data] is going to cause me a lot of trouble.”
  10. Where on a mobile device can data at rest be found?
     ● SD card / emulated SD card (Android)
     ● System log files
     ● RAM
     ● Source code (hard-coded values)
     ● Web cache/history (hybrid/web-wrapper apps)
     ● Private application folder
     ● Keychain
  11. What tools will allow you to achieve your data recovery and analysis objectives?
     ● Standard forensic acquisition software will recover the file system
     ● But it won't:
       ○ Decrypt the Keychain to see if sensitive values are stored
       ○ Recover syslog files (requires a special Cydia package)
       ○ Extract memory for running app processes
     ● Command-line knowledge is required for open-source tools
     ● The wrong tools can lead you down a tedious, time-consuming path
  12. Sharpest tools in the shed (target: relevant tools and/or documentation)
     ● File system
       ○ Android: Android Debug Bridge (i.e., the “adb pull” command)
       ○ iOS: libimobiledevice
     ● System log files
       ○ Android: logcat command-line tool
       ○ iOS: syslog (instructions for non-developers)
     ● iOS Keychain
       ○ iOS Keychain analyzer
     ● RAM
       ○ Android: Android Debug Bridge (i.e., “adb dumpsys meminfo”)
       ○ iOS: heapdump-ios
     A full suite of mobile tools: Santoku Linux
  13. Prioritize findings by risk (likelihood + significance + value)
     ● Risk depends on the location of the data
     ● Take into consideration:
       ○ Sensitivity of the data
       ○ Likelihood of exploit
       ○ Remote vs. local attack
     ● The Common Vulnerability Scoring System (CVSS) is one framework for assigning risk to vulnerabilities
     (chart: Likelihood vs. Significance)
  14. https://en.wikipedia.org/wiki/Finn_(Star_Wars)
     “[Droid Android], please!”
  15. Requirements for Android forensic analysis
     ● Rooted Android device w/ USB cable (we'll be using a Google Nexus 5)
     ● Linux machine or VM w/ Android Studio tools (may we recommend Santoku Linux?)
  16. Where does data “rest” on Android? Common storage areas:
     ● Private application folder*
     ● SD card / emulated SD card*
     ● System log files
     ● RAM
     ● Hard-coded data in source code
     ● Web cache/history (for hybrid/web-wrapper apps)
  17. Step 1: Locate your app (adb)
     ● Access the device shell:
     ● Locate the app data directory:
     ● Find the app's private directory:
     (commands shown in the slide screenshots)
  18. Step 2: Pull app data off the phone
     ● Pull data from the SD card/app directory (adb pull <data-path-source> <destination>):
     (command shown in the slide screenshot)
  19. Step 3: Analyze app data
     App files recovered from the Any.do Android app: (screenshot in the slide)
  20. http://www.officialpsds.com/Darth-Vader-PSD108098.html
     “The [Emperor iOS] is not as forgiving as I am.”
  21. Requirements for iOS forensic analysis
     ● Linux machine or VM (again, give Santoku Linux a try)
     ● Jailbroken iOS device (≤ 9.3.3) w/ USB cable (we'll be using an iPhone 6)
     ● Remote connection (SSH) & secure copy (SCP); instructions here
  22. Where does data “rest” in iOS? Common storage areas:
     ● Private application folder*
     ● Syslog
     ● RAM
     ● Keychain
     ● Hard-coded values
     ● Web cache/history (for hybrid/web-wrapper apps)
  23. Step 1: Locate your app
     ● Remotely connect to your iOS device:
     ● App bundles and data location:
       ○ App bundles location:
       ○ App data location:
     (paths shown in the slide screenshots)
  24. Step 1 (continued): Locate your app
     ● Sort by most recently installed:
     ● Change into that directory / make sure it's the target app:
     (commands shown in the slide screenshots)
  25. Step 2: Pull app data off the phone
     ● Make note of the full path from the previous step, for example:
       /private/var/mobile/Containers/Data/Application/983FCB4E-E5B5-4C8C-A4AF-F9139FE74EC3
     ● scp command to copy files from the app folder: (command shown in the slide screenshot)
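The iOS "locate your app" step above (slides 23 to 25) walks the UUID-named container directories by hand over SSH, sorting by install time and then checking that the directory really belongs to the target app. The Python script below is an added example, not the deck's or NowSecure's code, and performs the same check offline against a local copy of the device file system (a forensic acquisition, or a tree copied down with scp): it lists containers newest first and matches a bundle identifier to its Bundle container (via the .app's Info.plist, key CFBundleIdentifier) and to its Data container (via the hidden .com.apple.mobile_container_manager.metadata.plist and its MCMMetadataIdentifier key). The container layout is that of iOS 8 and later; the metadata plist name and key are taken from observed jailbroken devices and should be treated as an assumption to verify on your own version. The bundle id com.example.todo, the Sample.app name and the whole directory tree are constructed for the demo.

```python
import os
import plistlib
import tempfile
import time
import uuid
from pathlib import Path

# Container layout of iOS 8 and later on a jailbroken device (slides 23-25). The hidden
# metadata plist and its key are an assumption from observed devices; verify on yours.
BUNDLE_ROOT = "private/var/mobile/Containers/Bundle/Application"
DATA_ROOT = "private/var/mobile/Containers/Data/Application"
MCM_PLIST = ".com.apple.mobile_container_manager.metadata.plist"


def bundle_id_of_bundle_container(container):
    """Read CFBundleIdentifier from the .app inside a Bundle container (None if absent)."""
    for app_dir in Path(container).glob("*.app"):
        info = app_dir / "Info.plist"
        if info.is_file():
            with info.open("rb") as fh:          # plistlib reads binary and XML plists
                return plistlib.load(fh).get("CFBundleIdentifier")
    return None


def bundle_id_of_data_container(container):
    """Read the owning app id from a Data container's metadata plist (None if absent)."""
    meta = Path(container) / MCM_PLIST
    if not meta.is_file():
        return None
    with meta.open("rb") as fh:
        return plistlib.load(fh).get("MCMMetadataIdentifier")


def containers_by_recency(root, subdir):
    """UUID container directories under root/subdir, newest first (the slide's 'ls -lt')."""
    base = Path(root) / subdir
    if not base.is_dir():
        return []
    dirs = [p for p in base.iterdir() if p.is_dir()]
    return sorted(dirs, key=lambda p: p.stat().st_mtime, reverse=True)


def locate_app(root, bundle_id):
    """Map a bundle id to its Bundle and Data container paths (None where not found)."""
    found = {"bundle": None, "data": None}
    for c in containers_by_recency(root, BUNDLE_ROOT):
        if bundle_id_of_bundle_container(c) == bundle_id:
            found["bundle"] = str(c)
            break
    for c in containers_by_recency(root, DATA_ROOT):
        if bundle_id_of_data_container(c) == bundle_id:
            found["data"] = str(c)
            break
    return found


def build_sample_tree(root, bundle_ids):
    """Construct a fake container layout for offline use; bundle_ids oldest first."""
    root = Path(root)
    for i, bid in enumerate(bundle_ids):
        bundle = root / BUNDLE_ROOT / str(uuid.uuid4()).upper()
        app_dir = bundle / "Sample.app"           # constructed app name
        app_dir.mkdir(parents=True)
        with (app_dir / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bid, "CFBundleName": "Sample"}, fh)
        data = root / DATA_ROOT / str(uuid.uuid4()).upper()
        data.mkdir(parents=True)
        with (data / MCM_PLIST).open("wb") as fh:
            plistlib.dump({"MCMMetadataIdentifier": bid}, fh)
        # Stagger directory mtimes so "most recently installed" means something.
        ts = time.time() - (len(bundle_ids) - i) * 60
        os.utime(bundle, (ts, ts))
        os.utime(data, (ts, ts))
    return root


def demo():
    """Build a two-app sample tree and locate the newer app; returns (root, result)."""
    root = build_sample_tree(tempfile.mkdtemp(), ["com.example.mail", "com.example.todo"])
    return root, locate_app(root, "com.example.todo")


if __name__ == "__main__":
    print(demo()[1])
```

Point `locate_app` at the root of an acquired file system instead of the constructed tree and the returned "data" path is the one to note down for the scp step; matching on the identifier rather than on recency alone avoids copying the wrong container when another app was installed after the target.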
  26. Step 3: Analyze app data
     App files recovered from the Any.do iOS app: (screenshot in the slide)
  27. Pointers to keep in mind during forensic analysis
     ● SQLite databases, plist, and XML files are common: find your favorite viewers
     ● When searching for data in large files, command-line tools are best: try grep
     ● Look for data stored as common hashes/encodings (Base64, MD5, SHA-256, etc.)
     ● iOS apps use the “Cache.db” file, which often contains large amounts of data
     ● Don't limit yourself: explore storage locations beyond those discussed today!
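Slide 27's pointers (SQLite, plist and XML viewers; grep for large files; watch for hex digests and Base64) describe a manual pass over the pulled app data. The Python scanner below is an added example, not the deck's or NowSecure's code, that automates that first pass over a directory recovered with adb pull or scp: it opens SQLite databases read-only and dumps every text cell, flattens plists and Android shared_prefs XML to key=value strings, treats everything else as text, and flags hex runs of MD5/SHA-1/SHA-256 length, long Base64 runs, and credential keywords. The sample data directory (a tasks.db, a com.example.todo.plist and a settings.xml) is constructed inline for the demo, as are the secrets in it; the indicator set is a starting point that you would extend with the app's own field names.

```python
import base64
import hashlib
import plistlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
# Indicators from slide 27: hex digests (SHA-256/SHA-1/MD5 lengths), long Base64 runs,
# and the keywords a grep pass would start with. Extend for the app under test.
PATTERNS = {
    "hex-digest": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),
    "base64": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])"),
    "keyword": re.compile(r"(?i)password|passwd|secret|token|api[_-]?key"),
}


def strings_from_sqlite(path):
    """Yield 'table.column=value' for every text cell; opened read-only (it is evidence)."""
    con = sqlite3.connect("file:%s?mode=ro" % Path(path).as_posix(), uri=True)
    try:
        names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in names:
            cur = con.execute('SELECT * FROM "%s"' % t.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for c, v in zip(cols, row):
                    if isinstance(v, str):
                        yield "%s.%s=%s" % (t, c, v)
    finally:
        con.close()


def flatten_plist(obj, prefix=""):
    """Yield 'key.path=value' for every leaf of a loaded plist."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten_plist(v, prefix + str(k) + ".")
    elif isinstance(obj, (list, tuple)):
        for i, v in enumerate(obj):
            yield from flatten_plist(v, prefix + str(i) + ".")
    else:
        yield prefix.rstrip(".") + "=" + str(obj)


def strings_from_xml(path):
    """Yield 'name=text' and 'name@attr=value' (Android shared_prefs style)."""
    for el in ET.parse(str(path)).iter():
        name = el.get("name") or el.tag
        if el.text and el.text.strip():
            yield "%s=%s" % (name, el.text.strip())
        for k, v in el.attrib.items():
            if k != "name":
                yield "%s@%s=%s" % (name, k, v)


def extract_strings(path):
    """Pick a parser by SQLite magic or extension; fall back to raw text lines."""
    path = Path(path)
    with path.open("rb") as fh:
        head = fh.read(16)
    if head == SQLITE_MAGIC:
        yield from strings_from_sqlite(path)
    elif path.suffix == ".plist":
        with path.open("rb") as fh:
            yield from flatten_plist(plistlib.load(fh))
    elif path.suffix == ".xml":
        yield from strings_from_xml(path)
    else:
        for line in path.read_text(errors="replace").splitlines():
            yield line


def scan_app_data(root):
    """Return (relative path, indicator, string) for every indicator hit under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for s in extract_strings(path):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(s):
                    if kind == "base64" and HEX_ONLY.fullmatch(m.group(0)):
                        continue                 # already reported as a hex digest
                    findings.append((path.relative_to(root).as_posix(), kind, s[:120]))
    return findings


def build_sample_app_data(root):
    """Construct a small app data directory: SQLite DB, iOS plist, Android shared_prefs."""
    root = Path(root)
    db = root / "Documents" / "tasks.db"
    db.parent.mkdir(parents=True)
    con = sqlite3.connect(str(db))
    con.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)",
                ("alice@example.com", hashlib.sha256(b"hunter2").hexdigest()))
    con.commit()
    con.close()
    prefs = root / "Library" / "Preferences" / "com.example.todo.plist"
    prefs.parent.mkdir(parents=True)
    with prefs.open("wb") as fh:
        token = base64.b64encode(b"bearer-secret-value-1234").decode()
        plistlib.dump({"session": {"auth_token": token}}, fh)
    sp = root / "shared_prefs" / "settings.xml"
    sp.parent.mkdir(parents=True)
    sp.write_text('<?xml version="1.0"?><map><string name="password">letmein</string>'
                  '<boolean name="sync" value="true"/></map>')
    return root


def demo():
    """Scan the constructed sample directory and return the findings list."""
    return scan_app_data(build_sample_app_data(tempfile.mkdtemp()))
```

Each finding is still only a lead: a hex run may be a file checksum and a Base64 run may be an image thumbnail, so the next step is to decode or look up the value and, as slide 13 says, rate it by data sensitivity and where on the device it was found before it goes into the report.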
  28. ● Create a checklist and document your process
     ● Assign responsibility for various test coverage areas
     ● Select the right tools to find/test for insecure data storage
     ● Look for data in common areas (but don't limit yourself)
     ● If data is found, determine its value and the risk
  29. Do not distribute. Episode II: RETURN OF THE NETWORK/BACK-END. Next Thursday, December 15, 1 p.m. CST / 11 a.m. PST. REGISTER NOW: http://bit.ly/2g7ZRXd
  30. Let's talk: NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com. Subscribe to #MobSec5, a digest of the week's mobile news that matters: http://mobsec5.nowsecure.com/
