The document discusses auditing mobile applications. It covers dividing auditing efforts between client-side and server-side testing. On the client side, it discusses approaches like jailbreaking or rooting phones to gain more access. It also covers techniques like man-in-the-middle attacks by manipulating DNS or SSL certificates. The document recommends standard tools for assessing the server-side but also analyzing the mobile app binaries like dex files on Android and iOS formats. It highlights privacy issues found in WhatsApp and potential hijacking risks if traffic is not encrypted.

1. *[ AUDITING MOBILE APPLICATIONS ]
Author: Jose Selvi
Date: 30/Jun/2011

2. $ WHOIS JSELVI
Jose Selvi
http://twitter.com/JoseSelvi
jselvi@s21sec.com jselvi@pentester.es
http://www.s21sec.com http://www.pentester.es

3. INDEX
Apps Revolution
Divide & Conquer (D&C)
Mobile Networking
Server Side
Client Side
What’s Up with WhatsApp

4. APPS REVOLUTION
Pág. 5

5. “OLD SCHOOL” APPS

6. “OLD SCHOOL” APPS

7. WEBSITE FEVER

8. WEBSITE FEVER

9. WEBSITE FEVER

10. MOBILE FEVER

11. MOBILE FEVER

12. MOBILE FEVER

13. MOBILE FEVER

14. MOBILE FEVER

15. APPLICATIONS EVOLUTION 2010

16. DIVIDE & CONQUER (D&C)
AND MORE
Pág. 5

17. MOBILE LAB

18. MOBILE LAB
CLIENT

19. MOBILE LAB
SERVER
CLIENT

20. MOBILE LAB
SERVER
CLIENT

21. MOBILE LAB
NETWORK
CLIENT SERVER
Phone full control Some ways We CAN’T change
the server
SW full control We’re able to
control the We CAN’T have a
network look to the
We’re able to
software
change config and
software Sometimes hard
and expensive Black Box Testing

22. JAILBREAK / ROOTING
Sometimes emulator r00lz!
• Android Emulator (SDK)
• iOS Simulator (SDK)
But sometimes not...
We don’t have full built-in control
Maybe we should...
• iOS Jailbreak
• Android Rooting

23. MOBILE NETWORKING
Pág. 5

24. MULTI-CHANNEL!

25. MOBILE LAB

26. MAN-IN-THE-MIDDLE
msf auxiliary(fakedns) >
[*] DNS bypass domain api.facebook.com resolved 66.220.146.36
[*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30
[*] DNS bypass domain m.facebook.com resolved 66.220.158.26

27. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

28. “FAKE” DNS
¿whois www.google.com?
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

29. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
¿whois www.google.com?
20.20.20.20 DNS SERVER

30. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
¿whois www.google.com?
20.20.20.20 DNS SERVER

31. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
www.google.com = 74.125.39.104
20.20.20.20 DNS SERVER

32. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
www.google.com = 74.125.39.104
20.20.20.20 DNS SERVER

33. “FAKE” DNS
www.google.com = 74.125.39.104
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

34. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

35. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

36. “FAKE” DNS
¿whois api.facebook.com?
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

37. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
¿whois api.facebook.com?
20.20.20.20 DNS SERVER

38. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
api.facebook.com = 20.20.20.20
20.20.20.20 DNS SERVER

39. “FAKE” DNS
api.facebook.com = 20.20.20.20
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

40. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
20.20.20.20 DNS SERVER

41. “FAKE” DNS
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0
GW: 20.20.20.1
DNS: 20.20.20.20
PROXY
20.20.20.20 DNS SERVER

42. REDIRECT TRICK
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0 20.20.20.20
GW: 20.20.20.20
DNS: 8.8.8.8
PROXY

43. REDIRECT TRICK
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0 20.20.20.20
GW: 20.20.20.20
DNS: 8.8.8.8
PROXY

44. REDIRECT TRICK
IP: 20.20.20.10 10.10.10.10
MASK: 255.255.255.0 20.20.20.20
GW: 20.20.20.20
DNS: 8.8.8.8
PROXY

45. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 10.10.10.10
GW: 20.20.20.20
DNS: 8.8.8.8

46. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 CERT
10.10.10.10
GW: 20.20.20.20
DNS: 8.8.8.8

47. PKI: Public Key Infraestructure
SERVER
PUB PRIV
CA
PUB PRIV
CLIENT
PUB
PUB
PUB
PUB
CA1

48. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PUB PRIV
INFO CERT
CLIENT
PUB
PUB
PUB
PUB
CA1

49. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT
PUB
PUB
PUB
PUB
CA1

50. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT
PUB
PUB
PUB
PUB
CA1

51. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT DIGEST
PUB
PUB
PUB
PUB
CA1

52. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
DIGEST INFO CERT
PUB
CLIENT DIGEST
PUB
PUB
PUB
PUB
CA1

53. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
SIGNED DIGEST INFO CERT
PUB
CLIENT DIGEST
PUB
PUB
PUB
PUB
CA1

54. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT DIGEST
SIGNED DIGEST
PUB
PUB
PUB
PUB
CA1

55. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT DIGEST
SIGNED DIGEST
PUB
PUB
PUB
PUB
CA1

56. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT
PUB
PUB
PUB
PUB DIGEST
CA1
SIGNED DIGEST

57. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT
PUB
PUB
PUB
PUB DIGEST
CA1
DIGEST’

58. PKI: Public Key Infraestructure
SERVER
CA
PUB PRIV PRIV
INFO CERT
PUB
CLIENT
PUB
PUB
PUB
PUB DIGEST
CA1
DIGEST’

59. Real Certificate Sample

60. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 10.10.10.10
GW: 20.20.20.20
DNS: 8.8.8.8

61. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 CERT
10.10.10.10
GW: 20.20.20.20
DNS: 8.8.8.8

62. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 FAKE
CERT
10.10.10.10
CERT
GW: 20.20.20.20
DNS: 8.8.8.8
FAKE
CA

63. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 FAKE
CERT
10.10.10.10
CERT
GW: 20.20.20.20
DNS: 8.8.8.8

64. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 FAKE
CERT
10.10.10.10
CERT
GW: 20.20.20.20
DNS: 8.8.8.8

65. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 FAKE
CERT
10.10.10.10
CERT
GW: 20.20.20.20
DNS: 8.8.8.8

66. SSL/HTTPS
PROXY
IP: 20.20.20.10
MASK: 255.255.255.0 FAKE
CERT
10.10.10.10
CERT
GW: 20.20.20.20
DNS: 8.8.8.8

67. IMPORT CERTIFICATES
iPhone / iPad
• Export from proxy (Burp, ...) o built (openssl, ...).
• iPhone Configuration Utility
Android
• Only VPN certs, not Web.
• Hard...
• Still Working...

68. BINGO!

69. SERVER SIDE
Pág. 5

70. AS USUAL...
Browser
Nessus
Qualys
SQLMap
Metasploit
Backtrack
...
Of course, your brain!

71. CLIENT SIDE
Pág. 5

72. iOS BINARY FORMAT

73. iOS BINARY FORMAT

74. iOS BINARY FORMAT

75. iOS BINARY FORMAT

76. iOS BINARY FORMAT

77. ANDROID BINARY FORMAT

78. ANDROID BINARY FORMAT
App.java

79. ANDROID BINARY FORMAT
App.java App.class

80. ANDROID BINARY FORMAT
App.java App.class App.dex

81. ANDROID BINARY FORMAT
App.java App.class App.dex

82. ANDROID BINARY FORMAT
App.java App.class App.dex

83. PUT ALL TOGETHER!

84. Man-in-the-
CRACKING VERIFYCERT
certificados como válidos), algo que evidentemente no podrá hacer un atacante que no
tuviera previo control de la máquina pero que nos situa en la posición de un intruso que
haya comprometido previamente el NOC de Good. En esta ocasión, dado que no se ha
conseguido vulnerar los certificados SSL, NO bastaría con el compromiso de algunos de
los routers internmedios, como SI ocurría en el caso anterior.
www.s21sec.c

85. WHAT’S UP WITH WHATSAPP?
Pág. 5

86. WHAT’S UP WITH WHATSAPP?
Pág. 5

87. KNOWN WHATSAPP ISSUES
Unencrypted Traffic
• But using 443 tcp port...
Storing ALL conversation FOREVER
Storing GPS position!
• WTF!!
• Why??!!
Much more...
Great research from SecurityByDefault guys!

88. WHATSAPP HIJACKING

89. ALERT! SPAM!
SEC-560:
Network Penetration Testing
and Ethical Hacking

90. THANKS! QUESTIONS?
Jose Selvi
http://twitter.com/JoseSelvi
jselvi@s21sec.com jselvi@pentester.es
http://www.s21sec.com http://www.pentester.es

91. *[ THANKS! SEE YOU! ]
Pág. 7