The document discusses how to strengthen the security of mobile apps. It recommends conducting source code reviews, security testing apps during QA, and analyzing deployed apps. It provides examples of security checks like reviewing for vulnerabilities and threats. The document also shares tools for analyzing iOS and Android apps, such as reverse engineering toolkits and decompiling APK files. Resources are listed for tasks like monitoring network traffic and examining app databases and files.

1. Please, Please, PLEASE! Defend Your Mobile Apps!
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
Strengthening Cybersecurity Defenders #ISC2Congress

2. 2 #ISC2Congress
Agenda
» A Little Understanding Goes a Long Way
» Mobile App Defense 101
» Attacking Your Own Apps
» Vetting Apps
» Resources

3. How to Write Good Code
From http://xkcd.com/844/
3 #ISC2Congress

4. Understand Your Environment
» What development methodologies do we follow?
» What programming languages do we use?
» What risk/security frameworks do we follow?
» What third-party libraries do we use?
» What stages in the development process require
approval from the security team?
4 #ISC2Congress

5. Understand Your Platforms
5 #ISC2Congress
» iOS
» Android
» BlackBerry
» Windows

6. Three Four Key Security Checks
6 #ISC2Congress
» Defined Security
Requirements
– Project Plan
– RFP, Contracts, etc.
» Source Code Security
Reviews
– Manual Reviews
– Reverse Binaries
» Security Tests in QA
• Positive AND Negative
Test Cases
» Analysis of “Deployed”
Apps
• Automated Scans
• Manual Analysis

7. Source Code Reviews (OWASP)
7 #ISC2Congress
» Methodology (v1.1, current)
• Preparation
• Security Code Review in the SDLC
• Security Code Review Coverage
• Application Threat Modeling
• Code Review Metrics
» Methodology (v2.0, in development)
• Preparation
• Application Threat Modeling
• Understanding Code Layout/Design/Architecture
• Reviewing by Technical Control
• Reviewing by Vulnerability
• Security Code Review for Agile Development

8. QA Security Test Cases
8 #ISC2Congress
» Positive AND Negative
» Top 10 Negative Test Cases
• Embedded Single Quote
• Required Data Entry
• Field Type Test
• Field Size Test
• Numeric Bounds Test
• Numeric Limits Test
• Date Bounds Test
• Date Validity
• Web Session Testing
• Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm

9. Application Analysis
» Automated scanning tools and manual analysis
9 #ISC2Congress
» OWASP Testing Guide (v3)
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Testing for Denial of Service
• Web Services Testing
• AJAX Testing
» 42+ Secure Mobile Development Best Practices
(viaForensics)

10. OWASP Top 10 Mobile Risks
Image from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
10 #ISC2Congress

11. iOS AppSec Cheat Sheet
Image from https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
11 #ISC2Congress

12. Deconstructing .ipa Files
12 #ISC2Congress
» Download from app store
• Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes
Media/Mobile Applications/
• Mac OS X 10.6: ~/Music/iTunes/Mobile
Applications/
• Windows 7: C:UsersUsernameMy
MusiciTunesiTunes MediaMobile Applications
» Extract app to folder using 7-zip
» Manually examine the files using
Notepad++ or prgrep
» Look for sensitive info (integration points)
• Connection strings
• Calls to Internet-facing web services
• Calls to other local resources

13. 13 #ISC2Congress
iOS Target Files
File name/extension Description
.sinf Apple iOS digital rights management file
.supp Apple iOS file (archives)
.plist Apple property list XML file
.nib Apple Interface Builder user interface
resources
.sqlite SQL Lite database file
AppName <no extension> App file itself
ChangeLog <no extension> No! Bad developer! Bad!
PkgInfo <no extension> 4b package type + 4b app signature

14. Deconstructing .apk Files
» Download from app store
• Copy .apk file from rooted Android device to
laptop via USB cable
• Send .apk file from non-rooted Android
device to Dropbox via APK Extractor
• Alternately, you can download some .apk
files from .apk archive sites
» Extract app to folder using 7-zip
» Manually examine the files using
Notepad++ or prgrep
» Look for sensitive info (integration
points)
• Connection strings
• Calls to Internet-facing web services
• Calls to other local resources
14 #ISC2Congress

15. Android Target Files
File name/extension Description
Assets <folder> All your base are belong in here
Lib <folder> .so files (third party libraries)
META-INF <folder> .rsa, .fs, manifest.mf (hash values + certs = integrity)
Res <folder> XML files and supporting graphics (how the app draws the
15 #ISC2Congress
interface)
Templates <folder> Licenses, release notes, etc.
AndroidManifest.xml Info that the device needs before it can run the app
classes.dex Dalvik Executable (Exterminate! Exterminate!)
resources.arsc Compiled application resources (strings, images, etc.)

16. Man-in-the-Middle
» Plug laptop into wired network connection
» Created an ad hoc wireless network on laptop
» Connect mobile device to ad hoc wireless network
» Start Wireshark on laptop
• Capture ALL packets between mobile device and server
» Use mobile device as a normal end user
» Analyze Wireshark traffic
• Unencrypted credentials
• Unencrypted account information
• Connection strings to servers (including third parties)
» Alternately, use a proxy like Mallory (TCP) or
16 #ISC2Congress
Charles/Burp (HTTP)

17. iOS Reverse Engineering Toolkit
17 #ISC2Congress
Running iRET
» Jailbreak your iDevice
» Install supporting utilities
» Install the target app
on jailbroken iDevice
» Open iRET app
» Open the target app
» Browse to
http://deviceip:5555
from your laptop
Supporting Utilities
» oTool
» dumpDecrypted
» Sqlite
» Theos
» Keychain_dumper
» file
» plutil
» Class-dump-z

18. 18 #ISC2Congress
Vetting an App
» Encrypted
communications
» Encrypted storage
» Use of UUID
» Analytics and ad
services
» Location services
» Data sharing
capabilities
– Bluetooth
» Access to…
• Address book
• Calendar
• Reminder
• Photos
• Microphone
• Social media services
• Lock screen images
• Cloud-based file sharing
services

19. 19 #ISC2Congress
Vetting Support

20. 20 #ISC2Congress
Resources
» Wireshark
• http://www.wireshark.org/
» SQLite Database Browser
• http://sourceforge.net/projects/sqlitebrowser/
» iPhone Backup Analyzer
• http://www.ipbackupanalyzer.com/
» iOS Reverse Engineering Toolkit
• http://blog.veracode.com/2014/03/introducing-the-ios-reverse-
engineering-toolkit/
• https://www.veracode.com/iret-ios-reverse-engineering-toolkit
» Charles Web Debugging Proxy
• http://www.charlesproxy.com/

21. 21 #ISC2Congress
Resources
» AXMLPrinter2
• https://code.google.com/p/android4me/downloads/list
» Android SDK + Android Developer Tools (ADT
bundle)
• http://developer.android.com/sdk/index.html
» dex2jar
• https://code.google.com/p/dex2jar/
» Java Decompiler (JD-GUI)
• http://jd.benow.ca/
» Step-by-Step Guide to Decompiling Android Apps
• http://slandail.net/step-by-step-guide-to-decompiling-android-
apps/

22. 22 #ISC2Congress
Resources
» Clueful
• http://www.cluefulapp.com/
» viaProtect
• https://www.viaprotect.com/
» Malwarebytes
• https://www.malwarebytes.org/mobile/
» Lookout
• https://www.lookout.com/
» MyPermissions
• http://mypermissions.com/

23. 23 #ISC2Congress
Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin/com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
contact@jacadis.com