SlideShare a Scribd company logo

Smart Bombs: Mobile Vulnerability and Exploitation

SecureState
SecureState

This document discusses common vulnerabilities found in mobile applications. It begins by outlining the types of sensitive data stored on mobile devices and used by mobile apps. It then covers tools for analyzing the file system, application layer, and transport layer of mobile apps. Specific vulnerabilities are highlighted from the OWASP Mobile Top 10 list, including insecure data storage, weak server-side controls, and insufficient transport layer protection. Examples of vulnerabilities found in popular apps like Facebook, Evernote, MyFitnessPal, and LinkedIn are provided. The document concludes by emphasizing that mobile security issues go beyond just application vulnerabilities.

Technology
1 of 52
Download to read offline
Smart Bombs: Mobile Vulnerability and Exploitation Tom Eston
Grilled Smart Phones http://youtu.be/cir-MOzVggQ 2
Windows Mobile Wins! 3
Tom Eston • Manager, SecureState Profiling & Penetration Team • Blogger – SpyLogic.net • Infrequent Podcaster – Security Justice/Social Media Security • Zombie aficionado • I like to break new technology 4
What are we talking about today? • What’s at risk? • Tools, Testing and Exploitation • Common vulnerabilities found in popular apps (this is the fun part) • Special thanks to Kevin Johnson and John Sawyer who helped with this research! 5
What are Smart Bombs? • We’ve got powerful technology in the palm of our hands! • We store and transmit sensitive data • Mobile devices are being used by: – Major Businesses (PII) – Energy Companies (The Grid) – The Government(s) – Hospitals (PHI) – Your Mom (Scary) 6
That’s right…your Mom 7
Testing Mobile Apps • What are the three major areas for testing? – File System What are apps writing to the file system? How is data stored? – Application Layer How are apps communicating via HTTP and Web Services? SSL? – Transport Layer How are apps communicating over the network? TCP and Third-party APIs 8
OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 9
OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 10
OWASP Mobile Security Project • You should get involved! • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 11
Other Issues • Privacy of your data! – Mobile apps talk to many third party APIs (ads) – What’s collected by Google/Apple/Microsoft? 12
Common Tools • SSH • VNC server • A compiler (gcc / agcc) • Android SDK (adb!) • Xcode • iExplorer (iOS GUI file explorer) • Jailbroken iDevice • Rooted Android Device 13
File System Analysis • Forensic approach – File system artifacts – Timeline analysis – Log analysis – Temp files 14
Forensic Tools • Mobile Forensic Tools – EnCase, FTK, Cellebrite • Free and/or Open Source – file, strings, less, dd, md5sum – The Sleuthkit (mactime, mac-robber) 15
Timelines • Timelines are awesome – Anyone know log2timeline? • Filesystem – mac-robber – mactime • Logs – Application- & OS-specific 16
Temp Files 17
Viewing & Searching Files • cat, less, vi, strings, grep • SQLite files – GUI browser, API (Ruby, Python, etc) • Android apps – ashell, aSQLiteManager, aLogViewer 18
Application Layer - HTTP • Tools Used: – Burp Suite – Burp Suite – oh yeah Burp Suite! 19
Why Look at the App Layer? • Very common in mobile platforms • Many errors are found within the application – And how it talks to the back end service • Able to use many existing tools 20
Misunderstanding Encryption 21
Base64 Encoding is NOT Encryption! • Really. It’s 2012. Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE= Plaintext: My super secret key! 22
Want Credentials? Note: This is actually a hardcoded password in the UPS app… 23
Transport Layer - TCP • Tools Used: – Wireshark – Tcpdump – NetworkMiner 24
Why look at the transport layer? • Check to see how network protocols are handled in the app • Easily look for SSL certificate or other communication issues 25
NetworkMiner • Extracts files/images and more • Can pull out clear txt credentials • Quickly view parameters 26
27
TCP Lab Setup • Run tcpdump directly on the device • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this) • Import PCAPs into NetworkMiner 28
App Vulnerabilities • Several examples that we’ve found • Many from the Top 25 downloaded apps 29
Facebook • OAuth Tokens Stored in PLIST file • Simply copy the PLIST file to another device, you’re logged in as them! • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers… 30
Evernote • Notebooks are stored in the cloud • But…caches some files on the device… • OWASP M1: Insecure Data Storage 31
32
MyFitnessPal • Android app stores sensitive data on the device (too much data) 33
34
Password Keeper “Lite” • PIN and passwords stored in clear-text SQLite database • So much for the security of your passwords… 35
36
37
38
Draw Something • Word list stored on the device • Modify to mess with your friends 39
LinkedIn • SSL only for authentication • Session tokens and data sent over HTTP • Lots of apps do this • M3: Insufficient Transport Layer Protection • Note: This was fixed with the latest version of the app (for iOS at least) 40
Auth over SSL Data sent over HTTP 41
42
Pandora • Registration over HTTP • User name/Password and Registration info sent over clear text • Unfortunately…lots of apps do this 43
44
Hard Coded Passwords/Keys • Major Grocery Chain “Rewards” Android app • Simple to view the source, extract private key • OWASP M9: Broken Cryptography • Do developers really do this? 45
Why yes, they do! 46
Privacy Issues • Example: Draw Something App (Top 25) • UDID and more sent to the following third-party ad providers: – appads.com – mydas.mobi – greystripe.com – tapjoyads.com 47
What is UDID? • Alphanumeric string that uniquely identifies an Apple device 48
49
Pinterest and Flurry.com 50
51
Conclusions • Mobile devices are critically common • Most people use them without thinking of security • Developers seem to be repeating the past • Lots of issues besides Mobile Application Security – BYOD – The device itself (Jailbreaking/Rooting) – MDM and Enterprise Management – The list goes on… 52

Recommended

Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 

Recommended

Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and EncryptionUrvashi Kataria
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile HackingNovizul Evendi
 
iOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanismsiOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanismsDario Caliendo
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp ForensicAnimesh Shaw
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreveerababu penugonda(Mr-IoT)
 
User's Guide to Online Privacy
User's Guide to Online PrivacyUser's Guide to Online Privacy
User's Guide to Online Privacycdunk12
 
Cyber security
Cyber securityCyber security
Cyber securityArjun Chetry
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Cyber safety
Cyber safetyCyber safety
Cyber safetyArjun Chetry
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00srini0x00
 
Mobile phone Data Hacking
Mobile phone Data HackingMobile phone Data Hacking
Mobile phone Data HackingMd Abu Syeem Dipu
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSSam Bowne
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In LibrariesBlake Carver
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
Android system security
Android system securityAndroid system security
Android system securityChong-Kuan Chen
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereBlake Carver
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps SecurityXavier Mertens
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 

More Related Content

What's hot

Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
iOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanismsiOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanismsDario Caliendo
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
User's Guide to Online Privacy
User's Guide to Online PrivacyUser's Guide to Online Privacy
User's Guide to Online Privacycdunk12
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00srini0x00
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSSam Bowne
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In LibrariesBlake Carver
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereBlake Carver
 

What's hot (20)

Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
 
iOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanismsiOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanisms
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp Forensic
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
User's Guide to Online Privacy
User's Guide to Online PrivacyUser's Guide to Online Privacy
User's Guide to Online Privacy
 
Cyber security
Cyber securityCyber security
Cyber security
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
Cyber safety
Cyber safetyCyber safety
Cyber safety
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00
 
Mobile phone Data Hacking
Mobile phone Data HackingMobile phone Data Hacking
Mobile phone Data Hacking
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOS
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
 
Android system security
Android system securityAndroid system security
Android system security
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & Anywhere
 

Similar to Smart Bombs: Mobile Vulnerability and Exploitation

Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNitesh Malviya
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
Geek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the InternetGeek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the InternetGeekNightHyderabad
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud SecuritySBWebinars
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
java-card20232024999999999999999999999999999999999999999999999999999999999999...
java-card20232024999999999999999999999999999999999999999999999999999999999999...java-card20232024999999999999999999999999999999999999999999999999999999999999...
java-card20232024999999999999999999999999999999999999999999999999999999999999...ouahibakellou
 

Similar to Smart Bombs: Mobile Vulnerability and Exploitation (20)

Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Internet security
Internet securityInternet security
Internet security
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 
Geek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the InternetGeek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the Internet
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
java-card20232024999999999999999999999999999999999999999999999999999999999999...
java-card20232024999999999999999999999999999999999999999999999999999999999999...java-card20232024999999999999999999999999999999999999999999999999999999999999...
java-card20232024999999999999999999999999999999999999999999999999999999999999...
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

Smart Bombs: Mobile Vulnerability and Exploitation

  • 1. Smart Bombs: Mobile Vulnerability and Exploitation Tom Eston
  • 4. Tom Eston • Manager, SecureState Profiling & Penetration Team • Blogger – SpyLogic.net • Infrequent Podcaster – Security Justice/Social Media Security • Zombie aficionado • I like to break new technology 4
  • 5. What are we talking about today? • What’s at risk? • Tools, Testing and Exploitation • Common vulnerabilities found in popular apps (this is the fun part) • Special thanks to Kevin Johnson and John Sawyer who helped with this research! 5
  • 6. What are Smart Bombs? • We’ve got powerful technology in the palm of our hands! • We store and transmit sensitive data • Mobile devices are being used by: – Major Businesses (PII) – Energy Companies (The Grid) – The Government(s) – Hospitals (PHI) – Your Mom (Scary) 6
  • 8. Testing Mobile Apps • What are the three major areas for testing? – File System What are apps writing to the file system? How is data stored? – Application Layer How are apps communicating via HTTP and Web Services? SSL? – Transport Layer How are apps communicating over the network? TCP and Third-party APIs 8
  • 9. OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 9
  • 10. OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 10
  • 11. OWASP Mobile Security Project • You should get involved! • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 11
  • 12. Other Issues • Privacy of your data! – Mobile apps talk to many third party APIs (ads) – What’s collected by Google/Apple/Microsoft? 12
  • 13. Common Tools • SSH • VNC server • A compiler (gcc / agcc) • Android SDK (adb!) • Xcode • iExplorer (iOS GUI file explorer) • Jailbroken iDevice • Rooted Android Device 13
  • 14. File System Analysis • Forensic approach – File system artifacts – Timeline analysis – Log analysis – Temp files 14
  • 15. Forensic Tools • Mobile Forensic Tools – EnCase, FTK, Cellebrite • Free and/or Open Source – file, strings, less, dd, md5sum – The Sleuthkit (mactime, mac-robber) 15
  • 16. Timelines • Timelines are awesome – Anyone know log2timeline? • Filesystem – mac-robber – mactime • Logs – Application- & OS-specific 16
  • 18. Viewing & Searching Files • cat, less, vi, strings, grep • SQLite files – GUI browser, API (Ruby, Python, etc) • Android apps – ashell, aSQLiteManager, aLogViewer 18
  • 19. Application Layer - HTTP • Tools Used: – Burp Suite – Burp Suite – oh yeah Burp Suite! 19
  • 20. Why Look at the App Layer? • Very common in mobile platforms • Many errors are found within the application – And how it talks to the back end service • Able to use many existing tools 20
  • 22. Base64 Encoding is NOT Encryption! • Really. It’s 2012. Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE= Plaintext: My super secret key! 22
  • 23. Want Credentials? Note: This is actually a hardcoded password in the UPS app… 23
  • 24. Transport Layer - TCP • Tools Used: – Wireshark – Tcpdump – NetworkMiner 24
  • 25. Why look at the transport layer? • Check to see how network protocols are handled in the app • Easily look for SSL certificate or other communication issues 25
  • 26. NetworkMiner • Extracts files/images and more • Can pull out clear txt credentials • Quickly view parameters 26
  • 27. 27
  • 28. TCP Lab Setup • Run tcpdump directly on the device • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this) • Import PCAPs into NetworkMiner 28
  • 29. App Vulnerabilities • Several examples that we’ve found • Many from the Top 25 downloaded apps 29
  • 30. Facebook • OAuth Tokens Stored in PLIST file • Simply copy the PLIST file to another device, you’re logged in as them! • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers… 30
  • 31. Evernote • Notebooks are stored in the cloud • But…caches some files on the device… • OWASP M1: Insecure Data Storage 31
  • 32. 32
  • 33. MyFitnessPal • Android app stores sensitive data on the device (too much data) 33
  • 34. 34
  • 35. Password Keeper “Lite” • PIN and passwords stored in clear-text SQLite database • So much for the security of your passwords… 35
  • 36. 36
  • 37. 37
  • 38. 38
  • 39. Draw Something • Word list stored on the device • Modify to mess with your friends 39
  • 40. LinkedIn • SSL only for authentication • Session tokens and data sent over HTTP • Lots of apps do this • M3: Insufficient Transport Layer Protection • Note: This was fixed with the latest version of the app (for iOS at least) 40
  • 41. Auth over SSL Data sent over HTTP 41
  • 42. 42
  • 43. Pandora • Registration over HTTP • User name/Password and Registration info sent over clear text • Unfortunately…lots of apps do this 43
  • 44. 44
  • 45. Hard Coded Passwords/Keys • Major Grocery Chain “Rewards” Android app • Simple to view the source, extract private key • OWASP M9: Broken Cryptography • Do developers really do this? 45
  • 46. Why yes, they do! 46
  • 47. Privacy Issues • Example: Draw Something App (Top 25) • UDID and more sent to the following third-party ad providers: – appads.com – mydas.mobi – greystripe.com – tapjoyads.com 47
  • 48. What is UDID? • Alphanumeric string that uniquely identifies an Apple device 48
  • 49. 49
  • 51. 51
  • 52. Conclusions • Mobile devices are critically common • Most people use them without thinking of security • Developers seem to be repeating the past • Lots of issues besides Mobile Application Security – BYOD – The device itself (Jailbreaking/Rooting) – MDM and Enterprise Management – The list goes on… 52