SecureState, profile picture
Uploaded bySecureState
PDF, PPTX1,203 views

Smart Bombs: Mobile Vulnerability and Exploitation

This document discusses common vulnerabilities found in mobile applications. It begins by outlining the types of sensitive data stored on mobile devices and used by mobile apps. It then covers tools for analyzing the file system, application layer, and transport layer of mobile apps. Specific vulnerabilities are highlighted from the OWASP Mobile Top 10 list, including insecure data storage, weak server-side controls, and insufficient transport layer protection. Examples of vulnerabilities found in popular apps like Facebook, Evernote, MyFitnessPal, and LinkedIn are provided. The document concludes by emphasizing that mobile security issues go beyond just application vulnerabilities.

Technology◦
Related topics:
Mobile Security Insights•

Embed presentation

Download as PDF, PPTX
Smart Bombs: Mobile Vulnerability and Exploitation Tom Eston
Grilled Smart Phones http://youtu.be/cir-MOzVggQ 2
Windows Mobile Wins! 3
Tom Eston • Manager, SecureState Profiling & Penetration Team • Blogger – SpyLogic.net • Infrequent Podcaster – Security Justice/Social Media Security • Zombie aficionado • I like to break new technology 4
What are we talking about today? • What’s at risk? • Tools, Testing and Exploitation • Common vulnerabilities found in popular apps (this is the fun part) • Special thanks to Kevin Johnson and John Sawyer who helped with this research! 5
What are Smart Bombs? • We’ve got powerful technology in the palm of our hands! • We store and transmit sensitive data • Mobile devices are being used by: – Major Businesses (PII) – Energy Companies (The Grid) – The Government(s) – Hospitals (PHI) – Your Mom (Scary) 6
That’s right…your Mom 7
Testing Mobile Apps • What are the three major areas for testing? – File System What are apps writing to the file system? How is data stored? – Application Layer How are apps communicating via HTTP and Web Services? SSL? – Transport Layer How are apps communicating over the network? TCP and Third-party APIs 8
OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 9
OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 10
OWASP Mobile Security Project • You should get involved! • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 11
Other Issues • Privacy of your data! – Mobile apps talk to many third party APIs (ads) – What’s collected by Google/Apple/Microsoft? 12
Common Tools • SSH • VNC server • A compiler (gcc / agcc) • Android SDK (adb!) • Xcode • iExplorer (iOS GUI file explorer) • Jailbroken iDevice • Rooted Android Device 13
File System Analysis • Forensic approach – File system artifacts – Timeline analysis – Log analysis – Temp files 14
Forensic Tools • Mobile Forensic Tools – EnCase, FTK, Cellebrite • Free and/or Open Source – file, strings, less, dd, md5sum – The Sleuthkit (mactime, mac-robber) 15
Timelines • Timelines are awesome – Anyone know log2timeline? • Filesystem – mac-robber – mactime • Logs – Application- & OS-specific 16
Temp Files 17
Viewing & Searching Files • cat, less, vi, strings, grep • SQLite files – GUI browser, API (Ruby, Python, etc) • Android apps – ashell, aSQLiteManager, aLogViewer 18
Application Layer - HTTP • Tools Used: – Burp Suite – Burp Suite – oh yeah Burp Suite! 19
Why Look at the App Layer? • Very common in mobile platforms • Many errors are found within the application – And how it talks to the back end service • Able to use many existing tools 20
Misunderstanding Encryption 21
Base64 Encoding is NOT Encryption! • Really. It’s 2012. Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE= Plaintext: My super secret key! 22
Want Credentials? Note: This is actually a hardcoded password in the UPS app… 23
Transport Layer - TCP • Tools Used: – Wireshark – Tcpdump – NetworkMiner 24
Why look at the transport layer? • Check to see how network protocols are handled in the app • Easily look for SSL certificate or other communication issues 25
NetworkMiner • Extracts files/images and more • Can pull out clear txt credentials • Quickly view parameters 26
27
TCP Lab Setup • Run tcpdump directly on the device • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this) • Import PCAPs into NetworkMiner 28
App Vulnerabilities • Several examples that we’ve found • Many from the Top 25 downloaded apps 29
Facebook • OAuth Tokens Stored in PLIST file • Simply copy the PLIST file to another device, you’re logged in as them! • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers… 30
Evernote • Notebooks are stored in the cloud • But…caches some files on the device… • OWASP M1: Insecure Data Storage 31
32
MyFitnessPal • Android app stores sensitive data on the device (too much data) 33
34
Password Keeper “Lite” • PIN and passwords stored in clear-text SQLite database • So much for the security of your passwords… 35
36
37
38
Draw Something • Word list stored on the device • Modify to mess with your friends 39
LinkedIn • SSL only for authentication • Session tokens and data sent over HTTP • Lots of apps do this • M3: Insufficient Transport Layer Protection • Note: This was fixed with the latest version of the app (for iOS at least) 40
Auth over SSL Data sent over HTTP 41
42
Pandora • Registration over HTTP • User name/Password and Registration info sent over clear text • Unfortunately…lots of apps do this 43
44
Hard Coded Passwords/Keys • Major Grocery Chain “Rewards” Android app • Simple to view the source, extract private key • OWASP M9: Broken Cryptography • Do developers really do this? 45
Why yes, they do! 46
Privacy Issues • Example: Draw Something App (Top 25) • UDID and more sent to the following third-party ad providers: – appads.com – mydas.mobi – greystripe.com – tapjoyads.com 47
What is UDID? • Alphanumeric string that uniquely identifies an Apple device 48
49
Pinterest and Flurry.com 50
51
Conclusions • Mobile devices are critically common • Most people use them without thinking of security • Developers seem to be repeating the past • Lots of issues besides Mobile Application Security – BYOD – The device itself (Jailbreaking/Rooting) – MDM and Enterprise Management – The list goes on… 52

More Related Content

PDF
Smart Bombs: Mobile Vulnerability and Exploitation
byTom Eston
 
PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
byTom Eston
 
PDF
Attacking and Defending Apple iOS Devices
byTom Eston
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
PPTX
Hacking Mobile Apps
bySophos Benelux
 
PDF
Malware on Smartphones and Tablets - The Inconvenient Truth
byAGILLY
 
PPTX
iOS Security and Encryption
byUrvashi Kataria
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 
Smart Bombs: Mobile Vulnerability and Exploitation
byTom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
byTom Eston
 
Attacking and Defending Apple iOS Devices
byTom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
byeightbit
 
Hacking Mobile Apps
bySophos Benelux
 
Malware on Smartphones and Tablets - The Inconvenient Truth
byAGILLY
 
iOS Security and Encryption
byUrvashi Kataria
 
Android security and penetration testing | DIVA | Yogesh Ojha
byYogesh Ojha
 

What's hot

PDF
Android Hacking
byantitree
 
PDF
Mobile Hacking
byNovizul Evendi
 
PDF
iOS backdoors attack points and surveillance mechanisms
byDario Caliendo
 
PPTX
Android Hacking + Pentesting
bySina Manavi
 
PPT
WhatsApp Forensic
byAnimesh Shaw
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
PDF
IoT security zigbee -- Null Meet bangalore
byveerababu penugonda(Mr-IoT)
 
PPTX
User's Guide to Online Privacy
bycdunk12
 
PDF
Cyber security
byArjun Chetry
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
PPTX
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
bySina Manavi
 
PDF
Cyber safety
byArjun Chetry
 
PDF
Hacking android apps by srini0x00
bysrini0x00
 
PPT
Mobile phone Data Hacking
byMd Abu Syeem Dipu
 
PDF
CNIT 128 Ch 3: iOS
bySam Bowne
 
PPTX
An Introduction To IT Security And Privacy In Libraries
byBlake Carver
 
PDF
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
PDF
Hacking your Android (slides)
byJustin Hoang
 
PDF
Android system security
byChong-Kuan Chen
 
PPTX
An Introduction To IT Security And Privacy In Libraries & Anywhere
byBlake Carver
 
Android Hacking
byantitree
 
Mobile Hacking
byNovizul Evendi
 
iOS backdoors attack points and surveillance mechanisms
byDario Caliendo
 
Android Hacking + Pentesting
bySina Manavi
 
WhatsApp Forensic
byAnimesh Shaw
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
byeightbit
 
IoT security zigbee -- Null Meet bangalore
byveerababu penugonda(Mr-IoT)
 
User's Guide to Online Privacy
bycdunk12
 
Cyber security
byArjun Chetry
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
byeightbit
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
bySina Manavi
 
Cyber safety
byArjun Chetry
 
Hacking android apps by srini0x00
bysrini0x00
 
Mobile phone Data Hacking
byMd Abu Syeem Dipu
 
CNIT 128 Ch 3: iOS
bySam Bowne
 
An Introduction To IT Security And Privacy In Libraries
byBlake Carver
 
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
Hacking your Android (slides)
byJustin Hoang
 
Android system security
byChong-Kuan Chen
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
byBlake Carver
 

Similar to Smart Bombs: Mobile Vulnerability and Exploitation

PDF
Info security - mobile approach
byEY Belgium
 
PPTX
Pentesting iPhone applications
bySatish b
 
PDF
C0c0n 2011 mobile security presentation v1.2
bySantosh Satam
 
PPT
Mobile Apps Security
byXavier Mertens
 
PDF
CNIT 128 8: Mobile development security
bySam Bowne
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PDF
Hacking and Securing iOS Apps : Part 1
bySubhransu Behera
 
PPT
Emerging Threats and Attack Surfaces
byPeter Wood
 
PDF
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
PPTX
Pentesting iOS Applications
byjasonhaddix
 
PPTX
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
PDF
CNIT 128 Ch 1: The mobile risk ecosystem
bySam Bowne
 
PDF
Designing Secure Mobile Apps
byDenim Group
 
PPTX
Building a Mobile Security Program
byDenim Group
 
PDF
The New Mobile Landscape - OWASP Ireland
byTyler Shields
 
PPTX
Security and Mobile Application Management with Worklight
byIBM WebSphereIndia
 
PDF
CactusCon - Practical iOS App Attack and Defense
bySeth Law
 
PPTX
Mobile application securitry risks ISACA Silicon Valley 2012
bySymosis Security (Previously C-Level Security)
 
PPTX
Mobile Application Security
byLenin Aboagye
 
PDF
The Android vs. Apple iOS Security Showdown
byTom Eston
 
Info security - mobile approach
byEY Belgium
 
Pentesting iPhone applications
bySatish b
 
C0c0n 2011 mobile security presentation v1.2
bySantosh Satam
 
Mobile Apps Security
byXavier Mertens
 
CNIT 128 8: Mobile development security
bySam Bowne
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Hacking and Securing iOS Apps : Part 1
bySubhransu Behera
 
Emerging Threats and Attack Surfaces
byPeter Wood
 
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
Pentesting iOS Applications
byjasonhaddix
 
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
CNIT 128 Ch 1: The mobile risk ecosystem
bySam Bowne
 
Designing Secure Mobile Apps
byDenim Group
 
Building a Mobile Security Program
byDenim Group
 
The New Mobile Landscape - OWASP Ireland
byTyler Shields
 
Security and Mobile Application Management with Worklight
byIBM WebSphereIndia
 
CactusCon - Practical iOS App Attack and Defense
bySeth Law
 
Mobile application securitry risks ISACA Silicon Valley 2012
bySymosis Security (Previously C-Level Security)
 
Mobile Application Security
byLenin Aboagye
 
The Android vs. Apple iOS Security Showdown
byTom Eston
 

Recently uploaded

PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
NTG - Data Center Management System Software
byMustafa Kuğu
 

Smart Bombs: Mobile Vulnerability and Exploitation

  • 1.
    Smart Bombs: MobileVulnerability and Exploitation Tom Eston
  • 2.
  • 3.
  • 4.
    Tom Eston • Manager,SecureState Profiling & Penetration Team • Blogger – SpyLogic.net • Infrequent Podcaster – Security Justice/Social Media Security • Zombie aficionado • I like to break new technology 4
  • 5.
    What are wetalking about today? • What’s at risk? • Tools, Testing and Exploitation • Common vulnerabilities found in popular apps (this is the fun part) • Special thanks to Kevin Johnson and John Sawyer who helped with this research! 5
  • 6.
    What are SmartBombs? • We’ve got powerful technology in the palm of our hands! • We store and transmit sensitive data • Mobile devices are being used by: – Major Businesses (PII) – Energy Companies (The Grid) – The Government(s) – Hospitals (PHI) – Your Mom (Scary) 6
  • 7.
  • 8.
    Testing Mobile Apps •What are the three major areas for testing? – File System What are apps writing to the file system? How is data stored? – Application Layer How are apps communicating via HTTP and Web Services? SSL? – Transport Layer How are apps communicating over the network? TCP and Third-party APIs 8
  • 9.
    OWASP Top 10Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 9
  • 10.
    OWASP Top 10Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 10
  • 11.
    OWASP Mobile SecurityProject • You should get involved! • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 11
  • 12.
    Other Issues • Privacyof your data! – Mobile apps talk to many third party APIs (ads) – What’s collected by Google/Apple/Microsoft? 12
  • 13.
    Common Tools • SSH • VNC server • A compiler (gcc / agcc) • Android SDK (adb!) • Xcode • iExplorer (iOS GUI file explorer) • Jailbroken iDevice • Rooted Android Device 13
  • 14.
    File System Analysis •Forensic approach – File system artifacts – Timeline analysis – Log analysis – Temp files 14
  • 15.
    Forensic Tools • MobileForensic Tools – EnCase, FTK, Cellebrite • Free and/or Open Source – file, strings, less, dd, md5sum – The Sleuthkit (mactime, mac-robber) 15
  • 16.
    Timelines • Timelines areawesome – Anyone know log2timeline? • Filesystem – mac-robber – mactime • Logs – Application- & OS-specific 16
  • 17.
  • 18.
    Viewing & SearchingFiles • cat, less, vi, strings, grep • SQLite files – GUI browser, API (Ruby, Python, etc) • Android apps – ashell, aSQLiteManager, aLogViewer 18
  • 19.
    Application Layer -HTTP • Tools Used: – Burp Suite – Burp Suite – oh yeah Burp Suite! 19
  • 20.
    Why Look atthe App Layer? • Very common in mobile platforms • Many errors are found within the application – And how it talks to the back end service • Able to use many existing tools 20
  • 21.
  • 22.
    Base64 Encoding isNOT Encryption! • Really. It’s 2012. Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE= Plaintext: My super secret key! 22
  • 23.
    Want Credentials? Note: This is actually a hardcoded password in the UPS app… 23
  • 24.
    Transport Layer -TCP • Tools Used: – Wireshark – Tcpdump – NetworkMiner 24
  • 25.
    Why look atthe transport layer? • Check to see how network protocols are handled in the app • Easily look for SSL certificate or other communication issues 25
  • 26.
    NetworkMiner • Extracts files/imagesand more • Can pull out clear txt credentials • Quickly view parameters 26
  • 27.
  • 28.
    TCP Lab Setup •Run tcpdump directly on the device • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this) • Import PCAPs into NetworkMiner 28
  • 29.
    App Vulnerabilities • Severalexamples that we’ve found • Many from the Top 25 downloaded apps 29
  • 30.
    Facebook • OAuth TokensStored in PLIST file • Simply copy the PLIST file to another device, you’re logged in as them! • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers… 30
  • 31.
    Evernote • Notebooks arestored in the cloud • But…caches some files on the device… • OWASP M1: Insecure Data Storage 31
  • 32.
  • 33.
    MyFitnessPal • Android appstores sensitive data on the device (too much data) 33
  • 34.
  • 35.
    Password Keeper “Lite” •PIN and passwords stored in clear-text SQLite database • So much for the security of your passwords… 35
  • 36.
  • 37.
  • 38.
  • 39.
    Draw Something • Wordlist stored on the device • Modify to mess with your friends 39
  • 40.
    LinkedIn • SSL only for authentication • Session tokens and data sent over HTTP • Lots of apps do this • M3: Insufficient Transport Layer Protection • Note: This was fixed with the latest version of the app (for iOS at least) 40
  • 41.
    Auth over SSL Data sent over HTTP 41
  • 42.
  • 43.
    Pandora • Registration overHTTP • User name/Password and Registration info sent over clear text • Unfortunately…lots of apps do this 43
  • 44.
  • 45.
    Hard Coded Passwords/Keys • Major Grocery Chain “Rewards” Android app • Simple to view the source, extract private key • OWASP M9: Broken Cryptography • Do developers really do this? 45
  • 46.
  • 47.
    Privacy Issues • Example:Draw Something App (Top 25) • UDID and more sent to the following third-party ad providers: – appads.com – mydas.mobi – greystripe.com – tapjoyads.com 47
  • 48.
    What is UDID? •Alphanumeric string that uniquely identifies an Apple device 48
  • 49.
  • 50.
  • 51.
  • 52.
    Conclusions • Mobile devices are critically common • Most people use them without thinking of security • Developers seem to be repeating the past • Lots of issues besides Mobile Application Security – BYOD – The device itself (Jailbreaking/Rooting) – MDM and Enterprise Management – The list goes on… 52