Virtue Security - The Art of Mobile Security 2013


Published on

A short presentation on some of the many issues that play a role in mobile security.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Virtue Security - The Art of Mobile Security 2013

  2. 2. Agenda• Platform security• Pentesting mobile applications• Identifying attack vectors• Current events• Changing culture and the future of mobilesecurity
  3. 3. Mobile Platform Security• Mobile platforms have a large gray areabetween functionality and security issues.• Many features of mobile platforms createcached artifacts of runtime data.• Applications must properly defend againstthese functions to contain sensitive data.
  4. 4. iOS Background Screen Cache• Screenshots taken when userhits the ‘home’ button.• Can be forensically recoveredfrom device.• App developers must properlyhandle background events tohide sensitive data on screen.
  5. 5. iOS UITextFields• Known as the iOS “native keylogger”• iOS will cache text entered in these fields• Data can be forensically recovered or easilyaccessed on a jailbroken device/private/var/mobile/Library/Keyboard/UserDictionary.sqlite/private/var/mobile/Library/Keyboard/dynamic-text.dat
  6. 6. Android Content Providers• Can act as a data store for multiple applications• Often used for single applications• Must properly restrict permissions for otherapplications• Malicious apps may attempt to read from yourprovider
  7. 7. Pentesting Mobile ApplicationsObjectives:• Identify data transmitted (Protocols, hosts, ports)• MITM the client to attack application layer• Analysis of business logic and technologies used• Identify and subvert client side controls• Static analysis of application binary• Identify cached data
  8. 8. Mobile Man-in-the-Middle• Many ways to MITM apps – go with simplestconfiguration (often a HTTP proxy)• Apps using custom protocols must use networkproxies like Mallory• A variety of frameworks are available to bypasscertificate pinning.
  9. 9. Application Analysis• Compare use of the application to the datatransmitted to determine client side controls.• Construct a threat model for business logic• What are the abuse cases that relate to thebusiness?
  10. 10. Defeating Client Side Controls (Android)• Android may be easiest to modify code andrepackage apk.• Tools such as Virtuous Ten can perform thisquickly• Apps can also be manipulated with JavaDebugging methods (DDMS)
  11. 11. Defeating Client Side Controls (iOS)• iOS Objective-C runtime can be easilymanipulated with cycript/Mobile Substrate• Can jump to arbitrary points in theapplication, call functions, replace code.
  12. 12. Code Patching• Identify “simple logic”Is_our_phone_jailbroken(){if// lengthy convoluted jailbreak detectionreturn 1elsereturn 0}• Only one byte needs to be modified
  13. 13. Attack Vectors• SMS/MMS• Baseband / WiFi• APNS/GCM (Push notifications)• Interapp Comm. (Intents, URL Schemes)• Lost/Stolen device• Technology misconfigurations (OAuth, etc)• Many more…
  14. 14. Camera EXIF Data• GPS data is often embedded in photos taken• Server side components must scrub EXIF data
  15. 15. WebViews• Introduces web based vectors (XSS, CSRF, etc..)• WebView JS may be invoked and take parametersfrom native code• Some configurations can invoke native code fromJS• Caching can be an issue (NSURLConnection)
  16. 16. C Memory Management• Dangerous functions should still be avoided(strcpy(), strcmp())• Memory should still be properly cleaned whenusing malloc(), free(), realloc(), etc..
  17. 17. Static Analysis (iOS)• iOS IPAs can be decrypted with a memory dumpat runtime.• Examine archive and plist files.• The binary can be examined like traditionalcompiled binaries (‘Strings’, dump symboltable, etc..)
  18. 18. Static Analysis (Android)• Android apps are packaged as APK files. (Can beextracted with any zip utility)• Inspect package for build/debug artifacts• Search code for hardcoded strings• Useful to reconstruct code as Java• Check for native code in /libs• Examine AndroidManifest.xml
  19. 19. Personal Devices• Consider how data can beleaked• Consider what apps caninvoke your application• Consider what apps yourapplication invokes
  20. 20. Hardware Concerns• Huawei and ZTEbecoming popularsmartphonemanufacturers.• Hardware isincreasingly easy tomanufacture.
  21. 21. Carrier Concerns• Owners of customized Android ROMs mustdistribute updates themselves (they don’t).• Millions of users are left with criticalvulnerabilities.
  22. 22. Where are we?• Not everything is terrible!• iOS and Android provide ASLR, DEP, applicationsandboxes built in.• ARMv8 introduces 64bit cpus
  23. 23. Where are we going?• We are more functionality driven than ever• Threats are more malicious than ever• World population is growing• Developing nations are increasingly technical
  24. 24. Questions?
  25. 25. References•••••••••