Gursev kalra _mobile_application_security_testing - ClubHack2009

•

0 recomendaciones•953 vistas

ClubHack

Tecnología

Mobile Application
Security Testing

Gursev Kalra
Dec 5, 2009

Agenda

►Introduction
►Browser Based Mobile Applications
►Installable Mobile Applications
►Intercepting Application Traffic
►Various Traffic Interception Schemes
►Mobile Traffic and SSL
►Conclusion

www.foundstone.com
© 2008, McAfee, Inc.

Introduction

►Who am I?
■ Senior Security Consultant – Foundstone
Professional Services
■ Web Applications, Networks…

www.foundstone.com
© 2008, McAfee, Inc.

Introduction

►Mobile Applications
■ Tremendous growth in consumer and business
mobile applications
■ Many new players
■ Security aspects might get overlooked

www.foundstone.com
© 2008, McAfee, Inc.

Browser Based Mobile Applications

www.foundstone.com
© 2008, McAfee, Inc.

Installable Mobile Applications

www.foundstone.com
© 2008, McAfee, Inc.

Intercepting Application Traffic for
Nokia S40 Series Phones

• Set up a custom web proxy and obtain its IP and port

• Edit the configuration WML and change proxy IP and
port to the custom web proxy

• Compile WML to a provisioning (WBXML) file

• Transfer the new settings to S40 mobile phone

• Activate custom settings and access the Internet
using new settings

www.foundstone.com
© 2008, McAfee, Inc.

Intercepting Application Traffic for
Nokia S60 Series Phones

• Set up a custom web proxy and obtain its
IP and port

• Create duplicate of existing Access Point
settings

• For the copy created, change the proxy
IP and port to the custom proxy

• Access Internet using custom proxy
settings

www.foundstone.com
© 2008, McAfee, Inc.

Proxy With Public IP Address

 Phone with Application
 Access Point: Service provider default settings
 Proxy Server Address: W1.X2.Y3.Z4 (Public IP)
 Port Number: 8888 Internet

 Public IP: W1.X2.Y3.Z4
 Paros/Fiddler/Burp/Charles: Web
Proxy running on port 8888

W1.X2.Y3.Z4 www.foundstone.com
© 2008, McAfee, Inc.

Proxy On WLAN

 Phone with Application
 WLAN Netw. Name: PenTest Internet
 WLAN Mode: WPA2
 Proxy Server Address: SSID: PenTest
192.168.30.102 IP: 192.168.30.100
 Port Number: 8888

192.168.30.101

 Paros/Fiddler/Burp/Charles:
Web Proxy running on port
8888

www.foundstone.com
192.168.30.102 © 2008, McAfee, Inc.

Proxy With One Phone

Internet

 Public IP - Connected to Internet
via Mobile Phone Modem
 Paros/Fiddler/Burp/Charles:
Web Proxy running on port 8888

 Phone with Application
 Phone as a Modem
 Access Point: Service provider default
W1.X2.Y3.Z4 settings
 Proxy Server Address: W1.X2.Y3.Z4
www.foundstone.com
 Port Number: 8888 © 2008, McAfee, Inc.

Proxy With External Internet
Connection

Internet
 Phone with Application
 Access Point: Service provider default
settings
 Proxy Server Address: W1.X2.Y3.Z4
 Port Number: 8888
USB Modem

 Public IP - Connected to Internet
via Mobile Phone Modem
 Paros/Fiddler/Burp/Charles:
Web Proxy running on port
8888

W1.X2.Y3.Z4 www.foundstone.com
© 2008, McAfee, Inc.

Mobile Traffic Interception and SSL

• Export your web proxy’s certificated in DER format

• Copy the certificate file to a web server

• Set the MIME type of the directory to which the certificate is copied
to application/x-x509-ca-cert

• Use the mobile web browser to browse to the certificate file

• Import the certificate when prompted

• Delete the un-trusted certificate after testing

www.foundstone.com
© 2008, McAfee, Inc.

Conclusion

►Mobile applications extend traditional
network boundaries and introduce new
avenues of attack
►They often have access to sensitive
business and personal information
►They are constantly challenging and
extending their reach
►Security is critical and should be part of
SDLC!!

www.foundstone.com
© 2008, McAfee, Inc.

Queries

www.foundstone.com
© 2008, McAfee, Inc.

Thank You

Gursev Kalra
gursev(dot)kalra(at)foundstone(dot)com

www.foundstone.com
© 2008, McAfee, Inc.

Más contenido relacionado

La actualidad más candente

PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP SecurityPROIDEA

SIP, Unified Communications (UC) and SecurityDan York

Building a WebRTC Communication and collaboration platform - techleash barcampALTANAI BISHT

Vibe headline benefits 0411Robbie Graham

Yeastar My pbx u100_datasheet_enErick E. Guillén Araya

Product Overview: April 2015 (Si3D)SI3D systems

Yeastar My pbx u200_datasheet_enErick E. Guillén Araya

WebRTC Opens the FloodgatesChristina Inge

La actualidad más candente (8)

PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security

SIP, Unified Communications (UC) and Security

Building a WebRTC Communication and collaboration platform - techleash barcamp

Vibe headline benefits 0411

Yeastar My pbx u100_datasheet_en

Product Overview: April 2015 (Si3D)

Yeastar My pbx u200_datasheet_en

WebRTC Opens the Floodgates

Destacado

Mobile application security – effective methodology, efficient testing! hem...owaspindia

Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata

Pentesting Mobile Applications (Prashant Verma)ClubHack

Cybersecurity Best Practices in Financial ServicesJohn Rapa

How to scale mobile application security testingNowSecure

Mobile Apps Security Testing -1Krisshhna Daasaarii

iOS Application Pentestingn|u - The Open Security Community

Web and Mobile Application SecurityPrateek Jain

Basic Guide For Mobile Application TestingSourabh Kasliwal

Security Testing Mobile ApplicationsDenim Group

iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)

The curious case of mobile app security.pptxAnkit Giri

Pentesting iOS Applicationsjasonhaddix

Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies

Mobile Application Securitycclark_isec

Security testingbaskar p

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham

Destacado (17)

Mobile application security – effective methodology, efficient testing! hem...

Mobile Application Security Testing (Static Code Analysis) of Android App

Pentesting Mobile Applications (Prashant Verma)

Cybersecurity Best Practices in Financial Services

How to scale mobile application security testing

Mobile Apps Security Testing -1

iOS Application Pentesting

Web and Mobile Application Security

Basic Guide For Mobile Application Testing

Security Testing Mobile Applications

iOS-Application-Security-iAmPr3m

The curious case of mobile app security.pptx

Pentesting iOS Applications

Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com

Mobile Application Security

Security testing

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Similar a Gursev kalra _mobile_application_security_testing - ClubHack2009

Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields

Understanding WiFi Security Vulnerabilities and Solutionshemantchaskar

Understanding WiFi Security Vulnerabilities and SolutionsAirTight Networks

Top Ten Web Hacking Techniques (2008)Jeremiah Grossman

Cidway Banking 02 2011lfilliat

Hacking intranet websitesshehab najjar

Networking Social 2009Marvin Nurse

Advanced Wi-Fi pentestingYunfei Yang

Ssl Vpn presentation at CoolTech clubiplotnikov

Fy09 Sask Tel Learn It Ie7 And Ie8 Joel Semeniuksim100

End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)BAKOTECH

End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH

News bytes Sept-2011Ashwin Patil, GCIH, GCIA, GCFE

Palo Alto Networks y la tecnología de Next Generation FirewallMundo Contact

VoIP Wars: Attack of the Cisco PhonesFatih Ozavci

Pangpse training q12011Joe Palo Alto

Top Ten Web Hacking Techniques (2010)Jeremiah Grossman

Top Ten Web Hacking Techniques – 2008Jeremiah Grossman

Information Security Risk Managementipspat

CTR350 Cradlepoint Product Brochure (quantum-wireless.com)Ari Zoldan

Similar a Gursev kalra _mobile_application_security_testing - ClubHack2009 (20)

Shmoocon 2010 - The Monkey Steals the Berries

Understanding WiFi Security Vulnerabilities and Solutions

Top Ten Web Hacking Techniques (2008)

Cidway Banking 02 2011

Hacking intranet websites

Networking Social 2009

Advanced Wi-Fi pentesting

Ssl Vpn presentation at CoolTech club

Fy09 Sask Tel Learn It Ie7 And Ie8 Joel Semeniuk

End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)

End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...

News bytes Sept-2011

Palo Alto Networks y la tecnología de Next Generation Firewall

VoIP Wars: Attack of the Cisco Phones

Pangpse training q12011

Top Ten Web Hacking Techniques (2010)

Top Ten Web Hacking Techniques – 2008

Information Security Risk Management

CTR350 Cradlepoint Product Brochure (quantum-wireless.com)

Más de ClubHack

India legal 31 october 2014ClubHack

Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack

Cyber InsuranceClubHack

Summarising Snowden and Snowden as internal threatClubHack

Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack

The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack

Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack

Smart Grid Security by Falgun RathodClubHack

Legal Nuances to the Cloud by Ritambhara AgrawalClubHack

Infrastructure Security by Sivamurthy HiremathClubHack

Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack

Hacking and Securing iOS Applications by Satish BomissttyClubHack

Critical Infrastructure Security by Subodh BelgiClubHack

Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack

XSS Shell by Vandan JoshiClubHack

Clubhack Magazine Issue February 2012ClubHack

ClubHack Magazine issue 26 March 2012ClubHack

ClubHack Magazine issue April 2012ClubHack

ClubHack Magazine Issue May 2012ClubHack

ClubHack Magazine – December 2011ClubHack

Más de ClubHack (20)

India legal 31 october 2014

Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore

Cyber Insurance

Summarising Snowden and Snowden as internal threat

Fatcat Automatic Web SQL Injector by Sandeep Kamble

The Difference Between the Reality and Feeling of Security by Thomas Kurian

Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...

Smart Grid Security by Falgun Rathod

Legal Nuances to the Cloud by Ritambhara Agrawal

Infrastructure Security by Sivamurthy Hiremath

Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan

Hacking and Securing iOS Applications by Satish Bomisstty

Critical Infrastructure Security by Subodh Belgi

Content Type Attack Dark Hole in the Secure Environment by Raman Gupta

XSS Shell by Vandan Joshi

Clubhack Magazine Issue February 2012

ClubHack Magazine issue 26 March 2012

ClubHack Magazine issue April 2012

ClubHack Magazine Issue May 2012

ClubHack Magazine – December 2011

Último

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

Commit 2024 - Secret Management made easyAlfredo García Lavilla

How to write a Business Continuity PlanDatabarracks

What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada

Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3

DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell

Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3

WordPress Websites for Engineers: Elevate Your Brandgvaughan

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada

The State of Passkeys with FIDO Alliance.pptxLoriGlavin3

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3

TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal

Gursev kalra _mobile_application_security_testing - ClubHack2009

1. Mobile Application Security Testing Gursev Kalra Dec 5, 2009

2. Agenda ►Introduction ►Browser Based Mobile Applications ►Installable Mobile Applications ►Intercepting Application Traffic ►Various Traffic Interception Schemes ►Mobile Traffic and SSL ►Conclusion www.foundstone.com © 2008, McAfee, Inc.

7. Intercepting Application Traffic for Nokia S40 Series Phones • Set up a custom web proxy and obtain its IP and port • Edit the configuration WML and change proxy IP and port to the custom web proxy • Compile WML to a provisioning (WBXML) file • Transfer the new settings to S40 mobile phone • Activate custom settings and access the Internet using new settings www.foundstone.com © 2008, McAfee, Inc.

8. Intercepting Application Traffic for Nokia S60 Series Phones • Set up a custom web proxy and obtain its IP and port • Create duplicate of existing Access Point settings • For the copy created, change the proxy IP and port to the custom proxy • Access Internet using custom proxy settings www.foundstone.com © 2008, McAfee, Inc.

9. Proxy With Public IP Address  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4 (Public IP)  Port Number: 8888 Internet  Public IP: W1.X2.Y3.Z4  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.

10. Proxy On WLAN  Phone with Application  WLAN Netw. Name: PenTest Internet  WLAN Mode: WPA2  Proxy Server Address: SSID: PenTest 192.168.30.102 IP: 192.168.30.100  Port Number: 8888 192.168.30.101  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 www.foundstone.com 192.168.30.102 © 2008, McAfee, Inc.

11. Proxy With One Phone Internet  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888  Phone with Application  Phone as a Modem  Access Point: Service provider default W1.X2.Y3.Z4 settings  Proxy Server Address: W1.X2.Y3.Z4 www.foundstone.com  Port Number: 8888 © 2008, McAfee, Inc.

12. Proxy With External Internet Connection Internet  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4  Port Number: 8888 USB Modem  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.

13. Mobile Traffic Interception and SSL • Export your web proxy’s certificated in DER format • Copy the certificate file to a web server • Set the MIME type of the directory to which the certificate is copied to application/x-x509-ca-cert • Use the mobile web browser to browse to the certificate file • Import the certificate when prompted • Delete the un-trusted certificate after testing www.foundstone.com © 2008, McAfee, Inc.

14. Conclusion ►Mobile applications extend traditional network boundaries and introduce new avenues of attack ►They often have access to sensitive business and personal information ►They are constantly challenging and extending their reach ►Security is critical and should be part of SDLC!! www.foundstone.com © 2008, McAfee, Inc.

Gursev kalra _mobile_application_security_testing - ClubHack2009

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (8)

Destacado

Destacado (17)

Similar a Gursev kalra _mobile_application_security_testing - ClubHack2009

Similar a Gursev kalra _mobile_application_security_testing - ClubHack2009 (20)

Más de ClubHack

Más de ClubHack (20)

Último

Último (20)

Gursev kalra _mobile_application_security_testing - ClubHack2009