Intro to Mobile Security Assessment:
Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.
Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously:
Led Global Application Security for F500 Insurance co.
• Focus on:
 Application Security, Mobile Security, Source Code Review
• Partnerships:
Agenda
• Overview
• Attack Vectors
• Setup
• Basic Techniques
• Advanced Tech.
• Questions
Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.
RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can’t trust user input.
Mobile Assessment: Key Difference
• User-access to runtime environment
 DEVS: **New perspective allows us to see everything you are doing**
VS...
Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of sandbox, but are still limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Implement a new kernel, turn your phone into ???
Attack Vectors
• GSM Network
• GPS
• Applications (Malware)
• Application Vuln’s (Objective-C)
• Browser Exploits
• Web Services
• Bluetooth
• WIFI (Rogue Access Points)
• NFC/RFID
Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS
 Android is more of a free-for-all
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag)
 Rarely used in 3rd party applications
• Certificate Verification
• Device Encryption
Mobile Security Assessment
• Step #1 : Jailbreak
• Step #2 : ???
• Step #3 : PROFIT!!!
Jailbreak in 30 sec
• DISCLAIMER: BRICK WARNING!!!
• DISCLAIMER: RUNTIME PROTECTIONS BECOME NIL!
• DISCLAIMER: APPSTORE DEREGULATION!
• Beware of Jailbreak SCAMMERS!
• iPhone Dev Team (blog.iphone-dev.org)
• evad3rs Team (http://evasi0n.com/)
• Android is more complicated. (SuperOneclick)
 Hardware/OS/Carrier dependent
Tools
• Jailbroken/Rooted Device
• Cydia Applications (tcpdump, sqlite, etc...)
• Android Debug Bridge (ADB)
• GDB (Runtime analysis)
• IDA Pro (Binary Reverse-Engineering)
• MobileSubstrate/Cycript
• BurpSuite (HTTP Analysis)
• Xcode/Eclipse (Custom development, binary tools)
Finding Targets
PLENTY of them out there…
650,000+ Applications in AppStore*
250,000+ listed for iPad
•App Store:
 ~/Music/iTunes/iTunes Media/Mobile Applications
 .ipa file (zip archive)
•On iOS:
 /var/mobile/Applications/<UUID>/<AppName>.app/
*Source: Techcrunch, July 2012
Techniques
The easy stuff…
Mobile Hacking 101
• Gain Access
• Look for interesting data
 Log Files
 Databases
 Crash Dumps
 In-Transit
• Cause interesting execution
 Form Input/Output
 Application Redirects
Techniques: Log File Analysis
• Applications output/store lots of logging data.
 ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE>
 /private/var/log/system.log
Techniques: Data Storage
• SQLite
 “Self-contained, zero-configuration, embeddable DB”
• Finding sqlite files…
• Automation FTW!
 find . -exec file {} \;
Techniques: Data Storage
• Pulling out data…
 SELECT * FROM <table>
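Added example (not from the original deck): the two slides above, finding SQLite files inside an app container by header rather than extension and then pulling rows out of them, as a Python script. The sandbox layout, the column-name heuristic and the sample databases are constructed here; the real container path on iOS is the /var/mobile/Applications/<UUID>/ tree named earlier.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header every SQLite 3 file starts with
# Heuristic list of column names worth a second look; extend it per engagement (assumption).
SENSITIVE = re.compile(r"pass|pwd|secret|token|session|auth|key|ssn|card", re.I)


def find_sqlite_files(root):
    """Walk an app container and return every file whose header is SQLite's magic.

    Matching on the header instead of the suffix is what `find . -exec file {} \\;`
    buys you: caches and "blobs" are often SQLite under an unrelated extension.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                        hits.append(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(hits)


def _open_ro(db_path):
    # mode=ro keeps the evidence unchanged: the reader creates no journal or WAL file.
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)


def _quote_ident(name):
    return '"' + name.replace('"', '""') + '"'   # identifiers cannot be bound as parameters


def sensitive_columns(db_path):
    """Return {table: [column, ...]} for columns whose names look like credentials."""
    found = {}
    con = _open_ro(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute("PRAGMA table_info(%s)" % _quote_ident(table))]
            flagged = [c for c in cols if SENSITIVE.search(c)]
            if flagged:
                found[table] = flagged
    finally:
        con.close()
    return found


def dump_rows(db_path, table, limit=5):
    """The slide's SELECT * FROM <table>, capped so the dump stays readable."""
    con = _open_ro(db_path)
    try:
        return con.execute("SELECT * FROM %s LIMIT ?" % _quote_ident(table), (limit,)).fetchall()
    finally:
        con.close()


def build_sample_container():
    """Constructed stand-in for /var/mobile/Applications/<UUID>/ (not a real app)."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    docs = Path(root, "Documents")
    docs.mkdir()
    cache = Path(root, "Library", "Caches")
    cache.mkdir(parents=True)
    con = sqlite3.connect(docs / "app.db")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password_hash TEXT, auth_token TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'sha1$deadbeef', 'tok_constructed_123')")
    con.execute("CREATE TABLE settings(k TEXT, v TEXT)")
    con.commit()
    con.close()
    con = sqlite3.connect(cache / "tiles.dat")          # SQLite hiding behind a .dat suffix
    con.execute("CREATE TABLE tiles(x INTEGER, y INTEGER, png BLOB)")
    con.commit()
    con.close()
    (docs / "notes.txt").write_text("not a database\n")
    return root


if __name__ == "__main__":
    root = build_sample_container()
    for db in find_sqlite_files(root):
        print(db, sensitive_columns(db))
        for table in sensitive_columns(db):
            print("  ", table, dump_rows(db, table))
```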
Techniques: SQL Injection
• Should look familiar...
Techniques: XSS Injection
• XSS is in there too...
 Be careful with WebKit. (UIWebView object)
“Of the 197 vulnerabilities, 142 are related to WebKit...”, ZDNet review of iOS 6
// user-supplied string spliced straight into JavaScript, no escaping
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
Techniques: Proxy Intercept
• Certificate errors are enforced, so the intercepting proxy's certificate must be trusted by the device.
 Manually install the Burp Suite CA cert.
 http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/
Techniques: Event Handler Abuse
• Apps can register their own handlers via plist files.
o openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"];
Techniques: Event Handler Abuse
• Finding interesting handlers…
 $> strings <target>.app/<target> | grep "://" | grep -v "http"
<string>googlegmail://</string>
<string>googlegmail://</string>
<string>mgc://</string>
<string>currents://</string>
<string>googletranslate://</string>
<string>comgoogleshopper://</string>
<string>comgoogleearth://</string>
<string>googlelatitude://</string>
<string>googlebooks://</string>
<string>currents://</string>
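Added example (not from the original deck) covering both Event Handler Abuse slides: list the schemes an app registers in its Info.plist, reproduce the `strings | grep "://" | grep -v http` sweep over a binary, and show what the handler receives for the slide's `myapp://?foo=urb&blerg=gah` call. The Info.plist and the byte buffer are constructed stand-ins, not data from any real app.

```python
import plistlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Info.plist for a hypothetical app (not taken from any real binary).
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.myapp",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "com.example.myapp",
         "CFBundleURLSchemes": ["myapp", "myapp-auth"]},
    ],
})

# Constructed stand-in for a Mach-O string table: NUL-separated C strings.
SAMPLE_BINARY = (b"\x00" * 8 + b"https://api.example.com/v1/login\x00"
                 b"myapp://?foo=%@&blerg=%@\x00" b"mgc://\x00" b"ftp://mirror\x00"
                 b"Password incorrect\x00" b"comgoogleearth://\x00")

SCHEME_RE = re.compile(rb"[A-Za-z][A-Za-z0-9+.-]*://")


def registered_url_schemes(plist_bytes):
    """Schemes the app declares under CFBundleURLTypes: each is an entry point
    that any other app on the device can reach with openURL:."""
    info = plistlib.loads(plist_bytes)
    schemes = []
    for entry in info.get("CFBundleURLTypes", []):
        schemes.extend(entry.get("CFBundleURLSchemes", []))
    return schemes


def custom_scheme_strings(binary):
    """Python equivalent of  strings <bin> | grep '://' | grep -v http  over a byte
    buffer, returning the distinct scheme prefixes in sorted order."""
    found = set()
    for m in SCHEME_RE.finditer(binary):
        scheme = m.group().decode("ascii")
        if "http" not in scheme:          # grep -v http drops http:// and https://
            found.add(scheme)
    return sorted(found)


def classify_schemes(plist_bytes, binary):
    """Split what the binary references into schemes it handles (declared in the
    plist) and schemes it opens in other apps (referenced but not declared)."""
    declared = set(registered_url_schemes(plist_bytes))
    seen = {s[:-len("://")] for s in custom_scheme_strings(binary)}
    return {"handles": sorted(declared), "opens": sorted(seen - declared)}


def handler_input(url):
    """What the app's URL handler actually receives for one invocation.

    Host, path and every query value arrive from another app, so they are
    untrusted input and need the same validation as a web form field (RULE #1).
    """
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "path": parts.path,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


if __name__ == "__main__":
    print(registered_url_schemes(SAMPLE_INFO_PLIST))
    print(custom_scheme_strings(SAMPLE_BINARY))
    print(classify_schemes(SAMPLE_INFO_PLIST, SAMPLE_BINARY))
    print(handler_input("myapp://?foo=urb&blerg=gah"))
```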
Advanced Techniques
The FUN stuff…
Advanced Techniques: Overview
• Binary Decryption
 API Tokens
 Hard-coded Passwords
• Passive/Active Fuzzing
• Reverse Engineering
 Token Generation Algorithms
• Runtime Execution Interception/Manipulation
 Interesting “hidden” methods
 Web Services API’s
Advanced Techniques: Objective-C (iOS) Primer
• Abstraction of Standard C
 Based on Smalltalk
 Designed to be “Object-oriented easy.”
 The good old days:
Buffer Overflows, Format Strings, etc... RETURN!!!
Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
 Display file headers (Mach-O and Universal)
 Display Crypt segment info
 Dump machine code
 List Shared Libraries
• ARM Processors
 RISC instruction set
 Little-endian representation
Advanced Techniques: iOS Binary Inspection
• Universal Binaries
 Contain multiple versions
o otool -f <file>
 May be encrypted
o otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO
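Added example (not from the original deck): a parsed version of the `otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO` check. It walks the load commands of each slice of a universal (fat) or thin Mach-O image and reports the `cryptid`, which tells you whether the binary must be dumped from memory before static analysis. The Mach-O images fed to it are constructed in the script, not taken from a real app.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin Mach-O, 32/64-bit
FAT_MAGIC = 0xCAFEBABE                              # universal ("fat") wrapper, big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_UUID = 0x1B
CPU_TYPE_ARM = 12


def _thin_encryption_info(image):
    """Walk one Mach-O image's load commands and report its LC_ENCRYPTION_INFO."""
    magic = struct.unpack_from("<I", image, 0)[0]
    endian = "<"                                     # ARM images are little-endian
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        magic = struct.unpack_from(">I", image, 0)[0]
        endian = ">"
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            raise ValueError("not a Mach-O image")
    header_len = 32 if magic == MH_MAGIC_64 else 28  # mach_header_64 adds a reserved word
    _, cputype, _, _, ncmds, _, _ = struct.unpack_from(endian + "7I", image, 0)
    info = {"cputype": cputype, "cryptid": None, "cryptoff": None, "cryptsize": None}
    off = header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", image, off)
        if cmdsize < 8 or off + cmdsize > len(image):
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from(endian + "III", image, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        off += cmdsize
    return info


def encryption_info(data):
    """One dict per architecture slice (fat or thin): the parsed form of
    `otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO`."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(_thin_encryption_info(data[offset:offset + size]))
        return slices
    return [_thin_encryption_info(data)]


def needs_decryption(data):
    """True if any slice still carries App Store (FairPlay) encryption (cryptid != 0).
    A slice with cryptid 0 can go straight to IDA; otherwise dump it from memory first."""
    return any(s["cryptid"] not in (None, 0) for s in encryption_info(data))


# --- constructed sample images (not from any real app) ---------------------------
def _build_thin(cryptid, magic=MH_MAGIC):
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    enc_cmd = struct.pack("<II", LC_ENCRYPTION_INFO, 20) + struct.pack("<III", 0x1000, 0x4000, cryptid)
    cmds = uuid_cmd + enc_cmd
    header = struct.pack("<7I", magic, CPU_TYPE_ARM, 9, 2, 2, len(cmds), 0)  # MH_EXECUTE, armv7
    return header + cmds


def _build_fat(images):
    header = struct.pack(">II", FAT_MAGIC, len(images))
    table, body = b"", b""
    first_offset = 8 + 20 * len(images)
    for image in images:
        table += struct.pack(">5I", CPU_TYPE_ARM, 9, first_offset + len(body), len(image), 0)
        body += image
    return header + table + body


SAMPLE_ENCRYPTED = _build_thin(1)                            # as shipped by the App Store
SAMPLE_UNIVERSAL = _build_fat([_build_thin(1), _build_thin(0)])

if __name__ == "__main__":
    for name, blob in (("thin", SAMPLE_ENCRYPTED), ("fat", SAMPLE_UNIVERSAL)):
        print(name, encryption_info(blob), "needs decryption:", needs_decryption(blob))
```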
Advanced Techniques: iOS Runtime Inspection
• Anti-Debugging (The Anti-BYOD part)
 ptrace PT_DENY_ATTACH
 sysctl check
 Known files
 Binary Packing
 Code Checksums
 Driver Checks
 Timing Measurements
 Code Obfuscation
 Junk Code
Advanced Techniques: iOS Runtime Inspection
• GDB
 Execute/load binary
 Breakpoint on start address 0x2000 (PIE may cause this to move on you)
gdb $> dump memory <filename> <start address> <end address>
Advanced Techniques: iOS Binary Inspection,
Unencrypted
• IDA Pro Binary graphing/analysis…
IDA Pro: What to look for?
• Using the Apple DEV reference
 File Writes
 Network Connections
 Keychain Access
 UI Form Fields
Advanced Techniques: iOS Runtime Manipulation
• Cycript - Javascript/Obj-C Interpreter
 Hook active apps via Mobile Substrate
 Interact with binaries in runtime using JS
http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript_Tricks
• Example:
cy# [SBAwayController.sharedAwayController isPasswordProtected]
1
cy# [UIApp.keyWindow recursiveDescription]
<KHWindow: 0x1517a0; baseClass = UIWindow; frame = (0 0; 320 480); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x151640>>
| <UIView: 0x17a120; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x17a1b0>>
| | <UIToolbar: 0x17a3f0; frame = (0 416; 320 44); autoresize = W+TM; layer = <CALayer: 0x17a0d0>>
| | | <UIToolbarButton: 0x17d150; frame = (12 0; 26 44); alpha = 0.25; opaque = NO; layer = <CALayer: 0x17d2e0>>
| | | | <UISwappableImageView: 0x17d4c0; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d570>>
| | | <UIToolbarButton: 0x17d340; frame = (153 0; 26 44); opaque = NO; layer = <CALayer: 0x14a220>>
| | | | <UISwappableImageView: 0x17a680; frame = (0 7; 26 27); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17a6e0>>
| | | <UIToolbarButton: 0x17df40; frame = (222 0; 18 44); opaque = NO; layer = <CALayer: 0x17d2b0>>
| | | | <UISwappableImageView: 0x17dbf0; frame = (3 13; 18 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17d3f0>>
Advanced Techniques: Fuzzing
• Custom scripts… (Python, Ruby, Javascript)
• Dumb or Smart
 Mutation-Based: Randomly substitute data.
 Generation-Based: Substitute based off RFC or Standards.
• Classic Targets
 Any file types. (PDF, PPT, etc…)
 Protocols (HTTP, SMS, Push Notifications, etc...)
 Image formats (PNG, TIFF, etc…)
Passive Fuzzing - iOS
• Using MobileSubstrate:
• What can we do with this?
 Application Tracing/Logging (filesystem, network, etc...)
 Turn off Jailbreak detection
 Fake GPS data... (think: location-aware security)
 The possibilities get scarier as trust grows...
Trey Keifer
847-239-5626
trey.keifer@wireharbor.com
Twitter: @wireharbor
Facebook: facebook.com/wireharbor
http://www.wireharbor.com
THANK YOU!!!
Mobile Security Assessment: 101