Mobile Code Mining For Discovery and Exploits
Who Am I?
Hemil Shah – hemil@blueinfy.net
Co-CEO & Director, Blueinfy Solutions
Past experience
eSphere Security, HBO, KPMG, IL&FS, Net Square
Interest
Web and mobile security research
Published research
Articles / Papers – Packstroem, etc.
Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
Mobile Tools – FSDroid, iAppliScan, DumpDroid
hemil@blueinfy.com
http://www.blueinfy.com
Blog – http://blog.blueinfy.com/
Enterprise Technology Trend
• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner]
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
• 2010. Flex/HTML5/Cloud/API
• 2012. HTML5/Mobile era.
Past, Present and Future
[Slide diagram with labels: Cloud, 2010, Focus]
Mobile Infrastructure
[Slide diagram: typical enterprise network with www, mail and intranet servers, router, DMZ, Internet, VPN, dial-up, other offices, Exchange, firewall, Database and RAS]
Mobile App Environment
[Slide diagram, three zones – Internet / DMZ / Trusted: Mobile client and Web Client (SOAP/JSON etc.) -> Web Server (static pages only: HTML, HTM, etc.) -> Scripted Web Engine (dynamic pages: ASP, DHTML, PHP, CGI, etc.) -> Application Servers and Integrated Framework (ASP.NET on .Net Framework, J2EE App Server, Web Services, etc.) -> Web Services -> DB and Internal/Corporate Mobile Apps]
Mobile Changes – Application Infrastructure
Changing dimension: Web vs. Mobile
(AI1) Protocols – Web: HTTP & HTTPS; Mobile: JSON, SOAP, REST etc. over HTTP & HTTPS
(AI2) Information structures – Web: HTML transfer; Mobile: JSON, JS Objects, XML, etc.
(AI3) Technology – Web: Java, DotNet, PHP, Python and so on; Mobile: Cocoa, Java with Platform SDKs, HTML5
(AI4) Information Store/Process – Web: Mainly on Server Side; Mobile: Client and Server Side
Mobile Changes – Security Threats
Changing dimension: Web vs. Mobile
(T1) Entry points – Web: Structured; Mobile: Scattered and multiple
(T2) Dependencies – Web: Limited; Mobile: Multiple technologies, information sources, protocols
(T3) Vulnerabilities – Web: Server side [Typical injections]; Mobile: Web services [Payloads], Client side [Local Storage]
(T4) Exploitation – Web: Server side exploitation; Mobile: Both server and client side exploitation
Mobile Attacks
Insecure Storage
Why applications need to store data
• Ease of use for the user
• Popularity
• Competition
• Activity with a single click
• Decreased transaction time
• Post/Get information to/from social sites
9 out of 10 applications have this vulnerability
Insecure Storage
How an attacker can gain access
• Wi-Fi
• Default password after jailbreaking (alpine)
• adb over Wi-Fi
• Physical theft
• Temporary access to the device
Insecure Storage
What information we usually find
• Authentication credentials
• Authorization tokens
• Financial statements
• Credit card numbers
• Owner's information – physical address, name, phone number
• Social site profiles/habits (social engineering material)
• SQL queries
DEMO
Insecure Network Communication
Insecure Network Channel
• Easy to perform MitM attacks, as mobile devices use untrusted networks, i.e. open/public Wi-Fi, hotspots, the carrier's network
• Applications deal with sensitive data, i.e.
  • Authentication credentials
  • Authorization tokens
  • PII (privacy violation): owner name, phone number, UDID
Insecure Network Channel
• An attacker can sniff the traffic to get access to sensitive data
• SSL is the best way to secure the communication channel
• Common issues
  • Does not disable plain HTTP requests
  • Allowing invalid certificates
  • Sensitive information in GET requests (e.g. the session token)
Unauthorized Dialing/SMS
• Social engineering using mobile devices
• Attacker plays with the user's mind
• User installs the application
• Application sends a premium-rate SMS or makes a premium-rate phone call to an unknown number
• Used by malware/Trojans
AndroidOS.FakePlayer
August 2010
• Sends costly international SMS
• One SMS costs 25 USD (INR 1250)
• Application sends SMS to 3353 & 3354 numbers in Russia
GGTracker
June 2010
• Another application which sends international SMS
• One SMS costs 40 USD (INR 2000)
• Application sends premium SMS to US numbers
UI Impersonation
• The attack has been around for a long time
• On the mobile stack it is known as UI impersonation
• Other names are phishing attack, clickjacking
• Attacker plays with the user's mind and tries to impersonate another user or another application
UI Impersonation
• Victim loses credit card information, authentication credentials or a secret
• One application can create a local push notification that looks as if it came from the App Store
• Flaw in the App Store review process – anyone can give their application any name
NetFlix
Oct 2011
• Steals the user's "netflix" account information
• Application shows the error message "Compatibility issues with the user's hardware" when the user enters username and password
• After showing the error message, the application uninstalls itself
Activity Monitoring
• Sending a blind carbon copy of each email to the attacker
• Listening to all phone calls
• Emailing the contact list and pictures to the attacker
• Reading all emails stored on the device
• Usual intention of spyware/Trojans
Activity Monitoring
Attacker can monitor –
• Audio files
• Video
• Pictures
• Location
• Contact list
• Call/browser/SMS history
• Data files
Android.Pjapps
Early 2010
• Steals/changes the user's information
• PjApps application –
  • Sends and monitors incoming SMS messages
  • Reads/writes the user's browsing history and bookmarks
  • Installs packages and opens sockets
  • Writes to external storage
  • Reads the phone's state
System Modification
• Application will attempt to modify the system configuration to hide itself (historically this is known as a ROOTKIT)
• Configuration changes make certain attacks possible, i.e. –
  • Modifying the device proxy to monitor the user's activity
  • Configuring BCC email sending to the attacker
iKee – iPhone Worm
"ikee" iPhone Worm
• Changes the root password
• Changes the wallpaper to Ricky Martin.
[Slide image: what an iPhone looks like after being infected by "ikee"]
PII Information Leakage
• Applications usually have access to the user's private information, i.e. owner name, location, physical address, AppID, phone number
• This information needs to be handled very carefully, as required by law in some countries
• Storing this information in plain text is not allowed in some countries
DEMO
Hardcoded Secrets
• Easiest way for a developer to solve complex issues/functionality
• Attacker can get this information either by reverse engineering the application or by checking local storage
DEMO
Language Specific Issues
• Applications on iOS are developed in the Objective-C language, which is derived from the classic C language
• Along with this derivation, it also inherits the security issues of the C language, i.e. overflow attacks
SQL Injection in Local Database
• Most mobile platforms use SQLite as the database to store information on the device
• Using any SQLite database browser, it is possible to access database logs which hold queries and other sensitive database information
• If the application is not filtering input, SQL injection on the local database is possible
DEMO
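The lookup below is an added example, not code from the slides: it shows the concatenated query next to its parameterised form against a constructed in-memory SQLite table, with Python's sqlite3 standing in for the on-device database. The table, rows and search input are all constructed for the demonstration.

```python
"""Local SQLite lookup, vulnerable and hardened (added example, not from the slides)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the app's local store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, card_number TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "4111-0000-0000-1111"), ("bob", "5500-0000-0000-2222")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    sql = "SELECT owner, card_number FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, owner: str) -> list:
    """Bound parameter: the input is only ever data, never SQL, so no filtering is needed."""
    sql = "SELECT owner, card_number FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> dict:
    """Run both lookups with a tautology typed into the search field (constructed input)."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        # The concatenated query becomes ... WHERE owner = 'x' OR '1'='1' and returns every row.
        "vulnerable": lookup_vulnerable(conn, payload),
        # The bound query looks for an owner literally named x' OR '1'='1 and finds nothing.
        "parameterised": lookup_parameterised(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%s: %d row(s) %r" % (name, len(rows), rows))
```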
Information in Common Services
Common Services
• The keyboard and clipboard are shared amongst all the applications.
• Information stored in the clipboard can be accessed by all applications
• Sensitive information should not be allowed to be copied/pasted in the application
DEMO
Server Side Issues
• Most applications make server-side calls to either web services or some other component. Security of the server-side component is equally as important as the client side
• Controls to be tested on the server side – security control categories for server-side applications: Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validation, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulation, Brute force, Buffer overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
Mobile Top 10 - OWASP
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
Decompiling Android Applications
• Using Apktool – http://code.google.com/p/android-apktool/
• Using Dex2Jar – http://code.google.com/p/dex2jar/
• Using aapt (bundled with the Android SDK)
APK Tool
Use Apktool to convert the binary XML of the Android manifest file to a readable format
DEMO
Dex2Jar and JAD
Use dex2jar to convert the classes.dex file in the extracted folder to .class files
Use JAD to convert the class files into Java files
DEMO
Aapt
• Android Asset Packaging Tool
• Allows you to view, create and update Zip-compatible archives
View components in an apk:
DEMO
Looking into Code
Static Code Analysis
• Introduced in Mac OS X v10.6 / Xcode 3.2; the Clang analyzer is merged into Xcode.
• Memory leakage warnings
• Run from Build -> Analyze
• Shows you the complete flow of an object from start to end
• Can be configured as an automatic analysis during the build process
Static Code Analysis – findings shown in the analyzer (slide screenshots):
• Potential memory leak
• Dead store – variable never used
• Uninitialized variable
• Type size mismatch
• Object used after release
Code Analysis with AppCodeScan
• Semi-automated tool
• Ability to extend with custom rules
• Simple tracing utility to verify and track vulnerabilities
• Simple HTML reporting which can be converted to PDF
AppCodeScan
• Sophisticated tool consisting of two components
  • Code Scanning
  • Code Tracer
• Allows you to trace back the variable
• AppCodeScan is not a completely automated static code analyzer.
• It relies only on regexes and lets you find the SOURCE of the SINK
DEMO
ScanDroid
• Ruby script to scan through source code (pattern matching) for APIs
• Also takes care of reverse engineering the application
• Makes a list of permissions
• No code trace
• No reporting
Rules in AppCodeScan
• Writing rules is very straightforward
• Rules are in an XML file which is loaded at run time
• This release has rules for iOS and Android for – Local Storage, Unsafe APIs, SQL Injection, Network Connection, SSL Certificate Handling, Client Side Exploitation, URL Handlers, Logging, Credential Management and Accessing PII.
Sample Rules - Android
Android DEMO
Sample Rules - iOS
iOS DEMO
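To make the rule-file idea concrete, here is an added example (not AppCodeScan's or ScanDroid's own code or rule format) of a regex scanner driven by an XML rule set: the rule layout, the rule ids and the "decompiled" Java lines are all constructed for this demonstration, while the API names matched are real Android and iOS identifiers.

```python
"""XML-rule-driven regex scanner (added example, not AppCodeScan's own code)."""
import re
import xml.etree.ElementTree as ET

# Constructed rule file; a real rule set would be read from disk at run time.
RULES_XML = r"""<rules>
  <rule id="AND-STORE-1" category="Local Storage" lang="android">
    <pattern>MODE_WORLD_(READABLE|WRITEABLE)</pattern>
    <note>File or preferences readable/writable by every app on the device</note>
  </rule>
  <rule id="AND-SQL-1" category="SQL Injection" lang="android">
    <pattern>(rawQuery|execSQL)\s*\(\s*"[^"]*"\s*\+</pattern>
    <note>SQL text built by string concatenation</note>
  </rule>
  <rule id="AND-LOG-1" category="Logging" lang="android">
    <pattern>Log\.[dviwe]\s*\(</pattern>
    <note>Debug logging; check whether sensitive values reach logcat</note>
  </rule>
  <rule id="IOS-SSL-1" category="SSL Certificate Handling" lang="ios">
    <pattern>setAllowsAnyHTTPSCertificate|allowsAnyHTTPSCertificateForHost</pattern>
    <note>Any HTTPS certificate accepted</note>
  </rule>
</rules>"""

# Constructed source lines standing in for dex2jar + JAD output.
SAMPLE_SOURCE = {
    "Login.java": [
        'String name = input.getText().toString();',
        'Cursor c = db.rawQuery("SELECT * FROM users WHERE name = \'" + name + "\'", null);',
        'Log.d("Login", "password=" + password);',
    ],
    "Prefs.java": [
        'SharedPreferences p = getSharedPreferences("auth", MODE_WORLD_READABLE);',
        'SharedPreferences s = getSharedPreferences("auth", MODE_PRIVATE);',
    ],
}


def load_rules(xml_text: str) -> list:
    """Parse the rule file into compiled regexes plus their metadata."""
    rules = []
    for node in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "id": node.get("id"),
            "category": node.get("category"),
            "lang": node.get("lang"),
            "pattern": re.compile(node.findtext("pattern")),
            "note": node.findtext("note"),
        })
    return rules


def scan(sources: dict, rules: list, lang: str) -> list:
    """Apply every rule for `lang` to every line.

    Returns (file, line number, rule id, category, code) tuples in source order,
    which is the SINK list a reviewer then traces back to its SOURCE by hand.
    """
    findings = []
    for fname, lines in sources.items():
        for lineno, line in enumerate(lines, start=1):
            for rule in rules:
                if rule["lang"] == lang and rule["pattern"].search(line):
                    findings.append((fname, lineno, rule["id"], rule["category"], line.strip()))
    return findings


def report(findings: list) -> None:
    """One line per hit; AppCodeScan emits HTML, this keeps it to plain text."""
    for fname, lineno, rule_id, category, code in findings:
        print("%s:%d [%s] %s: %s" % (fname, lineno, rule_id, category, code))


if __name__ == "__main__":
    report(scan(SAMPLE_SOURCE, load_rules(RULES_XML), "android"))
```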
Debuggable flag in Android
• One of the key attributes in the Android manifest file
• Under the "application" section
• Indicates whether debugging is enabled
• If the "debuggable" attribute is set to true, the application will try to connect to a local Unix socket "@jdwp-control"
• Using JDWP, it is possible to gain full access to the Java process and execute arbitrary code in the context of the debuggable application
CheckDebuggable Script
• Checks in an APK whether debuggable is enabled
• Script can be found at – http://www.espheresecurity.com/resourcestools.html
• Paper can be found at – http://www.espheresecurity.com/CheckDebuggable.pdf
DEMO
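The checker below is an added example written for this page, not the eSphere CheckDebuggable script: it reads a manifest already decoded to text by apktool and reports whether the application is debuggable, treating an absent attribute as false the way the platform does. Both manifests embedded in it are constructed samples, and the script name in the usage line is hypothetical.

```python
"""Report android:debuggable from a decoded AndroidManifest.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree exposes namespaced attributes in Clark notation: {uri}name
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Constructed manifest: debug flag left on (should never ship like this).
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest: attribute absent, which the platform treats as false.
RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def is_debuggable(manifest_xml: str) -> bool:
    """True only when <application android:debuggable="true"> is present.

    An absent attribute defaults to false; any other value (after trimming and
    lower-casing) is also treated as not debuggable.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(DEBUGGABLE_ATTR)
    return value is not None and value.strip().lower() == "true"


def check_manifest_file(path: str) -> bool:
    """Read a decoded manifest (e.g. apktool output) from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return is_debuggable(fh.read())


def main(argv: list) -> int:
    """Usage: python check_debuggable.py <path/to/AndroidManifest.xml> ...

    Exit status is 1 when any manifest is debuggable, so a build pipeline can
    gate releases on it; with no arguments the constructed samples are checked.
    """
    if not argv:
        samples = (("debug sample", DEBUG_MANIFEST), ("release sample", RELEASE_MANIFEST))
        for name, xml_text in samples:
            print("%s: debuggable=%s" % (name, is_debuggable(xml_text)))
        return 0
    worst = 0
    for path in argv:
        flag = check_manifest_file(path)
        print("%s: debuggable=%s" % (path, flag))
        worst = max(worst, 1 if flag else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```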
Conclusion – Questions?

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 

Mobile code mining for discovery and exploits nullcongoa2013

1. Mobile Code Mining For Discovery and Exploits

2. Who Am I?
   Hemil Shah (hemil@blueinfy.net), Co-CEO & Director, Blueinfy Solutions
   Past experience: eSphere Security, HBO, KPMG, IL&FS, Net Square
   Interest: Web and mobile security research
   Published research: Articles / Papers (Packstroem, etc.)
   Web tools: wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
   Mobile tools: FSDroid, iAppliScan, DumpDroid
   hemil@blueinfy.com, http://www.blueinfy.com, Blog: http://blog.blueinfy.com/

3. Enterprise Technology Trend
   • 2007: Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
   • 2008: Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner]
   • 2009: Enterprise 2.0 in action and penetrating deeper into the corporate environment
   • 2010: Flex/HTML5/Cloud/API
   • 2012: HTML5/Mobile era

4. Past, Present and Future
   (timeline figure; only the labels "Cloud", "2010" and "Focus" survive)

6. Mobile App Environment
   (architecture diagram: Web Client -> Web Server with static pages (HTML, HTM, etc.) -> Scripted Web Engine with dynamic pages (ASP, DHTML, PHP, CGI, etc.) -> Application Servers and Integrated Framework (ASP.NET on .Net Framework, J2EE App Server, Web Services, etc.), laid out across the Internet, DMZ and Trusted zones; Mobile clients reach the Web Services over SOAP/JSON etc., and the Web Services sit in front of the DB and the Internal/Corporate systems)

8. Mobile Changes: Application Infrastructure
   Changing dimension              | Web                                 | Mobile
   (AI1) Protocols                 | HTTP & HTTPS                        | JSON, SOAP, REST etc. over HTTP & HTTPS
   (AI2) Information structures    | HTML transfer                       | JSON, JS Objects, XML, etc.
   (AI3) Technology                | Java, DotNet, PHP, Python and so on | Cocoa, Java with Platform SDKs, HTML5
   (AI4) Information store/process | Mainly on server side               | Client and server side

9. Mobile Changes: Security Threats
   Changing dimension   | Web                              | Mobile
   (T1) Entry points    | Structured                       | Scattered and multiple
   (T2) Dependencies    | Limited                          | Multiple technologies, information sources, protocols
   (T3) Vulnerabilities | Server side (typical injections) | Web services (payloads); client side (local storage)
   (T4) Exploitation    | Server side exploitation         | Both server and client side exploitation
12. Insecure Storage
   Why applications store data locally:
   • Ease of use for the user
   • Popularity
   • Competition
   • Activity with a single click
   • Decreased transaction time
   • Posting/getting information to/from social sites
   9 out of 10 applications have this vulnerability

13. Insecure Storage: how an attacker gains access to the stored data
   • WiFi
   • Default root password (alpine) on a jailbroken iPhone with SSH installed
   • adb over WiFi
   • Physical theft
   • Temporary access to the device

14. Insecure Storage: what we usually find
   • Authentication credentials
   • Authorization tokens
   • Financial statements
   • Credit card numbers
   • Owner's information: physical address, name, phone number
   • Social networking profiles and habits (useful for social engineering)
   • SQL queries
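The following script is an added example for the insecure-storage slides above; it is not FSDroid, iAppliScan or any other tool from the talk. It takes the two file types that most often hold the material listed on slide 14, an Android SharedPreferences XML and an iOS property list, and reports every sensitive-looking key stored in the clear. Both sample files are constructed here; on a real target they would be pulled with `adb pull /data/data/<package>/shared_prefs/` or copied from the app container on a jailbroken iPhone. The key-name list and the two file names are assumptions for the example.

```python
"""Flag plaintext secrets in files pulled from a mobile app's sandbox.

Added illustration for the "Insecure Storage" slides; not one of the tools
named in the talk. The shared_prefs XML and the plist are constructed here.
"""
import base64
import binascii
import plistlib
import re
import xml.etree.ElementTree as ET

# Key names that usually hold material an attacker wants (assumed list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|token|secret|session|card|cvv|\bpin\b", re.I)
# Loose shape of a base64 string; "encoded" is often mistaken for "encrypted".
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# --- constructed sample files (not from a real app) ---------------------------
SHARED_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2013!</string>
    <string name="auth_token">ZGVtby1zZXNzaW9uLXRva2Vu</string>
    <int name="launch_count" value="7" />
</map>
"""

IOS_PLIST = plistlib.dumps({
    "OwnerName": "Alice Example",
    "CardNumber": "4111111111111111",
    "SessionID": "sess-01-9f3a",
})


def parse_shared_prefs(xml_bytes):
    """Android SharedPreferences XML -> {key: value as text}."""
    out = {}
    for el in ET.fromstring(xml_bytes):
        # <string> keeps the value as text; <int>, <boolean> etc. use a value= attribute
        out[el.get("name")] = el.text if el.tag == "string" else el.get("value")
    return out


def parse_plist(plist_bytes):
    """iOS property list (XML or binary) -> {key: value as text}."""
    return {k: str(v) for k, v in plistlib.loads(plist_bytes).items()}


def decode_if_base64(value):
    """Return the decoded text when value is base64 of printable text, else None."""
    if not BASE64_SHAPE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_secrets(kv, source):
    """One finding per sensitive-looking key whose value is stored in the clear."""
    findings = []
    for key, value in kv.items():
        if value is None or not SENSITIVE_KEY.search(key):
            continue
        findings.append({"file": source, "key": key, "value": value,
                         "decoded": decode_if_base64(value)})
    return findings


def scan_sandbox():
    """Scan both constructed files; returns the combined finding list."""
    return (find_secrets(parse_shared_prefs(SHARED_PREFS), "shared_prefs/creds.xml")
            + find_secrets(parse_plist(IOS_PLIST), "Library/Preferences/app.plist"))


if __name__ == "__main__":
    for f in scan_sandbox():
        note = f" (base64 of '{f['decoded']}')" if f["decoded"] else ""
        print(f"{f['file']}: {f['key']} = {f['value']}{note}")
```

The base64 check is there because a token that "looks encrypted" in a preferences file very often is not; the scanner decodes it so the report shows the session token rather than an opaque blob, and a card number that happens to fit the base64 alphabet is left alone because it does not decode to text.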
15. DEMO

17. Insecure Network Channel
   • Man-in-the-middle attacks are easy because mobile devices use untrusted networks: open/public WiFi, hotspots, the carrier's network
   • Applications deal with sensitive data:
     • Authentication credentials
     • Authorization tokens
     • PII (privacy violation): owner name, phone number, UDID

18. Insecure Network Channel
   • Sniffing the traffic gives access to the sensitive data
   • SSL is the best way to secure the communication channel
   • Common issues:
     • Plain HTTP requests are not deprecated (the application still accepts or falls back to HTTP)
     • Invalid certificates are accepted
     • Sensitive information in GET requests (the URL ends up in logs, caches and history)

21. Unauthorized Dialing/SMS
   • Social engineering using mobile devices
   • Attacker plays with the user's mind
   • User installs the application
   • Application sends a premium rate SMS or makes a premium rate phone call to an unknown number
   • Used by malware/trojans

22. AndroidOS.FakePlayer, August 2010
   • Sends costly international SMS
   • One SMS costs 25 USD (INR 1250)
   • Application sends SMS to the Russian premium numbers 3353 and 3354

23. GGTracker, June 2011
   • Another application that sends premium SMS
   • One SMS costs 40 USD (INR 2000)
   • Application sends premium SMS to US numbers

25. UI Impersonation
   • The attack has existed for a long time
   • On the mobile stack it is known as UI impersonation
   • Other names: phishing attack, clickjacking
   • Attacker plays with the user's mind and tries to impersonate another user or another application

26. UI Impersonation
   • Victim loses credit card information, authentication credentials or a secret
   • One application can create a local push notification that looks as if it came from Apple (App Store)
   • Flaw in the App Store review process: anyone can give their application any name

27. NetFlix, Oct 2011
   • Steals the user's Netflix account information
   • After the user enters username and password, the application shows the error message "Compatibility issues with the user's hardware"
   • After the error message, the application uninstalls itself
29. Activity Monitoring
   • Sending a blind carbon copy of each email to the attacker
   • Listening to all phone calls
   • Emailing the contact list and pictures to the attacker
   • Reading all emails stored on the device
   • The usual intention of spyware/trojans

30. Activity Monitoring: what an attacker can monitor
   • Audio files
   • Video
   • Pictures
   • Location
   • Contact list
   • Call/browser/SMS history
   • Data files

31. Android.Pjapps, early 2011
   • Steals/changes the user's information
   • The PjApps application can:
     • Send and monitor incoming SMS messages
     • Read/write the user's browsing history and bookmarks
     • Install packages and open sockets
     • Write to external storage
     • Read the phone's state

33. System Modification
   • The application modifies the system configuration to hide itself (historically known as a rootkit)
   • Configuration changes make certain attacks possible, e.g.:
     • Modifying the device proxy to monitor the user's activity
     • Configuring a BCC so every email is also sent to the attacker

34. iKee: iPhone worm
   • The "ikee" iPhone worm changes the root password and sets the wallpaper to a picture of Rick Astley
   • (screenshot: an iPhone after infection by "ikee")

36. PII Information Leakage
   • Applications usually have access to the user's private information: owner name, location, physical address, AppID, phone number
   • This information must be handled very carefully, as required by law in some countries
   • Storing this information in plain text is not allowed in some countries

37. DEMO
39. Hardcoded Secrets
   • The easiest way for a developer to solve complex issues/functionality
   • An attacker gets the secret either by reverse engineering the application or by inspecting local storage

40. DEMO

42. Language Specific Issues
   • iOS applications are written in Objective-C, a superset of classic C
   • Along with the language, they inherit C's security issues, e.g. overflow attacks

43. SQL Injection in Local database

44. SQL Injection in Local database
   • Most mobile platforms use SQLite as the database for information stored on the device
   • With any SQLite database browser it is possible to open the database files and read the tables, including logged queries and other sensitive database content
   • If the application does not filter input, SQL injection on the local database is possible
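The following is an added example for the local-database injection described on slide 44; it is not code from the talk. It uses Python's built-in sqlite3 module against an in-memory database so it runs anywhere, but the defect it shows is the same one found in apps that build a query string for SQLiteDatabase.rawQuery() on Android or for sqlite3_exec() via stringWithFormat: on iOS. The table, rows and payloads are constructed for the example.

```python
"""Local SQLite injection: a string-built query beside its parameterised form.

Added illustration for the "SQL Injection in Local database" slide. The
schema, rows and payloads are constructed here, not taken from a real app.
"""
import sqlite3


def build_db():
    """In-memory stand-in for an app's on-device database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "grocery list"),
         ("bob", "card 4111 1111 1111 1111 exp 12/15")],  # another user's data
    )
    return conn


def notes_vulnerable(conn, owner):
    """Builds the WHERE clause by concatenation, as the vulnerable apps do."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_safe(conn, owner):
    """Same lookup with a bound parameter; the input can never become SQL."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


# Classic tautology: returns every user's notes, not just the caller's.
TAUTOLOGY = "alice' OR '1'='1"
# UNION against sqlite_master: dumps the schema of the whole local database.
SCHEMA_DUMP = "x' UNION SELECT sql FROM sqlite_master WHERE '1'='1"


def demo():
    """Run both lookups with a legitimate value and with the two payloads."""
    conn = build_db()
    return {
        "legit": notes_vulnerable(conn, "alice"),
        "tautology": notes_vulnerable(conn, TAUTOLOGY),
        "schema": notes_vulnerable(conn, SCHEMA_DUMP),
        "safe_tautology": notes_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

The schema-dump payload is the one to try first on a device database: sqlite_master is present in every SQLite file, so a single UNION tells you which other tables (tokens, cached responses, contacts) the same injection point can reach.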
45. DEMO

47. Common Services
   • The keyboard and the clipboard are shared among all applications
   • Information placed in the clipboard can be read by every application
   • Sensitive information should not be allowed to be copied/pasted in the application

48. DEMO

50. Server Side Issues
   • Most applications make server side calls to web services or some other component. Security of the server side component is as important as that of the client side.
   • Controls to be tested on the server side (security control categories for the server side application): Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,

51. Server Side Issues (continued)
   Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.

52. Mobile Top 10 - OWASP
   • Insecure Data Storage
   • Weak Server Side Controls
   • Insufficient Transport Layer Protection
   • Client Side Injection
   • Poor Authorization and Authentication
   • Improper Session Handling
   • Security Decisions Via Untrusted Inputs
   • Side Channel Data Leakage
   • Broken Cryptography
   • Sensitive Information Disclosure
54. Decompiling android application
   • Using Apktool: http://code.google.com/p/android-apktool/
   • Using Dex2Jar: http://code.google.com/p/dex2jar/
   • Using aapt (bundled with the Android SDK)

55. APK Tool
   • Use Apktool to convert the binary Android manifest file (AndroidManifest.xml) into readable XML

56. DEMO

57. Dex2Jar and JAD
   • Use dex2jar to convert the classes.dex file in the extracted folder into a jar of .class files
   • Use JAD to decompile the class files into Java source files

58. DEMO

59. Aapt
   • Android Asset Packaging Tool
   • Lets you view, create and update Zip-compatible archives
   • View components in an apk (command shown on the slide)

60. DEMO
62. Static Code Analysis
   • Introduced in Mac OS X v10.6 / Xcode 3.2: the Clang analyzer is merged into Xcode
   • Memory leak warnings
   • Run from Build -> Analyze
   • Shows you the complete flow of an object from start to end
   • Can be configured to run automatically during the build process

64. Static Code Analysis: dead store (variable assigned but never used)

66. Static Code Analysis: type size mismatch

67. Static Code Analysis: object used after release

68. Code Analysis with AppCodeScan
   • Semi-automated tool
   • Can be extended with custom rules
   • Simple tracing utility to verify and track vulnerabilities
   • Simple HTML reporting which can be converted to PDF

69. AppCodeScan
   • Consists of two components: code scanning and a code tracer
   • The tracer lets you trace a variable back
   • AppCodeScan is not a complete automated static code analyzer
   • It relies only on regex and lets you find the SOURCE of the SINK

70. DEMO

71. ScanDroid
   • Ruby script that scans source code (pattern matching) for APIs
   • Also takes care of reverse engineering the application
   • Makes a list of permissions
   • No code trace
   • No reporting

72. Rules in AppCodeScan
   • Writing rules is very straightforward
   • Rules live in an XML file which is loaded at run time
   • This release has rules for iOS and Android covering: Local Storage, Unsafe APIs, SQL Injection, Network Connection, SSL Certificate Handling, Client Side Exploitation, URL Handlers, Logging, Credential Management and Accessing PII

73. Sample Rules - Android (rule listing shown on the slide)
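The following is an added example of the approach slides 69 and 72 describe: regex rules loaded from an XML file at run time, a scanner that matches them line by line, and a tracer that walks a variable on the matching line back to where it came from. It is not AppCodeScan's own code and does not use its rule format; the rule-file layout, rule IDs, rule categories and the Android/Objective-C snippets are invented for the example.

```python
"""Rule-driven regex scanner with a source-to-sink tracer.

Added illustration of the AppCodeScan approach (regex rules in XML, tracer
that walks a variable back from the sink line). Not AppCodeScan's code: the
rule layout, IDs and the two source snippets are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Assumed rule-file layout: one <rule> per regex, tagged with platform and category.
RULES_XML = """<rules>
  <rule id="AND-STORE-01" platform="android" category="Local Storage"
        pattern="getSharedPreferences\\(|openFileOutput\\(|MODE_WORLD_READABLE"/>
  <rule id="AND-SSL-01" platform="android" category="SSL Certificate Handling"
        pattern="ALLOW_ALL_HOSTNAME_VERIFIER|checkServerTrusted\\s*\\("/>
  <rule id="AND-LOG-01" platform="android" category="Logging"
        pattern="Log\\.[dvie]\\("/>
  <rule id="IOS-STORE-01" platform="ios" category="Local Storage"
        pattern="NSUserDefaults|writeToFile:"/>
  <rule id="IOS-SSL-01" platform="ios" category="SSL Certificate Handling"
        pattern="setAllowsAnyHTTPSCertificate|allowsAnyHTTPSCertificateForHost"/>
  <rule id="IOS-SQLI-01" platform="ios" category="SQL Injection"
        pattern="stringWithFormat:.*\\b(SELECT|INSERT|UPDATE|DELETE)\\b"/>
</rules>
"""

# Constructed Android source: world-readable prefs, password in logcat, no hostname check.
ANDROID_SRC = """\
package com.example.demo;
public class Login {
    void save(String user, String pass) {
        SharedPreferences p = getSharedPreferences("creds", MODE_WORLD_READABLE);
        p.edit().putString("password", pass).commit();
        Log.d("Login", "saved password for " + user);
    }
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
}
"""

# Constructed Objective-C source: query built with stringWithFormat:, token in NSUserDefaults.
IOS_SRC = """\
- (void)loadNote:(NSString *)noteId {
    NSString *sql = [NSString stringWithFormat:@"SELECT body FROM notes WHERE id='%@'", noteId];
    sqlite3_exec(db, [sql UTF8String], NULL, NULL, NULL);
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"session"];
}
"""


def load_rules(xml_text):
    """Parse the rule file; each rule carries a compiled regex."""
    return [{"id": r.get("id"), "platform": r.get("platform"),
             "category": r.get("category"), "regex": re.compile(r.get("pattern"))}
            for r in ET.fromstring(xml_text).iter("rule")]


def scan(source, platform, rules):
    """One finding per (rule, line) where the rule's regex matches."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule in rules:
            if rule["platform"] == platform and rule["regex"].search(line):
                findings.append({"rule": rule["id"], "category": rule["category"],
                                 "line": lineno, "text": line.strip()})
    return findings


def trace(source, lineno, identifier):
    """Lines above `lineno` that mention `identifier` as a whole word, nearest first."""
    lines = source.splitlines()
    pat = re.compile(r"\b%s\b" % re.escape(identifier))
    return [(n, lines[n - 1].strip())
            for n in range(lineno - 1, 0, -1) if pat.search(lines[n - 1])]


def run():
    """Scan both snippets and trace the iOS SQL sink back to its source."""
    rules = load_rules(RULES_XML)
    return {
        "android": scan(ANDROID_SRC, "android", rules),
        "ios": scan(IOS_SRC, "ios", rules),
        # sqlite3_exec(... sql ...) on line 3 <- sql built on line 2 <- noteId parameter on line 1
        "sql_trace": trace(IOS_SRC, 3, "sql"),
    }


if __name__ == "__main__":
    result = run()
    for platform in ("android", "ios"):
        for f in result[platform]:
            print(f"[{f['rule']}] {f['category']} line {f['line']}: {f['text']}")
    for n, text in result["sql_trace"]:
        print(f"  source of 'sql' at line {n}: {text}")
```

The tracer is deliberately as simple as the slides say AppCodeScan's is: it only finds earlier mentions of a name, so the analyst still has to read the lines it returns and decide whether the value really is attacker-controlled (here, noteId is a method parameter, so it is).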
77. Debuggable flag in Android
   • One of the key attributes in the Android manifest file, under the "application" element
   • Declares whether debugging is enabled
   • If the "debuggable" attribute is set to true, the application connects to the local Unix socket "@jdwp-control"
   • Using JDWP it is then possible to gain full access to the Java process and execute arbitrary code in the context of the debuggable application

78. CheckDebuggable Script
   • Checks whether debuggable is enabled in an APK
   • Script: http://www.espheresecurity.com/resourcestools.html
   • Paper: http://www.espheresecurity.com/CheckDebuggable.pdf
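The following is an added example covering the decompiling steps (slides 54 to 59) and the debuggable flag (slides 77 and 78); it is not the CheckDebuggable script from espheresecurity.com. It works on the readable AndroidManifest.xml that `apktool d app.apk` writes (the copy inside the APK is binary XML and must be decoded first), and besides the debuggable flag it lists the requested permissions, which is what ScanDroid does, and the components other apps can reach without holding a permission. The manifest below is constructed for the example, and the script name in the usage note is assumed.

```python
"""Audit a decoded AndroidManifest.xml: debuggable flag, permissions, exported components.

Added illustration for the decompiling and "Debuggable flag in Android" slides;
not the CheckDebuggable script. Expects apktool's decoded (text) manifest.
The sample manifest is constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(el, name):
    """Read an android:-namespaced attribute (ElementTree keys them as {ns}name)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Demo" android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.demo.notes" android:exported="true"/>
        <service android:name=".SyncService" android:permission="com.example.demo.SYNC"/>
    </application>
</manifest>
"""


def is_debuggable(manifest_xml):
    """True when <application android:debuggable="true"> is present."""
    app = ET.fromstring(manifest_xml.encode()).find("application")
    return app is not None and attr(app, "debuggable") == "true"


def permissions(manifest_xml):
    """Permissions the app requests, in manifest order."""
    root = ET.fromstring(manifest_xml.encode())
    return [attr(p, "name") for p in root.findall("uses-permission")]


def exported_components(manifest_xml):
    """Components other apps can reach that are not guarded by android:permission.

    A component counts as exported when android:exported="true", or when it has
    an intent-filter and does not say android:exported="false". Providers on
    targetSdk < 17 are exported by default even without either; that case is
    left out here.
    """
    app = ET.fromstring(manifest_xml.encode()).find("application")
    if app is None:
        return []
    found = []
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true" or (has_filter and exported != "false"):
            if attr(comp, "permission") is None:
                found.append((comp.tag, attr(comp, "name")))
    return found


def audit(manifest_xml):
    return {"debuggable": is_debuggable(manifest_xml),
            "permissions": permissions(manifest_xml),
            "exported_unprotected": exported_components(manifest_xml)}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MANIFEST
    for key, value in audit(text).items():
        print(f"{key}: {value}")
```

Usage against a real target: `apktool d app.apk` writes the decoded manifest to app/AndroidManifest.xml, which is then passed as the first argument (assumed script name audit_manifest.py: `python audit_manifest.py app/AndroidManifest.xml`). `aapt dump badging app.apk` and `aapt dump xmltree app.apk AndroidManifest.xml` print the same permissions and attributes straight from the binary manifest without decoding. To confirm the flag is live on a device rather than only declared, `adb jdwp` lists the PIDs of every process currently accepting a debugger, which is the @jdwp-control connection slide 77 refers to.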
79. DEMO