Mobile Security chess board - Attacks & Defense
Who Am I?
•  Hemil Shah – hemil@blueinfy.net
•  Co-CEO & Director, Blueinfy Solutions
•  Past experience
   –  eSphere Security, HBO, KPMG, IL&FS, Net Square
•  Interest
   –  Application security research
•  Published research
   –  Articles / Papers – Packstroem, etc.
   –  Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
   –  Mobile Tools – FSDroid, iAppliScan, DumpDroid

hemil@blueinfy.com
http://www.blueinfy.com
Blog – http://blog.blueinfy.com/
About
• Global experience: worked with clients based in USA, UAE, Europe and Asia-Pac.
• Clients/Partners include Fortune 100 companies.
• Delivery model and support
• Blackbox and Whitebox – Scanners and Code Analyzers
• Scanning tools and technology (15 years)
• Strong and tested with Fortune clients
• Integrated in SDLC
• Help clients in mitigating or lowering the risk by improving process
• In-house R&D team for the last 7 years
• Papers and presentations at conferences like RSA, Blackhat, HITB, OWASP etc.
• Books written and used as security guides

[Diagram: Know-How – Methods & Approach – Global Delivery & Team – Technology]

Ø BBC
Ø Dark Readings
Ø Bank Technology
Ø SecurityWeek
Ø MIT Technology Review
Application Security

Mobile Apps

Market Share
Mobile Top 10 - OWASP
•  Weak Server Side Controls
•  Insecure Data Storage
•  Insufficient Transport Layer Protection
•  Unintended Data Leakage
•  Poor Authorization and Authentication
•  Broken Cryptography
•  Client Side Injection
•  Security Decisions Via Untrusted Inputs
•  Improper Session Handling
•  Lack of Binary Protections

Contributors: Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies
Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
Enterprise Mobile Cases

E-commerce
•  Typical application making server side calls
•  Security issues and hacks
   –  Credit card and private data storage with poor crypto
   –  SQLite hacks
   –  SQL injection over JSON
   –  Ajax driven XSS
   –  Several XSS with Blog component
   –  Several information leaks through JSON fuzzing
•  Server side scan with tools/products failed
Banking Application
•  Scanning application for vulnerabilities
•  Typical banking application running with middleware
•  Vulnerabilities – Mobile interface
   –  Poor encoding to store SSN and PII information locally
   –  Very sensitive transaction information stored locally
   –  Default OS behavior leaking information
   –  Credentials submitted in GET request
   –  Keys/session stored in keychain file
Social Application
•  Social application on multiple platforms
   –  Application leverages a browser component as part of the mobile app
   –  Common code base for all platforms
   –  Vulnerable to:
      • Bypass of profile validation (logical) and unique device installation
      • Screenshot revealing sensitive information
      • Default OS behavior leaking information
      • Presentation layer (XSS and CSRF)
      • Unencrypted communication channel
Postmortem
•  One pattern in all the reviews - SOME INFORMATION WAS STORED LOCALLY
•  More than 99% of the applications reviewed have the LOCAL STORAGE issue, as we saw in the stats.
•  Server side and logical issues are still hard to find but have the biggest impact.
Mobile Threats and Risk

Attacks on Mobile
•  No JailBreak required
•  Ease of attack - airports/public places
Why should I worry?
•  We have MDM in place
•  We do not allow any jailbroken or rooted device in our environment with MDM
•  We have strict policy enforced and all our devices are forced to have password lock
•  May or may not have BYOD
•  OS provides encryption
Mobile Attacks
•  So what attacks are we talking about?
•  Privacy becomes important along with security in the mobile space
•  It is MOBILE, so the chances of losing the device or of someone getting physical access to it are MUCH MUCH higher than for other devices
Exploitation
•  Physical theft
•  Temporary physical access
•  Malware
•  Malicious applications
•  Lack of a standardized security review process
•  Jailbroken/rooted devices
What can be done???
•  Information found in local storage with default OS behavior –
•  Changing OS behavior -
•  Server side exploitation –
•  XSS in Mobile Hybrid application –

Technology Trends
Mobile Infrastructure
[Diagram: mobile devices reaching www, mail and intranet systems over the Internet, VPN and dial-up/RAS, through a firewall and DMZ (router, Exchange, database, other office systems)]

Mobile App Environment
[Diagram, zones Internet / DMZ / Trusted: web client -> web server (static pages only: HTML, HTM, etc.; scripted web engine with dynamic pages: ASP, DHTML, PHP, CGI, etc.) -> application servers and integrated framework (ASP.NET on .NET Framework, J2EE app server, web services, etc.) -> DB. Mobile clients call the web services over SOAP/JSON etc. from the Internet zone; the DB sits in the internal/corporate zone]
Mobile Architecture
[Diagram: server side components – Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc., on top of Runtime, Platform and Operating System Components. Client side components (browser) – HTML 5, DOM, XHR, WebSocket, Storage, WebSQL, Flash, Flex, AMF, Silverlight, WCF, XAML, .NET, Storage, JS. Mobile – Android, iPhone/iPad, Other]
Game is complex – Chess

Challenges
•  Different code base
•  Achieve things with a single click
•  Vendor review process - not transparent – can we rely on it???
•  Decrease transaction time
•  Competition
•  Rapid business requirements result in a high frequency of updates
Frequency of updates
•  Very high compared to web applications
•  Usually, 4-5 updates in a year for web applications, or even less at times
•  Usually, 10-12 updates in mobile applications, or even more in some cases
•  We all have accepted that an application needs to be reviewed before going to production – DID WE???

Frequency of Updates

Application Name   Number of Releases in iOS   Number of Releases in Android
Facebook           19                          34
Twitter            22                          25
Chase Bank         9                           2
eBay               9                           4
Amazon             10                          3
Temple Run 2       12                          10
FB Messenger       12                          10
Whatsapp           4                           154
skype              8                           6
Top 5 vulnerabilities
•  From the stats of eSphere data -
[Bar chart, 0-100 scale, of the most frequent findings:]
   –  Local Storage
   –  Sensitive information stored in logs / default OS behaviour
   –  Copy/Paste enabled in sensitive fields - privacy issue
   –  Cross Site Scripting
   –  SQL Injection over JSON or other streams
Mobile Attacks

Weak Server Side Controls

Server Side Issues
•  Most applications make server side calls to either web services or some other component. Security of the server side component is equally as important as the client side.
•  Controls to be tested on the server side –
   Security control categories for the server side application – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,

Server Side Issues
•  Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
Insecure Data Storage

Insecure Storage
•  How an attacker can gain access
   •  Wifi
   •  Default password after jailbreaking (alpine)
   •  Adb over wifi
   •  Physical theft
   •  Temporary access to device

What
•  What information
   –  Authentication credentials
   –  Authorization tokens
   –  Financial statements
   –  Credit card numbers
   –  Owner's information – physical address, name, phone number
   –  Social engineering sites profile/habits
   –  SQL queries
Insufficient Transport Layer Protection

Insecure Network Channel
•  Easy to perform MitM attacks as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, carrier's network
•  Application deals with sensitive data, i.e.
   •  Authentication credentials
   •  Authorization token
   •  PII information (privacy violation) (owner name, phone number, UDID)

Insecure Network Channel
•  Can sniff the traffic to get access to sensitive data
•  SSL is the best way to secure the communication channel
•  Common issues
   •  Does not deprecate HTTP requests
   •  Allowing invalid certificates
   •  Sensitive information in GET requests – session token
Unintended Data Leakage

Unintended Data Leakage
•  Platform issues – sandboxing or disabled controls
•  Cache
•  Logs, keystrokes, screenshots etc.
•  Temp files
•  3rd party libs (ad networks and analytics)

Data Leakage
•  Default OS behavior after iOS 4.0 is to cache all the URLs (request/response) in local storage, in a file named Cache.db
•  The Cache.db file is not encrypted
•  By default, the application takes a last screenshot and saves it to the file system when the user presses the home button
Poor Authorization and Authentication

Authorization & Authentication
•  No password complexity, especially on mobile
•  Hidden/no logout button
•  Long session time out
•  No account lock out
•  Authorization flags or decisions based on the local storage
Broken Cryptography

Cryptography
•  Broken implementation
•  Hash/encoding used in place of encryption
•  Client side script in place of SSL
Client Side Injection

SQL Injection in Local database
•  Most mobile platforms use SQLite as the database to store information on the device
•  Using any SQLite database browser, it is possible to access database logs which have queries and other sensitive database information
•  In case the application is not filtering input, SQL injection on the local database is possible
Security Decisions Via Untrusted Inputs

Untrusted Source
•  Any input from the client side which can be modified
•  Mainly authentication and authorization decisions based on the untrusted input
•  Easiest way for a developer to solve complex issues/functionality
•  Attacker can get this information either by reverse engineering the application or by checking local storage

KeyChain Dumper
•  Easy as running a command
•  Upload on to server in /var directory
•  Give execute permission
   •  chmod +x /var/keychain_dumper
•  Get all the keys
   •  ./keychain_dumper
Improper Session Handling

Improper Session
•  Session is key for any application for authorization
•  Session is stored in binary format but can be easily reversed
•  Application is sending sensitive information in GET request (be it on HTTP or HTTPS)
Lack of Binary Protection

Lack of Binary Protection
•  Apple signs and encrypts all the binaries
•  Still, strings can be retrieved from the binary
•  Storing encryption and decryption keys on the client side is still a problem
Automation in Application Reviews

Manual Review
•  Looking for information in local storage manually is really –
   –  Time consuming
   –  Tedious
   –  Prone to false negatives (how accurately can you check files more than once in an hour, when the file formats are all different)

Manual Review - iOS

What do we need
•  Automation!!!
•  Automation!!!
•  Automation!!!
•  Automation!!!
•  Automation!!!
•  Unfortunately no complete automation is available today BUT some of the tools which can be handy are -
Snoop-it
•  The only tool today to automate iOS application reviews
•  Very handy and gives a perfect pointer where to look
•  A long way to go for automation like web

Snoop-it (Cont…)
•  Snoop-it helps you monitor –
   –  File system access
   –  Keychain access
   –  HTTP(S) connections
   –  Access to sensitive API
   –  Debug outputs
   –  Tracing app internals

Snoop-it (Cont…)
•  Along with monitoring, Snoop-it allows you to -
   –  Fake hardware identifier
   –  Fake location/GPS data
   –  Explore and force display of available ViewControllers
   –  List custom URL schemes
   –  List available Objective-C classes, objects and methods
   –  Bypass basic jailbreak detection mechanisms

Snoop-it
iAppliScan
•  iAppliScan allows you to automate iOS application review.
•  Interesting features –
   –  Look for sensitive information in files/directories
   –  Find whether a particular file exists or not
   –  Download file for further analysis
   –  Run external command

iAppliScan
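An added example of the kind of automation the deck calls for, in the spirit of the "look for sensitive information in files/directories" feature but not iAppliScan's own code: a Python scanner that walks a copied application directory, reads SQLite databases table by table, and applies a Luhn check so that random 16-digit numbers do not drown the real card numbers. The directory layout, plist content and database rows are constructed for the example:

```python
import os
import re
import sqlite3
import tempfile

# Constructed detection patterns: an e-mail address and a 13-16 digit number
# with optional spaces or dashes between digits (a card-number candidate).
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(rb"\b(?:\d[ -]?){12,15}\d\b"),
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters card false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_bytes(data):
    """Return (kind, value) hits for one blob of file or cell content."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(data):
            value = m.group(0).decode("ascii", "replace")
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # digits that do not pass Luhn are not a card number
            hits.append((kind, value))
    return hits


def is_sqlite(path):
    """SQLite files start with a fixed 16-byte magic header."""
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def scan_sqlite(path):
    """Read every table of a SQLite file and scan each cell (text or blob)."""
    hits = []
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"%s"' % table.replace('"', '""')
            for row in conn.execute("SELECT * FROM %s" % quoted):
                for cell in row:
                    if cell is None:
                        continue
                    data = cell if isinstance(cell, bytes) else str(cell).encode()
                    hits.extend((table + ":" + k, v) for k, v in scan_bytes(data))
    finally:
        conn.close()
    return hits


def scan_directory(root):
    """Map relative file path -> hits for every file under a copied app directory."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite(path):
                hits = scan_sqlite(path)
            else:
                with open(path, "rb") as f:
                    hits = scan_bytes(f.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_app_dir():
    """Constructed stand-in for a copied iOS app sandbox: one plist, one SQLite db."""
    root = tempfile.mkdtemp(prefix="appdir-")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        f.write(b"<plist><dict><key>user</key><string>alice@example.com</string>"
                b"<key>pan</key><string>4111 1111 1111 1111</string>"
                b"<key>order</key><string>1234 5678 9012 3456</string></dict></plist>")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    conn = sqlite3.connect(os.path.join(docs, "orders.db"))
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.execute("INSERT INTO cards VALUES ('bob', '5500000000000004')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for path, hits in scan_directory(build_sample_app_dir()).items():
        print(path, hits)
```

The "order" number in the plist is rejected by the Luhn check, which is the kind of false positive a manual file-by-file review has no systematic way to filter.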
  
Review without JailBreak

Reviewing without jailbreaking
•  Is it really possible to review an application without jailbreaking?
•  "YES"
•  "YES"
•  "YES"
•  "YES"

Reviewing without jailbreaking
•  Plenty of tools available (especially for forensics) to browse the application directory without jailbreaking.
•  iFunBox allows you to view files on the device without jailbreak
   •  Displays application's permissions
   •  Browse the installed application directory

Reviewing without jailbreaking
•  Copy the entire application directory multiple times
•  Look for sensitive information in the files
•  Use a proxy on a non-jailbroken device to check all server side attacks.

Reviewing with iFunbox
Automation in Android

Manual Review - Android

FSDroid
•  Leverages SDK class – no hacks in here!!!
•  FSDroid can –
   –  Monitor the file system
   –  Apply a filter to monitor a particular directory
   –  Save the last 5 reports for future use
   –  Does not need a mobile device – can run on the emulator smoothly
   –  Easy to run (as easy as giving the directory name and pressing the start button)

File System Monitoring Demo
Looking into Code

Static Code Analysis
•  Introduced in Mac OS X v10.6, Xcode 3.2: the Clang analyzer merged into Xcode.
•  Memory leakage warnings
•  Run from Build->Analyze
•  Innovative: shows you the complete flow of an object from start to end
•  Configure as an automatic analysis during the build process

Static Code Analysis
[Screenshot: Potential Memory Leak]

Static Code Analysis
[Screenshot: Dead store – variable never used]
Code Analysis with AppCodeScan
•  Semi automated tool
•  Ability to expand with custom rules
•  Simple tracing utility to verify and track vulnerabilities
•  Simple HTML reporting which can be converted to PDF

AppCodeScan
•  Sophisticated tool consisting of two components
   •  Code Scanning
   •  Code Tracer
•  Allows you to trace back the variable
•  AppCodeScan is not a completely automated static code analyzer.
•  It only relies on regex and lets you find the SOURCE of the SINK

Rules in AppCodeScan
•  Writing rules is very straightforward
•  In an XML file which is loaded at run time
•  This release has rules for iOS and Android for - Local Storage, Unsafe APIs, SQL Injection, Network Connection, SSL Certificate Handling, Client Side Exploitation, URL Handlers, Logging, Credential Management and Accessing PII.

Sample Rules - Android

Android DEMO

Sample Rules - iOS

iOS DEMO
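An added example, not AppCodeScan's own rule format or code: a minimal regex rule engine in Python that loads rules from an XML document at run time and scans source text line by line, with constructed rules for four of the categories listed above (Local Storage, Logging, SQL Injection, SSL Certificate Handling). The iOS and Android source snippets it scans are constructed too; the API names in the patterns are real platform APIs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule file. Each rule carries a platform, a category, a regex and
# the finding text a reviewer should see; this is not AppCodeScan's real schema.
RULES_XML = r"""<rules>
  <rule id="ios-nsuserdefaults" category="Local Storage" platform="ios">
    <pattern>\[\s*NSUserDefaults\s+standardUserDefaults\s*\]</pattern>
    <message>NSUserDefaults is a plain plist on disk; do not keep secrets there</message>
  </rule>
  <rule id="ios-nslog" category="Logging" platform="ios">
    <pattern>\bNSLog\s*\(</pattern>
    <message>NSLog output lands in the device log and can leak sensitive data</message>
  </rule>
  <rule id="android-sharedprefs-world" category="Local Storage" platform="android">
    <pattern>MODE_WORLD_(READABLE|WRITEABLE)</pattern>
    <message>World-readable/writeable storage is reachable by other applications</message>
  </rule>
  <rule id="android-allow-all-hostnames" category="SSL Certificate Handling" platform="android">
    <pattern>ALLOW_ALL_HOSTNAME_VERIFIER</pattern>
    <message>Hostname verification disabled; any valid certificate passes</message>
  </rule>
  <rule id="android-rawquery-concat" category="SQL Injection" platform="android">
    <pattern>rawQuery\s*\(\s*"[^"]*"\s*\+</pattern>
    <message>SQL built by string concatenation; bind parameters instead</message>
  </rule>
</rules>"""


def load_rules(xml_text):
    """Parse the XML rule document into a list of dicts with compiled regexes."""
    rules = []
    for node in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "id": node.get("id"),
            "category": node.get("category"),
            "platform": node.get("platform"),
            "regex": re.compile(node.findtext("pattern")),
            "message": node.findtext("message"),
        })
    return rules


def scan_source(source_text, rules, platform):
    """Return (line number, rule id, category, line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for rule in rules:
            if rule["platform"] == platform and rule["regex"].search(line):
                findings.append((lineno, rule["id"], rule["category"], line.strip()))
    return findings


# Constructed source snippets with the defects the rules are meant to catch.
IOS_SAMPLE = """
- (void)saveSession:(NSString *)token {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    [defaults setObject:token forKey:@"session"];
    NSLog(@"session token %@", token);
}
"""

ANDROID_SAMPLE = """
SharedPreferences prefs = getSharedPreferences("auth", MODE_WORLD_READABLE);
Cursor c = db.rawQuery("SELECT * FROM users WHERE name = '" + name + "'", null);
SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for platform, src in (("ios", IOS_SAMPLE), ("android", ANDROID_SAMPLE)):
        for lineno, rule_id, category, line in scan_source(src, rules, platform):
            print("%s:%d [%s] %s -> %s" % (platform, lineno, category, rule_id, line))
```

As the deck says, a regex hit only locates a candidate sink; whether the value reaching it is attacker-controlled is what the tracer step has to establish.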
  
Debuggable flag in Android
•  One of the key attributes in the Android manifest file
•  Under the "application" section
•  Describes whether debugging is enabled
•  If the "debuggable" attribute is set to true, the application will try to connect to a local unix socket "@jdwp-control"
•  Using JDWP, it is possible to gain full access to the Java process and execute arbitrary code in the context of the debuggable application

CheckDebuggable Script
•  Checks in the APK whether debuggable is enabled
•  Script can be found at – http://www.espheresecurity.com/resourcestools.html
•  Paper can be found at - http://www.espheresecurity.com/CheckDebuggable.pdf
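An added example, not the CheckDebuggable script itself: a Python check of a decoded (text) AndroidManifest.xml for android:debuggable on the <application> element, covering the set, unset and missing-application cases. It assumes the binary manifest inside the APK has already been decoded to XML, for instance with apktool; the manifests below are constructed:

```python
import xml.etree.ElementTree as ET

# Namespace that every android:* attribute in a manifest is bound to.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def is_debuggable(manifest_xml):
    """Return (debuggable, reason) for a decoded AndroidManifest.xml string.

    Only the android:debuggable attribute of the <application> element counts;
    when it is absent the platform default is false."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is <%s>, expected <manifest>" % root.tag)
    app = root.find("application")
    if app is None:
        return False, "no <application> element in manifest"
    raw = app.get("{%s}debuggable" % ANDROID_NS)
    if raw is None:
        return False, "android:debuggable not declared (defaults to false)"
    return raw.strip().lower() == "true", "android:debuggable=%s" % raw


def check_manifests(named_manifests):
    """Batch form for a review: {name: xml} -> {name: (debuggable, reason)}."""
    results = {}
    for name, xml_text in named_manifests.items():
        try:
            results[name] = is_debuggable(xml_text)
        except (ET.ParseError, ValueError) as exc:
            results[name] = (None, "unparseable manifest: %s" % exc)
    return results


# Constructed manifests: a debug build, a release build and a broken one.
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:label="Sample" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

NO_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.empty"/>"""


if __name__ == "__main__":
    for name, (flag, reason) in check_manifests({
        "debug.apk": DEBUG_MANIFEST,
        "release.apk": RELEASE_MANIFEST,
        "empty.apk": NO_APP_MANIFEST,
        "garbage.apk": "<not-xml",
    }).items():
        print(name, flag, reason)
```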
  
	
  
Conclusion

Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile ApplicationsGreg Patton
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...MongoDB
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov
 

Similar a Mobile security chess board - attacks & defense (20)

Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Mobile security services 2012
Mobile security services 2012Mobile security services 2012
Mobile security services 2012
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android Apps
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
The Loss of Intellectual Property in the Digital Age: What Companies can d…
The Loss of Intellectual Property in the Digital Age: What Companies can d…The Loss of Intellectual Property in the Digital Age: What Companies can d…
The Loss of Intellectual Property in the Digital Age: What Companies can d…
 
WebApp_to_Container_Security.pdf
WebApp_to_Container_Security.pdfWebApp_to_Container_Security.pdf
WebApp_to_Container_Security.pdf
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
Mobile Services & E-Services Case Study By Osama Abushaban
Mobile Services & E-Services Case Study By Osama AbushabanMobile Services & E-Services Case Study By Osama Abushaban
Mobile Services & E-Services Case Study By Osama Abushaban
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile Applications
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
Information Security
Information SecurityInformation Security
Information Security
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
 

Más de Blueinfy Solutions

Más de Blueinfy Solutions (10)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 

Último

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyAnusha Are
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxalwaysnagaraju26
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 

Último (20)

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodology
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

Mobile security chess board - attacks & defense

1. Mobile Security chess board - Attacks & Defense

2. Who Am I?
• Hemil Shah – hemil@blueinfy.net
• Co-CEO & Director, Blueinfy Solutions
• Past experience
  – eSphere Security, HBO, KPMG, IL&FS, Net Square
• Interest
  – Application security research
• Published research
  – Articles / Papers – Packstroem, etc.
  – Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
  – Mobile Tools – FSDroid, iAppliScan, DumpDroid
hemil@blueinfy.com
http://www.blueinfy.com
Blog – http://blog.blueinfy.com/

3. About
• Global experience – worked with clients based in USA, UAE, Europe and Asia-Pac.
• Clients/Partners include Fortune 100 companies.
• Delivery model and support
• Blackbox and Whitebox – Scanners and Code Analyzers
• Scanning tools and technology (15 years)
• Strong and tested with Fortune clients
• Integrated in SDLC
• Help client in mitigating or lowering the risk by improving process
• In-house R&D team for the last 7 years
• Papers and presentations at conferences like RSA, Blackhat, HITB, OWASP etc.
• Books written and used as security guides
Know-How / Methods & Approach / Global Delivery & Team / Technology
Ø BBC
Ø Dark Readings
Ø Bank Technology
Ø SecurityWeek
Ø MIT Technology Review
Application Security

6. Mobile Top 10 - OWASP
• Weak Server Side Controls
• Insecure Data Storage
• Insufficient Transport Layer Protection
• Unintended Data Leakage
• Poor Authorization and Authentication
• Broken Cryptography
• Client Side Injection
• Security Decisions Via Untrusted Inputs
• Improper Session Handling
• Lack of Binary Protections
Contributors: Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies
Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions

8. E-commerce
• Typical application making server side calls
• Security issues and hacks
  – Credit card and private data storage with poor crypto
  – SQLite hacks
  – SQL injection over JSON
  – Ajax driven XSS
  – Several XSS with Blog component
  – Several information leaks through JSON fuzzing
• Server side scan with tools/products failed

9. Banking Application
• Scanning application for vulnerabilities
• Typical banking application running with middleware
• Vulnerabilities – Mobile interface
  – Poor encoding to store SSN and PII information locally
  – Very sensitive transaction information stored locally
  – Default OS behavior leaking information
  – Credentials submitted in GET request
  – Keys/session stored in keychain file

10. Social Application
• Social application on multiple platforms
  – Application leverages browser component as part of the mobile app
  – Common code base for all platforms
  – Vulnerable
    • Bypass profile validation (logical) and unique device installation
    • Screenshot revealing sensitive information
    • Default OS behavior leaking information
    • Presentation layer (XSS and CSRF)
    • Unencrypted communication channel

11. Postmortem
• One pattern in all the reviews - SOME INFORMATION WAS STORED LOCALLY
• More than 99% of the application reviews have the LOCAL STORAGE issue, as we saw in the stats.
• Server side and logical issues are still hard to find but have the biggest impact.

13. Attacks on Mobile
• No JailBreak required
• Ease of attack - Airports/Public places

14. Why should I worry?
• We have MDM in place
• We do not allow any JailBroken or rooted device in our environment with MDM
• We have strict policy enforced and all our devices are forced to have password lock
• May or may not have BYOD
• OS provides encryption

15. Mobile Attacks
• So what attacks are we talking about?
• Privacy becomes important along with the security in mobile space
• It is MOBILE, so the chances of losing the device or someone getting physical access to it are MUCH MUCH higher than for other devices

16. Exploitation
• Physical theft
• Temporary physical access
• Malware
• Malicious applications
• Lack of standardized security review process
• JailBroken/Rooted devices

17. What can be done???
• Information found in local storage with default OS behavior –
• Changing OS behavior -
• Server side exploitation –
• XSS in Mobile Hybrid application –

18. Technology Trends

19. Mobile Infrastructure
(Diagram labels: www, mail, intranet, router, DMZ, Internet, VPN, Dial-up, Other Offices, Exchange, firewall, Database, RAS)

20. Mobile App Environment
(Diagram labels: Web Client; Web Server - Static pages only (HTML, HTM, etc.); Scripted Web Engine - Dynamic pages (ASP, DHTML, PHP, CGI, etc.); Application Servers and Integrated Framework - ASP.NET on .Net Framework, J2EE App Server, Web Services, etc.; zones: Internet, DMZ, Trusted, Internal/Corporate; Mobile - Web Services - SOAP/JSON etc. - DB)

21. Mobile Architecture
(Diagram labels: Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc., Runtime, Platform, Operating System Components; Server side Components; Client side Components (Browser): HTML 5, DOM, XHR, WebSocket, Storage, WebSQL, Flash, Flex, AMF, Silverlight, WCF, XAML, .NET, Storage, JS, Android, iPhone/iPad, Other Mobile)

22. Game is complex – Chess

24. Challenges
• Different code base
• Achieve things with a single click
• Vendor review process - not transparent – can we rely on it???
• Decrease transaction time
• Competition
• Rapid business requirements result in high frequency of updates

25. Frequency of updates
• Very high compared to web applications
• Usually, 4-5 updates in a year for web applications, or even less at times
• Usually, 10-12 updates in a year for mobile applications, or even more in some cases
• We all have accepted that an application needs to be reviewed before going to production – DID WE???

26. Frequency of Updates
Application Name   Number of Releases in iOS   Number of Releases in Android
Facebook           19                          34
Twitter            22                          25
Chase Bank         9                           2
eBay               9                           4
Amazon             10                          3
Temple Run 2       12                          10
FB Messenger       12                          10
Whatsapp           4                           154
skype              8                           6

27. Mobile Attacks
• So what attacks are we talking about?
• Privacy becomes important along with the security in mobile space
• It is MOBILE, so the chances of losing the device or someone getting physical access to it are MUCH MUCH higher than for other devices

28. Mobile Top 10 - OWASP
• Weak Server Side Controls
• Insecure Data Storage
• Insufficient Transport Layer Protection
• Unintended Data Leakage
• Poor Authorization and Authentication
• Broken Cryptography
• Client Side Injection
• Security Decisions Via Untrusted Inputs
• Improper Session Handling
• Lack of Binary Protections
Contributors: Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies
Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions

29. Top 5 vulnerability
• From the stats of eSphere data -
(Chart, axis 0-100: Local Storage; Sensitive Information stored in Logs/Default OS Behaviour; Copy/Paste enabled in sensitive fields - Privacy issue; Cross Site Scripting; SQL Injection over JSON or other streams)

31. Weak Server Side Controls

32. Server Side Issues
• Most applications make server side calls to either web services or some other component. Security of the server side component is equally as important as the client side.
• Controls to be tested on the server side – Security control categories for server side application: Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,

33. Server Side Issues
• Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.

35. Insecure Storage
• How an attacker can gain access
• Wifi
• Default password after jail breaking (alpine)
• Adb over wifi
• Physical theft
• Temporary access to device

36. What
• What information
  – Authentication credentials
  – Authorization tokens
  – Financial statements
  – Credit card numbers
  – Owner's information – physical address, name, phone number
  – Social networking sites profile/habits
  – SQL queries

38. Insecure Network Channel
• Easy to perform MitM attacks as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, carrier's network
• Application deals with sensitive data, i.e.
  • Authentication credentials
  • Authorization token
  • PII information (privacy violation) (owner name, phone number, UDID)

39. Insecure Network Channel
• Can sniff the traffic to get access to sensitive data
• SSL is the best way to secure the communication channel
• Common issues
  • Does not deprecate HTTP requests
  • Allowing invalid certificates
  • Sensitive information in GET requests

42. Unintended Data Leakage
• Platform issues – sandboxing or disabled controls
• Cache
• Logs, keystrokes, screenshots etc.
• Temp files
• 3rd party libs (AD networks and analytics)

43. Data Leakage
• Default OS behavior after iOS 4.0 is to cache all the URLs (Request/Response) in local storage in a file named cache.db
• The cache.db file is not encrypted
• By default, the application takes a last screenshot and saves it to the file system when the user presses the home button

44. Poor Authorization and Authentication

45. Authorization & Authentication
• No password complexity, especially on mobile
• Hidden/No logout button
• Long session time out
• No account lock out
• Authorization flags or decisions based on the local storage

47. Cryptography
• Broken implementation
• Hash/Encoding used in place of encryption
• Client side script in place of SSL

49. SQL Injection in Local database
• Most mobile platforms use SQLite as the database to store information on the device
• Using any SQLite database browser, it is possible to access database logs which have queries and other sensitive database information
• In case the application is not filtering input, SQL injection on the local database is possible
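The local-database injection described on slide 49, shown as an added example (this is not code from the deck or from Blueinfy): a constructed in-memory SQLite store standing in for an app's on-device database, a query built by string concatenation, and the same query with a bound parameter. Table and column names are assumptions made for the example.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an app's on-device SQLite store (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice's grocery list"), ("bob", "bob's card PIN reminder")],
    )
    conn.commit()
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """The defect slide 49 describes: the caller-supplied value is pasted into the
    SQL text, so a value containing quotes changes the query instead of matching it."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL,
    so the same input only ever matches (or fails to match) a row."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = build_sample_db()
    # A value that is not a valid owner name: the concatenated query returns every
    # row, the parameterised query returns nothing.
    odd_input = "' OR '1'='1"
    print("vulnerable:", notes_for_owner_vulnerable(db, odd_input))
    print("safe:      ", notes_for_owner_safe(db, odd_input))
```

The same binding discipline is what the platform APIs offer: Android's `SQLiteDatabase.rawQuery(sql, selectionArgs)` takes the values separately from the SQL, and the C SQLite API used on iOS binds them with `sqlite3_bind_text` and friends. Filtering input (slide 49's wording) is a weaker substitute for binding, because the filter must anticipate every quoting rule of the engine.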
50. Security Decisions Via Untrusted Inputs

51. Untrusted Source
• Any input from the client side which can be modified
• Mainly authentication and authorization decisions based on the untrusted input
• Easiest way for a developer to solve complex issues/functionality
• Attacker can get this information by either reverse engineering the application or by checking local storage

52. KeyChain Dumper
• Easy as running a command
• Upload on to server in /var directory
• Give execute permission
• chmod +x /var/keychain_dumper
• Get all the keys
• ./keychain_dumper

54. Improper Session
• Session is key for any application for authorization
• Session is stored in binary format but is easily reversible
• Application is sending sensitive information in GET request (be it on HTTP or HTTPS)
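The transport issues listed on slides 39 and 54 (cleartext HTTP, invalid certificates accepted, sensitive values in GET query strings) as an added example, not code from the deck: a weak TLS client configuration beside a hardened one, and two audit functions that flag each of the three issues. The example uses Python's `ssl` module to show the settings; the mobile app would apply the same checks through its platform's networking API. The parameter-name list is an assumption.

```python
import ssl
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that should never travel in a URL (assumed list; extend per app).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "sessionid",
                    "auth", "ssn", "pin", "card"}


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: chain and hostname verification switched off, so any
    certificate (including one presented by an interposed proxy) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected form: system CA verification, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Report every weakening of certificate validation in a client context."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate chain not verified (CERT_NONE/OPTIONAL)")
    if not ctx.check_hostname:
        issues.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("pre-TLS1.2 protocol versions allowed")
    return issues


def audit_request(method: str, url: str) -> list:
    """Flag cleartext requests and sensitive parameters carried in a GET query
    string (which ends up in proxy logs, server logs and the device's URL cache)."""
    issues = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        issues.append("cleartext HTTP request")
    if method.upper() == "GET":
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                issues.append(f"sensitive parameter '{name}' in GET query string")
    return issues


if __name__ == "__main__":
    print("weak context:    ", audit_context(insecure_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
    # Constructed request of the kind slide 54 describes.
    print(audit_request("GET", "http://m.example.com/login?user=alice&password=x"))
    print(audit_request("POST", "https://m.example.com/login"))
```

A POST over HTTPS with the credential in the body passes both audits; moving the value out of the URL is what keeps it out of cache.db-style URL caches (slide 43) as well as out of server logs.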
  • 55. Lack  of  Binary  protecIon  
  • 56. Lack  of  Binary  ProtecIon   •  Apple  signs  and  encrypts  all  the  binaries     •  SIll  strings  can  be  retrieved  from  the  binary     •  Storing  EncrypIon  and  DecrypIon  keys  in   the  client  side  is  sIll  a  problem      
  • 58. Manual  Review     •  Looking  for  informaIon  in  local  storage   manually  is  really  –     –  Time  Consuming   –  Tedious   –  Prone  to  be  false  negaIves  (how  accurately  you   can  check  files  more  than  once  in  an  hour  and  file   formats  are  different)    
  • 60. What  do  we  need   •  AutomaIon!!!   •  AutomaIon!!!   •  AutomaIon!!!   •  AutomaIon!!!   •  AutomaIon!!!   •  Unfortunately  no  complete  automaIon  is   available  today  BUT  some  of  the  tools  which   can  be  handy  are  -­‐      
  • 61. Snoop-­‐it   •  The  only  tool  today  to  automate  iOS   applicaIon  reviews   •  Very  handy  and  gives  perfect  pointer  where   to  look  for   •  A  long  way  to  go  for  automaIon  like  web    
• 62. Snoop-it (Cont…)
  • Snoop-it helps you monitor
    – File system access
    – Keychain access
    – HTTP(S) connections
    – Access to sensitive APIs
    – Debug outputs
    – Tracing of app internals
• 63. Snoop-it (Cont…)
  • Along with monitoring, Snoop-it allows you to
    – Fake hardware identifiers
    – Fake location/GPS data
    – Explore and force the display of available ViewControllers
    – List custom URL schemes
    – List available Objective-C classes, objects and methods
    – Bypass basic jailbreak detection mechanisms
• 65. iAppliScan
  • iAppliScan allows you to automate iOS application review
  • Interesting features
    – Look for sensitive information in files/directories
    – Find whether a particular file exists or not
    – Download a file for further analysis
    – Run an external command
• 68. Reviewing without jailbreaking
  • Is it really possible to review an application without jailbreaking?
  • "YES"
  • "YES"
  • "YES"
  • "YES"
• 69. Reviewing without jailbreaking
  • Plenty of tools are available (especially for forensics) to browse the application directory without jailbreaking
  • iFunBox allows you to view files on the device without a jailbreak
  • Displays the application's permissions
  • Browses the installed application's directory
• 70. Reviewing without jailbreaking
  • Copy the entire application directory multiple times (e.g. before and after login or other key actions, so the copies can be compared)
  • Look for sensitive information in the copied files
  • Point the non-jailbroken device at an intercepting proxy to check all server-side attacks
  • 73. Manual  Review  -­‐  Android  
• 74. FSDroid
  • Leverages an SDK class – no hacks in here!!!
  • FSDroid can
    – Monitor the file system
    – Take a filter to monitor a particular directory
    – Save the last 5 reports for future use
    – Run without a physical device – it runs smoothly on the emulator
    – Be run easily (as easy as giving a directory name and pressing the Start button)
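Added example (not from the deck, and not the code of iAppliScan, iFunBox or FSDroid): the automation the preceding slides ask for, in one script. It serves slide 65/70 (grep a copied app directory for sensitive data, reading SQLite files table by table rather than as raw bytes) and slide 74 (watch what the app writes by diffing two snapshots of the directory). The sandbox layout, file contents, secrets and regexes are constructed for this example; point `scan_tree` and `snapshot` at a real copied directory to use it.

```python
import hashlib
import os
import re
import sqlite3
import tempfile

# Regexes a reviewer greps a copied sandbox for. Constructed list; extend per target.
# Each pattern has one capture group holding the value worth reporting.
PATTERNS = {
    "password": re.compile(r'(?i)(?:password|passwd|pwd)(?:["\']?\s*[=:]\s*["\']?|["\']>)([^<\s"\']+)'),
    "token": re.compile(r'(?i)(?:token|bearer)["\']?\s*[=:]\s*["\']?([A-Za-z0-9._\-]{16,})'),
    "card_number": re.compile(r"\b((?:\d[ -]?){15}\d)\b"),
}
SQLITE_MAGIC = b"SQLite format 3\x00"


def text_chunks(path):
    """Yield scannable text for one file; SQLite databases are dumped row by row as
    col=value pairs so that column names (auth_token, pin, ...) take part in matching."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(SQLITE_MAGIC):
        con = sqlite3.connect(path)
        names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                yield " ".join("%s=%s" % (c, v) for c, v in zip(cols, row))
        con.close()
    else:
        yield data.decode("utf-8", "replace")


def scan_tree(root):
    """Sorted (relative path, finding kind, value) triples for the whole tree."""
    findings = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for text in text_chunks(path):
                for kind, rx in PATTERNS.items():
                    for m in rx.finditer(text):
                        findings.add((rel, kind, m.group(1)))
    return sorted(findings)


def snapshot(root):
    """Relative path -> SHA-256 of content; take one before and one after an app action."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Which files the app created, deleted or rewrote between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, changed


def build_sample_sandbox():
    """Constructed stand-in for a copied Android app directory (shared_prefs, databases,
    files). Every value in it is invented for this example."""
    root = tempfile.mkdtemp(prefix="appdir_")
    for sub in ("shared_prefs", "databases", "files"):
        os.mkdir(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "com.example.app_preferences.xml"), "w") as fh:
        fh.write("<?xml version='1.0' encoding='utf-8'?><map>"
                 '<string name="username">alice</string>'
                 '<string name="password">Summer2014!</string></map>')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE session (id INTEGER, auth_token TEXT)")
    con.execute("INSERT INTO session VALUES (1, 'eyJhbGciOiJIUzI1NiJ9.sessionpayload.sig')")
    con.commit()
    con.close()
    with open(os.path.join(root, "files", "app.log"), "w") as fh:
        fh.write("2014-04-01 10:00:01 checkout ok card=4111 1111 1111 1111 user=bob\n")
    return root


if __name__ == "__main__":
    root = build_sample_sandbox()
    before = snapshot(root)
    for hit in scan_tree(root):
        print("%-45s %-12s %s" % hit)
    # Stand-in for the app writing a cache file between two copies of the directory.
    with open(os.path.join(root, "files", "cache.tmp"), "w") as fh:
        fh.write("tmp")
    print(diff_snapshots(before, snapshot(root)))
```

Running it reports the password in shared preferences, the token inside the SQLite table and the card number in the log, then shows `files/cache.tmp` as newly created. The snapshot diff is what makes "copy the directory multiple times" pay off: only the files that changed after login or checkout need a close look.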
• 76. Looking into Code
• 77. Static Code Analysis
  • Introduced in Mac OS X v10.6 / Xcode 3.2: the Clang static analyzer is merged into Xcode
  • Warns about memory leaks
  • Run from Build > Analyze (Product > Analyze in later Xcode versions)
  • Innovative: shows you the complete flow of an object from start to end
  • Can be configured to run automatically as part of the build process
• 78. Static Code Analysis: Potential Memory Leak
• 79. Static Code Analysis: Dead store – variable never used
• 80. Code Analysis with AppCodeScan
  • Semi-automated tool
  • Can be extended with custom rules
  • Simple tracing utility to verify and track vulnerabilities
  • Simple HTML reporting that can be converted to PDF
• 81. AppCodeScan
  • Sophisticated tool consisting of two components
    • Code Scanner
    • Code Tracer
  • Allows you to trace a variable back
  • AppCodeScan is not a complete automated static code analyzer
  • It relies on regular expressions only and lets you find the SOURCE of the SINK
• 82. Rules in AppCodeScan
  • Writing rules is very straightforward
  • Rules live in an XML file that is loaded at run time
  • This release has rules for iOS and Android covering Local Storage, Unsafe APIs, SQL Injection, Network Connections, SSL Certificate Handling, Client-Side Exploitation, URL Handlers, Logging, Credential Management and Access to PII
  • 83. Sample  Rules  -­‐  Android    
  • 85. Sample  Rules  -­‐  iOS    
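Added example (not from the deck and not AppCodeScan itself): a small regex-driven scanner in the same spirit as slides 80..85, so the "find the SOURCE of the SINK" idea can be seen working. Rules are loaded from XML at run time, each `<pattern>` is a regex whose last capture group names the variable reaching the sink, and `trace_source` walks upward from the sink to the assignment of that variable and recurses into the identifiers on its right-hand side. The rule file format, rule ids, categories and both source snippets are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule file in the spirit of a regex-driven scanner. The tag names,
# categories and rule ids are this example's own; it is not AppCodeScan's format.
RULES_XML = r"""<rules>
  <rule id="AND-SQLI-1" platform="android" category="SQL Injection" severity="high">
    <pattern>\.(rawQuery|execSQL)\s*\(\s*([A-Za-z_]\w*)</pattern>
    <note>Variable passed to SQLite as SQL text; trace it back to its source</note>
  </rule>
  <rule id="AND-LOG-1" platform="android" category="Logging" severity="medium">
    <pattern>Log\.[dviwe]\s*\(\s*[^,]+,\s*([A-Za-z_]\w*)</pattern>
    <note>Variable written to logcat</note>
  </rule>
  <rule id="IOS-SSL-1" platform="ios" category="SSL Certificate Handling" severity="high">
    <pattern>setAllowsAnyHTTPSCertificate:\s*YES</pattern>
    <note>Private NSURLRequest API that disables certificate validation</note>
  </rule>
  <rule id="IOS-LOG-1" platform="ios" category="Logging" severity="medium">
    <pattern>NSLog\s*\(\s*@"[^"]*"\s*,\s*([A-Za-z_]\w*)</pattern>
    <note>Variable written to the device console log</note>
  </rule>
</rules>"""

# Constructed source snippets to scan (invented for this example).
SAMPLE_ANDROID = """\
public class NoteDao {
    public Cursor find(SQLiteDatabase db, String userInput) {
        String query = "SELECT * FROM notes WHERE owner = '" + userInput + "'";
        Log.d(TAG, query);
        return db.rawQuery(query, null);
    }
}
"""
SAMPLE_IOS = """\
- (void)login:(NSString *)password {
    NSString *pwd = password;
    NSLog(@"logging in with %@", pwd);
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:url.host];
}
"""

STRING_LIT = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
NOT_INPUTS = {"new", "null", "nil", "true", "false", "this", "self", "return"}


def load_rules(xml_text):
    """Rules are loaded at run time from XML; each <pattern> is a regex."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        rules.append({"id": r.get("id"), "platform": r.get("platform"),
                      "category": r.get("category"), "severity": r.get("severity"),
                      "pattern": re.compile(r.findtext("pattern")), "note": r.findtext("note")})
    return rules


def scan_source(source, rules, platform):
    """Line-by-line sink search; one hit per (rule, line), in rule order."""
    hits = []
    for rule in rules:
        if rule["platform"] != platform:
            continue
        for lineno, line in enumerate(source.splitlines(), 1):
            m = rule["pattern"].search(line)
            if m:
                hits.append({"rule": rule["id"], "category": rule["category"], "line": lineno,
                             "code": line.strip(), "var": m.group(m.lastindex) if m.lastindex else None})
    return hits


def trace_source(source, var, sink_line, depth=3):
    """Walk upward from the sink to the nearest assignment of `var`, then recurse into
    the identifiers on its right-hand side. None means no assignment exists above:
    the value is a parameter, field or other external input, i.e. the SOURCE."""
    lines = source.splitlines()
    rx = re.compile(r"\b%s\s*=(?!=)\s*(.+?);" % re.escape(var))
    for lineno in range(sink_line - 1, 0, -1):
        m = rx.search(lines[lineno - 1])
        if not m:
            continue
        rhs = STRING_LIT.sub('""', m.group(1))  # ignore words inside string literals
        inputs = [i for i in IDENT.findall(rhs) if i not in NOT_INPUTS and i != var]
        step = {"line": lineno, "code": lines[lineno - 1].strip(), "inputs": inputs, "via": {}}
        if depth > 0:
            step["via"] = {i: trace_source(source, i, lineno, depth - 1) for i in inputs}
        return step
    return None


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for platform, src in (("android", SAMPLE_ANDROID), ("ios", SAMPLE_IOS)):
        for hit in scan_source(src, rules, platform):
            print(hit["rule"], hit["line"], hit["code"])
            if hit["var"]:
                print("   traced:", trace_source(src, hit["var"], hit["line"]))
```

On the Android snippet the `rawQuery` sink resolves to `query`, which was built from `userInput`, for which no assignment exists above: a method parameter, so the reviewer knows to look at the callers. As on slide 81, this is regex matching, not a parser; it will miss assignments split across lines or made through setters, which is why the tracer exists to let a human confirm each hit.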
• 87. Debuggable flag in Android
  • One of the key attributes in the Android manifest file
  • Under the "application" element
  • Declares whether debugging is enabled; it defaults to false when absent
  • If "android:debuggable" is set to true, the application will connect to the local abstract Unix socket "@jdwp-control"
  • Over JDWP it is possible to gain full access to the Java process and execute arbitrary code in the context of the debuggable application
• 88. CheckDebuggable Script
  • Checks in an APK whether debuggable is enabled
  • Script can be found at http://www.espheresecurity.com/resourcestools.html
  • Paper can be found at http://www.espheresecurity.com/CheckDebuggable.pdf
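Added example (not from the deck and not the CheckDebuggable script): the manifest check itself, written against a decoded `AndroidManifest.xml` (the one inside the APK is binary XML; it is assumed here that it has first been decoded with apktool). The attribute lives in the `android` namespace, so a naive lookup of `"android:debuggable"` misses it, and when it is absent the platform default of false applies. The sample manifests are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def is_debuggable(manifest_xml):
    """True when <application android:debuggable="true"> is declared in a decoded
    AndroidManifest.xml. The attribute is namespaced, so it must be looked up as
    {namespace}debuggable; when absent, the platform default is false."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    value = app.get("{%s}debuggable" % ANDROID_NS, "false")
    return value.strip().lower() == "true"


def check_decoded_apk(decoded_dir):
    """Convenience wrapper for an apktool output directory (assumed layout:
    AndroidManifest.xml at the top level)."""
    with open(os.path.join(decoded_dir, "AndroidManifest.xml"), "rb") as fh:
        return is_debuggable(fh.read())


# Constructed manifests (invented for this example).
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Example" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""
RELEASE_MANIFEST = DEBUG_MANIFEST.replace(' android:debuggable="true"', "")
EXPLICIT_FALSE = DEBUG_MANIFEST.replace('debuggable="true"', 'debuggable="false"')

if __name__ == "__main__":
    for name, xml in (("debug", DEBUG_MANIFEST), ("release", RELEASE_MANIFEST),
                      ("explicit-false", EXPLICIT_FALSE)):
        print("%-15s debuggable=%s" % (name, is_debuggable(xml)))
```

Two quick cross-checks that need no decoding: `aapt dump badging app.apk` prints an `application-debuggable` line for a debuggable package, and on a connected device `adb jdwp` lists the PIDs of every process currently offering a JDWP connection, which is exactly what the "@jdwp-control" bullet above describes.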