SlideShare a Scribd company logo

Mobile security chess board - attacks & defense

B
Blueinfy Solutions

This document discusses mobile security and provides an overview of attacks and defenses. It begins with an introduction to common mobile security issues like weak storage of sensitive data. Examples are given covering threats to mobile e-commerce, banking, and social applications. The document also outlines the mobile threat landscape, including attacks that don't require jailbreaking, and privacy risks. It concludes with a discussion of technology trends in mobile architectures and the complexity of securing the mobile environment.

Software
1 of 89
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
Mobile  Security  chess  board  -­‐   A4acks  &  Defense  
Who Am I? ‱  Hemil  Shah  –  hemil@blueinfy.net   ‱  Co-­‐CEO  &  Director,  Blueinfy  Solu>ons   ‱  Past  experience     –  eSphere  Security,  HBO,  KPMG,  IL&FS,  Net  Square   ‱  Interest   –  ApplicaIon  security  research   ‱  Published  research   –  ArIcles  /  Papers  –  Packstroem,  etc.   –  Web  Tools  –  wsScanner,  scanweb2.0,  AppMap,  AppCodeScan,  AppPrint  etc.   –  Mobile  Tools  –  FSDroid,  iAppliScan,  DumpDroid   hemil@blueinfy.com   h4p://www.blueinfy.com   Blog  –  h4p://blog.blueinfy.com/  
About ‱ Global  experience  worked   clients  based  in  USA,  UAE,   Europe  and  Asia-­‐pac.   ‱ Clients/Partners  include   Fortune  100  companies.   ‱ Delivery  model  and  support   ‱ Blackbox  and  Whitebox  –   Scanners  and  Code  Analyzers   ‱ Scanning  tools  and  technology   (15  years)   ‱ Strong  and  tested  with   Fortune  clients   ‱ Integrated  in  SDLC   ‱ Help  client  in  miIgaIng  or   lowering  down  the  Risk  by   improving  process   ‱ In  house  R&D  team  for  last  7   years   ‱ Papers  and  PresentaIons  at   conference  like  RSA,  Blackhat,   HITB,  OWASP  etc.   ‱ Books  wri4en  and  used  as   security  guides   Know-­‐How   Methods  &   Approach   Global   Delivery  &   Team   Technology   Ă˜ïƒ˜â€ŻBBC   Ă˜ïƒ˜â€ŻDark  Readings   Ă˜ïƒ˜â€ŻBank  Technology   Ă˜ïƒ˜â€ŻSecurityWeek   Ă˜ïƒ˜â€ŻMIT  Technology  Review   ApplicaIon  Security    
Mobile  Apps  
Market  Share  
Mobile  Top  10  -­‐  OWASP   ‱  Weak  Server  Side  Controls   ‱  Insecure  Data  Storage   ‱  InsuïŹƒcient  Transport  Layer  ProtecIon   ‱  Unintended  Data  Leakage   ‱  Poor  AuthorizaIon  and  AuthenIcaIon   ‱  Broken  Cryptography   ‱  Client  Side  InjecIon   ‱  Security  Decisions  Via  Untrusted  Inputs   ‱  Improper  Session  Handling   ‱  Lack  of  Binary  ProtecIons     Contributor : Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
Enterprise  Mobile  Cases  
E-­‐commerce   ‱  Typical  applicaIon  making  server  side  calls   ‱  Security  issues  and  hacks   –  Credit  card  and  Private  data  storage  with  poor  crypto   –  SQLite  hacks   –  SQL  injecIon  over  JSON   –  Ajax  driven  XSS   –  Several  XSS  with  Blog  component   –  Several  informaIon  leaks  through  JSON  fuzzing   ‱  Server  side  scan  with  tools/products  failed    
Banking  ApplicaIon   ‱  Scanning  applicaIon  for  vulnerabiliIes   ‱  Typical  banking  running  with  middleware     ‱  VulnerabiliIes  –  Mobile  interface   –  Poor  encoding  to  store  SSN  and  PII  informa>on   locally   –  Very  sensi>ve  transac>on  informa>on  stored   locally   –  Default  OS  Behavior  leaking  informa>on   –  CredenIals  submi4ed  in  GET  request   –  Keys/session  stored  in  keychain Â ïŹle  
Social  ApplicaIon   ‱  Social  ApplicaIon  on  mulIple  plagorms   –  ApplicaIon  leverages  browser  component  as  part   of  the  mobile   –  Common  code  base  for  all  plagorms   –  Vulnerable     ‱ Bypass  ProïŹle  validaIon  (Logical)  and  unique  device   installaIon     ‱ Screenshot  revealing  sensi>ve  informa>on     ‱ Default  OS  Behavior  leaking  informa>on   ‱ PresentaIon  layer  (XSS  and  CSRF)   ‱ Unencrypted  Communica>on  channel  
Postmortem   ‱  One  pa4ern  in  all  the  reviews  -­‐  SOME   INFORMATION  WAS  STORED  LOCALLY   ‱  More  than  99%  of  the  applicaIon  review  has   the  LOCAL  STORAGE  issue  as  we  saw  in  stats.   ‱  Server  side  and  logical  issues  are  sIll  hard  to   ïŹnd  but  have  biggest  impact.    
Mobile  Threats  and  Risk  
A4acks  on  Mobile   ‱  No JailBreak Required ‱  Ease of attack - Airports/Public places
Why  should  I  worry?   ‱  We  have  MDM  in  place   ‱  We  do  not  allow  any  JailBreak  or  rooted   device  in  our  environment  with  MDM   ‱  We  have  strict  policy  enforced  and  all  our   devices  are  forced  to  have  password  lock   ‱  May  or  may  not  have  BYOD     ‱  OS  provides  encrypIon  
Mobile  A4acks   ‱  So  What  a4acks  are  we  talking  about?     ‱  Privacy  becomes  important  along  with  the   Security  in  mobile  space   ‱  It  is  MOBILE  so  chances  of  loosing  device  or   someone  gemng  physical  access  to  it  is  MUCH   MUCH  higher  than  the  other  devices  
ExploitaIon   ‱  Physical  Then   ‱  Temporary  physical  access   ‱  Malware   ‱  Malicious  ApplicaIons   ‱  Lack  of  standardize  security  review  process   ‱  JailBreak/Rooted  devices  
What  can  be  done???   ‱  InformaIon  found  in  local  storage  with   default  OS  behavior  –     ‱  Changing  OS  behavior  -­‐     ‱  Server  side  exploitaIon  –   ‱  XSS  in  Mobile  Hybrid  applicaIon  –    
       Technology  Trends  
Mobile  Infrastructure   www mail intranet router DMZ Internet VPN Dial-up Other Office s Exchange firewall Database RAS
Mobile  App  Environment   Web Server Static pages only (HTML,HTM, etc.)Web Client Scripted Web Engine Dynamic pages (ASP,DHTML, PHP, CGI, etc.) ASP.NET on .Net Framework, J2EE App Server, Web Services, etc. Application Servers And Integrated Framework Internet DMZ Trusted W E B S E R V I C E S Mobile SOAP/JSON etc. DB X Internal/Corporate
Mobile  Architecture   Presentation Layer Business Layer Data Access Layer Authentication Communication etc. Runtime, Platform, Operating System Components Server side Components Client side Components (Browser) ‱ HTML 5 ‱ DOM ‱ XHR ‱ WebSocket ‱ Storage ‱ WebSQL ‱ Flash ‱ Flex ‱ AMF ‱ Silverlight ‱ WCF ‱ XAML ‱ NET ‱ Storage ‱ JS ‱ Android ‱ iPhone/Pad ‱ Other Mobile
Game  is  complex  –  Chess  
Challenges  
Challenges   ‱  DiïŹ€erent  code  base   ‱  Achieve  things  with  single  click   ‱  Vendor  review  process  -­‐  Not  transparent  –   Can  we  rely  on  it???   ‱  Decrease  transacIon  Ime   ‱  CompeIIon     ‱  Rapid  business  requirement  results  in  high   frequency  of  updates  
Frequency  of  updates   ‱  Very  High  compare  to  Web  ApplicaIons   ‱  Usually,  4-­‐5  updates  in  a  year  for  web   applicaIons  or  even  less  at  Imes   ‱  Usually,  10-­‐12  updates  in  mobile  applicaIons   or  even  more  in  some  cases   ‱  We  all  have  accepted  that  applicaIon  needs   to  be  reviewed  before  going  to  producIon  –   DID  WE???  
Frequency  of  Updates   Application Name   Number of Releases in iOS   Number of Releases in Android   Facebook   19   34   Twitter   22   25   Chase Bank   9   2   eBay   9   4   Amazon   10   3   Temple Run 2   12   10   FB Messenger   12   10   Whatsapp   4   154   skype   8   6  
Mobile  A4acks   ‱  So  What  a4acks  are  we  talking  about?     ‱  Privacy  becomes  important  along  with  the   Security  in  mobile  space   ‱  It  is  MOBILE  so  chances  of  loosing  device  or   someone  gemng  physical  access  to  it  is  MUCH   MUCH  higher  than  the  other  devices  
Mobile  Top  10  -­‐  OWASP   ‱  Weak  Server  Side  Controls   ‱  Insecure  Data  Storage   ‱  InsuïŹƒcient  Transport  Layer  ProtecIon   ‱  Unintended  Data  Leakage   ‱  Poor  AuthorizaIon  and  AuthenIcaIon   ‱  Broken  Cryptography   ‱  Client  Side  InjecIon   ‱  Security  Decisions  Via  Untrusted  Inputs   ‱  Improper  Session  Handling   ‱  Lack  of  Binary  ProtecIons     Contributor : Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
Top  5  vulnerability   ‱  From  the  stats  of  eSphere  data  -­‐     0 10 20 30 40 50 60 70 80 90 100 Local Storage Sensitive Information stored in Logs/ Default OS Behaviour Copy/Paste enabled in sensitive fields - Privacy issue Cross Site Scripting SQL Injection over JSON or other streams
Mobile  A4acks  
Weak  Server  Side  Controls  
Server  Side  Issues   ‱  Most  ApplicaIon  makes  server  side  calls  to   either  web  services  or  some  other   component.  Security  of  server  side   component  is  equally  important  as  client  side   ‱  Controls  to  be  tested  on  the  server  side  –   Security  Control  Categories  for  Server  Side   ApplicaIon–  AuthenIcaIon,  Access  Controls/ AuthorizaIon,  API  misuse,  Path  traversal,   SensiIve  informaIon  leakage,  
Server  Side  Issues   ‱  Error  handling,  Session  management,   Protocol  abuse,  Input  validaIons,  XSS,  CSRF,   Logic  bypass,  Insecure  crypto,  DoS,  Malicious   Code  InjecIon,  SQL  injecIon,  XPATH  and   LDAP  injecIons,  OS  command  injecIon,   Parameter  manipulaIons,  BruteForce,  BuïŹ€er   OverïŹ‚ow,  HTTP  response  splimng,  HTTP   replay,  XML  injecIon,  CanonicalizaIon,   Logging  and  audiIng.    
Insecure  Data  Storage  
Insecure  Storage   ‱  How  a4acker  can  gain  access   ‱  WiïŹ     ‱  Default  password  aner  jail  breaking  (alpine)   ‱  Adb  over  wiïŹ   ‱  Physical  Then   ‱  Temporary  access  to  device    
What   ‱  What  informaIon   –  AuthenIcaIon  CredenIals   –  AuthorizaIon  tokens   –  Financial  Statements   –  Credit  card  numbers   –  Owner’s  InformaIon  –  Physical  Address,  Name,   Phone  number   –  Social  Engineering  Sites  proïŹle/habbits   –  SQL  Queries  
InsuïŹƒcient  Transport  Layer   ProtecIon  
Insecure  Network  Channel   ‱  Easy  to  perform  MiM  a4acks  as  Mobile   devices  uses  untrusted  network  i.e  open/ Public  WiFi,  HotSpot,  Carrier’s  Network   ‱  ApplicaIon  deals  with  sensiIve  data  i.e.     ‱  AuthenIcaIon  credenIals   ‱  AuthorizaIon  token   ‱  PII  InformaIon  (Privacy  ViolaIon)  (Owner  Name,   Phone  number,  UDID)  
Insecure  Network  Channel   ‱  Can  sniïŹ€  the  traïŹƒc  to  get  an  access  to   sensiIve  data   ‱  SSL  is  the  best  way  to  secure  communicaIon   channel   ‱  Common  Issues   ‱  Does  not  deprecate  HTTP  requests   ‱  Allowing  invalid  cerIïŹcates   ‱  SensiIve  informaIon  in  GET  requests  
Session  token  
Unintended  Data  Leakage  
Unintended  Data  Leakage     ‱  Plagorm  issues  –  sandboxing  or  disable   controls   ‱  Cache   ‱  Logs,  Keystrokes,  screenshots  etc.   ‱  Temp Â ïŹles   ‱  3rd  Party  libs  (AD  networks  and  analyIcs)    
Data  Leakage   ‱  Default  OS  behavior  aner  iOS  4.0  to  cache  all   the  URLS  (Request/Response)  in  the  local   storage  in Â ïŹle  named  cache.db Â ïŹle   ‱  Cache.db Â ïŹle  is  not  encrypted   ‱  By  default,  applicaIon  takes  last  screenshot   and  saves  it  in  to Â ïŹle  system  when  user   presses  home  bu4on  
Poor  AuthorizaIon  and   AuthenIcaIon  
AuthorizaIon  &  AuthenIcaIon   ‱  No  password  complexity  specially  on  mobile     ‱  Hidden/No  Logout  bu4on   ‱  Long  session  Ime  out   ‱  No  account  lock  out   ‱  AuthorizaIon Â ïŹ‚ags  or  based  on  the  local   storage  
Broken  Cryptography  
Cryptography   ‱  Broken  implementaIon   ‱  Hash/Encoding  used  in  place  of  encrypIon   ‱  Client  side  script  in  place  of  SSL  
Client  Side  InjecIon  
SQL  InjecIon  in  Local  database   ‱  Most  Mobile  plagorms  uses  SQLite  as   database  to  store  informaIon  on  the  device   ‱  Using  any  SQLite  Database  Browser,  it  is   possible  to  access  database  logs  which  has   queries  and  other  sensiIve  database   informaIon   ‱  In  case  applicaIon  is  not Â ïŹltering  input,  SQL   InjecIon  on  local  database  is  possible  
Security  Decisions  Via  Untrusted   Inputs  
Untrusted  Source   ‱  Any  input  from  client  side  which  can  be   modiïŹed     ‱  Mainly  authenIcaIon  and  authorizaIon   decisions  based  on  the  untrusted  input   ‱  Easiest  way  for  developer  to  solve  complex   issues/funcIonality     ‱  A4acker  can  get  this  informaIon  by  either   reverse  engineering  applicaIon  or  by   checking  local  storage  
KeyChain  Dumper   ‱  Easy  as  running  a  command   ‱  Upload  on  to  server  in  /var  directory   ‱  Give  execute  permission   ‱  Chmod  +x  /var/keychain_dumper   ‱  Get  all  the  keys   ‱  ./keychain_dumper  
Improper  Session  Handling  
Improper  Session   ‱  Session  is  key  for  any  applicaIon  for   authorizaIon       ‱  Session  is  stored  in  binary  format  but  can  be   easily  reversible   ‱  ApplicaIon  is  sending  sensiIve  informaIon   in  GET  request  (Be  it  on  HTTP  or  HTTPS)  
Lack  of  Binary  protecIon  
Lack  of  Binary  ProtecIon   ‱  Apple  signs  and  encrypts  all  the  binaries     ‱  SIll  strings  can  be  retrieved  from  the  binary     ‱  Storing  EncrypIon  and  DecrypIon  keys  in   the  client  side  is  sIll  a  problem      
AutomaIon  in  ApplicaIon   Reviews  
Manual  Review     ‱  Looking  for  informaIon  in  local  storage   manually  is  really  –     –  Time  Consuming   –  Tedious   –  Prone  to  be  false  negaIves  (how  accurately  you   can  check Â ïŹles  more  than  once  in  an  hour  and Â ïŹle   formats  are  diïŹ€erent)    
Manual  Review  -­‐  iOS  
What  do  we  need   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  Unfortunately  no  complete  automaIon  is   available  today  BUT  some  of  the  tools  which   can  be  handy  are  -­‐      
Snoop-­‐it   ‱  The  only  tool  today  to  automate  iOS   applicaIon  reviews   ‱  Very  handy  and  gives  perfect  pointer  where   to  look  for   ‱  A  long  way  to  go  for  automaIon  like  web    
Snoop-­‐it  (Cont
)   ‱  Snoop-­‐it  helps  you  monitor  –     –  File  system  access   –  Keychain  access   –  HTTP(S)  connecIons     –  Access  to  sensiIve  API   –  Debug  outputs   –  Tracing  App  internals  
Snoop-­‐it  (Cont
)   ‱  Along  with  Monitoring,  snoop-­‐it  allows  to  -­‐     –  Fake  hardware  idenIïŹer   –  Fake  locaIon/GPS  data   –  Explore  and  force  display  of   available  ViewController   –  List  custom  URL  schemes   –  List  available  ObjecIve-­‐C  classes,  objects  and   methods   –  Bypass  basic  jailbreak  detecIon  mechanisms  
Snoop-­‐it  
iAppliScan   ‱  iAppliScan  allows  you  to  automate  iOS   applicaIon  review.     ‱  InteresIng  features  –     –   Look  for  sensiIve  informaIon  in Â ïŹles/directories   –  Find  whether  parIcular Â ïŹle  exist  or  not   –  Download Â ïŹle  for  further  analysis   –  Run  external  command    
iAppliScan  
Review  without  JailBreak  
Reviewing  without  jailbreaking   ‱  Is  it  really  possible  to  review  applicaIon  with   out  jailbreaking  ?   ‱  “YES”   ‱  “YES”   ‱  “YES”   ‱  “YES”  
Reviewing  without  jailbreaking   ‱  Plenty  of  tools  available  (Specially  for   Forensic)  to  brows  the  applicaIon  directory   without  jailbreaking.     ‱  iFunBox  allows  to  view Â ïŹles  on  the  device   without  jailbreak   ‱  Displays  applicaIon’s  permissions   ‱  Browse  the  installed  applicaIon  directory    
Reviewing  without  jailbreaking   ‱  Copy    the  enIre  applicaIon  directory  mulIple   Imes   ‱  Look  for  sensiIve  informaIon  in  the Â ïŹles   ‱  Use  Proxy  on  non-­‐jailbreak  device  to  check  all   server  side  a4acks.  
Reviewing  with  iFunbox  
AutomaIon  in  Android  
Manual  Review  -­‐  Android  
FSDroid   ‱  Leverages  SDK  Class  –  No  hacks  in  here!!!   ‱  FSDroid  can  –   –  Monitor Â ïŹle  system     –  Can  write Â ïŹlter  to  monitor  parIcular  directory   –  Can  save  last  5  reports  for  future  use   –  Does  not  need  mobile  device  –  can  run  on   Emulator  smoothly   –  Easy  to  run  (As  easy  as  giving  directory  name  and   pressing  start  bu4on)    
File  System  Monitoring  Demo  
Looking  in  to  Code  
Static Code Analysis ‱  Introduce in Mac OS X v10.6, XCode 3.2, Clang analyzer merged into XCode. ‱  Memory leakage warning ‱  Run from Build->Analyze ‱  Innovative shows you complete flow of object start to end ‱  Configure as a automatic analysis during build process
StaIc  Code  Analysis     PotenIal  Memory  Leak  
StaIc  Code  Analysis     Dead  store  –  variable  never  used  
Code  Analysis  with  AppCodeScan   ‱  Semi  automated  tool   ‱  Ability  to  expand  with  custom  rules   ‱  Simple  tracing  uIlity  to  verify  and  track   vulnerabiliIes   ‱  Simple  HTML  reporIng  which  can  be   converted  to  PDF    
AppCodeScan   ‱  SophisIcated  tool  consist  of  two  components     ‱  Code  Scanning   ‱  Code  Tracer   ‱  Allows  you  to  trace  back  the  variable   ‱  AppCodeScan  is  not  complete  automated   staIc  code  analyzer.   ‱  It  only  relies  on  regex  and  lets  you Â ïŹnd   SOURCE  of  the  SINK  
Rules  in  AppCodeScan   ‱  WriIng  rules  is  very  straight  forward   ‱  In  an  XML Â ïŹle  which  is  loaded  at  run  Ime   ‱  This  release  has  rules  for  iOS  and  Android  for   -­‐  Local  Storage,  Unsafe  APIs,  SQL  InjecIon,   Network  ConnecIon,  SSL  CerIïŹcate  Handling,   Client  Side  ExploitaIon,  URL  Handlers,   Logging,  CredenIal  Management  and   Accessing  PII.      
Sample  Rules  -­‐  Android    
Android  DEMO  
Sample  Rules  -­‐  iOS    
iOS  DEMO  
Debuggable Â ïŹ‚ag  in  Android   ‱  One  of  the  key  a4ribute  in  android  manifest   ïŹle   ‱  Under  “applicaIon”  secIon   ‱  Describes  debugging  in  enabled   ‱  If  “Debuggable”a4ribute  is  set  o  true,  the   applicaIon  will  try  to  connect  to  a  local  unix   socket  “@jdwp-­‐control”   ‱  Using  JDWP,  It  is  possible  to  gain  full  access  to   the  Java  process  and  execute  arbitrary  code  in   the  context  of  the  debugable  applicaIon  
CheckDebuggable  Script   ‱  Checks  in  APK  whether  debuggable  is  enabled   ‱  Script  can  be  found  at  –  h4p:// www.espheresecurity.com/ resourcestools.html   ‱  Paper  can  be  found  at  -­‐  h4p:// www.espheresecurity.com/ CheckDebuggable.pdf    
Conclusion  

More Related Content

PPT
Automation In Android & iOS Application Review
Blueinfy Solutions
 
PPT
Android attacks
Blueinfy Solutions
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PPT
Application fuzzing
Blueinfy Solutions
 
PPT
Advanced applications-architecture-threats
Blueinfy Solutions
 
PPT
Web Services Hacking and Security
Blueinfy Solutions
 
PPT
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
PPT
iOS Application Security Testing
Blueinfy Solutions
 
Automation In Android & iOS Application Review
Blueinfy Solutions
 
Android attacks
Blueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Application fuzzing
Blueinfy Solutions
 
Advanced applications-architecture-threats
Blueinfy Solutions
 
Web Services Hacking and Security
Blueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
iOS Application Security Testing
Blueinfy Solutions
 

What's hot (19)

PPT
Secure SDLC for Software
Shreeraj Shah
 
PPT
Assessment methodology and approach
Blueinfy Solutions
 
PPTX
Application Security TRENDS – Lessons Learnt- Firosh Ummer
OWASP-Qatar Chapter
 
PPT
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
PPT
HTML5 hacking
Blueinfy Solutions
 
PPT
XSS and CSRF with HTML5
Shreeraj Shah
 
PPTX
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
PDF
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
PDF
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
DOC
Joomla web application development vulnerabilities
BlazeDream Technologies Pvt Ltd
 
PDF
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
 
PPT
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
PDF
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
PPTX
Presentation on Web Attacks
Vivek Sinha Anurag
 
PPTX
Web application vulnerability assessment
Ravikumar Paghdal
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
PPTX
A5: Security Misconfiguration
Tariq Islam
 
PDF
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
Secure SDLC for Software
Shreeraj Shah
 
Assessment methodology and approach
Blueinfy Solutions
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
OWASP-Qatar Chapter
 
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
HTML5 hacking
Blueinfy Solutions
 
XSS and CSRF with HTML5
Shreeraj Shah
 
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
Joomla web application development vulnerabilities
BlazeDream Technologies Pvt Ltd
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
Presentation on Web Attacks
Vivek Sinha Anurag
 
Web application vulnerability assessment
Ravikumar Paghdal
 
OWASP Top Ten in Practice
Security Innovation
 
A5: Security Misconfiguration
Tariq Islam
 
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
Ad

Viewers also liked (14)

PDF
Linda Peel – Coaching in someone’s home language
SACAP
 
PDF
Nein, nein, nein
Steven Casey
 
PDF
Workshop SDC - Cours Outils supports Ă  la coordination 2016
Sylvain Kubicki
 
PDF
èŽ·ć„–èŻäčŠæ‰«æç‰ˆ-2
xinhui liu
 
PDF
Maxine Petersen – Becoming myself through myself
SACAP
 
PDF
Software security risk mitigation using object oriented design patterns
eSAT Journals
 
PPS
PoSicionES dE SexO
fernado altuve
 
PDF
Modelo de consumidor .caso de estudio locatel y farmatodo
Valentina Maldonado RincĂłn
 
PDF
Peter Norvig - NYC Machine Learning 2013
Michael Scovetta
 
PDF
Oasis Advantage
Allison Femino
 
PPT
MOTORDOM
South Fraser Blog
 
PPTX
Close reading
Carla Piper
 
PPT
Web Attacks - Top threats - 2010
Shreeraj Shah
 
PPTX
Tapi pipeline ppt
Roya Saqib
 
Linda Peel – Coaching in someone’s home language
SACAP
 
Nein, nein, nein
Steven Casey
 
Workshop SDC - Cours Outils supports Ă  la coordination 2016
Sylvain Kubicki
 
èŽ·ć„–èŻäčŠæ‰«æç‰ˆ-2
xinhui liu
 
Maxine Petersen – Becoming myself through myself
SACAP
 
Software security risk mitigation using object oriented design patterns
eSAT Journals
 
PoSicionES dE SexO
fernado altuve
 
Modelo de consumidor .caso de estudio locatel y farmatodo
Valentina Maldonado RincĂłn
 
Peter Norvig - NYC Machine Learning 2013
Michael Scovetta
 
Oasis Advantage
Allison Femino
 
MOTORDOM
South Fraser Blog
 
Close reading
Carla Piper
 
Web Attacks - Top threats - 2010
Shreeraj Shah
 
Tapi pipeline ppt
Roya Saqib
 
Ad

Similar to Mobile security chess board - attacks & defense (20)

PDF
Mobile Security
Xavier Mertens
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PDF
Controlling Access to IBM i Systems and Data
Precisely
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
PPTX
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
PPTX
Mobile security services 2012
Tjylen Veselyj
 
PPTX
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
PPTX
The Loss of Intellectual Property in the Digital Age: What Companies can d

Christopher Kranich
 
PDF
WebApp_to_Container_Security.pdf
Anna Pasupathy, CISSP
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PPTX
BREACHED: Data Centric Security for SAP
UL Transaction Security
 
PDF
Mobile Services & E-Services Case Study By Osama Abushaban
Osama Abushaban
 
PDF
Invited Talk - Cyber Security and Open Source
hack33
 
PDF
Securing Your Mobile Applications
Greg Patton
 
PPTX
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
PPT
Information Security
Mohit8780
 
PPTX
Building a Mobile Security Program
Denim Group
 
PDF
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
Maxim Salnikov
 
PPTX
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)
 
PPTX
Implementing security for your library | PLAN Tech Day Conference
Brian Pichman
 
Mobile Security
Xavier Mertens
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Controlling Access to IBM i Systems and Data
Precisely
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
Mobile security services 2012
Tjylen Veselyj
 
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
The Loss of Intellectual Property in the Digital Age: What Companies can d

Christopher Kranich
 
WebApp_to_Container_Security.pdf
Anna Pasupathy, CISSP
 
00. introduction to app sec v3
Eoin Keary
 
BREACHED: Data Centric Security for SAP
UL Transaction Security
 
Mobile Services & E-Services Case Study By Osama Abushaban
Osama Abushaban
 
Invited Talk - Cyber Security and Open Source
hack33
 
Securing Your Mobile Applications
Greg Patton
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
Information Security
Mohit8780
 
Building a Mobile Security Program
Denim Group
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
Maxim Salnikov
 
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)
 
Implementing security for your library | PLAN Tech Day Conference
Brian Pichman
 

More from Blueinfy Solutions (10)

PDF
Mobile Application Scan and Testing
Blueinfy Solutions
 
PPT
Html5 on mobile
Blueinfy Solutions
 
PPT
Android secure coding
Blueinfy Solutions
 
PPT
Source Code Analysis with SAST
Blueinfy Solutions
 
PPT
XSS - Attacks & Defense
Blueinfy Solutions
 
PPT
Defending against Injections
Blueinfy Solutions
 
PPT
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
PPT
Blind SQL Injection
Blueinfy Solutions
 
PPT
SQL injection basics
Blueinfy Solutions
 
PPT
HTTP protocol and Streams Security
Blueinfy Solutions
 
Mobile Application Scan and Testing
Blueinfy Solutions
 
Html5 on mobile
Blueinfy Solutions
 
Android secure coding
Blueinfy Solutions
 
Source Code Analysis with SAST
Blueinfy Solutions
 
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Blueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
Blind SQL Injection
Blueinfy Solutions
 
SQL injection basics
Blueinfy Solutions
 
HTTP protocol and Streams Security
Blueinfy Solutions
 

Recently uploaded (20)

PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
AI in Product Development-omnex systems
omnex systems
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 

Mobile security chess board - attacks & defense

  • 1. Mobile  Security  chess  board  -­‐   A4acks  &  Defense  
  • 2. Who Am I? ‱  Hemil  Shah  –  hemil@blueinfy.net   ‱  Co-­‐CEO  &  Director,  Blueinfy  Solu>ons   ‱  Past  experience     –  eSphere  Security,  HBO,  KPMG,  IL&FS,  Net  Square   ‱  Interest   –  ApplicaIon  security  research   ‱  Published  research   –  ArIcles  /  Papers  –  Packstroem,  etc.   –  Web  Tools  –  wsScanner,  scanweb2.0,  AppMap,  AppCodeScan,  AppPrint  etc.   –  Mobile  Tools  –  FSDroid,  iAppliScan,  DumpDroid   hemil@blueinfy.com   h4p://www.blueinfy.com   Blog  –  h4p://blog.blueinfy.com/  
  • 3. About ‱ Global  experience  worked   clients  based  in  USA,  UAE,   Europe  and  Asia-­‐pac.   ‱ Clients/Partners  include   Fortune  100  companies.   ‱ Delivery  model  and  support   ‱ Blackbox  and  Whitebox  –   Scanners  and  Code  Analyzers   ‱ Scanning  tools  and  technology   (15  years)   ‱ Strong  and  tested  with   Fortune  clients   ‱ Integrated  in  SDLC   ‱ Help  client  in  miIgaIng  or   lowering  down  the  Risk  by   improving  process   ‱ In  house  R&D  team  for  last  7   years   ‱ Papers  and  PresentaIons  at   conference  like  RSA,  Blackhat,   HITB,  OWASP  etc.   ‱ Books  wri4en  and  used  as   security  guides   Know-­‐How   Methods  &   Approach   Global   Delivery  &   Team   Technology   Ă˜ïƒ˜â€ŻBBC   Ă˜ïƒ˜â€ŻDark  Readings   Ă˜ïƒ˜â€ŻBank  Technology   Ă˜ïƒ˜â€ŻSecurityWeek   Ă˜ïƒ˜â€ŻMIT  Technology  Review   ApplicaIon  Security    
  • 6. Mobile  Top  10  -­‐  OWASP   ‱  Weak  Server  Side  Controls   ‱  Insecure  Data  Storage   ‱  InsuïŹƒcient  Transport  Layer  ProtecIon   ‱  Unintended  Data  Leakage   ‱  Poor  AuthorizaIon  and  AuthenIcaIon   ‱  Broken  Cryptography   ‱  Client  Side  InjecIon   ‱  Security  Decisions  Via  Untrusted  Inputs   ‱  Improper  Session  Handling   ‱  Lack  of  Binary  ProtecIons     Contributor : Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
  • 8. E-­‐commerce   ‱  Typical  applicaIon  making  server  side  calls   ‱  Security  issues  and  hacks   –  Credit  card  and  Private  data  storage  with  poor  crypto   –  SQLite  hacks   –  SQL  injecIon  over  JSON   –  Ajax  driven  XSS   –  Several  XSS  with  Blog  component   –  Several  informaIon  leaks  through  JSON  fuzzing   ‱  Server  side  scan  with  tools/products  failed    
  • 9. Banking  ApplicaIon   ‱  Scanning  applicaIon  for  vulnerabiliIes   ‱  Typical  banking  running  with  middleware     ‱  VulnerabiliIes  –  Mobile  interface   –  Poor  encoding  to  store  SSN  and  PII  informa>on   locally   –  Very  sensi>ve  transac>on  informa>on  stored   locally   –  Default  OS  Behavior  leaking  informa>on   –  CredenIals  submi4ed  in  GET  request   –  Keys/session  stored  in  keychain Â ïŹle  
  • 10. Social  ApplicaIon   ‱  Social  ApplicaIon  on  mulIple  plagorms   –  ApplicaIon  leverages  browser  component  as  part   of  the  mobile   –  Common  code  base  for  all  plagorms   –  Vulnerable     ‱ Bypass  ProïŹle  validaIon  (Logical)  and  unique  device   installaIon     ‱ Screenshot  revealing  sensi>ve  informa>on     ‱ Default  OS  Behavior  leaking  informa>on   ‱ PresentaIon  layer  (XSS  and  CSRF)   ‱ Unencrypted  Communica>on  channel  
  • 11. Postmortem   ‱  One  pa4ern  in  all  the  reviews  -­‐  SOME   INFORMATION  WAS  STORED  LOCALLY   ‱  More  than  99%  of  the  applicaIon  review  has   the  LOCAL  STORAGE  issue  as  we  saw  in  stats.   ‱  Server  side  and  logical  issues  are  sIll  hard  to   ïŹnd  but  have  biggest  impact.    
  • 12. Mobile  Threats  and  Risk  
  • 13. A4acks  on  Mobile   ‱  No JailBreak Required ‱  Ease of attack - Airports/Public places
  • 14. Why  should  I  worry?   ‱  We  have  MDM  in  place   ‱  We  do  not  allow  any  JailBreak  or  rooted   device  in  our  environment  with  MDM   ‱  We  have  strict  policy  enforced  and  all  our   devices  are  forced  to  have  password  lock   ‱  May  or  may  not  have  BYOD     ‱  OS  provides  encrypIon  
  • 15. Mobile  A4acks   ‱  So  What  a4acks  are  we  talking  about?     ‱  Privacy  becomes  important  along  with  the   Security  in  mobile  space   ‱  It  is  MOBILE  so  chances  of  loosing  device  or   someone  gemng  physical  access  to  it  is  MUCH   MUCH  higher  than  the  other  devices  
  • 16. ExploitaIon   ‱  Physical  Then   ‱  Temporary  physical  access   ‱  Malware   ‱  Malicious  ApplicaIons   ‱  Lack  of  standardize  security  review  process   ‱  JailBreak/Rooted  devices  
  • 17. What  can  be  done???   ‱  InformaIon  found  in  local  storage  with   default  OS  behavior  –     ‱  Changing  OS  behavior  -­‐     ‱  Server  side  exploitaIon  –   ‱  XSS  in  Mobile  Hybrid  applicaIon  –    
  • 18.        Technology  Trends  
  • 19. Mobile  Infrastructure   www mail intranet router DMZ Internet VPN Dial-up Other Office s Exchange firewall Database RAS
  • 20. Mobile  App  Environment   Web Server Static pages only (HTML,HTM, etc.)Web Client Scripted Web Engine Dynamic pages (ASP,DHTML, PHP, CGI, etc.) ASP.NET on .Net Framework, J2EE App Server, Web Services, etc. Application Servers And Integrated Framework Internet DMZ Trusted W E B S E R V I C E S Mobile SOAP/JSON etc. DB X Internal/Corporate
  • 21. Mobile  Architecture   Presentation Layer Business Layer Data Access Layer Authentication Communication etc. Runtime, Platform, Operating System Components Server side Components Client side Components (Browser) ‱ HTML 5 ‱ DOM ‱ XHR ‱ WebSocket ‱ Storage ‱ WebSQL ‱ Flash ‱ Flex ‱ AMF ‱ Silverlight ‱ WCF ‱ XAML ‱ NET ‱ Storage ‱ JS ‱ Android ‱ iPhone/Pad ‱ Other Mobile
  • 22. Game  is  complex  –  Chess  
  • 24. Challenges   ‱  DiïŹ€erent  code  base   ‱  Achieve  things  with  single  click   ‱  Vendor  review  process  -­‐  Not  transparent  –   Can  we  rely  on  it???   ‱  Decrease  transacIon  Ime   ‱  CompeIIon     ‱  Rapid  business  requirement  results  in  high   frequency  of  updates  
  • 25. Frequency  of  updates   ‱  Very  High  compare  to  Web  ApplicaIons   ‱  Usually,  4-­‐5  updates  in  a  year  for  web   applicaIons  or  even  less  at  Imes   ‱  Usually,  10-­‐12  updates  in  mobile  applicaIons   or  even  more  in  some  cases   ‱  We  all  have  accepted  that  applicaIon  needs   to  be  reviewed  before  going  to  producIon  –   DID  WE???  
  • 26. Frequency  of  Updates   Application Name   Number of Releases in iOS   Number of Releases in Android   Facebook   19   34   Twitter   22   25   Chase Bank   9   2   eBay   9   4   Amazon   10   3   Temple Run 2   12   10   FB Messenger   12   10   Whatsapp   4   154   skype   8   6  
  • 27. Mobile  A4acks   ‱  So  What  a4acks  are  we  talking  about?     ‱  Privacy  becomes  important  along  with  the   Security  in  mobile  space   ‱  It  is  MOBILE  so  chances  of  loosing  device  or   someone  gemng  physical  access  to  it  is  MUCH   MUCH  higher  than  the  other  devices  
  • 28. Mobile  Top  10  -­‐  OWASP   ‱  Weak  Server  Side  Controls   ‱  Insecure  Data  Storage   ‱  InsuïŹƒcient  Transport  Layer  ProtecIon   ‱  Unintended  Data  Leakage   ‱  Poor  AuthorizaIon  and  AuthenIcaIon   ‱  Broken  Cryptography   ‱  Client  Side  InjecIon   ‱  Security  Decisions  Via  Untrusted  Inputs   ‱  Improper  Session  Handling   ‱  Lack  of  Binary  ProtecIons     Contributor : Nvisium Security, HP Fortify, Andreas Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
  • 29. Top  5  vulnerability   ‱  From  the  stats  of  eSphere  data  -­‐     0 10 20 30 40 50 60 70 80 90 100 Local Storage Sensitive Information stored in Logs/ Default OS Behaviour Copy/Paste enabled in sensitive fields - Privacy issue Cross Site Scripting SQL Injection over JSON or other streams
  • 31. Weak  Server  Side  Controls  
  • 32. Server  Side  Issues   ‱  Most  ApplicaIon  makes  server  side  calls  to   either  web  services  or  some  other   component.  Security  of  server  side   component  is  equally  important  as  client  side   ‱  Controls  to  be  tested  on  the  server  side  –   Security  Control  Categories  for  Server  Side   ApplicaIon–  AuthenIcaIon,  Access  Controls/ AuthorizaIon,  API  misuse,  Path  traversal,   SensiIve  informaIon  leakage,  
  • 33. Server  Side  Issues   ‱  Error  handling,  Session  management,   Protocol  abuse,  Input  validaIons,  XSS,  CSRF,   Logic  bypass,  Insecure  crypto,  DoS,  Malicious   Code  InjecIon,  SQL  injecIon,  XPATH  and   LDAP  injecIons,  OS  command  injecIon,   Parameter  manipulaIons,  BruteForce,  BuïŹ€er   OverïŹ‚ow,  HTTP  response  splimng,  HTTP   replay,  XML  injecIon,  CanonicalizaIon,   Logging  and  audiIng.    
  • 35. Insecure  Storage   ‱  How  a4acker  can  gain  access   ‱  WiïŹ     ‱  Default  password  aner  jail  breaking  (alpine)   ‱  Adb  over  wiïŹ   ‱  Physical  Then   ‱  Temporary  access  to  device    
  • 36. What   ‱  What  informaIon   –  AuthenIcaIon  CredenIals   –  AuthorizaIon  tokens   –  Financial  Statements   –  Credit  card  numbers   –  Owner’s  InformaIon  –  Physical  Address,  Name,   Phone  number   –  Social  Engineering  Sites  proïŹle/habbits   –  SQL  Queries  
  • 38. Insecure  Network  Channel   ‱  Easy  to  perform  MiM  a4acks  as  Mobile   devices  uses  untrusted  network  i.e  open/ Public  WiFi,  HotSpot,  Carrier’s  Network   ‱  ApplicaIon  deals  with  sensiIve  data  i.e.     ‱  AuthenIcaIon  credenIals   ‱  AuthorizaIon  token   ‱  PII  InformaIon  (Privacy  ViolaIon)  (Owner  Name,   Phone  number,  UDID)  
  • 39. Insecure  Network  Channel   ‱  Can  sniïŹ€  the  traïŹƒc  to  get  an  access  to   sensiIve  data   ‱  SSL  is  the  best  way  to  secure  communicaIon   channel   ‱  Common  Issues   ‱  Does  not  deprecate  HTTP  requests   ‱  Allowing  invalid  cerIïŹcates   ‱  SensiIve  informaIon  in  GET  requests  
  • 42. Unintended  Data  Leakage     ‱  Plagorm  issues  –  sandboxing  or  disable   controls   ‱  Cache   ‱  Logs,  Keystrokes,  screenshots  etc.   ‱  Temp Â ïŹles   ‱  3rd  Party  libs  (AD  networks  and  analyIcs)    
  • 43. Data  Leakage   ‱  Default  OS  behavior  aner  iOS  4.0  to  cache  all   the  URLS  (Request/Response)  in  the  local   storage  in Â ïŹle  named  cache.db Â ïŹle   ‱  Cache.db Â ïŹle  is  not  encrypted   ‱  By  default,  applicaIon  takes  last  screenshot   and  saves  it  in  to Â ïŹle  system  when  user   presses  home  bu4on  
  • 44. Poor  AuthorizaIon  and   AuthenIcaIon  
  • 45. AuthorizaIon  &  AuthenIcaIon   ‱  No  password  complexity  specially  on  mobile     ‱  Hidden/No  Logout  bu4on   ‱  Long  session  Ime  out   ‱  No  account  lock  out   ‱  AuthorizaIon Â ïŹ‚ags  or  based  on  the  local   storage  
  • 47. Cryptography   ‱  Broken  implementaIon   ‱  Hash/Encoding  used  in  place  of  encrypIon   ‱  Client  side  script  in  place  of  SSL  
  • 49. SQL  InjecIon  in  Local  database   ‱  Most  Mobile  plagorms  uses  SQLite  as   database  to  store  informaIon  on  the  device   ‱  Using  any  SQLite  Database  Browser,  it  is   possible  to  access  database  logs  which  has   queries  and  other  sensiIve  database   informaIon   ‱  In  case  applicaIon  is  not Â ïŹltering  input,  SQL   InjecIon  on  local  database  is  possible  
  • 50. Security  Decisions  Via  Untrusted   Inputs  
  • 51. Untrusted  Source   ‱  Any  input  from  client  side  which  can  be   modiïŹed     ‱  Mainly  authenIcaIon  and  authorizaIon   decisions  based  on  the  untrusted  input   ‱  Easiest  way  for  developer  to  solve  complex   issues/funcIonality     ‱  A4acker  can  get  this  informaIon  by  either   reverse  engineering  applicaIon  or  by   checking  local  storage  
  • 52. KeyChain  Dumper   ‱  Easy  as  running  a  command   ‱  Upload  on  to  server  in  /var  directory   ‱  Give  execute  permission   ‱  Chmod  +x  /var/keychain_dumper   ‱  Get  all  the  keys   ‱  ./keychain_dumper  
  • 54. Improper  Session   ‱  Session  is  key  for  any  applicaIon  for   authorizaIon       ‱  Session  is  stored  in  binary  format  but  can  be   easily  reversible   ‱  ApplicaIon  is  sending  sensiIve  informaIon   in  GET  request  (Be  it  on  HTTP  or  HTTPS)  
  • 55. Lack  of  Binary  protecIon  
  • 56. Lack  of  Binary  ProtecIon   ‱  Apple  signs  and  encrypts  all  the  binaries     ‱  SIll  strings  can  be  retrieved  from  the  binary     ‱  Storing  EncrypIon  and  DecrypIon  keys  in   the  client  side  is  sIll  a  problem      
  • 57. AutomaIon  in  ApplicaIon   Reviews  
  • 58. Manual  Review     ‱  Looking  for  informaIon  in  local  storage   manually  is  really  –     –  Time  Consuming   –  Tedious   –  Prone  to  be  false  negaIves  (how  accurately  you   can  check Â ïŹles  more  than  once  in  an  hour  and Â ïŹle   formats  are  diïŹ€erent)    
  • 60. What  do  we  need   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  AutomaIon!!!   ‱  Unfortunately  no  complete  automaIon  is   available  today  BUT  some  of  the  tools  which   can  be  handy  are  -­‐      
  • 61. Snoop-­‐it   ‱  The  only  tool  today  to  automate  iOS   applicaIon  reviews   ‱  Very  handy  and  gives  perfect  pointer  where   to  look  for   ‱  A  long  way  to  go  for  automaIon  like  web    
  • 62. Snoop-­‐it  (Cont
)   ‱  Snoop-­‐it  helps  you  monitor  –     –  File  system  access   –  Keychain  access   –  HTTP(S)  connecIons     –  Access  to  sensiIve  API   –  Debug  outputs   –  Tracing  App  internals  
  • 63. Snoop-­‐it  (Cont
)   ‱  Along  with  Monitoring,  snoop-­‐it  allows  to  -­‐     –  Fake  hardware  idenIïŹer   –  Fake  locaIon/GPS  data   –  Explore  and  force  display  of   available  ViewController   –  List  custom  URL  schemes   –  List  available  ObjecIve-­‐C  classes,  objects  and   methods   –  Bypass  basic  jailbreak  detecIon  mechanisms  
  • 65. iAppliScan   ‱  iAppliScan  allows  you  to  automate  iOS   applicaIon  review.     ‱  InteresIng  features  –     –   Look  for  sensiIve  informaIon  in Â ïŹles/directories   –  Find  whether  parIcular Â ïŹle  exist  or  not   –  Download Â ïŹle  for  further  analysis   –  Run  external  command    
  • 68. Reviewing  without  jailbreaking   ‱  Is  it  really  possible  to  review  applicaIon  with   out  jailbreaking  ?   ‱  “YES”   ‱  “YES”   ‱  “YES”   ‱  “YES”  
  • 69. Reviewing  without  jailbreaking   ‱  Plenty  of  tools  available  (Specially  for   Forensic)  to  brows  the  applicaIon  directory   without  jailbreaking.     ‱  iFunBox  allows  to  view Â ïŹles  on  the  device   without  jailbreak   ‱  Displays  applicaIon’s  permissions   ‱  Browse  the  installed  applicaIon  directory    
  • 70. Reviewing  without  jailbreaking   ‱  Copy    the  enIre  applicaIon  directory  mulIple   Imes   ‱  Look  for  sensiIve  informaIon  in  the Â ïŹles   ‱  Use  Proxy  on  non-­‐jailbreak  device  to  check  all   server  side  a4acks.  
  • 74. FSDroid   ‱  Leverages  SDK  Class  –  No  hacks  in  here!!!   ‱  FSDroid  can  –   –  Monitor Â ïŹle  system     –  Can  write Â ïŹlter  to  monitor  parIcular  directory   –  Can  save  last  5  reports  for  future  use   –  Does  not  need  mobile  device  –  can  run  on   Emulator  smoothly   –  Easy  to  run  (As  easy  as  giving  directory  name  and   pressing  start  bu4on)    
  • 76. Looking  in  to  Code  
  • 77. Static Code Analysis ‱  Introduce in Mac OS X v10.6, XCode 3.2, Clang analyzer merged into XCode. ‱  Memory leakage warning ‱  Run from Build->Analyze ‱  Innovative shows you complete flow of object start to end ‱  Configure as a automatic analysis during build process
  • 78. StaIc  Code  Analysis     PotenIal  Memory  Leak  
  • 79. StaIc  Code  Analysis     Dead  store  –  variable  never  used  
  • 80. Code  Analysis  with  AppCodeScan   ‱  Semi  automated  tool   ‱  Ability  to  expand  with  custom  rules   ‱  Simple  tracing  uIlity  to  verify  and  track   vulnerabiliIes   ‱  Simple  HTML  reporIng  which  can  be   converted  to  PDF    
  • 81. AppCodeScan   ‱  SophisIcated  tool  consist  of  two  components     ‱  Code  Scanning   ‱  Code  Tracer   ‱  Allows  you  to  trace  back  the  variable   ‱  AppCodeScan  is  not  complete  automated   staIc  code  analyzer.   ‱  It  only  relies  on  regex  and  lets  you Â ïŹnd   SOURCE  of  the  SINK  
  • 82. Rules  in  AppCodeScan   ‱  WriIng  rules  is  very  straight  forward   ‱  In  an  XML Â ïŹle  which  is  loaded  at  run  Ime   ‱  This  release  has  rules  for  iOS  and  Android  for   -­‐  Local  Storage,  Unsafe  APIs,  SQL  InjecIon,   Network  ConnecIon,  SSL  CerIïŹcate  Handling,   Client  Side  ExploitaIon,  URL  Handlers,   Logging,  CredenIal  Management  and   Accessing  PII.      
  • 83. Sample  Rules  -­‐  Android    
  • 85. Sample  Rules  -­‐  iOS    
  • 87. Debuggable Â ïŹ‚ag  in  Android   ‱  One  of  the  key  a4ribute  in  android  manifest   ïŹle   ‱  Under  “applicaIon”  secIon   ‱  Describes  debugging  in  enabled   ‱  If  “Debuggable”a4ribute  is  set  o  true,  the   applicaIon  will  try  to  connect  to  a  local  unix   socket  “@jdwp-­‐control”   ‱  Using  JDWP,  It  is  possible  to  gain  full  access  to   the  Java  process  and  execute  arbitrary  code  in   the  context  of  the  debugable  applicaIon  
  • 88. CheckDebuggable  Script   ‱  Checks  in  APK  whether  debuggable  is  enabled   ‱  Script  can  be  found  at  –  h4p:// www.espheresecurity.com/ resourcestools.html   ‱  Paper  can  be  found  at  -­‐  h4p:// www.espheresecurity.com/ CheckDebuggable.pdf   Â