Info security - mobile approach
1 like1,140 views
The document discusses mobile security assessment practices, highlighting emerging threats such as malware and vulnerabilities in mobile communication channels and applications. It covers detailed methods for assessing mobile device security, including source code reviews, application permission evaluations, and server-side controls. The increasing prevalence of machine-to-machine communication is noted, alongside an emphasis on the importance of identifying and mitigating risks in the fast-evolving mobile landscape.
Info security - mobile approach
- 1. INFOSECURITY 2013, BRUSSELS Security assessments in the mobile world
- 2. Agenda Introduction Mobile architecture ► An overview ► Perceived threats How to assess the threats ► General approach ► Mobile Devices ► Source Code review ► Sensitive files ► Application permissions ► Client side injections ► Data communication channel ► Server side controls Recap
- 3. Introduction Who am I? ► Tim Beyens ► Security Consultant focusing on mobile security and network security ► Working for Ernst & Young since 2009 ► Sector focus: Telecommunication ► Typical assignments: penetration testing, network security assignments, …. Technical security assessments
- 4. Introduction Trends within the mobile world On the end-user front…
- 5. Introduction Trends within the mobile world The Machine to Machine front is increasing as well… M2M mobile connections are expected to reach 12 billion by 2020 Industry Sector Smart meters enable efficient energy consumption and management by Utilities consumers and service providers Remote monitoring technologies can boost cost- and resource-efficient Healthcare healthcare provision and clinical collaboration Driver navigation and fleet management tools, on-demand in-vehicle entertainment result in intelligent route planning and greater consumer Automotive expenditure. Vehicle connectivity can bring new business models such as pay-as-you drive insurance Consumer Richer functionality and storage can improve product differentiation Electronics and customer centricity Sources: Ernst & Young research in 2012 – M2M
- 6. Introduction Trends within the mobile world On the other hand, malware is also being rapidly developed… October July August April July February (2013) ► Secret key combo auth ► ZITMO banking trojan ► Weakness in SSL cert ► NotCompatible gains ► LuckyCat opens a ► LockScreen of bypass (iOS) affects all mobile handling exposes data access to local network backdoor that allows iPhone can be devices to interception (iOS) preferences (Andriod) remote acces (Android) circumvented (iOS) 2011 2012 2013 March August September May July ► Trojannised apps found ► Google authentication ► HTC phone vulnerability ► FakeInst SMS Trojan ► SMSzombie that on Chinese app store details sent in clear text leaks personal data cost end-users 30 abuses china’s SMS (Android) (Android) (Android) Miljon dollars (Android) payment Android) Most of these vulnerabilities originate from: ► Jailbreaks, Rootkits, ... ► Faulty configured application settings ► Faulty downloaded applications (from sources not controlled by the device) ► User preferences for simple passwords ► User allows application to access personal unneeded information ► Reuse of passwords among different applications ► Social engineering (ie. Gaining physical access to the smart phone to steal data)
- 7. Introduction Trends within the mobile world … In numbers this means 2012 Malware targets Subscription to premium SMS 32% services 40% Information theft (banking apps) Botnet integration 28% Sources: ESET, Trends for 2013
- 8. Mobile Architecture An overview Public 1 Private 2 1. 1 Public APN ► APN’s used by end-users or machines ► Public, only requires a SIM card of the provider ► Less secure but cheaper ► E.g. Your own PDA connecting over 3G 2 2. Private APN ► Used by companies to easily communicate with field equipment (e.g. G4S transportation) ► Private, only accessible through specific SIM cards ► Securer but more expensive ► E.g. coco-cola vending machine providing statuses on available stock
- 9. Mobile Architecture Perceived threats – End Users 1 2 3 1. 1 Mobile phone ► Information disclosure (within the application source code) ► Data stored on the device contains personal information ► Insecure passwords usage 2. 2 Communication channel ► No encryption applied on the communication channel 3. 3 Server infrastructure ► Improper session, authorization and authentication handling ► Overall weak server side controls (e.g. server side injections)
- 10. Mobile Architecture Perceived threats -Machines 1 Next to the threats described on the previous page, the machine to machine communication has another threat that is easily overlooked…. 1 1. Machines ► What if the SIM card (of the machine) is inserted in USB-3G stick? This allows access to the private APN. Which on his turn provides access to a front-end system of the owner of the private APN… From that point onwards the a similar penetration testing approach can be used to exploit the front-end device. Possible pitfalls: some SIM-cards might disallowed outgoing data traffic…
- 11. How to assess the threats General approach Mobile Device Communication channel Server side controls Objective: Identify vulnerabilities on the Objective: Identify vulnerabilities in the Objective: Identify vulnerabilities on the applications installed on the devices data communication channel. server side of the mobile application. themselves. ► Reverse engineer the binary using tools ► Verify the application uses SSL/TSL ► Perform an attack and penetration such as: whenever sensitive information is being tests similar to other web application ► Clang (static code) transmitted. tests and use the information found on ► GDB the local device to leverage your ► iDA (Pro) successes. and investigate the source code for passwords, server-side keys, … but also learn how the application works! ► Look for sensitive data in databases, logs, back-ups, cached files, … ► Verify application’s permissions ► Perform security tests similar to other web applications tests (e.g. session management, authentication management, …)
- 12. How to assess the threats Mobile device – Source code review Source code review - Android ► The downloaded package (.apk) is actually a zip containers, unzipping it will reveal the actual content. ► Loads of files including classes.dex Dex2Jar Tools used Jd-GUI Dex2jar.sh classes.dex > classes.jar Steps to be taken Open the classes.jar file in JD-GUI (or Eclipse,…)
- 13. How to assess the threats Mobile Phone – Source code review Source code review - iPhone Before starting any tests on the iOS… Make sure to jailbreak the device and install: ► OpenSSH ► Mobile terminal ► Cydia = The mother of all tools on jailbroken iPhones! App store for jailbroken iOS. ► Other Linux based tools you want… Connect your iPhone to a (wireless) hotspot and SSH to it! alpine
- 14. How to assess the threats Mobile device – Source code review Source code review – iPhone (cont.) ► Not that easy… because most Apple applications are encrypted and signed Code segments look gibberish when simply reversed ► However the downloaded file (.ipa in iTunes or .app when transferring it from the jailbroken iOS) is still a zip container, unzipping it will reveal the actual content.
- 15. How to assess the threats Mobile device – Source code review Source code review – iPhone (cont.) ► Find the application file in the container and … check that the encryption is actually on! ► LC_Encryption_info values information: ► Cryptid ► 1 if the binary is encrypted ► 0 if the binary is not encrypted ► Cryptsize is to what point the application is being encrypted ► The iPhone will auto-decrypt it when the application runs on your phone
- 16. How to assess the threats Mobile device – Source code review Source code review – iPhone (cont.) C_Encryption_info; CryptID= 1 ► Automatic: one application: Clutch ► Manual: Use a hex editor to change the value to 0 ► No clear method to find where the crypt-ID is search for /system/Library/Frameworks within the hex… can take some time… ► Run the app and dump the code using GDB ► GDB – p <PID of the application> ► Dump memory of your application based on the cryptsize. ► @CLI: dump memory app.bin <<start of application code >> our case (0X0000) to <<cryptsize>> (our case: 0X9000)
- 17. How to assess the threats Mobile device – Source code review Source code review – iPhone (cont.) C_Encryption_info; CryptID= 0 ► …When it is not on… or you used the previous steps… use IDAPro to reverse the application It stays in Assembly! objc.idc
- 18. How to assess the threats Mobile device – Source code review Source code review (cont.) – What to look for ► Passwords ► Hardcoded URL’s ► Administrator bypasses ► Input filter classes ► … Anything you would search for in a normal reverse engineering test…
- 19. How to assess the threats Mobile Phone - Sensitive files Data stored on the device Applications store data on various locations: ► SQLite database ► Cached data, back-ups, … ► Log files of applications Easy to find using the SSH connection, and simply inspecting them either using the “cat” command or copying them locally on your computer and opening them using a viewer you like.
- 20. How to assess the threats Mobile Phone – Application permissions Incorrect authorization set for mobile applications Each application receives permissions that need to be reviewed because: ► Applications having access to extra functions might be abused (e.g. through client slide injection) by attackers to gain hold of extra information (low likelihood) ► End-users might not install the application (medium ? Likelihood) Can be reviewed only from iOS version 6 and reviewed iOS under the ‘Privacy settings’ tab Android Stored in the Manifest File
- 21. How to assess the threats Mobile Phone – Client side injections As with normal client applications, Mobile applications might by vulnerable to injections. Set-up of the above screenshots: vulnerable app1 (downloaded from http://www.veracode.com), and it contains a basic SQL injection to bypass authentication on the application.
- 22. How to assess the threats Communication channel Proxy, Proxy and Proxy again… Each device has the possibility to proxy its traffic through a proxy: iOS Android Once set-up the tests are identical to other web applications tests.
- 23. How to assess the threats Communication channel
- 24. How to assess the threats Server side controls Again… Proxy, Proxy and Proxy again… ► Assess the back-end server as any web service you would encounter: ► WSDL Assessment ► Extracting extra information by manipulating requests ► Injection testing ► SOAP attachments ► … ► Do not forget to assess the infrastructure itself!
- 25. Recap ► Mobile applications and mobile phones are on the rise ► Machine 2 machine is on the rise ► But malware is on the rise to capture sensitive files!
- 26. Ernst & Young Tim Beyens Assurance | Tax | Transactions | Advisory Tel.: +32 2 774 91 81 2013 Ernst & Young Transaction Advisory Services Mobile: +32 495 743 592 All rights reserved. Email: tim.beyens@be.ey.com About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com/be. Follow us: twitter.com/EY_Belgium