Is Your Mobile App Secure?
1 like867 views
The document discusses mobile application security, emphasizing the vulnerabilities in Android apps, such as the ability to sideload apps and the weaknesses of app signing. It covers the risks of decompiling apps to insert malicious code and highlights incidents like the DroidDream malware, which affected users through repackaged legitimate apps. Various countermeasures against these attacks, including the use of obfuscation techniques and the dangers of broken SSL in medical applications, are also presented.
Is Your Mobile App Secure?
- 1. Slides and projects at samsclass.info Is Your Mobile App Secure? DEF CON 23 Wall of Sheep Sat., Aug 8, 2015 3 pm Sam Bowne City College San Francisco
- 2. Slides and projects at samsclass.info Adding Trojans to Apps
- 3. Slides and projects at samsclass.info Android is #1 • 80% market share in 2014 – Link Ch 4a
- 4. Slides and projects at samsclass.info App Signing • All apps must be signed to be installed, BUT – Android allows self-signed certificates • Google Play is the "official" app store, BUT – Google doesn't police it well – Apps can be installed from email, Web pages, etc.
- 5. Slides and projects at samsclass.info Android Debug Bridge • Command-line tool • Allows you to communicate with a mobile device via a USB cable or an SVD running within an emulator • Connects to device's daemon running on TCP port 5037
- 6. Slides and projects at samsclass.info Useful ADB Commands • push – Copies a file from your computer to the mobile device • pull – Copies a file from the mobile device to your computer • logcat – Shows logging information on the console – Useful to see if an app or the OS is logging sensitive information
- 7. Slides and projects at samsclass.info Useful ADB Commands • install – Copies an application package file (APK) to the mobile device and installs the app – Useful for side-loading apps (so you don't have to use Google Play) • shell – Starts a remote shell on the mobile device – Allows you to execute arbitrary commands
- 8. Slides and projects at samsclass.info Decompiling and Disassembly
- 9. Slides and projects at samsclass.info Static Analysis • Source code is generally kept confidential by app developers • A binary, compiled app can be analyzed by disassembling or decompiling them, into – Smali assembly code (used by Dalvik VM), or – Java code
- 10. Slides and projects at samsclass.info
- 11. Slides and projects at samsclass.info TD Ameritrade • No obfuscation
- 12. Slides and projects at samsclass.info Bank of America • ProGuard Free Obfuscator – Worthless
- 13. Slides and projects at samsclass.info Java v. Smali Code
- 14. Slides and projects at samsclass.info Building & Signing an App
- 15. Slides and projects at samsclass.info Monitoring the Log
- 16. Slides and projects at samsclass.info ./adb logcat • Much better way to monitor log • Filter with grep
- 17. Slides and projects at samsclass.info Attacks via Decompiling and Disassembly • Insert Trojan code, like keyloggers • Find encryption methods & keys • Change variables to bypass client-side authentication or input validation • Cheat at games
- 18. Slides and projects at samsclass.info • Link Ch 4z43
- 19. Slides and projects at samsclass.info Step-by-Step: Bank of America
- 20. Slides and projects at samsclass.info Step-by-Step: Bank of America
- 21. Slides and projects at samsclass.info Step-by-Step: Bank of America
- 22. Slides and projects at samsclass.info Step-by-Step: Bank of America
- 23. Slides and projects at samsclass.info DEMO: Bank of America
- 24. Slides and projects at samsclass.info DEMO: The Bancorp
- 25. Slides and projects at samsclass.info DEMO: Capital One
- 26. Slides and projects at samsclass.info DEMO: SunTrust • Konylabs • Capture HTTP Parameters
- 27. Slides and projects at samsclass.info DEMO: TradeKing • App is patched! • "Verifier" detects the Trojan
- 28. Slides and projects at samsclass.info DroidDream (2011) • Was primarily distributed by the Google Play store • Legitimate apps were repackaged to include DroidDream and then put back in the Play store
- 29. Slides and projects at samsclass.info Google's Response • Google removed the repackaged apps from the Play Store • But 50,000 – 200,000 users were already infected
- 30. Slides and projects at samsclass.info Google Application Verification Service • Launched in 2012 • Tries to detect malicious apps • Much less effective than 3rd-party AV – Link Ch 5e
- 31. Slides and projects at samsclass.info Decompiling, Disassembly, and Repackaging Countermeasures • Every binary can be reverse-engineered – Given enough time and effort • Never store secrets on the client-side • Never rely on client-side authentication or client-side validation • Obfuscate source code – ProGuard (free) or Arxan (commercial)
- 32. Slides and projects at samsclass.info DashO – Powerful Obfuscator
- 33. Slides and projects at samsclass.info All Strings Concealed • BUT it costs $2000
- 34. Slides and projects at samsclass.info
- 35. Slides and projects at samsclass.info Broken SSL Repeating Old Work
- 36. Slides and projects at samsclass.info CERT's Test in 2014 • 23,667 vulnerable apps • All warned in 2014 by CERT
- 37. Slides and projects at samsclass.info Still Vulnerable
- 38. Slides and projects at samsclass.info Simple SSL Test • Route Android traffic through Burp Proxy • Don't install the PortSwigger root certificate • This is a MITM attack • The default browser detects it
- 39. Slides and projects at samsclass.info DEMO: PicsArt (100 Million)
- 40. Slides and projects at samsclass.info DEMO: InstaChat(100 Million)
- 41. Slides and projects at samsclass.info DEMO: OKCupid – FIXED!
- 42. Slides and projects at samsclass.info DEMO: Safeway (1 Million)
- 43. Slides and projects at samsclass.info DEMO: Safeway (1 Million)
- 44. Slides and projects at samsclass.info Broken SSL Medical Apps
- 45. Slides and projects at samsclass.info CERT found 265 Vulnerable Medical Apps
- 46. Slides and projects at samsclass.info HIPAA
- 47. Slides and projects at samsclass.info My Repeat of CERT Tests
- 48. Slides and projects at samsclass.info DEMO: GenieMD
- 49. Slides and projects at samsclass.info DEMO: LowestMed corporate
- 50. Slides and projects at samsclass.info LowestMed Response • Phone call to President of CCSF threatening a lawsuit • After I contacted their lawyer, he told me that there is no PII in the app beyond this point, so it is not a covered entity under HIPAA
- 51. Slides and projects at samsclass.info Broken SSL Testing New Apps
- 52. Slides and projects at samsclass.info Responsible Disclosure • I need to give these guys time to respond, so most of them are still confidential • I can discuss one, because they fixed it really fast!
- 53. Slides and projects at samsclass.info Blue Cross Blue Shield of North Carolina
- 54. Slides and projects at samsclass.info Leaked Blue Cross Credentials • Also leaked Facebook, Twitter, and YouTube credentials
- 55. Slides and projects at samsclass.info Fixed in Two Days • New version refuses to use invalid SSL certificates
- 56. Slides and projects at samsclass.info Security Products
- 57. Slides and projects at samsclass.info AIG MobileGuard Security app required for insurance coverage Removed from Google Play after my reports
- 58. Slides and projects at samsclass.info Already Trojaned ☺
- 59. Slides and projects at samsclass.info Local Storage of Sensitive Data Security Question Security Answer PIN
- 60. Slides and projects at samsclass.info DEMO: MobileSuperHero (10,000) • Logs the PIN • Last update 12-13-12
- 61. Slides and projects at samsclass.info DEMO: Virgin Mobile Rescue (100,000) • Logs the PIN • Last update 7-22-13 • Must uninstall Mobile Superhero to use it
- 62. Slides and projects at samsclass.info DEMO: Rebound (50) • Logs the PIN • Last update 7-16-13
- 63. Slides and projects at samsclass.info DEMO: Rebound Mobile Security (50) • Logs the PIN • Last updated 11-7-2013