SlideShare a Scribd company logo

Mobile Penetration Testing: Episode II - Attack of the Code

NowSecure, profile picture
NowSecure

The document provides an overview of mobile security challenges, particularly concerning data in transit and server-side vulnerabilities. It discusses technical issues like insecure communication, authentication flaws, and presents suggested tools for back-end testing, such as mitmproxy and Wireshark. Additionally, it emphasizes the importance of understanding the differences between authentication and authorization, as well as the risks associated with improper session handling.

Technology
Related topics:
Mobile Security Insights
1 of 30
Downloaded 76 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode II RETURN OF THE BACK-END/NETWORK
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode II RETURN OF THE NETWORK/BACK-END Episode I THE FORENSIC MENACE Episode III ATTACK OF THE CODE
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Connect Twitter: @NowSecureMobile — Subscribe to #MobSec5, our weekly mobile security news digest http://mobsec5.nowsecure.com/ — Web: nowsecure.com
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Michael Krueger Solutions Engineer | NowSecure
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents ● The Trilogy series overview ● Data-in-transit ● Server-side security ● Suggested tools to get started
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Mobile forensics & data recovery Network, web services & API testing Server-side penetration testing Reverse engineering & code analysis
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. “I can show you the ways of the [Force data in transit].” — Kylo Ren https://milnersblog.com/tag/the-characters-of-star-wars-the-force-awakens/
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Data in transit concerns ● Insecure communication ○ Certificate validation issues ○ Privacy leakage ● Insecure authentication ● Insecure authorization ○ Server accepting/responding to requests without authorization ○ Client-based authorization decisions
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Man-in-the-middle (MITM) ● Secretly intercept (modify) communications between systems believing they are communicating directly ● Aims to circumvent mutual authentication (or lack thereof) ● Use it to test for potential vulnerabilities and validate that app sends proper requests/intended data Who are you really talking to? Original connection Victim Attacker Presents fake certificate Server
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Lack of certificate validation Don’t implement your own crypto! It still happens because developers want to accept self-signed certificates or because code implementation is too complex
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mitmproxy basic setup Device 192.168.10.15 Gateway set to 192.168.10.66 192.168.10.1 Server Laptop w/ mitmproxy Listening at ports 80 & 443 192.168.10.66 Mitmproxy CA certificate (optional)
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Android handset gateway configuration
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. IP forwarding 1 2 3 sysctl - w net.ipv4.ip_forward = 1 iptables - t nat - A PREROUTING - i eth0 - p tcp--dport 80 - j REDIRECT--to - port 8080 iptables - t nat - A PREROUTING - i eth0 - p tcp--dport 443 - j REDIRECT--to - port 8080
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Looking for HTTPS traffic
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Privacy leakage ● Email address ● Username/password ● Phone number ● IMEI/IMSI ● Home address ● And so much more See: “Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps” http://jots.pub/a/2015103001/ Sharing more than you intend Sharing of sensitive data by Android apps (left) to domains (right)
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Authentication vs. authorization Do you know the difference? Authentication The process of sending credentials in an attempt to connect Authorization Gaining access to a resource because configured permissions allow you access
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authentication ● Predictable session identifiers ● Failing to log users out ● Session lifetime risks ○ Sessions valid too long ○ Sessions valid across multiple channels ● Session fixation Who copied my house key???
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authorization I feel like being an administrator today.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.http://disney.wikia.com/wiki/Leia_Organa “Somebody has to save our [skins servers].” — Princess Leia
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Server-side issues ● Injection ○ SQL ○ XSS ○ Command ● Improper session handling ● Weak ciphers ● Many more...
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Weak cipher examples What do you accept? https://www.ssllabs.com/
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Weak cipher examples What do you accept?
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Intelligence Gathering ● What IP addresses does your app talk to? ● Query WHOIS to learn more about each IP address ● Use geolocation services to confirm IP address location
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Endpoint identification https://www.wireshark.org
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Suggested tools for back-end testing Rooted Android device I use a Google Nexus 5 Linux machine or VM w/ Android Studio tools May we recommend Santoku Linux? (Also, Kali Linux)
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Tools for testing Qualys SSL Labs https://www.ssllabs.com/ssltest/ Nmap https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html https://nmap.org/nsedoc/scripts/ssl-cert.html Mitmproxy http://docs.mitmproxy.org/en/stable/ Burp Suite https://support.portswigger.net/ IPFingerprints http://www.ipfingerprints.com/ Santoku Linux https://santoku-linux.com/ Wireshark https://www.wireshark.org
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Pointers to keep in mind during analysis Don’t just focus on the encrypted payload. Look at metadata. When searching for data in large files, command line tools are best: Try grep Try multiple tools. Find the one you’re most comfortable with. If you’re scanning a third-party server, get permission
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerable data exists in more than just the payload Try using both trusted and untrusted certificates when intercepting data in transit Don’t underestimate the time/effort involved in network-focused testing
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode III ATTACK OF THE CODE Thursday, January 19 11 a.m. CST / 9 a.m. PST REGISTER NOW: http://bit.ly/2gOPih8
Let’s talk NowSecure +1 312.878.1100 @NowSecureMobile www.nowsecure.com Subscribe to #MobSec5 - a digest of the week’s mobile news that matters - http://mobsec5.nowsecure.com/

More Related Content

PDF
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
PDF
How Android and iOS Security Enhancements Complicate Threat Detection
NowSecure
 
PDF
Mobile Penetration Testing: Episode III - Attack of the Code
NowSecure
 
PDF
How to make Android apps secure: dos and don’ts
NowSecure
 
PDF
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
viaForensics
 
PDF
Via forensics thotcon-2013-mobile-security-with-santoku-linux
viaForensics
 
PDF
The fundamentals of Android and iOS app security
NowSecure
 
PDF
It's not about you: Mobile security in 2016
NowSecure
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
How Android and iOS Security Enhancements Complicate Threat Detection
NowSecure
 
Mobile Penetration Testing: Episode III - Attack of the Code
NowSecure
 
How to make Android apps secure: dos and don’ts
NowSecure
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
viaForensics
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
viaForensics
 
The fundamentals of Android and iOS app security
NowSecure
 
It's not about you: Mobile security in 2016
NowSecure
 

What's hot (20)

PDF
OWASP Mobile Top 10
NowSecure
 
PDF
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
PDF
How to scale mobile application security testing
NowSecure
 
PDF
Five mobile security challenges facing the enterprise
NowSecure
 
PPTX
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
PDF
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
PDF
Mobile Hacking
Novizul Evendi
 
PPTX
Communication security 2021
MuhammadusmanRana10
 
PDF
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
PDF
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
PDF
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
PDF
Lookout pegasus-android-technical-analysis
Andrey Apuhtin
 
PDF
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
NowSecure
 
PDF
Webinar: Insights from Cyren's 2016 cyberthreat report
Cyren, Inc
 
PDF
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
PPTX
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
PDF
Webinar: Is your web security broken? - 10 things you need to know
Cyren, Inc
 
PPTX
CeBIT 2015 Presentation
Cyren, Inc
 
PDF
Webinar: IT security at SMBs: 2016 benchmarking survey
Cyren, Inc
 
PPTX
The Threat Landscape in the Era of Directed Attacks - Webinar
Kaspersky
 
OWASP Mobile Top 10
NowSecure
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
How to scale mobile application security testing
NowSecure
 
Five mobile security challenges facing the enterprise
NowSecure
 
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Mobile Hacking
Novizul Evendi
 
Communication security 2021
MuhammadusmanRana10
 
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
Lookout pegasus-android-technical-analysis
Andrey Apuhtin
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
NowSecure
 
Webinar: Insights from Cyren's 2016 cyberthreat report
Cyren, Inc
 
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
Webinar: Is your web security broken? - 10 things you need to know
Cyren, Inc
 
CeBIT 2015 Presentation
Cyren, Inc
 
Webinar: IT security at SMBs: 2016 benchmarking survey
Cyren, Inc
 
The Threat Landscape in the Era of Directed Attacks - Webinar
Kaspersky
 
Ad

Similar to Mobile Penetration Testing: Episode II - Attack of the Code (20)

PDF
The Datacenter Network You Wish You Had
Jeremy Schulman
 
PDF
The Datacenter Network You Wish You Had: It's yours for the taking.
All Things Open
 
PDF
Cybersecurity Fundamentals for Bar Associations
NowSecure
 
PDF
The Slow Death of Passwords
ForgeRock Identity Tech Talks
 
PDF
Identity Relationship Management - The Right Approach for a Complex Digital W...
ForgeRock
 
PDF
Security & Identity for the Internet of Things Webinar
ForgeRock
 
PPTX
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
PDF
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
PDF
Pas d'IoT sans Identité!
Leonard Moustacchis
 
PDF
IOT Networks
Marc Nader
 
PDF
Recovering Your Customers From Ransomware Without Paying Ransom
Solarwinds N-able
 
PDF
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Canada
 
PPTX
Backstage Tour of Identity - London Identity Summit
ForgeRock
 
PDF
[IGC2018] 잔디소프트 윤세민 - HTML5 게임 어디까지 가능한가
강 민우
 
PDF
Hacking intranet websites
shehab najjar
 
PPTX
Financial Grade OAuth & OpenID Connect
Nat Sakimura
 
PDF
Security and Virtualization in the Data Center
Cisco Canada
 
PPTX
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
CODE BLUE
 
PDF
Android P Security Updates: What You Need to Know
NowSecure
 
PPTX
INTOSTREAM INTRO_2016_SEP
Sungil Woo
 
The Datacenter Network You Wish You Had
Jeremy Schulman
 
The Datacenter Network You Wish You Had: It's yours for the taking.
All Things Open
 
Cybersecurity Fundamentals for Bar Associations
NowSecure
 
The Slow Death of Passwords
ForgeRock Identity Tech Talks
 
Identity Relationship Management - The Right Approach for a Complex Digital W...
ForgeRock
 
Security & Identity for the Internet of Things Webinar
ForgeRock
 
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
Pas d'IoT sans Identité!
Leonard Moustacchis
 
IOT Networks
Marc Nader
 
Recovering Your Customers From Ransomware Without Paying Ransom
Solarwinds N-able
 
Cisco Connect Halifax 2018 Anatomy of attack
Cisco Canada
 
Backstage Tour of Identity - London Identity Summit
ForgeRock
 
[IGC2018] 잔디소프트 윤세민 - HTML5 게임 어디까지 가능한가
강 민우
 
Hacking intranet websites
shehab najjar
 
Financial Grade OAuth & OpenID Connect
Nat Sakimura
 
Security and Virtualization in the Data Center
Cisco Canada
 
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
CODE BLUE
 
Android P Security Updates: What You Need to Know
NowSecure
 
INTOSTREAM INTRO_2016_SEP
Sungil Woo
 
Ad

More from NowSecure (20)

PDF
iOS recon with Radare2
NowSecure
 
PDF
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
NowSecure
 
PDF
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
PDF
Debunking the Top 5 Myths About Mobile AppSec
NowSecure
 
PDF
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
NowSecure
 
PDF
Building a Mobile App Pen Testing Blueprint
NowSecure
 
PDF
Mobile App Security Predictions 2019
NowSecure
 
PDF
Jeff's Journey: Best Practices for Securing Mobile App DevOps
NowSecure
 
PDF
A Risk-Based Mobile App Security Testing Strategy
NowSecure
 
PDF
iOS 12 Preview - What You Need To Know
NowSecure
 
PDF
5 Tips for Agile Mobile App Security Testing
NowSecure
 
PDF
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
PDF
5 Mobile App Security MUST-DOs in 2018
NowSecure
 
PDF
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
NowSecure
 
PDF
What attackers know about your mobile apps that you don’t: Banking & FinTech
NowSecure
 
PDF
Solving for Compliance: Mobile app security for banking and financial services
NowSecure
 
PDF
Leaky Mobile Apps: What You Need to Know
NowSecure
 
PDF
Vetting Mobile Apps for Corporate Use: Security Essentials
NowSecure
 
PDF
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
NowSecure
 
PDF
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
NowSecure
 
iOS recon with Radare2
NowSecure
 
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
NowSecure
 
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
Debunking the Top 5 Myths About Mobile AppSec
NowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
NowSecure
 
Building a Mobile App Pen Testing Blueprint
NowSecure
 
Mobile App Security Predictions 2019
NowSecure
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
NowSecure
 
A Risk-Based Mobile App Security Testing Strategy
NowSecure
 
iOS 12 Preview - What You Need To Know
NowSecure
 
5 Tips for Agile Mobile App Security Testing
NowSecure
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
5 Mobile App Security MUST-DOs in 2018
NowSecure
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
NowSecure
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
NowSecure
 
Solving for Compliance: Mobile app security for banking and financial services
NowSecure
 
Leaky Mobile Apps: What You Need to Know
NowSecure
 
Vetting Mobile Apps for Corporate Use: Security Essentials
NowSecure
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
NowSecure
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
NowSecure
 

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Encapsulation theory and applications.pdf
gurumoop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Teaching material agriculture food technology
LiaRayya
 
Approach and Philosophy of On baking technology
30anthuong17
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

Mobile Penetration Testing: Episode II - Attack of the Code

  • 1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode II RETURN OF THE BACK-END/NETWORK
  • 2. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode II RETURN OF THE NETWORK/BACK-END Episode I THE FORENSIC MENACE Episode III ATTACK OF THE CODE
  • 3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Connect Twitter: @NowSecureMobile — Subscribe to #MobSec5, our weekly mobile security news digest http://mobsec5.nowsecure.com/ — Web: nowsecure.com
  • 4. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Michael Krueger Solutions Engineer | NowSecure
  • 5. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents ● The Trilogy series overview ● Data-in-transit ● Server-side security ● Suggested tools to get started
  • 6. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Mobile forensics & data recovery Network, web services & API testing Server-side penetration testing Reverse engineering & code analysis
  • 7. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. “I can show you the ways of the [Force data in transit].” — Kylo Ren https://milnersblog.com/tag/the-characters-of-star-wars-the-force-awakens/
  • 8. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Data in transit concerns ● Insecure communication ○ Certificate validation issues ○ Privacy leakage ● Insecure authentication ● Insecure authorization ○ Server accepting/responding to requests without authorization ○ Client-based authorization decisions
  • 9. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Man-in-the-middle (MITM) ● Secretly intercept (modify) communications between systems believing they are communicating directly ● Aims to circumvent mutual authentication (or lack thereof) ● Use it to test for potential vulnerabilities and validate that app sends proper requests/intended data Who are you really talking to? Original connection Victim Attacker Presents fake certificate Server
  • 10. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Lack of certificate validation Don’t implement your own crypto! It still happens because developers want to accept self-signed certificates or because code implementation is too complex
  • 11. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mitmproxy basic setup Device 192.168.10.15 Gateway set to 192.168.10.66 192.168.10.1 Server Laptop w/ mitmproxy Listening at ports 80 & 443 192.168.10.66 Mitmproxy CA certificate (optional)
  • 12. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Android handset gateway configuration
  • 13. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. IP forwarding 1 2 3 sysctl - w net.ipv4.ip_forward = 1 iptables - t nat - A PREROUTING - i eth0 - p tcp--dport 80 - j REDIRECT--to - port 8080 iptables - t nat - A PREROUTING - i eth0 - p tcp--dport 443 - j REDIRECT--to - port 8080
  • 14. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Looking for HTTPS traffic
  • 15. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Privacy leakage ● Email address ● Username/password ● Phone number ● IMEI/IMSI ● Home address ● And so much more See: “Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps” http://jots.pub/a/2015103001/ Sharing more than you intend Sharing of sensitive data by Android apps (left) to domains (right)
  • 16. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Authentication vs. authorization Do you know the difference? Authentication The process of sending credentials in an attempt to connect Authorization Gaining access to a resource because configured permissions allow you access
  • 17. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authentication ● Predictable session identifiers ● Failing to log users out ● Session lifetime risks ○ Sessions valid too long ○ Sessions valid across multiple channels ● Session fixation Who copied my house key???
  • 18. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authorization I feel like being an administrator today.
  • 19. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.http://disney.wikia.com/wiki/Leia_Organa “Somebody has to save our [skins servers].” — Princess Leia
  • 20. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Server-side issues ● Injection ○ SQL ○ XSS ○ Command ● Improper session handling ● Weak ciphers ● Many more...
  • 21. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Weak cipher examples What do you accept? https://www.ssllabs.com/
  • 22. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Weak cipher examples What do you accept?
  • 23. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Intelligence Gathering ● What IP addresses does your app talk to? ● Query WHOIS to learn more about each IP address ● Use geolocation services to confirm IP address location
  • 24. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Endpoint identification https://www.wireshark.org
  • 25. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Suggested tools for back-end testing Rooted Android device I use a Google Nexus 5 Linux machine or VM w/ Android Studio tools May we recommend Santoku Linux? (Also, Kali Linux)
  • 26. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Tools for testing Qualys SSL Labs https://www.ssllabs.com/ssltest/ Nmap https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html https://nmap.org/nsedoc/scripts/ssl-cert.html Mitmproxy http://docs.mitmproxy.org/en/stable/ Burp Suite https://support.portswigger.net/ IPFingerprints http://www.ipfingerprints.com/ Santoku Linux https://santoku-linux.com/ Wireshark https://www.wireshark.org
  • 27. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Pointers to keep in mind during analysis Don’t just focus on the encrypted payload. Look at metadata. When searching for data in large files, command line tools are best: Try grep Try multiple tools. Find the one you’re most comfortable with. If you’re scanning a third-party server, get permission
  • 28. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerable data exists in more than just the payload Try using both trusted and untrusted certificates when intercepting data in transit Don’t underestimate the time/effort involved in network-focused testing
  • 29. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode III ATTACK OF THE CODE Thursday, January 19 11 a.m. CST / 9 a.m. PST REGISTER NOW: http://bit.ly/2gOPih8
  • 30. Let’s talk NowSecure +1 312.878.1100 @NowSecureMobile www.nowsecure.com Subscribe to #MobSec5 - a digest of the week’s mobile news that matters - http://mobsec5.nowsecure.com/