Mobile security part 2

Mobile
Security
part-2
iOS apps
Pen-
testing
Null Mumbai
PuliyaWorkshop
27 January 2018
RomanshYadav
copyright 2018 | Romansh Yadav | All right reserved.

Content
What is mobile
Security
Types of mobile
security
what is ios
iOS secuirty
architecture
Process of app
development.
Android apps file
structure.
Tools for the app
pen testing setup a lab owasp top 10
Power of Drozer MobSF

The power of
smart phone
.
• Smartphones have change our life.As IOT is coming the
number of smartphone uses will increased.
• Smartphone is like our new part of body.
• Company know the next market of business will be IOT
devices.
• Here mobile apps play a great role.
• You need to make sure you customer can use your
mobile apps with confidence.

What is mobile security
• Mobile application security testing can help ensure there aren’t any
loopholes in the software that may cause data loss.
• The sets of tests are meant to attack the app to identify possible
threats and vulnerabilities that would allow external persons or
systems to access private information stored on the mobile device.

Types of mobile apps security testing
• Static mobile apps security testing.
• Dynamic mobile apps security testing.

Static mobile apps security testing
• In the static mobile apps security testing ,we do testing when the code is in
rest mode.
• We review the source code and check hashing algorithm used in the code.
• We analysis the manifest.xml file.

Dynamic mobile apps security testing
• In the dynamic testing we do testing when the app is running or we can say
at the run time label.
• We analysis the flow and try to call the activity and many more .

Platform
for mobile
security
testing
iOS Windows Android Blackberry etc

What is iOS
iOS is a mobile operating system
created and developed by Apple Inc.
exclusively for its hardware.
• Lasted version 11.2.5
• Written in C.C++,objective
C,swift,initial release june 2007
•

iOS Security architecture
• Software
• -Hardware key
• -App sandbox
• -user Partition
• -kernel
• Hardware
• -crypto Enging
• -Device Key
• -Group key
• -Apple root Certificate

iOs IDE • An Integrated Development Environment (IDE) is a
software application that provides comprehensive
facilities to computer programmers for software
development
•X-code

BasicTools for iOS apps
Pen testing
• Brup suite
• putil
• otool
• cycript
•

Vulnerable apps
DVIA
http://damnvulnerableiosapp.com
•

Insecure data storage

• Core data
• Plist
• keyChain
• NSUserDefaults
• Webkit Caching

coredata
• Sqlite is a file based database.
• Install sqlite client
• find . -name *.db
• find . -name *.sqlite3

plist
• use to store application and user setting
• Plutil is a tool for inspect the file and convert it into human readable format.
• Data is serliazed
• /var/mobile/Library/Caches
• find . -name *.plist
• vim com.apple.mobile.installation.plist
• Plutil –convert xml1 com.apple.mobile.installation.plist
• Cat com.apple.mobile.installation.plist

Keychain
• Data is encrypted.
• Secure password, tokes,certificated.
• Keychain_dumper

Jailbreak Detection

• Once a device is jailbroken, a lot of other files and applications are installed
on the devcice. Checking for these files in the filesystem can help us identify
whether the device is jailbroken or not.
• Dump the class information of this app.
• class-dump DamnVulnerableIOSApp

Demo
• Ps aux | grep “damn”
• Cycript -p pid
• UIApp
• JailbreakDetectionVC.messages['isJailbroken'] = function () {return NO};

Runtime Manipulation

• We can bypass the login page via runtime manipulation.
• Let's ssh into our device and hook into our application using cycript.
•

Demo
• Ps aux | grep “damn”
• Cycript -p pid
• UIApp
• RuntimeManipulationDetailsVC.messages['isLoginValidated'] = function()
{return
• YES};

Side channel data
Leakage

• This vulnerability also called the logging based vulnerability.
• This is a mistake on the part of the developer. Such logs should be removed
before submitting an application to
• the app store as it might reveal important information. Optionally, the user
should enable logs only when the
• application is being run in the debug mode.
-snapshots path : -/var/mobile/Library/Caches/Snapshots

Insufficient transport layer
protection

• Transfer data from client to server in plain text.
• Now a days most application prefer to send data over Secure Channel to
prevent interception and leaking to an malicious user.
• We can check this kind of vulnerability by any proxy tool.
• We will use burpsuite.

• Now we are going to set a proxy in our ios device.

For https traffic
• For https traffic we have to install the burp self sign certificate.
•

SSl Certificate Pinning
• It means hard-coding the certificate known to be used by the server in the
mobile application.The app can then ignore the device’s trust store and rely
on its own, and allow only SSL connections to hosts signed with certificates
stored inside the application.

client side injection

• Sql injection-simple as we used in web application(Boolean based )
• JavaScript Injection: - If you have yourGoogle account attached to device
• then you can use your Google account inAndroid Browser without
authentication.
•

• <script>alert(1)</script>
• <script>document.location='tel://1123456789'</script>
• <script>document.location='twitter://post?message=Hello%20World'</scrip
t>.
• In this case you must
make sure that the twitter application is installed on your device.

Conclusion

• Owasp top 10
• Burp suite
• Cycript
• Class-dump
• Plutil
• otool

Mobile security part 2

More Related Content

What's hot (20)

Similar to Mobile security part 2 (20)

Recently uploaded (20)

Mobile security part 2