SlideShare a Scribd company logo

Pentesting Mobile Applications (Prashant Verma)

ClubHack, profile picture
ClubHack

The document discusses penetration testing (pentesting) for mobile applications, covering both Android and iOS architectures, data storage, traffic capturing, and application reversal techniques. It highlights critical vulnerabilities and risks in mobile applications, including malware threats and insecure data handling practices. Best practices for securing mobile applications are also provided, such as encrypting data and avoiding hardcoding sensitive information.

Technology
1 of 34
Downloaded 355 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Pentesting Mobile Applications Prashant Verma Security Consultant & Competency Lead
Target Mobile
Types of Mobile Applications • Browser based Mobile Applications (WAP) • Installed Applications
Android architecture • DVM • ~JVM • dex files • Sandboxing • Apps run with its user, group • Apps may share data, if run with same user
iOS Architecture  Core OS & Core Services – Low level file handling, network Sockets etc. Include Technologies like Core Foundation, CFNetwork, SQLite etc Written in C  Media Layer – Supports audio and 2D and 3D video  Cocoa Touch Layer – Provides infrastructure used by applications. Contains the UIKit Framework Written in Objective-C
Pentesting Mobile Applications • Reading Stored Data • Capturing Requests • Reversing the Application Package • Platform Specific Issues
Reading Stored Data
Reading Stored Data • Mobile applications store data in local memory of handset • This data is stored by developers in files locally and is used by the application • Look out for the persistent stored information in the mobiles for sensitive data (pwd, keys, account details etc.) • This may involve hacking / jailbreaking the phone
Reading Stored Data: Android • Android Applications store the data in directory /data/data/[PACKAGE_NAME] • sharedpreferences • Context.MODE_PRIVATE • Context.MODE_WORLD_READABLE • Context.MODE_WORLD_WRITEABLE • Files may be stored using the filesystem at /data/data/[PACKAGE_NAME]/files/filenam • Storage in the SQLite databases • Can be read using SQLite browser
Reading Stored Data: Android • Demo 1 • Let us see how the stored data can be accessed in an Android phone • <Connect the phone via USB debugging mode, show the storage directory in Android, browser to show the different storage formats, read the files, read the databases using SQLite browser>
Reading Stored Data: iOS • iPhone too stores the data in the application directory • /private/var/mobile/Applications/ApplicationID/ • Plist files ..can be read using • Property List Editor • plutil • Sqlite databases • Same procedure to read as Android
Capturing the Traffic
Capturing The Traffic • Capture HTTP requests & responses • Carry out Parameter Manipulation and other attacks • Set up a proxy in between the server & the client to intercept. • This can be achieved by • Proxying the real devices • Proxying the emulators
Capturing The Traffic : Android • Proxying Android Device • Root your phone  • Install Superuser • Install a proxy tool like ProxyDroid or Auto Proxy • Set the proxy IP address & port no. • Emulators can also be proxied
Capturing The Traffic
Capturing The Traffic : iPhones • Proxying Apple iPhone / iPAD • Setup a proxy ipaddress and port for the wifi connection • Entire traffic is routed through this proxy • Proxying Simulators • Open the Simulator within the xcode IDE • GUI option to set proxy ipaddress and port
Capturing The Traffic: iPhones • Demo 2 • Let us now see how to proxy an iPhone device to capture the traffic • <connect the phone & laptop to the wifi, setup laptop as proxy for the phone, show the captured traffic in the laptop, demonstrate the parameter manipulation attack>
Capturing The Traffic: iPhones
Reversing the Application Package
Reversing the Application Package • Reverse Engineer the application logic and source code • Identify the flaws in the code base to exploit them • Look for sensitive data like passwords, encryption algorithms and keys • Nokia jar files & Android apk packages are easy to reverse
Reversing the Android Package • Two step process • apk to dex conversion • dex to java conversion
Reversing the Android Package • Demo 3 • Let us now see how to reverse engineer an Android application package • <Take a .apk Android Package, demonstrate the reversing process to convert it to readable java files, show the sample vulnerability in the java file>
Platform Specific Issues
Platform Specific Issues • Android the prime target of malwares • ZITMO • Android Market had malicious apps • Apple iOS • iOS URL Schemes • Screenshot Caching issue
Malware: ZITMO • User logs in to his banking application • ZITMO, in background, listens to the incoming SMS • ZITMO obtains the SMS • ZITMO forwards the SMS to the attacker’s web address • SMS contains the one time password (the second factor of the two factor authentication) • Attacker can use it to bypass the two factor authentication
Android Market • Recently, Google Android Market was in news for distributing Malicious Applications • Google had to remove these infected applications from the Market • Lack of Proper Vetting Process by Google, as opposed to Apple App Store • Experts have advised Google for establishing the same
iOS URL Schemes • iOS URL schemes • URL schemes are used for web server connections, without additional parameters • This involves sending the required parameters in the URL, which makes it a vulnerable implementation • Sometimes username-password is also send this way • Prefer other implementations, if easily possible without URL schemes
iOS Screenshot Caching • Whenever users press the Home button while using an Application • iOS takes screenshot of application • This is required for the zoom-out animation while leaving the app • This same screenshot used to simulate zoom-in animation while returning to app • This is store in the device memory and can be used by anyone having access to rooted device • Black out the View whenever Home button is pressed while using the application.
Securing Mobile Applications
Security Best Practices • Do not hardcode sensitive information • Do not store sensitive information locally • If required to be stored, do not store at easily readable location like memory card. • Encrypt the stored data • Implement SSL • Protect the webserver against application layer attacks
Security Best Practices • Sanitize inputs, use prepared statements (protection against client side injection) • Implement Proper Authentication. Do not use UDID or other hardware IDs for auth. • Prefer encryption over encoding or obfuscation
OWASP Mobile Top 10 Risks
References • Android official documentation • Apple iOS code guide • OWASP Mobile Top 10 Project • Palisade – The application security magazine • GoatDroid Project • iGoat Project
Thank you Prashant Verma Security Consultant & Competency Lead verma.prashantkumar@gmail.com

More Related Content

PDF
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
PPTX
Android pen test basics
OWASPKerala
 
PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PDF
Hacking android apps by srini0x00
srini0x00
 
PPT
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
PDF
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Android pen test basics
OWASPKerala
 
Pentesting Android Apps
Abdelhamid Limami
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Hacking android apps by srini0x00
srini0x00
 
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 

What's hot (20)

PDF
Security testing in mobile applications
Jose Manuel Ortega Candel
 
PDF
My Null Android Penetration Session
Avinash Sinha
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PDF
Android Hacking
antitree
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PDF
Mobile Hacking
Novizul Evendi
 
PDF
Hacking your Android (slides)
Justin Hoang
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
PDF
Android Security Development
hackstuff
 
PDF
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
PDF
iOS Application Penetration Testing
n|u - The Open Security Community
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PPTX
iOS Security and Encryption
Urvashi Kataria
 
PDF
I Want More Ninja – iOS Security Testing
Jason Haddix
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PDF
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
PPTX
Owasp mobile top 10
Pawel Rzepa
 
PDF
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
PDF
Android system security
Chong-Kuan Chen
 
Security testing in mobile applications
Jose Manuel Ortega Candel
 
My Null Android Penetration Session
Avinash Sinha
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Android Hacking
antitree
 
Hacking Mobile Apps
Sophos Benelux
 
Android Hacking + Pentesting
Sina Manavi
 
Mobile Hacking
Novizul Evendi
 
Hacking your Android (slides)
Justin Hoang
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
Android Security Development
hackstuff
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
iOS Application Penetration Testing
n|u - The Open Security Community
 
[Wroclaw #1] Android Security Workshop
OWASP
 
iOS Security and Encryption
Urvashi Kataria
 
I Want More Ninja – iOS Security Testing
Jason Haddix
 
Android Security & Penetration Testing
Subho Halder
 
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
Owasp mobile top 10
Pawel Rzepa
 
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
Android system security
Chong-Kuan Chen
 
Ad

Viewers also liked (7)

PDF
Mobile Penetration Testing: Episode II - Attack of the Code
NowSecure
 
PDF
Gursev kalra _mobile_application_security_testing - ClubHack2009
ClubHack
 
PPT
iOS Application Pentesting
n|u - The Open Security Community
 
PPTX
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
PPTX
Pentesting iOS Applications
jasonhaddix
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Mobile Penetration Testing: Episode II - Attack of the Code
NowSecure
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
ClubHack
 
iOS Application Pentesting
n|u - The Open Security Community
 
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Pentesting iOS Applications
jasonhaddix
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Ad

Similar to Pentesting Mobile Applications (Prashant Verma) (20)

PDF
Info security - mobile approach
EY Belgium
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PDF
CNIT 128 8: Mobile development security
Sam Bowne
 
PPTX
Virtue Security - The Art of Mobile Security 2013
Virtue Security
 
PPTX
Pentesting iPhone applications
Satish b
 
PDF
Mobile Application Security Code Reviews
Denim Group
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
PPTX
Building a Mobile Security Program
Denim Group
 
PDF
Designing Secure Mobile Apps
Denim Group
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
PPT
Mobile Apps Security
Xavier Mertens
 
PDF
A tale of mobile threats
Vincenzo Iozzo
 
PDF
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
PPTX
Android Security and Peneteration Testing
Surabaya Blackhat
 
PDF
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
Cellebrite
 
PPTX
How iOS and Android Handle Security Webinar
Denim Group
 
PPTX
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
PDF
Les 10 risques liés aux applications mobiles
Bee_Ware
 
Info security - mobile approach
EY Belgium
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
CNIT 128 8: Mobile development security
Sam Bowne
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security
 
Pentesting iPhone applications
Satish b
 
Mobile Application Security Code Reviews
Denim Group
 
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
Building a Mobile Security Program
Denim Group
 
Designing Secure Mobile Apps
Denim Group
 
Mobile application security
Shubhneet Goel
 
Mobile Application Security
Ishan Girdhar
 
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
Mobile Apps Security
Xavier Mertens
 
A tale of mobile threats
Vincenzo Iozzo
 
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
Android Security and Peneteration Testing
Surabaya Blackhat
 
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
Cellebrite
 
How iOS and Android Handle Security Webinar
Denim Group
 
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
Les 10 risques liés aux applications mobiles
Bee_Ware
 

More from ClubHack (20)

PDF
India legal 31 october 2014
ClubHack
 
PPTX
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
 
PPT
Cyber Insurance
ClubHack
 
PPTX
Summarising Snowden and Snowden as internal threat
ClubHack
 
PPTX
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
 
PDF
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
PDF
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
PPTX
Smart Grid Security by Falgun Rathod
ClubHack
 
PPTX
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
PPT
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
PDF
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
PPTX
Critical Infrastructure Security by Subodh Belgi
ClubHack
 
PPTX
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
ClubHack
 
PDF
XSS Shell by Vandan Joshi
ClubHack
 
PDF
Clubhack Magazine Issue February 2012
ClubHack
 
PDF
ClubHack Magazine issue 26 March 2012
ClubHack
 
PDF
ClubHack Magazine issue April 2012
ClubHack
 
PDF
ClubHack Magazine Issue May 2012
ClubHack
 
PDF
ClubHack Magazine – December 2011
ClubHack
 
India legal 31 october 2014
ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
 
Cyber Insurance
ClubHack
 
Summarising Snowden and Snowden as internal threat
ClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
Smart Grid Security by Falgun Rathod
ClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Critical Infrastructure Security by Subodh Belgi
ClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
ClubHack
 
XSS Shell by Vandan Joshi
ClubHack
 
Clubhack Magazine Issue February 2012
ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack
 
ClubHack Magazine issue April 2012
ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack
 
ClubHack Magazine – December 2011
ClubHack
 

Recently uploaded (20)

PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
KodekX | Application Modernization Development
KodekX
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Cloud computing and distributed systems.
kkkkkhan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

Pentesting Mobile Applications (Prashant Verma)

  • 1. Pentesting Mobile Applications Prashant Verma Security Consultant & Competency Lead
  • 3. Types of Mobile Applications • Browser based Mobile Applications (WAP) • Installed Applications
  • 4. Android architecture • DVM • ~JVM • dex files • Sandboxing • Apps run with its user, group • Apps may share data, if run with same user
  • 5. iOS Architecture  Core OS & Core Services – Low level file handling, network Sockets etc. Include Technologies like Core Foundation, CFNetwork, SQLite etc Written in C  Media Layer – Supports audio and 2D and 3D video  Cocoa Touch Layer – Provides infrastructure used by applications. Contains the UIKit Framework Written in Objective-C
  • 6. Pentesting Mobile Applications • Reading Stored Data • Capturing Requests • Reversing the Application Package • Platform Specific Issues
  • 8. Reading Stored Data • Mobile applications store data in local memory of handset • This data is stored by developers in files locally and is used by the application • Look out for the persistent stored information in the mobiles for sensitive data (pwd, keys, account details etc.) • This may involve hacking / jailbreaking the phone
  • 9. Reading Stored Data: Android • Android Applications store the data in directory /data/data/[PACKAGE_NAME] • sharedpreferences • Context.MODE_PRIVATE • Context.MODE_WORLD_READABLE • Context.MODE_WORLD_WRITEABLE • Files may be stored using the filesystem at /data/data/[PACKAGE_NAME]/files/filenam • Storage in the SQLite databases • Can be read using SQLite browser
  • 10. Reading Stored Data: Android • Demo 1 • Let us see how the stored data can be accessed in an Android phone • <Connect the phone via USB debugging mode, show the storage directory in Android, browser to show the different storage formats, read the files, read the databases using SQLite browser>
  • 11. Reading Stored Data: iOS • iPhone too stores the data in the application directory • /private/var/mobile/Applications/ApplicationID/ • Plist files ..can be read using • Property List Editor • plutil • Sqlite databases • Same procedure to read as Android
  • 13. Capturing The Traffic • Capture HTTP requests & responses • Carry out Parameter Manipulation and other attacks • Set up a proxy in between the server & the client to intercept. • This can be achieved by • Proxying the real devices • Proxying the emulators
  • 14. Capturing The Traffic : Android • Proxying Android Device • Root your phone  • Install Superuser • Install a proxy tool like ProxyDroid or Auto Proxy • Set the proxy IP address & port no. • Emulators can also be proxied
  • 16. Capturing The Traffic : iPhones • Proxying Apple iPhone / iPAD • Setup a proxy ipaddress and port for the wifi connection • Entire traffic is routed through this proxy • Proxying Simulators • Open the Simulator within the xcode IDE • GUI option to set proxy ipaddress and port
  • 17. Capturing The Traffic: iPhones • Demo 2 • Let us now see how to proxy an iPhone device to capture the traffic • <connect the phone & laptop to the wifi, setup laptop as proxy for the phone, show the captured traffic in the laptop, demonstrate the parameter manipulation attack>
  • 20. Reversing the Application Package • Reverse Engineer the application logic and source code • Identify the flaws in the code base to exploit them • Look for sensitive data like passwords, encryption algorithms and keys • Nokia jar files & Android apk packages are easy to reverse
  • 21. Reversing the Android Package • Two step process • apk to dex conversion • dex to java conversion
  • 22. Reversing the Android Package • Demo 3 • Let us now see how to reverse engineer an Android application package • <Take a .apk Android Package, demonstrate the reversing process to convert it to readable java files, show the sample vulnerability in the java file>
  • 24. Platform Specific Issues • Android the prime target of malwares • ZITMO • Android Market had malicious apps • Apple iOS • iOS URL Schemes • Screenshot Caching issue
  • 25. Malware: ZITMO • User logs in to his banking application • ZITMO, in background, listens to the incoming SMS • ZITMO obtains the SMS • ZITMO forwards the SMS to the attacker’s web address • SMS contains the one time password (the second factor of the two factor authentication) • Attacker can use it to bypass the two factor authentication
  • 26. Android Market • Recently, Google Android Market was in news for distributing Malicious Applications • Google had to remove these infected applications from the Market • Lack of Proper Vetting Process by Google, as opposed to Apple App Store • Experts have advised Google for establishing the same
  • 27. iOS URL Schemes • iOS URL schemes • URL schemes are used for web server connections, without additional parameters • This involves sending the required parameters in the URL, which makes it a vulnerable implementation • Sometimes username-password is also send this way • Prefer other implementations, if easily possible without URL schemes
  • 28. iOS Screenshot Caching • Whenever users press the Home button while using an Application • iOS takes screenshot of application • This is required for the zoom-out animation while leaving the app • This same screenshot used to simulate zoom-in animation while returning to app • This is store in the device memory and can be used by anyone having access to rooted device • Black out the View whenever Home button is pressed while using the application.
  • 30. Security Best Practices • Do not hardcode sensitive information • Do not store sensitive information locally • If required to be stored, do not store at easily readable location like memory card. • Encrypt the stored data • Implement SSL • Protect the webserver against application layer attacks
  • 31. Security Best Practices • Sanitize inputs, use prepared statements (protection against client side injection) • Implement Proper Authentication. Do not use UDID or other hardware IDs for auth. • Prefer encryption over encoding or obfuscation
  • 32. OWASP Mobile Top 10 Risks
  • 33. References • Android official documentation • Apple iOS code guide • OWASP Mobile Top 10 Project • Palisade – The application security magazine • GoatDroid Project • iGoat Project
  • 34. Thank you Prashant Verma Security Consultant & Competency Lead verma.prashantkumar@gmail.com