SlideShare a Scribd company logo

Smart Bombs: Mobile Vulnerability and Exploitation

SecureState, profile picture
SecureState

This document discusses common vulnerabilities found in mobile applications. It begins by outlining the types of sensitive data stored on mobile devices and used by mobile apps. It then covers tools for analyzing the file system, application layer, and transport layer of mobile apps. Specific vulnerabilities are highlighted from the OWASP Mobile Top 10 list, including insecure data storage, weak server-side controls, and insufficient transport layer protection. Examples of vulnerabilities found in popular apps like Facebook, Evernote, MyFitnessPal, and LinkedIn are provided. The document concludes by emphasizing that mobile security issues go beyond just application vulnerabilities.

Technology
Related topics:
Mobile Security Insights
1 of 52
Downloaded 52 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Smart Bombs: Mobile Vulnerability and Exploitation Tom Eston
Grilled Smart Phones http://youtu.be/cir-MOzVggQ 2
Windows Mobile Wins! 3
Tom Eston • Manager, SecureState Profiling & Penetration Team • Blogger – SpyLogic.net • Infrequent Podcaster – Security Justice/Social Media Security • Zombie aficionado • I like to break new technology 4
What are we talking about today? • What’s at risk? • Tools, Testing and Exploitation • Common vulnerabilities found in popular apps (this is the fun part) • Special thanks to Kevin Johnson and John Sawyer who helped with this research! 5
What are Smart Bombs? • We’ve got powerful technology in the palm of our hands! • We store and transmit sensitive data • Mobile devices are being used by: – Major Businesses (PII) – Energy Companies (The Grid) – The Government(s) – Hospitals (PHI) – Your Mom (Scary) 6
That’s right…your Mom 7
Testing Mobile Apps • What are the three major areas for testing? – File System What are apps writing to the file system? How is data stored? – Application Layer How are apps communicating via HTTP and Web Services? SSL? – Transport Layer How are apps communicating over the network? TCP and Third-party APIs 8
OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 9
OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 10
OWASP Mobile Security Project • You should get involved! • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 11
Other Issues • Privacy of your data! – Mobile apps talk to many third party APIs (ads) – What’s collected by Google/Apple/Microsoft? 12
Common Tools • SSH • VNC server • A compiler (gcc / agcc) • Android SDK (adb!) • Xcode • iExplorer (iOS GUI file explorer) • Jailbroken iDevice • Rooted Android Device 13
File System Analysis • Forensic approach – File system artifacts – Timeline analysis – Log analysis – Temp files 14
Forensic Tools • Mobile Forensic Tools – EnCase, FTK, Cellebrite • Free and/or Open Source – file, strings, less, dd, md5sum – The Sleuthkit (mactime, mac-robber) 15
Timelines • Timelines are awesome – Anyone know log2timeline? • Filesystem – mac-robber – mactime • Logs – Application- & OS-specific 16
Temp Files 17
Viewing & Searching Files • cat, less, vi, strings, grep • SQLite files – GUI browser, API (Ruby, Python, etc) • Android apps – ashell, aSQLiteManager, aLogViewer 18
Application Layer - HTTP • Tools Used: – Burp Suite – Burp Suite – oh yeah Burp Suite! 19
Why Look at the App Layer? • Very common in mobile platforms • Many errors are found within the application – And how it talks to the back end service • Able to use many existing tools 20
Misunderstanding Encryption 21
Base64 Encoding is NOT Encryption! • Really. It’s 2012. Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE= Plaintext: My super secret key! 22
Want Credentials? Note: This is actually a hardcoded password in the UPS app… 23
Transport Layer - TCP • Tools Used: – Wireshark – Tcpdump – NetworkMiner 24
Why look at the transport layer? • Check to see how network protocols are handled in the app • Easily look for SSL certificate or other communication issues 25
NetworkMiner • Extracts files/images and more • Can pull out clear txt credentials • Quickly view parameters 26
27
TCP Lab Setup • Run tcpdump directly on the device • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this) • Import PCAPs into NetworkMiner 28
App Vulnerabilities • Several examples that we’ve found • Many from the Top 25 downloaded apps 29
Facebook • OAuth Tokens Stored in PLIST file • Simply copy the PLIST file to another device, you’re logged in as them! • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers… 30
Evernote • Notebooks are stored in the cloud • But…caches some files on the device… • OWASP M1: Insecure Data Storage 31
32
MyFitnessPal • Android app stores sensitive data on the device (too much data) 33
34
Password Keeper “Lite” • PIN and passwords stored in clear-text SQLite database • So much for the security of your passwords… 35
36
37
38
Draw Something • Word list stored on the device • Modify to mess with your friends 39
LinkedIn • SSL only for authentication • Session tokens and data sent over HTTP • Lots of apps do this • M3: Insufficient Transport Layer Protection • Note: This was fixed with the latest version of the app (for iOS at least) 40
Auth over SSL Data sent over HTTP 41
42
Pandora • Registration over HTTP • User name/Password and Registration info sent over clear text • Unfortunately…lots of apps do this 43
44
Hard Coded Passwords/Keys • Major Grocery Chain “Rewards” Android app • Simple to view the source, extract private key • OWASP M9: Broken Cryptography • Do developers really do this? 45
Why yes, they do! 46
Privacy Issues • Example: Draw Something App (Top 25) • UDID and more sent to the following third-party ad providers: – appads.com – mydas.mobi – greystripe.com – tapjoyads.com 47
What is UDID? • Alphanumeric string that uniquely identifies an Apple device 48
49
Pinterest and Flurry.com 50
51
Conclusions • Mobile devices are critically common • Most people use them without thinking of security • Developers seem to be repeating the past • Lots of issues besides Mobile Application Security – BYOD – The device itself (Jailbreaking/Rooting) – MDM and Enterprise Management – The list goes on… 52

More Related Content

PDF
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
PDF
Attacking and Defending Apple iOS Devices
Tom Eston
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
PDF
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
PPTX
iOS Security and Encryption
Urvashi Kataria
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
Attacking and Defending Apple iOS Devices
Tom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
Hacking Mobile Apps
Sophos Benelux
 
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
iOS Security and Encryption
Urvashi Kataria
 
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 

What's hot (20)

PDF
Android Hacking
antitree
 
PDF
Mobile Hacking
Novizul Evendi
 
PDF
iOS backdoors attack points and surveillance mechanisms
Dario Caliendo
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PPT
WhatsApp Forensic
Animesh Shaw
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
PDF
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
PPTX
User's Guide to Online Privacy
cdunk12
 
PDF
Cyber security
Arjun Chetry
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
PPTX
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
PDF
Cyber safety
Arjun Chetry
 
PDF
Hacking android apps by srini0x00
srini0x00
 
PPT
Mobile phone Data Hacking
Md Abu Syeem Dipu
 
PDF
CNIT 128 Ch 3: iOS
Sam Bowne
 
PPTX
An Introduction To IT Security And Privacy In Libraries
Blake Carver
 
PDF
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
PDF
Hacking your Android (slides)
Justin Hoang
 
PDF
Android system security
Chong-Kuan Chen
 
PPTX
An Introduction To IT Security And Privacy In Libraries & Anywhere
Blake Carver
 
Android Hacking
antitree
 
Mobile Hacking
Novizul Evendi
 
iOS backdoors attack points and surveillance mechanisms
Dario Caliendo
 
Android Hacking + Pentesting
Sina Manavi
 
WhatsApp Forensic
Animesh Shaw
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
User's Guide to Online Privacy
cdunk12
 
Cyber security
Arjun Chetry
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
Cyber safety
Arjun Chetry
 
Hacking android apps by srini0x00
srini0x00
 
Mobile phone Data Hacking
Md Abu Syeem Dipu
 
CNIT 128 Ch 3: iOS
Sam Bowne
 
An Introduction To IT Security And Privacy In Libraries
Blake Carver
 
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Hacking your Android (slides)
Justin Hoang
 
Android system security
Chong-Kuan Chen
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
Blake Carver
 
Ad

Similar to Smart Bombs: Mobile Vulnerability and Exploitation (20)

PPT
Mobile Apps Security
Xavier Mertens
 
PDF
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
PDF
михаил дударев
apps4allru
 
PPTX
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
PPT
Nomura UCCSC 2009
dnomura
 
PPTX
Null mumbai-reversing-IoT-firmware
Nitesh Malviya
 
PPTX
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
PDF
Internet security
Antony Mathew
 
PDF
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
PDF
Brief Tour about Android Security
National Cheng Kung University
 
PDF
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
PPSX
Geek Night 15.0 - Touring the Dark-Side of the Internet
GeekNightHyderabad
 
PDF
Big Data Approaches to Cloud Security
Paul Morse
 
PDF
Hunting: Defense Against The Dark Arts v2
Spyglass Security
 
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
PDF
Top 10 Threats to Cloud Security
SBWebinars
 
PDF
All Your Security Events Are Belong to ... You!
Xavier Mertens
 
PDF
All your logs are belong to you!
Security BSides London
 
PPTX
Pentesting iPhone applications
Satish b
 
PPT
java-card20232024999999999999999999999999999999999999999999999999999999999999...
ouahibakellou
 
Mobile Apps Security
Xavier Mertens
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
михаил дударев
apps4allru
 
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
Nomura UCCSC 2009
dnomura
 
Null mumbai-reversing-IoT-firmware
Nitesh Malviya
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
Internet security
Antony Mathew
 
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
Brief Tour about Android Security
National Cheng Kung University
 
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
Geek Night 15.0 - Touring the Dark-Side of the Internet
GeekNightHyderabad
 
Big Data Approaches to Cloud Security
Paul Morse
 
Hunting: Defense Against The Dark Arts v2
Spyglass Security
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
Top 10 Threats to Cloud Security
SBWebinars
 
All Your Security Events Are Belong to ... You!
Xavier Mertens
 
All your logs are belong to you!
Security BSides London
 
Pentesting iPhone applications
Satish b
 
java-card20232024999999999999999999999999999999999999999999999999999999999999...
ouahibakellou
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Teaching material agriculture food technology
LiaRayya
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
A Presentation on Artificial Intelligence
memembruh336
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Approach and Philosophy of On baking technology
30anthuong17
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

Smart Bombs: Mobile Vulnerability and Exploitation

  • 1. Smart Bombs: Mobile Vulnerability and Exploitation Tom Eston
  • 4. Tom Eston • Manager, SecureState Profiling & Penetration Team • Blogger – SpyLogic.net • Infrequent Podcaster – Security Justice/Social Media Security • Zombie aficionado • I like to break new technology 4
  • 5. What are we talking about today? • What’s at risk? • Tools, Testing and Exploitation • Common vulnerabilities found in popular apps (this is the fun part) • Special thanks to Kevin Johnson and John Sawyer who helped with this research! 5
  • 6. What are Smart Bombs? • We’ve got powerful technology in the palm of our hands! • We store and transmit sensitive data • Mobile devices are being used by: – Major Businesses (PII) – Energy Companies (The Grid) – The Government(s) – Hospitals (PHI) – Your Mom (Scary) 6
  • 8. Testing Mobile Apps • What are the three major areas for testing? – File System What are apps writing to the file system? How is data stored? – Application Layer How are apps communicating via HTTP and Web Services? SSL? – Transport Layer How are apps communicating over the network? TCP and Third-party APIs 8
  • 9. OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 9
  • 10. OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 10
  • 11. OWASP Mobile Security Project • You should get involved! • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project 11
  • 12. Other Issues • Privacy of your data! – Mobile apps talk to many third party APIs (ads) – What’s collected by Google/Apple/Microsoft? 12
  • 13. Common Tools • SSH • VNC server • A compiler (gcc / agcc) • Android SDK (adb!) • Xcode • iExplorer (iOS GUI file explorer) • Jailbroken iDevice • Rooted Android Device 13
  • 14. File System Analysis • Forensic approach – File system artifacts – Timeline analysis – Log analysis – Temp files 14
  • 15. Forensic Tools • Mobile Forensic Tools – EnCase, FTK, Cellebrite • Free and/or Open Source – file, strings, less, dd, md5sum – The Sleuthkit (mactime, mac-robber) 15
  • 16. Timelines • Timelines are awesome – Anyone know log2timeline? • Filesystem – mac-robber – mactime • Logs – Application- & OS-specific 16
  • 18. Viewing & Searching Files • cat, less, vi, strings, grep • SQLite files – GUI browser, API (Ruby, Python, etc) • Android apps – ashell, aSQLiteManager, aLogViewer 18
  • 19. Application Layer - HTTP • Tools Used: – Burp Suite – Burp Suite – oh yeah Burp Suite! 19
  • 20. Why Look at the App Layer? • Very common in mobile platforms • Many errors are found within the application – And how it talks to the back end service • Able to use many existing tools 20
  • 22. Base64 Encoding is NOT Encryption! • Really. It’s 2012. Base64: TXkgc3VwZXIgc2VjcmV0IGtleSE= Plaintext: My super secret key! 22
  • 23. Want Credentials? Note: This is actually a hardcoded password in the UPS app… 23
  • 24. Transport Layer - TCP • Tools Used: – Wireshark – Tcpdump – NetworkMiner 24
  • 25. Why look at the transport layer? • Check to see how network protocols are handled in the app • Easily look for SSL certificate or other communication issues 25
  • 26. NetworkMiner • Extracts files/images and more • Can pull out clear txt credentials • Quickly view parameters 26
  • 27. 27
  • 28. TCP Lab Setup • Run tcpdump directly on the device • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this) • Import PCAPs into NetworkMiner 28
  • 29. App Vulnerabilities • Several examples that we’ve found • Many from the Top 25 downloaded apps 29
  • 30. Facebook • OAuth Tokens Stored in PLIST file • Simply copy the PLIST file to another device, you’re logged in as them! • I’m finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers… 30
  • 31. Evernote • Notebooks are stored in the cloud • But…caches some files on the device… • OWASP M1: Insecure Data Storage 31
  • 32. 32
  • 33. MyFitnessPal • Android app stores sensitive data on the device (too much data) 33
  • 34. 34
  • 35. Password Keeper “Lite” • PIN and passwords stored in clear-text SQLite database • So much for the security of your passwords… 35
  • 36. 36
  • 37. 37
  • 38. 38
  • 39. Draw Something • Word list stored on the device • Modify to mess with your friends 39
  • 40. LinkedIn • SSL only for authentication • Session tokens and data sent over HTTP • Lots of apps do this • M3: Insufficient Transport Layer Protection • Note: This was fixed with the latest version of the app (for iOS at least) 40
  • 41. Auth over SSL Data sent over HTTP 41
  • 42. 42
  • 43. Pandora • Registration over HTTP • User name/Password and Registration info sent over clear text • Unfortunately…lots of apps do this 43
  • 44. 44
  • 45. Hard Coded Passwords/Keys • Major Grocery Chain “Rewards” Android app • Simple to view the source, extract private key • OWASP M9: Broken Cryptography • Do developers really do this? 45
  • 46. Why yes, they do! 46
  • 47. Privacy Issues • Example: Draw Something App (Top 25) • UDID and more sent to the following third-party ad providers: – appads.com – mydas.mobi – greystripe.com – tapjoyads.com 47
  • 48. What is UDID? • Alphanumeric string that uniquely identifies an Apple device 48
  • 49. 49
  • 51. 51
  • 52. Conclusions • Mobile devices are critically common • Most people use them without thinking of security • Developers seem to be repeating the past • Lots of issues besides Mobile Application Security – BYOD – The device itself (Jailbreaking/Rooting) – MDM and Enterprise Management – The list goes on… 52