SlideShare a Scribd company logo

Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston, profile picture
Tom Eston

The document discusses mobile vulnerabilities and exploitation, highlighting common risks and areas for testing within mobile applications. It references the OWASP Top 10 mobile risks, including insecure data storage and insufficient transport layer protection, while outlining the importance of security in mobile device usage across various sectors. Additionally, it recommends tools for testing and forensics, and emphasizes the need for developers to prioritize security as mobile devices become increasingly prevalent.

Technology
Related topics:
Mobile Computing Overview Mobile App Insights
1 of 60
Downloaded 236 times
1
2
Most read
3
4
5
6
7
Most read
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Mobile Vulnerability and Exploitation John Sawyer – InGuardians Tom Eston – SecureState Kevin Johnson – Secure Ideas
John Sawyer  InGuardians, Inc. - Senior Security Analyst  DarkReading.com - Author/Blogger  1@stplace - Retired CTF packet monkey  Winners DEFCON 14 & 15  Avid Mountain Biker… in Florida.
Tom Eston  Manager, SecureState Profiling & Penetration Team  Blogger – SpyLogic.net  Infrequent Podcaster – Security Justice/Social Media Security  Zombie aficionado  I like to break new technology
Kevin Johnson  Father of Brenna and Sarah  Secure Ideas, Senior Security Consultant  SANS Instructor and Author  SEC542/SEC642/SEC571  Open-Source Bigot  SamuraiWTF, Yokoso, Laudanum etc  Ninja
What are we talking about today?  What’s at risk?  Tools, Testing and Exploitation  Common vulnerabilities found in popular apps (this is the fun part)
What are Smart Bombs?  We’ve got powerful technology in the palm of our hands!  We store and transmit sensitive data  Mobile devices are being used by:  Major Businesses (PII)  Energy Companies (The Grid)  The Government(s)  Hospitals (PHI)  Your Mom (Scary)
That’s right…your Mom
Testing Mobile Apps  What are the 3 major areas for testing?  File System What are apps writing to the file system? How is data stored?  Application Layer How are apps communicating via HTTP and Web Services? SSL?  Transport Layer How are apps communicating over the network? TCP and Third-party APIs
OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication
OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure
OWASP Mobile Security Project  You should get involved!  https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Other Issues  Privacy of your data!  Mobile apps talk to many third party APIs (ads)  What’s collected by Google/Apple/Microsoft?
Common Tools  SSH  VNC server  A compiler (gcc / agcc)  Android SDK (adb!)  XCode  Jailbroken iDevice  Rooted Android Device
Filesystem Analysis  Forensic approach  Filesystem artifacts  Timeline analysis  Log analysis  Temp files
Forensic Tools  Mobile Forensic Tools  EnCase, FTK, Cellebrite  Free and/or Open Source  file, strings, less, dd, md5sum  The Sleuthkit (mactime, mac-robber)
Timelines  Timelines are awesome  Anyone know log2timeline?  Filesystem  mac-robber  mactime  Logs  Application- & OS-specific
Filesystem Timelines  mac-robber  C app  free & open source  must be compiled to run on devices  mactime  Part of The Sleuthkit  runs on Mac, Win, Linux
Compiling mac-robber (Android)  Android  Install arm gcc toolchain  Compile & push via adb   I used Ubuntu, works on MobiSec & Backtrack  Detailed instructions: ○ http://www.darkreading.com/blog/232800148/quick-start- guide-compiling-mac-robber-for-android-vuln-research.html
Compiling mac-robber (iOS)  iOS (jailbroken)  Download & Install libgcc onto device  Install iphone-gcc  Download & Install C headers/libraries
Running mac-robber (iOS)  iOS & Android via SSH  Android via adb  Then, process each with mactime
Filesystem Timelines
Where is the data?
Temp Files
Gallery Lock Lite  “Protects” your images
Smart Bombs: Mobile Vulnerability and Exploitation
Viewing & Searching Files  cat, less, vi, strings, grep  SQLite files  GUI browser, API (Ruby, Python, etc)  Android apps  ashell, aSQLiteManager, aLogViewer
Application Layer - HTTP  Tools Used:  Burp Suite  Burp Suite  oh yeah Burp Suite!
Why Look at the App Layer?  Very common in mobile platforms  Many errors are found within the application  And how it talks to the back end service  Able to use many existing tools
Launching Burp Suite  Memory!
Misunderstanding Encryption
Want Credentials?
Transport Layer - TCP  Tools Used:  Wireshark  Tcpdump  Network Miner
Why look at the transport layer?  Check to see how network protocols are handled in the app  Easily look for SSL certificate or other communication issues
NetworkMiner  Extracts files/images and more  Can pull out clear txt credentials  Quickly view parameters
Smart Bombs: Mobile Vulnerability and Exploitation
TCP Lab Setup  Run tcpdump directly on the device  Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)  Import PCAPs into NetworkMiner
App Vulnerabilities  Several examples that we’ve found  Many from the Top 25 downloaded apps
Evernote  Notebooks are stored in the cloud  But…caches some files on the device…  OWASP M1: Insecure Data Storage
Smart Bombs: Mobile Vulnerability and Exploitation
MyFitnessPal  Android app stores sensitive data on the device (too much data)
Smart Bombs: Mobile Vulnerability and Exploitation
Password Keeper “Lite”  PIN and passwords stored in clear-text SQLite database  So much for the security of your passwords…
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Draw Something  Word list stored on the device  Modify to mess with your friends
LinkedIn  SSL only for authentication  Session tokens and data sent over HTTP  Lots of apps do this  M3: Insufficient Transport Layer Protection
Auth over SSL Data sent over HTTP
Smart Bombs: Mobile Vulnerability and Exploitation
Pandora  Registration over HTTP  User name/Password and Registration info sent over clear text  Unfortunately…lots of apps do this
Smart Bombs: Mobile Vulnerability and Exploitation
Hard Coded Passwords/Keys  Major Grocery Chain “Rewards” Android app  Simple to view the source, extract private key  OWASP M9: Broken Cryptography  Do developers really do this?
Why yes, they do!
Privacy Issues  Example: Draw Something App (Top 25)  UDID and more sent to the following third-party ad providers:  appads.com  mydas.mobi  greystripe.com  tapjoyads.com
What is UDID?  Alpha-numeric string that uniquely identifies an Apple device
Smart Bombs: Mobile Vulnerability and Exploitation
Pinterest and Flurry.com
Smart Bombs: Mobile Vulnerability and Exploitation
Conclusions  Mobile devices are critically common  Most people use them without thinking of security  Developers seem to be repeating the past  We need to secure this area
Contact Us  John Sawyer  Twitter: @johnhsawyer  john@inguardians.com  Tom Eston  Twitter: @agent0x0  teston@securestate.com  Kevin Johnson  Twitter: @secureideas  kjohnson@secureideas.net

More Related Content

PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
PDF
Attacking and Defending Apple iOS Devices
Tom Eston
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
PDF
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
PPTX
iOS Security and Encryption
Urvashi Kataria
 
PPT
Jail breaking
Rokkam Reddy
 
PDF
Security Best Practices for Mobile Development
Salesforce Developers
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
Attacking and Defending Apple iOS Devices
Tom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
iOS Security and Encryption
Urvashi Kataria
 
Jail breaking
Rokkam Reddy
 
Security Best Practices for Mobile Development
Salesforce Developers
 

What's hot (20)

PPTX
Pentesting iPhone applications
Satish b
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
PDF
Android Hacking
antitree
 
PDF
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
PPT
Mobile Security Assessment: 101
wireharbor
 
PDF
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
KEY
Jailbreaking iOS
Kai Aras
 
PDF
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
PPT
WhatsApp Forensic
Animesh Shaw
 
PDF
Yow connected developing secure i os applications
mgianarakis
 
PDF
Mobile Hacking
Novizul Evendi
 
PDF
Hacking your Android (slides)
Justin Hoang
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PDF
BYOM Build Your Own Methodology (in Mobile Forensics)
Reality Net System Solutions
 
PPTX
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
PDF
Mobile Application Security Code Reviews
Denim Group
 
PDF
Let's Hack a House
Synack
 
PDF
Android system security
Chong-Kuan Chen
 
PDF
Android Security Development
hackstuff
 
Pentesting iPhone applications
Satish b
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Hacking Mobile Apps
Sophos Benelux
 
Android Hacking
antitree
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
Mobile Security Assessment: 101
wireharbor
 
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Jailbreaking iOS
Kai Aras
 
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
WhatsApp Forensic
Animesh Shaw
 
Yow connected developing secure i os applications
mgianarakis
 
Mobile Hacking
Novizul Evendi
 
Hacking your Android (slides)
Justin Hoang
 
Android Hacking + Pentesting
Sina Manavi
 
BYOM Build Your Own Methodology (in Mobile Forensics)
Reality Net System Solutions
 
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Mobile Application Security Code Reviews
Denim Group
 
Let's Hack a House
Synack
 
Android system security
Chong-Kuan Chen
 
Android Security Development
hackstuff
 
Ad

Viewers also liked (20)

PDF
The Android vs. Apple iOS Security Showdown
Tom Eston
 
PPT
GPS and Weapons Technology
Suchit Moon
 
PPTX
Stealth fighter technolgy
Abhishek Vishwakarma
 
PPT
Deepak e bomb
Deepak Mittal
 
PDF
Radar ppt
pratibha007
 
PPTX
Comparison of mobile os
asrf786
 
PPTX
Android vs iOS security
Sumanth Veera
 
PPTX
PCA General Assembly Report 2016
sandiferb
 
PPTX
real numbers
mukundapriya
 
PPTX
Ppt2 (1)
Lovely Lava Kishore
 
PDF
Naval Aircraft & Missiles Web
Lynn Seckinger
 
PPTX
India's advancement in missile defence system
Rajesh b.k.
 
PPS
China Railway Highspeed Train Jan 2015
Pradeep Kumar
 
PDF
Research on Comparative Study of Different Mobile Operating System_Part-1
Zulkar Naim
 
PPT
Ricky seminar
Ricky Vincent
 
PPTX
Ballistic missile defense system
MIT
 
PPTX
Railway coaches
noor patel
 
PPTX
Laser Guided Misiles
Amit Ghodke
 
PDF
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
PPTX
Application of dc generator at railway coach
jjasdxjz
 
The Android vs. Apple iOS Security Showdown
Tom Eston
 
GPS and Weapons Technology
Suchit Moon
 
Stealth fighter technolgy
Abhishek Vishwakarma
 
Deepak e bomb
Deepak Mittal
 
Radar ppt
pratibha007
 
Comparison of mobile os
asrf786
 
Android vs iOS security
Sumanth Veera
 
PCA General Assembly Report 2016
sandiferb
 
real numbers
mukundapriya
 
Ppt2 (1)
Lovely Lava Kishore
 
Naval Aircraft & Missiles Web
Lynn Seckinger
 
India's advancement in missile defence system
Rajesh b.k.
 
China Railway Highspeed Train Jan 2015
Pradeep Kumar
 
Research on Comparative Study of Different Mobile Operating System_Part-1
Zulkar Naim
 
Ricky seminar
Ricky Vincent
 
Ballistic missile defense system
MIT
 
Railway coaches
noor patel
 
Laser Guided Misiles
Amit Ghodke
 
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
Application of dc generator at railway coach
jjasdxjz
 
Ad

Similar to Smart Bombs: Mobile Vulnerability and Exploitation (20)

PPTX
Mobile security
Stefaan
 
PPTX
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
Avansa Mid- en Zuidwest
 
PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PDF
Android App Hacking - Erez Metula, AppSec
DroidConTLV
 
PDF
DefCamp_2016_Chemerkin_Yury_--_publish.pdf
Yury Chemerkin
 
PPTX
Lecture about network and host security to NII students
Akiumi Hasegawa
 
DOCX
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
PPTX
Android– forensics and security testing
Santhosh Kumar
 
PDF
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension Inc.
 
PPTX
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
PDF
Hacking android apps by srini0x00
srini0x00
 
DOCX
Webinar Security: Apps of Steel transcription
Service2Media
 
PPTX
Securing Underprotected APIs - Deja vu Security
Deja vu Security
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
PPTX
Mobile application security
Shubhneet Goel
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PPT
Introduction To Information Security
belsis
 
PPTX
Pentesting iOS Applications
jasonhaddix
 
PPTX
Secure Android Apps- nVisium Security
Jack Mannino
 
PPTX
Untitled 1
Sergey Kochergan
 
Mobile security
Stefaan
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
Avansa Mid- en Zuidwest
 
Pentesting Android Apps
Abdelhamid Limami
 
Android App Hacking - Erez Metula, AppSec
DroidConTLV
 
DefCamp_2016_Chemerkin_Yury_--_publish.pdf
Yury Chemerkin
 
Lecture about network and host security to NII students
Akiumi Hasegawa
 
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
Android– forensics and security testing
Santhosh Kumar
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension Inc.
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
Hacking android apps by srini0x00
srini0x00
 
Webinar Security: Apps of Steel transcription
Service2Media
 
Securing Underprotected APIs - Deja vu Security
Deja vu Security
 
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
Mobile application security
Shubhneet Goel
 
Mobile Application Security
Ishan Girdhar
 
Introduction To Information Security
belsis
 
Pentesting iOS Applications
jasonhaddix
 
Secure Android Apps- nVisium Security
Jack Mannino
 
Untitled 1
Sergey Kochergan
 

More from Tom Eston (15)

PDF
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Tom Eston
 
PDF
Cash is King: Who's Wearing Your Crown?
Tom Eston
 
PDF
Social Zombies: Rise of the Mobile Dead
Tom Eston
 
PDF
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
PDF
Social Zombies Gone Wild: Totally Exposed and Uncensored
Tom Eston
 
PDF
Social Zombies II: Your Friends Need More Brains
Tom Eston
 
KEY
Enterprise Open Source Intelligence Gathering
Tom Eston
 
KEY
Staying Safe & Secure on Twitter
Tom Eston
 
KEY
New School Man-in-the-Middle
Tom Eston
 
KEY
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 
PPT
Information Gathering With Maltego
Tom Eston
 
PPT
Automated Penetration Testing With Core Impact
Tom Eston
 
PPT
Automated Penetration Testing With The Metasploit Framework
Tom Eston
 
PPT
Physical Security Assessments
Tom Eston
 
PDF
Online Social Networks: 5 threats and 5 ways to use them safely
Tom Eston
 
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Tom Eston
 
Cash is King: Who's Wearing Your Crown?
Tom Eston
 
Social Zombies: Rise of the Mobile Dead
Tom Eston
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Tom Eston
 
Social Zombies II: Your Friends Need More Brains
Tom Eston
 
Enterprise Open Source Intelligence Gathering
Tom Eston
 
Staying Safe & Secure on Twitter
Tom Eston
 
New School Man-in-the-Middle
Tom Eston
 
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 
Information Gathering With Maltego
Tom Eston
 
Automated Penetration Testing With Core Impact
Tom Eston
 
Automated Penetration Testing With The Metasploit Framework
Tom Eston
 
Physical Security Assessments
Tom Eston
 
Online Social Networks: 5 threats and 5 ways to use them safely
Tom Eston
 

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 

Smart Bombs: Mobile Vulnerability and Exploitation

  • 1. Mobile Vulnerability and Exploitation John Sawyer – InGuardians Tom Eston – SecureState Kevin Johnson – Secure Ideas
  • 2. John Sawyer  InGuardians, Inc. - Senior Security Analyst  DarkReading.com - Author/Blogger  1@stplace - Retired CTF packet monkey  Winners DEFCON 14 & 15  Avid Mountain Biker… in Florida.
  • 3. Tom Eston  Manager, SecureState Profiling & Penetration Team  Blogger – SpyLogic.net  Infrequent Podcaster – Security Justice/Social Media Security  Zombie aficionado  I like to break new technology
  • 4. Kevin Johnson  Father of Brenna and Sarah  Secure Ideas, Senior Security Consultant  SANS Instructor and Author  SEC542/SEC642/SEC571  Open-Source Bigot  SamuraiWTF, Yokoso, Laudanum etc  Ninja
  • 5. What are we talking about today?  What’s at risk?  Tools, Testing and Exploitation  Common vulnerabilities found in popular apps (this is the fun part)
  • 6. What are Smart Bombs?  We’ve got powerful technology in the palm of our hands!  We store and transmit sensitive data  Mobile devices are being used by:  Major Businesses (PII)  Energy Companies (The Grid)  The Government(s)  Hospitals (PHI)  Your Mom (Scary)
  • 8. Testing Mobile Apps  What are the 3 major areas for testing?  File System What are apps writing to the file system? How is data stored?  Application Layer How are apps communicating via HTTP and Web Services? SSL?  Transport Layer How are apps communicating over the network? TCP and Third-party APIs
  • 9. OWASP Top 10 Mobile Risks 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication
  • 10. OWASP Top 10 Mobile Risks 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure
  • 11. OWASP Mobile Security Project  You should get involved!  https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 12. Other Issues  Privacy of your data!  Mobile apps talk to many third party APIs (ads)  What’s collected by Google/Apple/Microsoft?
  • 13. Common Tools  SSH  VNC server  A compiler (gcc / agcc)  Android SDK (adb!)  XCode  Jailbroken iDevice  Rooted Android Device
  • 14. Filesystem Analysis  Forensic approach  Filesystem artifacts  Timeline analysis  Log analysis  Temp files
  • 15. Forensic Tools  Mobile Forensic Tools  EnCase, FTK, Cellebrite  Free and/or Open Source  file, strings, less, dd, md5sum  The Sleuthkit (mactime, mac-robber)
  • 16. Timelines  Timelines are awesome  Anyone know log2timeline?  Filesystem  mac-robber  mactime  Logs  Application- & OS-specific
  • 17. Filesystem Timelines  mac-robber  C app  free & open source  must be compiled to run on devices  mactime  Part of The Sleuthkit  runs on Mac, Win, Linux
  • 18. Compiling mac-robber (Android)  Android  Install arm gcc toolchain  Compile & push via adb   I used Ubuntu, works on MobiSec & Backtrack  Detailed instructions: ○ http://www.darkreading.com/blog/232800148/quick-start- guide-compiling-mac-robber-for-android-vuln-research.html
  • 19. Compiling mac-robber (iOS)  iOS (jailbroken)  Download & Install libgcc onto device  Install iphone-gcc  Download & Install C headers/libraries
  • 20. Running mac-robber (iOS)  iOS & Android via SSH  Android via adb  Then, process each with mactime
  • 22. Where is the data?
  • 24. Gallery Lock Lite  “Protects” your images
  • 26. Viewing & Searching Files  cat, less, vi, strings, grep  SQLite files  GUI browser, API (Ruby, Python, etc)  Android apps  ashell, aSQLiteManager, aLogViewer
  • 27. Application Layer - HTTP  Tools Used:  Burp Suite  Burp Suite  oh yeah Burp Suite!
  • 28. Why Look at the App Layer?  Very common in mobile platforms  Many errors are found within the application  And how it talks to the back end service  Able to use many existing tools
  • 32. Transport Layer - TCP  Tools Used:  Wireshark  Tcpdump  Network Miner
  • 33. Why look at the transport layer?  Check to see how network protocols are handled in the app  Easily look for SSL certificate or other communication issues
  • 34. NetworkMiner  Extracts files/images and more  Can pull out clear txt credentials  Quickly view parameters
  • 36. TCP Lab Setup  Run tcpdump directly on the device  Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)  Import PCAPs into NetworkMiner
  • 37. App Vulnerabilities  Several examples that we’ve found  Many from the Top 25 downloaded apps
  • 38. Evernote  Notebooks are stored in the cloud  But…caches some files on the device…  OWASP M1: Insecure Data Storage
  • 40. MyFitnessPal  Android app stores sensitive data on the device (too much data)
  • 42. Password Keeper “Lite”  PIN and passwords stored in clear-text SQLite database  So much for the security of your passwords…
  • 46. Draw Something  Word list stored on the device  Modify to mess with your friends
  • 47. LinkedIn  SSL only for authentication  Session tokens and data sent over HTTP  Lots of apps do this  M3: Insufficient Transport Layer Protection
  • 48. Auth over SSL Data sent over HTTP
  • 50. Pandora  Registration over HTTP  User name/Password and Registration info sent over clear text  Unfortunately…lots of apps do this
  • 52. Hard Coded Passwords/Keys  Major Grocery Chain “Rewards” Android app  Simple to view the source, extract private key  OWASP M9: Broken Cryptography  Do developers really do this?
  • 54. Privacy Issues  Example: Draw Something App (Top 25)  UDID and more sent to the following third-party ad providers:  appads.com  mydas.mobi  greystripe.com  tapjoyads.com
  • 55. What is UDID?  Alpha-numeric string that uniquely identifies an Apple device
  • 59. Conclusions  Mobile devices are critically common  Most people use them without thinking of security  Developers seem to be repeating the past  We need to secure this area
  • 60. Contact Us  John Sawyer  Twitter: @johnhsawyer  john@inguardians.com  Tom Eston  Twitter: @agent0x0  teston@securestate.com  Kevin Johnson  Twitter: @secureideas  kjohnson@secureideas.net