Mobile Application Security
3/19/14 Daniel DeCloss
Principal Security Consultant, Penetration Tester - Veracode
Outline
• Introduction
• Mobile Security concerns (application centric)
• Mobile malware discussion
• Mobile penetration testing
• “Safe” apps
• What can you do?
Introduction
• Most of the market share consists of Android and iOS
• Apple publishes apps only through the app store
• Android apps could really be obtained from anywhere
• Focus today on malicious apps and common flaws in “normal apps”
Some Statistics
• Android hit 79% of market share in 2013*
* http://www.engadget.com/2014/01/29/strategy-analytics-2013-smartphone-share/
Mobile Security Concerns
“Trust, but verify.”
– Ronald Reagan / Ancient Russian Proverb
Mobile Malware
• What does it do?
• access call logs, sms messages
• access/exfiltrate files
• forward SMS messages
• useful for defeating SMS-based OTP (one-time password) authentication mechanisms
• steal contacts, etc.
Dendroid
• Some of the many features on offer include the following:
• Delete call logs
• Call a phone number
• Open Web pages
• Record calls and audio
• Intercept text messages
• Take and upload photos and videos
• Open an application
• Initiate an HTTP flood (DoS) for a period of time
• Change the command-and-control (C&C) server
• “98.05% of all malware detected in 2013 targeted this platform [Android], confirming both the popularity of this mobile OS and the vulnerability of its architecture.”*
*https://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013
http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx
Mobile Penetration Testing
• Shift gears from Malware to “normal apps”
• OWASP mobile top 10
• Penetration testing (PT) process
What do we look for and how?
Getting started
• Test device must be rooted or jailbroken
• Proxy device traffic to client proxy (e.g. Burp)
• Network settings on iPhone and Windows
• ProxyDroid for Android
Audit data on filesystem
• Android (via adb)
  • /sdcard
  • /data/data/<app_name>.apk
    • /shared_prefs
    • /databases (sqlite3)
    • /files
    • /caches
  • logcat
  • Backup to SD Card
• iOS
  • Application Directory
    • /Library
      • plist files
      • databases (sqlite3)
      • caches (e.g. screenshot caching)
    • /var/log/*
    • /Documents
  • keychain dumper (iOS keychain)
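The Android half of this audit can be scripted once the app's data directory has been pulled off the device. The script below is an added example, not code from the slides or from Veracode: it assumes `/data/data/<package>/` has already been copied to a local directory (for instance with `adb pull`) and then flags shared_prefs keys that look like credentials, sqlite columns with sensitive names, and files left world-readable. The directory tree it audits is constructed in a temp dir so the script runs offline; the package name `com.example.app`, the key names and the values are all sample data.

```python
"""Audit a pulled Android app data directory for unprotected sensitive data.

Added example (not from the slides). Assumes /data/data/<package>/ has been
copied locally; build_sample_app_dir() fabricates such a tree for offline use.
"""
import os
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Heuristic: key/column names that usually hold credentials or session material.
SENSITIVE = re.compile(r"(pass(word)?|pwd|secret|token|api_?key|session|auth)", re.I)


def audit_shared_prefs(path):
    """Return (key, value) pairs in a shared_prefs XML file whose key looks sensitive."""
    findings = []
    root = ET.parse(path).getroot()
    for el in root:  # <string name="k">v</string> or <boolean name="k" value="v"/>
        name = el.get("name", "")
        if SENSITIVE.search(name):
            value = el.text if el.text is not None else el.get("value", "")
            findings.append((name, value))
    return findings


def audit_sqlite(path):
    """Return (table, column) pairs whose column name looks sensitive."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in con.execute(f'PRAGMA table_info("{table}")'):
                if SENSITIVE.search(col[1]):  # col[1] is the column name
                    findings.append((table, col[1]))
    finally:
        con.close()
    return findings


def audit_world_readable(root_dir):
    """Return files under root_dir that any other app/user on the device can read."""
    found = []
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.stat(p).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(p, root_dir))
    return sorted(found)


def audit_app_dir(root_dir):
    """Run every check; returns a dict of findings keyed by check name."""
    report = {"shared_prefs": [], "databases": [],
              "world_readable": audit_world_readable(root_dir)}
    prefs_dir = os.path.join(root_dir, "shared_prefs")
    if os.path.isdir(prefs_dir):
        for f in sorted(os.listdir(prefs_dir)):
            if f.endswith(".xml"):
                for key, val in audit_shared_prefs(os.path.join(prefs_dir, f)):
                    report["shared_prefs"].append((f, key, val))
    db_dir = os.path.join(root_dir, "databases")
    if os.path.isdir(db_dir):
        for f in sorted(os.listdir(db_dir)):
            if f.endswith(".db"):
                for table, col in audit_sqlite(os.path.join(db_dir, f)):
                    report["databases"].append((f, table, col))
    return report


def build_sample_app_dir():
    """Construct a sample com.example.app data tree (sample data, not a real app)."""
    root = tempfile.mkdtemp(prefix="com.example.app_")
    for sub in ("shared_prefs", "databases", "files"):
        os.makedirs(os.path.join(root, sub))
    prefs = os.path.join(root, "shared_prefs", "login.xml")
    with open(prefs, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="auth_token">abc123</string>\n'
                 '  <boolean name="remember_me" value="true" />\n</map>\n')
    db = os.path.join(root, "databases", "app.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE accounts (id INTEGER, email TEXT, api_key TEXT)")
    con.execute("CREATE TABLE notes (id INTEGER, body TEXT)")
    con.commit()
    con.close()
    cache = os.path.join(root, "files", "cache.txt")
    with open(cache, "w") as fh:
        fh.write("cached response\n")
    os.chmod(prefs, 0o600)
    os.chmod(db, 0o600)
    os.chmod(cache, 0o644)  # what a MODE_WORLD_READABLE file looks like on disk
    return root


if __name__ == "__main__":
    for check, items in audit_app_dir(build_sample_app_dir()).items():
        print(check, items)
```

Run it against a real pull by calling `audit_app_dir("<local copy of /data/data/<package>>")`; the regex and the `.db` / `.xml` suffix filters are the places to widen when an app uses its own naming.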
Sneak Peek!!
Soon to be released. Congrats to Stephen Jensen, Principal Consultant with
Veracode, for developing a great tool!!
Check Application Permissions
• What is the app allowed to do?
• Are all permissions necessary?
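One way to answer both questions mechanically is to diff the `<uses-permission>` entries in the app's AndroidManifest.xml against the set of permissions its stated features actually justify. The script below is an added example, not from the slides: the manifest is constructed sample input for a hypothetical note-taking app `com.example.notes`, and `NEEDED` is an assumption standing in for what the app's documented functionality requires. `PRIVATE_DATA` lists permissions that reach the kinds of data the slides call out (contacts, location, SMS, call logs, camera and microphone).

```python
"""Flag requested Android permissions the app has no stated need for.

Added example (not from the slides). Input is the decoded AndroidManifest.xml
(e.g. from apktool); SAMPLE_MANIFEST and NEEDED below are constructed/assumed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose private user data; an app should justify each one.
PRIVATE_DATA = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name")
                  for el in root.iter("uses-permission"))


def audit_permissions(manifest_xml, needed):
    """Compare requested permissions with the set the app's features justify."""
    requested = set(requested_permissions(manifest_xml))
    unjustified = requested - needed
    return {
        "unjustified": sorted(unjustified),                 # requested, no stated need
        "private_data_unjustified": sorted(unjustified & PRIVATE_DATA),
        "missing": sorted(needed - requested),              # needed but not requested
    }


# Constructed sample manifest for a hypothetical notes app (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Notes"/>
</manifest>
"""

# Assumption: a note-syncing app needs network access and nothing else.
NEEDED = {"android.permission.INTERNET"}


if __name__ == "__main__":
    for k, v in audit_permissions(SAMPLE_MANIFEST, NEEDED).items():
        print(f"{k}: {v}")
```

Anything in `private_data_unjustified` is the list to take back to the developer: for the sample notes app, contacts, SMS and fine location are requested without any feature that uses them.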
Reverse Engineer Binary
• iOS binaries: ARM architecture
  • IDA ($$) or Hopper ($)
• Android: use dex2jar or JEB ($$)
  • JD-GUI or JAD
Audit Server Communications
• Most vulnerabilities found in this arena
• Insufficient authentication/authorization (e.g. session fixation, passwords in cleartext, etc.)
• Common web vulnerabilities like SQL injection, direct object reference, file disclosure
• XML attacks are very common
Top 10 Review
Case Study
• Snapchat example
• Friend finder API abuse
• Could quickly enumerate all users
• Inappropriate behavior allowed by the app
• Exposed millions of clients that can now be targeted
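The case study turns on a lookup API that answered for any phone number as fast as a client could ask. The code below is an added example, not Snapchat's code or anything from the slides: a friend-finder endpoint that caps the batch size, charges each account a per-hour lookup budget, and only ever returns matches for numbers the caller already supplied, so the user table cannot be walked. The user table, phone numbers, limits and the injectable clock are constructed or assumed values.

```python
"""Bound a friend-finder lookup so it cannot be used to enumerate the user base.

Added example (not from the slides or Snapchat). Limits are assumptions chosen
to cover one address-book upload, not millions of numbers.
"""
import time
from collections import deque

MAX_BATCH = 50                # assumed: largest chunk a legitimate client sends
MAX_LOOKUPS_PER_WINDOW = 500  # assumed per-account budget per window
WINDOW_SECONDS = 3600


class LookupBudgetExceeded(Exception):
    """Raised when an account has spent its lookup budget for the window."""


class FriendFinder:
    def __init__(self, users, now=time.time):
        self.users = users      # {phone_number: username}, constructed sample data
        self.now = now          # clock is injectable so the limiter is testable
        self.history = {}       # account -> deque of (timestamp, lookups charged)

    def _charge(self, account, n):
        """Sliding-window budget: drop old entries, refuse if n would exceed the cap."""
        q = self.history.setdefault(account, deque())
        t = self.now()
        while q and q[0][0] <= t - WINDOW_SECONDS:
            q.popleft()
        used = sum(c for _, c in q)
        if used + n > MAX_LOOKUPS_PER_WINDOW:
            raise LookupBudgetExceeded(
                f"{account}: {used} + {n} > {MAX_LOOKUPS_PER_WINDOW} per window")
        q.append((t, n))

    def remaining(self, account):
        """Lookups the account may still make in the current window."""
        q = self.history.get(account, deque())
        t = self.now()
        used = sum(c for ts, c in q if ts > t - WINDOW_SECONDS)
        return MAX_LOOKUPS_PER_WINDOW - used

    def find_friends(self, account, numbers):
        """Return {number: username} only for numbers the caller supplied that exist."""
        if len(numbers) > MAX_BATCH:
            raise ValueError(f"batch of {len(numbers)} exceeds {MAX_BATCH}")
        self._charge(account, len(numbers))  # charged even for misses
        return {n: self.users[n] for n in numbers if n in self.users}


if __name__ == "__main__":
    ff = FriendFinder({"+15550000001": "alice", "+15550000002": "bob"})
    print(ff.find_friends("acct1", ["+15550000001", "+15550000009"]))
    print("remaining this hour:", ff.remaining("acct1"))
```

The budget is charged on misses as well as hits; charging only hits would let an enumerating client probe unlimited non-existent numbers for free. The clock defaults to `time.time`, and the test drives it with a manual value to exercise the window rollover.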
What makes an app safe?
• How does it handle data?
• Does it store sensitive information in an unprotected fashion?
• Can it access things it shouldn’t need?
• Location
• Contacts
• Other web services
• Documents
What now?
• Secure the configuration of your device
• Ensure you only install signed applications from trusted vendors
• Don’t install apps from shady repositories
• Lock the device!!!
• Establish anti-theft protection
• Investigate the security practices of the application developers
• Do they conduct assessments of their app?
• Is the app rated well on reputation services?
• What permissions does the app request/require?
• Malware detection apps (PREC)*
• AV?
*http://gadgets.ndtv.com/mobiles/news/new-tool-developed-to-detect-and-contain-android-root-exploit-malware-491834
References
• https://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013
• http://www.f-secure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q3_2013.pdf
• http://www.juniper.net/us/en/local/pdf/additional-resources/3rd-jnpr-mobile-threats-report-exec-summary.pdf
• http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• http://www.engadget.com/2014/01/29/strategy-analytics-2013-smartphone-share/
• http://securityaffairs.co/wordpress/22848/cyber-crime/dendroid-new-android-rat.html
• http://gadgets.ndtv.com/mobiles/news/new-tool-developed-to-detect-and-contain-android-root-exploit-malware-491834
• www.veracode.com :)