Mobile Application Security 3/19/14 Daniel DeCloss Principal Security Consultant, Penetration Tester - Veracode

Page 1

Mobile Application Security

3/19/14 Daniel DeCloss

Principal Security Consultant, Penetration Tester - Veracode

Page 2

Outline

• Introduction

• Mobile Security concerns (application centric)

• Mobile malware discussion

• Mobile penetration testing

• “Safe” apps

• What can you do?

Page 3

Introduction

• Most of the market share consists of Android and iOS

• Apple publishes apps only through the app store

• Android apps could really be obtained from anywhere

• Focus today on malicious apps and common flaws in “normal apps”

Page 4

Some Statistics

• Android hit 79% of market share in 2013*

* http://www.engadget.com/2014/01/29/strategy-analytics-2013-smartphone-share/

Page 5

Mobile Security Concerns

Page 8

“Trust, but verify.”

–Ronald Reagan / Ancient Russian Proverb

Page 9

Mobile Malware

• What does it do?

• access call logs, SMS messages

• access/exfiltrate files

• forward SMS messages

• useful for OTP authentication mechanisms

• steal contacts, etc.

Page 10

Dendroid

• Some of the many features on offer include the following:

• Delete call logs

• Call a phone number

• Open Web pages

• Record calls and audio

• Intercept text messages

• Take and upload photos and videos

• Open an application

• Initiate an HTTP flood (DoS) for a period of time

• Change the command-and-control (C&C) server

Page 11

• “98.05% of all malware detected in 2013 targeted this platform [Android], confirming both the popularity of this mobile OS and the vulnerability of its architecture.”*

*https://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013

Page 12

http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx

Page 14

Mobile Penetration Testing

• Shift gears from Malware to “normal apps”

• OWASP mobile top 10

• Penetration testing (PT) process

Page 15

What do we look for and how?

Page 16

Getting started

• Test device must be rooted or jailbroken

• Proxy device traffic to client proxy (e.g. Burp)

• Network settings on iPhone and Windows

• ProxyDroid for Android

Page 18

Audit data on filesystem

• Android (via adb)

• /sdcard

• /data/data/<app_name>.apk

• /shared_prefs

• /databases (sqlite3)

• /files

• /caches

• logcat
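The shared_prefs directory listed above is where Android apps keep SharedPreferences as plain XML, so it is the first place to look for credentials written to disk. The following scanner is an added example, not part of the slides; the shared_prefs file it parses is a constructed sample standing in for one pulled from /data/data/<package>/shared_prefs/ on a rooted test device, and the key-name patterns are an assumption about what usually holds secrets.

```python
"""Scan an Android shared_prefs XML file for secrets stored in cleartext.

Added example (not from the slides). SAMPLE_PREFS is a constructed file of
the kind a tester pulls from /data/data/<package>/shared_prefs/ via adb.
"""
import re
import xml.etree.ElementTree as ET

# Key names that usually hold credentials or session material (assumption).
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|session|api_?key)", re.I)

# Constructed sample: what a careless app writes through SharedPreferences.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.abc</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>
"""


def find_cleartext_secrets(prefs_xml: str) -> list:
    """Return (key, value) pairs whose key looks sensitive and has a value.

    Plain SharedPreferences are stored unencrypted, so any hit here is data an
    attacker with filesystem access (root, backup, or a bad file mode) can read.
    """
    root = ET.fromstring(prefs_xml.encode("utf-8"))
    findings = []
    for elem in root:
        name = elem.get("name", "")
        if not SENSITIVE_KEY.search(name):
            continue
        # <string> keeps its value as element text; other types use a value attribute.
        value = elem.text if elem.tag == "string" else elem.get("value", "")
        if value:
            findings.append((name, value.strip()))
    return findings


if __name__ == "__main__":
    for key, value in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"cleartext secret in shared_prefs: {key} = {value!r}")
```

Run it against every file under shared_prefs after exercising the app's login flow; an empty result is only meaningful once the app has actually stored a session.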

Page 20

Backup to SD Card

Page 21

• iOS

• Application Directory

• /Library

• plist files

• databases (sqlite3)

• caches (e.g. screenshot caching)

• /var/log/*

• /Documents

• keychain dumper (iOS keychain)

Page 22

Sneak Peek!!

Page 23

Soon to be released. Congrats to Stephen Jensen, Principal Consultant with Veracode, for developing a great tool!!

Page 24

Check Application Permissions

• What is the app allowed to do?

• Are all permissions necessary?

Page 25

Reverse Engineer Binary

• iOS binaries: ARM architecture

• IDA ($$) or Hopper ($)

• Android use dex2jar or JEB ($$)

• JD-GUI or JAD

Page 26

Audit Server Communications

• Most vulnerabilities found in this arena

• Insufficient authentication/authorization (e.g. session fixation, passwords in cleartext, etc.)

• Common web vulnerabilities like SQL injection, direct object reference, file disclosure

• XML attacks are very common

Page 27

Top 10 Review

Page 28

Case Study

• Snapchat example

• Friend finder API abuse

• Could quickly enumerate all users

• Inappropriate behavior allowed by the app

• Exposed millions of clients that can now be targeted

Page 29

What makes an app safe?

• How does it handle data?

• Does it store sensitive information in an unprotected fashion?

• Can it access things it shouldn’t need?

• Location

• Contacts

• Other web services

• Documents
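The "Check Application Permissions" slide and the list above ask the same question: does the app request access it should not need? The following audit is an added example, not part of the slides; the AndroidManifest.xml is a constructed sample for a hypothetical flashlight app (a real one comes out of the APK with apktool or aapt), and the set of permissions a flashlight legitimately needs is an assumption.

```python
"""Audit the permissions an Android app requests against its stated purpose.

Added example (not from the slides). SAMPLE_MANIFEST and EXPECTED are
constructed for a hypothetical flashlight app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that unlock the data the malware slides describe being stolen.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages (including OTP codes)",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest: a flashlight that also wants contacts and SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# What a flashlight legitimately needs (assumption): the camera flash only.
EXPECTED = {"android.permission.CAMERA"}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every android:name from the manifest's <uses-permission> tags."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def audit_permissions(manifest_xml: str, expected: set) -> dict:
    """Map each permission beyond `expected` to what it exposes."""
    unexpected = declared_permissions(manifest_xml) - expected
    return {p: HIGH_RISK.get(p, "not needed for the app's stated purpose")
            for p in sorted(unexpected)}


if __name__ == "__main__":
    for perm, reason in audit_permissions(SAMPLE_MANIFEST, EXPECTED).items():
        print(f"unexpected permission {perm}: grants {reason}")
```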

Page 30

What now?

• Secure the configuration of your device

• Ensure you only install signed applications from trusted vendors

• Don’t install apps from shady repositories

• Lock the device!!!

• Establish anti-theft protection

Page 31

• Investigate the security practices of the application developers

• Do they conduct assessments of their app?

• Is the app rated well on reputation services?

• What permissions does the app request/require?

• Malware detection apps (PREC)*

• AV?

*http://gadgets.ndtv.com/mobiles/news/new-tool-developed-to-detect-and-contain-android-root-exploit-malware-491834

Page 32

References

• https://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013

• http://www.f-secure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q3_2013.pdf

• http://www.juniper.net/us/en/local/pdf/additional-resources/3rd-jnpr-mobile-threats-report-exec-summary.pdf

• http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx

• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

• http://www.engadget.com/2014/01/29/strategy-analytics-2013-smartphone-share/

• http://securityaffairs.co/wordpress/22848/cyber-crime/dendroid-new-android-rat.html

• http://gadgets.ndtv.com/mobiles/news/new-tool-developed-to-detect-and-contain-android-root-exploit-malware-491834

• www.veracode.com :)