Leaky mobile apps: What you need to know
July 19th, 2017

About Me
• Jon Porter of House NowSecure - Mobile app security software company
• Enthusiast of Mobile Security / Senior SE
• BA Comp Sci / MS Info Sec
• Solver of the Rubik's Cube(s)
• Drinker of 1000 beers (1229 to be exact)

Agenda
• The mobile security problem
• The state of mobile app security
• 3-part mobile exploit demo
• What can we do about it?
THE MOBILE SECURITY PROBLEM

MOBILE DEVICES HAVE UNSEATED PCS
Source: Benedict Evans

SPENDING MORE TIME WITH MOBILE APPS THAN DESKTOPS
Source: Comscore by way of Benedict Evans

PRESSING MOBILE SECURITY ISSUES
• Apps are vulnerable and leaking data
• Lack of administrative access to devices
• Complex ecosystem
◦ OEMs
◦ OS developers, carriers
• Innovation outpaces security practices
• Legacy security strategies are ineffective ("bolted on")

"Typical security defenses fail in mobile settings because they protect boundaries rather than the information itself, and mobile users do not respect traditional boundaries." - Gartner
VULNERABILITIES IN ANDROID AND IOS
Lifetime Android CVEs by type (130 in 2015)
Lifetime iOS CVEs by type (375 in 2015)
Source: CVE Details
MOBILE DATA IS VALUABLE AND A MARKET FOR COMPROMISE EXISTS
• Governments
◦ Legitimate need
◦ Legal framework
◦ Willingness to pay for it
• Hacking Team weaponizes mobile security flaws for surveillance
• Zerodium
◦ Sells zero-day exploits
◦ Offers $1 million for iOS jailbreaks
• Malicious actors willing to pay
◦ Oppressive regimes
◦ Rogue states

THE ULTIMATE SURVEILLANCE TOOL?
Apps can:
• Read precise location
• Read phone logs
• Read SMS
• Record audio
• Use camera
• Start on boot
• Connect to Internet
THE STATE OF MOBILE APPLICATION SECURITY

We tested 400K apps
Source - 2016 NowSecure Mobile Security Report

25% of mobile apps have at least one high risk security or privacy flaw

HIGH RISK ISSUES EXIST WITHIN EACH APP CATEGORY
Source - 2016 NowSecure Mobile Security Report
• Gaming apps: 1.5x more likely to include a high risk vulnerability
• Business apps: 3x more likely to leak login credentials
• Social apps: 4x more likely to leak login credentials or email address

HIGH RISK ISSUES IN APPS WITH MORE THAN 1M DOWNLOADS
Source - 2016 NowSecure Mobile Security Report

LEAKY APPS AND SOCIAL ENGINEERING
Source - 2016 NowSecure Mobile Security Report
• Information leaked can prove valuable to attackers
• Reconnaissance for targeted social engineering schemes
• E.g., credentials leaked by a productivity app
◦ Might grant an attacker access to a cache of sensitive information
◦ Usernames
◦ GPS location
◦ Unlock other sensitive information about a user
EXAMPLES

Remote Attack Surface
• Vungle provides in-app video advertising
• App library serves >200M ads each month
• Remote code execution
• Data about the device and the user from the app

EXAMPLE:
"Vungle products provide necessary infrastructure for app monetization through video ads. More than 200 million people worldwide see Vungle ads each month."

POPULAR APP USING VUNGLE

Remote Attack Surface
• SDK downloads a zip file over http without TLS or verification
• Create a .dex file that contains code you want to execute
• Add the .dex to the requested zip file, modify the network response and you can gain remote code execution
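The zip-over-http flaw above comes down to an SDK loading code it never verified. The Python below is an added example, not Vungle's SDK and not code from the talk: it models the two checks whose absence the slide describes, an https-only transport and a SHA-256 digest pinned in the app, so that a response rewritten on the network path cannot get a foreign .dex unpacked and loaded. The bundle builder, hostnames, file names and digests are constructed for the demonstration.

```python
"""Integrity checks before unpacking a downloaded code bundle.

Added example; not Vungle's SDK code and not code from the talk. The bundle
builder, hostnames and digests below are constructed for the demonstration.
"""
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse


class BundleRejected(Exception):
    """Raised when a downloaded bundle fails a security check."""


def build_sample_bundle(entries):
    """Build an in-memory zip from {name: bytes} (constructed stand-in for an SDK bundle)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of a byte string; the app ships this value for the bundle it expects."""
    return hashlib.sha256(data).hexdigest()


def validate_bundle(url, payload, pinned_sha256):
    """Return the code entries (.dex/.so) of a bundle that passes every check.

    Order matters: the transport check costs nothing, the digest check rejects
    any modified bytes before the archive is even parsed, and the name check
    stops a crafted entry from escaping the extraction directory.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise BundleRejected(f"non-TLS transport refused: {scheme}://")
    if not hmac.compare_digest(sha256_hex(payload), pinned_sha256):
        raise BundleRejected("digest mismatch: bundle differs from the pinned version")
    try:
        archive = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile as exc:
        raise BundleRejected(f"not a zip archive: {exc}") from exc
    names = archive.namelist()
    for name in names:
        if name.startswith("/") or ".." in name.split("/"):
            raise BundleRejected(f"unsafe entry name: {name}")
    return [n for n in names if n.endswith((".dex", ".so"))]


def check_bundle(url, payload, pinned_sha256):
    """Non-raising wrapper: (True, code_entries) or (False, reason)."""
    try:
        return True, validate_bundle(url, payload, pinned_sha256)
    except BundleRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed bundle: one asset plus a classes.dex placeholder.
    good = build_sample_bundle({"assets/config.json": b"{}", "classes.dex": b"dex\n035\x00constructed"})
    pin = sha256_hex(good)  # in a real app this is compiled in, never fetched alongside the bundle
    print(check_bundle("https://cdn.example.test/bundle.zip", good, pin))
    print(check_bundle("http://cdn.example.test/bundle.zip", good, pin))
    # A bundle whose classes.dex was swapped on the wire fails the digest check.
    swapped = build_sample_bundle({"assets/config.json": b"{}", "classes.dex": b"dex\n035\x00other"})
    print(check_bundle("https://cdn.example.test/bundle.zip", swapped, pin))
```

A pinned digest ties the app build to one bundle version; a signature over the bundle verified with a public key embedded in the app is the more flexible form of the same check. Either way the decision is made before any class loader sees the archive.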
EXAMPLE:
"An integrated mobile advertising platform enabling advertiser to optimize ad efficiency and app developer to acquire the highest media benefit."

DEX

ADLIBR SCALE

POPULAR APP USING ADLIB
• A network-based attacker can modify traffic to gain control of the device due to a flaw in Adlibr SDK
• The attacker can access current app data, world accessible data and chain with an exploit to gain elevated permissions

SAMPLE DATA LEAKED (HTTP)
• Many ad networks send data in clear, including geolocation
• ID derived from hardware can be tracked across time and locations
• App pkg is identified, enabling attacker to find target

imei=352584060111000
mac=f8:a9:c2:4f:f3:80
androidid=88c8584b54bd9c00
serial=062f2dfb344be87b
conn=wifi
country=US
dm=Nexus+5
dv=Android4.4.2
lat=41.83720397949219
long=-87.9613037109375
mcc=310
mnc=410
mmdid=mmh_AC78B68BD2E528CC0FC78AFB342E58CF_9099A5181F956FCAFB4AC9946DF71CCACB322F59
root=0
pkid=com.ismaker.android.simsimi
pknm=SimSimi
plugged=true
sdkversion=5.1.0-13.08.12.a
ua=Dalvik%2F1.6.0+%28Linux%3B+U%3B+Android+4.4.2%3B+Nexus+5+Build%2FKOT49H%29
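A reviewer looking at a proxy capture wants to know, per request, which of these parameters are hardware identifiers, which give location, which name the app, and whether they went out in the clear. The Python below is an added example, not NowSecure's tooling and not part of the demo: it parses "METHOD URL" lines from a capture and triages each query string. The field categories, the severity rule and the two sample log lines (fictitious hosts, constructed values) are assumptions for this example; only the parameter names mirror the captured request on the slide.

```python
"""Triage captured ad-network requests for leaked device data.

Added example, not NowSecure's tooling. Categories, severity rule and the
sample log are constructed assumptions; parameter names follow the slide.
"""
from urllib.parse import parse_qsl, urlsplit

# Assumed categories: which query parameters matter and why.
SENSITIVE_FIELDS = {
    "hardware_id": {"imei", "mac", "androidid", "serial", "mmdid"},
    "location": {"lat", "long", "mcc", "mnc", "country"},
    "app_identity": {"pkid", "pknm"},
    "device_profile": {"dm", "dv", "ua", "root", "sdkversion"},
}

# Constructed proxy log: two requests from a fictitious app to fictitious hosts.
SAMPLE_LOG = [
    "GET http://ad.example-adnet.test/v1/impression?"
    "imei=123456789012345&mac=02:00:00:00:00:00&androidid=0123456789abcdef"
    "&conn=wifi&country=US&dm=Nexus+5&dv=Android4.4.2"
    "&lat=41.837204&long=-87.961304&mcc=310&mnc=410&root=0"
    "&pkid=com.example.leakyapp&pknm=LeakyApp"
    "&ua=Dalvik%2F1.6.0+%28Linux%3B+U%3B+Android+4.4.2%29",
    "GET https://cdn.example-static.test/lib/ads.js?v=5.1.0",
]


def parse_request_line(line):
    """Split 'METHOD URL' into (method, scheme, host, params dict)."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url.strip())
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return method, parts.scheme.lower(), parts.hostname, params


def classify(params, over_tls):
    """Return findings by category plus an overall severity.

    Severity rule (an assumption for this example): hardware identifiers sent
    without TLS are 'high', because anyone on the network path can read and
    correlate them; identifiers or location over TLS are 'medium', because the
    data still leaves the device for a third party; other profile fields are
    'low'; nothing sensitive is 'none'.
    """
    findings = {}
    for category, names in SENSITIVE_FIELDS.items():
        present = sorted(n for n in names if n in params)
        if present:
            findings[category] = present
    if "hardware_id" in findings and not over_tls:
        severity = "high"
    elif "hardware_id" in findings or "location" in findings:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {
        "severity": severity,
        "findings": findings,
        "precise_location": "lat" in params and "long" in params,
        "app": params.get("pkid"),
    }


def scan_log(lines):
    """Triage every request line; returns one report dict per line."""
    reports = []
    for line in lines:
        method, scheme, host, params = parse_request_line(line)
        report = classify(params, over_tls=(scheme == "https"))
        report.update({"method": method, "scheme": scheme, "host": host})
        reports.append(report)
    return reports


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['severity']:6} {r['scheme']}://{r['host']} app={r['app']} "
              f"fields={r['findings']}")
```

Run against a real capture, the host column lines up with a destination table like the one on the next slide, and the severity column separates "identifiers in the clear" from ordinary ad-network chatter.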
DATA DESTINATIONS
Destination address             IP               Country
ad.adlibr.com                   211.236.244.152  KR
ad.doubleclick.net              173.194.33.156   US
ads.mp.mydas.mobi               216.157.12.18    US
adtg.widerplanet.com            117.52.90.81     KR
androidsdk.ads.mp.mydas.mobi    211.110.212.68   KR
ajax.googleapis.com             74.125.28.95     US
androidsdk.ads.mp.mydas.mobi    216.157.12.18    US
app.simsimi.com                 54.235.200.56    US
astg.widerplanet.com            117.52.90.85     KR
bank81.mi.ads.mp.mydas.mobi     216.157.13.15    US
capp.simsimi.com                174.129.197.187  US
cdn.millennialmedia.com         96.17.8.146      US
d.appsdt.com                    52.6.198.255     US
dcys-en.ijinshan.com            114.112.93.204   CN
landingpages.millennialmedia.com 216.157.12.21   US
mtab.clickmon.co.kr             114.207.113.177  KR
once.unicornmedia.com           192.33.167.222   US
rtax.criteo.com                 74.119.117.100   US
INSECURE MOBILE APPS CREATE BUSINESS RISK FOR ENTERPRISES
• Starbucks: Thieves siphoned money out of users' accounts using the mobile app (via USA Today)
• Ola: India's largest startup with $1.1B in funding was hacked to allow unlimited free rides (via The Next Web)
• Hulu and Tinder: App vulnerabilities offered access to free premium accounts (via CNBC)
DEMO

PART 1: CRITICAL VULNERABILITY IN PRE-INSTALLED KEYBOARD ON SAMSUNG DEVICES
• Combining CVE-2015-4640 and CVE-2015-4641
• Execute arbitrary code in a privileged context
• Result: silently execute malicious code on target device
• Estimated impact: 600 million devices

DEMO

PART 2: INSTALLING A MALICIOUS APPLICATION
• Silently installed using the previous exploit
• Communicates device/user data to a C&C server
• Even if removed, can be reinstalled by the attacker
• The UI is just for demo purposes, and would not be required if using this in the wild

DEMO

PART 3: EXPOSING LEAKY APPS
• Escalate to root privilege using another exploit
• Use the root permission to look for vulnerable application (or all applications)
• Compress and send the data back to the C&C server

DEMO
WHAT CAN WE DO ABOUT IT?

TIPS FOR SECURING YOUR MOBILE DEVICE
1. Update your operating system and apps when new versions are available.
2. Add a passcode, PIN, or pattern lock.
3. Use different passwords for sites and apps.
4. Log out of your applications.
5. Only download apps from the official App Store and Google Play.
6. Use two-factor authentication when available.
7. Know what data is being collected by applications.
OTHER FREE RESOURCES
1. Secure Mobile Dev Best Practices
2. Mobile App Security Program Management Handbook
3. Mobile Banking Applications: Security Challenges for Banks
4. Mobile Incident Response E-book

SPONSORED OPEN SOURCE PROJECTS
1. Frida - inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX
2. Radare - complete framework for reverse-engineering and analyzing binaries