Leaky Mobile Apps: What You Need to Know

Leaky mobile apps: What you need to know

July19th,2017

AboutMe

• JonPorterofHouseNowSecure-Mobileappsecuritysoftwarecompany

• EnthusiastofMobileSecurity/SeniorSE• BACompSci/MSInfoSec• SolveroftheRubik’sCube(s)• Drinkerof1000beers(1229tobeexact)

https://www.nowsecure.com/

• Themobilesecurityproblem

• Thestateofmobileappsecurity

• 3-partmobileexploitdemo

• Whatcanwedoaboutit?

Agenda

THEMOBILESECURITYPROBLEM

MOBILEDEVICESHAVEUNSEATEDPCS

Source: Benedict Evans

http://ben-evans.com/benedictevans/2016/3/29/presentation-mobile-ate-the-world

SPENDINGMORETIMEWITHMOBILEAPPSTHANDESKTOPS

Source: Comscore by way of Benedict Evans

http://ben-evans.com/benedictevans/2016/3/29/presentation-mobile-ate-the-world

PRESSINGMOBILESECURITYISSUES

•Appsarevulnerableandleakingdata•Lackofadministrativeaccesstodevices•Complexecosystem

◦OEMs◦ OSdevelopers,carriers

• Innovationoutpacessecuritypractices• Legacysecuritystrategiesareineffective(“boltedon”)

Typicalsecuritydefensesfailinmobilese4ngsbecausetheyprotectboundariesratherthantheinforma7onitself,andmobileusersdonotrespecttradi7onalboundaries.Gartner

http://www.gartner.com/document/3158326

VULNERABILITIESINANDROIDANDIOS

Life[meAndroidCVEsbytype(130in2015) Life[meiOSCVEsbytype(375in2015)

Source: CVE DetailsSource: CVE Details

http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

MOBILEDATAISVALUABLEANDAMARKETFORCOMPROMISEEXISTS • Governments

◦ Legi[mateneed

◦ Legalframework

◦ Willingnesstopayforit

• HackingTeamweaponizesmobile

securityflawsforsurveillance

• Zerodium

◦ Sellszero-dayexploits

◦ Offers$1millionforiOS

jailbreaks

• Maliciousactorswillingtopay

◦ Oppressiveregimes

◦ Roguestates

THEULTIMATESURVEILLANCETOOL?

Appscan: • Readpreciseloca[on

• Readphonelogs

• ReadSMS

• Recordaudio

• Usecamera

• Startonboot

• ConnecttoInternet

THESTATEOFMOBILEAPPLICATIONSECURITY

Wetested

400KApps

Source - 2016 NowSecure Mobile Security Report

25%

ofmobileappshaveatleastonehighrisksecurityorprivacyflaw

https://www.nowsecure.com/resources/mobile-security-report/en/index.html

HIGHRISKISSUESEXISTWITHINEACHAPPCATEGORY


Gamingapps: Businessapps: Socialapps:

1.5x 3x 4x

morelikelytoincludeahighriskvulnerability

morelikelytoleaklogincreden[als

morelikelytoleaklogincreden[alsoremailaddress


HIGHRISKISSUESINAPPSWITHMORETHAN1MDOWNLOADS



LEAKYAPPSANDSOCIALENGINEERING


• Informa[onleakedcanprovevaluabletoakackers

• Reconnaissancefortargetedsocialengineeringschemes

• E.g.,creden[alsleakedbyaproduc[vityapp

◦ Mightgrantanakackeraccesstoacacheofsensi[veinforma[on

◦ Usernames

◦ GPSloca[on

◦ Unlockothersensi[veinforma[onaboutauser


EXAMPLES

RemoteAkackSurface • Vungleprovidesin-appvideoadver[sing

• Applibraryserves>200Madseachmonth

• Remotecodeexecu[on

• Dataaboutthedeviceandtheuserfromtheapp

EXAMPLE:

“Vungleproductsprovidenecessary

infrastructureforappmone7za7onthroughvideoads.Morethan200millionpeopleworldwideseeVungleadseachmonth.”

POPULARAPPUSINGVUNGLE

RemoteAkackSurface • SDKdownloadsazipfileoverhkpwithoutTLS

orverifica[on

• Createa.dexfilethatcontainscodeyouwant

toexecute

• Addthe.dextotherequestedzipfile,modify

thenetworkresponseand,youcangain

remotecodeexecu[on

EXAMPLE:

“Anintegratedmobileadver7singplaEormenablingadver7sertoop7mizeadefficiencyandappdevelopertoacquirethehighestmedia

benefit.“

DEX

ADLIBRSCALE

POPULARAPPUSINGADLIB

• Anetwork-basedakackercan

modifytraffictogaincontrolof

thedeviceduetoaflawin

AdlibrSDK

• Theakackercanaccesscurrent

appdata,worldaccessibledata

andchainwithanexploitto

gainelevatedpermissions

SAMPLEDATALEAKED(HTTP)

• Manyadnetworkssenddatain

clear,includinggeoloca[on

• IDderivedfromhardwarecan

betrackedacross[meand

loca[ons

• Apppkgisiden[fied,enabling

akackertofindtarget

imei=352584060111000mac=f8:a9:c2:4f:f3:80androidid=88c8584b54bd9c00serial=062f2dfb344be87bconn=wificountry=USdm=Nexus+5dv=Android4.4.2lat=41.83720397949219long=-87.9613037109375mcc=310mnc=410mmdid=mmh_AC78B68BD2E528CC0FC78AFB342E58CF_9099A5181F956FCAFB4AC9946DF71CCACB322F59root=0pkid=com.ismaker.android.simsimipknm=SimSimiplugged=truesdkversion=5.1.0-13.08.12.aua=Dalvik%2F1.6.0+%28Linux%3B+U%3B+Android+4.4.2%3B+Nexus+5+Build%2FKOT49H%29

DATADESTINATIONS Destinationaddress IP Country

ad.adlibr.com 211.236.244.152 KR

ad.doubleclick.net 173.194.33.156 US

ads.mp.mydas.mobi 216.157.12.18 US

adtg.widerplanet.com 117.52.90.81 KR

androidsdk.ads.mp.mydas.mobi 211.110.212.68 KR

ajax.googleapis.com 74.125.28.95 US

androidsdk.ads.mp.mydas.mobi 216.157.12.18 US

app.simsimi.com 54.235.200.56 US

astg.widerplanet.com 117.52.90.85 KR

bank81.mi.ads.mp.mydas.mobi 216.157.13.15 US

capp.simsimi.com 174.129.197.187 US

cdn.millennialmedia.com 96.17.8.146 US

d.appsdt.com 52.6.198.255 US

dcys-en.ijinshan.com 114.112.93.204 CN

landingpages.millennialmedia.com 216.157.12.21 US

mtab.clickmon.co.kr 114.207.113.177 KR

once.unicornmedia.com 192.33.167.222 US

rtax.criteo.com 74.119.117.100 US

http://ad.adlibr.com/

http://ad.doubleclick.net/

http://ads.mp.mydas.mobi/

http://adtg.widerplanet.com/

http://androidsdk.ads.mp.mydas.mobi/

http://ajax.googleapis.com/

http://androidsdk.ads.mp.mydas.mobi/

http://app.simsimi.com/

http://astg.widerplanet.com/

http://bank81.mi.ads.mp.mydas.mobi/

http://capp.simsimi.com/

http://cdn.millennialmedia.com/

http://d.appsdt.com/

http://dcys-en.ijinshan.com/

http://landingpages.millennialmedia.com/

http://mtab.clickmon.co.kr/

http://once.unicornmedia.com/

http://rtax.criteo.com/

INSECUREMOBILEAPPSCREATEBUSINESSRISKFORENTERPRISES

StarbucksThievessiphonedmoneyoutof

users’accountsusingthemobileapp

viaUSAToday

Ola

India’slargeststartupwith$1.1Binfundingwashackedto

allowunlimitedfreerides

viaTheNextWeb

HuluandTinderAppvulnerabili[esofferedaccesstofreepremium

accounts

viaCNBC

http://www.usatoday.com/story/tech/2015/05/15/starbucks-gift-card-hack/27370491/

http://thenextweb.com/insider/2015/03/23/how-i-hacked-indias-biggest-startup/

http://www.cnbc.com/2016/02/12/hackers-target-paid-applications-bluebox.html

DEMO

PART1:CRITICALVULNERABILITYINPRE-INSTALLEDKEYBOARDONSAMSUNGDEVICES

• CombiningCVE-2015-4640and

CVE-2015-4641

• Executearbitrarycodeinaprivilegedcontext

• Result:silentlyexecutemaliciouscodeon

targetdevice

• Es[matedimpact:600milliondevices

DEMO

PART2:INSTALLINGAMALICIOUSAPPLICATION

• Silentlyinstalledusingthepreviousexploit

• Communicatesdevice/userdatatoaC&C

server

• Evenifremoved,canbereinstalledbythe

akacker

• TheUIisjustfordemopurposes,and

wouldnotberequiredifusingthisinthe

wild

DEMO

PART3:EXPOSINGLEAKYAPPS

• Escalatetorootprivilegeusinganother

exploit

• Usetherootpermissiontolookfor

vulnerableapplica[on(orallapplica[ons)

• Compressandsendthedatabacktothe

C&Cserver

DEMO

WHATCANWEDOABOUTIT?

TIPSFORSECURINGYOURMOBILEDEVICE

1.Updateyouropera[ngsystemandappswhennewversionsareavailable.

2. Addapasscode,PIN,orpakernlock.

3. Usedifferentpasswordsforsitesandapps.

4. Logoutofyourapplica[ons.

5. OnlydownloadappsfromtheofficialAppStoreandGooglePlay.

6. Usetwo-factoruseriden[fica[onwhenavailable.

7. Knowwhatdataisbeingcollectedbyapplica[ons.

OTHERFREERESOURCES1.SecureMobileDevBestPrac[ces

2. MobileAppSecurityProgramManagementHandbook

3. MobileBankingApplica[ons:SecurityChallengesforBanks

4. MobileIncidentResponseE-book

SPONSOREDOPENSOURCEPROJECTS1.Frida-injectJavaScripttoexplorena[veappsonWindows,macOS,Linux,

iOS,Android,andQNX

2. Radare-completeframeworkforreverse-engineeringandanalyzing

binaries

https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/

https://info.nowsecure.com/mobile-appsec-program-handbook.html

http://www.apple.com


