Ahmad Muammar WK
Freelance IT Security Consultant/Pen-Tester
Certification: OSCE, OSCP, eMAPT
Founder echo.or.id (2003), ubuntulinux.or.id (2005), idsecconf.org (2008)
http://me.ammar.web.id
@y3dips
Image taken from: http://www.wired.com/gadgetlab/2012/02/meet-the-asus-padfone-the-phone-thats-a-tablet-thats-a-notebook/
Pegasus Exploit
CVE-2016-4655: Information leak in kernel – a kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel's location in memory.
CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
CVE-2016-4657: Memory corruption in WebKit – a vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
Pegasus is developed by NSO Group, an American-owned company in Israel, which specialises in zero-days, obfuscation, encryption and kernel-level exploitation.
The attack sequence, boiled down, is a classic phishing scheme: send a text message, open the web browser, load the page, exploit the vulnerabilities, install persistent software to gather information.
Stagefright
"Stagefright" is the nickname given to a potential exploit of a vulnerability in libstagefright, the mechanism that helps Android process video files.
http://www.androidcentral.com/stagefright
OWASP Mobile Top 10
M1. Weak Server Side Controls
M2. Insecure Data Storage
M3. Insufficient Transport Layer Protection
M4. Unintended Data Leakage
M5. Poor Authorization and Authentication
M6. Broken Cryptography
M7. Client Side Injection
M8. Security Decisions via Untrusted Inputs
M9. Improper Session Handling
M10. Lack of Binary Protections
OWASP Mobile top 10 2014 - https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Mobile Pen-test
What a pen-tester "normally" does is static analysis and dynamic analysis.
Static: simply recompile, reverse, decrypt.
Dynamic: simply run the app and observe its behaviour, logs, db updates, etc.
SecureBox AndroidManifest
Decompile Apps Using Apktool
Look at AndroidManifest.xml; if nothing looks wrong, continue…
We can try to reach the Secure activity directly using the Activity Manager (am) tool.
SecureBox Bypass
$ adb shell
root@android:/# am start -a android.intent.action.Secure -n inc.ammar.securebox/.Secure
\o/ w00t no passwd needed!
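The manifest review above is the step that should have caught this: an activity reachable through an intent-filter without an android:permission can be started by any other app. Added example (not from the slides or the SecureBox app): a Python check over a constructed manifest modelled on SecureBox; every component name except the package inc.ammar.securebox and .Secure is an assumption.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Constructed manifest modelled on SecureBox: ".Secure" is reachable through an intent-filter but
# carries no android:permission. Names other than the package and ".Secure" are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="inc.ammar.securebox">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Secure">
      <intent-filter>
        <action android:name="android.intent.action.Secure"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".Admin" android:exported="true" android:permission="inc.ammar.securebox.ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

def _attr(elem, name):
    # ElementTree stores namespaced attributes as "{uri}name".
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def _is_launcher(elem):
    # The MAIN/LAUNCHER activity has to be exported, so it is not a finding.
    for f in elem.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def find_exposed_components(manifest_xml):
    """Return names of components that any other app can start with no permission check."""
    findings = []
    for elem in (e for e in ET.fromstring(manifest_xml).iter() if e.tag in COMPONENT_TAGS):
        exported = _attr(elem, "exported")
        if exported is None:  # pre-Android 12 default: an intent-filter implies exported="true"
            exported = "true" if elem.find("intent-filter") is not None else "false"
        if exported != "true" or _attr(elem, "permission") or _is_launcher(elem):
            continue
        findings.append(_attr(elem, "name"))
    return findings
```

Running it over the sample reports only ".Secure"; the fix is either android:exported="false" or an android:permission on that activity.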
Inject valid Apps with MSF
Create Metasploit APK
Decompile Metasploit APK using Apktool
Decompile Legitimate applications using Apktool
Copy smali folder from Metasploit to smali folder in legitimate applications
Find “correct place” to inject and invoke Metasploit project
Recompile Applications
Sign and verify.
Survive
Anything that must truly remain private should not reside on the mobile device; keep it on the server.
Design mobile client and the server following security best practice.
Design and implement all apps under the assumption that the user's device will be lost or stolen.
Include mobile security Pen-test/Audit in software development life cycle.