© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Episode II
RETURN OF THE NETWORK/BACK-END

The trilogy:
Episode I: THE FORENSIC MENACE
Episode II: RETURN OF THE NETWORK/BACK-END
Episode III: ATTACK OF THE CODE
Connect
Twitter: @NowSecureMobile
—
Subscribe to #MobSec5, our weekly mobile security news digest
http://mobsec5.nowsecure.com/
—
Web: nowsecure.com
Michael Krueger, Solutions Engineer | NowSecure
Contents
● The Trilogy series overview
● Data-in-transit
● Server-side security
● Suggested tools to get started
The Trilogy series overview
● Mobile forensics & data recovery
● Network, web services & API testing
● Server-side penetration testing
● Reverse engineering & code analysis
“I can show you the ways of the [Force data in transit].” — Kylo Ren
https://milnersblog.com/tag/the-characters-of-star-wars-the-force-awakens/
Data in transit concerns
● Insecure communication
○ Certificate validation issues
○ Privacy leakage
● Insecure authentication
● Insecure authorization
○ Server accepting/responding to requests without authorization
○ Client-based authorization decisions
Man-in-the-middle (MITM)
● Secretly intercept (and optionally modify) communications between two systems that believe they are talking directly to each other
● Works whenever endpoint authentication is missing or broken, e.g. a client that does not validate the server's certificate; mutual authentication is what defeats it
● Use it during testing to find potential vulnerabilities and to validate that the app sends only the intended requests and data
[Diagram: "Who are you really talking to?" The attacker sits between the victim and the server on what the victim believes is the original connection, and presents a fake certificate to the victim.]
Lack of certificate validation
Don't roll your own TLS trust handling (or crypto)! It still happens because developers want to accept self-signed certificates on development servers, or because the platform's certificate-validation API seems too complex, and the permissive trust manager or hostname verifier that results ships in the release build. Such a client accepts any certificate, so a proxy's fake certificate is never noticed.
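The shortcut the slide warns about, beside the client a tester hopes to find in the app. This is an added Python example, not code from the NowSecure deck; the host, port and pin values are placeholders, and the pin is a SHA-256 of the DER leaf certificate (the simplest form; SPKI pins survive certificate renewals better).

```python
"""Added example: an insecure TLS client context beside a hardened, pinned one.
Not from the NowSecure deck; host names and pins below are placeholders."""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def insecure_context() -> ssl.SSLContext:
    """The 'just accept the self-signed cert' shortcut. Any certificate from
    any host is accepted, so a proxy presenting its own certificate is never
    noticed. This is the vulnerable pattern, kept here for contrast."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # host name in the cert is never compared
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System trust store, host name check, TLS 1.2 or better."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins: Iterable[str]) -> bool:
    """Compare the leaf fingerprint against the allowed pins in constant time.
    Ship at least two pins (current certificate and its planned replacement)."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in expected_pins)


def connect_pinned(host: str, port: int, expected_pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Full validation first, then the pin check on the presented leaf.
    A mitmproxy CA the user installed passes validation but fails the pin."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = hardened_context().wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, expected_pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"pin mismatch for {host}: presented {cert_fingerprint(leaf)}")
    return tls


if __name__ == "__main__":
    # Placeholder values: replace with the real host and its pin(s) before use.
    try:
        connect_pinned("api.example.com", 443, ["00" * 32]).close()
    except (OSError, ssl.SSLError) as exc:
        print("connection refused or pin rejected:", exc)
```

When an app uses the hardened form, installing the mitmproxy CA on the device is no longer enough: the tester has to hook or patch the pin check, which is exactly the extra effort a fix should force on an attacker.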
Mitmproxy basic setup
[Diagram] Device 192.168.10.15 (gateway set to 192.168.10.66) → Laptop 192.168.10.66 running mitmproxy, intercepting ports 80 & 443 → real gateway 192.168.10.1 → Server
Mitmproxy CA certificate installed on the device (optional: needed only to intercept HTTPS without certificate errors, and it works only while the app trusts user-installed CAs)
Android handset gateway configuration
IP forwarding
On the laptop (192.168.10.66), turn on forwarding and redirect the device's port 80 and 443 connections into mitmproxy, which listens on 8080 in transparent mode (start it with "mitmproxy --mode transparent", or "-T" on older releases; the diagram's ports 80 & 443 are what the device sees, 8080 is where the proxy listens). Replace eth0 with the interface the device reaches the laptop on (often wlan0):

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080

Traffic to any other port is simply forwarded, so an app that talks TLS on a non-standard port bypasses the proxy until you add a rule for that port.
Looking for HTTPS traffic
Privacy leakage
● Email address
● Username/password
● Phone number
● IMEI/IMSI
● Home address
● And so much more
See: "Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps", http://jots.pub/a/2015103001/
Sharing more than you intend
[Figure: sharing of sensitive data by Android apps (left) to domains (right)]
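A way to spot the leakage the slide lists while the traffic flows through the proxy: a mitmproxy addon that scans every outgoing request for personal data. This is an added example, not code from the NowSecure deck; the patterns, the "known values" for the test device and the assumption that the addon runs under mitmproxy 9 or later (standard-library logging) are all mine, and the detection core is plain Python so it also runs without mitmproxy installed.

```python
"""Added example: a mitmproxy addon that flags personal data leaving the device.
Not from the NowSecure deck. The detection core is plain Python so it runs
without mitmproxy; patterns and the 'known values' are constructed."""
import logging
import re
from typing import Dict, List

# Loose patterns for the classes on the slide (constructed for illustration).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
    "password_param": re.compile(r"(?i)(?:^|[?&;])(?:pass(?:word|wd)?|pwd)=[^&;\s]+"),
}
# Values the tester knows about the test device and account (constructed).
# Exact matching catches fields no generic regex can, such as IMEI/IMSI or
# the street address typed into the app during the test session.
KNOWN_VALUES = {
    "imei": "490154203237518",
    "imsi": "310150123456789",
    "username": "alice.tester",
    "home_address": "1 Example Street",
}


def find_leaks(text: str) -> List[str]:
    """Return the sorted PII classes present in `text`."""
    found = {name for name, pat in PII_PATTERNS.items() if pat.search(text)}
    found |= {name for name, value in KNOWN_VALUES.items() if value in text}
    return sorted(found)


def scan_request(url: str, headers: str, body: str) -> Dict[str, List[str]]:
    """Scan the three places data usually leaks from; keys are the parts hit."""
    hits = {}
    for part, text in (("url", url), ("headers", headers), ("body", body)):
        leaks = find_leaks(text)
        if leaks:
            hits[part] = leaks
    return hits


# mitmproxy glue: load with  mitmproxy -s leak_detector.py  (or mitmdump -s ...).
# Assumes mitmproxy >= 9, where addons log through the standard logging module.
try:
    from mitmproxy import http

    class LeakDetector:
        def request(self, flow: "http.HTTPFlow") -> None:
            req = flow.request
            headers = "\n".join(f"{k}: {v}" for k, v in req.headers.items())
            hits = scan_request(req.pretty_url, headers, req.get_text(strict=False) or "")
            if hits:
                logging.warning("PII leaving device to %s: %s", req.pretty_host, hits)
                flow.metadata["pii"] = hits  # visible in the flow detail view

    addons = [LeakDetector()]
except ImportError:  # running outside mitmproxy, e.g. in unit tests
    pass
```

Matching on values you planted in the test account (a unique e-mail address, a made-up street address) is more reliable than any regex: if that string shows up in a request to an analytics domain, you have your finding and the exact field that carried it.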
Authentication vs. authorization: do you know the difference?
Authentication: proving who you are, e.g. presenting credentials (password, token, certificate) when you connect
Authorization: deciding what an authenticated identity may do; access is granted because the server's configured permissions allow it, never because the client says so
Insecure authentication
● Predictable session identifiers
● Failing to log users out
● Session lifetime risks
○ Sessions valid too long
○ Sessions valid across multiple channels
● Session fixation
Who copied my house key???
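A first-pass check for the "predictable session identifiers" bullet: log in repeatedly, collect the session cookie or token with the proxy, and run the sample through the functions below. This is an added Python example, not code from the NowSecure deck; the two sample sets are constructed, and the 64-bit threshold follows common guidance rather than anything on the slide.

```python
"""Added example: a first-pass predictability check over session identifiers
harvested with a proxy (log in repeatedly, collect the cookie or token).
Not from the NowSecure deck; the sample identifiers are constructed."""
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed samples: what a good and a bad server might hand out.
GOOD_SAMPLE = [
    "3f9a1c7e5b2d8046e1a9c3b7d5f20e14",
    "a7c2e9f1034b8d6e5f1a2c3b4d5e6f70",
    "0e1d2c3b4a5968778695a4b3c2d1e0f9",
    "9b8a7c6d5e4f30211f2e3d4c5b6a7988",
]
BAD_SAMPLE = ["sess1001", "sess1002", "sess1003", "sess1004"]


def shannon_entropy_bits(token: str) -> float:
    """Per-character Shannon entropy times length: an upper bound on the
    randomness actually present in one token (structure lowers it)."""
    if not token:
        return 0.0
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values()) * n


def _numeric_view(token: str) -> Optional[int]:
    """Whole token as a hex/decimal integer, else its trailing digits."""
    try:
        return int(token, 16)
    except ValueError:
        m = re.search(r"(\d+)$", token)
        return int(m.group(1)) if m else None


def looks_sequential(ids: List[str]) -> bool:
    """True when identifiers issued in order differ by small positive steps:
    counters and timestamps, the classic guessable session ID."""
    nums = [_numeric_view(t) for t in ids]
    if len(nums) < 3 or any(n is None for n in nums):
        return False
    deltas = [b - a for a, b in zip(nums, nums[1:])]
    return all(0 < d <= 1000 for d in deltas)


def assess_session_ids(ids: List[str]) -> Dict[str, object]:
    """Summarise a harvested sample and list the findings worth chasing."""
    if not ids:
        raise ValueError("no identifiers to assess")
    alphabet = set("".join(ids))
    min_len = min(len(t) for t in ids)
    # bits if every character were uniform over the observed alphabet
    nominal_bits = min_len * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    measured = min(shannon_entropy_bits(t) for t in ids)
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate identifiers issued")
    if nominal_bits < 64:  # common guidance: at least 64 bits of entropy
        findings.append(f"token space too small ({nominal_bits:.0f} bits)")
    if looks_sequential(ids):
        findings.append("identifiers are sequential/predictable")
    return {
        "alphabet_size": len(alphabet),
        "nominal_bits": round(nominal_bits, 1),
        "min_measured_bits": round(measured, 1),
        "findings": findings,
    }
```

Entropy estimates from a handful of tokens are only a smoke test; a clean result here does not prove the generator is sound, but a sequential or tiny-alphabet result is a finding on its own.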
Insecure authorization
"I feel like being an administrator today."
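The two authorization failures from the data-in-transit slide (a server that responds without any authorization check, and a client-based authorization decision), written as minimal request handlers with the fix beside each. This is an added Python example, not code from the NowSecure deck; the users, roles, tokens and order records are constructed and there is no web framework behind it.

```python
"""Added example: the two authorization failures from the data-in-transit
slide, as minimal request handlers with no web framework. Not from the
NowSecure deck; users, roles, tokens and order records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Server-side state (constructed).
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user
ROLES: Dict[str, str] = {"alice": "admin", "bob": "user"}
ORDERS: Dict[int, str] = {1: "alice", 2: "bob"}                       # order -> owner


@dataclass
class Request:
    headers: Dict[str, str]
    body: Dict[str, object] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


def current_user(req: Request) -> Optional[str]:
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def delete_user_vulnerable(req: Request) -> int:
    """Client-based authorization decision: the role claim comes from the
    request body, so a proxy user flips is_admin and becomes an admin."""
    if current_user(req) is None:
        return 401
    return 200 if req.body.get("is_admin") else 403


def delete_user_fixed(req: Request) -> int:
    """The role is looked up in the server's own records, never the request."""
    user = current_user(req)
    if user is None:
        return 401
    return 200 if ROLES.get(user) == "admin" else 403


def get_order_vulnerable(req: Request) -> int:
    """Responds to any request without an authorization check at all:
    any caller can read any order by changing the id."""
    return 200 if int(req.params["id"]) in ORDERS else 404


def get_order_fixed(req: Request) -> int:
    """Authenticate, then check that the caller owns the object (the
    object-level check that is missing whenever an IDOR finding exists)."""
    user = current_user(req)
    if user is None:
        return 401
    owner = ORDERS.get(int(req.params["id"]))
    if owner is None:
        return 404
    return 200 if owner == user else 403


def replay_as(req: Request, token: str) -> Request:
    """Tester's helper: the same request, re-sent with another user's session."""
    headers = {**req.headers, "Authorization": f"Bearer {token}"}
    return Request(headers, dict(req.body), dict(req.params))
```

The replay helper is the whole test method in miniature: capture a request as user A, re-send it with user B's token (or with no token at all), and any 200 that comes back is a server that decided authorization on the client's say-so.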
http://disney.wikia.com/wiki/Leia_Organa
"Somebody has to save our [skins servers]." — Princess Leia
Server-side issues
● Injection
○ SQL
○ XSS
○ Command
● Improper session handling
● Weak ciphers
● Many more...
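The first entry on that list, worked through against an in-memory SQLite database: the concatenated query a mobile back end still too often runs, the parameterised version, and the boolean-based probe a tester sends through the proxy to tell them apart. This is an added Python example, not code from the NowSecure deck; the schema and rows are constructed, and the vulnerable function keeps its bug on purpose.

```python
"""Added example: the SQL injection entry from the slide, against an in-memory
SQLite database. Not from the NowSecure deck; schema and rows are constructed,
and the vulnerable function keeps its concatenation bug on purpose."""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str, str]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """The username from the JSON body is pasted into the statement. A value
    such as  bob' OR '1'='1  turns a one-row lookup into a table dump."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Parameter binding: the value travels separately from the statement and
    can never change its structure."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe_for_sqli(query: Callable[[sqlite3.Connection, str], List[Row]],
                   conn: sqlite3.Connection, baseline: str = "bob") -> bool:
    """Boolean-based check a proxy user runs by hand: append a tautology and a
    contradiction; if the responses differ (or the quote causes an error),
    the input reaches the SQL parser."""
    try:
        true_rows = query(conn, baseline + "' AND '1'='1")
        false_rows = query(conn, baseline + "' AND '1'='2")
    except sqlite3.Error:
        return True
    return true_rows != false_rows
```

Against the fixed handler both probes simply look up a user that does not exist and return nothing, which is what makes the tautology/contradiction pair a better test than sending a lone quote and looking for an error.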
Weak cipher examples: what do you accept?
https://www.ssllabs.com/
[Screenshots: SSL Labs cipher suite results]
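For back ends that SSL Labs cannot reach (internal hosts, non-standard ports), a small probe in the spirit of nmap's ssl-enum-ciphers answers the same question, "what do you accept?". This is an added Python example, not code from the NowSecure deck; the weak-suite markers are my choice, classify_cipher() is pure, and the two probe functions open real connections, so run them only against servers you are permitted to test (the host in main is a placeholder).

```python
"""Added example: a small cipher-suite and protocol probe in the spirit of nmap's
ssl-enum-ciphers. Not from the NowSecure deck. classify_cipher() is pure;
accepted_ciphers()/accepted_protocols() open real connections and are only for
servers you have permission to test (the host name in main is a placeholder)."""
import socket
import ssl
from typing import Dict, List, Optional

# OpenSSL-style name fragments that mark a suite as weak, with the reason.
WEAK_MARKERS = {
    "NULL": "no encryption",
    "EXP": "export-grade key size",
    "RC4": "RC4 stream cipher (RFC 7465)",
    "DES": "DES/3DES 64-bit block cipher (SWEET32)",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH (no server authentication)",
    "AECDH": "anonymous ECDH (no server authentication)",
}


def classify_cipher(name: str) -> List[str]:
    """Reasons an OpenSSL cipher name counts as weak; [] when it looks fine."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in name]


def weak_ciphers(names: List[str]) -> Dict[str, List[str]]:
    return {n: classify_cipher(n) for n in names if classify_cipher(n)}


def _probe_context(cipher: str = "ALL:COMPLEMENTOFALL",
                   version: Optional[ssl.TLSVersion] = None) -> ssl.SSLContext:
    """A client context that offers exactly what we want to test. Validation is
    off on purpose: the question is what the server negotiates, not its cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    else:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() covers pre-1.3 suites only
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")          # let OpenSSL offer legacy suites
    return ctx


def _handshakes(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def accepted_ciphers(host: str, port: int = 443, timeout: float = 3.0) -> Dict[str, bool]:
    """One handshake per suite: True if the server accepts that suite alone."""
    names = [c["name"] for c in _probe_context().get_ciphers()]
    results = {}
    for name in names:
        try:
            ctx = _probe_context(cipher=name)
        except ssl.SSLError:
            continue  # this OpenSSL build cannot offer the suite at all
        results[name] = _handshakes(host, port, ctx, timeout)
    return results


def accepted_protocols(host: str, port: int = 443, timeout: float = 3.0) -> Dict[str, Optional[bool]]:
    """None means the local library would not even offer that version."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = _probe_context(version=ver)
        except (ssl.SSLError, ValueError):
            results[ver.name] = None
            continue
        results[ver.name] = _handshakes(host, port, ctx, timeout)
    return results


if __name__ == "__main__":
    host = "api.example.com"  # placeholder: only scan hosts you are allowed to test
    print(accepted_protocols(host))
    print(weak_ciphers([n for n, ok in accepted_ciphers(host).items() if ok]))
```

One caveat a practitioner should keep in mind: the result is bounded by the local OpenSSL build. A suite or protocol the client library refuses to offer (shown as skipped or None) is untested, not rejected by the server, so cross-check with nmap or SSL Labs before calling a server clean.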
Intelligence Gathering
● What IP addresses does your app talk to?
● Query WHOIS to learn more about each IP address
● Use geolocation services to confirm IP address location
Endpoint identification
https://www.wireshark.org
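The first step of the intelligence-gathering slide ("what IP addresses does your app talk to?") and the endpoint identification that Wireshark does interactively, as a script: parse a pcap captured on the laptop, count the TCP endpoints the device itself connected to, drop the lab's private addresses, and hand each remaining one to WHOIS. This is an added Python example, not code from the NowSecure deck; the capture is constructed in code, the device address matches the setup diagram, and 93.184.216.34 is just a sample public address.

```python
"""Added example: pull the TCP endpoints an app talks to out of a pcap
captured on the laptop (tcpdump -i eth0 -w app.pcap) so each can be fed to
WHOIS and geolocation. Not from the NowSecure deck; the capture below is
constructed in code, and 93.184.216.34 is just a sample public address."""
import ipaddress
import socket
import struct
from collections import Counter
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
Endpoint = Tuple[str, int]


def build_sample_pcap(flows: List[Tuple[str, str, int]]) -> bytes:
    """Constructed capture: one TCP SYN per (src, dst, dport) triple."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, dst, dport) in enumerate(flows):
        eth = bytes(12) + struct.pack("!H", 0x0800)                     # EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = eth + ip + tcp
        out += struct.pack("<IIII", 1480000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield link-layer frames from a classic pcap (pcapng is not handled)."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_endpoints(pcap: bytes, device_ip: str) -> Counter:
    """Count (dst_ip, dst_port) for TCP segments the device itself sent."""
    hits: Counter = Counter()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        if proto != 6 or src != device_ip or len(frame) < tcp_off + 4:
            continue
        (dport,) = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])
        hits[(dst, dport)] += 1
    return hits


def public_endpoints(hits: Counter) -> Dict[Endpoint, int]:
    """Drop the lab gateway and other non-routable addresses before WHOIS."""
    return {ep: n for ep, n in hits.items() if ipaddress.ip_address(ep[0]).is_global}


def whois(ip: str, server: str = "whois.iana.org", timeout: float = 5.0) -> str:
    """Raw RFC 3912 query; IANA's answer names the regional registry to ask next."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{ip}\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")
```

Counting by destination rather than by packet is the point: an app that talks to twelve hosts usually has one API server and eleven SDKs, and the WHOIS owner of each of the eleven is what the privacy-leakage slide is really asking about.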
Suggested tools for back-end testing
● Rooted Android device (I use a Google Nexus 5)
● Linux machine or VM with Android Studio tools
● May we recommend Santoku Linux? (Also, Kali Linux)
Tools for testing
Qualys SSL Labs: https://www.ssllabs.com/ssltest/
Nmap: https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html and https://nmap.org/nsedoc/scripts/ssl-cert.html
Mitmproxy: http://docs.mitmproxy.org/en/stable/
Burp Suite: https://support.portswigger.net/
IPFingerprints: http://www.ipfingerprints.com/
Santoku Linux: https://santoku-linux.com/
Wireshark: https://www.wireshark.org
Pointers to keep in mind during analysis
● Don't just focus on the encrypted payload. Look at metadata.
● When searching for data in large files, command line tools are best: try grep
● Try multiple tools. Find the one you're most comfortable with.
● If you're scanning a third-party server, get permission
Vulnerable data exists in more than just the payload
Try using both trusted and untrusted certificates when intercepting data in transit
Don’t underestimate the time/effort involved in network-focused testing
Episode III
ATTACK OF THE CODE
Thursday, January 19, 11 a.m. CST / 9 a.m. PST
REGISTER NOW: http://bit.ly/2gOPih8
Let's talk
NowSecure, +1 312.878.1100
@NowSecureMobile, www.nowsecure.com
Subscribe to #MobSec5 - a digest of the week's mobile news that matters - http://mobsec5.nowsecure.com/