* © Copyright 2013 viaForensics, LLC. Proprietary Information. Mobile security, forensics & malware analysis with Santoku Linux

Via forensics thotcon-2013-mobile-security-with-santoku-linux


Page 1: Via forensics thotcon-2013-mobile-security-with-santoku-linux


Mobile security, forensics & malware analysis with Santoku Linux


IN MEMORY OF

Alois Charles Hoog, Sr.(1920 - 2013)

Husband, Father of 5

Grandfather of 12, Great Grandfather of 9

United States Army Air Corps (Retired)

And a true Master Craftsman that any Geek

would be proud to call Grandpa

We will miss you dearly.


PRESENTER

Andrew Hoog (CEO/Co-Founder)

Andrew is a published author, computer scientist, and mobile forensic/security researcher. He has several patents pending and does frequent presentations/briefings.

Additionally, he participated in many hack(y sack) circles in college instead of classes.


VIAFORENSICS OVERVIEW

viaForensics is a mobile security company founded in 2009.

Bootstrapped, with ~40 employees and a 10 person dedicated mobile security R&D team.

Some of our f/oss:

— YAFFS2 in TSK (The Sleuth Kit)

— AFLogical OSE

— Santoku Linux

...


RECENT CONFERENCES


SANTOKU - WHY?

Chart: number of units shipped (millions) by device type (Desktop PC, Portable PC, Tablet, Smartphone) for 2012 (total: 1,201.1) and 2017 projected (total: 2,250.3); the y axis runs from 200 to 1600.


SANTOKU - WHAT?


SANTOKU - HOW?

— Install Lubuntu 12.04 (precise) x86_64

— Santoku-ize it


You should get (after reboot)


A Different Kind of Hacking


The History of Footbag

The concept behind footbag (intercepting an object in flight and keeping it airborne by using all parts of the body except the hands and arms) is not a new idea.

Rather, as surprising as it may seem, the roots of our modern-day kicking game are to be found in ancient Eastern cultures.

Shown here are people playing Sepak Takraw in the streets of Malaysia.


MOBILE FORENSICS


FORENSIC ACQUISITION TYPES

Logical
  Description: read device data via backup, API or other controlled access to data
  Use cases: fast; data generally well structured
  Challenges: often very limited access to data; usually requires the passcode to unlock the device

File system
  Description: copy of the files on the file system
  Use cases: more data than logical; re-creating an encrypted file system
  Challenges: requires additional access to the device; many file system files are not responsive (relevant) in cases

Physical
  Description: bit-by-bit copy of the physical storage
  Use cases: most forensically sound technique; increases the chance of deleted data recovery
  Challenges: cannot pull the drive from a mobile device as from a PC; the FTL may not expose bad blocks


iOS Logical

— Connect the device (enter the PIN if needed)

— idevicebackup2 backup <backup dir>

— idevicebackup2 unback <backup dir>

— View the backup or the unpacked backup



iPhone Backup Analyzer


The History of Footbag

While the co-operative kicking sport has ancient origins in China, Thailand, Native America and nearly every other country, Hacky Sack or Footbag, as we know it today, is a modern American sport invented in 1972 by John Stalberger and Mike Marshall of Oregon City, Oregon.

Marshall had created a hand-made bean bag that he was kicking around. Stalberger was recovering from knee surgery and was looking for a fun way to exercise his knees.

Together, they called the new game "Hackin' the Sack." The two decided to collaborate and market their new game under the trademark "Hacky Sack®".

Mike Marshall died of a heart attack in 1975, at the age of twenty-eight. John Stalberger continued with the "Hacky Sack" cause and formed the National Hacky Sack Association. He later sold the rights for the Hacky Sack® Footbag to Kransco (operating under the Wham-O label), which also manufactured the Frisbee flying disc.


Android Logical

—AFLogical OSE

https://github.com/viaforensics/android-forensics

—Reads Content Providers

—Push to phone, run, store on SD Card

—Pull CSVs to Santoku for review
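The push, run, store, pull sequence above as a script. This is an added example for this page, not code from the deck or from the AFLogical OSE project. It assumes adb on the PATH and a handset with USB debugging enabled; the APK file name, the package and activity names used to launch the agent, and the /sdcard/forensics output directory are assumptions about the usual AFLogical OSE setup and should be checked against the release in use. Installing the agent modifies the device, so the script logs the APK hash and time first and hashes the pulled CSVs immediately.

```shell
#!/bin/sh
# Added example, not code from the deck or from AFLogical OSE: the
# install, run, extract sequence driven from Santoku with adb, followed
# by an inventory of what came back. Assumes adb on the PATH and a handset
# with USB debugging enabled. APK name, package/activity names and the
# /sdcard/forensics output directory are assumptions about the usual
# AFLogical OSE setup; check them against the release you have.
AFL_APK="${AFL_APK:-AFLogical-OSE_1.5.2.apk}"
AFL_PKG="com.viaforensics.android.aflogical_ose"
AFL_ACT="com.viaforensics.android.ForensicsActivity"
AFL_OUT="/sdcard/forensics"

# Data rows in a CSV = lines minus the header (0 for an empty file).
# Good enough for a sanity check; fields with embedded newlines would
# over-count, so compare against the counts AFLogical shows on screen.
csv_rows() {
    n=$(wc -l < "$1" | tr -d ' ')
    if [ "$n" -gt 0 ]; then echo $((n - 1)); else echo 0; fi
}

# One line per pulled CSV: sha256, data rows, path. Run it right after the
# pull and keep the output with the case notes.
inventory() {
    find "$1" -type f -name '*.csv' | sort | while read -r f; do
        printf '%s  %s rows  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(csv_rows "$f")" "$f"
    done
}

# Push the agent, launch it, wait for the examiner to run the capture on
# the handset, pull the results. Installing the agent changes the device,
# so the APK hash and the time are logged first.
afl_extract() {
    out="$1"
    command -v adb >/dev/null || { echo "adb not found" >&2; return 1; }
    mkdir -p "$out" || return 1
    { date -u; sha256sum "$AFL_APK"; } >> "$out/acquisition.log"
    adb wait-for-device
    adb install -r "$AFL_APK" || return 1
    adb shell am start -n "$AFL_PKG/$AFL_ACT" || return 1
    printf 'Tick the providers and press Capture on the handset, then press Enter: '
    read -r _
    adb pull "$AFL_OUT" "$out" || return 1
    inventory "$out" | tee -a "$out/acquisition.log"
}

# Usage: sh aflogical_pull.sh <case output dir>
if [ -n "${1-}" ]; then
    afl_extract "$1"
fi
```

The capture itself still happens on the handset (the examiner ticks the content providers and presses Capture); the script only wraps the adb steps around it. The row counts are a quick completeness check against what the agent reported, not a substitute for reviewing the CSVs in Santoku.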


AFLogical OSE


Install, run, extract


The Benefits of Hacking to Hackers

What do most hackers do while they're hacking?

They sit!

You don't need a Ph.D. in physiology or biomechanics to know that spending 8-16 hours in a chair is bad for you.


The Benefits of Hacking to Hackers

Hacky Sack:

Is Cooperative {much more fun in groups}

Is Legit Exercise {it will get your blood flowing}

Improves overall coordination

Can be played almost anywhere

Requires virtually no equipment other than sack


MOBILE SECURITY


APP SELECTION

Apps were selected based on popularity, number of downloads, or potential sensitivity of data. Approximately 50 apps have been reviewed and organized into categories.

Category            # apps reviewed
Finance             10
Lifestyle           11
Productivity         6
Travel               5
Social Networking    6
Security             6
Other                6

Page 26: Via forensics thotcon-2013-mobile-security-with-santoku-linux

*© Copyright 2013 viaForensics, LLC. Proprietary Information.

APP TESTING RESULTS

Chart: % of apps with issues, by finding (y axis 0 to 100%). Bars: Stored Username, Stored Password, Medium or High Risk (other risks), Failed MITM. Values printed on the chart, in the order they appear: ~80%, ~30%, ~50%, ~15%.


The "Rules" of Hacking

1. Cannot serve to self

2. Cannot say, "Sorry"

3. Cannot use hands

A Hack is one complete time around circle


Any.DO

— Business and personal task management app (iOS and Android)

— Millions of users

— Many vulnerabilities, no response from the company

— https://viaforensics.com/mobile-security/security-vulnerabilities-anydo-android.html


Any.DO Analysis - Forensics

— Locate the Any.DO app directory in the unpacked backup:

<path-to-backup>/var/mobile/Applications/com.anydo.AnyDO

— Examine the binary plist file (Library/Preferences):

$ file com.anydo.AnyDO.plist
com.anydo.AnyDO.plist: Apple binary property list

— Convert the binary plist to XML:

$ plutil -i com.anydo.AnyDO.plist -o com.anydo.AnyDO.plist.xml

— Read it: vi com.anydo.AnyDO.plist.xml
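The iOS logical acquisition from the "iOS Logical" slide carried through to the plist check on this slide, as one script. This is an added example written for this page, not viaForensics' or Santoku's own code. It assumes idevicebackup2 (libimobiledevice) and plistutil (the libplist converter, which takes the same -i/-o arguments as the plutil command on the slide) plus coreutils on the PATH. The SHA1 naming of files inside a raw backup ("<domain>-<relative path>") is the iTunes backup convention and the unbacked layout for AppDomain files is the one the slide shows; the helper names, the handling of other domains and the key-name pattern are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the deck): idevicebackup2 acquisition, locating
# an app's file in the raw and unpacked backup, then scanning its plist.
# Assumes idevicebackup2, plistutil and coreutils on the PATH. SHA1 naming
# of raw backup files is the iTunes convention; the AppDomain/HomeDomain
# unbacked layout follows the slide; everything else is this example's
# own choice.
set -u

# 1. Acquisition: back up over USB, unpack, hash everything before analysis.
acquire() {
    dest="$1"
    command -v idevicebackup2 >/dev/null || { echo "idevicebackup2 not found" >&2; return 1; }
    mkdir -p "$dest" || return 1
    idevicebackup2 backup "$dest" || return 1    # device must be unlocked and trusted
    idevicebackup2 unback "$dest" || return 1    # rebuilds the directory tree
    ( cd "$dest" && find . -type f -exec sha1sum {} + ) > "$dest.sha1"   # evidence hashes
}

# 2. Name of a file inside the raw backup (before unback): SHA1 of "domain-path".
backup_file_name() {
    printf '%s-%s' "$1" "$2" | sha1sum | cut -d' ' -f1
}

# Where the same file lands after unback. AppDomain and HomeDomain follow the
# layout on the slide; other domains are kept under their own name (assumption).
unbacked_path() {
    base="$1"; domain="$2"; relpath="$3"
    case "$domain" in
        AppDomain-*) printf '%s/var/mobile/Applications/%s/%s\n' "$base" "${domain#AppDomain-}" "$relpath" ;;
        HomeDomain)  printf '%s/var/mobile/%s\n' "$base" "$relpath" ;;
        *)           printf '%s/%s/%s\n' "$base" "$domain" "$relpath" ;;
    esac
}

# 3. Convert a binary plist to XML if needed, then list keys whose names
#    suggest credentials. Exit status follows grep: 0 = hits, 1 = nothing.
scan_plist() {
    plist="$1"; xml="$2"
    if [ "$(head -c 6 "$plist")" = "bplist" ]; then
        command -v plistutil >/dev/null || { echo "plistutil not found" >&2; return 2; }
        plistutil -i "$plist" -o "$xml" || return 2
    else
        cp "$plist" "$xml" || return 2
    fi
    grep -inE '<key>[^<]*(pass|pwd|secret|token|session|auth|email|user)[^<]*</key>' "$xml"
}

# Usage: sh ios_logical.sh <backup dir> [bundle id]   (default bundle id: com.anydo.AnyDO)
if [ -n "${1-}" ]; then
    app="${2:-com.anydo.AnyDO}"
    acquire "$1" && scan_plist \
        "$(unbacked_path "$1" "AppDomain-$app" "Library/Preferences/$app.plist")" \
        "$1/$app.plist.xml"
fi
```

A hit from scan_plist is a lead, not a verdict: confirm what the value is and whether the app protects it elsewhere (the iOS keychain is not in this plist). If the device has a backup password set, the files in the backup are encrypted and plistutil will not read them. Work from the hashed copy so the .sha1 manifest still verifies afterwards.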



Any.DO Analysis - Memory

— SSH into the iPhone (requires a jailbroken device with sshd): iproxy, then ssh

— Find the app PID: ps -ef | grep <app-name>

— Dump RAM using gdb (script to extract RAM)

— Extract and analyze: scp the dump to Santoku, then grep it



The Kicks and Tricks


MOBILE MALWARE ANALYSIS


Bad News

— Android malware that masquerades as an innocent advertising network

— Packaged in many legitimate apps, usually targeting the Russian market

— Has the ability to download additional apps and prompts the user to install them, posing as "Critical Updates". Uses this mechanism to spread known malware, typically premium-rate SMS fraud.

— For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/


apktool

— apktool is a tool for reverse engineering Android APKs: it disassembles the Dalvik bytecode into .smali files and also decodes the resources contained in the APK.

— It can also repackage the application after you have modified it.

— We can run it on a BadNews sample:

$ apktool d ru.blogspot.playsib.savageknife.apk savage_knife_apktool/
I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/santoku/apktool/framework/1.apk
I: Loaded.
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Done.
I: Copying assets and libs...

Source: https://code.google.com/p/android-apktool/


apktool -> smali

— We can grep the decoded output for known sensitive method calls and strings:

$ grep -R getDeviceId .
./smali/com/mobidisplay/advertsv1/AdvService.smali:    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;

$ grep -R BOOT_COMPLETED .
./AndroidManifest.xml:    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
./AndroidManifest.xml:    <action android:name="android.intent.action.BOOT_COMPLETED" />
./smali/com/mobidisplay/advertsv1/BootReceiver.smali:    const-string v2, "android.intent.action.BOOT_COMPLETED"


apktool -> smali

— We can manually analyze the disassembled smali code provided by apktool. For example, here we see a broadcast receiver that listens for BOOT_COMPLETED intents and reacts to them by starting a service in the application.
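The two greps on the previous slide generalised into a repeatable first pass over an apktool output directory. This is an added example for this page, not part of apktool or of the deck. The indicator names are real Android API and permission identifiers and the layout (AndroidManifest.xml beside smali/) is what apktool d writes; the indicator list, the helper names and the constructed sample used to check it are this example's own choices.

```shell
#!/bin/sh
# Added example for this page, not part of apktool or the deck: the two
# greps from the slide turned into a repeatable first pass over an apktool
# output directory. Indicator names are real Android API/permission
# identifiers and the layout (AndroidManifest.xml beside smali/) is what
# 'apktool d' writes; the indicator list and helper names are this
# example's own choices.

# label|extended-regex, one per line; extend as your sample set grows
INDICATORS='
imei|TelephonyManager;->getDeviceId
imsi|TelephonyManager;->getSubscriberId
phone_number|TelephonyManager;->getLine1Number
send_sms|SmsManager;->sendTextMessage
boot_receiver|android\.intent\.action\.BOOT_COMPLETED
dynamic_dex|Ldalvik/system/DexClassLoader;-><init>
apk_install_prompt|application/vnd\.android\.package-archive
'

# "label<TAB>number of files" for each indicator found under $1 (apktool dir)
triage() {
    printf '%s\n' "$INDICATORS" | while IFS='|' read -r label rx; do
        [ -n "$label" ] || continue
        n=$(grep -rEl -- "$rx" "$1" 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then printf '%s\t%s\n' "$label" "$n"; fi
    done
}

# files that reference one indicator, so a hit can be followed into the smali
where() {
    rx=$(printf '%s\n' "$INDICATORS" | sed -n "s/^$1|//p")
    [ -n "$rx" ] && grep -rEl -- "$rx" "$2"
}

# permissions requested in the decoded manifest, sorted, one per line
permissions() {
    sed -n 's/.*<uses-permission android:name="\([^"]*\)".*/\1/p' "$1/AndroidManifest.xml" | sort -u
}

# Usage: sh triage.sh <apktool output dir>
if [ -n "${1-}" ]; then
    echo "== permissions"; permissions "$1"
    echo "== indicators"; triage "$1"
fi
```

A hit only says the code references the API: many legitimate ad SDKs also call getDeviceId, and a boot receiver on its own is not malicious. Use where to find the files behind each hit and read the smali, as the slide does for BootReceiver, before drawing conclusions; the permissions list is the quickest cross-check (RECEIVE_BOOT_COMPLETED without a boot receiver, or SEND_SMS in an ad library, is worth a closer look).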


BadNews Malware Sample -> Dex2Jar -> JD-GUI

Contagio MiniDump Malware Repository

contagiominidump.blogspot.com


A LITTLE HELP, PLEASE.

—HOWTOs

—New/existing tool development

—.deb package maintenance

—Forums, spreading the word


https://santoku-linux.com

@SantokuLinux

@viaForensics

DON'T PANIC