A short presentation on some of the many issues that play a role in mobile security.
1. THE ART OF MOBILE SECURITY. (ISC)2 New York Metro, April 2013. Elliott Frantz, http://www.virtuesecurity.com
2. Agenda. Platform security. Pentesting mobile applications. Identifying attack vectors. Current events. Changing culture and the future of mobile security.
3. Mobile Platform Security. Mobile platforms have a large gray area between functionality and security issues. Many features of mobile platforms create cached artifacts of runtime data. Applications must properly defend against these functions to contain sensitive data.
4. iOS Background Screen Cache. Screenshots are taken when the user hits the home button. They can be forensically recovered from the device. App developers must properly handle background events to hide sensitive data on screen.
5. iOS UITextFields. Known as the iOS native keylogger: iOS will cache text entered in these fields. Data can be forensically recovered or easily accessed on a jailbroken device at /private/var/mobile/Library/Keyboard/UserDictionary.sqlite and /private/var/mobile/Library/Keyboard/dynamic-text.dat.
6. Android Content Providers. Can act as a data store for multiple applications. Often used for single applications. Must properly restrict permissions for other applications. Malicious apps may attempt to read from your provider.
7. Pentesting Mobile Applications. Objectives: identify data transmitted (protocols, hosts, ports); MITM the client to attack the application layer; analysis of business logic and technologies used; identify and subvert client side controls; static analysis of the application binary; identify cached data.
8. Mobile Man-in-the-Middle. There are many ways to MITM apps; go with the simplest configuration (often an HTTP proxy). Apps using custom protocols must use network proxies like Mallory. A variety of frameworks are available to bypass certificate pinning.
9. Application Analysis. Compare use of the application to the data transmitted to determine client side controls. Construct a threat model for business logic: what are the abuse cases that relate to the business?
10. Defeating Client Side Controls (Android). Android may be the easiest platform on which to modify code and repackage the APK. Tools such as Virtuous Ten can perform this quickly. Apps can also be manipulated with Java debugging methods (DDMS).
11. Defeating Client Side Controls (iOS). The iOS Objective-C runtime can be easily manipulated with cycript/Mobile Substrate. One can jump to arbitrary points in the application, call functions, and replace code.
12. Code Patching. Identify simple logic:

    Is_our_phone_jailbroken() {
        if (/* lengthy convoluted jailbreak detection */)
            return 1
        else
            return 0
    }

Only one byte needs to be modified.
14. Camera EXIF Data. GPS data is often embedded in photos taken. Server side components must scrub EXIF data.
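The server side scrubbing the slide calls for, as an added illustration that is not code from the presentation: a standard-library Python routine that drops Exif APP1 segments (where GPS tags are stored) from an uploaded JPEG while keeping the JFIF header and image data intact. The sample JPEG bytes are constructed inline and are not a real photo.

```python
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment (where GPS tags live) removed.

    Only the marker segments before the scan (SOS) are walked; from SOS onward the
    bytes are entropy-coded image data and are copied unchanged. JFIF APP0 and
    non-Exif APP1 segments such as XMP are kept, so the image stays valid.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = bytearray(data[:2]), 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker == SOS:  # scan header, entropy data and EOI: copy verbatim
            out += b"\xff" + bytes([marker]) + data[pos:]
            break
        if marker in STANDALONE:
            out += b"\xff" + bytes([marker])
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # counts its own 2 bytes
        segment, pos = data[pos:pos + length], pos + length
        if marker == APP1 and segment[2:8] == b"Exif\x00\x00":
            continue  # drop the Exif block together with its embedded GPS IFD
        out += b"\xff" + bytes([marker]) + segment
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment with its big-endian length prefix."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real photo): SOI, JFIF APP0, an Exif APP1 whose TIFF header
# stands in for a GPS IFD, a one-component SOS with a few entropy bytes, then EOI.
JFIF_APP0 = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF_APP1 = _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<gps-ifd-placeholder>")
SCAN = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9"
SAMPLE_JPEG = b"\xff\xd8" + JFIF_APP0 + EXIF_APP1 + SCAN
```

Running strip_exif over an upload before it is stored or served removes the Exif block whole, so the GPS IFD never has to be parsed; re-running it on already-clean output returns the input unchanged.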
15. WebViews. Introduces web based vectors (XSS, CSRF, etc.). WebView JS may be invoked and take parameters from native code. Some configurations can invoke native code from JS. Caching can be an issue (NSURLConnection).
16. C Memory Management. Dangerous functions should still be avoided (strcpy(), strcmp()). Memory should still be properly cleaned when using malloc(), free(), realloc(), etc.
17. Static Analysis (iOS). iOS IPAs can be decrypted with a memory dump at runtime. Examine archive and plist files. The binary can be examined like traditional compiled binaries (strings, dump symbol table, etc.).
18. Static Analysis (Android). Android apps are packaged as APK files (can be extracted with any zip utility). Inspect the package for build/debug artifacts. Search code for hardcoded strings. Useful to reconstruct code as Java. Check for native code in /libs. Examine AndroidManifest.xml.
19. Personal Devices. Consider how data can be leaked. Consider what apps can invoke your application. Consider what apps your application invokes.
21. Carrier Concerns. Owners of customized Android ROMs must distribute updates themselves (they don't). Millions of users are left with critical vulnerabilities.
22. Where are we? Not everything is terrible! iOS and Android provide ASLR, DEP, and application sandboxes built in. ARMv8 introduces 64-bit CPUs.
23. Where are we going? We are more functionality driven than ever. Threats are more malicious than ever. World population is growing. Developing nations are increasingly technical.