Moving Targets: Assessing the Security of Mobile Devices, March 3rd, 2016, Kevin Johnson, CEO Secure Ideas


Page 1: Moving Targets: Assessing the Security of Mobile Devices

Moving Targets:

Assessing the Security of Mobile Devices

March 3rd, 2016

Kevin Johnson, CEO Secure Ideas

Page 2

Conflict of Interest

Kevin Johnson has no real or apparent conflicts of interest to report.

Page 3

Kevin Johnson

• Founder and CEO of Secure Ideas
• IANS Faculty
• Course Author and Instructor
  – Web Application and Mobile Testing
  – BlackHat, DerbyCon, OWASP
• Podcaster – Professionally Evil Perspective
• Open Source Project Lead – SamuraiWTF, Laudanum, Yokoso, WeaponizedFlash, etc.
• 501st Member – TR-42265
• Father, Husband and Christian

Page 4

Agenda

• Mobile Security
• Security Concerns
• Testing Yourself

Page 5

Learning Objectives

• Describe the privacy and security issues around mobile devices
• Identify the various toolsets that can be used to assess risk and discuss how they can be utilized
• Discuss how mobile devices play a role in various attack scenarios

Page 6

Mobile Security

• Mobile devices have come a long way
  • It's not your parents' brick phone
• Mobile devices have become a critical piece of our lives and business
  • There are more cell phones in the US than people!
• Increasing computing power every day
  • More powerful than some computers

Page 7

Mobile Aspects

• Mobile devices are the most common type of computing device
  – And growing every day!
• These devices contain our entire lives
  – Address books, email, messages and more
• This is made worse due to the applications
  – More than just games!

Page 8

Mobile Considerations

• The increased computing means increased data
• Phones and tablets are replacing computers
• With the increased data comes larger security concerns
• Similar to laptops, but without the general awareness
• General lack of security controls and protections
• Users disable the ones that exist

Page 9

Modern Systems

Page 10

Mobile Risks

• OWASP has long been associated with application security
  – Started around web applications
  – Moved into mobile and IoT
• Provides tools and guidance
  – For builders and breakers
• https://www.owasp.org

Page 11

Top 10 Mobile Issues

Page 12

Communication Issues

• Communication problems range through a number of issues
  • Spoofed sites
  • Unencrypted communications
  • Man in the middle attacks
• All of these concerns can be found in the various platforms
• None of the platforms have solved the issue
  • Neither have the non-mobile platforms of course!
• An attacker can use these issues to wreak havoc on the user and the device

Page 13

Third-party Sites

• Many applications use backend systems
  • From the author and others!
  • The others are a concern
    • Not that the author isn't ;)
• These sites are used for many purposes
  • Advertising
  • Application functionality (Social Gaming)
  • Advertising
  • Stats
  • Advertising

Page 14

Example: Third Party Data

• Intercepting traffic via a proxy is simple
  • We used Burp
• This allowed us to see the sheer number of sites applications called
• We tested ~20 apps
  • iPhone and Android
• We saw ~24K requests
  • Most were for non-app data

Page 15

Unencrypted Communications

• Many applications do not use encryption
  • Due to limited resources
  • Or the impression of limited resources
• Developers may also assume the traffic is not sensitive
  • "It's just a phone!"
• Many sites' applications use HTTP for communication
  • Even sites that recommend encryption in browsers
  • Facebook's application was guilty of this
• We also find applications using encoding instead!
  • BASE64 should be illegal

Page 16

Example: To the Cloud!!!

• This application uses HTTP to submit all data
  • Registration and login included
• The developer used a GET
  • Which means the information is in the Apache logs
• But they encrypted it, right?
  • Not really, the data is BASE64 encoded!

Page 17

Testing This Yourself

• Don't take our word for it
  – Check out your applications yourself!
• All applications should be examined before using them!
• Keep in mind this is passive
  – We are not actively attacking the application
• Two methods
  – Interception proxy
  – Network capture
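As an added example (not from the slides or from Secure Ideas), a small Python triage pass over requests captured with a proxy or network capture, the kind of passive check slides 15 through 17 describe: it flags plain HTTP, sensitive fields sent in a GET query string (which land in the server's access logs), and Base64 values that decode straight back to readable text. The hostnames, the sample requests and the Base64 payload are constructed.

```python
"""Passive triage of captured mobile-app requests: cleartext HTTP, secrets in GET
query strings, and Base64 mistaken for encryption. Added example; data is constructed."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Field names that should never travel in a URL: URLs are written to server access logs.
SENSITIVE_KEYS = {"user", "username", "email", "password", "passwd", "pwd", "token", "session"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def decode_if_base64(value):
    """Return the decoded text when value is well-formed Base64 of printable text, else None."""
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def triage(method, url):
    """Return a list of (category, detail) findings for one captured request."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append(("cleartext", f"{method} to {parts.netloc} uses plain HTTP"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    for key, value in list(params):
        decoded = decode_if_base64(value)
        if decoded is not None:
            findings.append(("base64-not-encryption", f"{key} decodes to {decoded!r}"))
            params += parse_qsl(decoded)  # the decoded fields are what really travels
    if method == "GET":
        leaked = sorted({k for k, _ in params if k.lower() in SENSITIVE_KEYS})
        if leaked:
            findings.append(("sensitive-in-query", f"{', '.join(leaked)} end up in access logs"))
    return findings

# Constructed proxy history; the Base64 payload is built here so it is visibly not real data.
SAMPLE_REQUESTS = [
    ("GET", "http://api.example.invalid/register?data="
            + base64.b64encode(b"user=alice&password=hunter2").decode()),
    ("GET", "https://stats.example.invalid/ping?user=alice&token=abc"),
    ("POST", "https://api.example.invalid/login"),
]
if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        print(method, url, triage(method, url) or "no findings")
```

The second sample shows why the GET check is independent of transport: HTTPS protects the wire, but the query string is still logged by the server and any proxy in front of it.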

Page 18

Burp Suite

• Burp Suite is a complete collection of tools
  – Based around the interception proxy
  – Available at http://portswigger.net
• Each of the pieces can be used separately
  – But its power comes from combining them during a test
• Burp Suite is a commercial project
  – There is a mostly functional free version
• The free version is limited
  – Missing features such as the scanner and search
  – Also prevents saving or restoring state

Page 19

Burp Suite

• Burp is now our old friend!
  – Used in all forms of penetration testing involving HTTP/S
• It allows us to intercept the web calls
  – If the application is using HTTP or HTTPS
• We can make use of its automatic features
  – Fuzzing or scanning the back end applications
  – Parsing and rewriting requests and responses

Page 20

Intercepting Traffic

• Intercepting traffic requires a bit of setup
  – Which we can make the default
• The proxy listener is bound to localhost
  – We need to change this to allow incoming connections
• We also need to choose how to handle HTTPS
  – Separate CA or a specific cert

Page 21

Questions

• Kevin Johnson
• CEO Secure Ideas
• [email protected]
• @secureideas
• 904-403-8024