Mobile Security

OS3 Guest lecture – Offensive Security

April 2013

Marc Smeets

Why I am here

■ I pentest: infrastructures, mobile, networks, fun stuff!

■ KPMG is one of the ‘big four’ audit and advisory firms

■ One of the main IT security advisory companies globally

■ Information Protection Services team (48 fte in NL, large global network)

■ Security testing/ethical hacking, IT auditing, all fun things IT security

Why you are here

■ Learn about a new topic: mobile security

■ Ask hard questions

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

■ Learn a bit about KPMG (in house day)

The mobile landscape and terms

Really that hard?

[Embedded video: Apple, Blackberry, eggsbox]


Goodbye PC and pocket PC

Welcome iPhone, Android, tabs, …

Apps & AppStore

Containerization

Cloud integration & online ID

Question: Are we more secure than before?


Are we becoming more secure?

Yes, new mobile platforms are more secure in several aspects

■ Disk encryption built-in

■ Latest and greatest core security features

■ Strong ‘sandboxing’ of Apps

■ Tied-down platforms with eco-system

No, new platforms still fail at basic security

■ Disk encryption optional or circumvented

■ Remote wipe ineffective

– When to give up and call for remote wipe?

■ Security update cycle


■ What data is stored, and where (cloud)?

■ Malware still exists

The mobile landscape – an overview

[Figure: overview diagram of the mobile landscape. Android devices (local storage: corporate / private; custom ROMs; Android versions; alternative markets) connect over WiFi / USB / Bluetooth / NFC to the local network and over WiFi / UMTS / GPRS to the Internet, reaching Google services, vendor services, internet and web services, the cloud, and the corporate Exchange environment (corporate Exchange services, Mobile Device Management).]

Mobile device security 101:

Android & iOS

iOS background

iOS

■ Apple proprietary, derived from Mac OSX

■ Pillars: iOS, selected hardware, SDK and developer community, AppStore and iTunes

Software versions

■ Version 1 in 2007

■ Current release is 6.1.3

■ GM = Gold Master = for beta testers

Hardware models

■ iPhone (3GS, 4, 4S gen. supported, CDMA+GSM)

■ iPad (1st, 2nd and 3rd gen. supported, CDMA+GSM)

■ iPod Touch = iPhone – phone, GPS and compass (4th gen. supported)

■ AppleTV (2nd and 3rd supported, 1st gen. runs true OSX)


iOS from a security viewpoint – iOS layout

iOS fundamentals

■ Based on Mac OS X = UNIX

■ Two users: root (pw = alpine) and mobile. Apps run as mobile, daemons as root

■ Disk layout:

– / : boot partition (read-only)

– /private/var : user data (/var is linked to /private/var)

■ Binary property lists store settings, properties and metadata. It is a binary XML file; read/write it with plutil.

■ SQLite databases store data

■ Many DBs in /var/mobile/Library, e.g.:

– AddressBook.sqlitedb : all contact details

– CallHistory.db : recent history in DB, full history in file

– Calendar.sqlitedb : all past and upcoming events

– sms.db : all text messages, including deleted

– Keychain.db : contains all passwords, as a normal keychain

iOS from a security viewpoint – iOS security features

iOS security features

■ OS support for:

– Exchange (2007), CalDAV, IMAP, LDAP

– Cisco VPN

– Hardware encryption (3GS and up only)

– Remote wipe functionality

– Configuration profiles

– SSL strict checks

■ Missing: hardware token possibility

■ App Sandboxing

– Strict APIs for App.

– If App A wants resources of App B, it goes via the API. E.g. Photo.app sending email through the API; email.app itself is not used

■ AppStore “strictly” monitored

iOS from a hacker's perspective – iDevice boot sequence

Three boot modes

■ Normal mode

■ DFU mode - Device Firmware Upgrade: when device is unrecoverable

– Low level boot mode that uses a ramdisk for interaction with device

■ Restore mode: device is being upgraded by Apple’s ramdisk via iTunes

Boot sequence and signature checks

1. Power on, with or without DFU buttons

2. Bootrom is executed from VROM (Virtual Read Only Memory)

– Normal: check and run LLB (Low Level Boot) and iBoot

– DFU: check and boot iBSS and iBEC boot loaders

– Normal: boot loaders check kernel, kernel checks apps from flash

– DFU: boot loaders check and load kernel and ramdisk from USB connection

Signature checking:

– Bypass results in code execution

– The earlier in the boot sequence the better

– Bootrom is in hardware: different hacks for different CPUs

iOS from a hacker's perspective - jailbreaking

Removing Apple’s jail on the OS

■ Run non Apple signed Apps (e.g. Cydia.app, the alternative AppStore)

■ Get shell/SSH access to the device

■ Do all the funky stuff during a pentest

Different ways for jailbreaking

■ Tethered / untethered

■ Bootrom (e.g. limera1n): hacker’s preferred way, as it can’t be fixed with new firmware

– A4/A5/A6 chips require different approaches.

– A4 (iPhone < 4S, iPad < 2, iPod Touch) are easier

■ User land (e.g. Jailbreakme.com)

■ Kernel (e.g. Racoon configuration)


iOS from a hacker's perspective – Different layers of encryption

Disk encryption

■ Since iPhone 3Gs

■ Intended for fast wipe (1 key is used for encrypting the entire disk)

■ Decryption is done when device boots (also readable from ramdisk)

Data Protection

■ File-level encryption when data is at rest

■ Meta data remains visible

■ Input = passcode + UID hardware key

■ It is up to the developer to use it

– Mail.App is the only App from Apple that does


iOS from a hacker's perspective – keychain data

Only scratching the surface here!!

Keychain

■ Three protection classes, each secured with its own master key

– kSecAttrAccessibleWhenUnlocked

– kSecAttrAccessibleAfterFirstUnlock

– kSecAttrAccessibleAlways

(each also available as a *ThisDeviceOnly variant)

Master keys are stored in system keybag

■ /private/var/keybags/systembag.kb

■ System keybag file is encrypted by Data Protection

■ Keybag payload is encrypted before writing to disk

■ Master keys are encrypted with device key and/or passcode key

Escrow keybag

■ For iTunes to sync without passcode; stored on the computer

■ Provides the same level of access as knowing the passcode

iOS from a hacker's perspective – The forensic recovery method

Getting access

1. Turn off device

– can be done without passcode knowledge

– Remote wipe commands don’t work anymore

2. Boot in DFU mode

– Disk encryption is already defeated at this moment

3. Upload custom firmware using jailbreak techniques

4. SSH over WiFi or USBMUX; make an image of the iPhone to work with

5. Crack passcode (on device!) or use escrow keybag

– On device: speed depends on hardware:

■ iPhone 4/iPad1 = ~6 cracks/second

■ iPhone 4S/iPad2 = ~10 cracks/second


6. Using the passcode, decrypt all the Data Protected data

iOS from a hacker's perspective – iTunes backup

iTunes stores backups every time you sync

■ \Users\%USERNAME%\AppData\Roaming\Apple Computer\MobileSync\Backup

■ ~/Library/Application Support/MobileSync/Backup/

■ Stored in encoded files, decode using plist file

Backup contains all user data

■ Photos/music/address book/etc and keychain data! -> _not_ *ThisDeviceOnly

■ App developer can control if data is included in backup

Backup can be encrypted

■ Using separate password

■ Security policy of iDevice can dictate if a password is used, not the length

■ Encryption is strong (10000 rounds of PBKDF2)

Decrypt and crack with tools


■ Elcomsoft Phone Password Breaker

■ iPhone Backup Extractor

iOS from a hacker's perspective – App security

App layout

■ /private/var/mobile/Applications/<APPID>/

■ /private/var/mobile/Library/<APPID>/

App code signature

■ Kernel requires signature verification to only allow approved Apps = Apps made by an official App developer with an AppleID verified by Apple

■ Jailbreak patches signature verification out of the kernel, but signing is still needed:

– Self sign with Apple’s code sign utility -> any signature is allowed now

– Pseudo-sign -> generate the hashes that are checked by the kernel for approval

– Deactivate signing via “sysctl” command -> cripples iOS (not possible from iOS4.3 and up)

Easiest to use: no Mac needed & device still functional -> “ldid”-tool on iDevice

App encryption (DRM / Fairplay)

■ Same App is a different binary on a different iDevice

■ SC_Info (personalised for your purchase) + MAC address + iTunes keys

Binary analysis

On iOS most apps are encrypted (DRM/Fairplay); check this using otool on the device:

otool -l APP | grep LC_ENCRYPTION_INFO

LC_ENCRYPTION_INFO cmdsize 20 cryptoff 4096 cryptsize 1347584 cryptid 1

At runtime the application gets decrypted. So…

gdb -p <PROCESSID>

dump memory dump.bin $(($CryptOff + 4096)) $(($CryptSize + $CryptOff + 4096))

Why the manual effort? Use Clutch and/or poedCrackMod -> iNalyzer

Analyse using

■ IDA (ARM version); use ldone for changes to binaries

■ gdb
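The otool check above can be automated by reading the load commands directly. The following is an added example (not from the lecture) that parses a Mach-O header, walks its load commands and reports the LC_ENCRYPTION_INFO fields, so an analyst can tell from a file alone whether the binary on disk is still FairPlay-encrypted (cryptid != 0). The function and sample names are mine; the sample binaries are constructed in the block, with the field values taken from the otool output quoted above.

```python
"""Read LC_ENCRYPTION_INFO straight from a Mach-O file to see whether an iOS
app binary is still FairPlay-encrypted (cryptid != 0), the same fields that
`otool -l APP | grep LC_ENCRYPTION_INFO` prints.  Example added to this
write-up; the sample binaries are constructed here, not real apps."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin Mach-O, little-endian
FAT_MAGIC = 0xCAFEBABE                              # universal binary, big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, MH_EXECUTE = 12, 2


def encryption_info(data):
    """Return one dict per architecture slice that carries an encryption
    load command: {"cmd", "cryptoff", "cryptsize", "cryptid"}."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        found = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, off, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            found.extend(encryption_info(data[off:off + size]))
        return found
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        hdr_len = 28
    elif magic == MH_MAGIC_64:
        hdr_len = 32                                # 64-bit header has a reserved field
    else:
        raise ValueError("not a little-endian Mach-O or fat binary")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    pos, end = hdr_len, hdr_len + sizeofcmds
    found = []
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            found.append({"cmd": cmd, "cryptoff": cryptoff,
                          "cryptsize": cryptsize, "cryptid": cryptid})
        pos += cmdsize
    return found


def is_fairplay_encrypted(data):
    """True if any slice still has cryptid != 0, i.e. its __TEXT pages on
    disk are DRM-encrypted and static analysis needs a decrypted dump."""
    return any(e["cryptid"] != 0 for e in encryption_info(data))


def build_sample(cryptid, cryptoff=4096, cryptsize=1347584, fat=False):
    """Constructed minimal 32-bit ARM executable with a single
    LC_ENCRYPTION_INFO command (values mirror the otool output above);
    with fat=True it is wrapped in a one-slice universal header."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)
    hdr = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE,
                      1, len(lc), 0)                # ncmds=1, sizeofcmds, flags
    thin = hdr + lc
    if not fat:
        return thin
    arch = struct.pack(">IIIII", CPU_TYPE_ARM, 0, 28, len(thin), 0)  # slice at offset 28
    return struct.pack(">II", FAT_MAGIC, 1) + arch + thin


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    for e in encryption_info(blob):
        print("cryptoff %d cryptsize %d cryptid %d"
              % (e["cryptoff"], e["cryptsize"], e["cryptid"]))
    print("FairPlay-encrypted:", is_fairplay_encrypted(blob))
```

Run it with the path to a binary pulled from the device to get the same fields otool shows; without an argument it inspects the constructed sample.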

Android details

Google services

Play/Market

Google Backup

Google contacts


Background

Version    Name                 Release date   Specifics
1.0 – 1.6  Cupcake / Donut      2008/2009
2.0 – 2.1  Eclair               Oct 2009
2.2        Froyo                May 2010
2.3        Gingerbread          Dec 2010
3.0        Honeycomb            Feb 2011       Tablet only
4.0        Ice Cream Sandwich   Oct 2011
4.1        Jelly Bean           June 2012
4.2        Jelly Bean           Oct 2012


Software stack


Dalvik & Java

■ AndroidManifest.xml

■ Activities: An Activity is, generally, the code for a single, user-focused task (displays UI)

■ Services: A service is a body of code that runs in the background.


■ Broadcast Receiver: receiver of intents (e.g. battery empty)

Linux Security

System drive read-only

Each app has its own UID

App data in /data/data/<appname>

One app publisher can force different apps to use the same UID, to share data between his apps (!)

SQLite files

DRM

■ /data/app contains the installer (.apk) for regular apps, accessible via adb

■ /data/app-private for DRM apps

Application permissions

Apps are distributed as .apk files: Zipped file containing binary and AndroidManifest.xml

Install-time check on permissions; the user is informed of the permissions

Device administration & policy management

Device Administration API

Introduced in Android 2.2

Multiple device administrators allowed

<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <limit-password />
    <watch-login />
    <reset-password />
    <force-lock />
    <wipe-data />
    <expire-password />
    <encrypted-storage />
    <disable-camera />
  </uses-policies>
</device-admin>

http://developer.android.com/guide/topics/admin/device-admin.htm


Device administration & policy management – API options

Policy option                                        Version
Password enabled
Minimum password length
Alphanumeric password required
Complex password required                            as of 3.0
Minimum letters required in password                 as of 3.0
Minimum lowercase letters required in password       as of 3.0
Minimum non-letter characters required in password   as of 3.0
Minimum numerical digits required in password        as of 3.0
Minimum symbols required in password                 as of 3.0
Minimum uppercase letters required in password       as of 3.0
Password expiration timeout                          as of 3.0
Password history restriction                         as of 3.0
Maximum failed password attempts
Maximum inactivity time lock
Require storage encryption                           as of 3.0
Disable camera                                       as of 4.0


Android encryption

Implementation:

■ When init fails to mount /data, it knows that the volume is encrypted

■ It starts up the framework and asks the user for the password

■ After password login, it restarts the framework with /data mounted using the password

Sidenote: as of Android 4.0 a keychain API is provided


Adb & rooting

Requires enabling of debug mode on device

■ adb -d shell: provides a shell on the device

■ adb -d push/pull for file transfers

On unrooted devices you are just a regular user

Then use a manual local exploit (e.g. for Android 2.1/2.2 use rageagainstthecage.bin / CVE-2010-EASY / zergrush)


App Analysis

Dynamic analysis of app using Droidbox

Hashes, network data, File operations, services/classes used etc etc

http://code.google.com/p/droidbox/

ddms (Dalvik debugger)

■ Show device and process status (ps -x)

■ Dump heap (hprof) (on Android < 2.3) -> memory analysis

But why not disassemble entirely?


SMALI/BAKSMALI

Assembly level, quite readable

Steps to analyze an app

apktool d <App>

Edit resources (XML/PNG) / edit SMALI, e.g. inserting a log call:

const-string v0, "value"
invoke-static {v0, v0}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

apktool b <DIR> <packagename.apk>

Sign using jarsigner and debug.keystore (part of the Android SDK)

Uninstall old app, install new app (with adb or manually)


Misc

Directly starting Java classes or intents/activities

Check if state checks are adequately implemented (e.g. starting up an activity without logging in)

File permissions

Apps use getSharedPreferences, openFileOutput or openOrCreateDatabase for storing preferences and data. Check whether these calls are made private, world-readable or world-writable
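One way to perform that file-permission check is to audit the app's data directory as it appears on the device. The following is an added example (not from the lecture): it maps the Context.MODE_* flags to the Unix mode bits the framework sets, parses `ls -l` output for /data/data/<appname>, and reports every regular file that other UIDs can read or write. Function names and the sample listing are my own constructions.

```python
"""Audit an app's /data/data/<appname> tree for files created with
MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE (the flags passed to
getSharedPreferences, openFileOutput and openOrCreateDatabase).
Example added to this write-up, not from the lecture; the `ls -l` output
below is constructed, and the flag-to-mode mapping follows what the
framework's ContextImpl does for these flags."""
import re

# Context.MODE_* values as defined by the Android API.
MODE_PRIVATE, MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE = 0, 1, 2


def unix_mode_for(mode_flags):
    """Permission bits a file created with the given MODE_* flags ends up with:
    0660 (owner and group are both the app's UID) plus o+r and/or o+w."""
    perms = 0o660
    if mode_flags & MODE_WORLD_READABLE:
        perms |= 0o004
    if mode_flags & MODE_WORLD_WRITEABLE:
        perms |= 0o002
    return perms


def infer_mode_flags(mode_str):
    """Reverse mapping: which MODE_* flags would produce this `ls -l` mode
    string.  Only the 'others' triplet (columns 8-10) matters."""
    flags = MODE_PRIVATE
    if mode_str[7] == "r":
        flags |= MODE_WORLD_READABLE
    if mode_str[8] == "w":
        flags |= MODE_WORLD_WRITEABLE
    return flags


def parse_ls_line(line):
    """Return (mode, owner, group, name) for one `ls -l` line or None for
    anything else.  Handles toolbox output (no link count, as on Android 4.x)
    and toybox output (link count after the mode)."""
    parts = line.split()
    if len(parts) < 4 or not re.fullmatch(r"[-dlcbps][rwxsStT-]{9}", parts[0]):
        return None
    owner_idx = 2 if parts[1].isdigit() else 1
    return parts[0], parts[owner_idx], parts[owner_idx + 1], parts[-1]


def audit_listing(listing):
    """Return [(name, flags)] for regular files reachable by other UIDs;
    an empty list means every file is effectively MODE_PRIVATE."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None or not parsed[0].startswith("-"):   # dirs, symlinks, headers
            continue
        mode, _owner, _group, name = parsed
        flags = infer_mode_flags(mode)
        if flags != MODE_PRIVATE:
            findings.append((name, flags))
    return findings


# Constructed `ls -l` output for one app directory (toolbox style).
SAMPLE_LISTING = """\
drwxrwx--x u0_a52 u0_a52          2013-04-02 10:11 databases
-rw-rw---- u0_a52 u0_a52    20480 2013-04-02 10:11 databases/app.db
-rw-rw-rw- u0_a52 u0_a52    16384 2013-04-02 10:11 databases/cache.db
drwxrwx--x u0_a52 u0_a52          2013-04-02 10:11 shared_prefs
-rw-rw-r-- u0_a52 u0_a52      512 2013-04-02 10:11 shared_prefs/session.xml
-rw-rw---- u0_a52 u0_a52      128 2013-04-02 10:11 shared_prefs/settings.xml
lrwxrwxrwx u0_a52 u0_a52          2013-04-02 10:11 lib -> /data/app-lib/example-1
"""

if __name__ == "__main__":
    for name, flags in audit_listing(SAMPLE_LISTING):
        print("%-28s o+%s  (MODE flags %d, mode %o)" % (
            name,
            ("r" if flags & MODE_WORLD_READABLE else "") +
            ("w" if flags & MODE_WORLD_WRITEABLE else ""),
            flags, unix_mode_for(flags)))
```

The world-readable and world-writable flags were deprecated in API level 17 (Android 4.2), but apps built for older targets still use them; note that the world-executable bit on the parent directory is what lets another UID reach such a file at all.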


Break

In house day!

In house day @ KPMG Information Protection Services

What: in house day

What (2): showing what we do in detail, challenge you with an assignment and answer your questions

Who: master students that have an interest in (computer) security and related topics (as a research opportunity or job)

Why: you may not know KPMG as a firm for information security

Why (2): there are free drinks at the end

When: –DATE TO BE CONFIRMED– NOT 30 MAY!!

Interested? Write down your name and email address on the sheet


Mobile hacking:

- --REMOVED--

- PIN code cracking

- MobileConfig

Android PIN ‘guessing’

What happens after 5 incorrect tries?

Question: What are the problems for the hacker?

How to improve the attack?


Mobileconfig

Google searches everything

iOS Mobileconfig files contain what?

Googledork


Marc Smeets

[email protected]

+31 6 51 36 66 80

@MRAMSMEETS