Pentesting Mobile Applications Prashant Verma Security Consultant & Competency Lead



Description: ClubHack 2011 Hacking and Security Conference. Talk: Pentesting Mobile Applications. Speaker: Prashant Verma


Page 1: Pentesting Mobile Applications (Prashant Verma)

Pentesting Mobile Applications

Prashant Verma

Security Consultant & Competency Lead

Page 2: Pentesting Mobile Applications (Prashant Verma)

Target Mobile

Page 3: Pentesting Mobile Applications (Prashant Verma)

Types of Mobile Applications

• Browser based Mobile Applications (WAP)

• Installed Applications

Page 4: Pentesting Mobile Applications (Prashant Verma)

Android architecture

• DVM (~JVM)

• dex files

• Sandboxing: apps run with their own user and group

• Apps may share data if run with the same user

Page 5: Pentesting Mobile Applications (Prashant Verma)

iOS Architecture

• Core OS & Core Services – low-level file handling, network sockets etc. Includes technologies like Core Foundation, CFNetwork, SQLite etc. Written in C.

• Media Layer – supports audio and 2D and 3D video.

• Cocoa Touch Layer – provides the infrastructure used by applications. Contains the UIKit framework. Written in Objective-C.

Page 6: Pentesting Mobile Applications (Prashant Verma)

Pentesting Mobile Applications

• Reading Stored Data

• Capturing Requests

• Reversing the Application Package

• Platform Specific Issues

Page 7: Pentesting Mobile Applications (Prashant Verma)

Reading Stored Data

Page 8: Pentesting Mobile Applications (Prashant Verma)

Reading Stored Data

• Mobile applications store data in the local memory of the handset

• This data is stored by developers in local files and is used by the application

• Look out for persistently stored information on the mobile that contains sensitive data (passwords, keys, account details etc.)

• This may involve hacking / jailbreaking the phone

Page 9: Pentesting Mobile Applications (Prashant Verma)

Reading Stored Data: Android

• Android applications store their data in the directory /data/data/[PACKAGE_NAME]

• SharedPreferences, created with one of the modes:

• Context.MODE_PRIVATE

• Context.MODE_WORLD_READABLE

• Context.MODE_WORLD_WRITEABLE

• Files may be stored using the filesystem at /data/data/[PACKAGE_NAME]/files/filename

• Storage in SQLite databases, which can be read using an SQLite browser

Page 10: Pentesting Mobile Applications (Prashant Verma)

Reading Stored Data: Android

• Demo 1

• Let us see how the stored data can be accessed on an Android phone

• <Connect the phone via USB debugging mode, show the storage directory in Android, browse to show the different storage formats, read the files, read the databases using SQLite browser>

Page 11: Pentesting Mobile Applications (Prashant Verma)

Reading Stored Data: iOS

• iPhone too stores the data in the application directory /private/var/mobile/Applications/ApplicationID/

• Plist files can be read using Property List Editor or plutil

• SQLite databases: same procedure to read as on Android
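The stored-data review that the Android and iOS slides above describe, as an added example that is not part of the original deck: a Python script that walks a pulled copy of an app data directory (such as /data/data/[PACKAGE_NAME] or the iOS application directory), flags files left readable or writable by other users (what MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE leave behind), and lists credential-like names in shared_prefs XML, plist files and SQLite column names. The SENSITIVE fragment list, the sample file names and their contents are constructed for the demo, and the permission check assumes a POSIX filesystem.

```python
import os, stat, sqlite3, plistlib, tempfile
import xml.etree.ElementTree as ET

SENSITIVE = ("pass", "pwd", "secret", "token", "key", "account", "pin")  # constructed name fragments

def is_sensitive(name):
    return any(s in name.lower() for s in SENSITIVE)
def scan_shared_prefs(path):   # Android shared_prefs XML: <map><string name="..">..</string></map>
    return [e.get("name") for e in ET.parse(path).getroot() if is_sensitive(e.get("name", ""))]
def scan_plist(path):          # iOS plist; plistlib reads what plutil / Property List Editor show
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return [k for k in data if is_sensitive(str(k))] if isinstance(data, dict) else []
def scan_sqlite(path):         # column names of every table, as an SQLite browser would list them
    con, hits = sqlite3.connect(path), []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        hits += [f"{table}.{r[1]}" for r in con.execute(f'PRAGMA table_info("{table}")')
                 if is_sensitive(r[1])]
    con.close()
    return hits

SCANNERS = {".xml": scan_shared_prefs, ".plist": scan_plist, ".db": scan_sqlite, ".sqlite": scan_sqlite}
def audit(app_dir):
    """(kind, detail) findings for a pulled /data/data/<pkg> or iOS application directory."""
    findings = []
    for root, _, files in os.walk(app_dir):
        for fn in sorted(files):
            p = os.path.join(root, fn)
            if os.stat(p).st_mode & (stat.S_IROTH | stat.S_IWOTH):  # MODE_WORLD_READABLE/WRITEABLE leave these set
                findings.append(("world-accessible", fn))
            scanner = SCANNERS.get(os.path.splitext(fn)[1])
            findings += [("sensitive-name", f"{fn}:{h}") for h in (scanner(p) if scanner else [])]
    return findings

def build_sample():   # constructed stand-in for a pulled app data directory; not data from any real app
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "shared_prefs"))
    xml = os.path.join(d, "shared_prefs", "login.xml")
    with open(xml, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?><map><string name="username">alice</string>'
                '<string name="password">s3cret</string><boolean name="remember" value="true"/></map>')
    os.chmod(xml, 0o664)                       # as if written with MODE_WORLD_READABLE
    pl, db = os.path.join(d, "settings.plist"), os.path.join(d, "app.db")
    with open(pl, "wb") as f:
        plistlib.dump({"session_token": "abc123", "theme": "dark"}, f)
    with sqlite3.connect(db) as con:
        con.execute("CREATE TABLE accounts(id INTEGER, email TEXT, pin TEXT)")
    for p in (pl, db): os.chmod(p, 0o600)      # private, like MODE_PRIVATE / the iOS sandbox default
    return d
```

Running `audit(build_sample())` reports the world-readable prefs file plus the password key, the session token key and the pin column; on a real pull, point `audit` at the copied directory instead.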

Page 12: Pentesting Mobile Applications (Prashant Verma)

Capturing the Traffic

Page 13: Pentesting Mobile Applications (Prashant Verma)

Capturing The Traffic

• Capture HTTP requests & responses

• Carry out parameter manipulation and other attacks

• Set up a proxy in between the server & the client to intercept

• This can be achieved by proxying the real devices or proxying the emulators

Page 14: Pentesting Mobile Applications (Prashant Verma)

Capturing The Traffic : Android

• Proxying Android Device

• Root your phone

• Install Superuser

• Install a proxy tool like ProxyDroid or Auto Proxy

• Set the proxy IP address & port no.

• Emulators can also be proxied

Page 15: Pentesting Mobile Applications (Prashant Verma)

Capturing The Traffic

Page 16: Pentesting Mobile Applications (Prashant Verma)

Capturing The Traffic : iPhones

• Proxying Apple iPhone / iPad

• Set up a proxy IP address and port for the Wi-Fi connection

• Entire traffic is routed through this proxy

• Proxying simulators

• Open the Simulator within the Xcode IDE

• GUI option to set proxy IP address and port

Page 17: Pentesting Mobile Applications (Prashant Verma)

Capturing The Traffic: iPhones

• Demo 2

• Let us now see how to proxy an iPhone device to capture the traffic

• <Connect the phone & laptop to the Wi-Fi, set up the laptop as proxy for the phone, show the captured traffic on the laptop, demonstrate the parameter manipulation attack>

Page 18: Pentesting Mobile Applications (Prashant Verma)

Capturing The Traffic: iPhones

Page 19: Pentesting Mobile Applications (Prashant Verma)

Reversing the Application Package

Page 20: Pentesting Mobile Applications (Prashant Verma)

Reversing the Application Package

• Reverse engineer the application logic and source code

• Identify the flaws in the code base to exploit them

• Look for sensitive data like passwords, encryption algorithms and keys

• Nokia jar files & Android apk packages are easy to reverse

Page 21: Pentesting Mobile Applications (Prashant Verma)

Reversing the Android Package

• Two step process

• apk to dex conversion

• dex to java conversion

Page 22: Pentesting Mobile Applications (Prashant Verma)

Reversing the Android Package

• Demo 3

• Let us now see how to reverse engineer an Android application package

• <Take a .apk Android package, demonstrate the reversing process to convert it to readable Java files, show the sample vulnerability in the Java file>

Page 23: Pentesting Mobile Applications (Prashant Verma)

Platform Specific Issues

Page 24: Pentesting Mobile Applications (Prashant Verma)

Platform Specific Issues

• Android is the prime target of malware

• ZITMO

• Android Market had malicious apps

• Apple iOS

• iOS URL Schemes

• Screenshot Caching issue

Page 25: Pentesting Mobile Applications (Prashant Verma)

Malware: ZITMO

• User logs in to his banking application

• ZITMO, in the background, listens to the incoming SMS

• ZITMO obtains the SMS

• ZITMO forwards the SMS to the attacker’s web address

• SMS contains the one-time password (the second factor of the two-factor authentication)

• Attacker can use it to bypass the two-factor authentication

Page 26: Pentesting Mobile Applications (Prashant Verma)

Android Market

• Recently, Google Android Market was in the news for distributing malicious applications

• Google had to remove these infected applications from the Market

• Lack of a proper vetting process by Google, as opposed to Apple App Store

• Experts have advised Google to establish the same

Page 27: Pentesting Mobile Applications (Prashant Verma)

iOS URL Schemes

• iOS URL schemes

• URL schemes are used for web server connections, without additional parameters

• This involves sending the required parameters in the URL, which makes it a vulnerable implementation

• Sometimes the username and password are also sent this way

• Prefer other implementations, if easily possible without URL schemes

Page 28: Pentesting Mobile Applications (Prashant Verma)

iOS Screenshot Caching

• Whenever users press the Home button while using an application

• iOS takes a screenshot of the application

• This is required for the zoom-out animation while leaving the app

• This same screenshot is used to simulate the zoom-in animation while returning to the app

• This is stored in the device memory and can be used by anyone having access to a rooted device

• Black out the view whenever the Home button is pressed while using the application.

Page 29: Pentesting Mobile Applications (Prashant Verma)

Securing Mobile Applications

Page 30: Pentesting Mobile Applications (Prashant Verma)

Security Best Practices

• Do not hardcode sensitive information

• Do not store sensitive information locally

• If it is required to be stored, do not store it at an easily readable location like the memory card.

• Encrypt the stored data

• Implement SSL

• Protect the webserver against application layer attacks

Page 31: Pentesting Mobile Applications (Prashant Verma)

Security Best Practices

• Sanitize inputs, use prepared statements (protection against client-side injection)

• Implement proper authentication. Do not use UDID or other hardware IDs for auth.

• Prefer encryption over encoding or obfuscation

Page 32: Pentesting Mobile Applications (Prashant Verma)

OWASP Mobile Top 10 Risks

Page 33: Pentesting Mobile Applications (Prashant Verma)

References

• Android official documentation

• Apple iOS code guide

• OWASP Mobile Top 10 Project

• Palisade – The application security magazine

• GoatDroid Project

• iGoat Project

Page 34: Pentesting Mobile Applications (Prashant Verma)

Prashant Verma

Security Consultant & Competency Lead


Thank you