Mobile hacking. Marit Iren Rognli Tokle

Transcription

1 Mobile hacking Marit Iren Rognli Tokle

2 «Hacker boss Marit» Software Engineer at Sopra Steria Leading TG:Hack, Norways largest hacking competition Leading UiO-CTF with Laszlo Shared 1st place in the qualification round of Norwegian Cyber Security Championship 2018

3 Agenda Mobile security primer Attack surface OWASP Top 10 Mobile Tools

4 1.Mobile security primer

5 But mobile is safe right? 7 billion devices, 10 billion by million mobile devices stolen yearly 25% of mobile devices run into a threat monthly - - -

6 75% increase in malware yearly 75% apps fail basic security tests 56% IT admins admit unlikely to detect mobile threats malicious apps installed on employee devices - - -

7 Mobile security challenges Mobile and web Wide audience Rapid development Focus on security among developers Continuous network connectivity Traditional fat client applications Buffer management Local encryption Malware Unique to mobile Applications coming from unknown developers who should be considered untrusted

8 2.Attack Surface

9

10

11 3. OWASP Top 10 Mobile

12

13

14 Let s get started 1 2-3

15 With.. Android hacking

16 Three steps to get Java source code 1. Download from Google Play Store 2. Decompile APK 3. Extract source code

17 Downloading APK files from Google Play Store General In CTFs, they will usually provide you with the APK file Sometimes as a pentester, you will need to get the APK yourselves Protip: Use CMD (not Powershell) when using Windows Fetching Using gp-download Set environment variables: GOOGLE_LOGIN=<replace-with-real-value> GOOGLE_PASSWORD=<replace-with-real-value> ANDROID_ID=<replace-with-real-value>. You may find the id (GSF) using the Device ID app. Enable Allow less secure app`. $ gp-download package-name > package-name.apk

18

19

20

21 Decompile with apktool General An APK is a zipped folder containing.. Dalvik? What the...dex files Binary files Decompiling Using apktool $ apktool d appname.apk

22

23

24 Extract Java source code from APK General SMALI?! ~ Mobile app assembly code Extract Java source code Using jadx-gui $ jadx-gui appname.apk

25

26 Rebuild APK with apktool 1. Make changes to Smali code 2. Rebuild the app 3. Sign the app Using apktool $ apktool b /appfolder/ $ keytool $ jarsigner

27 Rebuild APK with apktool

28 Let s do some hacking

29 But first.. Android Debug Bridge adb is a very nice command line tool that lets you communicate with an emulator instance or with a connected Android device. adb commands adb shell adb logcat adb install <appname.apk> adb push <srcaddr> <destaddr> adb pull <srcaddr> <destaddr>

30 1. Insecure data storage General Critical data includes account credentials, PII, address, geolocation, IMEI, serial number, wifi info ++. Stored in SQLite DB Log files Plist files XML data stores or manifest files Binary data stores Cookies stores SD cards > Hacking Shared preferences SQLite database SD Card Any application can read contents of SD Card No file permissions on SD Card

31 > Shared preferences key-value pairs E.g. storage of user settings and application data Remember to run the app once!

32 Shared preferences

33 > SQLite database Often used in apps Open-source no need of server

34 > SQLite database Using SQLite from the command line Run $ sqlite3 \<dbname.db>.. and: To dump the schema:.schema List databases:.databases List tables:.tables Dump a table:.dump <tablename>

35 2. Insecure communication General Critical data includes account credentials, PII, address, geolocation, IMEI, serial number, wifi info and more. Security bugs include SSL/TLS certificate issues Poor handshake HTTP transfer of data in clear text Common developer mistakes Accepting self-signed certificates. Setting a permissive hostname verifier > Hacking MITM: capture, view, and modify traffic sent and received between app and server. Forging requests without MITM.

36 Man In The Middle - Burpsuite

37 Man In The Middle - Emulator

38 3. Extraneous functionality General Backdoors or security controls helpful during development Information examples back-end test, demo, staging or UAT environments administrative endpoints two-factor authentication bypass for dev/testing > Hacking Set debug flag Reading logs Find endpoints for devs/admin Other loopholes $ adb logcat [-b buffername] A very concerning 92% of Android apps tested have extraneous functionality issues while only a very small 2% of ios apps show these issues.

39 3. Extraneous functionality

40 3. Extraneous functionality Best practice DON T PUSH IT TO PRODUCTION!! Remove method calls to log class for release builds Disable ANDROID:DEBUGGABLE flag in production builds. On ios disable NSLog statements.

41 4.Tools

42 Tools list for workshop tomorrow! Mobile tools Android Studio (with emulator!) APKtool jadx-gui adb Frida keytool Vulnerable app InsecureBankv2 droid-insecurebankv2 MITM: Burpsuite Find more on my github:

43 Sources NowSecure online book about secure coding of mobile apps NowSecure short article intro on online book, containing links to best practices to prevent common security vulnerabilities. Blogpost Microsoft - Top 5 Mobile App Security Failures and How To Prevent Them Pluralsight, Ethical hacking: Hacking Mobile Platforms

44