Hacking a Moving Target

Transcription

1 Hacking a Moving Target Mobile ApplicaLon PenetraLon Chris Cuevas Senior Security Consultant ccuevas@secureideas.net Office Secure Ideas LLC hdp://

2 Chris Cuevas Security Consultant at Secure Ideas Open Source Advocate Contributor to SamuraiWTF and MobiSec Co- Author of Sec571: Mobile Device Security SANS Mentor SEC504 Incident Handling and Hacker Techniques I piss off large corporalons from Lme to Lme (shmoocon talk) 2012 Secure Ideas LLC hdp:// 2

3 What I'll be talking about today ios (yep I have one of those devices) Device Overview ADacks Android (yep I have one of those devices) Device Overview ADacks Blackberry (sorry not my area of experlse) ADacking Mobile ApplicaLons Demo 2012 Secure Ideas LLC hdp:// 3

4 Mobile Device Overview This is more important than some people think Understanding the adack surface is key to pulling off a successful adack What version of the underlying OS is running will draslcally alter what adack oplons I have to work with 2012 Secure Ideas LLC hdp:// 4

5 Apple Device Overview iphone 5 generalons of iphone Models 4 different storage capaciles 5 major versions of ios operalng system ipad 3 generalons of ipad models WiFi Only WiFi plus 3G WiFi plus 4GLTE 3 different storage capaciles 3 versions of ios operalng system

6 ios Version Overview Originally iphone OS for version 1 and 2 ios version 3 (release of ipad) Find my phone oplon added in mobileme HTML 5 support ios version 4 EncrypLon for user data Background localon Find my iphone ios version 5

7 ios App Store The ios App Store is the official store Released in July of 2008 Part of ios The App Store has over 500,000 apps 18 billion downloads As of October 2011 Accessible from a number of interfaces ios itunes Apple web site Apple vets applicalons before release They can revoke the applicalon

8 Android Device Overview Android runs on a wide variety of devices Chosen by the hardware manufacturer CPU Qualcomm, Tegra2, Snapdragon, Cortex A9 Storage From 512MB to 32GB The bootloader chosen by the carrier affects access Changes the image capabililes

9 Android Version Overview Android 2.2 Froyo Improved Exchange support Android 2.3 Gingerbread Switched from YAFFS to ext4 Android 3.0 Honeycomb Designed for Tablets Android 4.0 Ice Cream Sandwich Face Unlock Android Beam (NFC)

10 Android Markets Android has a number of marketplaces for applicalons Google Market Amazon App Store Vendor and Carrier Store fronts ApplicaLons can also be installed from the developer or a web site As with the variety of hardware, this variety of app sources causes difficulles DifficulLes for the developers and organizalons Controlling app sources is a problem Is the app installed the right one?

11 Mobile ADacks Let's look at some of the types of adacks we see on mobile devices today 2012 Secure Ideas LLC hdp:// 11

12 Malicious ApplicaLons Android Easy to anonymously sign apps to distribute through Android Market Google Bouncer (RootSmart for the bypass) ios More difficult to bypass vemng process, but not impossible RootSmart type bypass could work as well hdp://contagiominidump.blogspot.com/ (colleclon of mobile malware) 2012 Secure Ideas LLC hdp:// 12

13 Malicious Web Sites Malicious Javascript BeEF Hook Android browser has access to SDcard where applicalon data is stored HTML5 compliant browsers FTW J Web Workers Web Storage Firefox and Chrome Extensions 2012 Secure Ideas LLC hdp:// 13

14 Malicious Networks Lines are blurred over internal and external as the network is everywhere Cellular Data Plans slll connect you to the internet WiFi hotspots CredenLal HarvesLng MiTM ADacks Home Networks Sync OrganizaLonal Device to personal PC 2012 Secure Ideas LLC hdp:// 14

15 MiTM ADacks I have to be physically near the device Session Highjacking FaceNiff (FireSheep for Android) ARP Poisoning If I'm the gateway I control the flow of traffic Most apps communicate using hdp I love BURP 2012 Secure Ideas LLC hdp:// 15

16 Mobile ApplicaLon Discovery Mobile applicalon discovery is similar to web applicalons Most of the same flaws exist Slight differences in client- side adacks XSS has different targets for example The tools are similar Main focus is interceplng traffic

17 TesLng Techniques TesLng mobile applicalons can take many forms TesLng the back- end site or service Reverse engineering the applicalon Code analysis of the sopware We will focus on the first two As that is typically what penetralon tests include Mobile interfaces are open found during normal tests

18 Reverse Engineering A decompiler does not reconstruct the original source code But it gets us close enough There are many obstacles to overcome in reversing Mobile ApplicaLons ios applicalons are encrypted using Apple's binary encryplon scheme DecrypLng this format is not a new technique 2012 Secure Ideas LLC hdp:// 18

19 Android SDK A comprehensive set of development tools Includes a debugger, libraries, and an emulator Android applicalons are wriden in Java and packaged in.apk format contain.dex files which are compiled byte code files called Dalvik executables adb is our friend 2012 Secure Ideas LLC hdp:// 19

20 adb Android Debug Bridge (part of the SDK) lets you communicate with an emulator instance or connected Android- powered device You can push, pull, install, and remove files and apps using adb Secure Ideas LLC hdp:// 20

21 Xcode A suite of tools developed by Apple for developing sopware for OS X and ios The main applicalon is the Xcode IDE Apps are wriden in ObjecLve C An Object Oriented language that adds Smalltalk- style messaging to C Mach- O executable format which allows for "fat binaries" containing code for mullple architectures 2012 Secure Ideas LLC hdp:// 21

22 otool Displays specified parts of object files or libraries OpLons we are interested in - t Display the contents of the ( TEXT, text) seclon - o Display the contents of the OBJC segment used by the ObjecLve- C run- Lme system - V Display the disassembled operands symbolically hdp://pauldotcom.com/wiki/index.php/ Episode226#Guest_Tech_Segment:_Eric_MonL_on_iPhone_ ApplicaLon_Reversing_and_Rootkits 2012 Secure Ideas LLC hdp:// 22

23 dex2jar dex2jar is a tool for converlng Android's.dex format to Java's.class format dex- tool add support to DeObfuscate a jar dex- tool can also be used to modify an.apk Requires a decompiler to view the source Jd- gui JAD 2012 Secure Ideas LLC hdp:// 23

24 IntercepLon Tools IntercepLon is one of our main goals Can we get between the applicalon and the server IntercepLon tools do more then intercept They can analyze the traffic They can inject adacks 2012 Secure Ideas LLC hdp:// 24

25 isniff SSL man- in- the- middle tool Works on ios < devices vulnerable to CVE WriDen Redirect SSL traffic from NAT'd clients to isniff as follows iptables - t nat - A PREROUTING - p tcp - - deslnalon- port j REDIRECT - - to- ports Secure Ideas LLC hdp:// 25

26 Burp Suite Integrated plaworm for performing security teslng of web applicalons Some of the tools from the suite we will talk about today Burp IntercepLng Proxy Burp Intruder (fuzzing of applicalon requests) Burp Repeater (tool for manually modifying and reissuing individual HTTP requests) 2012 Secure Ideas LLC hdp:// 26

27 Mallory Mallory is a transparent proxy Proxies TCP and UDP This allows us to intercept traffic Without configuring the device with a proxy Great for older versions of Android

28 Mallory Mallory works with IPTables and the network adaptors Provides an access point for other devices It then tunnels the traffic through the Mallory system Allowing us to intercept and modify the traffic

29 Demo Decompile an Android.apk Unzip dex2jar Java decompiler Decompile an ios.ipa Yes I wish it was the beer too ;- ) Unzip otool 2012 Secure Ideas LLC hdp:// 29

30 Thank You To my family To SecureIdeas Special thanks to John H Sawyer for just being awesome 2012 Secure Ideas LLC hdp:// 30