Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas

Size: px

Start display at page:

Download "Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas"

Helena Cross
5 years ago
Views:

1 Moving Targets: Assessing the Security of Mobile Devices March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas

2 Conflict of Interest Kevin Johnson Has no real or apparent conflicts of interest to report.

Podcaster Professionally Evil Perspective Open Source Project Lead SamuraiWTF,

3 Kevin Johnson Founder and CEO of Secure Ideas IANS Faculty Course Author and Instructor Web Application and Mobile Testing BlackHat, DerbyCon, OWASP Podcaster Professionally Evil Perspective Open Source Project Lead SamuraiWTF, Laudanum, Yokoso, WeaponizedFlash, etc. 501 st Member - TR Father, Husband and Christian 3

4 Agenda Mobile Security Security Concerns Testing Yourself

5 Learning Objectives Describe the privacy and security issues around mobile devices Identify the various toolsets that can be used to assess risk and discuss how they can be utilized Discuss how mobile devices play a role in various attack scenarios

6 Mobile Security Mobile devices have come a long way It's not your parents' brick phone Mobile devices have become a critical piece of our lives and business There are more cell phones in the US than people! Increasing computing power every day More powerful than some computers 6

7 Mobile Aspects Mobile devices are the most common type of computing device And growing every day! These devices contain our entire lives Address books, , messages and more This is made worse due to the applications More then just games! 7

Mobile Considerations The increased computing means increased data Phones and tablets are replacing computers With the increased data comes larger

8 Mobile Considerations The increased computing means increased data Phones and tablets are replacing computers With the increased data comes larger security concerns Similar to laptops, but without the general awareness General lack of security controls and protections Users disable the ones that exist 8

9 Modern Systems

10 Mobile Risks OWASP has long been associated with application security Started around web applications Moved into mobile and IoT Provides tools and guidance For builders and breakers

11 Top 10 Mobile Issues

12 Communication Issues Communication problems range through a number of issues Spoofed sites Unencrypted communications Man in the middle attacks All of these concerns can be found in the various platforms None of the platforms have solved the issue Neither have the non-mobile platforms of course! An attacker can use these issues to wreak havoc on the user and the device 12

13 Third-party Sites Many applications use backend systems From the author and others! The others is a concern Not that the author isn't ;) These sites are used for many purposes Advertising Application functionality (Social Gaming) Advertising Stats Advertising 13

14 Example: Third Party Data Intercepting traffic via a proxy is simple We used Burp This allowed us to see the sheer number of sites applications called We tested ~20 apps iphone and Android We saw ~24K requests Most were for non-app data 14 14

15 Unencrypted Communications Many applications do not use encryption Due to limited resources Or the impression of limited resources Developers may also assume the traffic is not sensitive "It's just a phone!" Many site applications use HTTP for communication Even sites that recommend encryption in browsers Facebook's application was guilty of this We also find applications using encoding instead! BASE64 should be illegal 15

16 Example: To the Cloud!!! This application uses HTTP to submit all data Registration and login included The developer used a GET Which means the information is in the Apache logs But they encrypted it right? Not really, the data is BASE64 encoded!

17 Testing This Yourself Don't take our word for it Check out your applications yourself! All applications should be examined before using them! Keep in mind this is passive We are not actively attacking the application Two methods Interception proxy Network capture 17

18 Burp Suite Burp Suite is a complete collection of tools Based around the interception proxy Available at Each of the pieces can be used separately But its power comes from combining them during a test Burp Suite is a commercial project There is a mostly functional free version The free version is limited Missing features such as the scanner and search Also prevents saving or restoring state 18

19 Burp Suite Burp is now our old friend! Used in all forms of penetration testing involving HTTP/S It allows us to intercept the web calls If the application is using HTTP or HTTPS We can make use of its automatic features Fuzzing or scanning the back end applications Parsing and rewriting requests and responses 19

Intercepting Traffic Intercepting traffic

incoming connections We also need to choose

20 Intercepting Traffic Intercepting traffic requires a bit of set up Which we can make the default The proxy listener is bound to localhost We need to change this to allow incoming connections We also need to choose how to handle HTTPS Separate CA or a specific cert 20

21 Questions Kevin Johnson CEO Secure

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

Injectable Exploits. New Tools for Pwning Web Apps and Browsers Injectable Exploits New Tools for Pwning Web Apps and Browsers Kevin Johnson kevin@inguardians.com Justin Searle justin@inguardians.com Frank DiMaggio frank@secureideas.net 1 Who are we? Kevin Johnson