Mobile Hacking & Security. Ir. Arthur Donkers & Ralph Moonen, ITSX

Size: px

Start display at page:

Download "Mobile Hacking & Security. Ir. Arthur Donkers & Ralph Moonen, ITSX"

Violet Logan
5 years ago
Views:

1 Mobile Hacking & Security Ir. Arthur Donkers & Ralph Moonen, ITSX

2 Introduction Who we are: Ir. Arthur Donkers Ralph Moonen ITSX 2

3 Agenda Mobile Threats BYOD iphone and Android hacking 3

4 Threats Various: Lost or stolen device (responsible for 80% of data loss) As attack vector: use it to compromise network As attack surface: get at the data on the phone (think: TAN codes, certs, passwords) 4

5 Threats Or, if you are the maker of an app: How to protect the app itself How to protect the app s data How to protect the backend applications that the app talks to During our workshop in Malaysia, this turned out to be the most interesting topic! 5

Threats But it doesn t stop there: There are threats on the communications layer Prediction: amateur GSM/SMS tapping possible within a year using EUR 30

6 Threats But it doesn t stop there: There are threats on the communications layer Prediction: amateur GSM/SMS tapping possible within a year using EUR 30 devices and free software NFC-enabled phones allow new ways of interfacing with phone and the world around the phone Botnets and Trojans now seen in the wild 6

7 BYOD Lets take a closer look at a few topics: BYOD Is it a good idea? Well.. To be honest: probably not, in most cases. Allowing modified devices with a large amount of unknown applications that often live in hostile environments on your network requires a lot of thinking. 7

BYOD But we really want it: Need to isolate device Need to educate user Need to restrict access Do you want email attachments on

8 BYOD But we really want it: Need to isolate device Need to educate user Need to restrict access Do you want attachments on the phone Do you want server access from phone How to authenticate user and device? Jailbroken devices more susceptible to malware 8

iphone & Android hacking Android Is a far more open platform than ios; No App vetting in Google Play Multi vendor (roots @Google, now part of OHA, Open Handset Alliance, with

9 iphone & Android hacking Android Is a far more open platform than ios; No App vetting in Google Play Multi vendor now part of OHA, Open Handset Alliance, with over 50 participants); Uses a mix of open source and proprietary software environments; The basics are more or less the same across different vendors, main difference is in UI. 9

10 Android apps Android Uses the Dalvik Virtual Machine, that is capable of running different apps in parallel, each in their own VM. Interesting information is stored in Libraries, primarily in SQLite3 databases (similar to ios). These might be encrypted. These database can be stored on the internal flash or memory cards (SD, usd) 10

11 Data storage If data is stored on a memory card, extraction is easy. Connect phone via USB; Access memory card using forensics software (FTK imager) Make a forensics image; Analyse image (FAT32 filesystem); Phone often appears as a USB stick on computer 11

12 Data storage 12

13 Data storage What about the internal flash? Use dd to make image of primary flashdrive; Need root to be able to bypass permissions on phone Phone normally does not offer root level access, so phone needs to be rooted. This is device dependent and modifies the phone (forensic principles) 13

14 Data storage Needs USB debugging (to be able to control the device via USB port); Also needs to bypass lock screen (same old story); Sometimes additional apps are required. 14

15 Accessing data An example: Set up ADT (Android Development Tools); Put fresh sd card in phone; Connect phone to computer and run adb to test connectivity and USB debugging; Download asroot2 or su Run from adb 15

16 Reading data Finally, use normal forensic tools to analyse these images like: FTK File carving (foremost) Undelete files Read SQLite3 database for call & SMS log /data/data/com.android.providers.telephony/datab ases 16

17 Reverse engineering Simply put: figuring out how stuff works Need to get at the code in a readable form: Unencrypted Unobfusacted Decompiled 17

18 Looking at android apps Dalvik is encapsulated JAVA code Java code is bytecode compiled Therefore, Dalvik is easy to reverse engineer: Get.dex file Run dex2jar Decompile to.java files using JAD Load resulting Java files into Eclipse 18

19 iphone apps Iphone apps are stored in.ipa files These are.zip files: copy and rename to.zip Look in filestructure for interesting files and resources No easy way to decompile like Android apps 19

20 iphone apps Can be disassembled using otx and/or otool Unfortunately, is not easy and readable Often: measures taken such as stripping IDAPro also possible 20

21 Decoding apps What to look for: Connection strings Passwords (encrypted or not) Configuration files Certificates Security Bugs 21

22 Securing Apps Securing Apps has several aspects: Obfuscation Integrity checks on app Integrity checks on phone (am I jailbroken) Storage of secrets 22

23 Getting into the iphone The ramdisk needs to be booted through Jailbreak tools. Once booted, communications need to be multiplexed over the USB connection. Once that has been done, access can be obtained via SSH shell. 23

24 Demo time We need to bypass Unlock key (passcode) Can only be done by bruteforce (on kernel level): Passcode Complexity Bruteforce time 4 digits 18 minutes 4 alphanumeric 51 hours 5 alphanumeric 8 years 8 alphanumeric 13,000 years 24

25 Workshop 25

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

Ch 7: Mobile Device Management CNIT 128: Hacking Mobile Devices Updated 4-4-17 What is MDM? Frameworks that control, monitor, and manage mobile devices Deployed across enterprises or service providers