Mobile hacking
Marit Iren Rognli Tokle, 14.11.2018
«Hacker boss Marit»
- Software Engineer at Sopra Steria
- Leading TG:Hack, Norway's largest hacking competition
- Leading UiO-CTF with Laszlo
- Shared 1st place in the qualification round of the Norwegian Cyber Security Championship 2018
Agenda
1. Mobile security primer
2. Attack surface
3. OWASP Top 10 Mobile
4. Tools
1. Mobile security primer
But mobile is safe, right?
- 7 billion devices, 10 billion by 2018
- 52 million mobile devices stolen yearly
- 25% of mobile devices run into a threat monthly
- 75% increase in malware yearly
- 75% of apps fail basic security tests
- 56% of IT admins admit they are unlikely to detect mobile threats
- 2000+ malicious apps installed on employee devices
Mobile security challenges
Mobile and web:
- Wide audience
- Rapid development
- Getting developers to focus on security
- Continuous network connectivity
Traditional fat client applications:
- Buffer management
- Local encryption
- Malware
Unique to mobile:
- Applications coming from unknown developers, who should be considered untrusted
2. Attack surface
3. OWASP Top 10 Mobile
Let's get started with... Android hacking
Three steps to get Java source code
1. Download the APK from the Google Play Store
2. Decompile the APK
3. Extract the source code
Downloading APK files from Google Play Store
General
- In CTFs, you will usually be given the APK file.
- As a pentester, you will sometimes need to get the APK yourself.
- Protip: use CMD (not PowerShell) on Windows.
Fetching, using gp-download
- Set the environment variables (ANDROID_ID is the GSF id; you can find it with the Device ID app):
  GOOGLE_LOGIN=<replace-with-real-value>
  GOOGLE_PASSWORD=<replace-with-real-value>
  ANDROID_ID=<replace-with-real-value>
- Enable "Allow less secure apps" on the Google account: https://myaccount.google.com/lesssecureapps
$ gp-download package-name > package-name.apk
Caveat: the password sits in an environment variable and the account has its protections lowered, so use a throwaway Google account for this, never your own. If the app is already installed on a test device, you can instead locate its base.apk with pm path and pull it with adb.
Decompile with apktool
General
- An APK is a zip archive containing, among other things, .dex files (Dalvik Executable bytecode, the compiled app code), the binary AndroidManifest.xml and compiled resources.
Decompiling, using apktool
$ apktool d appname.apk
This decodes the manifest and resources back to readable XML and disassembles the .dex files to Smali.
Extract Java source code from APK
General
- Smali?! Roughly the assembly language of Dalvik bytecode; it is what apktool gives you.
- To read the code as Java instead, decompile the .dex files with jadx.
Extract Java source code, using jadx-gui
$ jadx-gui appname.apk
Caveat: jadx output is reconstructed Java, not the original source. Obfuscated apps (ProGuard) show renamed classes such as a.b.c, and some methods fail to decompile. Read the Java, but patch the Smali from apktool, since jadx output cannot be rebuilt into an APK.
Rebuild APK with apktool
1. Make changes to the Smali code
2. Rebuild the app
3. Sign the app. Android refuses to install an unsigned APK, and you do not have the developer's key, so sign with your own. Uninstall the original first: an install over an app with a different signature is rejected.
Using apktool, keytool and jarsigner
$ apktool b /appfolder/ -o appname-patched.apk
$ keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 2048 -validity 10000
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore test.keystore appname-patched.apk testkey
Without -o, apktool writes the rebuilt APK to /appfolder/dist/. The keystore file name and alias are your own choice.
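To see for yourself what apktool and jadx are working on, and why step 3 above is needed, here is an added example (not from the slides, and not part of apktool or jadx) that treats an APK as the zip archive it is: it lists the .dex files by their "dex\n" magic, the native libraries, and whether a jarsigner (v1) signature is present in META-INF/. The APK it builds in memory is a constructed stub with fake contents, so the script runs offline; point it at a real file to inspect that instead.

```python
import io
import zipfile

# Every classes*.dex begins with the 8-byte magic "dex\n" + 3-digit version + NUL.
DEX_MAGIC = b"dex\n"


def build_sample_apk(signed):
    """Build a tiny, constructed APK in memory (stub contents, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Binary (AXML) manifest stub; apktool d decodes the real thing to plain XML.
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 100)
        z.writestr("classes2.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 100)
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 16)
        if signed:
            # v1 (JAR) signature: the three files jarsigner writes into META-INF/.
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82\x01\x00")  # PKCS#7 DER stub
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """Summarise what is inside an APK without any Android tooling."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_files = []
        for name in names:
            if name.endswith(".dex"):
                head = z.read(name)[:8]
                if head[:4] == DEX_MAGIC:
                    dex_files.append((name, head[4:7].decode("ascii")))
        native_libs = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        # jarsigner-style (v1) signatures show up as META-INF/*.RSA|DSA|EC entries.
        sig_blocks = [n for n in names
                      if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_files": dex_files,
        "native_libs": native_libs,
        "v1_signed": bool(sig_blocks),
        "entry_count": len(names),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(signed=False)
    for key, value in inspect_apk(data).items():
        print(f"{key}: {value}")
```

An APK that apktool b has just produced looks like the unsigned case (no META-INF/*.RSA), which is why jarsigner is the last step. Note that this check only sees v1 signatures; an APK signed with apksigner (v2/v3) keeps its signature in the APK Signing Block of the zip, which is not a zip entry and is invisible here.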
Let's do some hacking
But first... Android Debug Bridge
adb is a command line tool that lets you communicate with an emulator instance or with a connected Android device (on a physical device, enable USB debugging under Developer options first).
adb commands
adb shell                         open a shell on the device
adb logcat                        read the device log
adb install <appname.apk>         install an APK
adb push <srcaddr> <destaddr>     copy a file to the device
adb pull <srcaddr> <destaddr>     copy a file from the device
1. Insecure data storage
General
- Critical data includes account credentials, PII, email addresses, geolocation, IMEI, serial number, Wi-Fi info and more.
- It gets stored in: SQLite databases, log files, plist files (iOS), XML data stores or manifest files, binary data stores, cookie stores, SD cards.
Hacking
- Shared preferences
- SQLite database
- SD card: historically any application could read the whole SD card, since external storage has no per-file permissions; on current Android versions reading it requires the READ_EXTERNAL_STORAGE permission, which most apps request anyway.
An app's private files live under /data/data/<package>/ on the device. Reading them needs root (adb root works on emulator images without the Play Store) or, for apps built with the debuggable flag, the run-as command from adb shell.
> Shared preferences
- Key-value pairs, stored as XML files in /data/data/<package>/shared_prefs/
- E.g. storage of user settings and application data
- Remember to run the app once! The files only exist after the app has written to them.
> SQLite database
- Often used in apps; open source, no server needed.
- The .db files live in /data/data/<package>/databases/. Pull any -journal or -wal file next to them too, or recent writes may be missing.
Using SQLite from the command line
$ sqlite3 <dbname.db>
and then:
.schema               dump the schema
.databases            list attached databases
.tables               list tables
.dump <tablename>     dump a table as SQL statements
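Once shared_prefs/ and databases/ have been pulled, checking them by hand does not scale, so here is an added example (not from the slides or from InsecureBankv2) that automates the two checks above: it parses a shared_prefs XML file for keys with sensitive-looking names and tries base64 on their values, since "encrypting" with base64 is a common finding, and it walks a SQLite database the way .tables and .schema would, pulling rows from any column whose name looks like a secret. The preferences file and the database are constructed inline with made-up values so the script runs offline; against a real target, pass the pulled files instead.

```python
import base64
import binascii
import re
import sqlite3
import xml.etree.ElementTree as ET

# Key/column names that usually mean "secret". Tune per target; expect false positives.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|pin|session|auth|key", re.I)

# Constructed shared_prefs file in the layout Android writes to
# /data/data/<package>/shared_prefs/<name>.xml (names and values are made up).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="EncryptedUsername">amFjaw==</string>
    <string name="superSecurePassword">MTIzNDU=</string>
    <boolean name="remember_me" value="true" />
    <string name="server">http://10.0.2.2:8888</string>
</map>
"""


def try_base64(value):
    """Return the decoded text if the value is base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if raw.isascii() else None


def scan_shared_prefs(xml_text):
    """Return (name, value, decoded) for entries whose key name looks sensitive."""
    hits = []
    for el in ET.fromstring(xml_text.encode("utf-8")):
        name = el.get("name", "")
        # <string> keeps its value as text; <boolean>/<int>/... keep it in a value attribute.
        value = el.text if el.text is not None else el.get("value", "")
        if SENSITIVE_NAME.search(name):
            hits.append((name, value, try_base64(value)))
    return hits


def build_sample_db():
    """Constructed stand-in for a pulled /data/data/<package>/databases/*.db file."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE names(id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        INSERT INTO users(username, password) VALUES ('jack', 'Jack@123$');
        INSERT INTO users(username, password) VALUES ('jill', 'Jill@123$');
        INSERT INTO names(name, value) VALUES ('first_run', 'false');
    """)
    return con


def scan_sqlite(con):
    """Do what .tables and .schema do, then dump rows from sensitive-looking columns."""
    findings = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
        sensitive = [c for c in cols if SENSITIVE_NAME.search(c)]
        if sensitive:
            select = ", ".join('"%s"' % c for c in sensitive)
            rows = con.execute('SELECT %s FROM "%s"' % (select, table)).fetchall()
            findings[table] = {"columns": sensitive, "rows": rows}
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        print(scan_shared_prefs(open(sys.argv[1], encoding="utf-8").read()))
        print(scan_sqlite(sqlite3.connect(sys.argv[2])))
    else:
        print(scan_shared_prefs(SAMPLE_PREFS))
        print(scan_sqlite(build_sample_db()))
```

Usage: python audit_storage.py shared_prefs/com.example_preferences.xml databases/mydb. The name-based matching is deliberately loose; a real review still reads every table, because a column called "data" holding a JSON blob with a token in it would slip past it.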
2. Insecure communication
General
- Critical data includes account credentials, PII, email addresses, geolocation, IMEI, serial number, Wi-Fi info and more.
- Security bugs include: SSL/TLS certificate issues, a poor handshake (old protocol versions, weak cipher suites), HTTP transfer of data in clear text.
- Common developer mistakes: accepting self-signed certificates (a TrustManager whose checkServerTrusted does nothing), setting a permissive hostname verifier (one that always returns true).
Hacking
- MITM: capture, view and modify the traffic sent and received between app and server.
- Forging requests without MITM: once the decompiled code has shown you the API, talk to the server directly.
Caveat: apps targeting Android 7.0 (API 24) or later do not trust user-installed CA certificates by default, so for those the Burp CA has to go into the system store (rooted device or emulator), or the app has to be rebuilt with a network_security_config that trusts user CAs. An app that accepts Burp's certificate without any of that is itself making one of the mistakes above.
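The two developer mistakes listed above are easy to spot in jadx output if you know the shapes to look for. The following is an added example (not from the slides, not part of jadx) of a small scanner for decompiled Java: it flags an empty checkServerTrusted (accepts any certificate, self-signed included), a verify() that returns true (permissive hostname verifier), the Apache ALLOW_ALL_HOSTNAME_VERIFIER constant, SSLContext initialised with the legacy "SSL" protocol, and hard-coded http:// URLs. The two Java sources it scans are constructed for the example; the class and package names in them are made up.

```python
import pathlib
import re

# (rule id, pattern). Patterns are loose on purpose: they run over decompiler output,
# whose formatting is not under our control.
RULES = [
    ("cleartext-http", re.compile(r'"http://')),
    ("trust-all-certs", re.compile(
        r'checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}')),
    ("permissive-hostname-verifier", re.compile(
        r'verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;')),
    ("allow-all-hostname-verifier", re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER')),
    ("legacy-ssl-protocol", re.compile(r'SSLContext\.getInstance\(\s*"SSL(?:v3)?"\s*\)')),
]

# Constructed sample of what jadx typically shows for an app that disabled TLS checks.
VULNERABLE_JAVA = """\
package com.example.bank;

public class ApiClient {
    private static final String BASE_URL = "http://10.0.2.2:8888/";

    static void disableCertificateChecks() throws Exception {
        TrustManager[] trustAll = new TrustManager[]{new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }};
        SSLContext ctx = SSLContext.getInstance("SSL");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) {
                return true;
            }
        });
    }
}
"""

# Constructed sample that leaves the platform defaults in place: nothing to flag.
CLEAN_JAVA = """\
package com.example.bank;

public class ApiClient {
    private static final String BASE_URL = "https://bank.example.com/";

    static HttpsURLConnection open(String path) throws IOException {
        URL url = new URL(BASE_URL + path);
        // Default trust manager and hostname verifier: no overrides.
        return (HttpsURLConnection) url.openConnection();
    }
}
"""


def scan_java(source):
    """Return sorted (line_number, rule_id) pairs for one Java source file."""
    findings = []
    for rule_id, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, rule_id))
    return sorted(findings)


def scan_tree(root_dir):
    """Scan every .java file under a jadx output directory; returns {path: findings}."""
    results = {}
    for path in pathlib.Path(root_dir).rglob("*.java"):
        hits = scan_java(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print(scan_java(VULNERABLE_JAVA))
```

Run it over the directory jadx exported (File > Save all) and read every hit in context; the patterns say where to look, not whether the code path is reachable. Libraries bundled into the app (OkHttp, Retrofit) get scanned too, which is what you want, since a trust-all TrustManager in a vendored library is just as exploitable.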
Man in the Middle: Burp Suite
Man in the Middle: the emulator
3. Extraneous functionality
General
- Backdoors or security controls that were helpful during development.
- Examples of what they expose: back-end test, demo, staging or UAT environments; administrative endpoints; two-factor authentication bypass for dev/testing.
Hacking
- Set the debug flag (android:debuggable in the manifest, editable after apktool d)
- Read the logs: $ adb logcat [-b buffername]
- Find endpoints for devs/admins in the decompiled code
- Other loopholes
A very concerning 92% of Android apps tested have extraneous functionality issues, while only 2% of iOS apps show these issues.
3. Extraneous functionality
Best practice
- DON'T PUSH IT TO PRODUCTION!!
- Remove method calls to the Log class in release builds (ProGuard's -assumenosideeffects rule strips them).
- Disable the android:debuggable flag in production builds; with Gradle, release builds are not debuggable unless you set the flag explicitly.
- On iOS, disable NSLog statements.
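Reading logs and checking the debug flag are the two quickest wins in this category, and both can be scripted. This is an added example (not from the slides) that parses adb logcat -v threadtime output for messages leaking secrets or cleartext endpoints, and reads the AndroidManifest.xml that apktool d decoded to report android:debuggable and any component whose name smells like a dev leftover (Debug, Test, Admin, Staging...). The logcat excerpt and the manifest are constructed for the example, the package com.example.bank is made up, and the name-based component check is a heuristic of mine, not an Android rule.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Layout of `adb logcat -v threadtime`: date time PID TID level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.+?)\s*:\s(?P<msg>.*)$")
SECRET_IN_MSG = re.compile(r"(password|passwd|pwd|token|secret|pin|otp)\s*[=:]\s*\S+", re.I)
CLEARTEXT_URL = re.compile(r"\bhttp://\S+")
SUSPICIOUS_NAME = re.compile(r"debug|test|admin|staging|uat|demo", re.I)

# Constructed logcat excerpt from a hypothetical banking app (not real device output).
SAMPLE_LOGCAT = """\
11-14 10:32:01.123  4321  4321 D LoginActivity: login attempt user=jack password=Jack@123$
11-14 10:32:01.130  4321  4333 I OkHttp: --> POST http://10.0.2.2:8888/login
11-14 10:32:01.402  4321  4333 D TokenStore: saved session token=eyJhbGciOiJIUzI1NiJ9.e30.abc
11-14 10:32:02.000   812   812 I ActivityManager: Displayed com.example.bank/.MainActivity
"""

# Constructed manifest in the form apktool d produces (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
    <application android:debuggable="true" android:label="Bank">
        <activity android:name=".MainActivity"/>
        <activity android:name=".AdminDebugActivity"/>
    </application>
</manifest>
"""


def scan_logcat(text):
    """Flag log lines that leak secrets or show cleartext endpoints."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # not a threadtime line, e.g. "--------- beginning of main"
        msg = m.group("msg")
        for rule, pattern in (("secret-in-log", SECRET_IN_MSG), ("cleartext-url", CLEARTEXT_URL)):
            hit = pattern.search(msg)
            if hit:
                findings.append({"line": n, "rule": rule,
                                 "tag": m.group("tag"), "detail": hit.group(0)})
    return findings


def android_attr(el, name):
    """Read an attribute from the android: namespace (ElementTree needs the full URI)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(xml_text):
    """Report the debuggable flag and components whose names look like dev leftovers."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    app = root.find("application")
    names = [android_attr(child, "name") or "" for child in app]
    return {
        "package": root.get("package"),
        "debuggable": android_attr(app, "debuggable") == "true",
        "suspicious_components": [n for n in names if SUSPICIOUS_NAME.search(n)],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        print(scan_logcat(open(sys.argv[1], encoding="utf-8", errors="replace").read()))
        print(check_manifest(open(sys.argv[2], encoding="utf-8").read()))
    else:
        for finding in scan_logcat(SAMPLE_LOGCAT):
            print(finding)
        print(check_manifest(SAMPLE_MANIFEST))
```

Usage: adb logcat -v threadtime -d > app.log, then python audit_extraneous.py app.log appfolder/AndroidManifest.xml. Since Android 4.1 an app can only read its own log lines, but adb logcat shows everything, so anything the app logs is available to anyone with USB debugging access to the device.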
4. Tools
Tools list for the workshop tomorrow!
Mobile tools
- Android Studio (with emulator!)
- apktool
- jadx-gui
- adb
- Frida
- keytool
Vulnerable app
- InsecureBankv2: https://github.com/dineshshetty/android-insecurebankv2
MITM
- Burp Suite
Find more on my GitHub: https://github.com/maritiren/ctf/wiki/android
Sources
- NowSecure online book about secure coding of mobile apps
- NowSecure short article introducing the online book, with links to best practices for preventing common security vulnerabilities
- Microsoft blog post: Top 5 Mobile App Security Failures and How To Prevent Them
- Pluralsight: Ethical Hacking: Hacking Mobile Platforms