Mobile hacking. Marit Iren Rognli Tokle


Mobile hacking Marit Iren Rognli Tokle 14.11.2018

«Hacker boss Marit»
- Software Engineer at Sopra Steria
- Leading TG:Hack, Norway's largest hacking competition
- Leading UiO-CTF with Laszlo
- Shared 1st place in the qualification round of the Norwegian Cyber Security Championship 2018

Agenda
1. Mobile security primer
2. Attack surface
3. OWASP Top 10 Mobile
4. Tools

1.Mobile security primer

But mobile is safe, right?
- 7 billion devices, 10 billion by 2018
- 52 million mobile devices stolen yearly
- 25% of mobile devices run into a threat monthly
- 75% increase in malware yearly
- 75% of apps fail basic security tests
- 56% of IT admins admit they are unlikely to detect mobile threats
- 2000+ malicious apps installed on employee devices

Mobile security challenges
Mobile and web:
- Wide audience
- Rapid development
- Focus on security among developers
- Continuous network connectivity
Traditional fat client applications:
- Buffer management
- Local encryption
- Malware
Unique to mobile:
- Applications coming from unknown developers, who should be considered untrusted

2.Attack Surface

3. OWASP Top 10 Mobile

Let's get started with... Android hacking

Three steps to get Java source code
1. Download from Google Play Store
2. Decompile the APK
3. Extract the source code

Downloading APK files from Google Play Store
General:
- In CTFs, you will usually be given the APK file
- Sometimes, as a pentester, you will need to get the APK yourself
- Protip: Use CMD (not PowerShell) when using Windows
Fetching, using gp-download:
Set environment variables:
GOOGLE_LOGIN=<replace-with-real-value>
GOOGLE_PASSWORD=<replace-with-real-value>
ANDROID_ID=<replace-with-real-value>
You may find the id (GSF) using the Device ID app. Enable "Allow less secure apps": https://myaccount.google.com/lesssecureapps
$ gp-download package-name > package-name.apk

Decompile with apktool
General:
- An APK is a zipped folder containing... Dalvik? What the... .dex files (Dalvik executables) and binary files
Decompiling, using apktool:
$ apktool d appname.apk
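To make the "an APK is a zipped folder" point concrete, here is an added example (not code from the talk or from apktool) that opens an APK as a zip, lists its entries and sanity-checks each classes*.dex header the way a triage script would before decompiling. The dex header layout used (magic, adler32 checksum, SHA-1 signature, file_size) is the documented format; the APK itself is a constructed in-memory sample with fake payloads, so the script runs offline, and the tampered second dex shows what an inconsistent checksum looks like.

```python
"""Inspect an APK as a zip archive and validate the headers of its dex files.

Added example, not the talk's code. The APK is constructed in memory.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"  # followed by a 3-digit version and NUL, e.g. b"035\0"


def build_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Build a blob with a valid dex header prefix (constructed test data).

    Header: magic(8) | adler32 checksum(4, LE) | SHA-1 signature(20) | file_size(4, LE).
    The checksum covers everything after itself; the signature covers
    everything after itself. Only the header is realistic; the rest is filler.
    """
    magic = DEX_MAGIC_PREFIX + version + b"\0"
    rest = struct.pack("<I", 36 + len(payload)) + payload  # file_size + filler
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return magic + struct.pack("<I", checksum) + signature + rest


def check_dex(data: bytes) -> dict:
    """Check magic, adler32 checksum, SHA-1 signature and file_size of a dex blob."""
    result = {"magic_ok": False, "checksum_ok": False, "signature_ok": False,
              "size_ok": False, "version": None}
    if len(data) < 36 or data[:4] != DEX_MAGIC_PREFIX or data[7:8] != b"\0":
        return result
    result["magic_ok"] = True
    result["version"] = data[4:7].decode("ascii", "replace")
    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    result["checksum_ok"] = stored_checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    result["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    result["size_ok"] = struct.unpack_from("<I", data, 32)[0] == len(data)
    return result


def build_sample_apk() -> bytes:
    """Constructed sample APK: an ordinary zip with the entries a real APK has."""
    buf = io.BytesIO()
    tampered = bytearray(build_dex(b"B" * 64))
    tampered[-1] ^= 0xFF  # flip one payload byte: checksum and signature no longer match
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary-xml placeholder")
        zf.writestr("classes.dex", build_dex(b"A" * 64))
        zf.writestr("classes2.dex", bytes(tampered))
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Return the archive's SHA-256, its entry names and per-dex header checks."""
    report = {"sha256": hashlib.sha256(apk_bytes).hexdigest(), "entries": [], "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.filename.endswith(".dex"):
                report["dex"][info.filename] = check_dex(zf.read(info))
    return report


if __name__ == "__main__":
    rep = inspect_apk(build_sample_apk())
    print("sha256:", rep["sha256"])
    for name in rep["entries"]:
        print(" ", name)
    for name, checks in rep["dex"].items():
        print(name, checks)
```

Run it against a real APK by replacing build_sample_apk() with the bytes of the file; a dex whose checksum or signature does not verify is worth a closer look before you trust what jadx shows you.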

Extract Java source code from APK
General:
- SMALI?! ~ Mobile app assembly code
Extract Java source code, using jadx-gui:
$ jadx-gui appname.apk

Rebuild APK with apktool
1. Make changes to the Smali code
2. Rebuild the app
3. Sign the app
Using apktool:
$ apktool b /appfolder/
$ keytool
$ jarsigner

Let's do some hacking

But first.. Android Debug Bridge
adb is a very nice command-line tool that lets you communicate with an emulator instance or with a connected Android device.
adb commands:
adb shell
adb logcat
adb install <appname.apk>
adb push <srcaddr> <destaddr>
adb pull <srcaddr> <destaddr>

1. Insecure data storage
General:
- Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more.
- Stored in: SQLite DB, log files, plist files, XML data stores or manifest files, binary data stores, cookie stores, SD cards
> Hacking:
- Shared preferences
- SQLite database
- SD card: any application can read the contents of the SD card; there are no file permissions on the SD card

> Shared preferences
- Key-value pairs
- E.g. storage of user settings and application data
- Remember to run the app once!

> SQLite database
- Often used in apps
- Open source, no need for a server

> SQLite database
Using SQLite from the command line: run
$ sqlite3 <dbname.db>
.. and:
To dump the schema: .schema
List databases: .databases
List tables: .tables
Dump a table: .dump <tablename>
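The two stores above (shared preferences XML and SQLite databases) are what you pull out of /data/data/<package>/ once the app has run. As an added example (not the talk's code), the script below audits such a directory for plaintext secrets: it parses each shared_prefs XML file, and for each database it does in Python what the sqlite3 CLI's .tables/.schema/.dump do, then flags columns and keys whose names suggest credentials. The data directory, the preferences file and the database are constructed in a temporary folder so it runs offline; the list of sensitive key names is an assumed starter list, not an authoritative one.

```python
"""Audit an app's private data directory for plaintext secrets.

Added example, not the talk's code. The app directory is constructed.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Assumed starter list of key/column names that usually hold credentials or PII.
SENSITIVE_KEY = re.compile(r"(pass(word)?|pwd|token|secret|api[_-]?key|imei|email|pin)", re.I)

# Constructed shared_prefs/settings.xml, in the format Android writes.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <string name="auth_token">eyJhbGciOi.constructed.sample</string>
    <int name="launch_count" value="7" />
</map>
"""


def scan_shared_prefs(path):
    """Return (key, value) pairs whose key looks sensitive."""
    findings = []
    for el in ET.parse(path).getroot():
        key = el.get("name", "")
        # <string> keeps its value as element text; other primitives use a value attribute
        value = el.text if el.tag == "string" else el.get("value")
        if SENSITIVE_KEY.search(key):
            findings.append((key, value))
    return findings


def dump_sqlite(path):
    """Equivalent of .tables + .schema + .dump: {table: {columns, rows}}."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        result = {}
        for t in tables:
            columns = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            rows = con.execute(f'SELECT * FROM "{t}"').fetchall()
            result[t] = {"columns": columns, "rows": rows}
        return result
    finally:
        con.close()


def find_plaintext_credentials(dump):
    """Return (table, column, value) for every value in a sensitive-looking column."""
    hits = []
    for table, data in dump.items():
        for idx, col in enumerate(data["columns"]):
            if SENSITIVE_KEY.search(col):
                hits.extend((table, col, row[idx]) for row in data["rows"])
    return hits


def build_sample_app_dir():
    """Constructed stand-in for /data/data/<package>/ as pulled with adb."""
    base = tempfile.mkdtemp(prefix="app_data_")
    os.makedirs(os.path.join(base, "shared_prefs"))
    os.makedirs(os.path.join(base, "databases"))
    with open(os.path.join(base, "shared_prefs", "settings.xml"), "w") as f:
        f.write(SAMPLE_PREFS)
    con = sqlite3.connect(os.path.join(base, "databases", "bank.db"))
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, amount REAL)")
    con.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                    [("alice", "hunter2"), ("bob", "letmein")])
    con.commit()
    con.close()
    return base


def audit_app_dir(base):
    """Walk shared_prefs/ and databases/ and collect plaintext-secret findings."""
    findings = {"shared_prefs": [], "databases": []}
    prefs_dir = os.path.join(base, "shared_prefs")
    for name in sorted(os.listdir(prefs_dir)):
        if name.endswith(".xml"):
            findings["shared_prefs"] += scan_shared_prefs(os.path.join(prefs_dir, name))
    db_dir = os.path.join(base, "databases")
    for name in sorted(os.listdir(db_dir)):
        if name.endswith(".db"):
            dump = dump_sqlite(os.path.join(db_dir, name))
            findings["databases"] += find_plaintext_credentials(dump)
    return findings


if __name__ == "__main__":
    for kind, items in audit_app_dir(build_sample_app_dir()).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Point audit_app_dir at a directory you pulled with adb pull to get the same report for a real app; anything it lists is data the app should have encrypted or never stored.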

2. Insecure communication
General:
- Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more.
- Security bugs include: SSL/TLS certificate issues, poor handshake, HTTP transfer of data in clear text
- Common developer mistakes: accepting self-signed certificates; setting a permissive hostname verifier
> Hacking:
- MITM: capture, view, and modify traffic sent and received between app and server.
- Forging requests without MITM.
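The two developer mistakes named above (a trust-all TrustManager that accepts self-signed certificates, and a HostnameVerifier that always returns true) are exactly what makes the MITM step trivial, and they are visible in the Java that jadx produces. As an added example (not the talk's code), the scanner below runs a few regex rules over decompiled Java source and reports the line of each hit; the vulnerable and hardened source samples are constructed, and the rule set is an assumed starter list rather than a complete one.

```python
"""Flag insecure TLS patterns in decompiled Java source.

Added example, not the talk's code. Both source samples are constructed.
"""
import re

# Constructed vulnerable source: trust-all TrustManager, permissive verifier, cleartext URL.
VULNERABLE_SRC = """\
package com.example.bank.net;
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
public class Net {
    static class TrustAll implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }
    static final HostnameVerifier HV = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
    static final String LOGIN_URL = "http://api.bank.example/login";
}
"""

# Constructed hardened source: platform trust store, default hostname check, HTTPS only.
HARDENED_SRC = """\
package com.example.bank.net;
import javax.net.ssl.*;
public class Net {
    static HttpsURLConnection open(java.net.URL url) throws java.io.IOException {
        // No custom TrustManager or HostnameVerifier: the platform defaults apply.
        return (HttpsURLConnection) url.openConnection();
    }
    static final String LOGIN_URL = "https://api.bank.example/login";
}
"""

# Assumed starter rule set: (finding name, pattern).
RULES = [
    # checkServerTrusted with an empty body accepts any certificate chain
    ("trust-all TrustManager",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}")),
    # verify() that unconditionally returns true disables hostname checking
    ("permissive HostnameVerifier",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("ALLOW_ALL_HOSTNAME_VERIFIER", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("cleartext HTTP URL", re.compile(r'"http://[^"]+"')),
]


def scan_java_source(src):
    """Return [(finding name, line number)] sorted by line."""
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(src):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append((name, line_no))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    print("vulnerable:", scan_java_source(VULNERABLE_SRC))
    print("hardened:  ", scan_java_source(HARDENED_SRC))
```

Run scan_java_source over every .java file jadx exported; a hit on the first two rules means the app will happily talk to a proxy presenting any certificate, which is also the finding a developer must fix rather than a test artefact.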

Man In The Middle - Burpsuite

Man In The Middle - Emulator

3. Extraneous functionality
General:
- Backdoors or security controls helpful during development
- Information examples: back-end test, demo, staging or UAT environments; administrative endpoints; two-factor authentication bypass for dev/testing
> Hacking:
- Set debug flag
- Reading logs
- Find endpoints for devs/admin
- Other loopholes
$ adb logcat [-b buffername]
A very concerning 92% of Android apps tested have extraneous functionality issues, while only a very small 2% of iOS apps show these issues.

3. Extraneous functionality: best practice
DON'T PUSH IT TO PRODUCTION!!
- Remove method calls to the log class for release builds
- Disable the android:debuggable flag in production builds
- On iOS, disable NSLog statements
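The best-practice list above can be turned into two release checks. As an added example (not the talk's code), the script below reads the AndroidManifest.xml that apktool decodes and reports whether android:debuggable is set, and parses adb logcat output to flag leaked secrets and non-production endpoints, which is what a reviewer looks for when a build leaves log calls and staging URLs in. The manifest and the logcat lines are constructed samples; the secret and hostname patterns are assumed starter rules.

```python
"""Release checks for extraneous functionality: debuggable flag and log leakage.

Added example, not the talk's code. Manifest and logcat lines are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed AndroidManifest.xml in the readable form apktool produces.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:debuggable="true" android:label="Bank">
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>
"""

# Constructed `adb logcat` output (threadtime format).
LOGCAT = """\
11-14 10:02:11.120  4312  4312 D LoginActivity: Attempting login for user alice
11-14 10:02:11.341  4312  4330 D OkHttp: Authorization: Bearer eyJhbGciOi.constructed.sample
11-14 10:02:11.342  4312  4330 V NetModule: POST http://staging-api.bank.example/login password=hunter2
11-14 10:02:12.004  4312  4312 I ActivityManager: Displayed com.example.bank/.HomeActivity
"""

LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+) "
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+):\s?(?P<msg>.*)$")
# Assumed starter patterns for leaked secrets and dev/test/staging hosts.
SECRET = re.compile(r"(password=\S+|Bearer\s+\S+)")
NONPROD_HOST = re.compile(r"https?://[^/\s]*(staging|test|dev|demo|uat)[^/\s]*", re.I)


def is_debuggable(manifest_xml):
    """True when <application> carries android:debuggable="true"."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(f"{{{ANDROID_NS}}}debuggable") == "true"


def logcat_findings(logcat_text):
    """Return (line number, tag, kind, value) for each leak found in logcat output."""
    findings = []
    for n, line in enumerate(logcat_text.splitlines(), start=1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # not a logcat line we understand; skip rather than guess
        tag, msg = m.group("tag"), m.group("msg")
        for s in SECRET.finditer(msg):
            findings.append((n, tag, "secret", s.group(0)))
        h = NONPROD_HOST.search(msg)
        if h:
            findings.append((n, tag, "non-production endpoint", h.group(0)))
    return findings


def release_report(manifest_xml, logcat_text):
    """Combine both checks into the verdict a release gate would use."""
    leaks = logcat_findings(logcat_text)
    return {"debuggable": is_debuggable(manifest_xml), "log_leaks": leaks,
            "release_ready": not is_debuggable(manifest_xml) and not leaks}


if __name__ == "__main__":
    rep = release_report(MANIFEST, LOGCAT)
    print("debuggable:", rep["debuggable"])
    for item in rep["log_leaks"]:
        print("  leak:", item)
    print("release ready:", rep["release_ready"])
```

Feed release_report the decoded manifest of a release build and a logcat capture taken while exercising the app; a build that logs bearer tokens or talks to a staging host is exactly the "extraneous functionality" that should never reach production.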

4. Tools

Tools list for the workshop tomorrow!
Mobile tools: Android Studio (with emulator!), APKtool, jadx-gui, adb, Frida, keytool
Vulnerable app: InsecureBankv2, https://github.com/dineshshetty/android-insecurebankv2
MITM: Burpsuite
Find more on my GitHub: https://github.com/maritiren/ctf/wiki/android

Sources
- NowSecure online book about secure coding of mobile apps
- NowSecure short article introducing the online book, containing links to best practices to prevent common security vulnerabilities
- Blog post, Microsoft: Top 5 Mobile App Security Failures and How To Prevent Them
- Pluralsight: Ethical Hacking: Hacking Mobile Platforms