Breaking and Securing Mobile Apps

Similar documents
Introspy Security Profiling for Blackbox ios and Android. Marc Blanchou Alban Diquet

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin OWASP Bucharest AppSec 2018

When providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Android Analysis Tools. Yuan Tian

HACKING AND SECURING IOS APPLICATIONS

Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

Coordinated Disclosure of Vulnerabilities in McAfee Security Android

Abusing Android In-app Billing feature thanks to a misunderstood integration. Insomni hack 18 22/03/2018 Jérémy MATOS

TECHNICAL WHITE PAPER Penetration Test. Penetration Test. We help you build security into your software at every stage. 1 Page

Mobile hacking. Marit Iren Rognli Tokle

10 FOCUS AREAS FOR BREACH PREVENTION

Security Philosophy. Humans have difficulty understanding risk

CTF Workshop. Crim Synopsys, Inc. 1

Social Engineering (SE)

Man in the Middle Attacks and Secured Communications

HACKING TIZEN THE OS OF EVERYTHING. AJIN

Evaluating the Security Risks of Static vs. Dynamic Websites

droidcon Greece Thessaloniki September 2015

Hackveda Training - Ethical Hacking, Networking & Security

MOBILE SECURITY OVERVIEW. Tim LeMaster

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Amsterdam April 12 th, 2018

The Android security jungle: pitfalls, threats and survival tips. Scott

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Mobile Hacking & Security. Ir. Arthur Donkers & Ralph Moonen, ITSX

Index. D, E Damn Vulnerable ios application (DVIA), Data Execution Prevention (DEP), 3 Data storage security,

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Solutions Business Manager Web Application Security Assessment

Securing ArcGIS Services

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

How to secure your mobile application with RASP

Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Securing ArcGIS Server Services An Introduction

Web Penetration Testing

C1: Define Security Requirements

Topics. Ensuring Security on Mobile Devices

Man-In-The-Browser Attacks. Daniel Tomescu

Thursday, October 25, 12. How we tear into that little green man

ME?

Holistic Database Security

HackMiami. HTML5 Threat Landscape: Past, Present, and Future Prepared for Devcon5 LA - December 2013 Alexander Heid

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Web Application Penetration Testing

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

RKN 2015 Application Layer Short Summary

NET 311 INFORMATION SECURITY

So Many Ways to Slap a YoHo: Hacking Facebook & YoVille

Advanced Android Security APIs. KeyStore and Crypto VPN

Vidder PrecisionAccess

AHNLAB 조주봉 (silverbug)

EasyCrypt passes an independent security audit

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Hacking a Moving Target

Reverse Engineering Swift Apps. Michael Gianarakis Rootcon X 2016

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Russ McRee Bryan Casper

Man in the middle attack on TextSecure Signal. David Wind IT SeCX 2015

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

How to build a multi-layer Security Architecture to detect and remediate threats in real time

BUILDING A TEST ENVIRONMENT FOR ANDROID ANTI-MALWARE TESTS Hendrik Pilz AV-TEST GmbH, Klewitzstr. 7, Magdeburg, Germany

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Staying Safe Online. My Best Internet Safety Tips. and the AgeWell Computer Education Center.

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Quick Heal Total Security for Android. Anti-Theft Security. Web Security. Backup. Real-Time Protection. Safe Online Banking & Shopping.

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

MBFuzzer - MITM Fuzzing for Mobile Applications

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Application. Security. on line training. Academy. by Appsec Labs

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Becoming the Adversary

WebDocs 6.5. New Features and Functionality. An overview of the new features that increase functionality and ease of use including:

3. Apache Server Vulnerability Identification and Analysis

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Mobile Devices prioritize User Experience

Welcome to the OWASP TOP 10

Advanced Threat Hunting:

Google Identity Services for work

Authentication in the Cloud. Stefan Seelmann


OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application security : going quicker

Your Turn to Hack the OWASP Top 10!

Bank Infrastructure - Video - 1

Five steps to securing personal data online Gary Shipsey Managing Director

Transcription:

Breaking and Securing Mobile Apps Aditya Gupta @adi1391 adi@attify.com +91-9538295259

Who Am I? The Mobile Security Guy Attify Security Architecture, Auditing, Trainings etc. Ex Rediff.com Security Lead <3 Python Active Member at null meetups and Humlas - Bangalore and Mumbai

Learning Pentesting for Android

Previously Discovered vulns And more..

Also given trainings and talks at

Agenda Android and ios Security Overview Experiences over the past few years Finding vulnerabilities in Mobile Apps Automating Security Analysis AppWatch - The Community Edition

Why Smartphones? We are in the POST PC era

Why Smartphones? Present almost everywhere Contains the most sensitive information Not much attention paid to its security by enterprises People love apps ( There s an app for that ) AVs not that efficient

Android Security Architecture Two-tier security model : Linux and Android Each app in its own DVM App Sandbox

Android Security Overview Apps data stored at /data/data/[package-name]/ Apps stored in /data/app and /system/app AndroidManifest.xml plays an important role

Android Apps Security Primer Reversing using Apktool / Dex2Jar + JD-GUI / JEB Look for security issues in source code IDA Pro for Native Apps

Android Vulnerabilities Most of the applications vulnerable by default Developers don't often know how to secure mobile apps Apps get compromised, sensitive info leaked

Hard coded sensitive info Really common in many apps API Key / Username & Passwords / server credentials found in app code No Binary protection as well

Logging Sensitive Info

Logging Sensitive Info

Logging Sensitive Info Log.d("Facebook-authorize", "Login Success! access_token=" + getaccesstoken() + " expires=" + getaccessexpires());

Leaking Content Providers Used to share data between apps Few by default Apps could define their own By default exported

Leaking Content Providers

Leaking Content Providers

Dropbox

Dropbox

Adobe Reader

Insecure Data Storage

KeepSafe

KeepSafe

Dynamic App Analysis MitmProxy / Mallory / Fiddler / Burp Suite Bypassing SSL Pinning ( Android SSL TrustKiller) Data Storage Insecurities IPC based communications API Hooking - Cydia Substrate, Introspy etc Xposed Framework

Android Webview Vuln What's a Webview? Can the JS interact with the Java code What could possibly go wrong?

Malicious Things that could be done with Webview Take over the application's Java code Send SMS, Make calls etc Install new application Get a reverse shell Modify file system or steal something from the device

Some more tools AndroidAuditTools AndroGuard Agnitio Droidbox

Drozer Great tool for Android Security Assessment Could be used to find content provider leakage, injection based attacks, path traversal vulns Free and Pro version

Android Malwares Android Framework for Exploitation Infecting legitimate apps Crypting and Obfuscation

Android Malwares

ios Security Assessment ios Security Model Randomized folder names CA unlike Android Objective-C

ios Security Assessment Encrypted and Unencrypted Binaries Apps downloaded from AppStore are encrypted Two ways of decryption : GDB : Load the app, dump, hex edit, copy, package Clutch : Same stuff above, automated

ios Tools Class-Dump-Z (Gives class information) Clutch (Convert app to unencrypted to encrypted) objdump and otool Cycript (Bridge between Javascript and Java) Introspy (API Hooking based on Cydia Substrate)

Auditing Apps on ios Static : Class-Dump-Z + Hopper Dynamic : Cycript + Any Proxy

Auditing Apps on ios Static : Class-Dump-Z + Hopper Dynamic : Cycript + Any Proxy

Cycript Developed by Jay Freeman (Saurik) Bridge between Javascript and Objective-C Used to do runtime manipulation in ios apps ex: cy> UIApp.keyWindow.rootViewController.textlabel = "changed value" Cycript cheat sheet : http://iphonedevwiki.net/index.php/cycript_tricks

Bypassing app's password screen UIApp.keyWindow.rootViewController->isa.messages[method-name] = function(){return true; }

Getting around with Certificate Pinning App won't trust any other certificate than the original one How could be bypass it? Android Way of Decompiling, modifying the pin value, recompiling back API hooking Hook into the method which determines whether a certificate is true or not. Return true always.

Tools to use https://github.com/intrepidusgroup/trustme - gets around with SecTrustEvaluate iossslkillswitch - gets around with SecureTransportAPI

AppWatch Cloud based mobile security scanner For Android Apps now, ios to be added by next month both Static and Dynamic analysis of the apps Comes along with an easy to use API Reports in HTML and PDF format

We scanned Top 100 apps in Google Play Store with AppWatch automated scanner

Categories Business Medical Communication Music & Audio Education Finance Entertainment Shopping Media & Video Transportation

Security Vulns we identify Exported IPC Endpoints - Activities, Services, Broadcast Receivers Leaking Content Providers Insecure SSL Implementation Leaking sensitive info in network traffic Local Data Storage Vulnerabilities OWASP Mobile Top 10 Many more uncommon ones

Security Vulns we identify

Direct Google Play App Scan

And the Results...

Results of Top 100 Apps

AppWatch Demo

AppWatch API Demo

Get Access to AppWatch Community Edition http://attify.com/appwatch/

Get in Touch. Grab me after the talk @adi1391 adi@attify.com Skype: adi0x90 +91-9538295259

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback