The Attacker's POV: Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez
AGENDA & SPEAKERS
Introduction; Attacks on Mobile; Live Demo; Recommendations; Q&A
Speaker: Tony Ramirez, Mobile Security Analyst
WHO WE ARE
Books & speaking. Mobile threat research is in our DNA. Open source. Dream team of security researchers.
Every waking moment spent: discovering critical vulns; identifying novel attack vectors; creating/maintaining renowned open-source mobile security tools/projects.
NowSecure mission: save the world from unsafe mobile apps; educate enterprises on the latest mobile threats; maximize the security of apps enterprises develop, purchase and use.
TAKING THE ATTACKER POV
MOBILE APPS ARE A GREAT ATTACK VECTOR
- 36% of Android apps have at least 1 high-risk flaw
- 35% of Android apps have unencrypted data transmission
- 1% of Android apps properly use the Google SafetyNet Attestation API
- 85% of 3rd-party app store apps violate the OWASP Mobile Top 10
- 63% of iOS apps opt out of ATS (App Transport Security), exposing network risks
- 50% of Android apps dynamically load code that static analysis misses
Source: NowSecure Software and Research Data 2016-2017
REAL-WORLD VULNS IN THE NEWS
EXPLOITING THE MOBILE ATTACK SURFACE
DATA AT REST: Data caching; Data stored in application directory; Decryption of keychain; Data stored in log files; Data cached in memory/RAM; Data stored on SD card; OS data caching; Passwords & data accessible; No/weak encryption; TEE/Secure Enclave Processor; Side channel leak; SQLite database; Emulator variance
CODE FUNCTIONALITY: GPS spoofing; Buffer overflow; allowBackup flag; allowDebug flag; Code obfuscation; Configuration manipulation; Escalated privileges; Android rooting/iOS jailbreak; User-initiated code; Confused deputy attack; Multimedia/file format parsers; Insecure 3rd-party libraries; World-writable files; World-writable executables; URL schemes; Integrity/tampering/repacking; Side channel attacks; App signing key unprotected; JSON-RPC; Automatic Reference Counting; Dynamic runtime injection; Unintended permissions; UI overlay/PIN stealing; Intent hijacking; Zip directory traversal; Clipboard data; World-readable files
DATA IN MOTION: Wi-Fi (no/weak encryption); Rogue access point; Packet sniffing; Man-in-the-middle; Session hijacking; DNS poisoning; TLS downgrade; Fake TLS certificate; Improper TLS validation; HTTP proxies; VPNs; Weak/no local authentication; App Transport Security; Transmitted to insecure server; Zip files in transit; Cookie HttpOnly flag; Cookie Secure flag
API BACKEND: Platform vulnerabilities; Server misconfiguration; Cross-site scripting; Cross-site request forgery; Cross-origin resource sharing; Brute force attacks; Side channel attacks; SQL injection; Privilege escalation; Data dumping; OS command execution; Weak input validation; Hypervisor attack; VPN
ATTACKER POV FOR REAL-WORLD ATTACKS
Take the attacker POV to test across app, compiler, data at rest, data in transit, OS, HW & SW during and after running the mobile app.
Diagram: iOS stack from top to bottom: Target App, iOS Apps, iOS Frameworks, iOS Native Libraries, iOS HAL, iOS Mach/XNU Kernel, Hardware, Network & Cloud Services, Data Center & App Backend.
Attacks annotated on the stack: Malware, Contact hijacking, Buffer overflows, Dynamic code and assets, MITM attacks, Race conditions, Forensic artifacts.
POST-EXPLOITATION: MOBILE HID ATTACK
Diagram: pwned device (acting as a human interface device) -> target.
LIVE TOOLS AND SAMPLE ATTACKS
1. Decompiling Android Apps
2. MITM Attacks
3. Advanced Dynamic Analysis
REVERSING THE ANDROID APP COMPILATION PROCESS
Diagram of the build pipeline (decompiling walks it backwards):
.java files -> compiler -> .class files -> dx tool -> .dex files
.dex files + .so files + resources -> APK builder -> .apk file -> jar signer
REVERSE ENGINEERING AN APK
RECREATE MITM ATTACKS
How Frida gets into the target (diagram sequence: Host on one side, Target process on the other):
1. Write bootstrapper code into memory of Target process.
2. Hijack existing thread in Target to execute bootstrapper.
3. Bootstrapper loads frida-agent.so into Target's memory space.
4. Agent opens a bi-directional comms channel between Debugger & Debuggee.
5. Agent sets up its own thread, accepting JavaScript instrumentation scripts from Debugger.
6. Instrumentation probes target specific APIs & code logic of interest.
7. Probe results are streamed to the debugger and parsed/redirected.
LIVE INSTRUMENTATION DEMO
1. Inject Frida agent
2. Inject new code
3. Hook into TCP sockets
4. Call voice synth when MITM risk is detected on port 80
Diagram: the same iOS stack (Target App, iOS Apps, iOS Frameworks, iOS Native Libraries, iOS HAL, iOS Mach/XNU Kernel, Hardware, Network & Cloud Services, Data Center & App Backend).
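The instrumentation steps above and the socket-hook demo can be illustrated with one Frida agent script. This is an added example, not the script used in the talk: it hooks connect(2) in the target with Interceptor.attach, decodes the sockaddr argument, and uses send() to stream a verdict to the host whenever the app opens a cleartext connection on port 80 (the "MITM risk" signal); what the host does with the message, the demo's voice synthesis, is left to the host side. The sockaddr decoding and the port list are plain JavaScript so they can be exercised under Node with the constructed sample addresses; the Interceptor part runs only inside Frida. The choice of ports 80 and 8080 as "cleartext" and the sample addresses are assumptions of the example.

```javascript
'use strict';

// sockaddr layout differs by kernel family. Linux/Android: sa_family is a
// uint16 in host order. Darwin/iOS: sa_len:u8 then sa_family:u8. sin_port is
// network order at offset 2 in both; the address follows at offset 4 (IPv4)
// or, for sockaddr_in6, at offset 8 after sin6_flowinfo.
const FAMILIES = {
  linux:  { AF_INET: 2, AF_INET6: 10, bsdLayout: false },
  darwin: { AF_INET: 2, AF_INET6: 30, bsdLayout: true  },
};

// Decode a raw sockaddr (Uint8Array) into { family, host, port }.
function parseSockaddr(bytes, platform) {
  const f = FAMILIES[platform];
  if (!f) throw new Error('unsupported platform: ' + platform);
  const family = f.bsdLayout ? bytes[1] : (bytes[0] | (bytes[1] << 8));
  if (family === f.AF_INET) {
    const port = (bytes[2] << 8) | bytes[3];
    return { family: 'AF_INET', host: Array.from(bytes.subarray(4, 8)).join('.'), port };
  }
  if (family === f.AF_INET6) {
    const port = (bytes[2] << 8) | bytes[3];
    const groups = [];
    for (let i = 8; i < 24; i += 2) groups.push(((bytes[i] << 8) | bytes[i + 1]).toString(16));
    return { family: 'AF_INET6', host: groups.join(':'), port };
  }
  // AF_UNIX and friends: no IP endpoint, nothing to classify.
  return { family: 'AF_UNSPEC', host: null, port: null };
}

// Ports treated as cleartext HTTP (assumption of this example). 443 is not
// flagged here: whether TLS is done right needs the pinning/validation checks,
// a port test cannot tell.
const CLEARTEXT_PORTS = new Set([80, 8080]);

function classifyConnect(sa) {
  if (sa.port === null) return { risk: false, reason: 'non-IP socket' };
  if (CLEARTEXT_PORTS.has(sa.port)) {
    return { risk: true, reason: 'cleartext HTTP to ' + sa.host + ':' + sa.port };
  }
  return { risk: false, reason: sa.host + ':' + sa.port };
}

// Frida-only part: resolve connect() in whichever module exports it (bionic
// libc.so on Android, libsystem_kernel.dylib on iOS), hook it, and stream
// verdicts to the host. On the host, frida-python receives these through
// script.on('message', handler) and can trigger the alert of its choice.
if (typeof Interceptor !== 'undefined') {
  const platform = Process.platform === 'darwin' ? 'darwin' : 'linux';
  Interceptor.attach(Module.findExportByName(null, 'connect'), {
    onEnter(args) {
      const len = Math.min(args[2].toInt32(), 28);           // sizeof(sockaddr_in6)
      const bytes = new Uint8Array(args[1].readByteArray(len));
      const verdict = classifyConnect(parseSockaddr(bytes, platform));
      if (verdict.risk) {
        send({
          type: 'mitm-risk',
          detail: verdict.reason,
          // Who in the app made the call: useful for tracing the insecure request.
          stack: Thread.backtrace(this.context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress).map(String),
        });
      }
    },
  });
}

// Constructed samples (not captured traffic) so the helpers can be run offline.
function demo() {
  const linuxHttp = new Uint8Array([2, 0, 0, 80, 192, 0, 2, 10, 0, 0, 0, 0, 0, 0, 0, 0]);
  const darwinHttps = new Uint8Array([16, 2, 0x01, 0xbb, 192, 0, 2, 10, 0, 0, 0, 0, 0, 0, 0, 0]);
  return [
    classifyConnect(parseSockaddr(linuxHttp, 'linux')),
    classifyConnect(parseSockaddr(darwinHttps, 'darwin')),
  ];
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Load it with frida -U -f <bundle id> -l agent.js (or from frida-python) and every cleartext connect() shows up with the stack that issued it. Hooking connect() rather than the HTTP library is deliberate: it catches NSURLSession, OkHttp, WebViews and third-party SDKs alike, which is exactly what an attacker on the network path sees.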
TURNING ATTACKER POV INTO DEFENSE
ATTACKER POV FOR REAL-WORLD TESTING
Takes the attacker POV to test across app, compiler, data at rest, data in transit, OS, H/W & S/W during and after running the mobile app.
Diagram: iOS stack (Target App, iOS Apps, iOS Frameworks, iOS Native Libraries, iOS HAL, iOS Mach/XNU Kernel, Hardware, Network & Cloud Services, Data Center & App Backend) with the tests mapped onto its layers:
- Behavioral to determine malware
- Dynamic to track interaction with contacts
- Behavioral to test active memory
- Dynamic to taint & trace sensor data from HAL
- Dynamic to test persistent storage
- Dynamic to track interaction with microphone
- Behavioral to track interaction with Keychain
- Dynamic to test SSL stripping
- Dynamic to test MITM
- Dynamic to monitor dynamic code loading from the network
- Dynamic to track interaction with file system
- Dynamic & behavioral to test certificate pinning
SUGGESTED BEST PRACTICES
1. Large mobile attack surface. Education is key!
2. Subscribe to our blog: https://www.nowsecure.com/blog
3. Check out our Secure Mobile Development Best Practices: https://bit.ly/2ymlqmm
4. Download our Mobile Threat Report: https://bit.ly/2fno1fb
5. Reach out if you have questions! aramirez@nowsecure.com
FAST & ACCURATE MOBILE AST
- NowSecure AUTO: on-demand & continuous testing, 15 minutes, fast for Dev, QA & Security teams
- NowSecure INTEL: always-on risk analysis of 8m+ app store apps for EMM & Security teams
- NowSecure WORKSTATION: deep pen testing analysis of complex, high-risk mobile apps for security analysts
- NowSecure SERVICES: expert pen testing, training & mobile app security programs for app owners & security teams