The Attacker's POV: Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez


AGENDA & SPEAKERS: Introduction; Attacks on Mobile; Live Demo; Recommendations; Q&A. Speaker: Tony Ramirez, Mobile Security Analyst

WHO WE ARE: Books & speaking. Mobile threat research is in our DNA. Open source. Dream team of security researchers. Every waking moment spent: discovering critical vulns; identifying novel attack vectors; creating/maintaining renowned open-source mobile security tools/projects. NowSecure mission: save the world from unsafe mobile apps; educate enterprises on the latest mobile threats; maximize the security of apps enterprises develop, purchase and use.

TAKING THE ATTACKER POV

MOBILE APPS ARE A GREAT ATTACK VECTOR. Android apps: 36% have at least 1 high-risk flaw; 35% have unencrypted data transmission; 1% properly use the Google SafetyNet Attestation API. 85% of 3rd-party app store apps violate the OWASP Mobile Top 10; 63% of iOS apps opt out of ATS, exposing network risks; 50% of Android apps dynamically load code missed by static analysis. Source: NowSecure software and research data 2016-2017

REAL-WORLD VULNS IN THE NEWS

EXPLOITING THE MOBILE ATTACK SURFACE
DATA AT REST: Data caching; Data stored in application directory; Decryption of keychain; Data stored in log files; Data cached in memory/RAM; Data stored in SD card; OS data caching; Passwords & data accessible; No/weak encryption; TEE/Secure Enclave Processor; Side channel leak; SQLite database; Emulator variance
CODE FUNCTIONALITY: GPS spoofing; Buffer overflow; allowBackup flag; allowDebug flag; Code obfuscation; Configuration manipulation; Escalated privileges; Android rooting/iOS jailbreak; User-initiated code; Confused deputy attack; Multimedia/file format parsers; Insecure 3rd party libraries; World writable files; World writable executables; URL schemes; GPS spoofing; Integrity/tampering/repacking; Side channel attacks; App signing key unprotected; JSON-RPC; Automatic Reference Counting; Dynamic runtime injection; Unintended permissions; UI overlay/PIN stealing; Intent hijacking; Zip directory traversal; Clipboard data; World readable files
DATA IN MOTION: Wi-Fi (no/weak encryption); Rogue access point; Packet sniffing; Man-in-the-middle; Session hijacking; DNS poisoning; TLS downgrade; Fake TLS certificate; Improper TLS validation; HTTP proxies; VPNs; Weak/no local authentication; App Transport Security; Transmitted to insecure server; Zip files in transit; Cookie HttpOnly flag; Cookie Secure flag
API BACKEND: Platform vulnerabilities; Server misconfiguration; Cross-site scripting; Cross-site request forgery; Cross-origin resource sharing; Brute force attacks; Side channel attacks; SQL injection; Privilege escalation; Data dumping; OS command execution; Weak input validation; Hypervisor attack; VPN

ATTACKER POV FOR REAL-WORLD ATTACKS. Take the attacker POV to test across app, compiler, data at rest, data in transit, OS, HW & SW during and after running the mobile app. (Layer diagram, top to bottom: target app, iOS apps, iOS frameworks, iOS native libraries, iOS HAL, iOS Mach/XNU kernel, hardware, network & cloud services, data center & app backend. Attack callouts: malware, contact hijacking, buffer overflows, dynamic code and assets, MITM attacks, race conditions, forensic artifacts.)

POST-EXPLOITATION: MOBILE HID ATTACK (diagram: pwned device → target)

LIVE TOOLS AND SAMPLE ATTACKS 1 Decompiling Android Apps 2 MITM Attacks 3 Advanced Dynamic Analysis

REVERSING THE ANDROID APP COMPILATION PROCESS (build pipeline diagram): .java files → compiler → .class files → dx tool → .dex files; .dex files + .so files + resources → APK builder → .apk files → jarsigner

REVERSE ENGINEERING AN APK
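An APK is a zip archive, so the first step of reverse engineering (and of the triage a defender does before trusting a third-party app) is to inventory its zip directory: the .dex files, native .so libraries, resources and META-INF signature files from the build pipeline above, and any entry name that would escape the extraction directory (the "Zip directory traversal" item on the attack surface slide). The following is an added example, not code from the talk or from NowSecure; the APK it inspects is a constructed in-memory sample whose entry names and dex magic are the only realistic parts, and the classification rules (which names count as resources, which suffixes count as signature files) are this example's own assumptions.

```python
import io
import posixpath
import zipfile

DEX_MAGIC = b"dex\n"  # every classes*.dex begins with "dex\n0NN\0"


def build_sample_apk(include_traversal: bool = False) -> bytes:
    """Construct a minimal APK-shaped zip in memory.

    Constructed sample for this example, not a real app: file bodies are
    placeholders, only the entry names and the dex magic bytes matter.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
        zf.writestr("classes2.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("res/layout/main.xml", b"<layout/>")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
        if include_traversal:
            # An entry whose name climbs out of the extraction directory.
            zf.writestr("../../../../escaped.txt", b"placeholder")
    return buf.getvalue()


def is_unsafe_entry_name(name: str) -> bool:
    """True if a zip entry name could land outside the extraction directory."""
    unixname = name.replace("\\", "/")
    if unixname.startswith("/"):
        return True
    norm = posixpath.normpath(unixname)  # collapses "a/../b" to "b"
    return norm == ".." or norm.startswith("../")


def inventory_apk(apk_bytes: bytes) -> dict:
    """Walk the APK's zip directory and summarise what an analyst pulls out of it."""
    summary = {
        "has_manifest": False,
        "dex_files": [],
        "bad_dex_magic": [],
        "native_libs": [],
        "resources": [],
        "signature_files": [],
        "unsafe_entries": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_entry_name(name):
                summary["unsafe_entries"].append(name)
                continue  # never read or extract such entries
            if name == "AndroidManifest.xml":
                summary["has_manifest"] = True
            elif name.endswith(".dex"):
                summary["dex_files"].append(name)
                with zf.open(info) as fh:
                    if fh.read(len(DEX_MAGIC)) != DEX_MAGIC:
                        summary["bad_dex_magic"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                summary["native_libs"].append(name)
            elif name.startswith("META-INF/") and name.endswith((".SF", ".RSA", ".DSA", ".EC")):
                summary["signature_files"].append(name)
            elif name.startswith("res/") or name == "resources.arsc":
                summary["resources"].append(name)
    summary["is_signed"] = bool(summary["signature_files"])
    return summary


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()),
                       ("traversal", build_sample_apk(include_traversal=True))):
        print(label, inventory_apk(apk))
```

The traversal check runs before any read so that a hostile entry name is reported rather than acted on; the dex magic check is a cheap way to notice a file that is named like bytecode but is not (a reason to look closer at how the app loads code).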

RECREATE MITM ATTACKS

(Frida injection sequence diagram; labels: Host, Target, bootstrapper, bootstrapper-thread, frida-agent.so, Comms Channel, Instrumentation scripts (JavaScript), probe results.)
1. Write bootstrapper code into memory of Target process.
2. Hijack existing thread in Target to execute bootstrapper.
3. Bootstrapper loads frida-agent into Target's memory space.
4. Agent opens bi-directional channel between Debugger & Debuggee.
5. Agent sets up its own thread, accepting instrumentation scripts (JavaScript) from Debugger.
6. Instrumentation probes target specific APIs & code logic of interest.
7. Probe results streamed to debugger and parsed/redirected.

LIVE INSTRUMENTATION DEMO: inject Frida agent; inject new code; hook into TCP sockets; call voice synth when MITM risk is detected on port 80. (Layer diagram: target app, iOS apps, iOS frameworks, iOS native libraries, iOS HAL, iOS Mach/XNU kernel, hardware, network & cloud services, data center & app backend.)
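The demo's rule (flag a connection on port 80 as MITM risk) and the data-in-motion items on the attack surface slide (TLS downgrade, improper TLS validation) are both things a defender can check without a live hook. The block below is an added example, not the talk's Frida script or any NowSecure tooling: it runs the port-80 idea, generalised to "any connection without TLS", over a constructed list of socket events of the kind a runtime probe would stream back, and audits an `ssl.SSLContext` for the two misconfigurations that make an app accept a fake certificate or a downgraded protocol, showing the weak context beside the hardened one. The event records and the finding strings are this example's own assumptions.

```python
import ssl

# Constructed socket-hook events (not captured from a real app): what a probe on
# the TCP socket layer would report back for each outbound connection.
SAMPLE_EVENTS = [
    {"host": "api.example.test", "port": 443, "tls": True},
    {"host": "cdn.example.test", "port": 80, "tls": False},
    {"host": "metrics.example.test", "port": 8080, "tls": False},
    {"host": "login.example.test", "port": 443, "tls": True},
]


def find_cleartext_connections(events):
    """Return 'host:port' for every connection that carried data without TLS.

    The demo's rule is "port 80 means MITM risk"; checking the TLS flag instead
    also catches cleartext on non-standard ports such as 8080.
    """
    return [f"{e['host']}:{e['port']}" for e in events if not e["tls"]]


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Report the settings that let a fake certificate or a downgrade succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("downgrade below TLS 1.2 allowed (minimum_version too low)")
    return findings


def build_weak_context() -> ssl.SSLContext:
    """The 'improper TLS validation' configuration: trusts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # accepts a fake or self-signed certificate
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # lets a MITM force old TLS
    return ctx


def build_hardened_context() -> ssl.SSLContext:
    """The corrected configuration: verified chain, matched hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("cleartext:", find_cleartext_connections(SAMPLE_EVENTS))
    print("weak:", audit_tls_context(build_weak_context()))
    print("hardened:", audit_tls_context(build_hardened_context()))
```

Certificate pinning (on the testing slide later in the deck) is an extra layer on top of the hardened context, not a substitute for it: a pinned app with `verify_mode` set to `CERT_NONE` still needs the pin check to fire on every connection.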

TURNING ATTACKER POV INTO DEFENSE

ATTACKER POV FOR REAL-WORLD TESTING. Takes the attacker POV to test across app, compiler, data at rest, data in transit, OS, H/W & S/W during and after running the mobile app. Test callouts by layer (target app, iOS apps, iOS frameworks, iOS native libraries, iOS HAL, iOS Mach/XNU kernel, hardware, network & cloud services, data center & app backend): Behavioral to determine malware; Dynamic to track interaction with contacts; Behavioral to test active memory; Dynamic to taint & trace sensor data from HAL; Dynamic to test persistent storage; Dynamic to track interaction with microphone; Behavioral to track interaction with Keychain; Dynamic to test SSL stripping; Dynamic to test MITM; Dynamic to monitor dynamic code loading from the network; Dynamic to track interaction with file system; Dynamic & Behavioral to test certificate pinning.

SUGGESTED BEST PRACTICES
1. Large mobile attack surface. Education is key!
2. Subscribe to our blog: https://www.nowsecure.com/blog
3. Check out our Secure Mobile Development Best Practices: https://bit.ly/2ymlqmm
4. Download our Mobile Threat Report: https://bit.ly/2fno1fb
5. Reach out if you have questions! aramirez@nowsecure.com

FAST & ACCURATE MOBILE AST. NowSecure AUTO: on-demand & continuous testing, 15 mins, fast for Dev, QA & Security teams. NowSecure INTEL: always-on risk analysis of 8m+ app store apps for EMM & Security teams. NowSecure WORKSTATION: deep pen testing analysis of complex, high-risk mobile apps for security analysts. NowSecure SERVICES: expert pen testing, training & mobile app security programs for app owners & security teams.