Posted on 07-Apr-2017
© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand.
Cyber Defense Initiative Conference CDIC 2016 - TIME TO TRUST
Don't Trust, And Verify - Mobile Application Attacks
Mr. Prathan Phongthiproek
Management Consulting, KPMG Phoomchai Business Advisory Ltd.
Speaker Profile
Prathan Phongthiproek
Manager, Information Protection and Business Resilience (IPBR)
T: +662 677 2000
E: prathan@kpmg.co.th
Background
Prathan is a Manager, Cybersecurity Services, for KPMG Thailand. He has more than 9 years of experience leading cybersecurity services, including security analysis and review and penetration testing.
Professional and industry experience
• Led the project team responsible for conducting security assessment services for over 50 clients, including host and network assessment, external/internal network penetration testing, web and mobile application penetration testing, and ATM/kiosk security assessment including physical hacking.
• In charge of penetration testing of retail point-of-sale payment systems (POS, IPT, OPT, EPS, STC) for PCI DSS v3.0 compliance at a major petrochemical company in Malaysia.
• Performed source code review (static and dynamic code analysis) to identify potential risks in terms of security and coding best practices for major banks.
• Conducted mobile application penetration testing of over 40 Android and iOS applications for a major telecommunications company.
• Performed digital forensics and investigation for a major financial company.
• Carried out regulatory compliance reviews and security configuration reviews, providing in-depth risk and security analysis of system, database and infrastructure components.
• Analysed the results of security testing and assisted stakeholders by identifying viable remediation for each vulnerability identified.
• Provided in-depth security training and remediation guidance to clients.
• Created curricula and conducted training courses in network, web and mobile application security and secure coding for major banks.
• His industry experience includes financial services, major banks, insurance, telecommunications, health care providers, automotive, trading companies, the military sector, energy companies and power plants, oil and gas, resorts, ISPs and government agencies.
Agenda
- Overview
- Mobile Application Attack Vector
- Attack Narrative
- Countermeasure
- Reference
Overview
Mobile Marketing Statistics compilation
Source: http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
[Charts: ownership of smartphone vs desktop; mobile media time, app vs mobile site usage]
Overview
Mobile/Tablet Operating System Market Share
[Chart: NetMarketShare.com, Mobile/Tablet OS Market Share, October 2016]
Android and iOS lead the market.
Mobile Application Attack Vector

User Input
• SQLite Injection
• JavaScript Injection (XSS)
• Local File Inclusion
• WebView File Access Attack

IPC and Application Components
• Android component permissions and vulnerabilities through:
  o Activities
  o Content Providers
  o Broadcast Receivers
  o Services
• Protocol Handler Attack
• Pasteboard/Clipboard
• Application Backgrounding
• Application Logs
• Mobile App Framework Vulnerability

Data Storage
• Plist/XML files
• SharedPreferences files
• Database/NoSQL files
• Keychain
• Temp files
• Cache files
• SD card storage
• Unrestricted backup file
• Poor key management

Backend Service
• Excessive open ports
• Security misconfiguration
• Improper control of interaction frequency
• Weak authentication
• Business logic flaws
• Information leakage through API response messages
• Web application vulnerability

Communication Channel
• Insecure transport layer protocols (HTTP)
• Insecure and deprecated algorithms
• Disabling certificate validation
• Lack of SSL pinning
• Lack of end-to-end encryption
• Sensitive data over the network
• Exposing device-specific identifiers

Binary File
• Reverse engineering the app code
• Patching the binary
• Hard-coded credentials and information leakage through the binary
• Debuggable mode
• Runtime manipulation and instrumentation
• Lack of root/jailbroken device checking
Attack Narrative

User Input
Android Application
• SQLite Injection
[Each attack slide shows two rating dials. Damage level: estimated level of financial and reputational loss. Threat level: estimated level of activity and occurrence.]
User Input
iOS Application
• SQLite Injection
User Input
Android Application
• WebView File Access
A WebView with file access enabled loads the app's own private SharedPreferences file when given its file:// URL as input (DIVA shown here):
file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml
User Input
iOS Application
• JavaScript Injection (XSS)
Test payload entered into the input field rendered by the app's web view:
<script>alert('Hello World');</script>
Inter-Process Communication (IPC) and Application Components
Android Application
• Abusing an Android Activity component (exported, so any app on the device can start it directly) to bypass client-side authentication (PIN).
Inter-Process Communication (IPC) and Application Components
Android Application
• Case study: CVE-2015-1835, remote exploit of secondary configuration variables in Apache Cordova on Android. Cordova preferences that the app did not set explicitly in config.xml could be overridden by extras on the intent that launches the app, so another app on the device could change the application's behaviour.
Inter-Process Communication (IPC) and Application Components
Android Application
• Abusing an exported Android Content Provider to obtain sensitive information from the application database.
[Diagram: malicious app queries the exported ContentProvider, which reads the .DB file and returns the sensitive information]
Creating a malicious app to attack the sieve application: https://github.com/tanprathan/sievePWN/blob/master/sieveleak
Using Drozer to attack the Android components.
Inter-Process Communication (IPC) and Application Components
Android Application
• Abusing an Android Content Provider to obtain sensitive information from the application database using SQL injection (the provider passes the caller's projection and selection into its query unchecked).
Creating a malicious app to attack the sieve application using SQLi: https://github.com/tanprathan/sievePWN/tree/master/sievesqli
Using Drozer to attack the Android components using SQLi.
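The two SQLite injection surfaces from the slides above (user input concatenated into a local query on the "SQLite Injection" slides, and a caller-controlled projection forwarded by the sieve content provider on this slide), reproduced on an in-memory database. This is an added example written for this page, not code from the deck, from sieve or from DIVA; the table names are loosely modelled on sieve's Passwords and Key tables, but the columns, rows and payloads are constructed for the demo.

```python
"""Added example (not from the deck or the sieve/DIVA apps): the two SQLite
injection surfaces from the slides, reproduced on an in-memory database.

Surface 1: user input concatenated into the WHERE clause of a local query.
Surface 2: a content provider that passes the caller's projection straight
into SELECT.  Table/column names and rows are constructed for the demo.
"""
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    # Stand-in for /data/data/<pkg>/databases/<name>.db (constructed data)
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Passwords (id INTEGER PRIMARY KEY, service TEXT, "
        "username TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO Passwords (service, username, password) VALUES (?, ?, ?)",
        [("email", "alice", "s3cret"), ("bank", "bob", "hunter2")],
    )
    db.execute("CREATE TABLE Key (pin TEXT)")
    db.execute("INSERT INTO Key VALUES ('1234')")
    db.commit()
    return db


# --- Surface 1: user input in the WHERE clause ---------------------------

def lookup_vulnerable(db: sqlite3.Connection, service: str) -> List[Tuple]:
    # Equivalent of rawQuery("... WHERE service = '" + input + "'", null)
    sql = "SELECT username, password FROM Passwords WHERE service = '" + service + "'"
    return db.execute(sql).fetchall()


def lookup_fixed(db: sqlite3.Connection, service: str) -> List[Tuple]:
    # Equivalent of rawQuery("... WHERE service = ?", new String[]{input}):
    # the value is bound as data, so quotes inside it cannot alter the query
    return db.execute(
        "SELECT username, password FROM Passwords WHERE service = ?", (service,)
    ).fetchall()


# --- Surface 2: projection injection through a content provider ---------

def provider_query_vulnerable(db: sqlite3.Connection, table: str,
                              projection: List[str],
                              selection: Optional[str] = None) -> List[Tuple]:
    # What a provider builds when it forwards the caller's projection and
    # selection into its query with no projection map
    sql = "SELECT " + ", ".join(projection) + " FROM " + table
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()


# Projection map: the only columns a caller may ask for; password is absent
PROJECTION_MAP = {"id": "id", "service": "service", "username": "username"}


def provider_query_fixed(db: sqlite3.Connection, table: str,
                         projection: List[str],
                         service: Optional[str] = None) -> List[Tuple]:
    if table != "Passwords":
        raise ValueError("unknown table")
    columns = []
    for col in projection:
        if col not in PROJECTION_MAP:  # rejects "* FROM Key--" and friends
            raise ValueError("column not allowed: %r" % col)
        columns.append(PROJECTION_MAP[col])
    sql = "SELECT " + ", ".join(columns) + " FROM Passwords"
    args: Tuple = ()
    if service is not None:
        sql += " WHERE service = ?"   # selection value is bound, not pasted
        args = (service,)
    return db.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))   # every row, passwords included
    print(lookup_fixed(db, payload))        # []
    # Same trick as the sieve projection payload, aimed at another table;
    # the "--" comments out the provider's own " FROM Passwords"
    print(provider_query_vulnerable(db, "Passwords", ["* FROM Key--"]))
    print(provider_query_fixed(db, "Passwords", ["username"], service="bank"))
```

The projection payload works because SQLite treats everything after `--` as a comment, so the provider's own `FROM <table>` is discarded and the attacker chooses the table. Drozer's `app.provider.query --projection` sends exactly this kind of string; a projection map plus bound selection arguments is the provider-side fix.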
Inter-Process Communication (IPC) and Application Components
iOS Application
• Attacking protocol handlers (URL schemes) - "Sea Surf" (CSRF through a custom URL scheme)
Identifying the URL scheme in the Info.plist, using Hopper to reverse-engineer the handler, then writing a script for the attack. Any web page or app that opens the URL below makes DVIA dial the supplied number:
dvia://highaltitudehacks.com/call_number/?phone=1234567890
Inter-Process Communication (IPC) and Application Components
Android Application
• Side-channel data leakage through the Android clipboard
Using Drozer to perform clipboard monitoring.
iOS Application
• Side-channel data leakage through the iOS generalPasteboard
Using idb to perform pasteboard monitoring.
Inter-Process Communication (IPC) and Application Components
Android Application
• Information leakage through the application log
iOS Application
• Information leakage through the application log
Example: the application writes the entered password to the log when the user enters it.
Case study: HTTPS requests and responses were written to the application log, which allowed malware on the device to obtain sensitive information.
Data Storage
Android Application
• Insecure data storage leading to a client-side authentication flaw
iOS Application
• Insecure data storage leading to a client-side authentication flaw
Data Storage
Android Application
• Manipulating a local storage file
iOS Application
• Manipulating a local storage file
Data Storage
Android Application
• The default value of the Android backup flag (android:allowBackup in the manifest) is "true", so application data can be pulled off the device with adb backup unless the developer turns it off.
iOS Application
• Extracting application storage from the iTunes backup using "iPhone Backup Extractor"
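What an attacker does with the backup once allowBackup is left on, and how the "manipulating a local storage file" step from the previous slide fits in. This is an added example written for this page, not code from the deck or from any tool it names: it builds an unencrypted .ab file in memory (the format adb backup writes: a text header, then a zlib stream holding a tar of apps/<package>/...), reads the SharedPreferences out of it, flips a client-side login flag and repacks it. The package name, preference file and its contents are constructed samples.

```python
"""Added example (not from the deck): reading and rewriting `adb backup`
output when android:allowBackup is left at its default of true.

An unencrypted .ab file is a 24-byte text header
("ANDROID BACKUP\n" + version + "\n1\nnone\n") followed by a zlib stream
containing a tar archive of apps/<package>/...  Everything below is built
in memory; no real device or application is involved.
"""
import io
import tarfile
import zlib
from typing import Callable, Dict

MAGIC = b"ANDROID BACKUP\n"
HEADER = MAGIC + b"1\n" + b"1\n" + b"none\n"  # version 1, compressed, unencrypted


def sample_files(package: str) -> Dict[str, bytes]:
    # Constructed contents of an app's private directory as they appear in
    # the backup tar: a SharedPreferences file holding a cleartext password
    # and a client-side "logged in" flag (the flaw on the earlier slides)
    prefs = (
        b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
        b'    <string name="password">s3cret</string>\n'
        b'    <boolean name="isLoggedIn" value="false" />\n'
        b"</map>\n"
    )
    return {
        "apps/%s/_manifest" % package: b"1\n%s\n1\n0\n" % package.encode(),
        "apps/%s/sp/%s_preferences.xml" % (package, package): prefs,
    }


def build_backup(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return HEADER + zlib.compress(buf.getvalue())


def parse_backup(ab: bytes) -> Dict[str, bytes]:
    # Header lines are newline separated; everything after the fourth
    # newline is the (possibly compressed) tar body
    parts = ab.split(b"\n", 4)
    if len(parts) != 5 or parts[0] + b"\n" != MAGIC:
        raise ValueError("not an Android backup file")
    _version, compressed, encryption, body = parts[1:]
    if encryption != b"none":
        # AES-256 backups need the user's backup password; out of scope here
        raise ValueError("encrypted backup (%s)" % encryption.decode())
    if compressed == b"1":
        body = zlib.decompress(body)
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def patch_backup(ab: bytes, path: str,
                 transform: Callable[[bytes], bytes]) -> bytes:
    # Unpack, edit one file, repack: the "manipulating local storage" step.
    # The result is what an attacker feeds back with `adb restore`.
    files = parse_backup(ab)
    files[path] = transform(files[path])
    return build_backup(files)


if __name__ == "__main__":
    pkg = "com.example.vault"  # constructed package name
    prefs_path = "apps/%s/sp/%s_preferences.xml" % (pkg, pkg)
    ab = build_backup(sample_files(pkg))
    print(parse_backup(ab)[prefs_path].decode())
    forged = patch_backup(
        ab, prefs_path, lambda x: x.replace(b'value="false"', b'value="true"'))
    print(parse_backup(forged)[prefs_path].decode())
```

On a real device the input is `adb backup -f app.ab <package>` and the output of the patch step goes back with `adb restore app.ab`; the 24-byte header and zlib body are the same, which is why the classic one-liner `dd bs=24 skip=1` piped into a zlib decoder works. Setting android:allowBackup="false" removes the surface; keeping authentication state off the client removes the reason the flag matters.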
Binary File
Android Application
• Patching the binary using apktool (decode to smali, edit, rebuild and re-sign)
iOS Application
• Patching the binary using dumpdecrypted and Hopper
Binary File
Android Application
• Identifying hard-coded keys using reverse engineering
iOS Application
• Identifying hard-coded keys using reverse engineering
Findings:
• A hard-coded key stored in the resource XML folder
• A hard-coded key stored in the application source code
• A hard-coded key used to open the application's encrypted database, found in a JS file
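A small scanner for the three places the slide above found hard-coded keys: resource XML, application code (smali as produced by apktool) and bundled JavaScript of a hybrid app. This is an added example written for this page, not a tool from the deck; the files it scans are constructed samples of what decoded app output looks like, and the keyword list and entropy threshold are the author's choices, not a standard.

```python
"""Added example (not from the deck): scan decoded app files for
hard-coded keys in resource XML, smali and JavaScript.  SAMPLE_FILES is a
constructed stand-in for `apktool d` output; nothing is from a real app.
"""
import math
import re
from typing import Dict, List, Tuple

SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">Vault</string>\n'
        '    <string name="aes_key">0123456789abcdef0123456789abcdef</string>\n'
        "</resources>\n"
    ),
    "assets/www/js/app.js": (
        "var apiBase = 'https://api.example.invalid/v1/';\n"
        "var dbKey = 'Q1JZUFRPX0tFWV9TQU1QTEU=';  // opens the encrypted DB\n"
    ),
    "smali/com/example/vault/Crypto.smali": (
        ".method public static getKey()Ljava/lang/String;\n"
        '    const-string v0, "0123456789abcdef0123456789abcdef"\n'
        "    return-object v0\n"
        ".end method\n"
        '    const-string v1, "Hello World"\n'
    ),
}

KEYWORD = re.compile(r"(?i)(key|secret|passw|token|salt|credential)")
XML_STRING = re.compile(r'<string name="([^"]+)">([^<]+)</string>')
ASSIGN = re.compile(r"""(\w+)\s*[:=]\s*["']([^"']+)["']""")
SMALI_CONST = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]*)"')

Finding = Tuple[str, int, str, str]  # path, line number, name/kind, value


def shannon_entropy(s: str) -> float:
    # Bits per character: a 32-char hex key scores exactly 4.0, base64 keys
    # higher; prose also scores around 4, hence the extra checks below
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    # Long, high-entropy literal that is neither a URL nor a sentence
    return (len(value) >= 16 and " " not in value and "://" not in value
            and shannon_entropy(value) >= 3.5)


def scan(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if path.endswith(".xml"):          # res/values, res/xml
                for name, value in XML_STRING.findall(line):
                    if KEYWORD.search(name) or looks_like_secret(value):
                        findings.append((path, lineno, name, value))
            elif path.endswith(".smali"):      # apktool output
                for value in SMALI_CONST.findall(line):
                    if looks_like_secret(value):
                        findings.append((path, lineno, "const-string", value))
            else:                              # .js, .java, .m, .swift ...
                for name, value in ASSIGN.findall(line):
                    if KEYWORD.search(name) or looks_like_secret(value):
                        findings.append((path, lineno, name, value))
    return findings


if __name__ == "__main__":
    for path, lineno, name, value in scan(SAMPLE_FILES):
        print("%s:%d  %s = %s" % (path, lineno, name, value))
```

Run it over the directory apktool or class-dump produced (read each file into the dict) and triage the hits by hand; a key that the app needs at runtime cannot be hidden in the binary, only moved behind the user's credentials or the platform keystore/Keychain, so every confirmed hit is a design finding rather than a string to obfuscate.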
Binary File
Android Application
• Bypassing root detection using RootCloak Plus
iOS Application
• Bypassing jailbreak detection using Snoop-it and tsProtector
Binary File
Android Application
• Instrumenting Android applications with Frida to brute-force a PIN from inside the process
Binary File
iOS Application
• Runtime manipulation using method swizzling
Communication Channel
Android and iOS
• Sniffing HTTPS traffic by installing the proxy's CA certificate on the device.
• Bypassing issuer and hostname validation by creating a custom CA certificate for the proxy (https://portswigger.net/burp/help/proxy_options.html).
• Bypassing SSL pinning.
Communication Channel
Android and iOS
• End-to-end encryption (application-layer encryption)
• Exposing device-specific identifiers
Backend Service
Android and iOS
• Information exposure through the WSDL default service help page
• Information exposure through API response messages
Backend Service
Android and iOS
• Injection (SQL, command, XXE)
• Improper control of interaction frequency
Backend Service
Android and iOS
• Business logic flaw #1
• Business logic flaw #2
Communication Channel
Android and iOS
Case Study: Breaking business logic flaws and bypassing end-to-end encryption
• The binary was decrypted and its classes/methods were dumped with class-dump.
• The encryption and decryption classes were located.
• The encryption/decryption methods were intercepted by hooking them from the Cycript prompt (cy#) with custom Cycript scripts.
• The HTTPS requests/responses were captured in plaintext, before encryption and after decryption.
• A custom script was written to replace the XML request/response in order to exploit business logic flaws (e.g. authentication, authorization, insecure direct object reference).
Countermeasure
OWASP Mobile Top 10 Controls
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls
Countermeasure
Mobile Application Coding Guidelines
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Secure_Mobile_Development
Reference
• http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
• https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=1
• http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html
• https://labs.mwrinfosecurity.com/system/assets/380/original/sieve.apk
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://github.com/payatu/diva-android
• https://github.com/prateek147/DVIA
• https://github.com/tanprathan/sievePWN
• https://portswigger.net/burp/proxy.html
© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).
“This documentation is made by KPMG Phoomchai Business Advisory Ltd. (KPMG), a Thai limited liability company and member firm of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative, and is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.
This document contains confidential or proprietary KPMG information. It is not to be disclosed, quoted or referred to, in whole or in part, without our prior written consent. The restriction pertains to all data and information throughout the entire document.