Attacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
Jerod Brennen, Jacadis
Agenda
• AppSec in the SDLC
• Mobile Apps From an Attacker’s POV
• Defensive Tools and Techniques
• Resources
The Secret to Learning Code
“One of the best techniques to learn to code is
to reverse engineer existing code.”
From http://lifehacker.com/learn-to-code-by-breaking-someone-elses-code-1442438673 &
http://blog.teamtreehouse.com/the-secret-to-learning-code
APPSEC IN THE SDLC
Understand Your Environment
• What development methodologies do we follow?
• What programming languages do we use?
• What risk/security frameworks do we follow?
• What third-party libraries do we use?
• What stages in the development process require approval from the security team?
Understand Your Platform - iOS
• Each app runs inside its own sandbox directory
• The sandbox defends apps from one another
• Keychain data is stored outside the sandbox; access to it is governed by keychain access groups (entitlements), not by the sandbox directory
Image from https://developer.apple.com/library/ios/documentation/iphone/conceptual/iphoneosprogrammingguide/TheiOSEnvironment/TheiOSEnvironment.html
Understand Your Platform - Android
Figure: two Android apps in distinct sandboxes (each app runs under its own Linux UID) versus two Android apps in a shared sandbox (same UID, which requires both apps to declare the same android:sharedUserId and to be signed with the same key)
Understand Your Platform - BlackBerry
• QNX microkernel
• Allocates virtual memory to each process
• Process manager functions like a traffic cop
• Data access must be explicitly granted to each app
Image from http://crackberry.com/history-qnx-and-it%E2%80%99s-implementation-blackberry-10
Understand Your Platform - Windows
• Security provided by Windows 7
• Surface Shell manages apps, windows, orientation, and user sessions
• Surface and Windows Integration handles critical failures
Image from http://msdn.microsoft.com/en-us/library/ff727809.aspx
Three Key Security Checks
• Source Code Security Reviews
– Manual reviews
– Reverse binaries
• Security Tests in QA
– Positive AND negative test cases
• Analysis of "Deployed" Apps
– Automated scans
– Manual analysis
Source Code Reviews (OWASP)
• Methodology (v1.1, current)
– Preparation
– Security Code Review in the SDLC
– Security Code Review Coverage
– Application Threat Modeling
– Code Review Metrics
• Methodology (v2.0, due in January 2014)
– Preparation
– Application Threat Modeling
– Understanding Code Layout/Design/Architecture
– Reviewing by Technical Control
– Reviewing by Vulnerability
– Security Code Review for Agile Development
The SQA Process
• Initiation
• Planning
• Tracking
• Training
• Reviews
• Issue Resolution
• Testing
• Audit
• Process Improvement
List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
Test Cases
• Positive AND Negative
• Top 10 Negative Test Cases
– Embedded Single Quote
– Required Data Entry
– Field Type Test
– Field Size Test
– Numeric Bounds Test
– Numeric Limits Test
– Date Bounds Test
– Date Validity
– Web Session Testing
– Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
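The first eight negative categories above can be generated mechanically from a field specification and run against a validator, which is the cheapest way to get them into QA. The following Python is an added example, not material from the slides or from sqatester.com: the field specs (AMOUNT, DOB), the reference validator and the deliberately weak lenient_validate are all constructed here for illustration. Web session and performance tests need a running app and are left out.

```python
"""Positive and negative test-case generation for one input field, covering the
slide's categories: embedded single quote, required data entry, field type,
field size, numeric bounds/limits, date bounds/validity."""
from datetime import date, timedelta

# Constructed field specs; a real suite would load these from the app's form definitions.
AMOUNT = {"type": "int", "min": 1, "max": 10000, "max_len": 5, "required": True}
DOB = {"type": "date", "min": date(1900, 1, 1), "max": date(2013, 12, 31)}


def negative_cases(spec):
    """Yield (category, raw_input) pairs that a validator for `spec` must reject."""
    kind = spec["type"]
    if spec.get("required", True):
        yield ("required-data-entry", "")
    # The classic injection probe; a field of any type must not pass it through.
    yield ("embedded-single-quote", "O'Brien' OR '1'='1")
    if "max_len" in spec:
        yield ("field-size", "9" * (spec["max_len"] + 1))
    if kind == "int":
        yield ("field-type", "12abc")
        yield ("field-type", "1.5")
        if "min" in spec:
            yield ("numeric-bounds", str(spec["min"] - 1))
        if "max" in spec:
            yield ("numeric-bounds", str(spec["max"] + 1))
        yield ("numeric-limits", str(2 ** 63))        # past a signed 64-bit integer
        yield ("numeric-limits", "-" + "9" * 40)      # absurdly large negative
    elif kind == "date":
        yield ("field-type", "tomorrow")
        yield ("date-validity", "2013-02-30")         # day does not exist
        yield ("date-validity", "2013-13-01")         # month does not exist
        if "min" in spec:
            yield ("date-bounds", (spec["min"] - timedelta(days=1)).isoformat())
        if "max" in spec:
            yield ("date-bounds", (spec["max"] + timedelta(days=1)).isoformat())


def positive_cases(spec):
    """Yield representative inputs the validator must accept, boundaries included."""
    if spec["type"] == "int":
        lo, hi = spec.get("min", 0), spec.get("max", 100)
        yield from (str(v) for v in (lo, hi, (lo + hi) // 2))
    elif spec["type"] == "date":
        lo = spec.get("min", date(2000, 1, 1))
        hi = spec.get("max", date(2030, 12, 31))
        yield from (d.isoformat() for d in (lo, hi))


def strict_validate(spec, raw):
    """Reference validator: True only for inputs inside the spec."""
    if raw == "":
        return not spec.get("required", True)
    if "max_len" in spec and len(raw) > spec["max_len"]:
        return False
    try:
        if spec["type"] == "int":
            value = int(raw)
            return spec.get("min", -2 ** 63) <= value <= spec.get("max", 2 ** 63 - 1)
        value = date.fromisoformat(raw)
        return spec.get("min", date.min) <= value <= spec.get("max", date.max)
    except ValueError:
        return False


def lenient_validate(spec, raw):
    """Constructed weak validator that only checks 'looks numeric' (no bounds, no size)."""
    return raw != "" and raw.lstrip("-").isdigit()


def audit(validator, spec):
    """Return the cases `validator` gets wrong: negatives it accepts, positives it rejects."""
    wrong = [("accepted-negative", category, raw)
             for category, raw in negative_cases(spec) if validator(spec, raw)]
    wrong += [("rejected-positive", "positive", raw)
              for raw in positive_cases(spec) if not validator(spec, raw)]
    return wrong


if __name__ == "__main__":
    for name, validator in (("strict", strict_validate), ("lenient", lenient_validate)):
        print(name, audit(validator, AMOUNT))
```

Running the audit against lenient_validate lists exactly the bounds, limits and size cases it lets through, which is the report a QA engineer hands back to the developer.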
Application Analysis
• Automated scanning tools and manual analysis
• OWASP Testing Guide (v3)
– Information Gathering
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
– Testing for Denial of Service
– Web Services Testing
– AJAX Testing
• Version 4 in development (some material available)
MOBILE APPS FROM AN ATTACKER’S POV
There’s Gold in Them There Hills…
From Blue Coat Systems 2013 Mobile Malware Report
OWASP Top 10 Mobile Risks
Image from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
Data at Rest - Deconstructing .ipa Files
• Download from the App Store through iTunes; the .ipa lands in
– Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes Media/Mobile Applications/
– Mac OS X 10.6: ~/Music/iTunes/Mobile Applications/
– Windows 7: C:\Users\Username\My Music\iTunes\iTunes Media\Mobile Applications\
• Extract the app to a folder using 7-Zip (an .ipa is a zip archive)
• Manually examine the files using Notepad++ or grep
• Look for sensitive info (integration points)
– Connection strings
– Calls to Internet-facing web services
– Calls to other local resources
• Caveat: the main executable inside an App Store .ipa is FairPlay-encrypted, so strings in it are unreadable until the payload is decrypted (see the otool/gdb steps under Advanced App Analysis - iOS); plists, resources and other unencrypted files can be read straight away
Advanced App Analysis - iOS
• otool (run on the binary to get the offset and size of the encrypted payload)
– https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/otool.1.html
• gdb (dump the decrypted payload of that size from the running process)
– https://www.gnu.org/software/gdb/
• ldid (sign the new binary)
– http://gitweb.saurik.com/ldid.git
• IDA Pro with objc-helper
– https://www.hex-rays.com/products/ida/support/download.shtml
– https://code.google.com/p/zynamics/source/checkout?repo=objc-helper
• class-dump
– http://cydia.saurik.com/info/class-dump/
• Theos
– http://iphonedevwiki.net/index.php/Theos
Data at Rest - Deconstructing .apk Files
• Download from the app store onto a device, then obtain the .apk
– Copy the .apk file from a rooted Android device to a laptop via USB cable
– Send the .apk file from a non-rooted Android device to Dropbox via APK Extractor
– Alternately, download some .apk files from .apk archive sites
• Extract the app to a folder using 7-Zip (an .apk is a zip archive)
• Manually examine the files using Notepad++ or grep
• Look for sensitive info (integration points)
– Connection strings
– Calls to Internet-facing web services
– Calls to other local resources
• Caveat: AndroidManifest.xml and classes.dex inside the .apk are binary formats; decode them with apktool and dex2jar (next slide) before reading them as text
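Because both an .ipa and an .apk are zip archives, the "extract and grep" pass on this slide and on the .ipa slide is the same job, and it can be scripted so the same patterns run every time. The Python below is an added example, not tooling from the talk: the regexes, the sample package built by build_sample_apk() (a constructed stand-in, not a real app), and the host names and secrets in it are all assumptions. It reads the package directly from the zip or from a directory already extracted with 7-Zip or apktool, and also flags an Android manifest that still allows a debugger to attach. On an App Store .ipa the main binary is FairPlay-encrypted, so matches there come only from plists, resources and any unencrypted frameworks; on an .apk the manifest check only fires once apktool has decoded the binary XML.

```python
"""Scan a mobile app package for the integration points and secrets the
.ipa/.apk slides tell you to grep for. Both formats are zip archives, so the
same pass works on either; it also accepts an apktool-decoded directory."""
import io
import pathlib
import re
import zipfile

# Regexes run over raw bytes so they also hit strings inside binaries
# (classes.dex, resource blobs). Nulls are excluded so matches stop at the
# string terminators found in binary files.
PATTERNS = {
    "urls": re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    "connection_strings": re.compile(
        rb"(?:jdbc:[a-z0-9]+://|mongodb(?:\+srv)?://|(?:Data Source|Server)=)[^\s\x00\"'<>]+",
        re.I),
    "credentials": re.compile(
        rb"(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*[^\s\x00\"',;<>]+", re.I),
}
# Matches only a text manifest (apktool output, or the constructed sample below);
# inside a real .apk the manifest is binary XML and must be decoded first.
DEBUGGABLE = re.compile(rb'android:debuggable\s*=\s*"true"', re.I)


def iter_zip(package_bytes):
    """Yield (entry_name, data) for every file in an .ipa/.apk held in memory."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)


def iter_dir(root):
    """Yield (relative_path, data) for a package already extracted with 7-Zip or apktool."""
    root = pathlib.Path(root)
    for path in root.rglob("*"):
        if path.is_file():
            yield path.relative_to(root).as_posix(), path.read_bytes()


def scan_entries(entries):
    """Return {category: [(entry_name, matched_text), ...]} plus a 'debuggable' flag."""
    findings = {category: [] for category in PATTERNS}
    findings["debuggable"] = False
    for entry_name, data in entries:
        for category, pattern in PATTERNS.items():
            for match in pattern.findall(data):
                findings[category].append((entry_name, match.decode("latin-1")))
        if entry_name.endswith("AndroidManifest.xml") and DEBUGGABLE.search(data):
            findings["debuggable"] = True
    # Endpoints reached over plain HTTP are the ones to confirm with a traffic
    # capture, since anything sent to them crosses the network in the clear.
    findings["plaintext_http"] = [
        hit for hit in findings["urls"] if hit[1].lower().startswith("http://")]
    return findings


def build_sample_apk():
    """Constructed stand-in for a downloaded .apk; none of this is a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml",            # text here; binary XML in a real .apk
                    '<manifest package="com.example.bank">'
                    '<application android:debuggable="true"/></manifest>')
        zf.writestr("assets/config.properties",
                    "db.url=jdbc:mysql://db.example.internal:3306/orders\n"
                    "db.password=Hunter2\n")
        zf.writestr("res/raw/endpoints.json",
                    '{"login": "https://api.example.com/v1/login", '
                    '"telemetry": "http://stats.example-partner.net/ping"}')
        zf.writestr("classes.dex",                    # fake dex with one embedded string
                    b"dex\n035\x00" + b"\x00" * 32
                    + b"api_key=EXAMPLE-KEY-0000\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_entries(iter_zip(build_sample_apk()))
    for category, hits in report.items():
        print(f"{category}: {hits}")
```

For a real target, replace the sample with `scan_entries(iter_zip(open("app.apk", "rb").read()))` or, after `apktool d app.apk`, `scan_entries(iter_dir("app"))`; every hit carries the entry it came from so it can be opened in Notepad++ for context.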
Advanced App Analysis - Android
• APKTool
– https://code.google.com/p/android-apktool/
• dex2jar
– https://code.google.com/p/dex2jar/
• Smali
– https://code.google.com/p/smali/
• androguard
– https://code.google.com/p/androguard/
• APKManager
– http://xdafileserver.nl/index.php?dir=Samsung%2FGalaxy+S+III%2FCUSTOM+ROMS%2Fwanamlite%2FApkManager%2FV6.1
• Obfuscate your code with ProGuard and DexGuard
– http://proguard.sourceforge.net/
– ProGuard is included in the Android SDK; DexGuard is not
Data in Motion - Monitoring App Traffic
• Plug the laptop into a wired network connection
• Create an ad hoc wireless network on the laptop and share the wired connection through it
• Connect the mobile device to the ad hoc wireless network
• Start Wireshark on the laptop, capturing on the wireless interface
– Capture ALL packets between the mobile device and the server
• Use the mobile device as a normal end user would
• Analyze the Wireshark capture for
– Unencrypted credentials
– Unencrypted account information
– Connection strings to servers (including third parties)
• Caveat: traffic the app sends over TLS shows up only as ciphertext; what is readable in this capture is exactly what any attacker on the same network can read
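The analysis step above is easier to repeat if the captured TCP payloads (Wireshark's Follow TCP Stream output, or the payloads pulled from the pcap with a library) are triaged by script rather than by eye. The Python below is an added example, not part of the talk: it classifies each payload as plaintext HTTP or TLS, pulls out credentials and account data sent in the clear (Basic auth, bearer tokens, session cookies, sensitive query, form and JSON fields), and flags hosts outside the app's own domain as third parties. The sample_capture() payloads, the host names, the account number and the first-party domain are all constructed for illustration.

```python
"""Triage captured app traffic for the findings the slide lists: unencrypted
credentials, unencrypted account data, and the servers (including third
parties) the app talks to. Input is a list of TCP payloads; the sample below is
constructed, not a real capture."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Field names whose values should never cross the network unencrypted.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pin", "ssn", "account",
                    "accountnumber", "cardnumber", "cvv", "token", "secret"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"PATCH ", b"HEAD ", b"OPTIONS ")


def transport_of(payload):
    """Classify a TCP payload: plaintext HTTP, a TLS record, or unknown.
    TLS records begin with a content-type byte (0x14-0x17) and a 0x03 major version."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        return "tls"
    return "unknown"


def parse_http_request(payload):
    """Split one HTTP/1.x request into (method, target, lower-cased headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _sensitive_pairs(obj, prefix=""):
    """Walk a decoded JSON value and yield (path, value) for sensitive key names."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in SENSITIVE_FIELDS:
                yield (prefix + key, value)
            yield from _sensitive_pairs(value, prefix + key + ".")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _sensitive_pairs(value, f"{prefix}[{i}].")


def find_exposed_data(payload):
    """Return (host, [(kind, value), ...]) for one plaintext HTTP request."""
    _, target, headers, body = parse_http_request(payload)
    hits = []
    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        # Basic auth is only base64-encoded, so the credential is readable on the wire.
        hits.append(("basic-auth", base64.b64decode(param).decode("utf-8", "replace")))
    elif scheme:
        hits.append((f"{scheme.lower()}-token", param))
    if "cookie" in headers:
        hits.append(("session-cookie", headers["cookie"]))
    for field, values in parse_qs(urlsplit(target).query).items():
        if field.lower() in SENSITIVE_FIELDS:
            hits.append((f"query:{field}", values[0]))
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("utf-8", "replace")).items():
            if field.lower() in SENSITIVE_FIELDS:
                hits.append((f"form:{field}", values[0]))
    elif ctype.startswith("application/json") and body:
        try:
            hits.extend((f"json:{path}", str(value))
                        for path, value in _sensitive_pairs(json.loads(body)))
        except json.JSONDecodeError:
            pass
    return headers.get("host", "?"), hits


def analyze_capture(payloads, first_party):
    """Summarize each payload: transport, destination host, third-party flag, exposed data."""
    report = []
    for payload in payloads:
        kind = transport_of(payload)
        if kind != "http":
            # TLS payloads are ciphertext in Wireshark; nothing to read here.
            report.append({"transport": kind, "host": None, "third_party": None, "exposed": []})
            continue
        host, hits = find_exposed_data(payload)
        report.append({"transport": "http", "host": host,
                       "third_party": host.split(":")[0] not in first_party, "exposed": hits})
    return report


def sample_capture():
    """Constructed TCP payloads standing in for a capture of a hypothetical banking app."""
    basic = base64.b64encode(b"alice:Hunter2").decode()
    return [
        b"POST /api/login HTTP/1.1\r\nHost: api.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
        b"username=alice&password=Hunter2",
        (f"GET /v2/balance?account=12345678 HTTP/1.1\r\nHost: api.example.com\r\n"
         f"Authorization: Basic {basic}\r\nCookie: JSESSIONID=ABC123\r\n\r\n").encode(),
        b"POST /collect HTTP/1.1\r\nHost: stats.example-partner.net\r\n"
        b"Content-Type: application/json\r\n\r\n"
        b'{"device": "iPhone5,2", "user": {"account": "12345678"}}',
        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",   # TLS ClientHello fragment
    ]


if __name__ == "__main__":
    for entry in analyze_capture(sample_capture(), first_party={"api.example.com"}):
        print(entry)
```

The third-party flag is what turns "connection strings to servers" into a finding: the analytics host receives the account number in clear text even though the app's own login endpoint might be fine.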
DEFENSIVE TOOLS & TECHNIQUES
Developer Training
• OWASP Resources
– Top 10 Application Security Risks
– Top 10 Mobile Security Risks
– WebGoat Project (Java)
– Mutillidae (PHP)
– Bricks (PHP and MySQL)
• SANS Courses
– SEC542: Web App Penetration Testing and Ethical Hacking
– DEV522: Defending Web Applications Security Essentials
– DEV541: Secure Coding in Java/JEE
– DEV544: Secure Coding in .NET
• Web Application Security Consortium
– Web Security Articles
– Web Security Glossary
– Web Hacking Incidents Database (WHID)
– WASC Threat Classification v2
Code Obfuscation Techniques
• Implement anti-debug techniques
– Limit runtime manipulation
– Write critical portions of code in low-level C
• Restrict debuggers
– Tell the OS to prohibit debuggers from attaching to the process (on iOS this is the ptrace PT_DENY_ATTACH request)
– Android apps: android:debuggable="false" in the manifest (release builds default to this; an attacker can still repackage the APK with the flag set to true, so treat it as a speed bump rather than a control)
• Trace checking
– When a trace is detected, take defensive action
• Optimizations
– Hide complex logic with built-in compiler optimizations
• Stripping binaries
– Strips the symbol table
List from https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/code-complexity-obfuscation/
Santoku Linux
• Sponsored by viaForensics
• 'Three uses'
– Mobile Forensics
  • Firmware flashing tools
  • Imaging tools
  • Forensics tools (free + commercial)
– Mobile Malware Analysis
  • Mobile device emulators
  • Network service simulators
  • Decompilation and disassembly tools
  • Access to malware databases
– Mobile Security Testing
  • Decompilation and disassembly tools
  • Customized app analysis scripts
MobiSec Linux
• More robust than Santoku
• Includes BlackBerry tools
• Includes emulators and simulators
• Includes links to mobile infrastructure tools
– BES Express
– Google Mobile Management
– iPhone Configuration Tool
• Includes Smartphone Pentest Framework (SPF)
Windows App Security Tools
• Microsoft SDL Threat Modeling Tool
• FxCop – Static analyzer
• BinScope – Binary analyzer
• MiniFuzz File Fuzzer – Analyzes file-handling code
• Banned.h – Header file; use it to remove banned functions from code
All five (5) tools can be downloaded from http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402533(v=vs.105).aspx
iOS AppSec Cheat Sheet
Image from https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
RESOURCES
Resources - General
• Secure Mobile Development: 42+ Best Practices for Secure iOS and Android Development
– https://viaforensics.com/mobile-security/secure-mobile-development-42-practices-secure-ios-android-development.html
• Secure Mobile Application Development Reference
– http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf
• Developing Secure Mobile Applications
– http://www.slideshare.net/denimgroup/developing-secure-mobile-applications-17732256
• Security Assessment of BlackBerry Applications
– http://resources.infosecinstitute.com/security-assessment-of-blackberry-applications/
• Mobile App Security Code Reviews
– http://www.slideshare.net/denimgroup/mobile-application-security-code-reviews
• OWASP Advanced Mobile Application Code Review Techniques
– https://www.owasp.org/index.php/File:OWASP_Advanced_Mobile_Application_Code_Review_Techniques.pptx
• Santoku Linux
– https://santoku-linux.com/
• MobiSec Linux
– http://mobisec.secureideas.net/
Resources - Android (and BlackBerry)
• Understanding Android's Security Framework (Tutorial)
– http://siis.cse.psu.edu/android_sec_tutorial.html
• Android Developer Security Tips
– http://developer.android.com/training/articles/security-tips.html
• Understanding Security on Android
– http://www.ibm.com/developerworks/library/x-androidsecurity/
• Creating Secure (BlackBerry) Apps
– http://developer.blackberry.com/bbos/java/documentation/security_overview_1981777_11.html
• BlackBerry 10 Security Considerations
– http://developer.blackberry.com/native/documentation/cascades/best_practices/security/
Resources - Windows
• Security for Windows Phone (includes tool links)
– http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402533(v=vs.105).aspx
• WebBrowser control security best practices for Windows Phone
– http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff462081(v=vs.105).aspx
• Web service security for Windows Phone
– http://msdn.microsoft.com/en-us/library/windowsphone/develop/gg521147(v=vs.105).aspx
• How to encrypt data in a Windows Phone app
– http://msdn.microsoft.com/en-us/library/windowsphone/develop/hh487164(v=vs.105).aspx
• Data for Windows Phone
– http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402541(v=vs.105).aspx
• Hardening Windows 8 Apps for the Windows Store
– http://www.youtube.com/watch?v=5pxfy5GyQ5g
Resources - iOS
• iOS Application Security tutorial series (pen testing)
– http://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/
• iOS Introduction to Secure Coding Guide
– https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html#//apple_ref/doc/uid/TP40002415
• iOS App Sandboxing
– https://developer.apple.com/app-sandboxing/
• Reverse Engineering an iOS Application
– http://dinezhshetty.blogspot.com/2013/01/reverse-engineering-ios-application.html
• iOS Applications Reverse Engineering
– http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Bachmann.pdf
• Secure Development on iOS
– https://www.isecpartners.com/media/12985/secure_development_on_ios.pdf
Contact Info
Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/