Is My App Secure ?
Transcript of Is My App Secure ?
![Page 1: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/1.jpg)
Neo: Is my App Secure ?
Herman Duarte @hdontwit Cláudio André @clviper
1
![Page 2: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/2.jpg)
Agenda
- Who
- Objectives
- Approach
- Building blocks
- Analysis Statistics
- How we did it
- Interesting findings
- Q&A
![Page 3: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/3.jpg)
Who
Herman Duarte @hdontwit
![Page 4: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/4.jpg)
Who
Cláudio André @clviper
![Page 5: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/5.jpg)
Who
- We work @ Integrity S.A.
- Awesome co-workers and awesome workplace.
- We identify security issues for our clients to help them lower their security risks.
![Page 6: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/6.jpg)
![Page 7: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/7.jpg)
![Page 8: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/8.jpg)
![Page 9: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/9.jpg)
![Page 10: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/10.jpg)
![Page 11: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/11.jpg)
Objectives
- Evaluate iOS and Android apps from a security point of view.
- Automate pentest tasks for both Android and iOS.
- Share results.
- Have fun :)
![Page 12: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/12.jpg)
Approach
![Page 13: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/13.jpg)
![Page 14: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/14.jpg)
![Page 15: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/15.jpg)
![Page 16: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/16.jpg)
50+ apps analyzed
![Page 17: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/17.jpg)
Client
![Page 18: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/18.jpg)
Network
![Page 19: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/19.jpg)
Server
![Page 20: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/20.jpg)
![Page 21: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/21.jpg)
![Page 22: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/22.jpg)
![Page 23: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/23.jpg)
Vulnerabilities by OWASP Risk
![Page 24: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/24.jpg)
Android Vulnerabilities by OWASP Risk
![Page 25: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/25.jpg)
iOS Vulnerabilities by OWASP Risk
![Page 26: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/26.jpg)
Insecure Data Storage
![Page 27: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/27.jpg)
Transport Layer Security (chart: Android vs iOS)
![Page 28: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/28.jpg)
Certificate Pinning
![Page 29: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/29.jpg)
iOS Background Screenshot
![Page 30: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/30.jpg)
Android Obfuscation
![Page 31: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/31.jpg)
Android Obfuscated Apps By Category
![Page 32: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/32.jpg)
iOS Binary Protection
All apps analyzed have the following security features enabled in the binary:
- PIE (Position Independent Executable, which lets the main binary take part in ASLR)
- ARC (Automatic Reference Counting)
- SSPRO (Stack Smashing Protection, i.e. stack canaries)
- Encrypted binary (App Store encryption of the executable)
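The four protections on this slide can be read straight out of the Mach-O headers, which is what a bulk analysis tool does. The block below is an added example (our own Python, not code from iStat or from the talk) that parses a thin 64-bit Mach-O: the MH_PIE flag in the header, the cryptid field of LC_ENCRYPTION_INFO_64 for App Store encryption, and the ___stack_chk_* and _objc_release/_objc_retain imports in LC_SYMTAB, which are the usual evidence that stack canaries and ARC were compiled in. The build_sample_macho() helper constructs a minimal synthetic Mach-O (header plus two load commands) so that the checks can run offline; it is not a real app binary.

```python
"""Inspect a thin 64-bit Mach-O for PIE, encryption, stack canaries and ARC (added example)."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_PIE = 0x200000                       # header flag: image may be loaded at a random address
LC_SYMTAB = 0x2
LC_ENCRYPTION_INFO_64 = 0x2C
# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"

# Imported symbols that the compiler emits when the corresponding feature is on.
STACK_SYMBOLS = {"___stack_chk_fail", "___stack_chk_guard"}
ARC_SYMBOLS = {"_objc_release", "_objc_retain", "_objc_retainAutoreleasedReturnValue"}


def inspect_macho(blob: bytes) -> dict:
    """Return {'pie', 'encrypted', 'stack_canary', 'arc'} for one thin arm64 Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _cmdsz, flags, _res = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (thin fat binaries with lipo first)")
    result = {"pie": bool(flags & MH_PIE), "encrypted": False, "stack_canary": False, "arc": False}
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            result["encrypted"] = cryptid != 0          # cryptid 0: __TEXT payload is in the clear
        elif cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<IIII", blob, off + 8)
            strtab = blob[stroff:stroff + strsize]
            for i in range(nsyms):                      # each nlist_64 entry is 16 bytes
                n_strx = struct.unpack_from("<I", blob, symoff + 16 * i)[0]
                name = strtab[n_strx:strtab.index(b"\0", n_strx)].decode()
                if name in STACK_SYMBOLS:
                    result["stack_canary"] = True
                if name in ARC_SYMBOLS:
                    result["arc"] = True
        off += cmdsize
    return result


def build_sample_macho(pie: bool, cryptid: int, symbols: list) -> bytes:
    """Constructed test input: header + LC_ENCRYPTION_INFO_64 + LC_SYMTAB. Not a real app binary."""
    cmds_size = 24 + 24
    symoff = struct.calcsize(HEADER_FMT) + cmds_size
    stroff = symoff + 16 * len(symbols)
    strtab, nlist = b"\0", b""                         # string index 0 is the conventional empty name
    for sym in symbols:
        # n_strx, n_type (N_UNDF|N_EXT = imported), n_sect, n_desc, n_value
        nlist += struct.pack("<IBBHQ", len(strtab), 0x01, 0, 0, 0)
        strtab += sym.encode() + b"\0"
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 2, cmds_size,
                         MH_PIE if pie else 0, 0)       # cputype arm64, filetype MH_EXECUTE
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, len(symbols), stroff, len(strtab))
    return header + enc + symtab + nlist + strtab


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(inspect_macho(f.read()))
```

Two caveats when pointing this at a real app: the executable inside an IPA is usually a fat file (magic 0xCAFEBABE), so thin it with `lipo -thin arm64` first; and check the encryption flag on the binary as downloaded from the App Store, because a dumped or bulk-decrypted copy carries cryptid 0 by design. The symbol checks are heuristics: they show the binary links the canary and ARC runtime calls, not that every source file was compiled with those options.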
![Page 33: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/33.jpg)
![Page 34: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/34.jpg)
![Page 35: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/35.jpg)
iStat & Droidstat
- iOS and Android security analyser tools.
- Command line.
- A way to mass-analyse IPAs and APKs.
- Search and download apps (Android only).
- Bulk decryption of apps (iOS only).
- Bulk install, uninstall and backup of apps.
- Easy way to extend the heuristic checks (Android only, for now).
![Page 36: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/36.jpg)
iStat – Intro Video
https://youtu.be/bOtosGya_G4
![Page 37: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/37.jpg)
Droidstat – Intro Video
https://youtu.be/zPKUj8rb_ok
![Page 38: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/38.jpg)
Droidstat - Checks Config File
![Page 39: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/39.jpg)
Droidstat – Example Findings Video
https://youtu.be/uWJZa0vgbQ4
![Page 40: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/40.jpg)
Interesting Findings
![Page 41: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/41.jpg)
Invoice Registration App (Android)
- Under 100,000 installs.
- The credentials used for this service are also used on multiple Portuguese Government public services websites, so a credential leaked from the app exposes those services too.
![Page 42: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/42.jpg)
Invoice Registration App (Android)
![Page 43: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/43.jpg)
Invoice Registration App (Android)
![Page 44: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/44.jpg)
Invoice Registration App (Android)
![Page 45: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/45.jpg)
Invoice Registration App
![Page 46: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/46.jpg)
Invoice Registration App
![Page 47: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/47.jpg)
Invoice Registration App (Android)
![Page 48: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/48.jpg)
Invoice Registration App (Android)
![Page 49: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/49.jpg)
Invoice Registration App (Android)
![Page 50: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/50.jpg)
Invoice Registration App
![Page 51: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/51.jpg)
Invoice Registration App (Android)
![Page 52: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/52.jpg)
Invoice Registration App (Android)
Recommendations:
- Use a TLS implementation that correctly validates TLS certificates (the platform default already does).
- Use strong cryptographic algorithms to store sensitive information.
![Page 53: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/53.jpg)
Invoice Registration App – Dev Response
“As for the problems, although I think that both are difficult to replicate in a real case, I recognize that the app can be improved; taking this into account we will release an update by the weekend to solve the problems.” June 9
![Page 54: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/54.jpg)
Invoice Registration App – Dev Response (continued)
“The update of this weekend corrects the problems mentioned. Thanks again for the analysis.” June 22
![Page 55: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/55.jpg)
Shopping App (Android & iOS)
- Between 1M and 5M installs.
- More than 10M users.
![Page 56: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/56.jpg)
Shopping App (Android & iOS)
![Page 57: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/57.jpg)
Shopping App (Android & iOS)
![Page 58: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/58.jpg)
Shopping App (Android & iOS)
![Page 59: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/59.jpg)
Shopping App (Android & iOS)
![Page 60: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/60.jpg)
Shopping App (Android & iOS)
![Page 61: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/61.jpg)
Shopping App (Android & iOS)
![Page 62: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/62.jpg)
Shopping App (Android & iOS)
![Page 63: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/63.jpg)
Shopping App (Android & iOS)
Recommendations:
- If you override the TLS implementation, do it correctly; otherwise use the framework's default one, which correctly validates certificate chains.
![Page 64: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/64.jpg)
Mr. Smith: So, you're asking me if your app is secure?
![Page 65: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/65.jpg)
M2 - Insecure Data Storage
- On iOS, some applications still use property list files (.plist) or NSUserDefaults (which is itself persisted as a plist under the app's Library/Preferences directory) to store sensitive information, instead of the keychain.
- On Android, some applications store sensitive information in SharedPreferences files and SQLite databases without any encryption.
![Page 66: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/66.jpg)
M3 - Insufficient Transport Layer Protection
- The OS frameworks already do the hard work of TLS, so in the majority of the apps TLS is correctly implemented; nonetheless, when developers override the default implementation, most of the time bad things happen (typically a trust manager or delegate that accepts any certificate).
- We have seen certificate pinning used more in Android than in iOS applications.
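The M2 and M3 patterns above are exactly the kind of thing a configurable heuristic scanner (the "checks config" approach Droidstat takes) can flag in decompiled Android source before anyone opens a debugger. The block below is an added example, our own Python and not Droidstat's code or its config format: the Check structure, the rule IDs and the regexes are assumptions, and the three Java snippets in SAMPLE_SOURCES are constructed inputs (two insecure files and one that keeps the platform defaults), not code from any real app. Run it over the output of a decompiler such as jadx by loading the .java files into the sources dict.

```python
"""Regex heuristics for insecure storage (M2) and broken TLS overrides (M3) in decompiled Android code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str
    category: str          # OWASP Mobile Top 10 (2014) bucket
    pattern: re.Pattern
    description: str


# Hypothetical rule table: our own regexes, not Droidstat's checks file.
CHECKS = [
    Check("TLS-TRUST-ALL", "M3",
          re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.]+\s*)?\{\s*\}"),
          "X509TrustManager.checkServerTrusted is empty: every server certificate is accepted"),
    Check("TLS-VERIFY-ALL-HOSTS", "M3",
          re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}"),
          "HostnameVerifier.verify returns true unconditionally"),
    Check("TLS-ALLOW-ALL-HOSTNAME", "M3",
          re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
          "Apache HttpClient hostname verification disabled"),
    Check("TLS-WEBVIEW-PROCEED", "M3",
          re.compile(r"onReceivedSslError\s*\([^)]*\)[^}]*?\bhandler\s*\.\s*proceed\s*\(\s*\)"),
          "WebView continues past TLS errors"),
    Check("STORAGE-WORLD-ACCESS", "M2",
          re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)"),
          "file or SharedPreferences created world-readable/writable"),
    Check("STORAGE-SECRET-IN-PREFS", "M2",
          re.compile(r'putString\s*\(\s*"(?:password|passwd|pin|token|secret)"', re.I),
          "secret written to SharedPreferences without encryption"),
    Check("STORAGE-SECRET-IN-SQLITE", "M2",
          re.compile(r"\b(?:INSERT|UPDATE)\b[^;]*\b(?:password|pin|token)\b", re.I),
          "credential written to a SQLite table in the clear"),
]


def scan_sources(sources: dict) -> list:
    """sources maps file name -> Java text; returns sorted (file, line, check_id, category) tuples."""
    findings = []
    for filename, text in sources.items():
        for check in CHECKS:
            for match in check.pattern.finditer(text):
                line = text.count("\n", 0, match.start()) + 1   # 1-based line of the match start
                findings.append((filename, line, check.check_id, check.category))
    return sorted(findings)


# Constructed sample input (not from any real app).
SAMPLE_SOURCES = {
    "TrustAllManager.java": (
        "public class TrustAllManager implements X509TrustManager {\n"
        "    public void checkServerTrusted(X509Certificate[] chain, String authType)\n"
        "            throws CertificateException { }\n"
        "    public void checkClientTrusted(X509Certificate[] chain, String authType) { }\n"
        "    public X509Certificate[] getAcceptedIssuers() { return null; }\n"
        "}\n"
    ),
    "LoginActivity.java": (
        "SharedPreferences prefs = getSharedPreferences(\"session\", MODE_WORLD_READABLE);\n"
        "prefs.edit().putString(\"password\", pwd).commit();\n"
        "db.execSQL(\"INSERT INTO users(name, password) VALUES (?, ?)\", new Object[]{name, pwd});\n"
        "HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {\n"
        "    public boolean verify(String hostname, SSLSession session) { return true; }\n"
        "});\n"
    ),
    "SafeClient.java": (
        "SSLContext ctx = SSLContext.getInstance(\"TLS\");\n"
        "ctx.init(null, null, null);  // platform trust store and default hostname verification\n"
        "HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n"
    ),
}


if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print("%s:%d %s (%s)" % finding)
```

The rules are deliberately narrow (an empty checkServerTrusted body, a verify() that returns true) so that a hit is worth a manual look; a real rule set would also want the Kotlin spellings and the obfuscated-name variants, which is why keeping the rules in data rather than code, as the talk's tool does, pays off.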
![Page 67: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/67.jpg)
M4 - Unintended Data Leakage
- On iOS, the background screenshot leak happens most of the time because it is a side effect of OS behaviour (the system snapshots the screen when the app moves to the background) that most developers are not aware of.
![Page 68: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/68.jpg)
M10 - Lack of Binary Protections
- Regarding obfuscation, on Android not many apps are obfuscated, although the SDK ships the tooling (ProGuard) to do this out of the box.
- On iOS, because of Xcode's default build settings, the binary security features (PIE, ARC, SSPRO) were present in all of the apps analyzed.
![Page 69: Is My App Secure ?](https://reader031.fdocuments.in/reader031/viewer/2022030318/5a6600b07f8b9ade0e8b4653/html5/thumbnails/69.jpg)
Q&A