Mobile Penetration Testing: Episode 1 - The Forensic Menace

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

Transcript of Mobile Penetration Testing: Episode 1 - The Forensic Menace

Page 1: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Episode I: THE FORENSIC MENACE

Page 2: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Episode I: THE FORENSIC MENACE

Episode II: RETURN OF THE NETWORK/BACK-END

Episode III: ATTACK OF THE CODE

Page 3: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Connect

Twitter: @NowSecureMobile

Subscribe to #MobSec5, our weekly mobile security news digest

http://mobsec5.nowsecure.com/

Web: nowsecure.com

Page 4: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Katie Strzempka, Director of Mobile Services | NowSecure

Page 5: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Contents

● Areas of analysis/coverage

● Forensics deep dive: Mobile data at rest

● Approaching Android

● Approaching iOS

Page 6: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Your analysis checklist (a must-have)

● Why a checklist?

○ Consistency across results & teams

○ Creates a minimum baseline for security

● Creating your checklist

○ Internal policies

○ OWASP Top 10, NIAP (for government), etc.

○ Group into high-level categories

○ Break down categories into specific tests

● Allow analysts some leeway to get creative

Page 7: Mobile Penetration Testing: Episode 1 - The Forensic Menace


A repeatable process drives consistency and metrics

● Establish testing requirements

● Identify areas for interpretation/creativity

● Help with on-boarding & training staff

● Show developers what and how you will test

● Explain what must be fixed & what’s accepted

● Ensure full coverage (more on that later)

● Repeatability allows for measurement

● Make reporting consistent

For inspiration, see:

OWASP Mobile Security Testing Guide

Page 8: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Areas of analysis/coverage

● Mobile forensics & data recovery

● Network, web services, and API testing

● Server-side penetration testing

● Reverse engineering & code analysis

Page 9: Mobile Penetration Testing: Episode 1 - The Forensic Menace


“You know that [little droid leaking data] is going to cause me a lot of trouble.”

Page 10: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Where on a mobile device can data-at-rest be found?

● SD card/Emulated SD card (Android)

● System log files

● RAM

● Source code (hardcoded)

● Web cache/history (hybrid/web-wrapper apps)

● Private application folder

● Keychain

Page 11: Mobile Penetration Testing: Episode 1 - The Forensic Menace


What tools will allow you to achieve your data recovery and analysis objectives?

● Standard forensic acquisition software will recover the file system

● But it won’t:

○ Decrypt Keychain to see if sensitive values are stored

○ Recover syslog files (requires a special Cydia package)

○ Extract memory for running app processes

● Command-line knowledge is required for open-source tools

● The wrong tools can lead you down a tedious, time-consuming path

Page 12: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Sharpest tools in the shed

Target / Relevant tools and/or documentation

File system
● Android: Android Debug Bridge (i.e., “adb pull” command)
● iOS: libimobiledevice

System log files
● Android: logcat command-line tool
● iOS: Syslog (instructions for non-developers)

iOS Keychain
● iOS Keychain analyzer

RAM
● Android: Android Debug Bridge (i.e., “adb dumpsys meminfo”)
● iOS: heapdump-ios

A full suite of mobile tools: Santoku Linux

Page 13: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Prioritize findings by risk (likelihood + significance + value)

● Risk depends on location of data

● Take into consideration:

○ Sensitivity of the data

○ Likelihood of exploit

○ Remote vs. local attack

● Common Vulnerability Scoring System (CVSS) is one framework for assigning risk to vulnerabilities

[Figure: risk chart with axes Likelihood and Significance]

Page 14: Mobile Penetration Testing: Episode 1 - The Forensic Menace


“[Droid Android], please!”

Page 15: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Requirements for Android forensic analysis

Rooted Android device w/ USB cable

We’ll be using a Google Nexus 5

Linux machine or VM w/ Android Studio tools

May we recommend Santoku Linux?

Page 16: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Where does data “rest” on Android?

Common storage areas

● Private application folder*

● SD Card / Emulated SD Card*

● System log files

● RAM

● Hard-coded data in source code

● Web cache/history (for hybrid/web wrapper apps)

Page 17: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 1: Locate your app (adb)

Access the device shell:

Locate the app data directory:

Find the app’s private directory:

Page 18: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 2: Pull app data off phone

Pull data from the SD card/app directory (adb pull <data-path-source> <destination>):

Page 19: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 3: Analyze app data

App files recovered from Any.do Android app:

Page 20: Mobile Penetration Testing: Episode 1 - The Forensic Menace


“The [Emperor iOS] is not as forgiving as I am.”

Page 21: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Requirements for iOS forensic analysis

Linux machine or VM

Again, give Santoku Linux a try

Jailbroken iOS device (≤ 9.3.3) w/ USB cable

We’ll be using an iPhone 6

Remote connection (SSH) & secure copy (SCP)

Instructions here

Page 22: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Where does data “rest” in iOS?

Common storage areas

● Private application folder*

● Syslog

● RAM

● Keychain

● Hard-coded values

● Web cache/history (for hybrid/web wrapper apps)

Page 23: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 1: Locate your app

Remotely connect to your iOS device:

App bundles and data location:

App bundles location:

App data location:

Page 24: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 1 (continued): Locate your app

Sort by most recently installed:

Change into that directory/make sure it’s the target app:

Page 25: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 2: Pull app data off phone

Make note of the full path from the previous step:

/private/var/mobile/Containers/Data/Application/983FCB4E-E5B5-4C8C-A4AF-F9139FE74EC3 (for example)

scp command to copy files from the app folder:

Page 26: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Step 3: Analyze app data

App files recovered from Any.do iOS app:

Page 27: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Pointers to keep in mind during forensic analysis

● SQLite databases, plist, and XML files are common: find your favorite viewers

● When searching for data in large files, command-line tools are best: try grep

● Look for data stored as common hashes/encodings (base64, md5, sha256, etc.)

● iOS apps use the “Cache.db” file, which often contains large amounts of data

● Don’t limit yourself: explore storage locations beyond those discussed today!
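As an added example (not from the slides or from NowSecure), here is a small Python scanner for the Step 3 "analyze app data" stage on either platform that applies the pointers above: it walks a pulled app directory, reads every SQLite table and SharedPreferences-style XML file, and flags values that look like md5/sha256 digests or base64 blobs, plus any field named token/password/secret/session. The sample directory it builds is constructed for the demo, not real Any.do data; binary iOS plists are assumed out of scope (they would need plistlib).

```python
import base64, os, re, sqlite3, tempfile, xml.etree.ElementTree as ET
HEX_RE = re.compile(r'^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$')  # md5 = 32 hex chars, sha256 = 64
B64_RE = re.compile(r'^(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')
KEYWORDS = ('token', 'password', 'secret', 'session')  # field names that are always flagged

def classify(value):
    """Return 'md5', 'sha256', 'base64' or 'plain' for one stored string."""
    if HEX_RE.match(value):
        return 'md5' if len(value) == 32 else 'sha256'
    return 'base64' if B64_RE.match(value) else 'plain'

def values_in_file(path):
    """Yield (label, value) pairs from every SQLite table row or XML (SharedPreferences) node."""
    if path.endswith(('.db', '.sqlite')):
        con = sqlite3.connect(path)
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            cur = con.execute(f'SELECT * FROM "{table}"')
            cols = [d[0] for d in cur.description]
            for row in cur:
                yield from ((f'{table}.{c}', v) for c, v in zip(cols, row) if isinstance(v, str))
        con.close()
    elif path.endswith('.xml'):  # binary iOS plists would need plistlib instead
        for el in ET.parse(path).iter():
            if el.text and el.text.strip():
                yield el.get('name') or el.tag, el.text.strip()

def scan(root):
    """Walk a pulled app directory; flag hashed/encoded values and keyword-named fields."""
    hits = []
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            for label, value in values_in_file(path):
                kind = classify(value)
                if kind != 'plain' or any(k in label.lower() for k in KEYWORDS):
                    hits.append((os.path.relpath(path, root), label, kind, value))
    return sorted(hits)

def build_sample():
    """Constructed stand-in for a pulled app data directory (not real Any.do data)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, 'shared_prefs'))
    token = base64.b64encode(b'user=alice;ttl=3600').decode()
    with open(os.path.join(root, 'shared_prefs', 'auth.xml'), 'w') as f:
        f.write(f'<map><string name="session_token">{token}</string><string name="theme">dark</string></map>')
    with sqlite3.connect(os.path.join(root, 'app.db')) as con:
        con.execute('CREATE TABLE users(email TEXT, pw_hash TEXT)')
        con.execute('INSERT INTO users VALUES (?, ?)', ('alice@example.com', 'd' * 32))
    return root
```

Point scan() at the directory produced by adb pull or scp; each hit names the file, the table column or preference key, and why it was flagged, so the findings feed straight into the risk prioritization step.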

Page 28: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Create a checklist and document your process

Assign responsibility for various test coverage areas

Select the right tools to find/test for insecure data storage

Look for data in common areas (but don’t limit yourself)

If data is found, determine its value and the risk

Page 29: Mobile Penetration Testing: Episode 1 - The Forensic Menace


Episode II: RETURN OF THE NETWORK/BACK-END

Next Thursday, December 15, 1 p.m. CST / 11 a.m. PST

REGISTER NOW: http://bit.ly/2g7ZRXd

Page 30: Mobile Penetration Testing: Episode 1 - The Forensic Menace

Let’s talk

NowSecure | +1 312.878.1100

@NowSecureMobile | www.nowsecure.com

Subscribe to #MobSec5 - a digest of the week’s mobile news that matters - http://mobsec5.nowsecure.com/