Bojan Ždrnja, CISSP, GCIA, GCIH, [email protected]
INFIGO IS, http://www.infigo.hr
Who am I?
Senior information security consultant at INFIGO IS
Penetration testing (all sorts), IT/Security consulting, Splunk implementations
Various duties at SANS
Internet Storm Center Handler
Mostly known for reverse engineering malware
SANS GREM (GIAC Reverse Engineering Malware) course co-author
Previously …
Team Cymru Dragon Research Group member
University of Auckland honorary researcher
About INFIGO IS
Offices
Business lines
Compliance consulting
Security assessments
Penetration testing, strongest team in the region!
Security solutions
IPS, SIEM, NMS etc.
Strong security professionals team
15+ SANS, ISC2, ISACA… cert. professionals
HQ Zagreb, Croatia
Web: www.infigo.hr
Subsidiaries:
Skopje, Macedonia
Sarajevo, Bosnia and Herzegovina
Tirana, Albania
Agenda
Threat landscape
Old and new attack vectors
The good, the bad and the ugly… and the 2014 version
Getting our hands dirty
Tools and methods we use for hacking mobile applications
Mobile application vulnerabilities
Overview of vulnerability classes we identified in our penetration testing engagements
Threat landscape
There are new security risks stemming from mobile devices
Small form factor
Easy to lose, easy to steal
Security tools on mobile devices are very limited
Do you run an anti-virus on your mobile phone?
Or a host based IPS?
These devices are constantly being connected to different networks
Wireless, 3G, 4G …
Data at rest
What data is used to authenticate the user?
Or to authorize transactions (when talking about Internet banking)?
Should be some kind of two factor authentication
Sensitive data/key crypto material should be appropriately protected on the device
If possible, use hardware encryption
Never store the PIN locally
SQLite databases are cool only for application data
Do not hard code “secret” stuff
Data in transit
Always use SSL
If possible perform certificate pinning
Properly validate SSL certificates
Mobile devices connect to all sorts of unfriendly networks
Sessions are important
Allow the user to block/deny connections when something has gone amiss
Standard data validation requirements
Input/output
Especially important if platforms such as Apache Cordova are used
Not only on the client side!
Hacking mobile applications
Actually, it’s not that bad
But as always, the following three are here:
Hacking mobile applications
This is what it looks like today:
Hacking mobile applications
The good
RISC architecture makes reverse engineering generally easier
Some platforms are “easier” to analyze
On Android we can even get the source code back
In some cases
If not – there is always bytecode
There have been advances in the tools used for analysis/penetration testing/reverse engineering of mobile applications
Hacking mobile applications
The bad
Some platforms are impossible to analyze without a jailbroken device
So far we’re good
Thanks to Pangu, for iOS 8 too!
Available tools … could still use more development
Unstable environments
Debuggers that do not resolve symbols properly
It is getting better though
Hacking mobile banking applications
The ugly
On iOS we’re dealing with Objective-C
Applications can combine this with C/C++
Makes analysis much more difficult
Basically the same as reverse engineering fat client applications
Obfuscation methods can make our work much more difficult
Typically used to prevent conversion back to source code
Very frequently used today
ProGuard is used almost by default
We often see commercial obfuscators
Getting ugly with obfuscation
Obfuscating class and method names is just annoying
Commercial obfuscators are adopting quickly
We can see anti-reversing techniques previously used on PCs
Dynamic class loading with reflection
Dynamic generation of function names
Char arrays over which various arithmetic-logic functions are performed
Encryption of classes/libraries
Usage of native code
Tools of trade (iOS)
otool for basic analysis
class-dump-z for class/header dumping
clutch/rasticrac for cracking
Removes encryption, easily done manually
IDA Pro for static analysis
Or Hopper
Dynamic analysis
gdb is (sometimes) your friend
cycript
snoop-it for easy visualization of activities
iNalyzer as a framework
Snoop-it (iOS)
Tools of trade (Android)
Reversing/decompiling tools
Apktool
Smali/baksmali
Dex2jar, jd-gui
Apkanalyser
Androguard
Virtuos Ten Studio
Dynamic analysis
DDMS (Dalvik Debug Monitor Server)
jdb
Can be combined with Netbeans/Eclipse
Allows for easy debugging!
Netbeans (Android)
Tools of trade (network analysis)
We can easily sniff network traffic
Make the device use our own wireless network
Tcpdump/Wireshark are great tools
Unless the traffic is encrypted
Interception
Typically Burp Suite Professional is used
Can proxy SSL traffic easily
We might have problems with certificate verification/pinning
Can be circumvented through run-time debugging if nothing else
Burp can even work as a transparent network proxy
Locally stored sensitive information
Worst case scenario: a mobile device gets stolen or lost
Do not store sensitive information locally
If you really need to do that, use a safe way
Such as the keychain on iOS
Many bad cases in the wild
Bugs in code
Even the strongest crypto can fail if incorrectly used
Where’s the error here?
Is this strong crypto?
Data in transit
Almost all tested applications use SSL
That’s great
We need to defend against Man-in-the-Middle attacks
Generally done through certificate verification
Good applications will do certificate pinning
Do it the “Google Chrome” way
Trust only one issuer, or verify the certificate’s hash
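An added example, not from the slides, of the “verify the certificate’s hash” variant of pinning: the app ships a Base64(SHA-256) pin of the server’s SubjectPublicKeyInfo (the Chrome way) and compares it with the certificate presented during the handshake, so a renewal that keeps the same key still passes. The DER walker, the `der` encoder and the `fake_cert` skeleton are constructed for this example only; real pins come from the production certificate.

```python
import base64
import hashlib

SEQ, INT, OID, NULL, BITSTR, CTX0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0xA0

def _tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == CTX0:                        # optional [0] EXPLICIT version (v2/v3 certs)
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != SEQ:
        raise ValueError("subjectPublicKeyInfo not found where expected")
    return cert_der[pos:end]

def spki_pin(cert_der):
    """Base64(SHA-256(SPKI)): the pin format Chrome and HPKP use."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned_set):
    """True only if the presented certificate's SPKI pin is one the app ships with."""
    return spki_pin(cert_der) in pinned_set

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(key_bytes, with_version=True):
    """Constructed certificate skeleton (not a real cert): only the field layout matters."""
    alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    spki = der(SEQ, alg + der(BITSTR, b"\x00" + key_bytes))
    version = der(CTX0, der(INT, b"\x02")) if with_version else b""
    tbs = der(SEQ, version + der(INT, b"\x01") + der(SEQ, b"") * 4 + spki)
    return der(SEQ, tbs + der(SEQ, b"") + der(BITSTR, b"\x00")), spki
```

In a real client the DER comes from the TLS handshake (for example `ssl.SSLSocket.getpeercert(binary_form=True)`), and the pinned set should also contain a backup key's pin so a planned key rotation does not lock users out.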
Client side attacks
Very rare, if not impossible against native applications
For “web based native” applications same rules apply as for web applications
Some very interesting cases here
XSS vulnerability in a mobile application?
… sure, why not?
Server side attacks
In all conducted tests, this was the weakest point
For some reason we travelled in time here
Back to 2000?
Very often we find that the server side controls are insufficient
Either the developers didn’t pay attention
Or too many technologies got integrated
But we saw some scary bugs
Proper test: modify every and any input parameter
Identify logical vulnerabilities, not only technical ones
These are normally much more dangerous
The revolution is coming
Hacking of mobile applications has become both easier and more difficult
Obfuscation can make our lives (much) more difficult
Rapid growth guarantees there will be bugs
Complex technologies interweaved together guarantee there will be bugs
Sloppy developers guarantee there will be bugs
… and some of the bugs can be very, very scary!
Thank you for your attention!