Software Engineer at Sopra Steria
Leading TG:Hack, Norway's largest hacking competition
Leading UiO-CTF with Laszlo
Shared 1st place in the qualification round of Norwegian Cyber Security Championship 2018
«Hacker boss Marit»
But mobile is safe… right?
7 billion devices, 10 billion by 2018
52 million mobile devices stolen yearly
25% of mobile devices run into a threat monthly
75% increase in malware yearly
75% of apps fail basic security tests
2000+ malicious apps installed on employee devices
56% of IT admins admit they are unlikely to detect mobile threats
Mobile security challenges
Mobile and web
• Wide audience
• Rapid development
• Focus on security among developers
• Continuous network connectivity
• Traditional fat client applications
Unique to mobile
• Applications coming from unknown developers who should be considered “untrusted”
• Buffer management
• Local encryption
• Malware
Three steps to get Java source code
1. Download from Google Play Store
2. Decompile APK
3. Extract source code
Downloading APK files from Google Play Store
General
• In CTFs, they will usually provide you with the APK file
• Sometimes as a pentester, you will need to get the APK yourself
• Protip: Use CMD (not PowerShell) when using Windows
Fetching
Using gp-download
• Set environment variables:
  • GOOGLE_LOGIN=<replace-with-real-value>
  • GOOGLE_PASSWORD=<replace-with-real-value>
  • ANDROID_ID=<replace-with-real-value>. You may find the ID (GSF) using the Device ID app.
• Enable “Allow less secure apps”: https://myaccount.google.com/lesssecureapps
$ gp-download package-name > package-name.apk
Decompile with apktool
General
• An APK is a zipped folder containing..
  • .dex files
  • Binary files
• Dalvik? What the..
Decompiling
Using apktool
$ apktool d appname.apk
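To see for yourself that an APK is just a zip with .dex files inside, here is an added example (not from the slides) that lists the archive entries and sanity-checks each DEX header (magic, version, endian tag, declared file size). It builds a constructed two-entry APK in memory so it runs offline; call `inspect_apk()` on the bytes of a real APK otherwise.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"  # followed by a 3-digit version and a NUL byte


def parse_dex_header(data: bytes) -> dict:
    """Return the DEX header fields that are cheap to check by hand."""
    if len(data) < 0x70 or data[:4] != DEX_MAGIC or data[7:8] != b"\x00":
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii")
    # file_size and header_size: little-endian u32 at 0x20 and 0x24
    file_size, header_size = struct.unpack_from("<II", data, 0x20)
    endian_tag, = struct.unpack_from("<I", data, 0x28)  # 0x12345678 = ENDIAN_CONSTANT
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        "size_matches": file_size == len(data),
    }


def inspect_apk(apk_bytes: bytes) -> dict:
    """List the entries of an APK and parse every .dex header in it."""
    report = {"entries": [], "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.filename.endswith(".dex"):
                report["dex"][info.filename] = parse_dex_header(zf.read(info))
    return report


def make_fake_dex(version: bytes = b"035") -> bytes:
    """Constructed, non-executable DEX: a valid 0x70-byte header and nothing else."""
    header = bytearray(0x70)
    header[0:8] = DEX_MAGIC + version + b"\x00"
    struct.pack_into("<II", header, 0x20, 0x70, 0x70)  # file_size, header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)   # endian_tag
    return bytes(header)


def make_fake_apk() -> bytes:
    """Constructed APK: a manifest placeholder plus one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml-placeholder/>")
        zf.writestr("classes.dex", make_fake_dex())
    return buf.getvalue()
```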
Extract Java source code from APK
General
• SMALI?! ~ Mobile app assembly code
Extract Java source code
Using jadx-gui
$ jadx-gui appname.apk
Rebuild APK with apktool
1. Make changes to Smali code
2. Rebuild the app
3. Sign the app
Using apktool
$ apktool b /appFolder/
$ keytool …
$ jarsigner …
But first.. Android Debug Bridge
adb is a very nice command line tool that lets you
communicate with an emulator instance or with a
connected Android device.
adb commands
• adb shell
• adb logcat
• adb install <appname.apk>
• adb push <srcaddr> <destaddr>
• adb pull <srcaddr> <destaddr>
1. Insecure data storage
General
• Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more.
• Stored in
  • SQLite DB
  • Log files
  • Plist files
  • XML data stores or manifest files
  • Binary data stores
  • Cookies stores
  • SD cards
> Hacking
• Shared preferences
• SQLite database
• SD Card
  • Any application can read contents of SD Card
  • No file permissions on SD Card
> Shared preferences
• key-value pairs
• E.g. storage of user settings and application data
• Remember to run the app once!
> SQLite database
Using SQLite from the command line
Run
$ sqlite3 <dbname.db>
.. and:
• To dump the schema: .schema
• List databases: .databases
• List tables: .tables
• Dump a table: .dump <tablename>
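To audit the shared preferences and the SQLite database you pulled with adb, here is an added example (not from the slides) that does programmatically what the sqlite3 commands above do by hand: it parses a shared_prefs XML file and flags credential-looking keys, then enumerates tables and columns through sqlite_master and PRAGMA table_info and reports credential-looking columns with their row counts. The prefs XML and the database are constructed inline; the key-name heuristic (`SENSITIVE`) is this example's own assumption.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of /data/data/<pkg>/shared_prefs/<name>.xml
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <string name="auth_token">eyJhbGciOi.constructed.value</string>
</map>"""

# Heuristic for key/column names that should never be stored in plaintext
SENSITIVE = re.compile(r"pass(word|wd)?|token|secret|pin|session|key", re.I)


def audit_shared_prefs(xml_text: str) -> list:
    """Return (key, value) pairs whose key looks like a credential."""
    findings = []
    for el in ET.fromstring(xml_text):  # children of <map>
        name = el.get("name", "")
        if SENSITIVE.search(name):
            # <string> keeps its value as text; other types use value="..."
            value = el.text if el.tag == "string" else el.get("value")
            findings.append((name, value))
    return findings


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a pulled <app>.db file."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    con.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    return con


def audit_sqlite(con: sqlite3.Connection) -> dict:
    """Like .tables/.schema: find credential-like columns and count their rows."""
    findings = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        hit = [c for c in cols if SENSITIVE.search(c)]
        if hit:
            n = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            findings[table] = {"columns": hit, "rows": n}
    return findings
```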
2. Insecure communication
General
• Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more.
• Security bugs include
  • SSL/TLS certificate issues
  • Poor handshake
  • HTTP transfer of data in clear text
Common developer mistakes
• Accepting self-signed certificates
• Setting a permissive hostname verifier
> Hacking
• MITM: capture, view, and modify traffic sent and received between app and server.
• Forging requests without MITM.
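Once you have Java source from jadx, the two developer mistakes above are easy to spot mechanically. This added example (not from the slides) scans decompiled source for an empty `checkServerTrusted` body or a null `getAcceptedIssuers` (a trust-all TrustManager that accepts self-signed certificates), a `HostnameVerifier.verify` that always returns true or use of `ALLOW_ALL_HOSTNAME_VERIFIER`, and hard-coded cleartext `http://` endpoints. The source excerpt is constructed to look like jadx output; the regexes are this example's own heuristics and will not catch every variant.

```python
import re

# Constructed excerpt of a decompiled class that trusts every certificate and host
SAMPLE_JAVA = """
public class NetHelper {
    static TrustManager[] trustAll = new TrustManager[]{new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};
    static HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String h, SSLSession s) { return true; }
    };
    static final String API = "http://api.example.test/login";
}
"""

CHECKS = [
    # (label, regex over the whole file; DOTALL so bodies spanning lines match)
    ("empty checkServerTrusted (accepts self-signed/any cert)",
     r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}"),
    ("getAcceptedIssuers returns null",
     r"getAcceptedIssuers\s*\(\)\s*\{\s*return\s+null\s*;"),
    ("permissive HostnameVerifier (verify returns true)",
     r"verify\s*\(\s*String[^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;"),
    ("ALLOW_ALL_HOSTNAME_VERIFIER", r"ALLOW_ALL_HOSTNAME_VERIFIER"),
    ("cleartext http:// endpoint", r"\"http://[^\"]+\""),
]


def scan_java(source: str) -> list:
    """Return (label, line_number) for every check that matches, in line order."""
    hits = []
    for label, pattern in CHECKS:
        for m in re.finditer(pattern, source, re.DOTALL):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((label, line))
    return sorted(hits, key=lambda h: h[1])
```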
3. Extraneous functionality
General
• Backdoors or security controls helpful during development
• Information examples
  • back-end test, demo, staging or UAT environments
  • administrative endpoints
  • two-factor authentication bypass for dev/testing
“A very concerning 92% of Android apps tested have extraneous functionality issues while only a very small 2% of iOS apps show these issues.”
> Hacking
• Set debug flag
• Reading logs
• Find endpoints for devs/admin
• Other loopholes
$ adb logcat [-b buffername]
Best practice
• DON’T PUSH IT TO PRODUCTION!!
• Remove method calls to log class for release builds
• Disable ‘ANDROID:DEBUGGABLE’ flag in production builds.
• On iOS disable NSLog statements.
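The best-practice list above can be turned into a release check. This added example (not from the slides) reads an apktool-decoded AndroidManifest.xml to see whether `android:debuggable` is still set on `<application>`, and scans decompiled Java for leftover `Log.*` calls and URLs that hint at dev, staging, UAT, demo or admin endpoints. The manifest and source are constructed inline; the endpoint keyword list is this example's own assumption.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed apktool-decoded AndroidManifest.xml with the debug flag left on
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:debuggable="true" android:label="Bank">
        <activity android:name=".LoginActivity"/>
    </application>
</manifest>"""

# Constructed decompiled source with debug logging and non-production URLs
SAMPLE_JAVA = """
    Log.d("Login", "pin=" + pin);
    String base = "https://staging-api.example.test/v2/";
    String admin = "https://api.example.test/admin/reset2fa";
"""

# URL containing a keyword that suggests a dev/staging/admin endpoint
ENDPOINT_HINT = re.compile(
    r"https?://[^\"\s]*(staging|dev|uat|demo|admin)[^\"\s]*", re.I)
# android.util.Log.d/v/e/i/w( ... )
LOG_CALL = re.compile(r"\bLog\.[dveiw]\s*\(")


def is_debuggable(manifest_xml: str) -> bool:
    """True if <application android:debuggable="true"> is set in the manifest."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "debuggable") == "true"


def find_extraneous(java_source: str) -> dict:
    """Count log calls and collect URLs that look like non-production endpoints."""
    return {
        "log_calls": len(LOG_CALL.findall(java_source)),
        "endpoints": [m.group(0) for m in ENDPOINT_HINT.finditer(java_source)],
    }
```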
Tools list for workshop tomorrow!
Mobile tools
• Android Studio (with emulator!)
• APKtool
• jadx-gui
• adb
• Frida
• keytool
Find more on my github: https://github.com/maritiren/CTF/wiki/android
Vulnerable app
• InsecureBankv2 https://github.com/dineshshetty/Android-InsecureBankv2
MITM:
• Burpsuite
Sources
• NowSecure online book about secure coding of mobile apps
• NowSecure short article introducing the online book, containing links to best practices to prevent common security vulnerabilities.
• Blogpost Microsoft - Top 5 Mobile App Security Failures and How To Prevent Them
• Pluralsight, Ethical hacking: Hacking Mobile Platforms