Mobile hacking

Marit Iren Rognli Tokle

14.11.2018


Software Engineer at Sopra Steria

Leading TG:Hack, Norway’s largest hacking competition

Leading UiO-CTF with Laszlo

Shared 1st place in the qualification round of Norwegian Cyber Security Championship 2018

«Hacker boss Marit»

Agenda

1. Mobile security primer
2. Attack surface
3. OWASP Top 10 Mobile
4. Tools

1. Mobile security primer

But mobile is safe…right?

• 7 billion devices, 10 billion by 2018
• 52 million mobile devices stolen yearly
• 25% of mobile devices run into a threat monthly
• 75% increase in malware yearly
• 75% of apps fail basic security tests
• 2000+ malicious apps installed on employee devices
• 56% of IT admins admit they are unlikely to detect mobile threats

Mobile security challenges

Unique to mobile

• Applications coming from unknown developers who should be considered “untrusted”

Mobile and web

• Wide audience
• Rapid development
• Focus on security among developers
• Continuous network connectivity
• Traditional fat client applications
• Buffer management
• Local encryption
• Malware

2. Attack surface

3. OWASP Mobile Top 10

Let’s get started hacking Android with.. 1 – 2 – 3

Three steps to get Java source code

1. Download from Google Play Store

2. Decompile APK

3. Extract source code

Downloading APK files from Google Play Store

General

• In CTFs, they will usually provide you with the APK file
• Sometimes as a pentester, you will need to get the APK yourself
• Protip: Use CMD (not PowerShell) when using Windows

Fetching

Using gp-download

• Set environment variables:
  • GOOGLE_LOGIN=<replace-with-real-value>
  • GOOGLE_PASSWORD=<replace-with-real-value>
  • ANDROID_ID=<replace-with-real-value>. You may find the id (GSF) using the Device ID app.
• Enable “Allow less secure apps”: https://myaccount.google.com/lesssecureapps

$ gp-download package-name > package-name.apk

Decompile with apktool

General

• An APK is a zipped folder containing..
  • .dex files
  • Binary files
• Dalvik? What the..

Decompiling

Using apktool

$ apktool d appname.apk
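To make the "an APK is a zipped folder" point concrete, here is an added example (not from the slides, and not apktool's or jadx's own code) that builds a fake APK in memory and inventories it with nothing but Python's zipfile module. The file names follow the standard APK layout; the file contents are constructed stubs (only the dex magic bytes are real), so it runs offline with no app at hand.

```python
import io
import zipfile

# Every Dalvik executable starts with "dex\n" followed by a three-digit version and NUL.
DEX_MAGIC_PREFIX = b"dex\n"
# Files under META-INF/ that belong to JAR-style (v1) signing.
SIGNATURE_EXTENSIONS = ("RSA", "DSA", "EC", "SF")


def build_sample_apk() -> bytes:
    """Construct a minimal fake APK in memory (demonstration data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Binary (AXML) manifest stub: apktool decodes this back to readable XML.
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)
        # Dalvik bytecode; this is what jadx turns back into Java.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        zf.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 100)
        # Native library: an ELF header stub.
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
        # JAR-style signature: `apktool b` produces an unsigned APK, so jarsigner re-creates these.
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 16)
    return buf.getvalue()


def inventory_apk(apk_bytes: bytes) -> dict:
    """Open an APK as the zip it is and report dex files, native libs and signature files."""
    report = {
        "dex_files": [],
        "bad_dex_magic": [],
        "native_libs": [],
        "signature_files": [],
        "has_manifest": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex"):
                report["dex_files"].append(name)
                # A .dex that does not start with the magic is corrupt or deliberately mangled.
                if not zf.read(name).startswith(DEX_MAGIC_PREFIX):
                    report["bad_dex_magic"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in SIGNATURE_EXTENSIONS:
                report["signature_files"].append(name)
            elif name == "AndroidManifest.xml":
                report["has_manifest"] = True
    return report


if __name__ == "__main__":
    for key, value in inventory_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run it against a real APK by replacing `build_sample_apk()` with `open("appname.apk", "rb").read()`; the same listing is what `apktool d` unpacks and what `jadx-gui` reads the `classes*.dex` entries from.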

Extract Java source code from APK

General

• SMALI?!
  • ~ Mobile app assembly code

Extract Java source code

Using jadx-gui

$ jadx-gui appname.apk

Rebuild APK with apktool

1. Make changes to Smali code
2. Rebuild the app
3. Sign the app

Using apktool

$ apktool b /appFolder/
$ keytool …
$ jarsigner …

Let’s do some hacking

But first.. Android Debug Bridge

adb is a very nice command line tool that lets you communicate with an emulator instance or with a connected Android device.

adb commands

• adb shell

• adb logcat

• adb install <appname.apk>

• adb push <srcaddr> <destaddr>

• adb pull <srcaddr> <destaddr>

1. Insecure data storage

General

• Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more.
• Stored in
  • SQLite DB
  • Log files
  • Plist files
  • XML data stores or manifest files
  • Binary data stores
  • Cookies stores
  • SD cards

> Hacking

• Shared preferences
• SQLite database
• SD Card
  • Any application can read contents of SD Card
  • No file permissions on SD Card

> Shared preferences

• key-value pairs
• E.g. storage of user settings and application data
• Remember to run the app once!

> SQLite database

• Often used in apps
• Open-source, no need of a server

Using SQLite from the command line

Run

$ sqlite3 <dbname.db>

.. and:

• To dump the schema: .schema
• List databases: .databases
• List tables: .tables
• Dump a table: .dump <tablename>
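The shared preferences and SQLite slides above both come down to the same check: after pulling an app's data directory, is anything sensitive sitting there in clear text? The following added example (mine, not from the deck or any of the tools it lists) automates that check for both storage types. The shared_prefs XML and the SQLite rows are constructed sample data standing in for what `adb pull /data/data/<package>/` would return from an emulator; the list of "sensitive" names is an assumption you would tune per app.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key or column names that should never hold a clear-text value on disk (assumed list, tune per app).
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|pwd|token|secret|api_?key|session|imei|serial|ssn|card)", re.I
)

# Constructed sample of /data/data/<package>/shared_prefs/<package>_preferences.xml
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <string name="auth_token">eyJhbGciOi.example.signature</string>
    <int name="launch_count" value="3" />
</map>
"""


def scan_shared_prefs(xml_text: str) -> list:
    """Return (key, value) pairs whose key looks sensitive and whose value is present."""
    findings = []
    for elem in ET.fromstring(xml_text):
        key = elem.get("name", "")
        # <string> keeps its value as element text; the other types use a value attribute.
        value = elem.text if elem.tag == "string" else elem.get("value")
        if SENSITIVE_NAME.search(key) and value:
            findings.append((key, value))
    return findings


def make_sample_db(path: str) -> None:
    """Create a constructed app database like those under /data/data/<package>/databases/."""
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
        INSERT INTO settings VALUES ('theme', 'dark');
        INSERT INTO settings VALUES ('device_imei', '000000000000000');
        """
    )
    con.commit()
    con.close()


def scan_sqlite(path: str) -> list:
    """Return (table, column_or_key, value) for sensitive columns and for sensitive keys in key/value tables."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in con.execute(f"PRAGMA table_info('{table}')")]
        for row in con.execute(f'SELECT * FROM "{table}"').fetchall():
            for col, val in zip(columns, row):
                if SENSITIVE_NAME.search(col) and val not in (None, ""):
                    findings.append((table, col, str(val)))
            # Key/value tables hide the sensitive name in the data, not in the schema.
            if columns == ["key", "value"] and SENSITIVE_NAME.search(str(row[0])):
                findings.append((table, str(row[0]), str(row[1])))
    con.close()
    return findings


def scan_app_data(xml_text: str, db_path: str) -> dict:
    """Combine both scans, the way a reviewer would after pulling the app's data directory."""
    return {"shared_prefs": scan_shared_prefs(xml_text), "sqlite": scan_sqlite(db_path)}


def demo_findings() -> dict:
    """Build the constructed sample database in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        db_path = os.path.join(tmpdir, "app.db")
        make_sample_db(db_path)
        return scan_app_data(SAMPLE_SHARED_PREFS, db_path)


if __name__ == "__main__":
    for source, hits in demo_findings().items():
        for hit in hits:
            print(f"[{source}] clear-text sensitive value: {hit}")
```

On a pulled data directory you would feed every `shared_prefs/*.xml` to `scan_shared_prefs` and every file in `databases/` to `scan_sqlite`; the `.schema` and `.dump` commands from the slide give the same picture by hand, one table at a time.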

2. Insecure communication

General

• Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more.
• Security bugs include
  • SSL/TLS certificate issues
  • Poor handshake
  • HTTP transfer of data in clear text

Common developer mistakes

• Accepting self-signed certificates.
• Setting a permissive hostname verifier

> Hacking

• MITM: capture, view, and modify traffic sent and received between app and server.
• Forging requests without MITM.
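The two developer mistakes above leave recognisable fingerprints in the Java that jadx-gui produces, so they can be found before any MITM setup. The example below is added here (it is not from the slides, jadx or OWASP) and scans decompiled source for an empty `checkServerTrusted` (accepts self-signed certificates), a `verify` that always returns true or the Apache `ALLOW_ALL_HOSTNAME_VERIFIER` constant (permissive hostname verifier), and hard-coded `http://` endpoints. Both Java snippets are constructed samples, one vulnerable and one that keeps the platform's checks; the `com.example.bank` package and `api.example.test` host are made up.

```python
import re
from pathlib import Path

# Constructed sample of what jadx-gui might decompile from an app with the mistakes above.
VULNERABLE_JAVA = """\
package com.example.bank.net;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class NetConfig {
    static final String API = "http://api.example.test/v1/";

    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    };

    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
}
"""

# Constructed counterpart that keeps platform certificate validation and hostname checks.
SAFE_JAVA = """\
package com.example.bank.net;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class NetConfig {
    static final String API = "https://api.example.test/v1/";

    static final HostnameVerifier STRICT = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
        }
    };
}
"""

# (rule id, pattern applied to the whole file, why the hit matters)
RULES = [
    (
        "trust-all-trustmanager",
        re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}"),
        "checkServerTrusted has an empty body: every certificate, self-signed included, is accepted",
    ),
    (
        "permissive-hostname-verifier",
        re.compile(r"boolean\s+verify\s*\([^)]*\)[^{;]*\{\s*return\s+true\s*;\s*\}|ALLOW_ALL_HOSTNAME_VERIFIER"),
        "hostname verification always succeeds: a valid certificate for any other host is accepted",
    ),
    (
        "cleartext-http-url",
        re.compile(r'"http://[^"]+"'),
        "hard-coded http:// endpoint: data travels in clear text",
    ),
]


def scan_java(source: str, filename: str = "<memory>") -> list:
    """Return one finding dict per rule hit, with the 1-based line where the match starts."""
    findings = []
    for rule_id, pattern, why in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append({"rule": rule_id, "file": filename, "line": line, "why": why})
    return findings


def scan_tree(root: Path) -> list:
    """Walk a jadx output directory (or any tree of .java files) and collect findings."""
    findings = []
    for path in sorted(root.rglob("*.java")):
        findings.extend(scan_java(path.read_text(encoding="utf-8", errors="replace"), str(path)))
    return findings


if __name__ == "__main__":
    for finding in scan_java(VULNERABLE_JAVA, "NetConfig.java"):
        print(f"{finding['file']}:{finding['line']} [{finding['rule']}] {finding['why']}")
    print("safe sample findings:", scan_java(SAFE_JAVA, "SafeNetConfig.java"))
```

Point `scan_tree` at the directory jadx exported to; a hit on either of the first two rules is exactly what makes the Burp Suite interception on the next slides work without the app complaining about the proxy's certificate.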

Man In The Middle - Burpsuite

Man In The Middle - Emulator

3. Extraneous functionality

General

• Backdoors or security controls helpful during development
• Information examples
  • back-end test, demo, staging or UAT environments
  • administrative endpoints
  • two-factor authentication bypass for dev/testing

“A very concerning 92% of Android apps tested have extraneous functionality issues while only a very small 2% of iOS apps show these issues.”

> Hacking

• Set debug flag
• Reading logs
• Find endpoints for devs/admin
• Other loopholes

$ adb logcat [-b buffername]

Best practice

• DON’T PUSH IT TO PRODUCTION!!
• Remove method calls to log class for release builds
• Disable ‘android:debuggable’ flag in production builds.
• On iOS disable NSLog statements.
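Two of the "best practice" items are easy to verify mechanically: whether the release build still logs secrets, and whether `android:debuggable` survived into the manifest. The example below is added here (not from the slides or from Android's tooling). It parses `adb logcat -v threadtime` output and flags credentials and clear-text URLs per process, and reads the `AndroidManifest.xml` that `apktool d` decodes to check the debuggable flag. The log lines, the manifest and the `com.example.bank` package are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# ElementTree key prefix for attributes in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed `adb logcat -v threadtime` output: date time pid tid level tag: message
SAMPLE_LOGCAT = """\
11-14 10:02:31.114  4321  4321 D LoginActivity: Attempting login for user=alice password=hunter2
11-14 10:02:31.220  4321  4350 I okhttp  : --> POST http://api.example.test/login
11-14 10:02:31.610  4321  4350 D AuthRepo: server returned token=eyJhbGciOiJIUzI1NiJ9.payload.sig
11-14 10:02:32.001  4321  4321 V LoginActivity: navigating to MainActivity
11-14 10:02:32.300  1200  1210 I ActivityManager: Displayed com.example.bank/.MainActivity
"""

LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+) "
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# What should never appear in a release build's log output (assumed list, extend per app).
LEAK_PATTERNS = [
    ("credential", re.compile(r"\b(password|passwd|pwd|token|secret|api_?key)\s*[=:]\s*\S+", re.I)),
    ("cleartext-url", re.compile(r"\bhttp://\S+")),
]

# Constructed AndroidManifest.xml as decoded by `apktool d` (a debug build shipped as-is).
SAMPLE_MANIFEST_DEBUG = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
    <application android:label="Bank" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

# Same manifest with the flag removed, as a release build should look.
SAMPLE_MANIFEST_RELEASE = SAMPLE_MANIFEST_DEBUG.replace(' android:debuggable="true"', "")


def parse_logcat(text: str) -> list:
    """Parse threadtime-format lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LOGCAT_LINE.match(raw)
        if m:
            entry = m.groupdict()
            entry["pid"] = int(entry["pid"])
            entry["tid"] = int(entry["tid"])
            entries.append(entry)
    return entries


def find_log_leaks(text: str, pid: int = None) -> list:
    """Return leak findings (first matching category per line), optionally limited to one process id."""
    findings = []
    for entry in parse_logcat(text):
        if pid is not None and entry["pid"] != pid:
            continue
        for category, pattern in LEAK_PATTERNS:
            if pattern.search(entry["msg"]):
                findings.append({"tag": entry["tag"], "category": category, "msg": entry["msg"]})
                break
    return findings


def is_debuggable(manifest_xml: str) -> bool:
    """True when <application> carries android:debuggable="true"; an absent attribute means false."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "debuggable", "false").lower() == "true"


if __name__ == "__main__":
    for leak in find_log_leaks(SAMPLE_LOGCAT, pid=4321):
        print(f"[{leak['category']}] {leak['tag']}: {leak['msg']}")
    print("debug manifest debuggable:", is_debuggable(SAMPLE_MANIFEST_DEBUG))
    print("release manifest debuggable:", is_debuggable(SAMPLE_MANIFEST_RELEASE))
```

Pipe a real capture in with `adb logcat -v threadtime > app.log` and pass the app's pid (from `adb shell pidof <package>`) so that other processes' noise is ignored; run `is_debuggable` on the `AndroidManifest.xml` in the folder `apktool d` created.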

4. Tools

Mobile tools

• Android Studio (with emulator!)
• APKtool
• jadx-gui
• adb
• Frida
• keytool

Find more on my github: https://github.com/maritiren/CTF/wiki/android

Vulnerable app

• InsecureBankv2 https://github.com/dineshshetty/Android-InsecureBankv2

MITM:

• Burpsuite

Tools list for workshop tomorrow!

Sources

• NowSecure online book about secure coding of mobile apps
• NowSecure short article intro on online book, containing links to best practices to prevent common security vulnerabilities.
• Blogpost Microsoft - Top 5 Mobile App Security Failures and How To Prevent Them
• Pluralsight, Ethical hacking: Hacking Mobile Platforms