
Page 1: Don't Trust, And Verify - Mobile Application Attacks

1© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand.

Cyber Defense Initiative Conference CDIC 2016 - TIME TO TRUST

Don't Trust, And Verify - Mobile Application Attacks

Mr. Prathan Phongthiproek

Management Consulting, KPMG Phoomchai Business Advisory Ltd.

Page 2: Don't Trust, And Verify - Mobile Application Attacks

Speaker Profile

Prathan Phongthiproek

Manager, Information Protection and Business Resilience (IPBR)

T: +662 677 2000

E: [email protected]

Background

Prathan is a Manager, Cybersecurity services, for KPMG Thailand. He has more than 9 years of experience leading cybersecurity services including security analysis and review, and penetration testing.

Professional and industry experience

• Led the project team responsible for conducting security assessment services for over 50 clients, including host and network assessment, external/internal network penetration testing, web and mobile application penetration testing, and ATM/kiosk security assessment including physical hacking.
• In charge of the penetration testing of retail point-of-sale payment systems (POS, IPT, OPT, EPS, STC) for PCI DSS v3.0 compliance at a major petrochemical company in Malaysia.
• Performed source code review (static and dynamic code analysis) to analyse and identify potential risks in terms of security and coding best practices for major banks.
• Conducted mobile application penetration testing on over 40 Android and iOS applications for a major telecommunications company.
• Performed digital forensics and investigation for a major financial company.
• Carried out regulatory compliance reviews and security configuration reviews providing in-depth risk and security analysis of systems, databases and infrastructure components.
• Analysed the results of security testing and assisted stakeholders by identifying viable remediation for each vulnerability identified.
• Provided in-depth security training and remediation guidance to clients.
• Created curricula and conducted training courses in network, web and mobile application security, and secure coding, for major banks.
• Industry experience includes financial services, major banks, insurance, telecommunications, health care providers, automotive, trading companies, the military sector, energy companies and power plants, oil & gas, resorts, ISPs and government agencies.

Page 3: Don't Trust, And Verify - Mobile Application Attacks

Agenda

- Overview
- Mobile Application Attack Vector
- Attack Narrative
- Countermeasure
- Reference

Page 4: Don't Trust, And Verify - Mobile Application Attacks

Overview

Mobile Marketing Statistics compilation

Source: http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/

[Charts: Ownership of smartphone vs desktop; Mobile media time - app vs mobile site usage]

Page 5: Don't Trust, And Verify - Mobile Application Attacks

Overview

Mobile/Tablet Operating System Market Share

NetMarketShare.com: Mobile/Tablet OS Market Share - October 2016

Android and iOS lead the market

Page 6: Don't Trust, And Verify - Mobile Application Attacks

Mobile Application Attack Vector

User Input
• SQLite Injection
• JavaScript Injection (XSS)
• Local File Inclusion
• WebView File Access Attack

IPC and Application Components
• Android component permissions and vulnerabilities through:
  o Activities
  o Content Providers
  o Broadcast Receivers
  o Services
• Protocol Handlers Attack
• Pasteboard/Clipboard
• Application Backgrounding
• Application Logs
• Mobile App Framework Vulnerability

Data Storage
• Plist/XML files
• SharedPreferences files
• Database/NoSQL files
• Keychain
• Temp files
• Cache files
• SD Card storage
• Unrestricted Backup file
• Poor Key Management

Backend Service
• Excessive open ports
• Security Misconfiguration
• Control of Interaction Frequency
• Weak Authentication
• Business Logic flaws
• Information leakage through API response messages
• Web Application Vulnerability

Communication Channel
• Insecure Transport Layer Protocols (HTTP)
• Insecure and Deprecated algorithms
• Disabling Certificate Validation
• Lack of SSL pinning
• Lack of End-to-end Encryption
• Sensitive data over network
• Exposing Device-Specific Identifiers

Binary File
• Reverse Engineering the App code
• Patching Binary
• Hard-coded credentials and Information Leakage through binary
• Debuggable mode
• Runtime Manipulation and Instrumenting
• Lack of Root/Jail-broken device checking

Page 7: Don't Trust, And Verify - Mobile Application Attacks

User Input - Android Application

• SQLite Injection

Rating legend used on each attack slide: Damage level = estimated level of financial and reputational loss; Threat level = estimated level of activity and occurrence.

Page 8: Don't Trust, And Verify - Mobile Application Attacks

User Input - iOS Application

• SQLite Injection

Page 9: Don't Trust, And Verify - Mobile Application Attacks

User Input - Android Application

• WebView File Access

A WebView that loads a user-supplied URL with file access enabled can be pointed at the app's own private files, e.g. DIVA's shared preferences:

file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml

Page 10: Don't Trust, And Verify - Mobile Application Attacks

User Input - iOS Application

• JavaScript Injection (XSS)

<script>alert('Hello World');</script>

Page 11: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components - Android Application

• Abusing an Android Activity component to bypass client-side authentication (PIN).

Page 12: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components - Android Application

• Case Study: CVE-2015-1835, remote exploit of secondary configuration variables in Apache Cordova on Android (preferences not declared in config.xml could be set by a malicious intent, changing the behaviour of the Cordova app).

Page 13: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components - Android Application

• Abusing an Android Content Provider to obtain sensitive information from the application database.

[Figure: exported DBContentProvider -> application .db file -> sensitive information]

Creating a malicious app to attack the sieve application: https://github.com/tanprathan/sievePWN/blob/master/sieveleak

Using drozer to attack the Android components

Page 14: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components - Android Application

• Abusing an Android Content Provider to obtain sensitive information from the application database using SQL injection.

Creating a malicious app to attack the sieve application using SQLi: https://github.com/tanprathan/sievePWN/tree/master/sievesqli

Using drozer to attack the Android components using SQLi
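The two SQLite injection points from the preceding slides side by side, as an added example that is not from the talk or the sieve app: the same SQLite engine the app uses, a user-input query built by string concatenation, and a content-provider query that forwards the caller's projection the way SQLiteQueryBuilder does, each next to its fix. The Passwords/Key tables and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample database (not from the slides) whose layout mirrors MWR's sieve app:
# a Passwords table and a Key table holding the master password and PIN.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'gmail', 'alice', 'hunter2');
        INSERT INTO Key VALUES ('MasterPass123', '1234');
    """)
    return db

# Vector 1 (user input): credentials concatenated into the statement, as a
# rawQuery("... WHERE username = '" + u + "' AND password = '" + p + "'") call would do.
def login_vulnerable(db, username, password):
    sql = ("SELECT username FROM Passwords WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchall()

# Fix: bind parameters; the input can never change the statement's structure.
def login_fixed(db, username, password):
    sql = "SELECT username FROM Passwords WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

# Vector 2 (content provider): SQLiteQueryBuilder concatenates the caller's projection
# directly after SELECT, so an exported provider that forwards it unchecked lets the
# caller rewrite the start of the statement and read a different table.
def provider_query_vulnerable(db, table, projection):
    sql = "SELECT %s FROM %s" % (", ".join(projection), table)
    return db.execute(sql).fetchall()

# Fix: allow-list the columns per table (the equivalent of setProjectionMap()/setStrict(true)
# on SQLiteQueryBuilder) before anything caller-supplied reaches the statement.
ALLOWED_PROJECTION = {"Passwords": {"_id", "service", "username"}}

def provider_query_fixed(db, table, projection):
    allowed = ALLOWED_PROJECTION.get(table, set())
    rejected = [col for col in projection if col not in allowed]
    if rejected:
        raise ValueError("projection not permitted: %r" % rejected)
    sql = "SELECT %s FROM %s" % (", ".join(projection), table)
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))      # password check bypassed
    print(login_fixed(db, "alice", "' OR '1'='1"))           # []
    print(provider_query_vulnerable(db, "Passwords", ["* FROM Key WHERE 1=1 --"]))  # master password leaks
```

The projection payload is the same shape drozer sends with `--projection`; the provider never sees a second statement, only a rewritten first one, which is why statement-count limits do not help and the column allow-list does.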

Page 15: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components - iOS Application

• Attacking Protocol Handlers (URL Scheme) - Sea Surf

Identify the URL scheme in the app's Info.plist, use Hopper to reverse-engineer the handler, then craft a URL (served from a web page or another app) that triggers it:

dvia://highaltitudehacks.com/call_number/?phone=1234567890
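An added example (not from DVIA or the talk) of the input validation that closes both the WebView file-access finding and the URL-scheme finding above: one allow-list for what the WebView may load, and a scheme handler that only dispatches named, side-effect-free actions. The allowed hosts and actions are assumptions for the example, and the vulnerable handler shows the pattern being exploited.

```python
from urllib.parse import urlparse, parse_qs

# Assumed policy for the example app (constructed, not from the slides): the WebView may only
# load https pages from these hosts, and the custom "dvia" scheme only exposes these actions.
ALLOWED_WEB_HOSTS = {"highaltitudehacks.com"}
ALLOWED_ACTIONS = {"show_help", "open_settings"}   # call_number deliberately absent: a call needs user consent

def is_safe_webview_url(url):
    """Allow-list check before WebView.loadUrl(): only https to a known host.
    file://, content://, javascript: and plain http:// all fail this test."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_WEB_HOSTS

def handle_scheme_url_vulnerable(url):
    """The pattern behind the DVIA finding: take the action from the path and the
    arguments from the query, and act on them with no further check."""
    p = urlparse(url)
    action = p.path.strip("/")
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    return action, params            # ('call_number', {'phone': ...}) -> the app dials

def handle_scheme_url(url, scheme="dvia"):
    """Hardened handler: exact scheme, a single allow-listed action, validated arguments.
    Returns (action, params) or None when the URL must be ignored."""
    p = urlparse(url)
    if p.scheme != scheme:
        return None
    segments = [s for s in p.path.split("/") if s]
    if len(segments) != 1 or segments[0] not in ALLOWED_ACTIONS:
        return None
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    if any(not k.isidentifier() or len(v) > 64 for k, v in params.items()):
        return None                  # reject junk keys and oversized values
    return segments[0], params

if __name__ == "__main__":
    print(is_safe_webview_url("file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml"))
    print(handle_scheme_url_vulnerable("dvia://highaltitudehacks.com/call_number/?phone=1234567890"))
    print(handle_scheme_url("dvia://highaltitudehacks.com/call_number/?phone=1234567890"))
```

Anything that has a side effect (a call, a payment, a settings change) should never be reachable from a URL alone; if it must be, the handler should show a confirmation to the user rather than trusting the URL's origin.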

Page 16: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components

Android Application

• Side-Channel Data Leakage through the Android Clipboard - using drozer to perform clipboard monitoring

iOS Application

• Side-Channel Data Leakage through the iOS generalPasteboard - using idb to perform pasteboard monitoring

Page 17: Don't Trust, And Verify - Mobile Application Attacks

Inter-Process Communication (IPC) and Application Components

Android Application

• Information Leakage through Application Log

The application writes the entered password to the log. (Since Android 4.1 third-party apps can no longer read logcat without the system-only READ_LOGS permission, but the log is still exposed through adb, bug reports and any device-side tooling, so treat anything written to it as public.)

iOS Application

• Information Leakage through Application Log

Case Study: HTTPS requests and responses were logged to the application log, allowing malware to obtain sensitive information.
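An added detection example (constructed, not from the talk): a scanner over logcat output in threadtime format that reports the categories of leak the two slides describe, credentials, Authorization headers, and HTTP traffic left on the log by a verbose logging interceptor. The log lines are constructed for the example; on a real engagement feed it `adb logcat -v threadtime` filtered to the app's PID.

```python
import re

# logcat "threadtime" format: date time PID TID priority tag: message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>[^:]+?):\s(?P<msg>.*)$")

# What a pentester greps for once the app has been exercised with logcat running;
# order matters, the first matching category is reported.
SENSITIVE = [
    ("credential",    re.compile(r"\b(password|passwd|pin|otp)\b\s*[=:]", re.I)),
    ("auth header",   re.compile(r"\bAuthorization:\s*(Bearer|Basic)\s+\S+", re.I)),
    ("token in body", re.compile(r'"(access_token|refresh_token|session|token)"\s*:\s*"', re.I)),
    ("http traffic",  re.compile(r"\b(GET|POST|PUT|PATCH|DELETE)\s+https?://|<--\s+\d{3}\b")),
]

def parse_logcat(line):
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None

def scan_logcat(lines, app_pids=None):
    """Return one finding per line that leaks something. app_pids limits the scan to the
    target app's process(es), which is how a leak is attributed to the app under test."""
    findings = []
    for line in lines:
        rec = parse_logcat(line)
        if rec is None or (app_pids and int(rec["pid"]) not in app_pids):
            continue
        for category, pattern in SENSITIVE:
            if pattern.search(rec["msg"]):
                findings.append({"category": category, "tag": rec["tag"], "msg": rec["msg"]})
                break
    return findings

# Constructed logcat excerpt (not captured from any real app): a login flow whose
# HTTP client has its logging interceptor left at BODY level in a release build.
SAMPLE_LOG = """\
11-15 10:21:33.412  4321  4321 D LoginActivity: user=alice password=hunter2
11-15 10:21:33.500  4321  4350 D OkHttp: --> POST https://api.example.com/v1/login HTTP/1.1
11-15 10:21:33.501  4321  4350 D OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln
11-15 10:21:33.900  4321  4350 D OkHttp: <-- 200 OK https://api.example.com/v1/login (399ms)
11-15 10:21:33.901  4321  4350 D OkHttp: {"access_token":"eyJhbGciOiJIUzI1NiJ9.e30.c2ln","expires_in":3600}
11-15 10:21:34.100  1299  1310 I ActivityManager: Displayed com.example.bank/.HomeActivity: +300ms
11-15 10:21:35.000  1000  1000 W AudioFlinger: write blocked for 35 msecs
""".splitlines()

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOG, app_pids={4321}):
        print("%-14s %-16s %s" % (f["category"], f["tag"], f["msg"]))
```

The fix on the app side is the same for both platforms: no logging of request or response bodies outside debug builds, and never of credentials at all; on Android the release build should strip `Log.*` calls with ProGuard/R8 `assumenosideeffects` rules.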

Page 18: Don't Trust, And Verify - Mobile Application Attacks

Data Storage

Android Application

• Insecure Data Storage leading to a client-side authentication flaw

iOS Application

• Insecure Data Storage leading to a client-side authentication flaw

Page 19: Don't Trust, And Verify - Mobile Application Attacks

Data Storage

Android Application

• Manipulating local storage files

iOS Application

• Manipulating local storage files

Page 20: Don't Trust, And Verify - Mobile Application Attacks

Data Storage

Android Application

• The default value of the Android backup flag (android:allowBackup in AndroidManifest.xml) is "true", so unless it is set to "false" the app's private data can be pulled with adb backup.

iOS Application

• Extract application storage from an iTunes backup using "iPhone Backup Extractor"
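An added example (not the talk's tooling) covering both the backup slide and the local-storage slides above: a check of the `android:allowBackup` default in a manifest, and a parser that unpacks an unencrypted `adb backup` file so its SharedPreferences and databases can be read or modified. The manifests and the backup file are constructed inline; the `.ab` layout (header lines, then a zlib-deflated tar) is the one adb writes.

```python
import io
import tarfile
import zlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def allow_backup_enabled(manifest_xml):
    """True when the app's private data can be pulled with `adb backup`.
    android:allowBackup defaults to true when the attribute is absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return True
    return app.get("{%s}allowBackup" % ANDROID_NS, "true").lower() == "true"

def parse_ab(data):
    """Split an adb backup file into its header fields and the tar archive inside.
    Layout: 'ANDROID BACKUP', version, compressed flag (1/0), encryption ('none' or 'AES-256'),
    each on its own line, followed by the (optionally zlib-deflated) tar stream."""
    magic, version, compressed, encryption, body = data.split(b"\n", 4)
    if magic != b"ANDROID BACKUP":
        raise ValueError("not an adb backup file")
    if encryption != b"none":
        raise ValueError("encrypted backup (%s): the backup password is needed" % encryption.decode())
    tar_bytes = zlib.decompress(body) if compressed == b"1" else body
    return int(version), compressed == b"1", tar_bytes

def extract_backup(data):
    """Return {path: content} for every regular file in the backup. App data sits under
    apps/<package>/ with sp/ (SharedPreferences), db/ (SQLite) and f/ (files) subtrees."""
    _, _, tar_bytes = parse_ab(data)
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files

# Constructed sample backup (not pulled from a device): one SharedPreferences file for the
# DIVA package, written the way adb writes it (header + deflated tar), so the parser runs offline.
def make_sample_ab(pkg="jakhar.aseem.diva"):
    prefs = (b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
             b'    <string name="user">alice</string>\n'
             b'    <string name="password">hunter2</string>\n</map>\n')
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:") as tf:
        info = tarfile.TarInfo("apps/%s/sp/%s_preferences.xml" % (pkg, pkg))
        info.size = len(prefs)
        tf.addfile(info, io.BytesIO(prefs))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(tar_buf.getvalue())

# Constructed manifests: attribute absent (default applies) versus explicitly hardened.
MANIFEST_DEFAULT = ('<manifest xmlns:android="%s" package="jakhar.aseem.diva">'
                    '<application android:label="DIVA"/></manifest>' % ANDROID_NS)
MANIFEST_HARDENED = ('<manifest xmlns:android="%s" package="jakhar.aseem.diva">'
                     '<application android:label="DIVA" android:allowBackup="false"/></manifest>' % ANDROID_NS)

if __name__ == "__main__":
    print("allowBackup (attribute absent):", allow_backup_enabled(MANIFEST_DEFAULT))
    for path, content in extract_backup(make_sample_ab()).items():
        print(path)
        print(content.decode())
```

Once the tar is out, the files can be edited and repacked the same way and restored with `adb restore`, which is the "manipulating local storage file" step without a rooted device; anything the app trusts from its own storage (a stored PIN, an `is_logged_in` flag) is therefore attacker-controlled.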

Page 21: Don't Trust, And Verify - Mobile Application Attacks

Binary File

Android Application

• Patching the binary using apktool

iOS Application

• Patching the binary using dumpdecrypted (to strip the App Store FairPlay encryption) and Hopper

Page 22: Don't Trust, And Verify - Mobile Application Attacks

Binary File

Android Application

• Identifying a hard-coded key using reverse-engineering techniques

iOS Application

• Identifying a hard-coded key using reverse-engineering techniques

Hard-coded key stored in the res/xml folder

Hard-coded key stored in the application source code

Hard-coded key used to open the application's encrypted database found in a JS file
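An added scanner (constructed for this page, not the talk's method) for the three locations the slide lists: it walks decompiled or unpacked files and flags string literals next to key-like names, high-entropy literals with no such name, and weak cipher transformations. The sample tree and its values are constructed; `ENTROPY_THRESHOLD` and the name list are tunables.

```python
import math
import re

# Names that suggest key material sits on the line (case-insensitive, matched at a word
# start, so camelCase like "dbKey" is left to the entropy check instead).
KEY_CONTEXT = re.compile(r"(?i)\b(aes|des|hmac|secret|passphrase|passw|key|iv|salt|token)\w*")
# A Java/JS string literal or an XML text node of at least 12 characters.
LITERAL = re.compile(r'"([^"\\]{12,})"|>([^<>]{12,})<')
# Transformations and digests that should not appear in new code.
WEAK_ALGO = re.compile(r"\b(AES|DES|RSA)/ECB\b|\bDES\b|\bMD5\b|\bSHA-?1\b")
ENTROPY_THRESHOLD = 4.0   # bits per character; random keys and base64 blobs land above this

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty, log2(len) when all characters differ)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_source(path, text):
    """Flag hard-coded key material and weak algorithms in one decompiled/unpacked file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        weak = WEAK_ALGO.search(line)
        if weak:
            findings.append({"path": path, "line": lineno, "reason": "weak algorithm",
                             "value": weak.group(0)})
            continue
        for m in LITERAL.finditer(line):
            value = m.group(1) or m.group(2)
            entropy = shannon_entropy(value)
            named = KEY_CONTEXT.search(line) is not None
            if named or entropy >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "reason": "key-like name" if named else "high entropy",
                                 "value": value, "entropy": round(entropy, 2)})
    return findings

def scan_tree(files):
    """files: {relative path: text}, e.g. the output of apktool/jadx or an unzipped IPA."""
    return [f for path, text in sorted(files.items()) for f in scan_source(path, text)]

# Constructed sample tree (not from any real app), one hit per location the slide lists:
# a resource XML, a Java source file and a bundled JS file.
SAMPLE_TREE = {
    "res/values/strings.xml": '<string name="app_name">Bank</string>\n'
                              '<string name="aes_key">a1b2c3d4e5f60718293a4b5c6d7e8f90</string>\n',
    "sources/com/example/Crypto.java": 'private static final String KEY = "ThisIsASecretKey";\n'
                                       'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n',
    "assets/www/js/app.js": 'var dbKey = "Xk9pQ2vL8mN4rT6wYb3zHd7f";\nconsole.log("ready");\n',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print("%s:%d  %-14s %s" % (f["path"], f["line"], f["reason"], f["value"]))
```

Whatever the scanner finds is confirmation, not the fix: a key that ships in the binary is recoverable by anyone with the binary, and the remedy is per-install key material held in the Android Keystore or iOS Keychain, or a key derived from a secret the user supplies.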

Page 23: Don't Trust, And Verify - Mobile Application Attacks

Binary File

Android Application

• Bypassing root detection using RootCloak Plus

iOS Application

• Bypassing jailbreak detection using Snoop-it and tsProtector

Page 24: Don't Trust, And Verify - Mobile Application Attacks

Binary File

Android Application

• Instrumenting Android applications with Frida using a brute-force technique

Page 25: Don't Trust, And Verify - Mobile Application Attacks

Binary File

iOS Application

• Runtime manipulation using method swizzling

Page 26: Don't Trust, And Verify - Mobile Application Attacks

Communication Channel

Android and iOS

• Sniffing HTTPS traffic by installing the proxy's CA certificate on the device.

• Bypassing SSL issuer and domain validation (creating a custom CA certificate - https://portswigger.net/burp/help/proxy_options.html)

• Bypassing SSL pinning

Page 27: Don't Trust, And Verify - Mobile Application Attacks

Communication Channel

Android and iOS

• End-to-End Encryption (application-layer encryption)

• Exposing Device-Specific Identifiers

Page 28: Don't Trust, And Verify - Mobile Application Attacks

Backend Service

Android and iOS

• Information exposure through the default WSDL service help page.

• Information exposure through API response messages

Page 29: Don't Trust, And Verify - Mobile Application Attacks

Backend Service

Android and iOS

• Injection (SQL, Command, XXE)

• Improper Control of Interaction Frequency

Page 30: Don't Trust, And Verify - Mobile Application Attacks

Backend Service

Android and iOS

• Business Logic Flaw #1

• Business Logic Flaw #2

Page 31: Don't Trust, And Verify - Mobile Application Attacks

Communication Channel

Case Study: Breaking business logic flaws and bypassing end-to-end encryption

Android and iOS

The binary was decrypted and class-dump was used to enumerate its classes and methods.

The encryption and decryption classes were identified.

The encryption/decryption methods were hooked with custom Cycript scripts, so the plaintext HTTPS requests and responses were obtained.

Custom scripts then replaced the XML request/response content in order to exploit business logic flaws (e.g. authentication, authorization, insecure direct object reference).
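What the case study implies for the backend, as an added example that is not the assessed system's code: once the app's encryption layer is hooked, every check that matters has to run server-side. The toy backend below binds each account to the session that owns it (closing the insecure direct object reference) and counts PIN attempts itself, so neither starting the post-PIN Activity directly nor a Frida brute-force against a client-side PIN check helps. Users, accounts, the PIN and the limits are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

class Backend:
    """Constructed toy backend (not any real system) holding the checks that must live
    server-side because everything in the app, including its encryption layer, can be hooked."""
    MAX_PIN_ATTEMPTS = 5
    LOCKOUT_SECONDS = 900
    PBKDF2_ROUNDS = 50_000

    def __init__(self):
        self.sessions = {}                         # session token -> authenticated user
        self.accounts = {"acc-1001": {"owner": "alice", "balance": 5000},
                         "acc-2002": {"owner": "bob", "balance": 300}}
        self.pin_hash = {"alice": self._hash_pin("alice", "2580")}   # the PIN never leaves the server
        self.attempts = {}                         # user -> (failed count, locked-until timestamp)

    @classmethod
    def _hash_pin(cls, user, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), ("pin:" + user).encode(), cls.PBKDF2_ROUNDS)

    def login(self, user):
        """Primary authentication is assumed done; issue an unguessable session token."""
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def get_balance_vulnerable(self, session, account_id):
        """Business logic flaw: any valid session can read any account (the IDOR in the case study).
        Encrypting the request body does not change this; the attacker edits it before encryption."""
        if session not in self.sessions:
            raise PermissionError("no session")
        return self.accounts[account_id]["balance"]

    def get_balance(self, session, account_id):
        """Hardened: the resource is bound to the authenticated principal, and a foreign account
        is indistinguishable from a missing one."""
        user = self.sessions.get(session)
        if user is None:
            raise PermissionError("no session")
        account = self.accounts.get(account_id)
        if account is None or account["owner"] != user:
            raise PermissionError("no such account")
        return account["balance"]

    def verify_pin(self, session, pin, now=None):
        """Server-side PIN check with attempt counting and lockout; the client-side PIN screen
        is only a convenience and is not trusted."""
        user = self.sessions.get(session)
        if user is None:
            raise PermissionError("no session")
        now = time.time() if now is None else now
        failed, locked_until = self.attempts.get(user, (0, 0.0))
        if now < locked_until:
            return False                           # locked: do not even evaluate the PIN
        ok = hmac.compare_digest(self._hash_pin(user, pin), self.pin_hash[user])
        if ok:
            self.attempts[user] = (0, 0.0)
        else:
            failed += 1
            lock = now + self.LOCKOUT_SECONDS if failed >= self.MAX_PIN_ATTEMPTS else 0.0
            self.attempts[user] = (failed, lock)
        return ok

if __name__ == "__main__":
    b = Backend()
    s = b.login("alice")
    print("IDOR:", b.get_balance_vulnerable(s, "acc-2002"))      # bob's balance
    try:
        b.get_balance(s, "acc-2002")
    except PermissionError as e:
        print("hardened:", e)
```

The same principle covers the other client-side findings in the deck: root/jailbreak checks, pinning and app-layer encryption raise the cost of analysis, but authorization, rate limits and credential checks only count when the server performs them.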

Page 32: Don't Trust, And Verify - Mobile Application Attacks


Countermeasure

OWASP Mobile Top 10 Controls

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls

Page 33: Don't Trust, And Verify - Mobile Application Attacks


Countermeasure

Mobile Application Coding Guidelines

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Secure_Mobile_Development

Page 34: Don't Trust, And Verify - Mobile Application Attacks

Reference

• http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
• https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=1
• http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html
• https://labs.mwrinfosecurity.com/system/assets/380/original/sieve.apk
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://github.com/payatu/diva-android
• https://github.com/prateek147/DVIA
• https://github.com/tanprathan/sievePWN
• https://portswigger.net/burp/proxy.html

Page 35: Don't Trust, And Verify - Mobile Application Attacks

© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).

This documentation is made by KPMG Phoomchai Business Advisory Ltd. (KPMG), a Thai limited liability company and member firm of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative, and is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.

This document contains confidential or proprietary KPMG information. It is not to be disclosed, quoted or referred to, in whole or in part, without our prior written consent. The restriction pertains to all data and information throughout the entire document.