2. echo whoami
• Senior Security Analyst @SensePost (awesome company BTW)
• 7+ years in InfoSec
• Specialize in Web App & Network security
• Part time Reverse Engineer (is that even possible???)
• Certified Ethical Hacker (as if it matters)
• Can do 50 Push-ups in one go (and faint)
3. • Why does everyone rant about SmartPhone security
• Understanding iPhone Application layout
• Decrypting iPhone apps & what can we achieve
• Android Architecture
• Android Permission Model & Sandbox
• Analyzing Android Apps - Deep sea diving
• Practical Attacks on Android
• Demos
• And more Demos
• Introducing Manifestor.py
4. Why care???
• Smartphones are growing in popularity by the minute
• Windows 7 (Dell, HTC, LG etc.), iPhone (Apple), Android (Google, HTC, Samsung, Motorola etc.)
• means growth in mobile applications (according to Juniper Research, the mobile application market is expected to reach $32 billion by 2015)
• means loads of mobile application development (from barcode scanner to angry birds to mobile BANKING)
• means tons of lines of code (plus bad programming)
• equals VULNERABILITIES - programmatic, environmental, configurational and so on
6. iPhone Binary Format
• IPA file - basically a zip archive
• Location of app binary on iPhone:
  – Payload/MyApp.app/MyApp
• Based on Mach-O (Mach Object) file format
• Sandbox:
  – Apps restricted to their own private directory and memory pages
• Apps are encrypted
  – Decrypted by iPhone loader at run-time
8. Decrypting iPhone Binary
• What do I need:
  – Jailbroken iPhone (Yes, it's a necessity of life)
  – iPhone SDK (otool)
  – Hex Editor (0xED, HexWorkshop, etc. etc.)
  – IDA Pro (Optional) - Version 5.2 - 5.6
• Finding an app root dir on iPhone
  – sudo find / | grep iApp.app
  – myApp.app contains iApp, the actual binary
• "crypt" load command responsible for decryption
  – otool -l iApp | grep crypt
10. Decrypting iPhone Binary
• Locate "cryptid" in the actual binary, and flip it to "0"
  – Do it, NOW
• "cryptid" is now "0". What does this mean?
• Not decrypted yet
• Next, run the app on iPhone and take a memory dump
  – Actual code starts at 0x2000
  – Size of encrypted data - 942080 (0xE6000)
  – So, we need to dump from 0x2000 to 0xE8000. Guess why? :-)
• Run app on iPhone, ssh into iPhone, use gdb
  – gdb -p PID
  – dump memory iApp.bin 0x2000 0xE8000
• Pull iApp.bin to local machine
  – Overwrite the bin file onto the initial binary file (where "cryptid" was set to "0")
  – Don't forget - "cryptoff" was 4096 (0x1000)
• Sorted :-)
• For all technical details, please refer to SensePost blog:
  – http://sensepost.com/blog/6254.html
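The cryptoff, cryptsize and cryptid values the slides read with otool live in the Mach-O LC_ENCRYPTION_INFO load command. As an added example (not from the talk or from SensePost), this Python walks the load commands of a 32-bit image, reports whether the binary still carries its App Store encryption, and applies the slide's load-base arithmetic (cryptoff 0x1000 at base 0x1000 gives 0x2000..0xE8000). The image it parses is constructed inline, and the 0x1000 load base is an assumption taken from the slide's numbers.

```python
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O magic; iPhone binaries of this era are 32-bit ARM
LC_ENCRYPTION_INFO = 0x21    # load command that carries cryptoff, cryptsize and cryptid
LC_UUID = 0x1B               # an unrelated command, present only to show the walk skips it
HEADER_FMT = "<7I"           # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
ENCINFO_FMT = "<5I"          # cmd, cmdsize, cryptoff, cryptsize, cryptid


def parse_encryption_info(data):
    """Walk the load commands; return (cryptoff, cryptsize, cryptid) or None if absent."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O image")
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_ENCRYPTION_INFO:
            _, _, cryptoff, cryptsize, cryptid = struct.unpack_from(ENCINFO_FMT, data, off)
            return cryptoff, cryptsize, cryptid
        off += cmdsize           # cmdsize covers the whole command, so unknown ones are skipped
    return None


def is_encrypted(data):
    """True when the image still carries App Store encryption (cryptid != 0)."""
    info = parse_encryption_info(data)
    return info is not None and info[2] != 0


def decrypted_region(cryptoff, cryptsize, load_base=0x1000):
    """Address range the encrypted section occupies once mapped at load_base (assumed 0x1000).
    With the slide's values (cryptoff 0x1000, cryptsize 0xE6000) this is 0x2000..0xE8000."""
    start = load_base + cryptoff
    return start, start + cryptsize


def build_sample(cryptoff=0x1000, cryptsize=0xE6000, cryptid=1):
    """Constructed minimal image: header, an LC_UUID, then LC_ENCRYPTION_INFO (not a real app)."""
    uuid_cmd = struct.pack("<2I16s", LC_UUID, 24, b"\x00" * 16)
    enc_cmd = struct.pack(ENCINFO_FMT, LC_ENCRYPTION_INFO, struct.calcsize(ENCINFO_FMT),
                          cryptoff, cryptsize, cryptid)
    cmds = uuid_cmd + enc_cmd
    # cputype 12 = CPU_TYPE_ARM, cpusubtype 6 = ARMv6, filetype 2 = MH_EXECUTE, ncmds = 2
    return struct.pack(HEADER_FMT, MH_MAGIC, 12, 6, 2, 2, len(cmds), 0) + cmds


if __name__ == "__main__":
    image = build_sample()
    off, size, cid = parse_encryption_info(image)
    print("cryptoff=%#x cryptsize=%#x cryptid=%d encrypted=%s" % (off, size, cid, is_encrypted(image)))
    print("encrypted section maps to %#x..%#x" % decrypted_region(off, size))
```

The same walk works on a real binary pulled from Payload/MyApp.app/ once its header bytes are read from disk; only the 32-bit header layout is handled here.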
11. I have an Android phone...
...and I love it :-)
13. Android Security Model
• Linux kernel
• Linux-like permission model
• Applications run with their own uid:gid (something like a multi-user system)
• Applications may share a uid (must be signed with same key)
• App permissions are defined in AndroidManifest.xml
• Manually reviewed / accepted by user on install (Really??? What if I am a runway model?)
• Applications can be self-signed.
14. AndroidManifest.xml
• One for each app
• Declares Java package name for the application
• Describes components of the application - activities, services, broadcast receivers, content providers
• Declares permissions required to access protected parts of APIs
• Declares permissions required by other applications to interact
15. Activity
• User-focused task
• Almost always interacts with user
• Displays a button, text box etc.
• Runs within app's process
• Stack based - new activity is placed at top
• Activity states: active, paused, stopped, resumed
16. Intents
• Basically messages between components such as activities, services etc.
• Like passing parameters to API calls, except it's asynchronous
• Run-time binding
• Start an activity with startActivity()
• Similarly sendBroadcast(), startService(Intent) and so on
(Diagram: Start an Activity)
17. Broadcast Receiver
• Communication between Apps and System
• Messages sent as Intents
• Dynamic creation through context.registerReceiver()
• Static declaration through receiver tag in AndroidManifest.xml
• Can be exported with <intent-filter> tag in AndroidManifest.xml
• Access permissions can be enforced by either sender or receiver
• Apps can register to receive intents without special privileges ;-)
18. Service
• Long running background process
• Can run in its own process,
• Or in context of another application's process
• Can be started with an intent
• Can be secured by adding a Permission check to their <service> tag
• Careful while sending sensitive data
20. • Apps run in Dalvik Virtual Machine - One DVM for each app
• DVM is register based, not stack based
• DVM ensures application isolation
• One application cannot access data of another application
  – Hmmm, "cannot" or "SHOULD not"
• Unique UID for each application
• Apps written in Java, then compiled to Dalvik byte code
  – No solid code obfuscator for Android platform
  – Even if there is one, no-one uses it
• Permissions are declared in AndroidManifest.xml
• Permissions displayed to user on download - Accept or Reject. TRICKY!!!
  – Everyone sitting in this room may care, what about others???
  – What about installing via "adb" - Cracked apps ("adb install malicious.apk")
• permission.INTERNET - Very common but that's all they need :-)
• Easy to publish malicious app on Android Market
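Slides 14, 17, 18 and 20 all come back to AndroidManifest.xml: which permissions the app asks for, and which components end up exported (explicitly, or implicitly through an <intent-filter>) without an android:permission guarding them. As an added example in the spirit of the Manifestor.py idea (this is not the talk's script), this Python audits a manifest for exactly those two things; the manifest it reads is constructed inline and is not a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not a real app): the receiver is exported by its
# <intent-filter> with no permission, the service is exported but guarded by one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demoapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SyncDoneReceiver">
      <intent-filter><action android:name="com.example.demoapp.SYNC_DONE"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demoapp.permission.SYNC"/>
  </application>
</manifest>"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:exported."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """android:exported wins when set; otherwise any <intent-filter> exports the component."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return declared permissions and the exported components that enforce no permission."""
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"),
              "uses_permissions": [android_attr(p, "name") for p in root.iter("uses-permission")],
              "unprotected_exported": []}
    application = root.find("application")
    for tag in COMPONENT_TAGS:
        for component in application.iter(tag):
            if is_exported(component) and android_attr(component, "permission") is None:
                report["unprotected_exported"].append((tag, android_attr(component, "name")))
    return report
```

The launcher activity (action MAIN) always appears in the unprotected list, since it has to be reachable; the receiver beside it is the finding worth fixing, either with an android:permission or by dropping the filter and registering it at run-time.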
21. APK File Format
• Application package file for Android
• Variant of JAR file format
• Contains (unzip AndroidApp.apk):
  – AndroidManifest.xml
  – META-INF directory
  – classes.dex
  – res directory
  – resources.arsc
31. Let's Sum It Up
• FACTS:
  – SmartPhone industry is rapidly growing and will continue to grow
  – Provides a plethora of features & functionalities
  – Apps for anything & everything
  – Developed by inexperienced young developers
• What's Required:
  – Standardization of application development
  – In-built secure APIs within SDK
  – Need for a strong threat model
  – Domain based testing