Virtue Security - The Art of Mobile Security 2013
1. THE ART OF MOBILE SECURITY
(ISC)2 NEW YORK METRO APRIL 2013
Elliott Frantz
http://www.virtuesecurity.com
2. Agenda
• Platform security
• Pentesting mobile applications
• Identifying attack vectors
• Current events
• Changing culture and the future of mobile security
3. Mobile Platform Security
• Mobile platforms have a large gray area between functionality and security issues.
• Many features of mobile platforms create cached artifacts of runtime data.
• Applications must properly defend against these functions to contain sensitive data.
4. iOS Background Screen Cache
• Screenshots are taken when the user hits the ‘home’ button.
• Can be forensically recovered from the device.
• App developers must properly handle background events to hide sensitive data on screen.
5. iOS UITextFields
• Known as the iOS “native keylogger”
• iOS will cache text entered in these fields
• Data can be forensically recovered or easily accessed on a jailbroken device
/private/var/mobile/Library/Keyboard/UserDictionary.sqlite
/private/var/mobile/Library/Keyboard/dynamic-text.dat
6. Android Content Providers
• Can act as a data store for multiple applications
• Often used for single applications
• Must properly restrict permissions for other applications
• Malicious apps may attempt to read from your provider
7. Pentesting Mobile Applications
Objectives:
• Identify data transmitted (Protocols, hosts, ports)
• MITM the client to attack application layer
• Analysis of business logic and technologies used
• Identify and subvert client side controls
• Static analysis of application binary
• Identify cached data
8. Mobile Man-in-the-Middle
• Many ways to MITM apps – go with the simplest configuration (often an HTTP proxy)
• Apps using custom protocols must be intercepted with network-layer proxies like Mallory
• A variety of frameworks are available to bypass certificate pinning.
9. Application Analysis
• Compare use of the application to the data transmitted to determine client side controls.
• Construct a threat model for business logic
• What are the abuse cases that relate to the business?
10. Defeating Client Side Controls (Android)
• Android is often the easiest platform on which to modify code and repackage the APK.
• Tools such as Virtuous Ten can perform this quickly
• Apps can also be manipulated with Java debugging methods (DDMS)
11. Defeating Client Side Controls (iOS)
• The iOS Objective-C runtime can be easily manipulated with cycript/Mobile Substrate
• Can jump to arbitrary points in the application, call functions, replace code.
12. Code Patching
• Identify “simple logic”
  /* The lengthy, convoluted detection logic from the slide is collapsed into one
     helper call here (assumed name) so the function compiles as C. */
  int Is_our_phone_jailbroken(void)
  {
      if (lengthy_convoluted_jailbreak_detection())
          return 1;
      else
          return 0;
  }
• Only one byte needs to be modified
14. Camera EXIF Data
• GPS data is often embedded in photos taken
• Server side components must scrub EXIF data
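A server-side scrubber of the kind slide 14 calls for, as an added example that is not part of the original deck: it walks the JPEG segment table and drops the Exif and XMP APP1 segments (where GPS tags live) while copying the pixel data through untouched. The sample bytes are constructed for the demonstration and are not a decodable image.

```python
import struct

SOI = b"\xff\xd8"
SOS = 0xDA
APP1 = 0xE1
# APP1 payload prefixes that can carry GPS/location metadata.
EXIF_PREFIX = b"Exif\x00\x00"
XMP_PREFIX = b"http://ns.adobe.com/xap/1.0/\x00"


def strip_location_metadata(jpeg: bytes) -> bytes:
    """Return `jpeg` with its Exif and XMP APP1 segments removed.

    Only the segment table before Start-Of-Scan (SOS) is parsed; everything
    from SOS onward is copied verbatim, so the pixels are unchanged. Assumes a
    baseline layout with no stand-alone markers before SOS.
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(SOI)
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            out += jpeg[pos:]  # scan data and EOI: keep as-is
            return bytes(out)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = jpeg[pos + 4:end]
        if not (marker == APP1 and payload.startswith((EXIF_PREFIX, XMP_PREFIX))):
            out += jpeg[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no SOS marker found")


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF APP0, a fake Exif APP1, a zeroed DQT, then SOS/EOI.
EXIF_PAYLOAD = EXIF_PREFIX + b"II*\x00\x08\x00\x00\x00" + b"<GPS IFD placeholder>"
SAMPLE_JPEG = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, EXIF_PAYLOAD) + _segment(0xDB, bytes(65))
               + bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\x56" + b"\xff\xd9")
```

Run it on an uploaded file's bytes before storing or re-serving the image; the output keeps the JFIF header and quantization tables, so ordinary decoders still accept it.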
15. WebViews
• Introduces web based vectors (XSS, CSRF, etc.)
• WebView JS may be invoked and take parameters from native code
• Some configurations can invoke native code from JS
• Caching can be an issue (NSURLConnection)
16. C Memory Management
• Dangerous functions should still be avoided (strcpy(), strcmp())
• Memory should still be properly cleaned when using malloc(), free(), realloc(), etc.
17. Static Analysis (iOS)
• iOS IPAs can be decrypted with a memory dump at runtime.
• Examine archive and plist files.
• The binary can be examined like traditional compiled binaries (‘strings’, dump symbol table, etc.)
18. Static Analysis (Android)
• Android apps are packaged as APK files (can be extracted with any zip utility)
• Inspect package for build/debug artifacts
• Search code for hardcoded strings
• Useful to reconstruct code as Java
• Check for native code in /libs
• Examine AndroidManifest.xml
19. Personal Devices
• Consider how data can be leaked
• Consider what apps can invoke your application
• Consider what apps your application invokes
20. Hardware Concerns
• Huawei and ZTE are becoming popular smartphone manufacturers.
• Hardware is increasingly easy to manufacture.
21. Carrier Concerns
• Owners of customized Android ROMs must distribute updates themselves (they don’t).
• Millions of users are left with critical vulnerabilities.
22. Where are we?
• Not everything is terrible!
• iOS and Android provide ASLR, DEP and application sandboxes built in.
• ARMv8 introduces 64-bit CPUs
23. Where are we going?
• We are more functionality driven than ever
• Threats are more malicious than ever
• World population is growing
• Developing nations are increasingly technical