Mobile Security Assessment: 101
1. Intro to Mobile Security Assessment:
Tools and Techniques
Copyright 2012 WireHarbor Security, Inc.
2. Who am I?
• Founder/President - WireHarbor Security, Inc.
• Previously:
Led Global Application Security for F500 Insurance co.
• Focus on:
Application Security, Mobile Security, Source Code Review
• Partnerships:
4. Objectives - Security Assessment
• Determine the correct path to Exploitation.
• Many Attacks, Weaknesses and Impacts.
5. RULE #1: Mobile Security
Perform sensitive/confidential/dangerous operations OFF-DEVICE...
...also, we still can’t trust user input.
6. Mobile Assessment: Key Difference
• User-access to runtime environment
DEVS: **New perspective allows us to see everything you are doing**
VS...
7. Jailbreak vs. Rooting
• Jailbreak (iOS) - Users can break out of sandbox, but are still
limited by the Apple kernel. (Your iPhone is still an iPhone)
• Rooting (Android) - Implement a new kernel, turn your phone
into ???
9. Security Controls
• Reduced Attack Surface
• Code Signing/App Store Approval Process - iOS
Android is more of a free-for-all
• Sandboxing
• NX Memory
• ASLR/PIE (compiler flag)
Rarely used in 3rd party applications
• Certificate Verification
• Device Encryption
20. Techniques: XSS Injection
• XSS is in there too...
Be careful with WebKit. (UIWebView object)
“Of the 197 vulnerabilities, 142 are related to WebKit...”, ZDNet review of iOS 6
// Deliberately vulnerable: untrusted `user` is formatted straight into a JavaScript string literal
NSString *js = [[NSString alloc] initWithFormat:@"var v=\"%@\";", user];
[mywebView stringByEvaluatingJavaScriptFromString:js];
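The injection above happens entirely inside the JavaScript string that the Objective-C code hands to WebKit, so it can be demonstrated in plain JavaScript. The following is an added example, not code from the deck: it builds the script the way the slide does, builds it the hardened way (a JSON-serialised literal), and evaluates both with a stand-in for the WebView; the input value and all function names are constructed for the demo.

```javascript
// Added example (not from the original deck): how unescaped input breaks out of a
// JavaScript string literal handed to stringByEvaluatingJavaScriptFromString,
// and the fix (serialise the value as JSON so it can only ever be a string).

// Mirrors the slide's initWithFormat:@"var v=\"%@\";" -- raw concatenation.
function buildScriptUnsafe(user) {
  return 'var v="' + user + '";';
}

// Hardened form: JSON.stringify emits a quoted literal with quotes, backslashes
// and control characters escaped, so the value cannot terminate the string.
function buildScriptSafe(user) {
  return 'var v=' + JSON.stringify(user) + ';';
}

// Stand-in for the WebView: run the script and report what v ended up holding.
// The newline matters: a trailing "//" in the script must not swallow the return.
function evaluateInWebView(script) {
  return new Function(script + '\nreturn v;')();
}

// Constructed sample input: closes the literal and appends its own statement.
const hostileInput = '"; v = "INJECTED"; //';

// Returns what each construction leaves in v after evaluation.
function demo() {
  return {
    unsafe: evaluateInWebView(buildScriptUnsafe(hostileInput)),   // "INJECTED"
    safe: evaluateInWebView(buildScriptSafe(hostileInput)),       // the input, verbatim
  };
}
```

On the Objective-C side the equivalent of `JSON.stringify` is serialising the value with `NSJSONSerialization` (wrapped in an array, since older iOS versions reject bare fragments) instead of `initWithFormat:`.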
22. Techniques: Event Handler Abuse
• Apps can register their own handlers via plist files.
o [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"myapp://?foo=urb&blerg=gah"]];
26. Advanced Techniques: Objective-C (iOS) Primer
• Abstraction of Standard C
Based on Smalltalk
Designed to be “Object-oriented easy.”
The good old days:
Buffer Overflows, Format Strings, etc... RETURN!!!
27. Advanced Techniques: iOS Binary Inspection
• Object File display tool - otool (Xcode)
Display file headers (Mach-O and Universal)
Display Crypt segment info
Dump machine code
List Shared Libraries
• ARM Processors
RISC instruction set
Little-endian representation
28. Advanced Techniques: iOS Binary Inspection
• Universal Binaries
Contain multiple versions
o otool -f <file>
May be encrypted
o otool -l <file> | grep -B1 -A4 LC_ENCRYPTION_INFO
32. IDA Pro: What to look for?
• Using the Apple DEV reference
File Writes
Network Connections
Keychain Access
UI Form Fields
33. Advanced Techniques: iOS Runtime Manipulation
• Cycript - Javascript/Obj-C Interpreter
Hook active apps via Mobile Substrate
Interact with binaries in runtime using JS
http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript_Tricks
37. Advanced Techniques: iOS Runtime Manipulation
• What can we do with this?
Application Tracing/Logging (filesystem, network, etc...)
Turn off Jailbreak detection
Fake GPS data... (think: location-aware security)
The possibilities get scarier as trust grows...