SECURITY VULNERABILITIES IN
MOBILE APPLICATIONS
Kristaps Felzenbergs
Lead Security and Test Automation Engineer
ABOUT ME
- Lead Security and Test Automation Engineer at TestDevLab Ltd
- Certified Ethical Hacker
- DSS 2016 Speaker
IN THIS TALK
• Mobile apps in media
• The situation
• How do we test? (from outside to inside)
• Android apps
• iOS apps
• Conclusions
testdevlab.com
MOBILE APPS IN MEDIA
(picture slide)
http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/
http://www.techrepublic.com/article/1-2-million-infected-android-malware-hummer-could-be-biggest-trojan-ever/
Apple CEO Tim Cook released a statement arguing against the FBI's recent order to hack into
the San Bernardino shooter's iPhone 5c. (Jhaan Elker/The Washington Post)
By Ellen Nakashima February 17, 2016
https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02b905009f99_story.html
http://money.cnn.com/2016/03/28/news/companies/fbi-apple-iphone-case-cracked/index.html
STATISTICS
From Trustwave Global Security Report 2017:
• 99.7% of tested apps displayed at least one vulnerability
• 10% of the vulnerabilities Trustwave detected were classified as high-risk/critical
• 67% of breaches targeted payment card data
WHY IS THE SITUATION BAD?
• Developers are focused on features and not security
• Relying on your own custom encryption might not be the best choice (reinventing the wheel)
• Users are not well educated about security
• Users are easy targets for social engineering attacks
ATTACK GOALS
Credentials (to the services that you use)
Personal data
• Name
• Location
• Contacts
Credit card data
Access to your device (use your device for botnets and spamming)
HOW TO TEST APPS?
move from outside to inside
LET’S START WITH ANDROID
APPLICATION PERMISSIONS
• Check when installing the app
• Additional security added since Android 6.0 (API level 23)
TOOLS FOR ANDROID
ANDROID DEBUG BRIDGE
• A command-line utility
• Can control device over USB
• Copy files back and forth
• Install and uninstall apps
• Run shell commands
• …
LOGCAT
• A command-line utility
• Dumps:
• a log of system messages
• stack traces when the device throws an error
• messages written by the app with the Log class
EXTRACT THE APP
Extract the app for further investigation
Who knows what you might find..
HOW DO I EXTRACT?
Two ways:
1. Extract using ADB
2. Use an app to extract the app
STEP 1
DETERMINE THE PACKAGE NAME
Determine the package name of the app, e.g. “com.example.app”.
adb shell pm list packages
STEP 2
DETERMINE THE PATH
Get the full path of the APK file for the desired package.
adb shell pm path com.example.app
STEP 3
PULL IT FROM DEVICE
Pull the APK file from the Android device to your computer.
adb pull /data/app/com.example.app-1a.apk path/to/destination
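The three steps above, wrapped in one script. This is an added example, not code from the talk or from TestDevLab: it shells out to adb (which must be on PATH with a device attached) and keeps the parsing of adb's output in pure functions, so that part can be checked without a device. SAMPLE_PM_LIST and SAMPLE_PM_PATH are constructed adb output, not captured from a real phone; the script name and the output directory are my choices.

```python
"""Pull an installed app's APK from an Android device with adb.

Added example, not code from the original talk. It wraps the three adb steps
(list packages, resolve the APK path, pull the file). The parsers are pure
functions so they can be checked without a device; SAMPLE_PM_LIST and
SAMPLE_PM_PATH are constructed adb output, not captured from a phone.
"""
from __future__ import annotations

import subprocess
import sys
from pathlib import Path

# Constructed sample output of `adb shell pm list packages` and `adb shell pm path`.
SAMPLE_PM_LIST = "package:com.android.chrome\npackage:com.example.app\n"
SAMPLE_PM_PATH = (
    "package:/data/app/com.example.app-1a/base.apk\n"
    "package:/data/app/com.example.app-1a/split_config.arm64_v8a.apk\n"
)


def adb(*args: str) -> str:
    """Run one adb command (adb must be on PATH) and return its stdout."""
    result = subprocess.run(["adb", *args], capture_output=True, text=True, check=True)
    return result.stdout


def parse_package_list(output: str, needle: str = "") -> list[str]:
    """Step 1: turn `pm list packages` output ("package:<name>" per line) into names.

    Lines that do not start with "package:" (warnings adb prints, blank lines) are
    skipped; `needle` narrows the list to names containing that substring.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name = line[len("package:"):]
            if needle in name:
                names.append(name)
    return names


def parse_apk_paths(output: str) -> list[str]:
    """Step 2: turn `pm path <pkg>` output into on-device APK paths.

    Apps installed as App Bundles report several lines: the base APK first, then
    config splits. All of them are needed for a complete review, so all are kept.
    """
    return [
        line.strip()[len("package:"):]
        for line in output.splitlines()
        if line.strip().startswith("package:")
    ]


def extract_apk(package: str, dest: Path) -> list[Path]:
    """Steps 2 and 3: resolve every APK of `package` and pull it into `dest`."""
    paths = parse_apk_paths(adb("shell", "pm", "path", package))
    if not paths:
        raise SystemExit(f"no APK path reported for {package}; is it installed?")
    dest.mkdir(parents=True, exist_ok=True)
    pulled = []
    for remote in paths:
        local = dest / Path(remote).name
        adb("pull", remote, str(local))
        pulled.append(local)
    return pulled


if __name__ == "__main__":
    # Usage: python extract_apk.py [package-name-substring] [destination-dir]
    needle = sys.argv[1] if len(sys.argv) > 1 else "example"
    dest = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("apks")
    for pkg in parse_package_list(adb("shell", "pm", "list", "packages"), needle):
        for local in extract_apk(pkg, dest / pkg):
            print("pulled", local)
```

With USB debugging enabled, `python extract_apk.py example ./apks` pulls every package whose name contains "example" into a folder per package. Split APKs are pulled as well, because the code you want to review may live in a config split rather than in base.apk.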
OR EXTRACT USING AN APP FROM GOOGLE PLAY
Might be faster if you don’t have ADB in your toolset
NOW WHEN YOU HAVE THE APP..
several things can be discovered..
SIGNATURE
Two application signing schemes
• JAR signing (v1 scheme)
• APK Signature Scheme v2 (v2 scheme)
JAR SIGNING (v1 scheme)
• Does not protect some parts of the APK (such as ZIP metadata)
• Offers a sizeable attack surface
• Consumes more time and memory while verifying the signature
APK SIGNATURE SCHEME V2 (v2 scheme)
• Introduced in Android 7.0 Nougat
• Contents of the entire APK are hashed and signed
• Signature check across the entire file
• Any modification to the APK invalidates the signature
HOW SHOULD I SIGN?
v1 scheme + v2 scheme = good
• v2 scheme speeds up the installation process on Android 7.0+
• Older platforms will ignore v2 signatures and will rely on the v1 scheme instead
KNOW HOW IT IS SIGNED
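To know how an APK is signed you only need to know where each scheme stores its data, which is what the two slides above describe. The script below is an added example, not code from the talk: it reports whether a v1 signature (files under META-INF/) and a v2 signing block (the "APK Signing Block" placed before the ZIP central directory, ending in the magic "APK Sig Block 42") are present. It locates the signatures but does not verify them; the sample APKs are constructed in memory and contain no real certificate or signature.

```python
"""Report which signing schemes an APK carries: v1 (JAR signing) and v2 (APK Signing Block).

Added example, not code from the original talk. It only locates the two signatures,
using the file layouts: a v1 signature is a set of files under META-INF/ (MANIFEST.MF,
a .SF file and a .RSA/.DSA/.EC signature block) inside the ZIP; a v2 (or v3) signature
is an "APK Signing Block" inserted right before the ZIP central directory and ending
with the 16-byte magic "APK Sig Block 42". Verifying the signatures themselves is
apksigner's job. The sample APKs below are constructed in memory and carry no real
cryptographic material.
"""
import io
import struct
import zipfile

V2_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
V2_BLOCK_ID = 0x7109871A  # ID of the v2 signature pair inside the signing block


def has_v1_signature(apk: bytes) -> bool:
    """v1: a .SF file plus a .RSA/.DSA/.EC block under META-INF/."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    return any(n.endswith(".SF") for n in names) and any(
        n.endswith((".RSA", ".DSA", ".EC")) for n in names
    )


def central_directory_offset(apk: bytes) -> int:
    """Find the End Of Central Directory record; its offset-of-CD field sits at byte 16."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def has_v2_signature(apk: bytes) -> bool:
    """v2/v3: an APK Signing Block (size | id-value pairs | size | magic) ends at the CD."""
    cd = central_directory_offset(apk)
    if cd < 24 or apk[cd - 16:cd] != V2_MAGIC:
        return False
    size_footer = struct.unpack_from("<Q", apk, cd - 24)[0]
    block_start = cd - 8 - size_footer  # both size fields exclude the leading 8 bytes
    if block_start < 0:
        return False
    size_header = struct.unpack_from("<Q", apk, block_start)[0]
    return size_header == size_footer


def signing_schemes(apk: bytes) -> list:
    return [name for name, ok in (("v1", has_v1_signature(apk)), ("v2", has_v2_signature(apk))) if ok]


# ---- constructed samples ------------------------------------------------------------

def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def add_fake_signing_block(apk: bytes, value: bytes = b"\x00" * 32) -> bytes:
    """Insert a correctly framed, cryptographically meaningless APK Signing Block."""
    cd = central_directory_offset(apk)
    pairs = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + V2_MAGIC
    out = bytearray(apk[:cd] + block + apk[cd:])
    # The central directory moved; patch its offset in the EOCD so the ZIP stays valid.
    struct.pack_into("<I", out, out.rfind(EOCD_SIG) + 16, cd + len(block))
    return bytes(out)


APP_FILES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
V1_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x00",  # placeholder, not a real PKCS#7 block
}
UNSIGNED_APK = build_zip(APP_FILES)
V1_APK = build_zip({**APP_FILES, **V1_FILES})
V1_V2_APK = add_fake_signing_block(V1_APK)

if __name__ == "__main__":
    for label, apk in (("unsigned", UNSIGNED_APK), ("v1", V1_APK), ("v1+v2", V1_V2_APK)):
        print(label, "->", signing_schemes(apk) or "none")
```

Read a real APK with `signing_schemes(Path("app.apk").read_bytes())`. An app that reports only "v1" is the case the slides warn about: ZIP metadata outside the signed entries is unprotected, and a v1-only signature is slower to verify. For the actual cryptographic verification use `apksigner verify --verbose --print-certs app.apk` from the Android build tools.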
WHAT’S NEXT?
Finding vulnerabilities!
REVERSE ENGINEERING
• You should know that an APK is actually a valid ZIP archive
• FIRST – UNZIP IT
• NEXT – disassemble or decompile
REVERSE ENGINEERING TO JAVA
• The decompiled code will be in short form (i.e., how it’s interpreted by the JVM)
• Might not be readable and won’t contain any comments
• Tools:
• Classy Shark by Google - https://github.com/google/android-classyshark
• Dex2jar - https://github.com/pxb1988/dex2jar
• JD-GUI - http://jd.benow.ca/
REVERSE ENGINEERING TO SMALI
.dex <------------------> .smali <--------------------- java source code
Smali is the most common human-readable format for dex
• Gives readable code in the smali language
• Can be modified and repackaged into an APK
• Tools:
• Apktool - https://ibotpeaches.github.io/Apktool/
APKTOOL
ONCE DISASSEMBLED..
take a closer look..
PERFORM A STATIC ANALYSIS
• HTTP endpoints
• Evaluate obfuscation
• Authentication strings
• Certificates
SEARCH FOR PLAIN HTTP ENDPOINTS
OBFUSCATION
the action of making something obscure, unclear or unintelligible
Things to check for:
• Developer’s code
• Third-party libs
• Obfuscation level
EXAMPLE OF NON-OBFUSCATED CODE
EXAMPLE OF OBFUSCATED CODE
AUTHENTICATION SECRETS
• BASE64 strings
• Tokens
https://github.com/dxa4481/truffleHog
STATIC ANALYSIS RECAP
Focus on:
• HTTP endpoints
• Obfuscation
• Authentication secrets
Try to look for:
• Certificates
• Misconfigurations in the Android Manifest
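The "search for plain HTTP endpoints" and "authentication secrets" steps of the recap can be automated over the apktool or dex2jar output. The scanner below is an added example, not code from the talk or from truffleHog; it applies the same ideas on plain text: http:// URLs (cleartext endpoints), Base64 strings that decode to readable text, high-entropy tokens (the Shannon-entropy heuristic truffleHog popularised, with its 4.5 bit threshold) and string literals next to words such as api_key or token. SAMPLE_FILES is a constructed smali tree; the key-looking values in it are made up.

```python
"""Scan decompiled/disassembled app sources for plain HTTP endpoints and hard-coded secrets.

Added example, not code from the original talk. Run it over an apktool or dex2jar
output tree (it works on any text, smali or Java). SAMPLE_FILES is a constructed
smali tree used to exercise the scanner; its secrets are made up.
"""
from __future__ import annotations

import base64
import binascii
import math
import re
from pathlib import Path

HTTP_URL = re.compile(r'https?://[^\s"\'<>]+')
# XML namespaces and similar non-endpoints that decompiled Android code is full of.
IGNORED_HTTP_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/")
BASE64ISH = re.compile(r'(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])')
TOKEN = re.compile(r'[A-Za-z0-9+/=_\-]{20,}')
SECRET_HINT = re.compile(r'(api[_-]?key|secret|token|password|authorization)', re.I)
STRING_LITERAL = re.compile(r'"([^"]{8,})"')
ENTROPY_THRESHOLD = 4.5  # bits per character; truffleHog's threshold for Base64-alphabet strings


def shannon_entropy(s: str) -> float:
    """Bits per character; 30 distinct characters score log2(30) = 4.9, "aaaa" scores 0."""
    total = len(s)
    return -sum(s.count(c) / total * math.log2(s.count(c) / total) for c in set(s))


def decode_printable_base64(candidate: str) -> str | None:
    """Return the decoded text when `candidate` is valid Base64 of printable ASCII, else None."""
    if len(candidate) % 4:
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_text(text: str, path: str = "<input>") -> list[dict]:
    """Scan one file's content; each finding is {"kind", "value", "path", "line"}."""
    findings: list[dict] = []

    def add(kind: str, value: str, lineno: int) -> None:
        findings.append({"kind": kind, "value": value, "path": path, "line": lineno})

    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HTTP_URL.finditer(line):
            url = m.group(0)
            if url.startswith("http://") and not url.startswith(IGNORED_HTTP_PREFIXES):
                add("plain-http", url, lineno)
        for m in BASE64ISH.finditer(line):
            decoded = decode_printable_base64(m.group(0))
            if decoded is not None:
                add("base64-text", decoded, lineno)
        for m in TOKEN.finditer(line):
            if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
                add("high-entropy", m.group(0), lineno)
        if SECRET_HINT.search(line):
            for literal in STRING_LITERAL.findall(line):
                add("keyword", literal, lineno)
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: content} mapping (used for the constructed sample)."""
    return [f for path, content in files.items() for f in scan_text(content, path)]


def scan_tree(root: Path, suffixes: tuple = (".smali", ".java", ".xml", ".json", ".properties")) -> list[dict]:
    """Scan a decoded app directory, e.g. the output folder of `apktool d app.apk`."""
    files = {str(p): p.read_text(errors="ignore") for p in root.rglob("*") if p.suffix in suffixes}
    return scan_files(files)


# Constructed sample: two smali files in the shape apktool produces.
SAMPLE_FILES = {
    "smali/com/example/app/Api.smali": (
        ".class public Lcom/example/app/Api;\n"
        'const-string v0, "http://api.example.com/v1/login"\n'
        'const-string v1, "https://api.example.com/v1/profile"\n'
        'const-string v2, "http://schemas.android.com/apk/res/android"\n'
    ),
    "smali/com/example/app/Config.smali": (
        '.field public static final API_KEY:Ljava/lang/String; = "Q7x9mK2pL5vN8rT1wY4zB6cD3fG0hJ"\n'
        'const-string v0, "dGhpcyBpcyBhIHRlc3Qgc2VjcmV0IHZhbHVlIDEyMzQ1"\n'
        'const-string v1, "Loading, please wait..."\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']}: {f['value']}")
```

After `apktool d app.apk -o app-decoded`, call `scan_tree(Path("app-decoded"))`. Expect noise from third-party libraries: the same findings in a library package usually matter less than in the developer's own package, which is why the slides separate "developer's code" from "third-party libs". The entropy test deliberately fires on anything key-shaped, so treat "high-entropy" hits as leads to confirm, not as vulnerabilities.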
LET’S GET TO THE ACTION
DYNAMIC RUNTIME ANALYSIS
• STORAGE
• NETWORK
UNLOCK YOUR DEVICE
STORAGE
Where to look for things?..
• What data stores are available to an application?
• Where should secrets not be stored?
USING INTERNAL STORAGE
• By default, files that are created on internal storage are accessible only to that application
• Android implements this protection, and it’s sufficient for most applications
USING EXTERNAL STORAGE
• Files created on external storage, such as SD cards, are globally readable and writable
• External storage can be removed by the user and modified by any application
this is not a place for sensitive data
USING CONTENT PROVIDERS
An interface for sharing data between applications
Exposes URIs starting with “content://”
EXAMINE THE MANIFEST
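Examining the manifest for content providers is a mechanical check once apktool has decoded AndroidManifest.xml. The script below is an added example, not code from the talk: it flags providers that other apps can reach (exported and not guarded by android:permission, readPermission or writePermission), providers that leave android:exported unset (the platform default was "exported" for older target SDKs), and the application-level flags android:debuggable, android:allowBackup and android:usesCleartextTraffic. SAMPLE_MANIFEST is a constructed manifest with one open, one unset and one guarded provider.

```python
"""Audit a decoded AndroidManifest.xml (as produced by `apktool d`) for exposure risks.

Added example, not code from the original talk. SAMPLE_MANIFEST is constructed
for the example; the provider names and authorities in it are made up.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element: ET.Element, name: str) -> str | None:
    """Read an attribute from the android: namespace, e.g. android:exported."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text: str) -> list[tuple[str, str]]:
    """Return (finding, subject) pairs for the given manifest text."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []
    app = root.find("application")
    if app is None:
        return [("no-application-element", "manifest")]

    if android_attr(app, "debuggable") == "true":
        findings.append(("debuggable", "application"))
    if android_attr(app, "allowBackup") != "false":  # defaults to true when absent
        findings.append(("allow-backup", "application"))
    if android_attr(app, "usesCleartextTraffic") == "true":
        findings.append(("cleartext-traffic", "application"))

    for provider in app.findall("provider"):
        name = android_attr(provider, "name") or "<unnamed>"
        exported = android_attr(provider, "exported")
        guarded = any(
            android_attr(provider, a) for a in ("permission", "readPermission", "writePermission")
        )
        if exported is None:
            # Older target SDKs defaulted providers to exported; make the intent explicit.
            findings.append(("provider-exported-unset", name))
        elif exported == "true" and not guarded:
            # Any app on the device can query content://<authority> on this provider.
            findings.append(("exported-provider-no-permission", name))
    return findings


def audit_manifest_file(path: Path) -> list[tuple[str, str]]:
    return audit_manifest(path.read_text())


# Constructed manifest with one open provider, one unset provider and one guarded provider.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <provider android:name=".NotesProvider" android:authorities="com.example.app.notes"
              android:exported="true"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.app.cache"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.app.safe"
              android:exported="true" android:permission="com.example.app.ACCESS_SAFE"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding, subject in audit_manifest(SAMPLE_MANIFEST):
        print(f"{finding}: {subject}")
```

Run it on a decoded app with `audit_manifest_file(Path("app-decoded/AndroidManifest.xml"))`. An exported provider without a permission is the manifest-level counterpart of the storage slides: data the app keeps in internal storage is private, but a provider over that data hands it to any app that knows the content:// authority.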
NETWORK
What to look for?..
• Plain data in transit
• SSL pinning
TECHNIQUES TO CATCH PLAIN DATA IN TRANSIT
Techniques:
• A tool: mitmproxy
• Creating a MiTM environment
• Applying SSL stripping
MITM ENVIRONMENT
USE A PROXY SERVICE
https://mitmproxy.org/
MAKE IT SEAMLESS
APPLY SSL STRIPPING
https://tools.kali.org/information-gathering/sslstrip
SSL PINNING
Assures that the app talks to what you think it talks to
Prevents MiTM attacks
The process of associating a host with its expected X.509 certificate or public key
https://drive.google.com
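What "associating a host with its expected certificate or public key" looks like in code. This is an added example, not code from the talk: a pin is the SHA-256 of either the whole DER certificate or only its SubjectPublicKeyInfo (SPKI); SPKI pins survive a certificate renewal that keeps the same key, which is why apps usually pin those. The small DER walker extracts the SPKI without third-party libraries. SAMPLE_CERT is a constructed DER skeleton with a real certificate's structure but no genuine key or signature; it exists only to exercise the parser and the pin comparison, and connect_pinned is the only function that touches the network.

```python
"""Check a server's leaf certificate against a pin (SPKI hash or whole-certificate hash).

Added example, not code from the original talk. SAMPLE_CERT is a constructed DER
skeleton, not a real certificate.
"""
import base64
import hashlib
import socket
import ssl


def _tlv(buf: bytes, pos: int) -> tuple:
    """Read one DER tag-length header at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> list:
    """Split a constructed value's content into its (tag, raw TLV bytes) children."""
    out = []
    while start < end:
        tag, _, ce = _tlv(buf, start)
        out.append((tag, buf[start:ce]))
        start = ce
    return out


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> [version], serial, sigAlg, issuer, validity, subject, SPKI."""
    _, cert_cs, _ = _tlv(cert_der, 0)
    _, tbs_cs, tbs_ce = _tlv(cert_der, cert_cs)
    fields = _children(cert_der, tbs_cs, tbs_ce)
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]


def pin_of(der: bytes) -> str:
    """SHA-256 of the DER bytes, Base64 encoded: the format used by OkHttp/HPKP pins."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode()


def check_pins(cert_der: bytes, spki_pins: set, cert_pins: set = frozenset()) -> bool:
    """True when the leaf's SPKI hash or whole-certificate hash matches a configured pin."""
    return pin_of(spki_from_certificate(cert_der)) in spki_pins or pin_of(cert_der) in cert_pins


def connect_pinned(host: str, port: int, spki_pins: set) -> bool:
    """Normal TLS validation first, then the pin: a proxy certificate from any CA fails the pin."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
    return check_pins(leaf, spki_pins)


# ---- constructed certificate skeleton --------------------------------------------

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
# SPKI longer than 127 bytes so that long-form lengths are exercised; key bytes are filler.
SAMPLE_SPKI = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x42" * 140))
SAMPLE_CERT = _der(0x30,
    _der(0x30,                                  # tbsCertificate
        _der(0xA0, _der(0x02, b"\x02"))         # [0] version: v3
        + _der(0x02, b"\x01\x23")               # serialNumber
        + _der(0x30, SHA256_RSA_OID)            # signature algorithm
        + _der(0x30, b"")                       # issuer (empty in the skeleton)
        + _der(0x30, b"")                       # validity (empty in the skeleton)
        + _der(0x30, b"")                       # subject (empty in the skeleton)
        + SAMPLE_SPKI)
    + _der(0x30, SHA256_RSA_OID)                # signatureAlgorithm
    + _der(0x03, b"\x00" * 17))                 # signatureValue (not a real signature)
```

To test an app's pinning from the proxy side, the check you are looking for is exactly check_pins: when mitmproxy's certificate is accepted although its SPKI hash is not in the pin set, the app is not pinning. `pin_of` on the bytes returned by `getpeercert(binary_form=True)` gives the whole-certificate pin; pass them through `spki_from_certificate` first for the key pin.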
RUNTIME ANALYSIS RECAP
Focus on:
• Storage and what is stored
• Network and data flowing
Try to look for:
• Advanced measures like SSL pinning
SUMMARY FOR ANDROID
• Evaluate the app before installing (check permissions)
• Prepare your environment
• Get familiar with ADB
• Use logcat to observe device activity
• Decompile and get into the source code, check misconfigurations
• Run the app and check what is stored and what is transmitted over the network
TIME FOR iOS
A MUCH HARDER NUT TO CRACK
• iOS strictly enforces application boundaries and sandboxing
• Apps cannot communicate directly
• Written in native Objective-C or Swift
JAIL-BREAKING IS JUST THE BEGINNING
• Involves finding an exploit in the kernel that allows unsigned code to run
• Can be tethered, meaning you have to boot the device while connected to a laptop and run the jailbreak code every time you restart
• Or untethered, meaning once it’s jail-broken, it will remain so after reboots
STATIC ANALYSIS
REVERSE ENGINEERING
An IPA is a valid zip file as well
Might contain sensitive data outside the binary in case of poor programming
REVERSE ENGINEERING iOS APPS
Apps are native ARM
Tools:
• IDA Pro
• otool
• nm
• class-dump
REVERSING WITH IDA PRO
INVESTIGATE CACHES
• SSH into a jail-broken device
• Find the target application’s install folder and look for the Library/Caches directory
CHECK DATA IN KEYCHAIN
RUNTIME ANALYSIS POSSIBLE?
• Most iOS apps are written in Objective-C and link to the Objective-C runtime
• Objective-C is a superset of C, with macros to make a Smalltalk-like syntax
• It’s also a “reflective” language – it can alter itself at runtime
• Harder to reverse, but WAY easier to hook
• “Method swizzling” is a feature of the Objective-C runtime
• Allows swapping method implementations at runtime
• What could possibly go wrong?
https://www.owasp.org/images/c/cf/ASDC12-Mobile_Application_Security_Who_how_and_why.pdf
SUMMARY FOR iOS
• Get familiar with the contents of the IPA archive
• Set up tools and get familiar with debuggers and disassemblers
• Hook into the active running process
• Run the app and check what is stored and what is transmitted over the network
FINAL THOUGHTS
• Test the app on a jail-broken or rooted device to see what can be seen
• Examine app package contents thoroughly
• Get a clear view of what is stored and what is transmitted
www.testdevlab.com
THANK YOU!
Editor's Notes

  1. Hi! My name is Kristaps and today I am going to talk about security vulnerabilities in mobile applications and the things that you need to know to reveal them.
  2. I am currently employed by TestDevLab Ltd, a quality assurance company, where I work as Lead Security and Test Automation Engineer. My day-to-day work is related to test and test infrastructure development. I am a Certified Ethical Hacker and Certified Security Analyst, and I was a Data Security Solutions 2016 speaker, where I gave a talk about Security Risks and Common Mistakes in Mobile Application Development. Besides that, I am passionate about security, so whenever there is a new product in my hands I try to evaluate its functionality in terms of security, to see if I can find something interesting by digging deeper. So today I am going to present some ways to dig deeper and look under the hood of mobile applications.
  3. First we will have a short look at vulnerabilities in mobile applications reported in daily news. Then I am going to talk a bit about statistics of known and reported vulnerabilities. After that I am going to dig into the main part, where I will cover tips and tricks on how to test Android and iOS mobile applications for security vulnerabilities. Please don't mind that there will be much more information on Android apps than on iOS, as most of my experience is with Android. However, I will try to cover some interesting things that you can do with iOS as well, so bear with me. Finally I will present my thoughts about vulnerabilities and test strategies for Android and iOS mobile apps. So let's get started.
  4. As I mentioned, let's take a quick look at the current situation and see if we can find some major vulnerabilities reported in daily news.
  5. A really quick search came up with some pretty interesting articles related to Android vulnerabilities. In the upper picture we see a Trojan which infects your Android phone in order to attack your router. OK, this seems pretty major. The article was published in January 2017, so early this year. The lower picture shows an article about Android malware named "Hummer" infecting 1.2 million devices. Was it the biggest Trojan ever? Could be! It was published in June 2016. What about iOS? Is it safe and secure?
  6. Year 2015, San Bernardino shooting. The FBI requested that Apple unlock the terrorist's iPhone. Of course Apple refused to do so, because if they did, would Apple users still trust them with their data?
  7. Anyway, a short time later the FBI claimed that they had gained access to the terrorist's iPhone without Apple's help. I don't have more insight into this and cannot explain how they did it. It just makes me think that nothing is safe and everything can be hacked; it is just a matter of the time and resources that you are willing to spend.
  8. So here are a few statistics which I extracted while reading the Trustwave Global Security Report 2017. Trustwave issues such a report yearly, so I consider it a good resource for security vulnerability and threat statistics. It seems that almost 100% of their tested applications displayed at least one vulnerability; 10% of the vulnerabilities that they detected were classified as high-risk, meaning that they might harm your personal data; and 67% of data breaches actually targeted payment card data.
  9. Why is the situation as it is? Mostly because we always think of new features first and only then of security. Besides that, there are cases where you want to build something on your own that already exists. I suggest that you never do that with encryption-related things. Do not reinvent the wheel, at least not if you don't know exactly what you are doing. The other thing is that users are still not well educated about security, and they are easy targets for social engineering attacks.
  10. Let's have a look at attack goals. Top #1: credentials. Everyone wants your credentials to the services that you use. Personal data: your name, your location, your daily routes, the places you visit, your contacts and relationships. Credit card data: card number, expiration date and card verification value; that is all that is needed to use your card for online purchases. And finally, access to your device: once that is possible, your device can become part of a botnet or a spamming network. All of this can be achieved by installing a single harmful mobile application which fights its way through the system and infects your phone.
  11. So how do we test applications for security vulnerabilities? My suggestion is that you move from outside to inside. Meaning: first evaluate what can be evaluated even before installing the app; then proceed with installing it; then dig deeper and proceed with the next things.
  13. So the first security check that can be performed is to see what kind of permissions the user is asked to accept prior to installing the app. Android 6.0 implements additional security checks, where the developer needs to explicitly ask the user to accept a given permission at runtime. Previous versions of Android ask the user to accept all the required permissions before the installation of the app. On the right you can see the app which I always like to show as a bright example: it asks for every possible permission, but it's just a flashlight and your personal data harvester. Don't install it. OK. Before we move further, let's have a look at a couple of tools which you definitely want to use to dig deeper into investigating Android apps.
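The permission check described in note 13, as an added example (not code from the talk): the script reads the "requested permissions" block that `adb shell dumpsys package <pkg>` prints for an installed package and flags the entries with Android's "dangerous" protection level, which are the ones Android 6.0 and later prompt for at runtime. It assumes adb is on PATH with one authorized device connected; the DANGEROUS list is a subset chosen for this example rather than Android's full protection-level table, and the dumpsys excerpt embedded for offline use is constructed.

```shell
#!/bin/sh
# Added example (not from the talk): list the permissions an installed package
# requests and flag those with Android's "dangerous" protection level, i.e.
# the ones Android 6.0+ prompts for at runtime. Assumes adb is on PATH and
# one authorized device is connected. DANGEROUS is a subset chosen for this
# example, not the complete Android table.

DANGEROUS='android.permission.READ_CONTACTS android.permission.WRITE_CONTACTS
android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_COARSE_LOCATION
android.permission.CAMERA android.permission.RECORD_AUDIO
android.permission.READ_SMS android.permission.SEND_SMS
android.permission.READ_PHONE_STATE android.permission.READ_CALL_LOG
android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE'
# Single-line, space-delimited copy so a case pattern can match whole names.
DANGEROUS_FLAT=" $(printf '%s' "$DANGEROUS" | tr '\n' ' ') "

# stdin: output of `dumpsys package <pkg>`; stdout: the names listed under the
# "requested permissions:" header, one per line. The block ends at the first
# line that is not a bare permission name (e.g. "install permissions:").
requested_permissions() {
    awk '
        /requested permissions:/ { inblock = 1; next }
        inblock && /^[ \t]*[A-Za-z0-9_.]+[ \t\r]*$/ { gsub(/[ \t\r]/, ""); print; next }
        inblock { inblock = 0 }
    '
}

# stdin: permission names, one per line; stdout: those found in DANGEROUS.
flag_dangerous() {
    while IFS= read -r perm; do
        case "$DANGEROUS_FLAT" in
            *" $perm "*) echo "$perm" ;;
        esac
    done
}

# Live check against the connected device: audit_package <package>
audit_package() {
    adb shell dumpsys package "$1" | requested_permissions | flag_dangerous
}

# Constructed dumpsys excerpt (layout follows real output, values are made up)
# so the parsing can be exercised without a device.
SAMPLE_DUMPSYS='Packages:
  Package [com.example.flashlight] (1a2b3c4):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.FLASHLIGHT
    install permissions:
      android.permission.INTERNET: granted=true'

# Prints the dangerous permissions found in SAMPLE_DUMPSYS.
demo_audit() {
    printf '%s\n' "$SAMPLE_DUMPSYS" | requested_permissions | flag_dangerous
}
```

Run `audit_package com.example.flashlight` against a device, or `demo_audit` without one. A flashlight that requests contacts and fine location, as in the constructed sample, is exactly the kind of mismatch between function and permissions that this check is meant to surface before the app is installed.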
  15. ADB, the Android Debug Bridge. I hope that every one of you knows it and is using it already. It's a command line utility: you can install apps, control your Android device over USB, perform file transfers, run different shell commands and send keyboard input. You can get it by installing the Android SDK from Google.
  16. Logcat is another command line utility, which is built into the Android operating system. You can access it via adb or once you are connected to your Android shell. It provides very verbose logging of the different kinds of processes running on the Android device. Some of the important things that you might want to see are stack traces when the device throws an error or when the app crashes, and messages that are written in the app code using the Log class.
  17. So the next thing that you want to do, once you are familiar with the common Android tools like adb and logcat, is to extract the actual app from your Android device. The reason is that it is not as effective to work with the app on the phone as on your computer. So let's have a look at the strategies for extracting the app from the phone.
  18. Basically there are two very common ways of doing it. First, extract it using the command line utility, the Android Debug Bridge. Second, use an Android app to extract the Android app.
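The first of the two ways from note 18, extraction over adb, as an added example (not the talk's own code): `pm path` reports where the package's APK files live on the device, and `adb pull` copies them to your computer. It assumes adb is on PATH with one authorized device connected; the package name and device paths in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): pull an installed app's APK files off an
# Android device with adb. Assumes adb is on PATH and exactly one authorized
# device is connected. `pm path` and pulling from /data/app normally work
# without root, since installed APKs are world-readable.

# stdin: output of `adb shell pm path <package>`, one "package:<path>" line per
# APK (several for apps shipped as split APKs; all of them are needed to
# rebuild the app). stdout: the device paths, one per line, CR stripped.
pm_path_to_files() {
    sed -n 's/^package://p' | tr -d '\r'
}

# Usage: extract_apk <package> [outdir]. Pulls every APK of the package into
# outdir (default ./<package>) and prints the number of files pulled.
extract_apk() {
    pkg="$1"
    outdir="${2:-./$1}"
    paths=$(adb shell pm path "$pkg" | pm_path_to_files)
    if [ -z "$paths" ]; then
        echo "extract_apk: package $pkg is not installed on the device" >&2
        return 1
    fi
    mkdir -p "$outdir"
    n=0
    for p in $paths; do
        adb pull "$p" "$outdir/" >/dev/null || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed `pm path` output for a split-APK install, used to exercise the
# parser without a device.
SAMPLE_PM_PATH='package:/data/app/com.example.app-1/base.apk
package:/data/app/com.example.app-1/split_config.arm64_v8a.apk'

# Prints the device paths the sample yields. SAMPLE_PM_PATH is expanded
# unquoted on purpose: one argument per line, so printf appends a CR to each
# line the way older adb builds did.
demo_paths() {
    printf '%s\r\n' $SAMPLE_PM_PATH | pm_path_to_files
}
```

Typical use is `extract_apk com.example.app ./com.example.app`, after which the pulled base and split APKs can be unpacked and inspected on the computer. The CR stripping matters because some adb versions emit `\r\n` line endings from `adb shell`, which would otherwise leave an invisible character at the end of each path and make the pull fail.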
  35. Now let's move to the part where you are actually running the app.