Mobile Penetration Testing: Episode 1 - The Forensic Menace
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Episode I: THE FORENSIC MENACE
Episode I: THE FORENSIC MENACE
Episode II: RETURN OF THE NETWORK/BACK-END
Episode III: ATTACK OF THE CODE
Connect
Twitter: @NowSecureMobile
Subscribe to #MobSec5, our weekly mobile security news digest: http://mobsec5.nowsecure.com/
Web: nowsecure.com
Katie Strzempka
Director of Mobile Services | NowSecure
Contents
● Areas of analysis/coverage
● Forensics deep dive: Mobile data at rest
● Approaching Android
● Approaching iOS
Your analysis checklist (a must have)
● Why a checklist?
○ Consistency across results & teams
○ Creates a minimum baseline for security
● Creating your checklist
○ Internal policies
○ OWASP Top 10, NIAP (for government), etc.
○ Group into high-level categories
○ Break down categories into specific tests
● Allow analysts some leeway to get creative
A repeatable process drives consistency and metrics
● Establish testing requirements
● Identify areas for interpretation/creativity
● Help with on-boarding & training staff
● Show developers what and how you will test
● Explain what must be fixed & what’s accepted
● Ensure full coverage (more on that later)
● Repeatability allows for measurement
● Make reporting consistent
For inspiration, see:
OWASP Mobile Security Testing Guide
Areas of analysis/coverage:
● Mobile forensics & data recovery
● Network, web services, and API testing
● Server-side penetration testing
● Reverse engineering & code analysis
“You know that [little droid leaking data] is going to
cause me a lot of trouble.”
Where on a mobile device can data-at-rest be found?
● SD card / emulated SD card (Android)
● System log files
● RAM
● Source code (hardcoded)
● Web cache/history (hybrid/web-wrapper apps)
● Private application folder
● Keychain
What tools will allow you to achieve your data recovery and analysis objectives?
● Standard forensic acquisition software will recover file system
● But it won’t:
○ Decrypt Keychain to see if sensitive values are stored
○ Recover syslog files (requires a special Cydia package)
○ Extract memory for running app processes
● Command-line knowledge is required for open-source tools
● The wrong tools can lead you down a tedious, time-consuming path
Sharpest tools in the shed (target: relevant tools and/or documentation)
● File system
○ Android: Android Debug Bridge (i.e., the “adb pull” command)
○ iOS: libimobiledevice
● System log files
○ Android: logcat command-line tool
○ iOS: syslog (instructions for non-developers)
● iOS Keychain
○ iOS Keychain analyzer
● RAM
○ Android: Android Debug Bridge (i.e., “adb dumpsys meminfo”)
○ iOS: heapdump-ios
A full suite of mobile tools: Santoku Linux
Prioritize findings by risk (likelihood + significance + value)
● Risk depends on location of data
● Take into consideration:
○ Sensitivity of the data
○ Likeliness of exploit
○ Remote vs. local attack
● Common Vulnerability Scoring System (CVSS) is one framework for assigning risk to vulnerabilities
[Chart: risk plotted by Likelihood vs. Significance]
“[Droid Android], please!”
Requirements for Android forensic analysis
● Rooted Android device w/ USB cable (we’ll be using a Google Nexus 5)
● Linux machine or VM w/ Android Studio tools (may we recommend Santoku Linux?)
Where does data “rest” on Android?
Common storage areas
● Private application folder*
● SD Card / Emulated SD Card*
● System log files
● RAM
● Hard-coded data in source code
● Web cache/history (for hybrid/web wrapper apps)
Step 1: Locate your app (adb)
Access the device shell:
Locate the app data directory:
Find the app’s private directory:
Step 2: Pull app data off phone
Pull data from the SD card/app directory (adb pull <data-path-source> <destination>):
Step 3: Analyze app data
App files recovered from Any.do Android app:
“The [Emperor iOS] is not as forgiving as I am.”
Requirements for iOS forensic analysis
● Linux machine or VM (again, give Santoku Linux a try)
● Jailbroken iOS device (≤ 9.3.3) w/ USB cable (we’ll be using an iPhone 6)
● Remote connection (SSH) & secure copy (SCP); instructions here
Where does data “rest” in iOS?
Common storage areas
● Private application folder*
● Syslog
● RAM
● Keychain
● Hard-coded values
● Web cache/history (for hybrid/web wrapper apps)
Step 1: Locate your app
Remotely connect to your iOS device
App bundles and data location:
App bundles location:
App data location:
Step 1 (continued): Locate your app
Sort by most recently installed:
Change into that directory/make sure it’s the target app:
Step 2: Pull app data off phone
Make note of the full path from the previous step:
/private/var/mobile/Containers/Data/Application/983FCB4E-E5B5-4C8C-A4AF-F9139FE74EC3 (for example)
SCP command to copy files from the app folder:
Step 3: Analyze app data
App files recovered from Any.do iOS app:
Pointers to keep in mind during forensic analysis
● SQLite databases, plist, and XML files are common: find your favorite viewers
● When searching for data in large files, command-line tools are best: try grep
● Look for data stored as common hashes/encodings (base64, md5, sha256, etc.)
● iOS apps use the “Cache.db” file, which often contains large amounts of data
● Don’t limit yourself: explore storage locations beyond those discussed today!
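As an added example (not part of the NowSecure deck or its tooling), the Python script below applies these pointers to the Step 3 “Analyze app data” stage on either platform: given a folder already pulled with adb pull or scp, it identifies SQLite, binary plist and XML files by their magic bytes, extracts every text cell from every SQLite table, and greps for base64 blobs, md5/sha256 hex digests and password-like key names. The folder layout, file names and contents it builds for itself are constructed, not the Any.do data shown on the slides.

```python
import base64, hashlib, re, sqlite3, tempfile
from pathlib import Path

# Containers the slides call out, recognised by magic bytes (iOS Cache.db is a SQLite file too)
MAGIC = {b"SQLite format 3\x00": "sqlite", b"bplist00": "bplist", b"<?xml": "xml"}
PATTERNS = {  # the "common hashes/encodings" plus key names worth grepping for
    "digest": re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{64})\b", re.I),  # md5 / sha256 hex
    "base64": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])"),
    "keyword": re.compile(r"\b(?:password|passwd|secret|api[_-]?key)\b", re.I),
}

def classify(path):  # identify a file by magic bytes, not by its (possibly misleading) extension
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((k for magic, k in MAGIC.items() if head.startswith(magic)), "other")

def text_chunks(path, kind):  # yield every TEXT cell of every table for SQLite, raw bytes otherwise
    if kind != "sqlite":
        with open(path, "rb") as fh:
            yield fh.read().decode("utf-8", "replace")
        return
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter the evidence
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for row in con.execute(f'SELECT * FROM "{table}"'):
            yield from (v for v in row if isinstance(v, str))
    con.close()

def scan(root):  # return (relative path, kind, pattern, token) for each suspicious value under root
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        kind = classify(path)
        for text in text_chunks(path, kind):
            for label, rx in PATTERNS.items():
                for tok in (m.group(0) for m in rx.finditer(text)):
                    if not (label == "base64" and re.fullmatch(r"[0-9a-fA-F]+", tok)):  # hex already = digest
                        findings.append((str(path.relative_to(root)), kind, label, tok))
    return findings

def build_sample(root):  # constructed stand-in for a pulled app folder (not the slides' Any.do data)
    prefs, db = Path(root, "shared_prefs", "prefs.xml"), Path(root, "databases", "app.db")
    prefs.parent.mkdir(); db.parent.mkdir()
    prefs.write_text('<?xml version="1.0"?>\n<map><string name="password">hunter2</string></map>\n')
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE session (id INTEGER, auth TEXT, pin_hash TEXT)")
    con.execute("INSERT INTO session VALUES (1, ?, ?)", (base64.b64encode(b"user:supersecretpassword").decode(),
                                                          hashlib.md5(b"password").hexdigest()))
    con.commit(); con.close()

def demo():  # build the sample in a scratch directory, scan it and return the findings
    with tempfile.TemporaryDirectory() as root: build_sample(root); return scan(root)
```

Call demo() to see the three hits on the constructed sample, or point scan() at a real pulled folder; an md5-looking value is reported once as a digest and deliberately not again as base64, since hex is a subset of the base64 alphabet.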
Create a checklist and document your process
Assign responsibility for various test coverage areas
Select the right tools to find/test for insecure data storage
Look for data in common areas (but don’t limit yourself)
If data is found, determine its value and the risk
Episode II: RETURN OF THE NETWORK/BACK-END
Next Thursday, December 15
1 p.m. CST / 11 a.m. PST
REGISTER NOW: http://bit.ly/2g7ZRXd