cdic 2013-mobile application pentest workshop

CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com

Advanced Mobile Penetration Testing

Application Attacks and Defense

27th – 28th February 2013, Centara Grand & Bangkok Convention Centre at Central World, Bangkok

www.cdicconference.com

Mr. Prathan PhongthiproekConsulting ManagerGIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+

http://www.cdicconference.com/




2

Speaker Profile

อ. ประธาน พงศ์�ทิ�พย์�ฤกษ์�

Mr. Prathan Phongthiproek

GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+

ACIS Professional Center

E-mail: [email protected]



Let’s Talk and Workshop

Introduction

Attack Vectors for Pentest

Pentest iOS App

Pentest Android App

Workshop !!

3



INTRODUCTION

4



Past few years…..

Just Mobile phone

– Phone calls

– Sending text message or MMS

– Alarm clock

– Calculator

– Listen music

Edge for Surf internet !!

5



Now…

3G, 4G and WIFI support on Mobile network

Became more intelligent – Smart Phones

– Sending email

– Surf internet

– Check-in for flights

– Online Banking transactions

– Social network (Facebook, Twitter, Instagram)

6



Now…

Companies started creating mobile applications to offer services to clients

– Storing and synchronizing data files in the cloud

– Participating in social network sites

– As the data that stored, processed and transferred can often be considered sensitive.

7



ATTACK VECTORS FOR PENTEST

8



Three Attack Surfaces

9

Server Side Infrastructu

re

Comm. Chann

el

Client Softwar

e

Client Software on Mobile device

Communications Channel

Server Side Infrastructure



Client Software

Packages are typically downloaded from an AppStore, Google Play or provided via Company website

Testing requires a device that is rooted or jailbroken for access to all files and folders on the local file system

Be able to decompiled, tampered or reverse engineered

10



Client Software

Attention points

– Files on the local file system

– Application authentication & authorization

– Error Handling & Session Management

– Business logic

– Decompiling and analyzing

11



iExplorer for iPhone

12



Profile.properties and user_info.pref.xml

13



Plist files

14



Decompiled

15




Channel between the client and the server (HTTPs, Edge-3G)

Testing with HTTP Proxy (Burp, ZAP) to intercept and manipulate alter traffic

If the application does not use the HTTP protocol, can use transparent TCP and UDP proxy like Mallory

16




Attention points

– Replay attack vulnerabilities

– Secure transfer of sensitive information

– SSLStrip for HTTPS via Wifi

– Setup SSL for Proxy

17



Sniff traffic

18



Server-Side Infrastructure

The attack vectors for the web servers behind a mobile application is similar to those use for regular websites

Perform host and service scans on the target system to identify running services

19




Attention points

– OWASP Top 10 vulnerabilities (SQL Injection, XSS, ...)

– Running services and versions

– Infrastructure vulnerability scanning

20



Real Case Study: Mobile App Pentest

Client Software

– Found backend path in Localizable.strings


– Access to port 8080 (Tomcat)

– Logged in with default tomcat username and password

– Upload Malicious JSP code into webserver (Bypass Symantec AV)

– Access to configuration file that contain database credentials

– OWNED !! Database Server

– Capture the Flag !!

21



Localizable.strings

22



Logged in with Default Tomcat credentials

23



Upload Malicious code

24



Backend Compromised

25



Database Compromised

26



PENTEST IOS APPLICATION

Fast Track

27



iOS Application

Distributed as “.ipa” file (Simply zip file)

Deployed as “.app” directories (Same as Mac OSX)

Objective-C

Data storage

– Plist files

– SQLite

– Binary data files28



Fast and Furious Step

Preparing a Device

– Jailbreak

Install Tools on Device

– Cydia (OpenSSH, MobileTerminal, Etc)

Install Tools on Workstation

– SSH Client

– Plist Editor

– SQLite Database Browser

– Wireshark, Burp proxy29




Read application’s data files

30




Setup Proxy for Intercept and Manipulate traffic data

31




32



PENTEST ANDROID APPLICATION

Fast and Furious

33



Android Application

Distributed as “.apk” file (Simply zip file)

Multiuser OS running DalvikVM

Android runs .dex files on DalvikVM

Data storage

– XML files

– SQLite

34



Android Application

35



Android and Java

36



Preparation Tools for Pentest

Android SDK Tools

– AVD Manager and ADK Manager

Java 5,6, or 7

Eclipse for code review purpose

MITM proxy Tools such as Burp

Dex2jar, JD GUI

37



Setting up the environment

38




39




40



Adb install <apk path>

41



Configuring the proxy

42



Configuring the proxy

43



Adb shell

44



Access Database via adb shell

45



Android Debug Bridge (ADB)

Packaged with the Android Software Development Kit

Essential adb commands:

– Adb devices: returns serial number of device(s) attached

– Adb kill-server: shuts down the adb daemon

– Adb shell: remote terminal

– Adb push: moves files from the local workstation to device

– Adb pull: moves files from the device to local workstation

– Adb remount: remounts the system partition on the device as read-write or write, depending on switch

– Adb forward: forwards adb traffic from one port to another

– Adb –h: help file for adb commands

46



Source Code Review

Convert the .apk file into .zip

Extract the zipped file, Found classes.dex

Dex2jar for convert .dex to .jar

Using JD GUI to open JAR file and review source code

47



Decompiled Application

48



Java Decompiler

49



Tip!! Prevent Application Reverse Engineering

50

ProGuard (Free) and DexGuard

– Obfuscator for Android

– Encrypt strings

– Encrypt entire classes

– Add tamper detection



WORKSHOP !!

51



Thank You

www.cdicconference.com



cdic 2013-mobile application pentest workshop

Technology

infrastructure client

mobile network

infrastructure access

client software packages

mobile applications

communications channel

mobile phone phone calls

g testing