Chris Cuevas, Senior Security Consultant, [email protected], Office: 904-639-6709
©2012 Secure Ideas LLC | http://www.secureideas.net
Hacking a Moving Target
Mobile Application Penetration
Chris Cuevas
• Security Consultant at Secure Ideas
• Open Source Advocate
– Contributor to SamuraiWTF and MobiSec
• Co-Author of Sec571: Mobile Device Security
• SANS Mentor – SEC504 Incident Handling and Hacker Techniques
• I piss off large corporations from time to time
– (shmoocon talk)
What I'll be talking about today
• iOS (yep, I have one of those devices)
– Device Overview
– Attacks
• Android (yep, I have one of those devices)
– Device Overview
– Attacks
• Blackberry (sorry, not my area of expertise)
• Attacking Mobile Applications
• Demo
Mobile Device Overview
• This is more important than some people think
• Understanding the attack surface is key to pulling off a successful attack
• What version of the underlying OS is running will drastically alter what attack options I have to work with
Apple Device Overview
• iPhone
– 5 generations of iPhone models
– 4 different storage capacities
– 5 major versions of the iOS operating system
• iPad
– 3 generations of iPad models
• WiFi only
• WiFi plus 3G
• WiFi plus 4G LTE
– 3 different storage capacities
– 3 versions of the iOS operating system
iOS Version Overview
• Originally iPhone OS for versions 1 and 2
• iOS version 3 (release of iPad)
– Find My Phone option added in MobileMe
– HTML5 support
• iOS version 4
– Encryption for user data
– Background location
– Find My iPhone
• iOS version 5
iOS App Store
• The iOS App Store is the official store
– Released in July of 2008
– Part of iOS 2.0.1
• The App Store has over 500,000 apps
– 18 billion downloads
• As of October 2011
• Accessible from a number of interfaces
– iOS
– iTunes
– Apple web site
• Apple vets applications before release
– They can revoke the application
Android Device Overview
• Android runs on a wide variety of devices
– Chosen by the hardware manufacturer
• CPU
– Qualcomm, Tegra2, Snapdragon, Cortex A9
• Storage
– From 512MB to 32GB
• The bootloader chosen by the carrier affects access
– Changes the image capabilities
Android Version Overview
• Android 2.2 – Froyo
– Improved Exchange support
• Android 2.3 – Gingerbread
– Switched from YAFFS to ext4
• Android 3.0 – Honeycomb
– Designed for tablets
• Android 4.0 – Ice Cream Sandwich
– Face Unlock
– Android Beam (NFC)
Android Markets
• Android has a number of marketplaces for applications
– Google Market
– Amazon App Store
– Vendor and carrier store fronts
• Applications can also be installed from the developer or a web site
• As with the variety of hardware, this variety of app sources causes difficulties
– Difficulties for the developers and organizations
– Controlling app sources is a problem
– Is the app installed the right one?
Mobile Attacks
Let's look at some of the types of attacks we see on mobile devices today
Malicious Applications
• Android
– Easy to anonymously sign apps to distribute through Android Market
– Google Bouncer (RootSmart for the bypass)
• iOS
– More difficult to bypass the vetting process, but not impossible
– RootSmart type bypass could work as well
• http://contagiominidump.blogspot.com/ (collection of mobile malware)
Malicious Web Sites
• Malicious JavaScript
– BeEF Hook
– Android browser has access to the SD card where application data is stored
• HTML5 compliant browsers FTW :-)
– Web Workers
– Web Storage
• Firefox and Chrome Extensions
Malicious Networks
• Lines are blurred between internal and external as the network is everywhere
– Cellular data plans still connect you to the internet
• WiFi hotspots
– Credential harvesting
– MiTM attacks
• Home networks
– Syncing an organizational device to a personal PC
MiTM Attacks
• I have to be physically near the device
• Session hijacking
– FaceNiff (FireSheep for Android)
• ARP poisoning
– If I'm the gateway, I control the flow of traffic
– Most apps communicate using HTTP
– I love Burp
Mobile Application Discovery
• Mobile application discovery is similar to web applications
– Most of the same flaws exist
• Slight differences in client-side attacks
– XSS has different targets, for example
• The tools are similar
– Main focus is intercepting traffic
Testing Techniques
• Testing mobile applications can take many forms
– Testing the back-end site or service
– Reverse engineering the application
– Code analysis of the software
• We will focus on the first two
– As that is typically what penetration tests include
– Mobile interfaces are often found during normal tests
Reverse Engineering
• A decompiler does not reconstruct the original source code
• But it gets us close enough
• There are many obstacles to overcome in reversing mobile applications
– iOS applications are encrypted using Apple's binary encryption scheme
– Decrypting this format is not a new technique
Android SDK
• A comprehensive set of development tools
• Includes a debugger, libraries, and an emulator
• Android applications are written in Java and packaged in .apk format
– .apk files contain .dex files, which are compiled bytecode files called Dalvik executables
• adb is our friend
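Because an .apk is just a zip archive and the classes.dex inside it starts with a fixed 0x70-byte header, the unzip step of the demo can be done without the SDK tools. The following is an added example, not code from the slides or from any of the tools they mention: it builds a constructed throwaway .apk in memory, pulls every .dex entry out of it, parses the dex header and verifies the adler32 checksum the format carries, so a classes.dex that was modified after packaging is flagged. The sample app, its entry names and the tamper switch are constructed for this example.

```python
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"          # 8-byte magic is "dex\n" + 3-digit version + NUL, e.g. "dex\n035\0"
ENDIAN_CONSTANT = 0x12345678  # endian_tag value written by dx for little-endian dex files

def read_dex_header(dex):
    """Parse the fixed 0x70-byte dex header and verify its adler32 checksum."""
    if len(dex) < 0x70:
        raise ValueError("truncated dex file")
    if dex[:4] != DEX_MAGIC or dex[7:8] != b"\x00":
        raise ValueError("not a dex file (bad magic)")
    # After the magic: checksum (uint32, adler32 of everything from offset 12 on),
    # 20-byte SHA-1 signature, then file_size, header_size, endian_tag (uint32 LE).
    checksum = struct.unpack_from("<I", dex, 8)[0]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % endian_tag)
    computed = zlib.adler32(dex[12:]) & 0xFFFFFFFF
    return {"version": dex[4:7].decode("ascii"), "file_size": file_size,
            "header_size": header_size, "sha1": dex[12:32].hex(),
            "checksum_ok": computed == checksum and file_size == len(dex)}

def dex_headers_in_apk(apk_bytes):
    """An .apk is a zip archive; return the parsed header of every .dex entry in it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex"):
                found[name] = read_dex_header(zf.read(name))
    return found

def build_sample_apk(tamper=False):
    """Constructed sample (not a real app): a zip holding a manifest stub and a bare
    0x70-byte classes.dex header. tamper=True flips a byte after the checksum was set."""
    dex = bytearray(0x70)
    dex[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", dex, 32, len(dex), 0x70, ENDIAN_CONSTANT)
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    if tamper:
        dex[0x40] ^= 0xFF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("classes.dex", bytes(dex))
    return buf.getvalue()
```

On a real .apk pulled with adb, pass the file's bytes to dex_headers_in_apk; the same header fields are what dex2jar reads before converting the bytecode.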
adb
• Android Debug Bridge (part of the SDK)
• Lets you communicate with an emulator instance or a connected Android-powered device
• You can push, pull, install, and remove files and apps using adb
Xcode
• A suite of tools developed by Apple for developing software for OS X and iOS
• The main application is the Xcode IDE
• Apps are written in Objective-C
– An object-oriented language that adds Smalltalk-style messaging to C
• Mach-O executable format, which allows for "fat binaries" containing code for multiple architectures
otool
• Displays specified parts of object files or libraries
• Options we are interested in
– -t Display the contents of the (__TEXT,__text) section
– -o Display the contents of the __OBJC segment used by the Objective-C run-time system
– -V Display the disassembled operands symbolically
http://pauldotcom.com/wiki/index.php/Episode226#Guest_Tech_Segment:_Eric_Monti_on_iPhone_Application_Reversing_and_Rootkits
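To show what otool is walking when it prints a Mach-O, and how to tell whether an App Store binary is still under Apple's binary encryption before spending time on otool -t output, here is an added example that is not from the slides or from otool itself: it parses a constructed fat file, lists the architecture slices from the fat header, and reads the cryptid field of each slice's LC_ENCRYPTION_INFO load command (nonzero means the __TEXT segment is still encrypted and a decompiler will only see ciphertext). The sample binary, its cputype/cpusubtype values and its single load command are constructed for this example.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # fat (multi-architecture) header, stored big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin 32/64-bit Mach-O headers
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C  # cryptoff/cryptsize/cryptid

def fat_slices(data):
    """Return [(cputype, offset, size)] per slice; a thin file is one slice at offset 0."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [(None, 0, len(data))]
    nfat = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat):  # fat_arch entries are 20 bytes each, right after the 8-byte header
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        slices.append((cputype, offset, size))
    return slices

def encryption_state(thin):
    """Walk a thin Mach-O's load commands; cryptid != 0 means the __TEXT segment is still
    App Store encrypted, so otool/decompilers only see ciphertext until it is decrypted."""
    magic = struct.unpack_from("<I", thin, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O slice: 0x%08x" % magic)
    cputype, _sub, _filetype, ncmds, _sizeofcmds = struct.unpack_from("<iiIII", thin, 4)
    off = 28 if magic == MH_MAGIC else 32      # mach_header_64 has an extra reserved field
    state = {"cputype": cputype, "has_encryption_info": False, "cryptid": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", thin, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", thin, off + 8)
            state.update(has_encryption_info=True, cryptid=cryptid)
        off += cmdsize
    return state

def inspect_binary(data):
    """Fat or thin input: one encryption_state() result per architecture slice."""
    return [encryption_state(data[off:off + size]) for _cpu, off, size in fat_slices(data)]

def build_sample_fat():
    """Constructed sample (not a real app): a fat file holding one armv7 slice (cputype 12)
    whose only load command is LC_ENCRYPTION_INFO with cryptid=1."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, 1)
    header = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 1, len(lc), 0)  # ncmds=1, MH_EXECUTE
    thin = header + lc
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">iiIII", 12, 9, 0x1000, len(thin), 12)
    return fat.ljust(0x1000, b"\0") + thin
```

The same fields are what otool -l prints under LC_ENCRYPTION_INFO on the executable unzipped from an .ipa.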
dex2jar
• dex2jar is a tool for converting Android's .dex format to Java's .class format
• dex-tool-0.0.9.8 adds support for deobfuscating a jar
• dex-tool can also be used to modify an .apk
• Requires a decompiler to view the source
– JD-GUI
– JAD
Interception Tools
• Interception is one of our main goals
– Can we get between the application and the server?
• Interception tools do more than intercept
– They can analyze the traffic
– They can inject attacks
iSniff
• SSL man-in-the-middle tool
• Works on iOS < 4.3.5 devices vulnerable to CVE-2011-0228
• Written by @hubert3
• Redirect SSL traffic from NAT'd clients to iSniff as follows
– iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 2000
Burp Suite
• Integrated platform for performing security testing of web applications
• Some of the tools from the suite we will talk about today
– Burp Intercepting Proxy
– Burp Intruder (fuzzing of application requests)
– Burp Repeater (tool for manually modifying and reissuing individual HTTP requests)
Mallory
• Mallory is a transparent proxy
– Proxies TCP and UDP
• This allows us to intercept traffic
– Without configuring the device with a proxy
– Great for older versions of Android
Mallory
• Mallory works with iptables and the network adaptors
– Provides an access point for other devices
• It then tunnels the traffic through the Mallory system
– Allowing us to intercept and modify the traffic
Demo
• Decompile an Android .apk
– Unzip
– dex2jar
– Java decompiler
• Decompile an iOS .ipa
– Yes, I wish it was the beer too ;-)
– Unzip
– otool
Thank You
To my family
To SecureIdeas
Special thanks to John H Sawyer for just being awesome