Attacking Mobile Applications Marc Rogers, 20 June 2015


We are not winning the malware battle.


Total Malware


Two of the main drivers behind these numbers are:

1. It is really easy to make malware.
2. It is really hard for antivirus to detect new malware.


Let's look at the two main mobile platforms

Android

iOS


Demo 1 – Building “0day” malware on Android


Android Malware 101 – Making Malware

Building new Android malware is actually really easy and can be accomplished by anyone with a few basic Java dev skills.

Step 1. Identify your target app – for this demo we will use a password manager app.

Step 2. Decompile the app using Apktool or something similar.

Step 3. Edit the application to insert your hostile functionality.

- Keep it simple. For this example we will add an SMS receiver to intercept and relay any SMS the phone receives.

Step 4. Recompile.

Step 5. Sign.


Demo


Android Malware 101 - Results

In 5 simple steps we created a new piece of mobile malware.

- Low barrier to entry, even a child could do this.
- Requires user consent to install unless you have physical access.
  - However most users just say yes.
- Most importantly - it is undetectable by AV.

Many malware authors use this exact methodology in conjunction with purchasing a forgotten or unpopular app in the Play store.

- Now you have malware in the Play store.
- Bonus: it will be pushed out as an update to the existing users.
- Google does look for this, but if the malware author is subtle when changing ownership and inserting the code it is very hard to detect.


It’s good that Google validates developer accounts…..


Demo 2 – Building 0day malware on iOS


Demo 1 – Building 0day malware on Android


iOS Malware 101 – Making Malware

Making iOS malware is surprisingly similar to making Android malware.

Step 1. Identify your target app – for this demo we will use a password manager app.

Step 2. Decompress the IPA.

Step 3. Insert your dynamic library (dylib) containing your code.

- In this example we are injecting a menu to allow editing of application functionality during runtime.

Step 4. Edit the IPA headers to load your dylib.

Step 5. Re-sign the IPA.


Demo


iOS Malware 101 – Additional results

By injecting dynamic libraries into Apple iOS IPAs it is possible to “mess” with the application during run-time.

This exposes the “soft underbelly” of many apps, and more seriously the often completely unprotected back-end.

Example 1 – Employee mode.

Example 2 – Enable / Disable certificate checking

Example 3 – Bypass authentication

Example 4 – Dumping credentials


Conclusions

Both Apple and Android are vulnerable to very similar attack techniques.

The much more mature Android techniques can now readily bypass both antivirus and application vetting. Apple iOS techniques are new but maturing fast.

However, it has been demonstrated that it is possible to inject malware into BOTH stores.

Application developers are not taking adequate steps to protect their applications. Most are relying on device integrity to protect both their apps and the application servers. This is VERY bad.


iOS Malware 101 - Results

This method is VERY similar to the Android method.

- This also creates malware that isn’t detected by antivirus.
- Has to be re-signed with a developer certificate.
  - User has to agree to trust the application as a result.
- Will NOT pass Apple app approval.

Note: It is early days for iOS app hacking and most techniques are only a year or two old.

While it is not possible to get apps into the Apple store using this method, it is possible to do it by creating an app that hides its malicious functionality until after the Apple approval process.


CloudFlare overview

Marc Rogers, 22 April 2015


CloudFlare’s mission

Build a better Internet.


CloudFlare quick facts

• More than 2 million customers

• Adding 5,000+ new domains per day

• 5% of global web requests

• 5 PB of data per day

• 8 billion attacks per day

• Self-learning network that gets faster, safer and smarter with every request

• 33 pops globally today

• new pops added every few months

• 100 employees

• Offices in San Francisco, Washington D.C., London

• World Economic Forum Technology Pioneer

• Winner of Wall Street Journal’s “Most Innovative Internet Company” two years running


Essential edge functions

• Content delivery network (CDN) / Caching

• Front end optimization (FEO)

• WAN optimization

• Firewall / WAF

• Load balancing

• DDoS Mitigation


DDoS attacks are on the rise

Attacks cause service disruptions and unhappy customers

Source: 9th annual Worldwide Infrastructure Security Report


Mitigating attacks

CloudFlare has mitigated the nastiest and largest DDoS attacks

• 300 Gbps DNS amplification attack on Spamhaus

• 300 Gbps DNS amplification attack on Popvote.hk

• 400 Gbps NTP amplification attack on an anonymous CloudFlare customer


CloudFlare’s network


DDoS protection solutions by provider

| | On-Premise Solution | Scrubbing Solution | CloudFlare |
|---|---|---|---|
| Mitigates volumetric attacks | X | ✓ | ✓ |
| Always Online | ✓ | X | ✓ |
| No HW/SW to install | X | ✓ | ✓ |
| No added latency | X | X | ✓ |
| Simple & easy implementation | X | X | ✓ |
| No training required | X | X | ✓ |


Security features overview

• DDoS protection: Layer 3, 4, and 7 attack mitigation

• IP reputation database: Network effect of 2MM + websites, dynamic reputation scoring, real-time feedback

• Web Application Firewall (WAF): Runs OWASP ModSecurity Core Rule Set
  • Custom WAF rules
  • Less than 1 millisecond latency

• SSL: Enable SSL with a single click, no configuration necessary
  • Custom SSL certificate
  • Wildcard certificates
  • Keyless SSL (beta testing)


IP reputation database

• Automatic learning from 2M+ websites and 1 billion+ unique IPs per month

• Suspicious activity anywhere on the network increases an IP’s Threat Score

• Configurable sensitivity for captchas

• Low false positive rate: 1 in every 50 million captcha pages successfully completed

Automatic learning: surge in traffic (green), identified as attack traffic (red) to be blocked


Global DDoS mitigation


The SSL challenge

• Elasticity and infinite scalability of the cloud make it a “no brainer” for edge services

• However, first generation edge services (e.g., CDNs) have struggled winning adoption from financial services

• Last hurdle is risk of revealing encryption keys

• CDNs traditionally designed for media companies

• Disney losing SSL key is bad

• Goldman Sachs losing SSL key has to be reported to the Federal Reserve

• Inherently has limited CDN market to approximately 10,000 customers


The solution: Keyless SSL


• Eliminates the number one objection from enterprises adopting CDN-like technologies

• Allows infinite scalability and elasticity of edge services without risking data integrity

• Last hurdle before mass migration of edge service to the cloud

• Broadly patented