Mobile Application Security
DESCRIPTION
Presentation on Mobile Application Security at Null Delhi Meet on 25th Dec. 2011. By Ishan Girdhar.
TRANSCRIPT
Mobile Application Security
// …. and That’s all.
Ishan Girdhar, Infosec Consultant, AKS IT Services Pvt. Ltd
#Fact 1: Mobile devices have the potential to become the biggest threat for leakage of confidential information.
Overview
Part 1: Mobile Application Security
Part 2: Pentesting Mobile Application
Part 3: OWASP Top Ten Mobile Application Risks
Part 4: Case Study & Demonstrations.
Part 1: Mobile Application Security
Part 1: Overview
Introduction to Mobile Application Security.
Mobile Security Stack.
Mobile Threat Model.
Modus Operandi for Mobile Application Audit.
Roadblocks.
Future of Mobile Application Security.
Introduction to Mobile Security
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general-purpose operating system.
In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps.
Mobile devices are designed around personal and communication functionality, which makes mobile application and mobile security risks different from the top traditional computing risks.
Mobile Security Stack
Infrastructure Layer (lowest layer): protocols such as CDMA, GSM; GPS; SMS, MMS
Hardware Layer: smartphone/tablet firmware
Operating System Layer: Symbian S40/S60, Froyo, Gingerbread
Application Layer
Mobile Threat Model
Modus Operandi
1. Dynamic Analysis
   1. Debug the running app (on device or in emulator)
   2. Analyze network traffic
   3. Analyze remote services (HTTP/SOAP/etc.)
2. Static Analysis
   1. Get the application
      1. Extract the application from the device
      2. Receive the application package from the developers
   2. Source code review
   3. Reverse engineering
   4. Disassembly
   5. Patching
… Apple & Android (Market Leader)
…Yes, Few Road Blocks as well.
Roadblocks
OWASP guidelines and testing procedures are not yet available for mobile applications the way they are for web applications.
A mobile application assessment also covers vulnerabilities in the underlying architecture (OS and vendor specific), unlike a web application assessment, which is concerned only with application vulnerabilities.
Applications can use various modes of communication such as SMS, MMS, EDGE, GPRS, 3G and WiFi, which makes security testing difficult.
Simulators have their own limitations: they cannot simulate SMS communication with an SMS gateway, though they do provide a mechanism to send and receive SMS between simulators.
Simulators don’t allow intercepting the traffic of installed applications. (It has to be forced, by injecting into an application running in the simulator to intercept network communication from that process.)
…But, there is Good News!!!
…Things are getting Better!
Future: Mobile Application Security
There is A Lot More to come!!!
…and, yet More…
Part 2: Pentesting Mobile Application (Android)
Part 2: Overview
Pentesting Mobile Application – Android
Background.
Setting up the Test Environment.
Setting up a Proxy.
Android Application Penetration Testing Toolkit.
Reverse Engineering Android Applications.
File Permissions in Android.
Background
Android is a Linux-based platform developed by Google and the Open Handset Alliance.
Application programming for it is done exclusively in Java.
The Android operating system software stack consists of Java applications running on a Dalvik virtual machine (DVM).
The current version as of August 2010 is 2.2. There are over 90,000 applications available in the Android Market.
…Getting Ready for the audit
…Setting up Test Environment
There are several ways to test a mobile application, e.g.:
Using Burp with a proxy.
Using a phone emulator with a proxy.
Using a phone to test and proxying outgoing phone data to a PC.
Requirements:
Computer running a Windows OS.
Java 6.
Eclipse SDK – Helios/Indigo.
Android 3.5 SDK.
Burp! Proxy.
Mobile Audit: Where to start?
Setting up a Proxy…
If the application you are testing uses HTTP(S), or you are testing a website in the Android browser, the next step is to set up a proxy tool such as Burp!
There are 4 main ways of setting up such a proxy:
Method: First
Specify the proxy details when starting the emulator using the command below. This command uses a proxy listening on port 8080:
emulator -avd testavd -http-proxy http://localhost:8080
Method: Second
The second option is to specify the proxy details in the emulator APN settings as shown below:
Home -> Menu -> Wireless & networks -> Mobile Network -> Access Point Names
Update the following:
NAME: Internet
APN: Internet
Proxy: IP address of your computer
USERNAME: <N/A>
PASSWORD: <N/A>
Method: Third
The third option is to specify it from the adb shell, using the export command to set an environment variable, for example:
export HTTP_PROXY=http://localhost:8080
Method: Four
The final alternative is to change the proxy setting in the settings database from which the Android web browser reads. The settings database uses SQLite.
Familiarity with basic SQL commands is recommended if you plan to use this method. Change the hostname and port information appropriately using the below command:
…Let’s Dive in!
Android Testing Tools
Dynamic Analysis Tools: ADB, Manifest Explorer, Intent Sniffer, Busybox, Strace, Procrank
Static Analysis: Disassembly (Dex2jar, Baksmali); Reverse Engineering (JD-GUI)
Dynamic Analysis
1. ADB
2. Manifest Explorer
3. Intent Sniffer
4. Busybox
5. Strace
6. Procrank
ADB
Android Debug Bridge: It is part of the Android SDK. It has its own shell, which allows you to execute Linux commands such as ls -l. The Android developer’s guide lists the full range of ADB commands, but we highlight a few below:
ADB can be used to locate all the emulators and Android devices connected to the computer using the command below:
adb devices
ADB
In our case the command found one instance of the emulator running. If multiple instances are running, you can use the -s option to run commands against a specific device or emulator:
adb -s emulator-5554 install Foobar.apk
Another important feature provided by adb is pushing or pulling files to and from the device/emulator.
Manifest Explorer
Every application running on Android has an AndroidManifest.xml file. This file is very important from a security perspective as it defines the permissions an application requests. The Manifest Explorer tool is a utility that allows you to review this XML file with ease. When testing, it is important to verify that the application follows the principle of “least privilege” and does not use permissions that are not required for it to function.
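As an added example (not from the presentation and not part of the Manifest Explorer tool), the same least-privilege check scripted in Python: it reads a decoded AndroidManifest.xml, lists the permissions requested beyond those the tester judged necessary for the app's function, and flags debuggable and exported components. The sample manifest, the package name com.example.notes and the sensitive-permission list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (plain XML as recovered by a decoder such as
# apktool), not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Notes" android:debuggable="true">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver" android:exported="true"/>
    </application>
</manifest>"""

# Permissions reaching personal data or costing the user money; an assumed
# subset, extended per engagement.
SENSITIVE = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.CALL_PHONE"}

def review_manifest(xml_text, expected):
    """Compare requested permissions against the set the tester judged
    necessary for the app to function and report the excess (least
    privilege check), plus the debuggable flag and exported components."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    unneeded = requested - set(expected)
    app = root.find("application")
    exported = [c.get(ANDROID_NS + "name") for c in root.iter()
                if c.tag in ("activity", "service", "receiver", "provider")
                and c.get(ANDROID_NS + "exported") == "true"]
    return {"package": root.get("package"),
            "unneeded": sorted(unneeded),
            "unneeded_sensitive": sorted(unneeded & SENSITIVE),
            "debuggable": app is not None and app.get(ANDROID_NS + "debuggable") == "true",
            "exported_components": exported}

if __name__ == "__main__":
    # A note-taking app plausibly needs network access only.
    for key, value in review_manifest(SAMPLE_MANIFEST, {"android.permission.INTERNET"}).items():
        print(f"{key}: {value}")
```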
Manifest Explorer
Intent Sniffer
An Intent is the mechanism in Android for moving data between processes. It forms the core of Android’s Inter-Process Communication (IPC). Intents can indicate a number of actions such as startService, sendBroadcast, etc. The Intent Sniffer tool monitors Intents.
Busybox
Busybox provides some Linux commands that can be useful during the penetration testing process. It extends the capability of Android’s toolbox. In order to install Busybox you can go through the following steps:
Download the busybox
Static Code Analysis
1. Disassembly
   1. Dex2jar
   2. Baksmali
2. Reverse Engineering
   1. Java Application Decompiler (JAD-Gui)
Terminologies
Disassembler: a computer program that translates machine language into assembly language (the inverse operation of an assembler). A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language.
Reverse Engineering: Reverse engineering involves reversing a program's machine code (the string of 0s and 1s that are sent to the logic processor) back into the source code that it was written in, using programming language statements.
File Permissions in Android
Android file permissions use the same model as Linux. To check the permissions of a file, go to the ADB shell and type ls -l.
Every .apk file installed on the emulator has its own unique user ID.
This prevents one application from accessing another application’s data: any file created by the application will be assigned that application’s user ID and will not normally be accessible to other applications.
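An added example, not from the presentation: a Python check over the output of ls -l from the ADB shell that flags files in an app's data directory which break the per-UID isolation described above, i.e. entries other UIDs can read or write, or entries not owned by the app's own uid. The listing and the uid app_42 are constructed sample data, not captured from a device.

```python
import re

# Constructed sample of `adb shell ls -l` output (old toolbox format:
# mode, owner, group, optional size, date, time, name); not from a real device.
SAMPLE_LS = """\
drwxrwx--x app_42   app_42            2011-12-20 10:01 databases
-rw-rw-rw- app_42   app_42       8192 2011-12-20 10:01 databases/notes.db
-rw------- app_42   app_42        512 2011-12-20 10:01 shared_prefs/session.xml
-rw-r--r-- app_42   app_42       1024 2011-12-20 10:01 cache/avatar.png
-rw-rw---- app_42   app_42       2048 2011-12-20 10:01 files/token.txt
"""

LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\S+ \S+)\s+(?P<name>.+)$")

def audit_ls(output, owner):
    """Parse ls -l lines and return (name, mode, issues) for entries that
    other applications could reach: world-readable files, world-writable
    entries, and entries not owned by the expected app uid."""
    findings = []
    for line in output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # headers, blank lines, unparseable output
        mode, name = m.group("mode"), m.group("name")
        other = mode[7:10]  # permission triplet for "others"
        issues = []
        if "r" in other and not mode.startswith("d"):
            issues.append("world-readable")
        if "w" in other:
            issues.append("world-writable")
        if m.group("owner") != owner:
            issues.append(f"owned by {m.group('owner')}, expected {owner}")
        if issues:
            findings.append((name, mode, issues))
    return findings

if __name__ == "__main__":
    for name, mode, issues in audit_ls(SAMPLE_LS, "app_42"):
        print(f"{mode} {name}: {', '.join(issues)}")
```

A directory mode of 771 (drwxrwx--x), the usual mode of an app's data directory, is not reported, since it lets other UIDs traverse but not list.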
What about other, “killer Apps”?
…and yes, Android Malware.
Part 3:
OWASP Top 10 Mobile Application Risks.
Part 3: Overview
OWASP Top Ten Mobile Application Risks:
M1: Insecure Data Storage
M2: Weak Server Side Controls
M3: Insufficient Transport Layer Protection
M4: Client Side Injection
M5: Poor Authorization & Authentication
M6: Improper Session Handling
M7: Security Decisions Via Untrusted Inputs
M8: Side Channel Data Leakage
M9: Broken Cryptography
M10: Sensitive Information Disclosure
Part 4:
Case Study & Demonstrations
Overview
Case Study: Facebook.apk: Pentesting a real-world application.
Demonstrations: Reverse Engineering a first Trojan for Android malware.
…Some Resources
1. Anant Srivastav Blog: http://anantshri.info/
2. Ankur Bhargava: http://www.hakers.info/site/
3. http://www.veracode.com
Questions!!!