Mobile Application Security: Attacks on the go
Tobias Polley ([email protected])
Thomas Bayer ([email protected])
predic8 GmbH
Moltkestr. 40
53177 Bonn
predic8.de
Agenda
Goals
Attack
Protection
Case Study: Ergo Direkt Versicherungen
Diagram (Web API): B2B, Mobile and Web clients, a Firewall, and the Backend App that exposes the API.
Diagram: Firewall, Backend App with XML Parser and API.
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
<lolz>&lol9;</lolz>
<lolz>&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;</lolz>
<lolz>
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;
</lolz>
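Added example, not from the slides and not Membrane's own code: a Python sketch of the two checks a gateway can apply against the entity expansion shown above. `expansion_sizes` works out from the DTD alone how large every entity and the document body would become, so the lol9 body is measured at 3,000,000,013 characters without ever being built in memory, and `parse_without_entities` uses the standard expat parser with an entity-declaration handler that aborts while the DTD is still being read, before the body that references it is parsed. The document is reconstructed from the slides; the 1 MB limit and the function names are assumptions.

```python
import re
import xml.parsers.expat

# Constructed copy of the "billion laughs" document from the slides:
# lol -> lol1 -> ... -> lol9, each level referencing the previous one ten times.
def build_billion_laughs(depth=9, fanout=10):
    decls = ['<!ENTITY lol "lol">', '<!ELEMENT lolz (#PCDATA)>']
    for level in range(1, depth + 1):
        previous = "lol" if level == 1 else f"lol{level - 1}"
        decls.append(f'<!ENTITY lol{level} "{("&%s;" % previous) * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + '\n]>\n<lolz>&lol%d;</lolz>' % depth)

BILLION_LAUGHS = build_billion_laughs()

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def expansion_sizes(doc):
    """Expanded size in characters of every internal entity and of the
    document body, computed from the declarations without materialising them."""
    decls = dict(ENTITY_DECL.findall(doc))
    memo = {}

    def expanded(text, stack):
        total, last = 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - last          # literal text before the reference
            total += size(ref.group(1), stack)   # plus the reference's own expansion
            last = ref.end()
        return total + len(text) - last

    def size(name, stack=()):
        if name not in decls:
            return 1   # predefined entities (&amp;, &lt;, ...) expand to one character
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"recursive entity {name!r}")   # illegal XML anyway
        memo[name] = expanded(decls[name], stack + (name,))
        return memo[name]

    sizes = {name: size(name) for name in decls}
    body = doc.split("]>", 1)[1].strip() if "]>" in doc else doc
    sizes["<document>"] = expanded(body, ())
    return sizes

MAX_EXPANSION = 1_000_000   # assumed gateway policy: refuse anything above 1 MB expanded

def is_acceptable(doc, limit=MAX_EXPANSION):
    return expansion_sizes(doc)["<document>"] <= limit

class EntityDeclarationRejected(ValueError):
    pass

def parse_without_entities(doc):
    """Parse with expat, aborting at the first entity declaration in the DTD.
    The handler fires before the body is read, so nothing is ever expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def reject(name, *_ignored):
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    parser.EntityDeclHandler = reject
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)

if __name__ == "__main__":
    sizes = expansion_sizes(BILLION_LAUGHS)
    print("wire size:", len(BILLION_LAUGHS), "chars; expanded body:", sizes["<document>"])
    print("acceptable:", is_acceptable(BILLION_LAUGHS))
    try:
        parse_without_entities(BILLION_LAUGHS)
    except EntityDeclarationRejected as e:
        print("parser refused:", e)
```

The static estimate is the same amplification arithmetic the slides walk through (lol8 ten times, lol7 a hundred times, and so on); the parser check is the stricter option, since a service API that never needs a DTD can simply refuse every entity declaration.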
Demo
Diagram: Firewall, Membrane Service Proxy, Backend App with XML Parser and API.
Diagram: Firewall, Membrane Service Proxy with XML Protection, Backend App with XML Parser and API.
Demo
Diagram: Firewall, Membrane Service Proxy, Backend App with API, Database.
"SELECT id FROM usernames
WHERE name = '" + user +
"' and password = '" + password +
"';"
"SELECT id FROM usernames
WHERE name = 'peter' and
password = 'pan';"
Demo
"SELECT id FROM usernames
WHERE name = 'peter' and
password = '' or '1' = '1';"
Trust no input!
How does an attack proceed?
1. Intelligence
2. Access
3. Attack
4. Impact
What can an attacker do?
Read out information
Delete
Create users
Change passwords
Manipulate data
Steal computing time
Defense
Precompiled SQL
"SELECT id FROM usernames
WHERE name = ? and password = ?;"
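Added example, not from the slides: the concatenated query from the earlier slides and the precompiled (parameterised) query from this one, side by side against an in-memory SQLite table holding the constructed user `peter` / `pan`. The table layout, the function names and the use of SQLite are assumptions; the two SQL statements are the ones shown on the slides.

```python
import sqlite3

def make_db():
    """In-memory table with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usernames (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO usernames (name, password) VALUES ('peter', 'pan')")
    return conn

def login_concatenated(conn, user, password):
    """The query built by string concatenation: the inputs become part of the
    SQL text, so a quote inside them changes the statement's structure."""
    sql = ("SELECT id FROM usernames WHERE name = '" + user +
           "' and password = '" + password + "';")
    return conn.execute(sql).fetchone()

def login_prepared(conn, user, password):
    """The precompiled query: the SQL text is fixed, the driver hands the
    values to the database separately, so they can only ever be compared."""
    sql = "SELECT id FROM usernames WHERE name = ? and password = ?;"
    return conn.execute(sql, (user, password)).fetchone()

if __name__ == "__main__":
    conn = make_db()
    for pw in ("pan", "wrong", "' or '1' = '1"):
        print(repr(pw), "concatenated:", login_concatenated(conn, "peter", pw),
              "prepared:", login_prepared(conn, "peter", pw))
```

For the regular password both variants return the same row and for a wrong one both return nothing; only the concatenated variant accepts the `' or '1' = '1` value from the demo slide, because in the prepared variant that text is compared as a password and matches nothing.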
Diagram: Backend and DB.
Diagram: Firewall, Membrane Service Proxy with Validation, Backend App with API, Database.
Demo
Diagram (ERGO Direkt case study): B2B, Mobile and Web clients; Membrane Firewall with two Service Proxies (technical security validation, ERGO Direkt extension, maintenance & reports); Backend.
Apps need access to the backend.
Backends need protection.
Tobias Polley, [email protected]
Thomas Bayer, [email protected]
www.predic8.de
www.membrane-soa.org
Image credits
http://www.istockphoto.com/vector/warning-attention-sign-yellow-triangular-shape-black-exclamation-mark-pictogram-24334588
http://www.istockphoto.com/photo/syringe-and-vaccination-11003167
http://www.istockphoto.com/photo/dynamic-duo-4413676
http://www.istockphoto.com/photo/bomb-in-old-style-with-a-burning-wick-11647534