please, please, please defend your mobile apps!

#ISC2Congress Strengthening Cybersecurity Defenders. Please, Please, PLEASE! Defend Your Mobile Apps! Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis

Upload: jerod-brennen-cissp

Post on 14-Jun-2015


DESCRIPTION

Admit it: mobile is sexy. Unfortunately, companies are giving in to corporate peer pressure and publishing mobile apps before integrating appsec into the mobile app development process. This gives attackers another venue of attack, one with the potential of circumventing the host, network, and application security controls that the security team has already implemented. The purpose of this presentation is to show attendees how attackers can deconstruct mobile apps to find these attack vectors and (more importantly) how to close these security holes before the apps are published to public app stores.

TRANSCRIPT

Page 1: Please, Please, PLEASE Defend Your Mobile Apps!

#ISC2Congress Strengthening Cybersecurity Defenders

Please, Please, PLEASE! Defend Your Mobile Apps!

Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis

Page 2

Agenda

» A Little Understanding Goes a Long Way
» Mobile App Defense 101
» Attacking Your Own Apps
» Vetting Apps
» Resources

Page 3

How to Write Good Code

Image from http://xkcd.com/844/

Page 4

Understand Your Environment

» What development methodologies do we follow?
» What programming languages do we use?
» What risk/security frameworks do we follow?
» What third-party libraries do we use?
» What stages in the development process require approval from the security team?

Page 5

Understand Your Platforms

» iOS
» Android
» BlackBerry
» Windows

Page 6

Four Key Security Checks

» Defined Security Requirements
  – Project Plan
  – RFP, Contracts, etc.
» Source Code Security Reviews
  – Manual Reviews
  – Reverse Binaries
» Security Tests in QA
  • Positive AND Negative Test Cases
» Analysis of “Deployed” Apps
  • Automated Scans
  • Manual Analysis

Page 7

Source Code Reviews (OWASP)

» Methodology (v1.1, current)
  • Preparation
  • Security Code Review in the SDLC
  • Security Code Review Coverage
  • Application Threat Modeling
  • Code Review Metrics
» Methodology (v2.0, in development)
  • Preparation
  • Application Threat Modeling
  • Understanding Code Layout/Design/Architecture
  • Reviewing by Technical Control
  • Reviewing by Vulnerability
  • Security Code Review for Agile Development

Page 8

QA Security Test Cases

» Positive AND Negative
» Top 10 Negative Test Cases
  • Embedded Single Quote
  • Required Data Entry
  • Field Type Test
  • Field Size Test
  • Numeric Bounds Test
  • Numeric Limits Test
  • Date Bounds Test
  • Date Validity
  • Web Session Testing
  • Performance Changes

List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm

Page 9

Application Analysis

» Automated scanning tools and manual analysis
» OWASP Testing Guide (v3)
  • Information Gathering
  • Configuration Management Testing
  • Authentication Testing
  • Session Management Testing
  • Authorization Testing
  • Business Logic Testing
  • Data Validation Testing
  • Testing for Denial of Service
  • Web Services Testing
  • AJAX Testing
» 42+ Secure Mobile Development Best Practices (viaForensics)

Page 10

OWASP Top 10 Mobile Risks

Image from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks

Page 11

iOS AppSec Cheat Sheet

Image from https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet

Page 12

Deconstructing .ipa Files

» Download from app store
  • Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes Media/Mobile Applications/
  • Mac OS X 10.6: ~/Music/iTunes/Mobile Applications/
  • Windows 7: C:\Users\Username\My Music\iTunes\iTunes Media\Mobile Applications\
» Extract app to folder using 7-zip
» Manually examine the files using Notepad++ or grep
» Look for sensitive info (integration points)
  • Connection strings
  • Calls to Internet-facing web services
  • Calls to other local resources

Page 13

iOS Target Files

File name/extension       Description
.sinf                     Apple iOS digital rights management file
.supp                     Apple iOS file (archives)
.plist                    Apple property list XML file
.nib                      Apple Interface Builder user interface resources
.sqlite                   SQLite database file
AppName (no extension)    App file itself
ChangeLog (no extension)  No! Bad developer! Bad!
PkgInfo (no extension)    4-byte package type + 4-byte app signature

Page 14

Deconstructing .apk Files

» Download from app store
  • Copy .apk file from rooted Android device to laptop via USB cable
  • Send .apk file from non-rooted Android device to Dropbox via APK Extractor
  • Alternately, you can download some .apk files from .apk archive sites
» Extract app to folder using 7-zip
» Manually examine the files using Notepad++ or grep
» Look for sensitive info (integration points)
  • Connection strings
  • Calls to Internet-facing web services
  • Calls to other local resources
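The "extract, then look for integration points" step on the .ipa and .apk slides, as an added example that is not part of the deck: both package formats are zip archives, so one scanner covers both. The archive it builds is a constructed stand-in, and the patterns are this example's own starting list, not an exhaustive one.

```python
import io
import re
import zipfile

# The "integration points" the deck says to grep for once the archive is unpacked.
PATTERNS = {
    "web service URL": re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"),
    "connection string": re.compile(rb"(?:jdbc:|mongodb://|Server=|Data Source=)[^\s\"']+", re.I),
    "embedded credential": re.compile(rb"(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*[^\s\"'<]+", re.I),
    "local resource": re.compile(rb"(?:file://|content://)[^\s\"']+"),
}

def scan_archive(data):
    """Walk every member of an .ipa/.apk (both are zip files) and return
    (member, category, match) triples. Binaries (.so, .dex, the app itself)
    are scanned too: string literals survive compilation even when source does not ship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info.filename)
            for category, pattern in PATTERNS.items():
                for m in pattern.finditer(blob):
                    findings.append((info.filename, category, m.group(0).decode("latin-1")))
    return findings

def build_sample_apk():
    """Constructed stand-in for a downloaded .apk; not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", '<manifest package="com.example.demo"/>')
        zf.writestr("res/values/strings.xml",
                    '<resources><string name="api">https://api.example.com/v1/login</string></resources>')
        zf.writestr("assets/config.properties",
                    "db=jdbc:mysql://db.example.internal:3306/app\npassword=hunter2\n")
        # fake native library: ELF-looking bytes with one URL embedded
        zf.writestr("lib/armeabi/libnative.so",
                    b"\x7fELF\x00\x00\x01" + b"http://analytics.example.net/track" + b"\x00\x01")
    return buf.getvalue()

if __name__ == "__main__":
    for member, category, match in scan_archive(build_sample_apk()):
        print(f"{member}: {category}: {match}")
```

Point it at a real archive with `scan_archive(open("app.apk", "rb").read())`; every hit is a host, credential or resource to reconcile against the app's security requirements before it ships.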

Page 15

Android Target Files

File name/extension     Description
Assets <folder>         All your base are belong in here
Lib <folder>            .so files (third-party libraries)
META-INF <folder>       .rsa, .sf, manifest.mf (hash values + certs = integrity)
Res <folder>            XML files and supporting graphics (how the app draws the interface)
Templates <folder>      Licenses, release notes, etc.
AndroidManifest.xml     Info that the device needs before it can run the app
classes.dex             Dalvik Executable (Exterminate! Exterminate!)
resources.arsc          Compiled application resources (strings, images, etc.)

Page 16

Man-in-the-Middle

» Plug laptop into wired network connection
» Create an ad hoc wireless network on laptop
» Connect mobile device to ad hoc wireless network
» Start Wireshark on laptop
  • Capture ALL packets between mobile device and server
» Use mobile device as a normal end user
» Analyze Wireshark traffic
  • Unencrypted credentials
  • Unencrypted account information
  • Connection strings to servers (including third parties)
» Alternately, use a proxy like Mallory (TCP) or Charles/Burp (HTTP)
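The three checks under "Analyze Wireshark traffic", as an added example that is not part of the deck: it takes HTTP requests reassembled from a cleartext TCP stream (what Wireshark's "Follow TCP Stream" shows for unencrypted traffic) and flags credentials, account data, session cookies and third-party hosts. The sample requests and the `example.com` first-party domain are constructed for the example.

```python
import base64
from urllib.parse import parse_qs

FIRST_PARTY = ("example.com",)  # assumption: the domain the app is supposed to talk to
CREDENTIAL_FIELDS = {"password", "passwd", "pin", "token"}
ACCOUNT_FIELDS = {"email", "account", "account_number", "card"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def analyze_cleartext_request(raw):
    """Return (category, detail) findings for one request seen without TLS."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "")
    findings = []
    if not any(host == d or host.endswith("." + d) for d in FIRST_PARTY):
        findings.append(("third-party connection", host))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64: anyone on the path recovers the username and password.
        user = base64.b64decode(auth[6:]).decode("utf-8", "replace").split(":", 1)[0]
        findings.append(("unencrypted credentials", "Basic auth for user " + user))
    if "cookie" in headers:
        findings.append(("unencrypted session", headers["cookie"].split("=", 1)[0]))
    ctype = headers.get("content-type", "")
    form = parse_qs(body) if ctype.startswith("application/x-www-form-urlencoded") else {}
    for field in form:
        if field.lower() in CREDENTIAL_FIELDS:
            findings.append(("unencrypted credentials", field))
        elif field.lower() in ACCOUNT_FIELDS:
            findings.append(("unencrypted account information", field))
    return findings

# Constructed sample requests, standing in for Wireshark "Follow TCP Stream" output.
LOGIN_REQUEST = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "username=alice&password=hunter2&email=alice%40example.com")
PROFILE_REQUEST = ("GET /api/v1/profile HTTP/1.1\r\nHost: api.example.com\r\n"
                   "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
ANALYTICS_REQUEST = ("GET /track?app=demo HTTP/1.1\r\nHost: analytics.example.net\r\n"
                     "Cookie: sid=8f3a2c\r\n\r\n")
```

Anything this reports was readable by whoever ran the ad hoc network, which is the point of the exercise: each finding is a call that must move behind TLS, and each third-party host is one to document or remove.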

Page 17

iOS Reverse Engineering Toolkit

Running iRET
» Jailbreak your iDevice
» Install supporting utilities
» Install the target app on jailbroken iDevice
» Open iRET app
» Open the target app
» Browse to http://deviceip:5555 from your laptop

Supporting Utilities
» oTool
» dumpDecrypted
» Sqlite
» Theos
» Keychain_dumper
» file
» plutil
» Class-dump-z

Page 18

Vetting an App

» Encrypted communications
» Encrypted storage
» Use of UUID
» Analytics and ad services
» Location services
» Data sharing capabilities
  – Bluetooth
» Access to…
  • Address book
  • Calendar
  • Reminder
  • Photos
  • Microphone
  • Social media services
  • Lock screen images
  • Cloud-based file sharing services
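On Android the "Access to…" part of this checklist is answered by AndroidManifest.xml (the file the Android Target Files slide lists), so here is an added example, not from the deck, that maps the app's requested permissions onto the checklist items. It assumes the manifest has already been decoded to plain XML (the one inside an .apk is binary XML; AXMLPrinter2 from the Resources slides does the conversion); the permission names are Android's, the mapping to checklist items and the sample manifest are this example's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Checklist items from the slide -> Android permissions that grant that access.
# The permission names are the platform's; which item they belong to is our mapping.
CHECKLIST = {
    "Address book": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "Calendar": {"android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
    "Photos": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "Microphone": {"android.permission.RECORD_AUDIO"},
    "Location services": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "Bluetooth data sharing": {"android.permission.BLUETOOTH", "android.permission.BLUETOOTH_ADMIN"},
    "Analytics and ad services (needs network)": {"android.permission.INTERNET"},
}

def vet_manifest(manifest_xml):
    """Return (hits, unmapped): hits maps each checklist item the app touches to the
    permissions that cause it; unmapped lists requested permissions the checklist
    does not cover, which still need a human look."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    requested.discard(None)
    hits = {}
    for item, perms in CHECKLIST.items():
        matched = sorted(requested & perms)
        if matched:
            hits[item] = matched
    covered = set().union(*CHECKLIST.values())
    return hits, sorted(requested - covered)

# Constructed sample manifest; not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Demo"/>
</manifest>"""

if __name__ == "__main__":
    hits, unmapped = vet_manifest(SAMPLE_MANIFEST)
    for item, perms in hits.items():
        print(f"{item}: {', '.join(perms)}")
    print("needs manual review:", unmapped)
```

Every item in `hits` is a question for the product owner ("why does this app read contacts?"), and anything in `unmapped` is a permission the checklist has no opinion on yet.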

Page 19

Vetting Support

Page 20

Resources

» Wireshark
  • http://www.wireshark.org/
» SQLite Database Browser
  • http://sourceforge.net/projects/sqlitebrowser/
» iPhone Backup Analyzer
  • http://www.ipbackupanalyzer.com/
» iOS Reverse Engineering Toolkit
  • http://blog.veracode.com/2014/03/introducing-the-ios-reverse-engineering-toolkit/
  • https://www.veracode.com/iret-ios-reverse-engineering-toolkit
» Charles Web Debugging Proxy
  • http://www.charlesproxy.com/

Page 21

Resources

» AXMLPrinter2
  • https://code.google.com/p/android4me/downloads/list
» Android SDK + Android Developer Tools (ADT bundle)
  • http://developer.android.com/sdk/index.html
» dex2jar
  • https://code.google.com/p/dex2jar/
» Java Decompiler (JD-GUI)
  • http://jd.benow.ca/
» Step-by-Step Guide to Decompiling Android Apps
  • http://slandail.net/step-by-step-guide-to-decompiling-android-apps/

Page 22

Resources

» Clueful
  • http://www.cluefulapp.com/
» viaProtect
  • https://www.viaprotect.com/
» Malwarebytes
  • https://www.malwarebytes.org/mobile/
» Lookout
  • https://www.lookout.com/
» MyPermissions
  • http://mypermissions.com/

Page 23

Questions?

Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis

LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
[email protected]