INFOSECURITY 2013, BRUSSELS
Info security - mobile approach
Security assessments in the mobile world
Agenda

Introduction

Mobile architecture
 ► An overview
 ► Perceived threats

How to assess the threats
 ► General approach
 ► Mobile devices
      ► Source code review
      ► Sensitive files
      ► Application permissions
      ► Client side injections
 ► Data communication channel
 ► Server side controls

Recap
Introduction
Who am I?
 ► Tim Beyens
 ► Security consultant focusing on mobile security and network security
 ► Working for Ernst & Young since 2009
 ► Sector focus: telecommunications
 ► Typical assignments: penetration testing, network security assignments, … technical security assessments
Introduction
Trends within the mobile world
On the end-user front…
Introduction
Trends within the mobile world
The Machine to Machine front is increasing as well…

M2M mobile connections are expected to reach 12 billion by 2020

Industry sector        Example
Utilities              Smart meters enable efficient energy consumption and management by consumers and service providers
Healthcare             Remote monitoring technologies can boost cost- and resource-efficient healthcare provision and clinical collaboration
Automotive             Driver navigation and fleet management tools and on-demand in-vehicle entertainment result in intelligent route planning and greater consumer expenditure. Vehicle connectivity can bring new business models such as pay-as-you-drive insurance
Consumer electronics   Richer functionality and storage can improve product differentiation and customer centricity

Sources: Ernst & Young research in 2012 – M2M
Introduction
Trends within the mobile world
On the other hand, malware is also being rapidly developed…

Timeline, 2011 to February 2013 (months as labelled on the slide, in the slide's order):
 ► October: Secret key combo authentication bypass (iOS)
 ► March: Trojanised apps found on Chinese app store (Android)
 ► July: ZITMO banking trojan affects all mobile devices
 ► August: Google authentication details sent in clear text (Android)
 ► August: Weakness in SSL certificate handling exposes data to interception (iOS)
 ► September: HTC phone vulnerability leaks personal data (Android)
 ► April: NotCompatible gains access to local network preferences (Android)
 ► May: FakeInst SMS trojan costs end-users 30 million dollars (Android)
 ► July: LuckyCat opens a backdoor that allows remote access (Android)
 ► July: SMSzombie abuses China's SMS payment (Android)
 ► February 2013: Lock screen of the iPhone can be circumvented (iOS)

Most of these vulnerabilities originate from:
 ► Jailbreaks, rootkits, …
 ► Incorrectly configured application settings
 ► Applications downloaded from sources not controlled by the device vendor (sideloading)
 ► User preference for simple passwords
 ► Users allowing applications to access personal information they do not need
 ► Reuse of passwords among different applications
 ► Social engineering (e.g. gaining physical access to the smartphone to steal data)
Introduction
Trends within the mobile world
… In numbers this means

2012 malware targets (pie chart; the three slices are 40%, 32% and 28%):
 ► Subscription to premium SMS services
 ► Information theft (banking apps)
 ► Botnet integration

Sources: ESET, Trends for 2013
Mobile Architecture
An overview

The diagram shows two paths from the mobile device into the operator network: (1) a public APN and (2) a private APN.

1. Public APN
   ► APNs used by end-users or machines
   ► Public: only requires a SIM card of the provider
   ► Less secure but cheaper
   ► E.g. your own PDA connecting over 3G

2. Private APN
   ► Used by companies to communicate easily with field equipment (e.g. G4S transportation)
   ► Private: only accessible through specific SIM cards
   ► More secure but more expensive
   ► E.g. a Coca-Cola vending machine reporting the status of its available stock
Mobile Architecture
Perceived threats – End users

The diagram marks three zones: (1) the mobile phone, (2) the communication channel and (3) the server infrastructure.

1. Mobile phone
   ► Information disclosure (within the application source code)
   ► Data stored on the device contains personal information
   ► Insecure password usage

2. Communication channel
   ► No encryption applied on the communication channel

3. Server infrastructure
   ► Improper session, authorization and authentication handling
   ► Overall weak server side controls (e.g. server side injections)
Mobile Architecture
Perceived threats – Machines

Next to the threats described on the previous page, machine to machine communication has another threat that is easily overlooked…

1. Machines
   ► What if the SIM card (of the machine) is inserted in a USB 3G stick?

     This gives access to the private APN, which in turn provides access to a front-end system of the owner of the private APN…
     From that point onwards a similar penetration testing approach can be used to exploit the front-end device.

     Possible pitfall: some SIM cards might disallow outgoing data traffic…
How to assess the threats
General approach

Mobile device
Objective: identify vulnerabilities in the applications installed on the devices themselves.
 ► Reverse engineer the binary using tools such as Clang (static code), GDB and IDA (Pro), and investigate the code for passwords, server-side keys, … but also learn how the application works!
 ► Look for sensitive data in databases, logs, back-ups, cached files, …
 ► Verify the application's permissions
 ► Perform security tests similar to other web application tests (e.g. session management, authentication management, …)

Communication channel
Objective: identify vulnerabilities in the data communication channel.
 ► Verify that the application uses SSL/TLS whenever sensitive information is being transmitted.

Server side controls
Objective: identify vulnerabilities on the server side of the mobile application.
 ► Perform attack and penetration tests similar to other web application tests, and use the information found on the local device to leverage your successes.
How to assess the threats
Mobile device – Source code review
Source code review - Android

     ►   The downloaded package (.apk) is actually a zip container; unzipping it reveals the
         actual content.
     ►   Lots of files, including classes.dex (the compiled Dalvik bytecode).

               Tools used            Dex2Jar
                                     JD-GUI

               Steps to be taken     dex2jar.sh classes.dex   (the jar is written next to the input, e.g. classes_dex2jar.jar)
                                     Open the resulting .jar in JD-GUI (or Eclipse, …) to read the decompiled Java
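Once classes.dex is out of the APK, the quickest first pass, before decompiling anything, is to read its string pool: hardcoded URLs, credential-like names and embedded key material (the items on the "What to look for" slide further on) all sit there as literals. The script below is an added example written for this page, not a tool from the slides; it parses the DEX header and string_ids table directly, validates the Adler-32 checksum and size fields so a truncated or tampered file is caught rather than mis-parsed, and greps the pool with a few reviewer patterns. The sample DEX it builds is constructed for the demonstration (header plus string pool only, no class or method tables) and every string in it is made up; point `dex_strings` at a real classes.dex to review an application.

```python
"""Extract the string pool from a classes.dex and flag candidate secrets.

Added example, not from the slides. build_sample_dex() constructs a header-plus-string-pool
file for the demonstration (no class or method tables); aim dex_strings() at a real
classes.dex to review an application. All sample strings are made up."""
import re
import struct
import zlib

HEADER_SIZE = 0x70           # dex_header is always 0x70 bytes
DEX_MAGIC_PREFIX = b"dex\n"  # followed by the version, e.g. "035\0"


def read_uleb128(buf, off):
    """Decode an unsigned LEB128 value; returns (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex):
    """Validate the header (magic, Adler-32, sizes) and return every string in the pool."""
    if len(dex) < HEADER_SIZE or not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", dex, 0x08)
    if (zlib.adler32(dex[12:]) & 0xFFFFFFFF) != checksum:  # covers everything after the checksum
        raise ValueError("DEX checksum mismatch (truncated or tampered file)")
    file_size, header_size = struct.unpack_from("<II", dex, 0x20)
    if file_size != len(dex) or header_size != HEADER_SIZE:
        raise ValueError("DEX size fields do not match the file")
    n_strings, ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(n_strings):
        data_off, = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(dex, data_off)  # string_data_item: uleb128 size, MUTF-8, NUL
        end = dex.index(b"\x00", p)
        # MUTF-8 differs from UTF-8 only for NUL and surrogate pairs; close enough for review.
        strings.append(dex[p:end].decode("utf-8", errors="replace"))
    return strings


# What a reviewer greps for first: endpoints, credential-ish names, embedded key material.
SUSPICIOUS = {
    "url": re.compile(r"^https?://", re.I),
    "credential": re.compile(r"(passw(or)?d|secret|api[_-]?key|token)", re.I),
    "key_material": re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$"),  # long base64 blob
}


def find_suspicious_strings(strings):
    """Group pool strings under the pattern names they match."""
    hits = {name: [] for name in SUSPICIOUS}
    for s in strings:
        for name, rx in SUSPICIOUS.items():
            if rx.search(s):
                hits[name].append(s)
    return hits


def build_sample_dex(strings):
    """Constructed DEX: header, string_ids table and string_data; checksum computed for real."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"  # uleb128 size fits one byte here
    body = bytearray(HEADER_SIZE)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", body, 0x20, data_off + len(data), HEADER_SIZE)
    struct.pack_into("<I", body, 0x28, 0x12345678)  # ENDIAN_CONSTANT
    struct.pack_into("<II", body, 0x38, len(strings), ids_off)
    struct.pack_into("<II", body, 0x68, len(data), data_off)
    body += b"".join(struct.pack("<I", o) for o in offsets) + data
    struct.pack_into("<I", body, 0x08, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


SAMPLE_STRINGS = [  # constructed; not from any real app
    "Lcom/example/app/LoginActivity;",
    "https://api.example.invalid/v1/login",
    "admin_password",
    "dGhpcyBpcyBub3QgYSByZWFsIGtleSBidXQgbG9va3MgbGlrZSBvbmU=",
    "onCreate",
]

if __name__ == "__main__":
    pool = dex_strings(build_sample_dex(SAMPLE_STRINGS))
    for kind, values in find_suspicious_strings(pool).items():
        for v in values:
            print(f"[{kind}] {v}")
```

The checksum check matters in practice: repackaged or partially downloaded APKs are common in this kind of engagement, and a parser that trusts the offsets blindly will happily return garbage. Anything the grep turns up is a lead, not a finding; the decompiled Java from dex2jar/JD-GUI tells you how the string is actually used.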
How to assess the threats
Mobile device – Source code review
Source code review - iPhone
Before starting any tests on iOS… make sure to jailbreak the device and install:
     ►    OpenSSH
     ►    MobileTerminal
     ►    Cydia = the mother of all tools on jailbroken iPhones! The app store for jailbroken iOS.
     ►    Other Linux based tools you want…

Connect your iPhone to a (wireless) hotspot and SSH to it! The default root password of a jailbroken iPhone is "alpine"; change it, otherwise anyone on the same network can log in to your test device.
How to assess the threats
Mobile device – Source code review
Source code review – iPhone (cont.)

     ►   Not that easy… because App Store applications are encrypted (FairPlay) and signed:
             code segments look like gibberish when simply reversed.
     ►   However the .ipa downloaded by iTunes is still a zip container; unzipping it reveals the
         .app bundle under Payload/. On a jailbroken device the same .app bundle can be copied
         straight from the installed applications directory over SSH.
How to assess the threats
Mobile device – Source code review
Source code review – iPhone (cont.)

     ►   Find the application binary in the bundle and … check that the encryption is actually on!

     ►   The LC_ENCRYPTION_INFO load command carries the relevant values:
           ►   cryptid: 1 if the binary is encrypted, 0 if it is not
           ►   cryptoff: file offset at which the encrypted range starts
           ►   cryptsize: length of the encrypted range, so encryption covers cryptoff up to cryptoff + cryptsize

     ►   The iPhone auto-decrypts it when the application runs on your phone, so the plaintext code does exist: in memory.
How to assess the threats
Mobile device – Source code review
Source code review – iPhone (cont.)

LC_ENCRYPTION_INFO: cryptid = 1 (encrypted)
    ►   Automatic: one application: Clutch
    ►   Manual:
          ►   Run the app (the kernel decrypts it in memory) and dump the code using GDB:
                ►   gdb -p <PID of the application>
                ►   Dump the encrypted range, based on cryptoff and cryptsize:
                     @CLI: dump memory app.bin <start> <end>, where start is the address at which the
                     encrypted range is mapped and end is start + cryptsize (in our case 0x0000 to 0x9000)
          ►   Write the dumped bytes over the encrypted range in a copy of the binary, then use a hex
              editor to change cryptid to 0 so that the tools no longer treat the code as encrypted.
                ►   No clear method to find where the crypt-ID is: search for /System/Library/Frameworks
                    within the hex (the load commands sit just before those library paths)… can take some time…
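The two slides above are one procedure: read LC_ENCRYPTION_INFO, and if cryptid is 1, dump exactly the range it describes from the running process. The Python below is an added example for this page, not part of the slides or of Clutch; it walks the Mach-O load commands (thin or fat binaries, 32- and 64-bit command variants) and prints the GDB `dump memory` line for each encrypted slice. The sample binary it builds is constructed (a header and one load command, no code). The 0x1000 load base is an assumption that holds for the non-PIE 32-bit binaries of that era, which is why the slide's file offsets and memory addresses line up so neatly; for a PIE binary substitute the load address you observe in the debugger.

```python
"""Check LC_ENCRYPTION_INFO in an iOS app binary and derive the GDB range to dump.

Added example, not from the slides. The sample Mach-O is constructed (header and one load
command, no code). The 0x1000 load base is an assumption that holds for the non-PIE 32-bit
binaries of that era; for a PIE binary substitute the load address seen in the debugger."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
DEFAULT_LOAD_BASE = 0x1000  # assumed __TEXT vmaddr for file offset 0 (32-bit, non-PIE)


def encryption_info(binary, base=0):
    """Parse one thin Mach-O image; return its cryptoff/cryptsize/cryptid or None if absent."""
    magic, = struct.unpack_from("<I", binary, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    is64 = magic == MH_MAGIC_64
    ncmds, sizeofcmds = struct.unpack_from("<II", binary, base + 16)
    off = base + (32 if is64 else 28)  # sizeof(mach_header_64) / sizeof(mach_header)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", binary, off)
        if cmdsize < 8:
            raise ValueError("bad cmdsize")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", binary, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid, "is64": is64}
        off += cmdsize
    return None  # e.g. a developer build; nothing to decrypt


def slices(binary):
    """Yield the file offset of each thin image: 0 for a thin file, one per arch for a fat file."""
    magic, = struct.unpack_from(">I", binary, 0)
    if magic != FAT_MAGIC:
        yield 0
        return
    nfat, = struct.unpack_from(">I", binary, 4)
    for i in range(nfat):
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", binary, 8 + 20 * i)
        yield offset


def gdb_dump_plan(binary, load_base=DEFAULT_LOAD_BASE):
    """For each slice: is it encrypted, and which live-process range must GDB dump."""
    plan = []
    for base in slices(binary):
        info = encryption_info(binary, base)
        if info is None or info["cryptid"] == 0:
            plan.append({"slice": base, "encrypted": False, "gdb": None})
            continue
        start = load_base + info["cryptoff"]
        end = start + info["cryptsize"]
        plan.append({"slice": base, "encrypted": True,
                     "gdb": f"dump memory app.bin {start:#x} {end:#x}"})
    return plan


def build_sample_macho(cryptid, cryptoff=0x1000, cryptsize=0x9000):
    """Constructed 32-bit ARM MH_EXECUTE header carrying a single LC_ENCRYPTION_INFO."""
    cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)
    header = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 1, len(cmd), 0)  # cputype ARM, armv7
    return header + cmd


def build_sample_fat(thin, offset=0x1000):
    """Constructed fat container (big-endian header) wrapping one thin slice at `offset`."""
    head = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">IIIII", 12, 9, offset, len(thin), 12)
    return head + b"\x00" * (offset - len(head)) + thin


if __name__ == "__main__":
    # On a real binary, `otool -l App.app/App | grep -A4 LC_ENCRYPTION_INFO` shows the same fields.
    for entry in gdb_dump_plan(build_sample_fat(build_sample_macho(cryptid=1))):
        print(entry)
```

With cryptoff 0x1000 and cryptsize 0x9000 the plan is `dump memory app.bin 0x2000 0xb000`: the first page of the file (header and load commands) is never encrypted, which is also why searching the hex for the framework paths lands you next to the load command you need to patch. The dumped bytes go back into a copy of the file at cryptoff, and only then is cryptid set to 0.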
How to assess the threats
Mobile device – Source code review
Source code review – iPhone (cont.)

LC_ENCRYPTION_INFO: cryptid = 0 (not encrypted)

     ►   … when encryption is not on, or you decrypted the binary with the previous steps… use IDA Pro to reverse
         the application.
     ►   It stays in assembly! Load the objc.idc script so IDA recovers the Objective-C class, selector and
         method structures, which makes the assembly a lot easier to follow.
How to assess the threats
Mobile device – Source code review
Source code review (cont.) – What to look for

     ►    Passwords
     ►    Hardcoded URLs
     ►    Administrator bypasses
     ►    Input filter classes
     ►    … anything you would search for in a normal reverse engineering test…
How to assess the threats
Mobile device – Sensitive files
Data stored on the device

Applications store data in various locations:
   ► SQLite databases
   ► Cached data, back-ups, …
   ► Log files of applications

Easy to find over the SSH connection: inspect text files in place with "cat", and copy databases and anything else
to your computer to open them with a viewer you like (a SQLite database needs a SQLite browser, not cat).
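Opening each database by hand scales badly once an app has a dozen of them, so the usual move is to walk every table and flag what should not be there in the clear. The script below is an added example for this page, not a tool from the slides; it enumerates the tables of a SQLite file, flags columns whose names suggest secrets, and flags values whose shape gives them away (e-mail addresses, bearer tokens/JWT-like strings, Luhn-valid card numbers) whatever the column is called. The database it scans is constructed for the demonstration, with made-up names and values; pass it a connection to a file copied off the device instead.

```python
"""Scan an application's SQLite database for sensitive data stored in the clear.

Added example for this section; not part of the original slides. Point scan_sqlite()
at a connection to a database copied off the device (e.g. over the SSH session)."""
import re
import sqlite3

# Column names that should never hold plaintext on a handset (substring match, so
# expect the odd false positive such as "shipping" matching "pin"; review by hand).
SENSITIVE_COLUMN = re.compile(
    r"(pass(word|wd)?|pin|token|secret|session|cookie|ssn|iban|card)", re.I)

# Value shapes worth flagging whatever the column is called.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "bearer_or_jwt": re.compile(
        r"^(Bearer\s+)?[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
}


def luhn_ok(digits):
    """Luhn check so 13-19 digit values are only reported when they are plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _quote(ident):
    """Quote an identifier so odd table/column names cannot break the generated SQL."""
    return '"' + ident.replace('"', '""') + '"'


def scan_sqlite(conn):
    """Walk every user table and return (table, column, reason, value) findings."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({_quote(table)})")]
        select = f"SELECT {', '.join(_quote(c) for c in cols)} FROM {_quote(table)}"
        for row in conn.execute(select):
            for col, val in zip(cols, row):
                if val is None:
                    continue
                text = str(val)
                if SENSITIVE_COLUMN.search(col):
                    findings.append((table, col, "sensitive column name", text))
                    continue
                for reason, rx in VALUE_PATTERNS.items():
                    if rx.match(text) and (reason != "card_number" or luhn_ok(text)):
                        findings.append((table, col, reason, text))
    return findings


def build_sample_db():
    """Constructed sample: the kind of database a careless banking app leaves on the device.
    All names and values are made up; 4111111111111111 is the classic Visa test number."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account (id INTEGER, email TEXT, password TEXT);
        INSERT INTO account VALUES (1, 'alice@example.invalid', 'Summer2013!');
        CREATE TABLE session_cache (key TEXT, value TEXT);
        INSERT INTO session_cache VALUES
            ('auth', 'Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl'),
            ('theme', 'dark');
        CREATE TABLE payment (id INTEGER, pan TEXT, expiry TEXT);
        INSERT INTO payment VALUES (1, '4111111111111111', '12/15');
    """)
    return conn


if __name__ == "__main__":
    for table, col, reason, value in scan_sqlite(build_sample_db()):
        print(f"{table}.{col}: {reason}: {value}")
```

The column-name check catches the obvious `password` column; the value checks are what find the session token filed under a generic `key`/`value` cache table and the card number in a column called `pan`, which no name-based rule would have hit. Run it over every .db and .sqlite file you copy off the device, and give the same attention to back-ups and log files, where the same values tend to reappear.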
How to assess the threats
Mobile device – Application permissions
Incorrect authorization set for mobile applications

Each application receives permissions that need to be reviewed because:

   ►   Applications having access to extra functions might be abused (e.g. through client side
       injection) by attackers to get hold of extra information (low likelihood)
   ►   End-users might not install the application (medium likelihood)

                   iOS          Can be reviewed only from iOS 6 onwards, under Settings > Privacy

                   Android      Declared in the manifest file (AndroidManifest.xml, uses-permission entries)
                                and granted all at once at install time
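On Android the permission review is a manifest review, and the same manifest tells you which components other apps on the device can reach, which is the route a client-side injection would come through. The script below is an added example for this page, not part of the slides; it lists the requested permissions, picks out a reviewer-defined set of high-risk ones, and flags exported activities, services, receivers and providers that carry no `android:permission` of their own (the launcher activity is skipped, since it is exported by design). It expects the manifest as text, so a binary manifest must be decoded first, for instance with apktool. The sample manifest, its package name and its component names are all constructed for the demonstration, and the `HIGH_RISK` set is an assumption, not an Android list.

```python
"""Review a decoded AndroidManifest.xml for requested permissions and exposed components.

Added example, not from the slides. It expects the manifest as text (binary manifests
need decoding first, e.g. with apktool). The HIGH_RISK set is the reviewer's own list."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Build the namespaced key ElementTree uses for android:<name> attributes."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions to challenge unless the app's purpose clearly needs them (assumed list).
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE", "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def review_manifest(xml_text):
    """Return requested permissions, the high-risk subset, and components reachable by other
    apps without any permission check (the entry points a client-side injection comes through)."""
    root = ET.fromstring(xml_text)
    perms = [e.get(android_attr("name")) for e in root.iter("uses-permission")]
    exposed = []
    app = root.find("application")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in ([] if app is None else app.iter(tag)):
            exported = comp.get(android_attr("exported"))
            has_filter = comp.find("intent-filter") is not None
            # Android's rule: a component with an intent-filter is exported unless told otherwise.
            # (Providers on targetSdk < 17 default to exported even without a filter; not modelled.)
            is_exported = exported == "true" or (exported is None and has_filter)
            is_launcher = any(a.get(android_attr("name")) == "android.intent.action.MAIN"
                              for a in comp.iter("action"))
            if is_exported and not is_launcher and comp.get(android_attr("permission")) is None:
                exposed.append((tag, comp.get(android_attr("name"))))
    return {
        "permissions": perms,
        "high_risk": sorted(p for p in perms if p in HIGH_RISK),
        "exposed": exposed,
    }


# Constructed sample manifest; package and component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"
              android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    print("high-risk permissions:", result["high_risk"])
    print("exposed without permission:", result["exposed"])
```

For the sample, READ_SMS and READ_CONTACTS are the permissions to ask the developer about, and `.SyncService` is the component to poke at: exported, no permission, so any other app on the handset can bind to it. The SMS receiver is exported too, but only a sender holding BROADCAST_SMS (the system) can reach it, which is why it is not flagged.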
How to assess the threats
Mobile device – Client side injections
As with normal client applications, mobile applications might be vulnerable to injections.

Set-up of the screenshots on the slide: vulnerable app1 (downloaded from http://www.veracode.com), which
contains a basic SQL injection that bypasses authentication on the application.
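The authentication bypass in the sample app is the textbook local SQL injection: the login screen's input is concatenated into a query against an on-device SQLite database. The code below is an added example written for this page, not the sample app's code; it puts the vulnerable query next to the parameterised one and drives both with the same payload, so the difference is visible in the return values. The user table and credentials are constructed for the demonstration.

```python
"""Client-side SQL injection in a local login check: the vulnerable query next to its fix.

Added example, not the sample app from the slide; the user store and credentials are constructed."""
import sqlite3


def make_app_db():
    """A local user table such as a demo app ships with (the plaintext password is itself a
    'sensitive files' finding; it is kept here only to isolate the injection)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'Summer2013!')")
    return conn


def login_vulnerable(conn, username, password):
    """Query built by concatenation: the attacker's input becomes part of the SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Bound parameters: input is data only and cannot change the query's structure."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] > 0


# Turns the WHERE clause into (username = 'nobody' AND password = '') OR '1'='1'
BYPASS_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_app_db()
    print("vulnerable, bypass:", login_vulnerable(db, "nobody", BYPASS_PASSWORD))  # True
    print("hardened,   bypass:", login_hardened(db, "nobody", BYPASS_PASSWORD))    # False
```

Because AND binds tighter than OR, the payload in the password field makes the whole clause true for any username, which is exactly what the slide's screenshots show. The bound-parameter version is the fix on both platforms (SQLiteDatabase.rawQuery with selectionArgs on Android, sqlite3_bind_* on iOS); finding the query-building code is what the source code review step earlier is for.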
How to assess the threats
Communication channel
Proxy, proxy and proxy again…

Both platforms can route the device's HTTP(S) traffic through an intercepting proxy, configured in the
Wi-Fi network settings (iOS and Android screenshots on the slide). For HTTPS, also install the proxy's CA
certificate on the device; an application that validates certificates will otherwise reject the intercepted
connection, which is itself a result worth noting.

Once set up, the tests are identical to other web application tests.
How to assess the threats
Server side controls
Again… proxy, proxy and proxy again…

  ►   Assess the back-end server as any web service you would encounter:
        ► WSDL assessment
        ► Extracting extra information by manipulating requests
        ► Injection testing
        ► SOAP attachments
        ► …

  ►   Do not forget to assess the infrastructure itself!
Recap

 ►   Mobile applications and mobile phones are on the rise
 ►   Machine to machine is on the rise
 ►   But malware is on the rise too, and it is after the sensitive files!
Ernst & Young
Assurance | Tax | Transactions | Advisory
2013 Ernst & Young Transaction Advisory Services
All rights reserved.

Tim Beyens
Tel.: +32 2 774 91 81
Mobile: +32 495 743 592
Email: tim.beyens@be.ey.com
About Ernst & Young

Ernst & Young is a global leader in assurance, tax,
transaction and advisory services. Worldwide, our
167,000 people are united by our shared values
and an unwavering commitment to quality. We
make a difference by helping our people, our
clients and our wider communities achieve their
potential.

Ernst & Young refers to the global organization of
member firms of Ernst & Young Global Limited,
each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services to
clients.

For more information about our organization,
please visit www.ey.com/be.
Follow us: twitter.com/EY_Belgium

Contenu connexe

Tendances

Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
TELKOMNIKA JOURNAL
 
Jips v07 no1_paper17
Jips v07 no1_paper17Jips v07 no1_paper17
Jips v07 no1_paper17
Hai Nguyen
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
Symantec
 

Tendances (18)

A Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits AttackA Mitigation Technique For Internet Security Threat of Toolkits Attack
A Mitigation Technique For Internet Security Threat of Toolkits Attack
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile Banking
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
 
Thought Paper: Overview of Banking Applications
Thought Paper: Overview of Banking ApplicationsThought Paper: Overview of Banking Applications
Thought Paper: Overview of Banking Applications
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
 
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” WorldTrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
 
521 524
521 524521 524
521 524
 
Jips v07 no1_paper17
Jips v07 no1_paper17Jips v07 no1_paper17
Jips v07 no1_paper17
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
20120208 Strategical approach to tacle cybercrime & the botnet threat
20120208 Strategical approach to tacle cybercrime & the botnet threat20120208 Strategical approach to tacle cybercrime & the botnet threat
20120208 Strategical approach to tacle cybercrime & the botnet threat
 
E-commerce Security
E-commerce SecurityE-commerce Security
E-commerce Security
 
P0704085089
P0704085089P0704085089
P0704085089
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
 
Cybercriminals and security attacks
Cybercriminals and security attacksCybercriminals and security attacks
Cybercriminals and security attacks
 
IJSRED-V2I3P69
IJSRED-V2I3P69IJSRED-V2I3P69
IJSRED-V2I3P69
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
 

En vedette

Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
Saswat Padhi
 
Haptic Technology ppt
Haptic Technology pptHaptic Technology ppt
Haptic Technology ppt
Arun Sivaraj
 
Blue Eyes ppt
Blue Eyes pptBlue Eyes ppt
Blue Eyes ppt
deepu427
 

En vedette (11)

F5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference ArchitectureF5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference Architecture
 
Haptic technology
Haptic technologyHaptic technology
Haptic technology
 
Haptic technology ppt
Haptic technology pptHaptic technology ppt
Haptic technology ppt
 
Quantum teleportation
Quantum teleportationQuantum teleportation
Quantum teleportation
 
Haptic Technology
Haptic TechnologyHaptic Technology
Haptic Technology
 
Electronics seminar topics
Electronics seminar topicsElectronics seminar topics
Electronics seminar topics
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Black Box
Black BoxBlack Box
Black Box
 
Haptic Technology ppt
Haptic Technology pptHaptic Technology ppt
Haptic Technology ppt
 
Blue Eyes ppt
Blue Eyes pptBlue Eyes ppt
Blue Eyes ppt
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 

Similaire à Info security - mobile approach

Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
Antiy Labs
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
Pragati Rai
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
Harsimran Walia
 

Similaire à Info security - mobile approach (20)

Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
 
Android Malware Detection Literature Review
Android Malware Detection Literature ReviewAndroid Malware Detection Literature Review
Android Malware Detection Literature Review
 
Mobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An IntroductionMobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An Introduction
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile  security presentation v1.2C0c0n 2011 mobile  security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
A Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareA Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile Malware
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0
 
Smartphone
SmartphoneSmartphone
Smartphone
 
CS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptxCS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptx
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
Data Mining For Intrusion Detection in Mobile Systems
Data Mining For Intrusion Detection in Mobile SystemsData Mining For Intrusion Detection in Mobile Systems
Data Mining For Intrusion Detection in Mobile Systems
 

Plus de EY Belgium

Le pacte d’actionnaires
Le pacte d’actionnairesLe pacte d’actionnaires
Le pacte d’actionnaires
EY Belgium
 
Atelier 5 - Protection intellectuelle entre employeur et employé
Atelier 5 - Protection intellectuelle entre employeur et employéAtelier 5 - Protection intellectuelle entre employeur et employé
Atelier 5 - Protection intellectuelle entre employeur et employé
EY Belgium
 

Plus de EY Belgium (20)

Addressing the challenge of the new European Union Medical Device Regulation
Addressing the challenge of the new European Union Medical Device RegulationAddressing the challenge of the new European Union Medical Device Regulation
Addressing the challenge of the new European Union Medical Device Regulation
 
IFRS 15 - the new revenue recognition standard
IFRS 15 - the new revenue recognition standard IFRS 15 - the new revenue recognition standard
IFRS 15 - the new revenue recognition standard
 
EY financial accounting advisory services - Your partner in finance
EY financial accounting advisory services  - Your partner in financeEY financial accounting advisory services  - Your partner in finance
EY financial accounting advisory services - Your partner in finance
 
European banking barometer - Belgian results
European banking barometer - Belgian results European banking barometer - Belgian results
European banking barometer - Belgian results
 
Human Capital Alert - may 2014
Human Capital Alert - may 2014 Human Capital Alert - may 2014
Human Capital Alert - may 2014
 
Baromètre de l'Attractivité belge - résultats de perception
Baromètre de l'Attractivité belge - résultats de perception Baromètre de l'Attractivité belge - résultats de perception
Baromètre de l'Attractivité belge - résultats de perception
 
Barometer van de Belgische Attractiviteit 2014 - perceptieresultaten
Barometer van de Belgische Attractiviteit 2014 - perceptieresultaten Barometer van de Belgische Attractiviteit 2014 - perceptieresultaten
Barometer van de Belgische Attractiviteit 2014 - perceptieresultaten
 
Analyse des performances et évolution du tissu PME wallon
Analyse des performances et évolution du tissu PME wallonAnalyse des performances et évolution du tissu PME wallon
Analyse des performances et évolution du tissu PME wallon
 
EY global consumer banking survey - Western European highlights
EY global consumer banking survey - Western European highlights EY global consumer banking survey - Western European highlights
EY global consumer banking survey - Western European highlights
 
CFO Barometer - economische trends
CFO Barometer - economische trends CFO Barometer - economische trends
CFO Barometer - economische trends
 
EY Real Estate Asset Investment trend indicator 2014
EY Real Estate Asset Investment trend indicator 2014 EY Real Estate Asset Investment trend indicator 2014
EY Real Estate Asset Investment trend indicator 2014
 
EY seminarie: Uitkeringen en roerende voorheffing
EY seminarie: Uitkeringen en roerende voorheffingEY seminarie: Uitkeringen en roerende voorheffing
EY seminarie: Uitkeringen en roerende voorheffing
 
European Banking Barometer: Spring/Summer 2013 - Belgian focus
European Banking Barometer: Spring/Summer 2013 - Belgian focusEuropean Banking Barometer: Spring/Summer 2013 - Belgian focus
European Banking Barometer: Spring/Summer 2013 - Belgian focus
 
Le Baromètre 2013 de l'Attractivité Belge
Le Baromètre 2013 de l'Attractivité Belge Le Baromètre 2013 de l'Attractivité Belge
Le Baromètre 2013 de l'Attractivité Belge
 
Barometer van de Belgische Attractiviteit 2013
Barometer van de Belgische Attractiviteit 2013 Barometer van de Belgische Attractiviteit 2013
Barometer van de Belgische Attractiviteit 2013
 
Human Capital Fire Chat
Human Capital Fire ChatHuman Capital Fire Chat
Human Capital Fire Chat
 
EY barometer van de belgische attractiveness part 1 2013
EY barometer van de belgische attractiveness part 1 2013EY barometer van de belgische attractiveness part 1 2013
EY barometer van de belgische attractiveness part 1 2013
 
EY baromètre de l’attractivité belge partie 1 - 2013
EY baromètre de l’attractivité belge partie 1 - 2013EY baromètre de l’attractivité belge partie 1 - 2013
EY baromètre de l’attractivité belge partie 1 - 2013
 
Le pacte d’actionnaires
Le pacte d’actionnairesLe pacte d’actionnaires
Le pacte d’actionnaires
 
Atelier 5 - Protection intellectuelle entre employeur et employé
Atelier 5 - Protection intellectuelle entre employeur et employéAtelier 5 - Protection intellectuelle entre employeur et employé
Atelier 5 - Protection intellectuelle entre employeur et employé
 

Dernier

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business

Info security - mobile approach

  • 6. Introduction
    Trends within the mobile world
    On the other hand, malware is also being rapidly developed… (timeline 2011 to 2013; month labels as shown on the slide)
    ► October: secret key combo auth bypass (iOS)
    ► July: ZITMO banking trojan affects all mobile devices
    ► August: weakness in SSL certificate handling exposes data to interception (iOS)
    ► April: NotCompatible gains access to local network preferences (Android)
    ► July: LuckyCat opens a backdoor that allows remote access (Android)
    ► February 2013: LockScreen of iPhone can be circumvented (iOS)
    ► March: trojanised apps found on Chinese app store (Android)
    ► August: Google authentication details sent in clear text (Android)
    ► September: HTC phone vulnerability leaks personal data (Android)
    ► May: FakeInst SMS Trojan costs end-users 30 million dollars (Android)
    ► July: SMSzombie abuses China’s SMS payment (Android)
    Most of these vulnerabilities originate from:
    ► Jailbreaks, rootkits, …
    ► Faultily configured application settings
    ► Faulty downloaded applications (from sources not controlled by the device)
    ► User preferences for simple passwords
    ► User allows application to access unneeded personal information
    ► Reuse of passwords among different applications
    ► Social engineering (i.e. gaining physical access to the smart phone to steal data)
  • 7. Introduction
    Trends within the mobile world
    … In numbers this means: (pie chart of 2012 malware targets: subscription to premium SMS services, information theft (banking apps), botnet integration; the three slices are labelled 32%, 40% and 28%)
    Sources: ESET, Trends for 2013
  • 8. Mobile Architecture
    An overview (diagram: 1 = Public APN, 2 = Private APN)
    1. Public APN
    ► APNs used by end-users or machines
    ► Public, only requires a SIM card of the provider
    ► Less secure but cheaper
    ► E.g. your own PDA connecting over 3G
    2. Private APN
    ► Used by companies to easily communicate with field equipment (e.g. G4S transportation)
    ► Private, only accessible through specific SIM cards
    ► More secure but more expensive
    ► E.g. a Coca-Cola vending machine providing statuses on available stock
  • 9. Mobile Architecture
    Perceived threats – End Users
    1. Mobile phone
    ► Information disclosure (within the application source code)
    ► Data stored on the device contains personal information
    ► Insecure password usage
    2. Communication channel
    ► No encryption applied on the communication channel
    3. Server infrastructure
    ► Improper session, authorization and authentication handling
    ► Overall weak server side controls (e.g. server side injections)
  • 10. Mobile Architecture
    Perceived threats – Machines
    Next to the threats described on the previous page, machine to machine communication has another threat that is easily overlooked….
    1. Machines
    ► What if the SIM card (of the machine) is inserted in a USB 3G stick? This allows access to the private APN, which in turn provides access to a front-end system of the owner of the private APN… From that point onwards a similar penetration testing approach can be used to exploit the front-end device.
    ► Possible pitfall: some SIM cards might disallow outgoing data traffic…
  • 11. How to assess the threats
    General approach
    Mobile Device
    Objective: identify vulnerabilities in the applications installed on the devices themselves.
    ► Reverse engineer the binary using tools such as Clang (static code), GDB and IDA (Pro), and investigate the source code for passwords, server-side keys, … but also learn how the application works!
    ► Look for sensitive data in databases, logs, back-ups, cached files, …
    ► Verify the application’s permissions
    Communication channel
    Objective: identify vulnerabilities in the data communication channel.
    ► Verify the application uses SSL/TLS whenever sensitive information is being transmitted.
    ► Perform security tests similar to other web application tests (e.g. session management, authentication management, …)
    Server side controls
    Objective: identify vulnerabilities on the server side of the mobile application.
    ► Perform attack and penetration tests similar to other web application tests, and use the information found on the local device to leverage your successes.
  • 12. How to assess the threats
    Mobile device – Source code review
    Source code review – Android
    ► The downloaded package (.apk) is actually a zip container; unzipping it will reveal the actual content.
    ► Loads of files, including classes.dex
    Tools used: Dex2Jar, JD-GUI
    Steps to be taken:
    ► Dex2jar.sh classes.dex > classes.jar
    ► Open the classes.jar file in JD-GUI (or Eclipse, …)
  • 13. How to assess the threats
    Mobile Phone – Source code review
    Source code review – iPhone
    Before starting any tests on iOS… make sure to jailbreak the device and install:
    ► OpenSSH
    ► Mobile terminal
    ► Cydia = the mother of all tools on jailbroken iPhones! App store for jailbroken iOS.
    ► Other Linux based tools you want…
    Connect your iPhone to a (wireless) hotspot and SSH to it! (The screenshot shows an SSH login with the password alpine.)
  • 14. How to assess the threats
    Mobile device – Source code review
    Source code review – iPhone (cont.)
    ► Not that easy… because most Apple applications are encrypted and signed, code segments look like gibberish when simply reversed.
    ► However, the downloaded file (.ipa in iTunes, or .app when transferring it from the jailbroken iOS) is still a zip container; unzipping it will reveal the actual content.
  • 15. How to assess the threats
    Mobile device – Source code review
    Source code review – iPhone (cont.)
    ► Find the application file in the container and … check that the encryption is actually on!
    ► LC_ENCRYPTION_INFO values:
      ► cryptid: 1 if the binary is encrypted, 0 if the binary is not encrypted
      ► cryptsize: up to what point the application is encrypted
    ► The iPhone will auto-decrypt it when the application runs on your phone
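    The check the slide asks for (is cryptid set on the application binary?) can be automated by walking the Mach-O load commands. The script below is an added example, not from the presentation or from Clutch or any other tool it mentions: it reads LC_ENCRYPTION_INFO (0x21) and LC_ENCRYPTION_INFO_64 (0x2C) from a thin Mach-O image, and also unpacks fat (universal) containers so each architecture slice is reported separately. The images it parses are constructed in memory with one encryption load command each; the cryptoff/cryptsize values and CPU types in the samples are assumptions chosen for the demo.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF       # thin Mach-O, 32/64-bit
FAT_MAGIC = 0xCAFEBABE                              # fat (universal) container
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_ARM, CPU_ARM64 = 0xC, 0x0100000C


def build_sample_macho(cryptid, cryptsize=0x9000, is64=False):
    """Constructed thin Mach-O: header plus one LC_ENCRYPTION_INFO load command."""
    if is64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, cryptsize, cryptid, 0)
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_ARM64, 0, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, cryptsize, cryptid)
        hdr = struct.pack("<IiiIIII", MH_MAGIC, CPU_ARM, 9, 2, 1, len(lc), 0)
    return hdr + lc


def build_sample_fat(slices):
    """Constructed fat container (big-endian headers) wrapping thin images."""
    table, data = b"", b""
    base = 8 + 20 * len(slices)
    for img in slices:
        cputype, cpusubtype = struct.unpack_from("<ii", img, 4)
        table += struct.pack(">iiIII", cputype, cpusubtype, base + len(data), len(img), 0)
        data += img
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + data


def encryption_info(image):
    """Return one record per architecture slice describing its LC_ENCRYPTION_INFO."""
    (magic_be,) = struct.unpack_from(">I", image, 0)
    if magic_be == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", image, 4)
        found = []
        for i in range(nfat):
            _, _, off, size, _ = struct.unpack_from(">iiIII", image, 8 + 20 * i)
            found.extend(encryption_info(image[off:off + size]))
        return found
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic == MH_MAGIC:
        hdr_size, fields = 28, struct.unpack_from("<IiiIIII", image, 0)
    elif magic == MH_MAGIC_64:
        hdr_size, fields = 32, struct.unpack_from("<IiiIIIII", image, 0)
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, sizeofcmds = fields[4], fields[5]
    off, end = hdr_size, hdr_size + sizeofcmds
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", image, off + 8)
            found.append({"arch64": magic == MH_MAGIC_64, "cryptoff": cryptoff,
                          "cryptsize": cryptsize, "cryptid": cryptid,
                          "encrypted": cryptid != 0})
        off += cmdsize
    return found


def is_encrypted(image):
    """True if any slice still carries store encryption (cryptid != 0)."""
    return any(rec["encrypted"] for rec in encryption_info(image))


if __name__ == "__main__":
    fat = build_sample_fat([build_sample_macho(1), build_sample_macho(0, is64=True)])
    for rec in encryption_info(fat):
        print(rec)
```

    Run encryption_info on the executable taken out of the .ipa/.app container; a slice with cryptid 0 is the case slide 17 covers (straight to the disassembler), while cryptid 1 means the bytes between cryptoff and cryptoff + cryptsize are still encrypted on disk.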
  • 16. How to assess the threats
    Mobile device – Source code review
    Source code review – iPhone (cont.)
    LC_ENCRYPTION_INFO; cryptid = 1
    ► Automatic: one application: Clutch
    ► Manual: use a hex editor to change the value to 0
      ► No clear method to find where the cryptid is; search for /system/Library/Frameworks within the hex… can take some time…
    ► Run the app and dump the code using GDB
      ► gdb -p <PID of the application>
      ► Dump memory of your application based on the cryptsize.
      ► @CLI: dump memory app.bin <<start of application code>> (our case 0x0000) to <<cryptsize>> (our case 0x9000)
  • 17. How to assess the threats
    Mobile device – Source code review
    Source code review – iPhone (cont.)
    LC_ENCRYPTION_INFO; cryptid = 0
    ► … when it is not on… or you used the previous steps… use IDA Pro to reverse the application (it stays in assembly! objc.idc)
  • 18. How to assess the threats
    Mobile device – Source code review
    Source code review (cont.) – What to look for
    ► Passwords
    ► Hardcoded URLs
    ► Administrator bypasses
    ► Input filter classes
    ► … anything you would search for in a normal reverse engineering test…
  • 19. How to assess the threats
    Mobile Phone – Sensitive files
    Data stored on the device
    Applications store data in various locations:
    ► SQLite databases
    ► Cached data, back-ups, …
    ► Log files of applications
    Easy to find using the SSH connection and simply inspecting them, either with the “cat” command or by copying them locally to your computer and opening them in a viewer you like.
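    Once the application's data directory has been copied to your computer, the inspection the slide describes with “cat” can be done systematically. The script below is an added example, not part of the presentation: it walks an app sandbox, opens every SQLite file it finds and reports columns whose name suggests a stored secret (with the number of populated rows), and scans log, plist and similar text files for key=value lines that leak credentials or tokens. The sandbox it scans (Documents/accounts.db, Library/Caches/app.log, Library/settings.plist) is constructed in a temporary directory; the directory names follow the iOS layout but the contents are made up.

```python
import os
import re
import sqlite3
import tempfile

# Column names and key=value lines that usually mean a secret is stored in the clear.
SENSITIVE_COLUMN = re.compile(r"\b(pass(word|wd)?|secret|token|pin|credit|card|ssn)\b", re.I)
SENSITIVE_TEXT = re.compile(r"\b(password|passwd|secret|token|authorization)\b\s*[:=]\s*\S+", re.I)
TEXT_SUFFIXES = (".log", ".txt", ".plist", ".xml", ".json")


def make_sample_sandbox():
    """Constructed app sandbox: one SQLite database, one log file, one harmless plist."""
    root = tempfile.mkdtemp(prefix="app_sandbox_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Caches"))
    db = sqlite3.connect(os.path.join(root, "Documents", "accounts.db"))
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")   # constructed row
    db.commit()
    db.close()
    with open(os.path.join(root, "Library", "Caches", "app.log"), "w") as f:
        f.write("2013-03-21 10:02:11 INFO login ok user=alice\n")
        f.write("2013-03-21 10:02:12 DEBUG auth token=constructed.sample.token\n")
    with open(os.path.join(root, "Library", "settings.plist"), "w") as f:
        f.write("<plist><dict><key>theme</key><string>dark</string></dict></plist>\n")
    return root


def quote_ident(name):
    """Double-quote an SQL identifier taken from the database itself."""
    return '"' + name.replace('"', '""') + '"'


def is_sqlite(path):
    """SQLite files start with a fixed 16-byte header string."""
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def scan_sqlite(path):
    """Report columns whose name suggests a secret, with the number of populated rows."""
    findings = []
    db = sqlite3.connect(path)
    try:
        tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in db.execute("PRAGMA table_info(%s)" % quote_ident(table))]
            for col in cols:
                if SENSITIVE_COLUMN.search(col):
                    rows = db.execute("SELECT COUNT(*) FROM %s WHERE %s IS NOT NULL"
                                      % (quote_ident(table), quote_ident(col))).fetchone()[0]
                    findings.append({"file": path, "kind": "sqlite-column",
                                     "detail": "%s.%s" % (table, col), "rows": rows})
    finally:
        db.close()
    return findings


def scan_text(path):
    """Report lines in logs/config files that look like key=secret pairs."""
    findings = []
    with open(path, errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            if SENSITIVE_TEXT.search(line):
                findings.append({"file": path, "kind": "plaintext-secret",
                                 "detail": "line %d" % lineno})
    return findings


def scan_sandbox(root):
    """Walk an app's data directory and collect findings with paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite(path):
                findings.extend(scan_sqlite(path))
            elif name.endswith(TEXT_SUFFIXES):
                findings.extend(scan_text(path))
    for item in findings:
        item["file"] = os.path.relpath(item["file"], root)
    return sorted(findings, key=lambda item: item["file"])


if __name__ == "__main__":
    for finding in scan_sandbox(make_sample_sandbox()):
        print(finding)
```

    The scanner deliberately reports the location and row count rather than printing the secret values themselves, so its output can go straight into an assessment report.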
  • 20. How to assess the threats
    Mobile Phone – Application permissions
    Incorrect authorization set for mobile applications
    Each application receives permissions that need to be reviewed because:
    ► Applications having access to extra functions might be abused (e.g. through client side injection) by attackers to get hold of extra information (low likelihood)
    ► End-users might not install the application (medium? likelihood)
    iOS: can be reviewed only from iOS version 6, under the ‘Privacy settings’ tab
    Android: stored in the Manifest file
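    For Android the review of the manifest can be scripted. The following is an added example, not from the presentation: it reads the decoded text form of AndroidManifest.xml (the copy inside the .apk is binary XML; a tool such as apktool produces the text form) and summarises the requested permissions, which of them Android classes as dangerous, whether the app is debuggable or backup-enabled, and which exported components are not protected by a permission. The manifest it reviews is constructed; the package name com.example.vulnapp and its components are made up, while the permission names are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions Android labels "dangerous" (presented to the user at install time).
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_CALENDAR", "android.permission.WRITE_EXTERNAL_STORAGE",
}

COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest in decoded text form; package and component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.vulnapp.SYNC"/>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
  </application>
</manifest>"""


def review_manifest(xml_text):
    """Summarise requested permissions and the manifest settings a reviewer checks first."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.findall("uses-permission")]
    app = root.find("application")
    exposed = []
    for comp in app:
        # Exported components reachable by any other app unless guarded by a permission.
        if (comp.tag in COMPONENTS and comp.get(ANDROID_NS + "exported") == "true"
                and comp.get(ANDROID_NS + "permission") is None):
            exposed.append("%s:%s" % (comp.tag, comp.get(ANDROID_NS + "name")))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "debuggable": app.get(ANDROID_NS + "debuggable") == "true",
        "allow_backup": app.get(ANDROID_NS + "allowBackup") != "false",
        "exported_without_permission": exposed,
    }


if __name__ == "__main__":
    for key, value in review_manifest(SAMPLE_MANIFEST).items():
        print("%-28s %s" % (key, value))
```

    Each dangerous permission should be matched against a feature the application actually needs; SEND_SMS in an app with no messaging feature, together with the premium-SMS malware share from slide 7, is the kind of mismatch this review is meant to surface.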
  • 21. How to assess the threats
    Mobile Phone – Client side injections
    As with normal client applications, mobile applications might be vulnerable to injections.
    Set-up of the above screenshots: vulnerable app1 (downloaded from http://www.veracode.com), which contains a basic SQL injection to bypass authentication on the application.
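    The authentication bypass the slide refers to comes from building the SQL text out of user input. The snippet below is an added example and is not the Veracode app's code: it shows a local login check against an SQLite table written the vulnerable way (string formatting) next to the fixed version (bound parameters), so the difference can be tested directly. The user table and credentials are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed local user table, as a mobile app might keep in its SQLite store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed credentials. A clear-text password column is itself a finding
    # under "sensitive files"; the point here is the query construction.
    db.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return db


def login_vulnerable(db, username, password):
    """Builds the SQL text from user input, so quotes in the input change the query."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def login_fixed(db, username, password):
    """Bound parameters keep the input as data; the query shape cannot change."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable, correct credentials:", login_vulnerable(db, "alice", "hunter2"))
    print("vulnerable, injected password:  ", login_vulnerable(db, "nobody", probe))
    print("fixed, injected password:       ", login_fixed(db, "nobody", probe))
```

    On Android the same applies to SQLiteDatabase.rawQuery with concatenated strings versus the selectionArgs form, and on iOS to sqlite3_prepare with bound parameters; the test for the assessor is the same in each case.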
  • 22. How to assess the threats
    Communication channel
    Proxy, proxy and proxy again…
    Each device has the possibility to route its traffic through a proxy (screenshots: iOS and Android proxy settings).
    Once set up, the tests are identical to other web application tests.
  • 23. How to assess the threats
    Communication channel (screenshot only)
  • 24. How to assess the threats
    Server side controls
    Again… proxy, proxy and proxy again…
    ► Assess the back-end server as any web service you would encounter:
      ► WSDL assessment
      ► Extracting extra information by manipulating requests
      ► Injection testing
      ► SOAP attachments
      ► …
    ► Do not forget to assess the infrastructure itself!
  • 25. Recap
    ► Mobile applications and mobile phones are on the rise
    ► Machine 2 machine is on the rise
    ► But malware is on the rise too, to capture sensitive files!
  • 26. Ernst & Young
    Tim Beyens
    Ernst & Young Transaction Advisory Services
    Tel.: +32 2 774 91 81
    Mobile: +32 495 743 592
    Email: tim.beyens@be.ey.com
    Assurance | Tax | Transactions | Advisory
    2013 Ernst & Young Transaction Advisory Services. All rights reserved.
    About Ernst & Young
    Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
    Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com/be.
    Follow us: twitter.com/EY_Belgium