2. INTRODUCTION MOBILE INSECURITY THE END
#WHOAMI
Penetration Tester or Pentester
Professor
Penetration Testing
Operating Systems
Computer Organization and Architecture
C Programming Language
(Next Semester) Development of Secure Mobile Applications
(Lawless) Developer
Malware Reverse Engineering and CTF aficionado
PRINCIPLES AND STUFF
"Hacker’s Ethics"
Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position (Steven Levy, Hackers: Heroes of the Computer Revolution)
HISTORY
1908 -> Professor Albert Jahnke (first attempt to build a physical wireless phone)
1907 -> Lewis Baumer ("Forecasts for 1907")
NOWADAYS...
War and (true) hackers changed (almost) everything...
First there were the PDAs, then came the fusion with cellphones that evolved into the useful devices we carry today
We have incredible processing power in our pockets
With a single touch we can do almost everything we used to do on a PC in the last decade, or process through a mainframe in the 90s
SEEMS OK BUT...
We share a lot of personal data through our devices
Pictures
Financial Data
Medical Information
Biometrics
Private or Sensitive Data
And so on...
And it’s far from being safe... :(
CORE PROBLEMS
Assumptions about user behaviour
Little or no knowledge of the platform
(Mostly) developed under pressure
Disinterest in InfoSec (it must be functional before it is secure)
OPEN WEB APPLICATION SECURITY PROJECT
Started operations in 2001
Became a foundation in 2004, in order to fund its projects
OWASP depends on donations and on the fees paid by its members, partners and companies
WHAT IS RELEVANT FOR US
OWASP MOBILE TOP 10 (the 2016 list)
M1 Improper Platform Usage
M2 Insecure Data Storage
M3 Insecure Communication
M4 Insecure Authentication
M5 Insufficient Cryptography
M6 Insecure Authorization
M7 Client Code Quality
M8 Code Tampering
M9 Reverse Engineering
M10 Extraneous Functionality
M1. IMPROPER PLATFORM USAGE
Android and iOS are Operating Systems
Mobile Applications are not Web Applications (at all)
OWASP TOP 10 (web, not mobile):
SQLi
XSS
CSRF (XSRF)
and so on...
M2. INSECURE DATA STORAGE
A lot of information can be extracted from a stolen phone
Sensitive data should not be saved in plain text... better: sensitive data should not be saved on the client side at all
Banking apps ask for re-authentication after some time of inactivity, and that is perfect!
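Added example, not from the original slides: what a reviewer does with the data directory pulled from a stolen (or rooted) phone. It builds a constructed app sandbox, an Android-style shared_prefs XML file plus an SQLite database with made-up package, key and table names, and then scans both for values that should never have been written to the client in plain text. The scanner is the part you run over a real extraction.

```python
"""Audit an app's data directory, as pulled from a stolen or rooted phone,
for secrets written in plain text.

Added example, not from the original slides. The sandbox is constructed here
with made-up package, key and table names.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]   # (file, key or table.column, what it looks like)

# Heuristics: key names that should never hold a plain value, and the JWT shape.
SUSPICIOUS_KEY = re.compile(r"pass|pwd|pin|token|secret|session|card", re.I)
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a plausible 13-19 digit payment card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(key: str, value: str) -> Optional[str]:
    """Label a key/value pair if it looks like a secret stored in the clear."""
    if JWT_RE.match(value):
        return "bearer/JWT token"
    if luhn_ok(value.replace(" ", "")):
        return "payment card number"
    if value and SUSPICIOUS_KEY.search(key):
        return "credential-like value"
    return None


def scan_prefs(path: str) -> List[Finding]:
    """SharedPreferences XML: <map><string name="k">v</string>...</map>."""
    out = []
    for node in ET.parse(path).getroot():
        key = node.get("name", "")
        label = classify(key, (node.text or "").strip())
        if label:
            out.append((os.path.basename(path), key, label))
    return out


def scan_sqlite(path: str) -> List[Finding]:
    """Walk every table and column of an SQLite file; classify cells by column name."""
    out = []
    con = sqlite3.connect(path)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            cols = [c[1] for c in con.execute(f"PRAGMA table_info({table})")]
            for row in con.execute(f"SELECT * FROM {table}"):   # names come from sqlite_master
                for col, cell in zip(cols, row):
                    label = classify(col, str(cell))
                    if label:
                        out.append((os.path.basename(path), f"{table}.{col}", label))
    finally:
        con.close()
    return out


def audit_sandbox(root: str) -> List[Finding]:
    """Scan every *.xml and *.db below the app's data directory."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".xml"):
                out.extend(scan_prefs(full))
            elif name.endswith(".db"):
                out.extend(scan_sqlite(full))
    return sorted(out)


def build_constructed_sandbox() -> str:
    """Throwaway data directory with the insecure patterns (constructed input)."""
    root = tempfile.mkdtemp(prefix="com.example.bank_")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "user_prefs.xml"), "w") as fh:
        fh.write("<?xml version='1.0' encoding='utf-8'?>\n<map>\n"
                 '  <string name="username">alice</string>\n'
                 '  <string name="user_pin">4321</string>\n'
                 '  <string name="theme">dark</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "wallet.db"))
    con.execute("CREATE TABLE cards (id INTEGER, holder TEXT, number TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'alice', '4111 1111 1111 1111')")
    con.execute("CREATE TABLE session (id INTEGER, jwt TEXT)")
    con.execute("INSERT INTO session VALUES (1, "
                "'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlYnl0ZXM')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for finding in audit_sandbox(build_constructed_sandbox()):
        print("PLAINTEXT SECRET:", *finding)
```

Three hits come back on the constructed sandbox: the PIN in the preferences file, the card number in the wallet table and the session token; each of them is exactly the kind of value that should either live only on the server or be protected by a key the attacker does not get together with the file.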
M3, M5 = INSECURE COMMUNICATION,
INSUFFICIENT CRYPTOGRAPHY
SSL/TLS is not only for web pages
There is a general misconception about cryptography
"Cryptography Is Not the Solution"
"Cryptography Is Very Difficult"
"Cryptography Is the Easy Part"
- Niels Ferguson, Bruce Schneier, Tadayoshi Kohno (section titles from chapter 1 of Cryptography Engineering)
Good implementations and understanding are needed...
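Added example, not from the slides or from the book quoted above, of the misconception in practice: the same "protect a stored PIN" feature written twice. The first version is the home-made scheme (base64 of an unsalted MD5, which a wordlist reverses in milliseconds); the second uses a well-known construction from Python's standard library (PBKDF2-HMAC-SHA256 with a random salt and a constant-time comparison). Function names, the wordlist and the sample PIN are constructed for the demo.

```python
"""Insufficient cryptography: a stored PIN "protected" two ways.

Added example, not from the slides or the book quoted above. Function names,
the wordlist and the sample PIN are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# --- the misconception: encoding plus a bare fast hash is "encryption" ---------

def protect_weak(secret: str) -> str:
    """base64(md5(secret)): no salt, no work factor, same record for equal PINs."""
    return base64.b64encode(hashlib.md5(secret.encode()).digest()).decode()


def crack_weak(stored: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack: one MD5 per candidate, reusable against every user."""
    target = base64.b64decode(stored)
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).digest() == target:
            return candidate
    return None

# --- the well-known construction: salted, slow, compared in constant time ------

ITERATIONS = 100_000   # raise as hardware allows; stored with the record


def protect_strong(secret: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns the record to store."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": str(ITERATIONS), "hash": dk.hex()}


def verify_strong(secret: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and iterations; compare without timing leaks."""
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                             bytes.fromhex(record["salt"]), int(record["iter"]))
    return hmac.compare_digest(dk.hex(), record["hash"])


# Constructed wordlist: the kind of list any attacker starts with.
CONSTRUCTED_WORDLIST = ["123456", "password", "qwerty", "1234", "letmein"]

if __name__ == "__main__":
    weak = protect_weak("1234")
    print("weak record  :", weak, "-> cracked as", crack_weak(weak, CONSTRUCTED_WORDLIST))
    strong = protect_strong("1234")
    print("strong record:", strong)
    print("right PIN:", verify_strong("1234", strong), "| wrong PIN:", verify_strong("0000", strong))
```

Two caveats a reviewer would add. The salt and the work factor remove the shortcut (one table or one wordlist run against every user), but a four-digit PIN is still only ten thousand guesses, so the real defence is to keep the check on the server with rate limiting, which is the "do not store it on the client" point from the M2 slides. And the weak version also leaks equality: two users with the same PIN get the same record, which the salted version never does.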
HOW DOES INSECURE COMMUNICATION AFFECT MY APP?
A man-in-the-middle attack is always possible:
If I am on your network, I can sniff your packets
If I can put a proxy in front of you, I can intercept your requests
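Added example, not from the slides, of the client side of this problem: the TLS context that "works with the test proxy" because it accepts any certificate, the context a release build should ship, an audit function that flags the dangerous settings, and a helper that compares the leaf certificate the server presented against a pin shipped in the app. Pinning the SHA-256 of the whole DER certificate is one assumed way to pin (pinning the public key is the other common one); nothing connects to a network and the certificate bytes are constructed.

```python
"""TLS on the client: the setting a proxy in the middle relies on, beside the fix.

Added example, not from the original slides. Nothing connects anywhere; it builds
the ssl.SSLContext an app would hand to its HTTP client, audits it, and checks a
constructed leaf certificate against a pin.
"""
import hashlib
import hmac
import ssl
from typing import List


def make_context_insecure() -> ssl.SSLContext:
    """What 'it works with the test proxy / self-signed backend' code looks like.
    Any certificate from anyone is accepted, so whoever sits on the Wi-Fi
    (or runs the proxy) reads and rewrites every request."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # chain validation switched off
    return ctx


def make_context_secure() -> ssl.SSLContext:
    """System trust store, hostname bound to the certificate, TLS 1.2 floor."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Flag the settings that make a man-in-the-middle trivial."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode=CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname=False: certificate not tied to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version below TLS 1.2: legacy protocols negotiable")
    return problems


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate: the string to ship inside the app."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned_sha256: str) -> bool:
    """After ctx.wrap_socket(sock, server_hostname=host) succeeds, pass
    ssock.getpeercert(binary_form=True) here and drop the connection on False.
    Pinning is the extra step for when the device trust store is the weak link."""
    return hmac.compare_digest(fingerprint(der_cert), pinned_sha256.lower())


# Constructed stand-in for a server's leaf certificate (not real DER).
CONSTRUCTED_LEAF_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SHIPPED_PIN = fingerprint(CONSTRUCTED_LEAF_DER)

if __name__ == "__main__":
    print("insecure:", audit_context(make_context_insecure()))
    print("secure  :", audit_context(make_context_secure()) or ["clean"])
    print("pin ok  :", check_pin(CONSTRUCTED_LEAF_DER, SHIPPED_PIN))
    print("pin mism:", check_pin(CONSTRUCTED_LEAF_DER + b"!", SHIPPED_PIN))
```

The insecure context is exactly what an intercepting proxy needs: with CERT_NONE the proxy's own certificate is accepted, and with check_hostname cleared even a valid certificate for a different name passes. When grepping a code base, those two assignments (and their equivalents in other HTTP stacks) are the first thing to look for.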
M4, M6 = INSECURE AUTHENTICATION, INSECURE
AUTHORIZATION
Client-side authentication (?)
Bad semantics, or "the ID in the request manages it all"
No cookies, tokens, or anything else to identify a user
Remember the AAA
Authentication
Authorization
Accounting
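Added example, not from the slides, of "the ID in the request manages it all" beside the fix, with the three A's in code: the vulnerable handler serves whatever account id the client sent; the fixed handler takes the identity from a server-side session (authentication), checks that the account belongs to that identity (authorization) and writes each decision to a log (accounting). Accounts, users, tokens and the request dictionary are constructed stand-ins for a real backend, not any framework's API.

```python
"""Authentication and authorization done on the server, beside the bug.

Added example, not from the original slides. Accounts, users, tokens and the
request dictionary are constructed stand-ins for a real backend.
"""
import secrets
from typing import Dict, List, Optional

ACCOUNTS = {"1001": {"owner": "alice", "balance": 250.0},
            "1002": {"owner": "bob", "balance": 9000.0}}
USERS = {"alice": "alice-pw", "bob": "bob-pw"}   # plaintext only for the demo (see M5)
SESSIONS: Dict[str, str] = {}                     # opaque token -> username
AUDIT_LOG: List[str] = []                         # accounting: who did what, what was refused


def login(username: str, password: str) -> Optional[str]:
    """Authentication: the server checks the credential and hands back an opaque token."""
    if USERS.get(username) != password:
        AUDIT_LOG.append(f"login FAIL user={username}")
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    AUDIT_LOG.append(f"login OK user={username}")
    return token


def get_balance_vulnerable(request: Dict[str, str]) -> Optional[float]:
    """'The ID in the request manages it all': whatever account_id the client sends
    is served. No token, so the server cannot tell who asks (M4); no ownership
    check, so changing one number reads any account (M6)."""
    acct = ACCOUNTS.get(request.get("account_id", ""))
    return acct["balance"] if acct else None


def get_balance_fixed(request: Dict[str, str]) -> Optional[float]:
    """Identity from the session, ownership checked against it, decision logged."""
    auth = request.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = SESSIONS.get(token)
    if user is None:
        AUDIT_LOG.append("balance DENY reason=unauthenticated")
        return None
    account_id = request.get("account_id", "")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        AUDIT_LOG.append(f"balance DENY user={user} account={account_id}")
        return None
    AUDIT_LOG.append(f"balance OK user={user} account={account_id}")
    return acct["balance"]


if __name__ == "__main__":
    # Alice edits the account id in her own request to Bob's.
    print("vulnerable, Bob's account:", get_balance_vulnerable({"account_id": "1002"}))
    tok = login("alice", "alice-pw")
    own = {"authorization": f"Bearer {tok}", "account_id": "1001"}
    bobs = {"authorization": f"Bearer {tok}", "account_id": "1002"}
    print("fixed, own account   :", get_balance_fixed(own))
    print("fixed, Bob's account :", get_balance_fixed(bobs))
    print("fixed, no token      :", get_balance_fixed({"account_id": "1001"}))
    print("\n".join(AUDIT_LOG))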
MN. THE REST OF THE TOP VULNERABILITIES
Some frameworks are new, cool and untested
Some functions are deprecated
Sometimes debugging is switched on and forgotten, and ships in the release
Sometimes there are weird reactions to certain actions
POC
Turn off your camera
Thou shalt not speak about this PoC
This will not be public for the good of this fellow... (me)
A WORD ON MOBILE INSECURITY
Know your Framework
Know your platform
Use well known cryptographic implementations
Secure channels, please! (certbot can help you get free trusted certificates)
Look for deprecated functions
Care about debugging, but remember to disable it when you finish debugging
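Added example, not from the slides, that turns "care about debugging" and "secure channels" from the checklist above (and "debugging is forgotten" from the MN slide) into one mechanical check on an Android manifest: it flags android:debuggable and android:usesCleartextTraffic on the application element. The allowBackup check is this editor's addition on the M2 reasoning (data extraction from a device), not a slide point. Both manifests are constructed; in practice the file comes from the decoded APK (apktool output, for instance).

```python
"""Audit the <application> attributes of an AndroidManifest.xml.

Added example, not from the original slides. The two manifests below are
constructed; the checks are the ones a reviewer runs before a release ships.
"""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def audit_manifest(manifest_xml: str) -> List[str]:
    """Return one finding per risky <application> attribute (empty list = clean)."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element found"]

    def attr(name: str) -> str:
        # Attributes live in the android: namespace; ElementTree keys them as {ns}name.
        return (app.get(f"{{{ANDROID_NS}}}{name}") or "").lower()

    findings = []
    if attr("debuggable") == "true":
        findings.append("android:debuggable=true: a debugger (and run-as) can attach "
                        "to the shipped build")
    if attr("usesCleartextTraffic") == "true":
        findings.append("android:usesCleartextTraffic=true: plain HTTP permitted (see M3)")
    if attr("allowBackup") != "false":   # the attribute defaults to true when absent
        findings.append("android:allowBackup not false: app data can be pulled with "
                        "adb backup on Android versions that honour it (see M2)")
    return findings


# Constructed: a debug manifest that shipped as-is.
DEBUG_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank"
      android:debuggable="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" />
  </application>
</manifest>
"""

# Constructed: the same manifest after the release checklist.
RELEASE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank"
      android:debuggable="false"
      android:usesCleartextTraffic="false"
      android:allowBackup="false">
    <activity android:name=".MainActivity" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("debug", DEBUG_MANIFEST), ("release", RELEASE_MANIFEST)):
        print(name, audit_manifest(manifest) or ["clean"])
```

Run it over the decoded manifest of every build you sign, not only the one you think is the release candidate; the debug flag is exactly the kind of setting that survives because nobody looks at the manifest once the app works.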
A WORD ON MOBILE INSECURITY II
The apps that you use: you wouldn't like to see them broken, exposing your information
If information gets leaked, you may face your clients' anger (and the law...)
Care about information security
Do some penetration testing
Or hire a good pentester
Train!
WHERE CAN I TRAIN?
Never pay for expensive training (unless you really want it); there are a lot of good free resources.
Follow the training with these:
ANDROID -> InsecureBankv2
iOS -> Damn Vulnerable iOS Application (DVIA)
Others -> You should solve both...
Devour the OWASP material
QUESTIONS?
FYI:
http://fcastaneda.herokuapp.com/f/c/g/mobileday.pdf
@f99942 || @fcg99942
fernando.castaneda@cert.unam.mx
6665726e616e646f@gmail.com
THANK YOU!