Smart Bombs: Mobile Vulnerability and Exploitation
                                         Tom Eston
Grilled Smart Phones




http://youtu.be/cir-MOzVggQ            2
Windows Mobile Wins!




                       3
Tom Eston

• Manager, SecureState Profiling &
  Penetration Team
• Blogger – SpyLogic.net
• Infrequent Podcaster – Security
  Justice/Social Media Security
• Zombie aficionado
• I like to break new technology



                                     4
What are we talking
              about today?
• What’s at risk?
• Tools, Testing and Exploitation
• Common vulnerabilities found in popular apps
  (this is the fun part)

• Special thanks to Kevin Johnson and John Sawyer who
  helped with this research!


                                                   5
What are Smart Bombs?
• We’ve got powerful technology in the palm of
  our hands!
• We store and transmit sensitive data
• Mobile devices are being used by:
   – Major Businesses (PII)
   – Energy Companies (The Grid)
   – The Government(s)
   – Hospitals (PHI)
   – Your Mom (Scary)

                                                 6
That’s right…your Mom




                        7
Testing Mobile Apps
• What are the three major areas for testing?

   – File System
     What are apps writing to the file system? How is data
     stored?
   – Application Layer
     How are apps communicating via HTTP and Web
     Services? SSL?
   – Transport Layer
     How are apps communicating over the network? TCP
     and Third-party APIs

                                                             8
OWASP Top 10 Mobile Risks
1.   Insecure Data Storage
2.   Weak Server Side Controls
3.   Insufficient Transport Layer Protection
4.   Client Side Injection
5.   Poor Authorization and Authentication




                                               9
OWASP Top 10 Mobile Risks
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure




                                             10
OWASP Mobile Security Project

• You should get involved!
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Project




                                                                  11
Other Issues
• Privacy of your data!
   – Mobile apps talk to many third party APIs (ads)
   – What’s collected by Google/Apple/Microsoft?




                                                       12
Common Tools
•   SSH
•   VNC server
•   A compiler (gcc / agcc)
•   Android SDK (adb!)
•   Xcode
•   iExplorer (iOS GUI file explorer)
•   Jailbroken iDevice
•   Rooted Android Device

                                        13
File System Analysis
• Forensic approach
   – File system artifacts
   – Timeline analysis
   – Log analysis
   – Temp files




                                   14
Forensic Tools
• Mobile Forensic Tools
   – EnCase, FTK, Cellebrite
• Free and/or Open Source
   – file, strings, less, dd, md5sum
   – The Sleuth Kit (mactime, mac-robber)




                                           15
Timelines
• Timelines are awesome
   – Anyone know log2timeline?
• Filesystem
   – mac-robber
   – mactime
• Logs
   – Application- &
     OS-specific

                                 16
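The two-step workflow named on this slide (mac-robber collects the timestamps, mactime sorts them into a timeline) in Python, as an added example that is not part of the deck. It walks a directory pulled from a device, emits TSK body-file lines in the layout mac-robber uses, then expands them into a sorted MACB timeline. The sample app sandbox is constructed in a temp directory, with the modification times pinned so the output is predictable; the file names are assumptions.

```python
"""mac-robber/mactime-style timeline over a pulled app directory (added example)."""
import os
import stat
import tempfile
from typing import Iterable, Iterator, List, Tuple


def body_lines(root: str) -> Iterator[str]:
    """Yield TSK body-file lines: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: do not follow symlinks
            yield "|".join([
                "0",                                 # hash not computed, same as mac-robber
                os.path.relpath(path, root),
                str(st.st_ino),
                stat.filemode(st.st_mode),
                str(st.st_uid), str(st.st_gid), str(st.st_size),
                str(int(st.st_atime)), str(int(st.st_mtime)), str(int(st.st_ctime)),
                "0",                                 # crtime is not exposed by POSIX lstat
            ])


def timeline(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Expand body lines into (epoch, MACB flags, name) events sorted by time, like mactime."""
    events = {}
    for line in lines:
        f = line.split("|")
        name, atime, mtime, ctime = f[1], int(f[7]), int(f[8]), int(f[9])
        for ts, flag in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            events[(ts, name)] = events.get((ts, name), "") + flag
    out = []
    for (ts, name), flags in events.items():
        macb = "".join(ch if ch in flags else "." for ch in "macb")
        out.append((ts, macb, name))
    return sorted(out)


def demo() -> List[Tuple[int, str, str]]:
    """Constructed sample: a fake app sandbox with known atime/mtime values."""
    root = tempfile.mkdtemp(prefix="appdata-")
    samples = {
        os.path.join(root, "Documents", "notes.db"): 1_000_000_000,      # oldest
        os.path.join(root, "Documents", "session.plist"): 1_100_000_000,
        os.path.join(root, "tmp", "cache.tmp"): 1_200_000_000,           # the temp file you want
    }
    for path, ts in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * 16)
        os.utime(path, (ts, ts))            # pin atime and mtime; ctime stays "now"
    return timeline(body_lines(root))


if __name__ == "__main__":
    for ts, macb, name in demo():
        print(ts, macb, name)
```

Against a real pull, replace `demo()` with `timeline(body_lines("/path/to/pulled/app"))`; the ctime events that land at "now" in the demo are exactly the artifacts that tell you when a file was last touched on the device.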
Temp Files




             17
Viewing & Searching Files
• cat, less, vi, strings, grep
• SQLite files
   – GUI browser, API (Ruby, Python, etc)
• Android apps
   – ashell, aSQLiteManager, aLogViewer




                                            18
Application Layer - HTTP
• Tools Used:
   – Burp Suite
   – Burp Suite
   – oh yeah Burp Suite!




                                   19
Why Look at the App Layer?
• HTTP is how most mobile apps talk to their back end
• Many flaws live in the app itself
   – And in how it talks to the back-end service
• Existing web-app tools work on it unchanged




                                                 20
Misunderstanding Encryption




                              21
Base64 Encoding is NOT Encryption!

• Really. It’s 2012.

Base64:

TXkgc3VwZXIgc2VjcmV0IGtleSE=

Plaintext:

My super secret key!

                                      22
Want Credentials?


Note: This is actually a hardcoded password in the UPS app…




                                23
Transport Layer - TCP
• Tools Used:
   – Wireshark
   – Tcpdump
   – NetworkMiner




                                 24
Why look at the transport layer?
• Check to see how network protocols are handled in
  the app
• Easily look for SSL certificate or other
  communication issues




                                                      25
NetworkMiner
• Extracts files/images and more
• Can pull out clear-text credentials
• Quickly view parameters




                                       26
27
TCP Lab Setup
• Run tcpdump directly on the device



• Run Wireshark by sniffing traffic over wireless AP or
  network hub setup (lots of ways to do this)

• Import PCAPs into NetworkMiner


                                                          28
App Vulnerabilities
• Several examples that we’ve found
• Many from the Top 25 downloaded apps




                                         29
Facebook
• OAuth tokens stored in a plist file
• The token is the session: copy the plist file to another
  device and you’re logged in as that user
• I’m finding OAuth tokens in lots of plist
  files…Dropbox and apps that use Dropbox like
  password managers…




                                                         30
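A checker for the problem on this slide, added here and not from the deck: it loads a plist pulled from a device with the standard library and walks every key, flagging values whose key name says "token/secret/password" and, separately, opaque high-entropy strings stored under innocent-looking names. The plist is constructed to look like an app preferences file; the key names and the token value are assumptions, not taken from any real app.

```python
"""Find persisted auth tokens in an iOS plist (added example)."""
import math
import plistlib
import re
from typing import Any, List, Tuple

SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|session|auth|api[_-]?key)", re.I)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random tokens score well above 4."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def walk(node: Any, path: str = "") -> List[Tuple[str, str, str]]:
    """Recurse through dicts/arrays; return (key path, reason, value) for suspicious leaves."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += walk(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits += walk(v, f"{path}[{i}]")
    else:
        val = node.decode("latin-1", "replace") if isinstance(node, bytes) else str(node)
        leaf = path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY.search(leaf):
            hits.append((path, "sensitive key name", val))
        elif len(val) >= 20 and entropy(val) > 4.0:   # opaque blob under an innocent key
            hits.append((path, "high-entropy value", val))
    return hits


def scan_plist(data: bytes) -> List[Tuple[str, str, str]]:
    """Parse an XML or binary plist and report likely credentials."""
    return walk(plistlib.loads(data))


# Constructed sample: what a social app's preferences file might look like.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppVersion</key><string>4.1.1</string>
  <key>NotificationsEnabled</key><true/>
  <key>Account</key>
  <dict>
    <key>UserID</key><string>100001234567890</string>
    <key>OAuthAccessToken</key><string>tok-k2Vq9ZpX7mL4nR8sT1wYbC6dF0gH3jKa</string>
    <key>Expires</key><integer>1350000000</integer>
  </dict>
  <key>LastSync</key><string>zX9qL2pM7vB4kR8sT1wY6nH3jD0fG5cE</string>
  <key>RecentSearches</key>
  <array><string>zombies</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for path, reason, value in scan_plist(SAMPLE_PLIST):
        print(f"{path}: {reason}: {value}")
```

Anything this reports under a key like `OAuthAccessToken` is a bearer credential: whoever holds the file holds the session until the token expires or is revoked server-side, which is the whole point of the slide.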
Evernote
• Notebooks are stored in the cloud
• But…caches some files on the device…
• OWASP M1: Insecure Data Storage




                                         31
32
MyFitnessPal
• Android app stores sensitive data on the device
  (too much data)




                                                    33
34
Password Keeper “Lite”
• PIN and passwords stored in clear-text SQLite
  database
• So much for the security of your passwords…




                                                  35
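The "Viewing & Searching Files" slide points at SQLite browsers; this added example (not from the deck) automates that search for the MyFitnessPal and Password Keeper "Lite" findings above. It walks `sqlite_master`, picks out columns whose names suggest secrets, and reports every value stored in the clear, skipping hex digests so a properly hashed column is not reported as a finding. The database is built on the fly with a schema that is an assumption about what a "lite" password keeper ships, not a copy of the real app's.

```python
"""Hunt for clear-text secrets in a SQLite database pulled from a device (added example)."""
import re
import sqlite3
import tempfile
from typing import Dict, List, Tuple

SENSITIVE_COL = re.compile(r"(pass|pw|pin|secret|token|key|cred)", re.I)


def sensitive_columns(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Map table name -> columns whose names look like they hold secrets."""
    found = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        hits = [c for c in cols if SENSITIVE_COL.search(c)]
        if hits:
            found[table] = hits
    return found


def looks_cleartext(value) -> bool:
    """Printable text that is not obviously a digest or ciphertext blob."""
    if value is None or isinstance(value, bytes):
        return False
    s = str(value)
    if re.fullmatch(r"[0-9a-f]{32,}", s, re.I):      # md5/sha hex digest: hashed, not clear
        return False
    return s.isprintable() and 0 < len(s) < 64


def dump_secrets(db_path: str) -> List[Tuple[str, str, str]]:
    """Return (table, column, value) for every clear-text value in a sensitive column."""
    conn = sqlite3.connect(db_path)
    results = []
    for table, cols in sensitive_columns(conn).items():
        col_list = ", ".join(f'"{c}"' for c in cols)
        for row in conn.execute(f'SELECT {col_list} FROM "{table}"'):
            for col, val in zip(cols, row):
                if looks_cleartext(val):
                    results.append((table, col, str(val)))
    conn.close()
    return results


def build_sample_db() -> str:
    """Constructed sample: the kind of schema a 'lite' password keeper might ship with."""
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.close()
    conn = sqlite3.connect(tmp.name)
    conn.executescript("""
        CREATE TABLE settings (id INTEGER PRIMARY KEY, master_pin TEXT, theme TEXT);
        CREATE TABLE entries  (id INTEGER PRIMARY KEY, site TEXT, username TEXT,
                               password TEXT, notes TEXT);
        CREATE TABLE users    (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO settings VALUES (1, '1234', 'dark');
        INSERT INTO entries  VALUES (1, 'bank.example', 'alice', 'hunter2', NULL);
        INSERT INTO entries  VALUES (2, 'mail.example', 'alice', 'S3cr3t!', 'work');
        INSERT INTO users    VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    conn.commit()
    conn.close()
    return tmp.name


if __name__ == "__main__":
    for table, col, val in dump_secrets(build_sample_db()):
        print(f"{table}.{col} = {val!r}")
```

On a rooted Android device the databases live under `/data/data/<package>/databases/`; pull one with `adb pull` and point `dump_secrets()` at it. The `pw_hash` column is found by name but not reported, because the value is a digest rather than the password itself.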
36
37
38
Draw Something
• Word list
  stored on the
  device
• Modify to
  mess with
  your friends




                              39
LinkedIn
•   SSL only for authentication
•   Session tokens and data sent over HTTP
•   Lots of apps do this
•   M3: Insufficient Transport Layer Protection

• Note: This was fixed with the latest version of the app
  (for iOS at least)



                                                       40
Auth over SSL




                Data sent over HTTP



                                      41
42
Pandora
• Registration over HTTP
• User name/Password and Registration info sent over
  clear text
• Unfortunately…lots of apps do this




                                                   43
44
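The TCP lab setup slide says to run tcpdump on the device and load the capture into NetworkMiner; this added example (not from the deck) does the NetworkMiner part for the LinkedIn and Pandora findings with nothing but the standard library. It parses a classic pcap, leaves the TLS flow on port 443 alone (it is opaque, as it should be), and reports every plain-HTTP request that carries a session cookie, an Authorization header or form-encoded credentials. The capture is constructed in memory: a login over TLS followed by the same session and a registration form sent in the clear. Hosts, paths and parameter names are assumptions.

```python
"""Extract clear-text credentials and session tokens from a pcap (added example)."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TOKEN_HEADERS = ("authorization", "cookie", "x-auth-token")
CRED_PARAMS = ("password", "passwd", "pass", "pin", "session_id", "token")


def tcp_payloads(pcap: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (dst port, TCP payload) for each IPv4/TCP frame in a little-endian classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a classic little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # runt frame or not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                           # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        payload = tcp[(tcp[12] >> 4) * 4:]                       # skip TCP header + options
        if payload:
            yield dport, payload


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Split a request into (method, path, headers, body); None if it is not HTTP."""
    try:
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
        if not version.startswith("HTTP/"):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, path, headers, body


def find_cleartext_secrets(pcap: bytes) -> List[Dict[str, str]]:
    """Report every plain-HTTP request that exposes a credential or session token."""
    findings = []
    for dport, payload in tcp_payloads(pcap):
        if dport == 443:                  # TLS: encrypted, nothing to read here
            continue
        req = parse_http_request(payload)
        if req is None:
            continue
        _method, path, headers, body = req
        host = headers.get("host", "?")
        for h in TOKEN_HEADERS:
            if h in headers:
                findings.append({"host": host, "path": path, "what": h, "value": headers[h]})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            for name, values in parse_qs(body.decode("ascii", "replace")).items():
                if name.lower() in CRED_PARAMS:
                    findings.append({"host": host, "path": path, "what": name, "value": values[0]})
    return findings


def _packet(dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP framing around a payload (checksums left zero; parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([198, 51, 100, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 1350000000, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed capture: auth over TLS, then the session and a registration over HTTP."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    tls_hello = b"\x16\x03\x01\x00\x05hello"                 # opaque to us, as it should be
    http_get = (b"GET /feed?count=20 HTTP/1.1\r\nHost: api.example.com\r\n"
                b"Cookie: sessionid=9f1c2a7e4b3d\r\n\r\n")
    body = b"username=alice&password=hunter2&zip=44114"
    http_post = (b"POST /register HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    return header + _packet(443, tls_hello) + _packet(80, http_get) + _packet(80, http_post)


if __name__ == "__main__":
    for f in find_cleartext_secrets(build_sample_pcap()):
        print(f"{f['host']}{f['path']}: {f['what']} = {f['value']}")
```

On the device the capture comes from `tcpdump -i any -s 0 -w capture.pcap`; feed the pulled file to `find_cleartext_secrets()`. The cookie finding is the LinkedIn pattern (authenticated over TLS, session reused over HTTP) and the form finding is the Pandora one. Only a single-segment request is handled per frame; for real captures that split requests across segments, reassemble the stream first.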
Hard Coded Passwords/Keys
•   Major Grocery Chain “Rewards” Android app
•   Decompile the app, read the source, extract the private key
•   OWASP M9: Broken Cryptography
•   Do developers really do this?




                                                     45
Why yes, they do!




                    46
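A triage script for the "Base64 is not encryption", "Want Credentials?" and hard-coded key slides, added here and not from the deck. It takes the lines you would get from `strings` over a decompiled APK or app bundle and flags three things: PEM-wrapped private keys, base64 blobs that decode to readable text (encoding, not encryption), and key-like assignments whose value has the entropy of real key material. The sample lines are constructed to resemble a rewards-app dump; none of the values come from a real app.

```python
"""Triage strings from an app binary for hard-coded secrets (added example)."""
import base64
import binascii
import math
import re
from typing import List, Optional, Tuple

PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
KEYISH_RE = re.compile(r"""(key|secret|passw|token)\s*[:=]\s*["']?([^"'\s,;]{12,})""", re.I)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character of a string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0


def decodes_to_text(blob: str) -> Optional[str]:
    """The decoded string if blob is valid base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() and text.strip() else None


def triage(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, evidence) for each suspicious line."""
    findings = []
    for no, line in enumerate(lines, 1):
        if PEM_RE.search(line):
            findings.append((no, "pem-private-key", line.strip()))
            continue
        decoded = [t for t in map(decodes_to_text, B64_RE.findall(line)) if t]
        if decoded:                       # "encrypted" value is just base64 of the plaintext
            findings += [(no, "base64-plaintext", t) for t in decoded]
            continue
        m = KEYISH_RE.search(line)
        if m and entropy(m.group(2)) > 3.5:   # random-looking literal next to a key-ish name
            findings.append((no, "key-like-assignment", m.group(2)))
    return findings


# Constructed sample of what `strings` over a decompiled app might yield.
SAMPLE_STRINGS = [
    "Lcom/example/rewards/NetworkClient;",
    'api_secret = "TXkgc3VwZXIgc2VjcmV0IGtleSE="',
    "http://api.example.com/v1/points",
    "-----BEGIN RSA PRIVATE KEY-----",
    'aesKey="Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg=="',
    "Loading rewards...",
    'hmac_key = "3f9a7c1e5b2d8e4f0a6c9b1d7e3f5a2c"',
    'user_agent = "RewardsApp/2.3 (Android)"',
]

if __name__ == "__main__":
    for no, kind, evidence in triage(SAMPLE_STRINGS):
        print(f"line {no}: {kind}: {evidence}")
```

The second sample line is the exact blob from the Base64 slide, and it comes back as `My super secret key!`; the `aesKey` line shows the same mistake with a key that is really a passphrase. The class-name and URL lines contain long runs of base64-alphabet characters but fail strict decoding, which is why `validate=True` matters.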
Privacy Issues
• Example: Draw Something App (Top 25)
• UDID and more sent to the following third-party ad
  providers:
   – appads.com
   – mydas.mobi
   – greystripe.com
   – tapjoyads.com


                                                       47
What is UDID?
• Alphanumeric string that uniquely identifies an
  Apple device




                                                    48
49
Pinterest and Flurry.com




                           50
51
Conclusions
•   Mobile devices are everywhere
•   Most people use them without thinking of security
•   Developers seem to be repeating the past
•   Lots of issues besides Mobile Application Security
     – BYOD
     – The device itself (Jailbreaking/Rooting)
     – MDM and Enterprise Management
     – The list goes on…

                                                         52
