Mobile Vulnerability and Exploitation

John Sawyer – InGuardians
Tom Eston – SecureState
Kevin Johnson – Secure Ideas
John Sawyer
   InGuardians, Inc. - Senior Security Analyst
   DarkReading.com - Author/Blogger
   1@stplace - Retired CTF packet monkey
     Winners DEFCON 14 & 15
   Avid Mountain Biker… in Florida.
Tom Eston
 Manager, SecureState
  Profiling & Penetration Team
 Blogger – SpyLogic.net
 Infrequent Podcaster – Security Justice/Social Media Security
 Zombie aficionado
 I like to break new technology
Kevin Johnson
 Father of Brenna and Sarah
 Secure Ideas, Senior Security Consultant
 SANS Instructor and Author
   SEC542/SEC642/SEC571
 Open-Source Bigot
   SamuraiWTF, Yokoso, Laudanum etc
   Ninja
What are we talking about today?
 What’s at risk?
 Tools, Testing and Exploitation
 Common vulnerabilities found in popular apps (this is the fun part)
What are Smart Bombs?
 We’ve got powerful technology in the palm of our hands!
 We store and transmit sensitive data
 Mobile devices are being used by:
     Major Businesses (PII)
     Energy Companies (The Grid)
     The Government(s)
     Hospitals (PHI)
     Your Mom (Scary)
That’s right…your Mom
Testing Mobile Apps
   What are the 3 major areas for testing?

     File System
      What are apps writing to the file system?
      How is data stored?
     Application Layer
       How are apps communicating via HTTP and Web Services? SSL?
     Transport Layer
       How are apps communicating over the network? TCP and Third-party APIs
OWASP Top 10 Mobile Risks
1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
OWASP Top 10 Mobile Risks
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure
OWASP Mobile Security Project
   You should get involved!
   https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Other Issues
   Privacy of your data!
     Mobile apps talk to many third party APIs (ads)
     What’s collected by Google/Apple/Microsoft?
Common Tools
 SSH
 VNC server
 A compiler (gcc / agcc)
 Android SDK (adb!)
 XCode
 Jailbroken iDevice
 Rooted Android Device
Filesystem Analysis
   Forensic approach
     Filesystem artifacts
     Timeline analysis
     Log analysis
     Temp files
Forensic Tools
   Mobile Forensic Tools
     EnCase, FTK, Cellebrite
   Free and/or Open Source
     file, strings, less, dd, md5sum
     The Sleuthkit (mactime, mac-robber)
Timelines
   Timelines are awesome
     Anyone know log2timeline?
   Filesystem
     mac-robber
     mactime
   Logs
     Application- & OS-specific
Filesystem Timelines
   mac-robber
     C app
     free & open source
     must be compiled to run on devices
   mactime
     Part of The Sleuthkit
     runs on Mac, Win, Linux
Compiling mac-robber (Android)
   Android
     Install arm gcc toolchain
     Compile & push via adb
     I used Ubuntu, works on MobiSec & Backtrack
     Detailed instructions:
       ○ http://www.darkreading.com/blog/232800148/quick-start-guide-compiling-mac-robber-for-android-vuln-research.html
Compiling mac-robber (iOS)
   iOS (jailbroken)
     Download & Install libgcc onto device
     Install iphone-gcc
     Download & Install C headers/libraries
Running mac-robber (iOS)
   iOS & Android via SSH
   Android via adb
   Then, process each with mactime
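Added example, not from the slides: the mactime step written out in Python, so the reader can see what mactime does with the body file mac-robber produces. It parses the TSK body-file format mac-robber writes (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, with MD5 always 0) and emits one timeline row per distinct timestamp, flagged m/a/c/b the way mactime does. The sample body lines and the com.example.notes paths are constructed.

```python
"""Minimal mactime-style timeline builder for mac-robber / TSK body files (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Body-file field order written by mac-robber (TSK 3.x format); the MD5 column is always 0.
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


class Event(NamedTuple):
    ts: int       # epoch seconds
    macb: str     # e.g. "m.c." : modified + changed at this instant
    size: int
    mode: str
    uid: str
    gid: str
    inode: str
    name: str


def parse_body_line(line: str) -> Dict[str, str]:
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def build_timeline(body_lines) -> List[Event]:
    events: List[Event] = []
    for line in body_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_body_line(line)
        # Group the file's four timestamps so equal times collapse into one row,
        # flagged like mactime: m=modified, a=accessed, c=changed, b=born (crtime).
        by_time = defaultdict(list)
        for flag, field in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            t = int(rec[field])
            if t > 0:  # mac-robber writes 0 when the platform has no such timestamp
                by_time[t].append(flag)
        for t, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append(Event(t, macb, int(rec["size"]), rec["mode"],
                                rec["uid"], rec["gid"], rec["inode"], rec["name"]))
    # mactime orders by time; the name tie-break keeps output stable
    return sorted(events, key=lambda e: (e.ts, e.name))


def format_timeline(events: List[Event]) -> List[str]:
    rows = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append(f"{when} {e.size:>8} {e.macb} {e.mode} {e.uid:>6} {e.gid:>6} {e.inode:>6} {e.name}")
    return rows


# Constructed sample: what mac-robber output over one app's data directory might look like.
SAMPLE_BODY = """\
0|/data/data/com.example.notes/databases/notes.db|1301|-rw-rw----|10045|10045|24576|1335830400|1335830400|1335830400|1335826800
0|/data/data/com.example.notes/cache/tmp_upload.jpg|1302|-rw-------|10045|10045|88213|1335834000|1335832200|1335832200|1335832200
0|/data/data/com.example.notes/shared_prefs/creds.xml|1303|-rw-rw----|10045|10045|412|1335835800|1335826800|1335826800|1335826800
"""

if __name__ == "__main__":
    for row in format_timeline(build_timeline(SAMPLE_BODY.splitlines())):
        print(row)
```

Feed it the real body file with `build_timeline(open("body.txt"))`; reading the timeline top to bottom shows which cache and preference files the app touched around the time of a login or sync, which is exactly the question the Temp Files slides ask.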
Filesystem Timelines
Where is the data?
Temp Files
Gallery Lock Lite
   “Protects” your images
Viewing & Searching Files
 cat, less, vi, strings, grep
 SQLite files
     GUI browser, API (Ruby, Python, etc)
   Android apps
     ashell, aSQLiteManager, aLogViewer
Application Layer - HTTP
   Tools Used:
     Burp Suite
     Burp Suite
     oh yeah Burp Suite!
Why Look at the App Layer?
 Very common in mobile platforms
 Many errors are found within the application
     And how it talks to the back end service
   Able to use many existing tools
Launching Burp Suite
   Memory!
Misunderstanding Encryption
Want Credentials?
Transport Layer - TCP
   Tools Used:
     Wireshark
     Tcpdump
     Network Miner
Why look at the transport layer?
 Check to see how network protocols are handled in the app
 Easily look for SSL certificate or other communication issues
NetworkMiner
 Extracts files/images and more
 Can pull out clear-text credentials
 Quickly view parameters
TCP Lab Setup
   Run tcpdump directly on the device
   Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)
   Import PCAPs into NetworkMiner
App Vulnerabilities
 Several examples that we’ve found
 Many from the Top 25 downloaded apps
Evernote
 Notebooks are stored in the cloud
 But…caches some files on the device…
 OWASP M1: Insecure Data Storage
MyFitnessPal
   Android app stores sensitive data on the device (too much data)
Password Keeper “Lite”
 PIN and passwords stored in clear-text SQLite database
 So much for the security of your passwords…
Draw Something
 Word list stored on the device
 Modify to mess with your friends
LinkedIn
 SSL only for authentication
 Session tokens and data sent over HTTP
 Lots of apps do this
 M3: Insufficient Transport Layer Protection
Auth over SSL
Data sent over HTTP
Pandora
 Registration over HTTP
 User name/Password and Registration info sent over clear text
 Unfortunately…lots of apps do this
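Added example, not from the slides: a Python pass over captured requests that flags the two M3 patterns on the LinkedIn and Pandora slides, a session cookie first seen over HTTPS and then replayed over plain HTTP, and registration credentials posted over HTTP. The Request records, hostnames and cookie names below are constructed; in practice they would be populated from a Burp or Wireshark export.

```python
"""Flag OWASP M3 (Insufficient Transport Layer Protection) patterns in captured traffic (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs


@dataclass
class Request:
    scheme: str                       # "http" or "https"
    host: str
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""                    # form-encoded body for POSTs

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

    def cookie_names(self) -> Set[str]:
        return {p.split("=", 1)[0].strip() for p in self.header("Cookie").split(";") if "=" in p}


# Form field names that carry credentials, and cookie names that look like session handles.
CREDENTIAL_RE = re.compile(r"user|email|pass|pin", re.IGNORECASE)
SESSION_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


def audit_transport(requests: List[Request]) -> List[Tuple[int, str, str]]:
    """Return (request_index, finding, detail) for every clear-text exposure found."""
    findings = []
    issued_over_https: Set[str] = set()   # cookies the app has already sent on a TLS connection
    for i, req in enumerate(requests):
        cookies = req.cookie_names()
        if req.scheme == "https":
            issued_over_https |= cookies
            continue
        # Everything below is plain HTTP.
        creds = sorted(k for k in parse_qs(req.body) if CREDENTIAL_RE.search(k))
        if creds or req.header("Authorization"):
            findings.append((i, "credentials over HTTP", ",".join(creds) or "Authorization header"))
        # A cookie that travelled over TLS earlier, or simply looks like a session handle,
        # is now exposed to anyone on the same network segment.
        leaked = sorted(c for c in cookies if c in issued_over_https or SESSION_RE.search(c))
        if leaked:
            findings.append((i, "session token over HTTP", ",".join(leaked)))
    return findings


# Constructed capture: login over TLS, then the session cookie replayed over HTTP,
# and a second app registering a user over HTTP.
SAMPLE_CAPTURE = [
    Request("https", "www.example-social.test", "/uas/login", "POST",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "session_key=alice%40example.test&session_password=hunter2"),
    Request("https", "www.example-social.test", "/profile", "GET",
            {"Cookie": "ltk=constructed-session-1"}),
    Request("http", "www.example-social.test", "/feed", "GET",
            {"Cookie": "ltk=constructed-session-1; lang=en"}),
    Request("http", "www.example-radio.test", "/register", "POST",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "username=bob&password=hunter2&email=bob%40example.test"),
    Request("http", "cdn.example-radio.test", "/img/logo.png"),
]

if __name__ == "__main__":
    for idx, kind, detail in audit_transport(SAMPLE_CAPTURE):
        r = SAMPLE_CAPTURE[idx]
        print(f"#{idx} {r.method} {r.scheme}://{r.host}{r.path}: {kind} ({detail})")
```

The first finding is the LinkedIn pattern (authentication protected, everything after it not), the second is the Pandora pattern; the image fetch over HTTP produces nothing because nothing sensitive rides on it. The remediation for both is the same: every request that carries a credential or a session cookie goes over TLS, and session cookies get the Secure flag so the client refuses to send them otherwise.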
Hard Coded Passwords/Keys
 Major Grocery Chain “Rewards” Android app
 Simple to view the source, extract private key
 OWASP M9: Broken Cryptography
 Do developers really do this?
Why yes, they do!
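Added example, not the presenters' code: a Python scan over decompiled or checked-in source for the hard-coded secret pattern described on the previous slide, so a team can catch it in review before the app ships. It flags PEM private-key armour and string constants assigned to fields whose names contain KEY, SECRET, PASSWORD, PASSWD or TOKEN. The RewardsApi class and every value in it are constructed, and the key material is an obvious placeholder.

```python
"""Scan source or decompiled output for hard-coded key material, the OWASP M9 pattern (added example)."""
import re
from typing import List, Tuple

# A string literal assigned to a field whose name suggests key material.
# \s* spans newlines, so Java's  NAME =\n    "..."  layout is matched as well.
ASSIGN_RE = re.compile(
    r'\b(\w*(?:KEY|SECRET|PASSWORD|PASSWD|TOKEN)\w*)\s*=\s*"([^"]{8,})"', re.IGNORECASE)
# PEM armour for any private-key type (RSA, EC, generic PKCS#8).
PEM_RE = re.compile(r"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----")


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, identifier) for each suspected hard-coded secret, in file order."""
    def line_of(pos: int) -> int:
        return text.count("\n", 0, pos) + 1

    findings = [(line_of(m.start()), "hard-coded secret", m.group(1))
                for m in ASSIGN_RE.finditer(text)]
    findings += [(line_of(m.start()), "PEM private key", m.group(1))
                 for m in PEM_RE.finditer(text)]
    return sorted(findings)


# Constructed Java source standing in for a decompiled "rewards" app class; the secret and
# key values are placeholders, not material from any real application.
SAMPLE_SOURCE = r"""public class RewardsApi {
    private static final String API_HOST = "api.rewards.example";
    private static final String API_SECRET = "Qm4xd2E3Z2pYcGsyOXZ0bGZ5OHFkd2U5";
    private static final String PRIVATE_KEY =
        "-----BEGIN RSA PRIVATE KEY-----\n" +
        "PLACEHOLDER-NOT-REAL-KEY-MATERIAL\n" +
        "-----END RSA PRIVATE KEY-----";
    private int retryCount = 3;
}
"""

if __name__ == "__main__":
    for line, kind, ident in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {kind} ({ident})")
```

Run it over the output of a decompiler or, better, over the repository in CI. Anything it reports belongs in a server-side secret or a per-installation key provisioned at runtime; a key that ships inside the APK is readable by anyone who downloads the app, which is the point the slide makes.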
Privacy Issues
 Example: Draw Something App (Top 25)
 UDID and more sent to the following third-party ad providers:
     appads.com
     mydas.mobi
     greystripe.com
     tapjoyads.com
What is UDID?
   Alpha-numeric string that uniquely identifies an Apple device
Pinterest and Flurry.com
Conclusions
 Mobile devices are critically common
 Most people use them without thinking of security
 Developers seem to be repeating the past
 We need to secure this area
Contact Us
   John Sawyer
     Twitter: @johnhsawyer
     john@inguardians.com
   Tom Eston
     Twitter: @agent0x0
     teston@securestate.com
   Kevin Johnson
     Twitter: @secureideas
     kjohnson@secureideas.net

Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Dernier (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

Smart Bombs: Mobile Vulnerability and Exploitation

1. Mobile Vulnerability and Exploitation
  • John Sawyer – InGuardians
  • Tom Eston – SecureState
  • Kevin Johnson – Secure Ideas

2. John Sawyer
  • InGuardians, Inc. - Senior Security Analyst
  • DarkReading.com - Author/Blogger
  • 1@stplace - Retired CTF packet monkey
    ○ Winners DEFCON 14 & 15
  • Avid Mountain Biker… in Florida.

3. Tom Eston
  • Manager, SecureState Profiling & Penetration Team
  • Blogger – SpyLogic.net
  • Infrequent Podcaster – Security Justice/Social Media Security
  • Zombie aficionado
  • I like to break new technology

4. Kevin Johnson
  • Father of Brenna and Sarah
  • Secure Ideas, Senior Security Consultant
  • SANS Instructor and Author
    ○ SEC542/SEC642/SEC571
  • Open-Source Bigot
    ○ SamuraiWTF, Yokoso, Laudanum etc
  • Ninja

5. What are we talking about today?
  • What’s at risk?
  • Tools, Testing and Exploitation
  • Common vulnerabilities found in popular apps (this is the fun part)

6. What are Smart Bombs?
  • We’ve got powerful technology in the palm of our hands!
  • We store and transmit sensitive data
  • Mobile devices are being used by:
    ○ Major Businesses (PII)
    ○ Energy Companies (The Grid)
    ○ The Government(s)
    ○ Hospitals (PHI)
    ○ Your Mom (Scary)

8. Testing Mobile Apps
  • What are the 3 major areas for testing?
  • File System
    ○ What are apps writing to the file system? How is data stored?
  • Application Layer
    ○ How are apps communicating via HTTP and Web Services? SSL?
  • Transport Layer
    ○ How are apps communicating over the network? TCP and Third-party APIs

9. OWASP Top 10 Mobile Risks
  1. Insecure Data Storage
  2. Weak Server Side Controls
  3. Insufficient Transport Layer Protection
  4. Client Side Injection
  5. Poor Authorization and Authentication

10. OWASP Top 10 Mobile Risks
  6. Improper Session Handling
  7. Security Decisions Via Untrusted Inputs
  8. Side Channel Data Leakage
  9. Broken Cryptography
  10. Sensitive Information Disclosure

11. OWASP Mobile Security Project
  • You should get involved!
  • https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

12. Other Issues
  • Privacy of your data!
  • Mobile apps talk to many third party APIs (ads)
  • What’s collected by Google/Apple/Microsoft?

13. Common Tools
  • SSH
  • VNC server
  • A compiler (gcc / agcc)
  • Android SDK (adb!)
  • XCode
  • Jailbroken iDevice
  • Rooted Android Device

14. Filesystem Analysis
  • Forensic approach
  • Filesystem artifacts
  • Timeline analysis
  • Log analysis
  • Temp files

15. Forensic Tools
  • Mobile Forensic Tools
    ○ EnCase, FTK, Cellebrite
  • Free and/or Open Source
    ○ file, strings, less, dd, md5sum
    ○ The Sleuthkit (mactime, mac-robber)

16. Timelines
  • Timelines are awesome
  • Anyone know log2timeline?
  • Filesystem
    ○ mac-robber
    ○ mactime
  • Logs
    ○ Application- & OS-specific

17. Filesystem Timelines
  • mac-robber
    ○ C app
    ○ free & open source
    ○ must be compiled to run on devices
  • mactime
    ○ Part of The Sleuthkit
    ○ runs on Mac, Win, Linux

18. Compiling mac-robber (Android)
  • Android
    ○ Install arm gcc toolchain
    ○ Compile & push via adb
  • I used Ubuntu, works on MobiSec & Backtrack
  • Detailed instructions:
    ○ http://www.darkreading.com/blog/232800148/quick-start-guide-compiling-mac-robber-for-android-vuln-research.html

19. Compiling mac-robber (iOS)
  • iOS (jailbroken)
    ○ Download & Install libgcc onto device
    ○ Install iphone-gcc
    ○ Download & Install C headers/libraries

20. Running mac-robber (iOS)
  • iOS & Android via SSH
  • Android via adb
  • Then, process each with mactime
22. Where is the data?

24. Gallery Lock Lite
  • “Protects” your images

25.

26. Viewing & Searching Files
  • cat, less, vi, strings, grep
  • SQLite files
    ○ GUI browser, API (Ruby, Python, etc)
  • Android apps
    ○ ashell, aSQLiteManager, aLogViewer

27. Application Layer - HTTP
  • Tools Used:
    ○ Burp Suite
    ○ Burp Suite
    ○ oh yeah Burp Suite!

28. Why Look at the App Layer?
  • Very common in mobile platforms
  • Many errors are found within the application
    ○ And how it talks to the back end service
  • Able to use many existing tools

32. Transport Layer - TCP
  • Tools Used:
    ○ Wireshark
    ○ Tcpdump
    ○ Network Miner

33. Why look at the transport layer?
  • Check to see how network protocols are handled in the app
  • Easily look for SSL certificate or other communication issues

34. NetworkMiner
  • Extracts files/images and more
  • Can pull out clear txt credentials
  • Quickly view parameters

35.

36. TCP Lab Setup
  • Run tcpdump directly on the device
  • Run Wireshark by sniffing traffic over wireless AP or network hub setup (lots of ways to do this)
  • Import PCAPs into NetworkMiner

37. App Vulnerabilities
  • Several examples that we’ve found
  • Many from the Top 25 downloaded apps

38. Evernote
  • Notebooks are stored in the cloud
  • But…caches some files on the device…
  • OWASP M1: Insecure Data Storage

39.

40. MyFitnessPal
  • Android app stores sensitive data on the device (too much data)

41.

42. Password Keeper “Lite”
  • PIN and passwords stored in clear-text SQLite database
  • So much for the security of your passwords…

43.

44.

45.
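Slide 26 points at the SQLite API as the way to look through app databases, and slide 42 shows what you find when you do (OWASP M1). The following example is added here and is not code from the talk or from any of the apps it names: it builds a constructed in-memory database shaped like a password keeper's file, audits every cell for secret-looking values stored in the clear (including the key/value "settings" table pattern where the column name says nothing), and shows the hardened way to keep the master PIN record, a salted PBKDF2 verifier, so the same audit passes. Table and column names, the PIN, and the account row are all made up.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Column or key names that suggest a secret is stored in that cell.
SECRET_NAME_RE = re.compile(r"pass|pwd|pin|secret|token|key", re.IGNORECASE)
# Values that already look like a bare digest rather than plaintext.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def hash_pin(pin, salt=None, iterations=200_000):
    """Store a verifier for the master PIN, not the PIN: salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pin(pin, record):
    """Recompute the verifier from the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_sample_db():
    """Constructed in-memory database resembling a password-keeper app's SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings(name TEXT, value TEXT);
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, site TEXT, username TEXT, password TEXT);
        INSERT INTO settings VALUES ('theme', 'dark');
        INSERT INTO settings VALUES ('master_pin', '1234');            -- the weak form
        INSERT INTO accounts(site, username, password) VALUES ('bank.example', 'alice', 'hunter2');
    """)
    # The hardened form of the PIN record: a salted PBKDF2 verifier, not the PIN itself.
    conn.execute("INSERT INTO settings VALUES ('master_pin_hash', ?)", (hash_pin("1234"),))
    return conn


def looks_clear_text(value):
    """Heuristic: a short printable string that is neither a digest nor a PBKDF2 record."""
    if DIGEST_RE.match(value) or value.startswith("pbkdf2_sha256$"):
        return False
    return value.isprintable() and len(value) <= 64


def audit_db(conn):
    """Return (table, column, value) for every cell that looks like a clear-text secret."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                if not isinstance(val, str):
                    continue
                # Either the column itself is named like a secret, or (key/value tables)
                # a sibling cell in the same row names it. Heuristic; expect some noise.
                named = bool(SECRET_NAME_RE.search(col))
                sibling_named = any(isinstance(v, str) and SECRET_NAME_RE.search(v)
                                    for c, v in zip(cols, row) if c != col)
                if (named or sibling_named) and looks_clear_text(val):
                    findings.append((table, col, val))
    return findings


if __name__ == "__main__":
    for table, col, val in audit_db(make_sample_db()):
        print(f"clear-text secret in {table}.{col}: {val!r}")
```

Two caveats a practitioner would add. First, hashing fixes only the PIN: a keeper must still be able to show the stored site passwords, so those need to be encrypted under a key derived from the PIN (a PBKDF2 or scrypt key feeding an authenticated cipher, or an encrypted SQLite build), never stored as the rows above. Second, a four-digit PIN is a search space of ten thousand, so even a well-hashed verifier is only as strong as the iteration count and whatever lockout the app enforces; the audit tells you what is on disk, not whether the scheme is adequate.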
46. Draw Something
  • Word list stored on the device
  • Modify to mess with your friends

47. LinkedIn
  • SSL only for authentication
  • Session tokens and data sent over HTTP
  • Lots of apps do this
  • M3: Insufficient Transport Layer Protection

48.
  • Auth over SSL
  • Data sent over HTTP

49.

50. Pandora
  • Registration over HTTP
  • User name/Password and Registration info sent over clear text
  • Unfortunately…lots of apps do this

51.
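Slides 47 through 50 describe two shapes of OWASP M3: a session token issued over SSL and then replayed over plain HTTP, and registration credentials posted in the clear. The example below is added here and is not code from the talk; it is a small audit you can run over the requests a proxy or NetworkMiner hands you. The capture is constructed (api.example.com, the paths, the users and the token value are all made up) and is tagged with whether each message travelled over TLS; the audit flags credentials in plaintext form bodies or query strings, cookies replayed over HTTP after being issued over TLS, and the server-side root cause of that replay, a Set-Cookie without the Secure attribute.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed capture of one mobile app session as a proxy would log it:
# (over_tls, raw HTTP message). Hosts, paths and the token value are made up.
CAPTURE = [
    (True,  "POST /login HTTP/1.1\r\nHost: api.example.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "username=alice&password=hunter2"),
    (True,  "HTTP/1.1 200 OK\r\nSet-Cookie: sid=9f3a7c21; Path=/\r\nContent-Length: 0\r\n\r\n"),
    (False, "GET /feed HTTP/1.1\r\nHost: api.example.com\r\nCookie: sid=9f3a7c21\r\n\r\n"),
    (False, "POST /register HTTP/1.1\r\nHost: api.example.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "email=bob%40example.com&password=letmein"),
    (True,  "GET /profile HTTP/1.1\r\nHost: api.example.com\r\nCookie: sid=9f3a7c21\r\n\r\n"),
]

# Form/query field names treated as credentials (heuristic list, extend per app).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pin", "passcode"}


def parse_message(raw):
    """Minimal HTTP/1.1 parser: start line, lower-cased header map, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body,
            "is_response": lines[0].startswith("HTTP/")}


def audit_capture(capture):
    """Flag OWASP M3 conditions: secrets over clear-text HTTP and the cookies that allow it."""
    findings = []
    tls_cookies = set()                        # cookie names the server issued over TLS
    for over_tls, raw in capture:
        msg = parse_message(raw)
        if msg["is_response"]:
            for sc in msg["headers"].get("set-cookie", []):
                name = sc.split("=", 1)[0].strip()
                attrs = {a.strip().lower() for a in sc.split(";")[1:]}
                if not over_tls:
                    findings.append(("M3", "session cookie issued over clear-text HTTP", name))
                else:
                    tls_cookies.add(name)
                    if "secure" not in attrs:
                        # Without Secure the client will send this cookie over plain HTTP.
                        findings.append(("M3", "cookie issued over TLS without the Secure attribute", name))
            continue
        if over_tls:
            continue                            # only plaintext requests are of interest here
        method, target, _ = msg["start"].split(" ", 2)
        fields = parse_qs(urlsplit(target).query)
        if any("application/x-www-form-urlencoded" in ct
               for ct in msg["headers"].get("content-type", [])):
            fields.update(parse_qs(msg["body"]))
        for field in fields:
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(("M3", "credential sent over clear-text HTTP",
                                 f"{method} {target} field={field}"))
        if "authorization" in msg["headers"]:
            findings.append(("M3", "Authorization header sent over clear-text HTTP",
                             f"{method} {target}"))
        for cookie_header in msg["headers"].get("cookie", []):
            for pair in cookie_header.split(";"):
                name = pair.split("=", 1)[0].strip()
                if name in tls_cookies:
                    findings.append(("M3", "cookie issued over TLS replayed over clear-text HTTP", name))
    return findings


if __name__ == "__main__":
    for risk, what, where in audit_capture(CAPTURE):
        print(f"[{risk}] {what}: {where}")
```

The stateful part matters: a single HTTP request carrying a cookie looks harmless on its own, and the finding only appears when you remember that the same cookie was handed out on the TLS login. The fix on the server is the Secure attribute plus serving the whole API over TLS; on the client it is refusing to build plain http:// URLs at all, since a client that never speaks HTTP cannot leak this way regardless of what the server sets.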
52. Hard Coded Passwords/Keys
  • Major Grocery Chain “Rewards” Android app
  • Simple to view the source, extract private key
  • OWASP M9: Broken Cryptography
  • Do developers really do this?

54. Privacy Issues
  • Example: Draw Something App (Top 25)
  • UDID and more sent to the following third-party ad providers:
    ○ appads.com
    ○ mydas.mobi
    ○ greystripe.com
    ○ tapjoyads.com

55. What is UDID?
  • Alpha-numeric string that uniquely identifies an Apple device

56.

58.

59. Conclusions
  • Mobile devices are critically common
  • Most people use them without thinking of security
  • Developers seem to be repeating the past
  • We need to secure this area

60. Contact Us
  • John Sawyer
    ○ Twitter: @johnhsawyer
    ○ john@inguardians.com
  • Tom Eston
    ○ Twitter: @agent0x0
    ○ teston@securestate.com
  • Kevin Johnson
    ○ Twitter: @secureideas
    ○ kjohnson@secureideas.net