Talk given in Bsides Lisbon 2015 by me and Herman Duarte. Based on our experience on testing mobile applications, both on Android and iOS, we challenged ourselves on doing an assessment of both app stores' applications, using OWASP mobile top 10 as a reference in terms of vulnerabilities to search for. As a criteria for choosing the apps to test, we focused on the most common mobile applications available in the Portuguese Android and iOS app stores, from several categories such as finance, social media, medical and security. For this talk we expect to highlight the most interesting design choices both good and bad and what should be done to avoid such mistakes.

1. Neo: Is my App Secure ?
Herman Duarte @hdontwit
Cláudio André @clviper
1

2. Agenda
● Who
● Objectives
● Approach
● Building blocks
● Analysis Statistics
● How we did it
● Interesting findings
● Q&A
2

3. Who
Herman Duarte
@hdontwit
3

4. Who
Cláudio André
@clviper
4

5. Who
- We work @ Integrity S.A.
- Awesome co-workers and awesome
workplace.
- We identify security issues for our clients to
help them lower their security risks.
5

11. - Evaluate iOS and Android apps from a security
point of view.
- Automate pentest tasks for both Android and
iOS
- Share results.
- Have fun :)
Objectives
11

12. Approach

13. 13

14. 14

15. 15

16. +50
Apps

17. Client
17

18. Network
18

19. Server
19

20. 20

21. 21

23. Vulns by Owasp Risk
23

24. Android Vulns by Owasp Risk
24

25. iOS Vulns by Owasp Risk
25

26. Insecure Data Storage
26

27. Transport Layer Security
Android iOS
27

28. Certificate Pinning
28

29. iOS Background Screenshot
29

30. Android Obfuscation
30

31. Android Obfuscated Apps By Category
31

32. iOS Binary Protection
All
apps
analyzed
have
the
following
security
features
enabled
in
the
binary:
● PIE
(Posi=on
Independent
Executable
aka
ASLR)
● ARC
(Automa=c
Reference
Coun=ng)
● SSPRO
(Stack
Smashing
Protec=on)
● Encrypted
binary
32

34. 34

35. - iOS and Android Security Analyser Tools
- Command line.
- Way to mass analyse ipas and apks.
- Search and Downloads apps (Android only)
- Bulk decryption of apps (iOS only)
- Bulk install, uninstall and backup of apps
- Easy way to extend heuristics check (Android only,
for now)
35
iStat & Droidstat

36. 36
iStat
https://youtu.be/bOtosGya_G4

37. 37
https://youtu.be/zPKUj8rb_ok
Droidstat – Intro Video

38. Droidstat - Checks Config File
38

39. 39
https://youtu.be/uWJZa0vgbQ4
Droidstat – Example Findings Video

40. Interesting Findings

41. Invoice Registration App (Android)
41
- Under 100.000 installs.
- The credentials used for this service is used
on multiple Portuguese Government Public
Services websites.

42. Invoice Registration App (Android)
42

43. Invoice Registration App (Android)
43

44. Invoice Registration App (Android)
44

45. Invoice Registration App
45

46. Invoice Registration App
46

47. Invoice Registration App (Android)
47

48. Invoice Registration App (Android)
48

49. Invoice Registration App (Android)
49

50. Invoice Registration App
50

51. Invoice Registration App (Android)
51

52. Invoice Registration App (Android)
Recommendations:
- Use right TLS implementations that correctly
validate TLS certificates.
- Use strong cryptographic algorithms to store
sensitive information.
52

53. Invoice Registration App – Dev Response
53
“As for the problems, although I think that both
are difficult to replicate in a real case , I
recognize that the app can be improved , taking
this into account we will release an update until
the weekend to solve the problems.” June 9

54. Invoice Registration App – Dev Response
54
“As for the problems, although I think that both
are difficult to replicate in a real case , I
recognize that the app can be improved , taking
this into account we will release an update until
the weekend to solve the problems.” June 9
“The update of this weekend corrects the
problems mentioned. Thanks again for the
analysis.” June 22

55. Shopping App (Android & iOS)
55
- Between 1M and 5M installs
- More than 10M users.

56. Shopping App (Android & iOS)
56

57. Shopping App (Android & iOS)
57

58. Shopping App (Android & iOS)
58

59. Shopping App (Android & iOS)
59

60. Shopping App (Android & iOS)
60

61. Shopping App (Android & iOS)
61

62. Shopping App (Android & iOS)
62

63. Shopping App (Android & iOS)
Recommendations:
- Correctly override TLS implementations or
use the framework’s default one, that
correctly validate certificates chains.
63

64. Mr.Smith: So, you’re asking me if your
app is secure?

65. M2 - Insecure Data Storage
● In iOS some applications still uses property list files
(.plist), or NSUserDefaults (files created in the app
Documents folder) to store sensitive information,
instead of the keychain.
● In Android some applications store sensitive information
in shared preferences file and SQLite databases without
any type of encryption.
65

66. M3 - Insufficient Transport Layer
Protection
● The OS’s framework already does the hard work in TLS,
so what we have seen is that the majority of TLS is
correctly implemented; Nonetheless when developers
override the default implementation, most of the time
bad things happen.
● We have seen that in Android, Certificate Pinning, is
more used that in iOS applications.
66

67. M4 - Unintended Data Leakage
● In iOS the background screenshot information leakage
happens most of the time, because it is a side effect of
the OS behaviour, that most of developers are not
aware of.
67

68. M10 - Lack of Binary Protections
● Regarding Obfuscation we have seen in Android that
there are not many apps obfuscated although the SDK
comes with tools to do this out of the box.
● In iOS because of default configurations of XCode,
binary security features (e.g. PIE, ARC, SSPRO) are
applied in all of the apps analyzed.
68

69. Q&A