In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around. This high intensity 30-minute crash course covers: + Man-in-the-middle (MITM) attacks + Taking advantage of improper certificate validation + Demonstration of a privilege escalation exploit of a web back-end vulnerability Watch it here: https://youtu.be/bT1-7ZkSdNY

1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Episode II
RETURN OF THE
BACK-END/NETWORK

2. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Episode II
RETURN OF THE
NETWORK/BACK-END
Episode I
THE FORENSIC
MENACE
Episode III
ATTACK OF
THE CODE

3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Connect
Twitter: @NowSecureMobile
—
Subscribe to #MobSec5, our weekly mobile security news digest
http://mobsec5.nowsecure.com/
—
Web: nowsecure.com

4. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Michael Krueger
Solutions Engineer | NowSecure

5. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Contents
● The Trilogy series overview
● Data-in-transit
● Server-side security
● Suggested tools to get started

6. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Mobile
forensics &
data recovery
Network, web
services &
API testing
Server-side
penetration
testing
Reverse
engineering &
code analysis

7. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
“I can show you the ways of the [Force data in transit].”
— Kylo Ren
https://milnersblog.com/tag/the-characters-of-star-wars-the-force-awakens/

8. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Data in transit concerns
● Insecure communication
○ Certificate validation issues
○ Privacy leakage
● Insecure authentication
● Insecure authorization
○ Server accepting/responding to
requests without authorization
○ Client-based authorization decisions

9. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Man-in-the-middle (MITM)
● Secretly intercept (modify) communications between systems believing they are communicating directly
● Aims to circumvent mutual authentication (or lack thereof)
● Use it to test for potential vulnerabilities and validate that app sends proper requests/intended data
Who are you really talking to?
Original connection
Victim
Attacker
Presents fake
certificate
Server

10. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Lack of certificate validation
Don’t implement your own crypto!
It still happens because developers want to accept self-signed
certificates or because code implementation is too complex

11. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mitmproxy basic setup
Device 192.168.10.15
Gateway set to 192.168.10.66 192.168.10.1
Server
Laptop w/ mitmproxy
Listening at ports 80 & 443
192.168.10.66
Mitmproxy CA certificate
(optional)

12. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Android handset gateway configuration

13. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
IP forwarding
1
2
3
sysctl - w net.ipv4.ip_forward = 1
iptables - t nat - A PREROUTING - i eth0 - p tcp--dport 80 - j REDIRECT--to - port 8080
iptables - t nat - A PREROUTING - i eth0 - p tcp--dport 443 - j REDIRECT--to - port 8080

14. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Looking for HTTPS traffic

15. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Privacy leakage
● Email address
● Username/password
● Phone number
● IMEI/IMSI
● Home address
● And so much more
See: “Who Knows What About Me? A Survey of Behind the
Scenes Personal Data Sharing to Third Parties by Mobile Apps”
http://jots.pub/a/2015103001/
Sharing more than you intend
Sharing of sensitive data by
Android apps (left) to domains (right)

16. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Authentication vs. authorization
Do you know the difference?
Authentication
The process of sending
credentials in an
attempt to connect
Authorization
Gaining access to a resource
because configured permissions
allow you access

17. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Insecure authentication
● Predictable session identifiers
● Failing to log users out
● Session lifetime risks
○ Sessions valid too long
○ Sessions valid across multiple channels
● Session fixation
Who copied my house key???

18. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Insecure authorization
I feel like being an administrator today.

19. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.http://disney.wikia.com/wiki/Leia_Organa
“Somebody has to save our [skins servers].”
— Princess Leia

20. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Server-side issues
● Injection
○ SQL
○ XSS
○ Command
● Improper session handling
● Weak ciphers
● Many more...

21. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Weak cipher examples
What do you accept?
https://www.ssllabs.com/

22. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Weak cipher examples
What do you accept?

23. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Intelligence Gathering
● What IP addresses does your app talk to?
● Query WHOIS to learn more about each IP address
● Use geolocation services to confirm IP address location

24. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Endpoint identification
https://www.wireshark.org

25. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Suggested tools for back-end testing
Rooted Android device
I use a Google Nexus 5
Linux machine or VM
w/ Android Studio tools
May we recommend Santoku Linux?
(Also, Kali Linux)

26. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Tools for testing
Qualys SSL Labs https://www.ssllabs.com/ssltest/
Nmap
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
https://nmap.org/nsedoc/scripts/ssl-cert.html
Mitmproxy http://docs.mitmproxy.org/en/stable/
Burp Suite https://support.portswigger.net/
IPFingerprints http://www.ipfingerprints.com/
Santoku Linux https://santoku-linux.com/
Wireshark https://www.wireshark.org

27. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Pointers to keep in mind during analysis
Don’t just focus
on the encrypted
payload. Look
at metadata.
When searching
for data in large files,
command line tools
are best: Try grep
Try multiple tools.
Find the one
you’re most
comfortable with.
If you’re scanning a
third-party server,
get permission

28. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Vulnerable data exists in more than just the payload
Try using both trusted and untrusted certificates
when intercepting data in transit
Don’t underestimate the time/effort involved in
network-focused testing

29. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Episode III
ATTACK OF THE CODE
Thursday, January 19
11 a.m. CST / 9 a.m. PST
REGISTER NOW: http://bit.ly/2gOPih8

30. Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5 - a digest of the week’s mobile news
that matters - http://mobsec5.nowsecure.com/