Mobile Application Scan and Testing

Jan 19, 2017

Page 1: Mobile Application Security – Effective Methodology, Effective Testing!

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)

Page 2: Who Am I?

• Hemil Shah – [email protected]
• Co-CEO & Director, Blueinfy Solutions
• Past experience – eSphere Security, HBO, KPMG, IL&FS, Net Square
• Interest – Web and mobile security research
• Published research
  – Articles / Papers – Packstroem, etc.
  – Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
  – Mobile Tools – FSDroid, iAppliScan, DumpDroid

[email protected]  http://www.blueinfy.com  Blog – http://blog.blueinfy.com/

Page 3: About

• Global experience: clients based in USA, UAE, Europe and Asia-Pac.
• Clients/Partners include Fortune 100 companies.
• Delivery model and support
• Blackbox and Whitebox – Scanners and Code Analyzers
• Scanning tools and technology (15 years)
• Strong and tested with Fortune clients
• Integrated in SDLC
• Help clients in mitigating or lowering the risk by improving process
• In-house R&D team for the last 7 years
• Papers and presentations at conferences like RSA, Blackhat, HITB, OWASP etc.
• Books written and used as security guides

(Slide graphic: Know-How, Methods & Approach, Global Delivery & Team, Technology, Application Security)

Press coverage: BBC, Dark Reading, Bank Technology, SecurityWeek, MIT Technology Review

Page 4: Enterprise Technology Trend

• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner]
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
• 2010. Flex/HTML5/Cloud/API
• 2012. HTML5/Mobile era.

Page 5: Past, Present and Future

(Timeline figure; only the labels "Cloud", "2010" and "Focus" survive extraction.)

Page 6: Mobile Infrastructure

(Network diagram: Internet, router, firewall and a DMZ hosting www and mail; intranet with Exchange, database and RAS; VPN, dial-up and other offices connecting in.)

Page 7: Mobile App Environment

(Architecture diagram with Internet / DMZ / Trusted zones: the mobile client talks SOAP/JSON etc. to web services; the web server serves static pages only (HTML, HTM, etc.); a scripted web engine serves dynamic pages (ASP, DHTML, PHP, CGI, etc.); application servers and integrated frameworks (ASP.NET on .NET Framework, J2EE app server, web services, etc.) sit behind them, in front of the DB and the internal/corporate network.)

Page 8: Mobile Apps

Page 9: Gartner Statistics

Page 10: Gartner Statistics

Page 11: Mobile Changes – Application Infrastructure

Changing dimension: Web vs. Mobile

(AI1) Protocols
  Web: HTTP & HTTPS
  Mobile: JSON, SOAP, REST etc. over HTTP & HTTPS

(AI2) Information structures
  Web: HTML transfer
  Mobile: JSON, JS Objects, XML, etc.

(AI3) Technology
  Web: Java, DotNet, PHP, Python and so on
  Mobile: Cocoa, Java with Platform SDKs, HTML5

(AI4) Information Store/Process
  Web: Mainly on Server Side
  Mobile: Client and Server Side

Page 12: Mobile Changes – Security Threats

Changing dimension: Web vs. Mobile

(T1) Entry points
  Web: Structured
  Mobile: Scattered and multiple

(T2) Dependencies
  Web: Limited
  Mobile: Multiple technologies, information sources and protocols

(T3) Vulnerabilities
  Web: Server side [Typical injections]
  Mobile: Web services [Payloads] and client side [Local Storage]

(T4) Exploitation
  Web: Server side exploitation
  Mobile: Both server and client side exploitation

Page 13: Blackbox Review flow

Architecture Review → Scoping → Server Side Application Footprinting / Mobile Application Footprinting → Application Threat Modeling → Application Deployment Assessment → Application Enumeration and Profiling → Application Discovery → Vulnerability Assessment → Mitigation Strategies → Reporting

Vulnerability Assessment covers two areas:

Application Security – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Service, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.

Mobile and Device Security – Insecure storage; Insecure network communication (carrier network security & WiFi network attacks); Unauthorized dialing & SMS; UI impersonation/spoofing; Activity monitoring and data retrieval; Sensitive data leakage; Hardcoded passwords/keys; Language issues; Timely application updates; Jailbreaking / physical device theft; Keyboard cache / clipboard issues; Reading information from the SQLite database; Insecure protocol handler implementation; and a few other loopholes.

Page 14: Insecure Storage

Page 15: Insecure Storage – Why applications need to store data

• Ease of use for the user
• Popularity
• Competition
• Activity with a single click
• Decreased transaction time
• Post/get information to/from social sites

• 9 out of 10 applications have this vulnerability

Page 16: Insecure Storage – How an attacker can gain access

• WiFi
• Default root password after jailbreaking (alpine) – with SSH installed, the stock credentials give full access to the file system
• Physical theft
• Temporary access to the device

Page 17: Insecure Storage – What information we usually find

• Authentication credentials
• Authorization tokens
• Financial statements
• Credit card numbers
• Owner's information – physical address, name, phone number
• Social networking site profiles/habits
• SQL queries
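To turn pages 15–17 into a repeatable check, here is an added Python example (written for this page, not one of the deck's or Blueinfy's tools) that audits a copy of an app sandbox for exactly the plaintext data listed above. Everything it scans is constructed inside a temp directory: a `com.example.app.plist` with a stored password (the NSUserDefaults case) and an `app.sqlite` holding a card number. On an engagement you would point `audit_sandbox` at the directory copied from the device over SSH instead.

```python
"""Audit a copied app sandbox for plaintext sensitive data (added example)."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that should never hold plaintext on-device, plus a rough
# 15/16-digit card-number pattern for values whose column name looks harmless.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|session|api[_-]?key|card|cvv|ssn)", re.I)
CARD_NUMBER = re.compile(r"\b(?:\d[ -]?){15,16}\b")


def build_sample_sandbox(root):
    """Constructed sandbox layout mimicking an iOS app dir; not data from a real device."""
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    # NSUserDefaults is persisted as a plist here: storing credentials in it is the classic mistake.
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, f)
    con = sqlite3.connect(os.path.join(root, "Documents", "app.sqlite"))
    con.execute("CREATE TABLE cards (id INTEGER, holder TEXT, number TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'Alice', '4111 1111 1111 1111')")
    con.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
    con.execute("INSERT INTO prefs VALUES ('last_screen', 'home')")
    con.commit()
    con.close()


def scan_plist(path):
    """Flag top-level plist keys whose name suggests a secret."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    if not isinstance(data, dict):
        return []
    return [(path, key, str(val)) for key, val in data.items() if SENSITIVE_KEY.search(key)]


def scan_sqlite(path):
    """Walk every table; flag suspicious column names and card-number-looking values."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:  # identifiers come from sqlite_master, so quoting them is enough here
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                text = str(val)
                if SENSITIVE_KEY.search(col) or CARD_NUMBER.search(text):
                    findings.append((path, f"{table}.{col}", text))
    con.close()
    return findings


def audit_sandbox(root):
    """Return (file, location, value) for every plaintext hit under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(path))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                findings.extend(scan_sqlite(path))
    return findings


def demo():
    """Build the constructed sandbox and audit it."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    build_sample_sandbox(root)
    return audit_sandbox(root)


if __name__ == "__main__":
    for path, where, value in demo():
        print(f"{path}: {where} = {value!r}")
```

The two hits it reports (the plist `password` and `cards.number`) are the findings a reviewer would write up; `prefs` and the `username` key are deliberately left alone so the regexes stay usable on a real sandbox with hundreds of keys.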

Page 18: Local file access

Page 19: Insecure Network Communication

Page 20: Insecure Network Channel

• MiTM attacks are easy to perform because mobile devices use untrusted networks, i.e. open/public WiFi, hotspots and the carrier's network
• Applications deal with sensitive data, i.e.
  – Authentication credentials
  – Authorization tokens
  – PII (privacy violation): owner name, phone number, UDID

Page 21: Insecure Network Channel

• Anyone on the path can sniff the traffic and get access to the sensitive data
• SSL/TLS is the best way to secure the communication channel, but only if the client actually validates the server certificate
• Common issues
  – Does not refuse plain HTTP requests (no HTTPS enforcement, so the channel can simply be downgraded)
  – Accepts invalid certificates (self-signed, expired or for the wrong host), which makes MiTM trivial even over SSL
  – Sensitive information in GET requests (query strings end up in proxy, server and browser logs)
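The three "common issues" above are easy to triage from a proxy capture. The following is an added Python example (not from the deck) that runs over a constructed log of `METHOD URL` lines and reports plaintext HTTP and sensitive parameters sent in a GET query string; `client_tls_context` shows, in Python's `ssl` module, the difference between a properly validating client and the "allow any certificate" behaviour that `setAllowsAnyHTTPSCertificate` produces on iOS. The host names and parameter names are made up for the demo.

```python
"""Triage captured mobile traffic for the insecure-channel issues (added example)."""
import re
import ssl
from urllib.parse import parse_qsl, urlsplit

# Parameter names that must never travel in a URL query string.
SENSITIVE_PARAM = re.compile(r"(pass(word|wd)?|pwd|token|session|sid|udid|deviceid|card|cvv|ssn|otp)", re.I)

# Constructed proxy log, one "METHOD URL" per line; not captured from a real app.
SAMPLE_LOG = """\
POST https://api.example.com/v1/login
GET https://api.example.com/v1/account?session=9f3c2a7b
GET http://api.example.com/v1/balance?sid=9f3c2a7b&udid=0123456789abcdef
POST http://cdn.example.com/track?event=open
GET https://static.example.com/logo.png
""".splitlines()


def triage_request(line):
    """Return (method, host+path, [issues]) for one log line."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    issues = []
    if parts.scheme == "http":
        issues.append("plaintext HTTP")
    leaked = [key for key, _ in parse_qsl(parts.query) if SENSITIVE_PARAM.search(key)]
    if method == "GET" and leaked:
        issues.append("sensitive data in GET query: " + ",".join(leaked))
    return method, parts.netloc + parts.path, issues


def triage_log(lines):
    """Only the requests that have at least one issue."""
    return [entry for entry in map(triage_request, lines) if entry[2]]


def client_tls_context(allow_invalid_certs=False):
    """Default context verifies chain and host name; the flag mirrors 'allow any HTTPS certificate'."""
    ctx = ssl.create_default_context()
    if allow_invalid_certs:          # what a vulnerable client effectively does
        ctx.check_hostname = False   # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for method, where, issues in triage_log(SAMPLE_LOG):
        print(f"{method} {where}: {'; '.join(issues)}")
```

Against the sample log it flags the `account` call for putting the session in the query string, the `balance` call for both plaintext HTTP and the session/UDID leak, and the tracking beacon for plaintext HTTP, while the login POST over HTTPS and the static image pass.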

Page 22: Session token

Page 23: Unauthorized Dialing/SMS

Page 24: Unauthorized Dialing/SMS

• Social engineering using mobile devices
• The attacker plays with the user's mind
• The user installs the application
• The application sends a premium-rate SMS or places a premium-rate phone call to an unknown number
• Used by malware/trojans

Page 25: AndroidOS.FakePlayer

• August 2010
• Sends costly international SMS
• One SMS costs 25 USD (INR 1250)
• The application sends SMS to premium-rate numbers 3353 & 3354 in Russia

Page 26: GGTracker

• June 2011
• Another application which sends premium-rate SMS
• One SMS costs 40 USD (INR 2000)
• The application sends premium SMS to US numbers

Page 27: UI Impersonation

Page 28: UI Impersonation

• The attack has been around for a long time
• On the mobile stack it is known as UI impersonation
• Other names are phishing and clickjacking
• The attacker plays with the user's mind and tries to impersonate another user or another application

Page 29: UI Impersonation

• The victim loses credit card information, authentication credentials or other secrets
• One application can create a local push notification that looks as if it came from the App Store or from another application
• Flaw in the App Store review process – anyone can give their application any name

Page 30: NetFlix

• Oct 2011
• Fake app that steals users' Netflix account information
• When the user enters username and password, the application shows the error message "Compatibility issues with the user's hardware"
• After the error message, the application uninstalls itself

Page 31: Activity Monitoring

Page 32: Activity Monitoring

• Sending a blind carbon copy of each email to the attacker
• Listening to all phone calls
• Sending the email contact list and pictures to the attacker
• Reading all emails stored on the device
• The usual intention of spyware/trojans

Page 33: Activity Monitoring

• The attacker can monitor:
  – Audio files
  – Video
  – Pictures
  – Location
  – Contact list
  – Call/browser/SMS history
  – Data files

Page 34: Android.Pjapps

• Early 2011
• Steals/changes the user's information
• The application can
  – Send and monitor incoming SMS messages
  – Read/write the user's browsing history and bookmarks
  – Install packages and open sockets
  – Write to external storage
  – Read the phone's state

Page 35: System Modification

Page 36: System Modification

• The application attempts to modify the system configuration to hide itself (historically known as a ROOTKIT)
• Configuration changes make certain attacks possible, i.e.
  – Modifying the device proxy to monitor the user's activity
  – Configuring email to BCC the attacker

Page 37: iKee – iPhone Worm

• "ikee" iPhone worm (November 2009; spread over SSH to jailbroken iPhones that still had the default root password)
  – Changes the root password
  – Changes the wallpaper to Rick Astley

After infection by "ikee" the iPhone looks like this:

Page 38: PII Information Leakage

Page 39: PII Information Leakage

• Applications usually have access to the user's private information, i.e. owner name, location, physical address, AppID, phone number
• This information must be handled very carefully, as required by law in some countries
• Storing this information in plaintext is not allowed in some countries

Page 40: PII Information

Page 41: Hardcoded Secrets

Page 42: Hardcoded Secrets

• The easiest way for a developer to "solve" complex issues/functionality
• An attacker can get this information either by reverse engineering the application or by checking local storage

Page 43: Keychain Dumper

Page 44: Language Specific Issues

Page 45: Language Specific Issues

• iOS applications are developed in Objective-C, which is derived from classic C
• Along with the language it inherits C's security issues, i.e. overflow attacks and format string bugs
• Using dex2jar, an Android application's classes.dex can be converted to a jar and then decompiled with a Java decompiler, giving near-original source code

Page 46: dexdump

dexdump: dumps the contents of a .dex file (the slide shows sample output)

Page 47: SQL Injection in Local database

Page 48: SQL Injection in Local database

• Most mobile platforms use SQLite as the database to store information on the device
• Using any SQLite database browser it is possible to open the database files (and their journal files), which hold queries and other sensitive database information
• If the application does not filter input, SQL injection against the local database is possible
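Here is the injection on page 48 worked through in Python's built-in `sqlite3`, as an added example that is not from the deck: the "not filtering input" lookup splices the caller's string into the SQL, the fixed version binds it as a parameter, and two payloads show what the difference buys an attacker who controls a field (a tautology that returns every user's rows, and a UNION that pulls a token out of a different table). The `notes` and `session` tables and their rows are constructed in memory for the demo.

```python
"""Local SQLite injection: concatenated query beside the parameterised fix (added example)."""
import sqlite3


def make_db():
    """Constructed on-device database: per-user notes plus a locally cached session token."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    con.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                    [("alice", "alice private note"), ("bob", "bob private note")])
    con.execute("CREATE TABLE session (token TEXT)")
    con.execute("INSERT INTO session VALUES ('tok-abc123')")
    con.commit()
    return con


def notes_for_vulnerable(con, owner):
    """Deliberately vulnerable: owner becomes part of the SQL text."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in con.execute(sql)]


def notes_for_safe(con, owner):
    """Bound parameter: owner can never change the statement structure."""
    return [row[0] for row in con.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


# Payloads: the classic tautology, and a UNION that reads another table.
PAYLOAD_ALL_ROWS = "x' OR '1'='1"
PAYLOAD_UNION_TOKEN = "x' UNION SELECT token FROM session --"


def demo():
    """Run both payloads through both lookups and return the rows each one yields."""
    con = make_db()
    return {
        "vulnerable_tautology": notes_for_vulnerable(con, PAYLOAD_ALL_ROWS),
        "vulnerable_union": notes_for_vulnerable(con, PAYLOAD_UNION_TOKEN),
        "safe_tautology": notes_for_safe(con, PAYLOAD_ALL_ROWS),
        "safe_union": notes_for_safe(con, PAYLOAD_UNION_TOKEN),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that `sqlite3.Connection.execute` refuses stacked statements, so the realistic impact of a local injection is reading or altering data the app's own UI would not expose (other users' rows, cached tokens) rather than arbitrary extra statements; the parameterised lookup returns nothing for either payload because the whole string is compared as a literal owner name.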

Page 49: Injection…

Page 50: Information in Common Services

Page 51: Common Services

• The keyboard (and its autocorrect cache) and the clipboard are shared amongst all applications
• Information stored in the clipboard can be accessed by every application
• Sensitive information should not be allowed to be copied/pasted in the application

Page 52: Server Side Issues

Page 53: Server Side Issues

• Most applications make server side calls to web services or some other component. Security of the server side component is just as important as the client side
• Controls to be tested on the server side – security control categories for the server side application: Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,

Page 54: Server Side Issues (continued)

Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.

Page 55: Binary auditing

Page 56: Using GDB

Page 57: Mobile Top 10 – OWASP

• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure

Page 58: Pen testing Check list (iOS Applications)

Page 59: Pen testing Check list

• Fuzz all possible inputs to the application and validate the output (query string, POST data, external HTML, RSS feed or database feed)
• Audit traditional memory-unsafe methods (strcpy, memcpy)
• Watch out for format string vulnerabilities (e.g. NSLog called with a non-literal format string)
• Look for hardcoded credentials / secrets

Page 60: Pen testing Check list

• Check network connections (grep for NSURL, CFStream, NSStream)
• Check database connections and queries (grep for SQL strings and SQLite queries)
• Check that only trusted certificates are accepted (look for setAllowsAnyHTTPSCertificate, and for didReceiveAuthenticationChallenge handlers that accept every challenge)
• Check what is logged (grep NSLog)

Page 61: Pen testing Check list

• Check the implementation of URL schemes in handleOpenURL
• Check what is stored in the keychain (kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attributes when calling SecItemAdd or SecItemUpdate; kSecAttrAccessibleAlways leaves the item readable even while the device is locked) and in the file system (NSDataWritingFileProtectionComplete).

Page 62: Pen testing Check list

• Check how critical data is stored (NSUserDefaults should not be used to store critical data; it is persisted as a plaintext plist under the app's Library/Preferences)
• Check server side controls
• Decrypt the binary and run strings on it to find sensitive information

Page 63: Pen testing Check list

• Check whether the application uses UIWebView (how does the application load HTML and where is it rendered from? Is the URL visible?)
• Check whether copy-paste is enabled in sensitive fields (PII fields)
• Install your favorite proxy to monitor and fuzz web traffic
• Run the app under a debugger (e.g. GDB) or disassembler to monitor calls

Page 64: Pen testing Check list

• Check whether critical data fields are hidden in applicationWillTerminate and applicationDidEnterBackground (or applicationWillResignActive) so that the screenshot iOS caches when the app is backgrounded does not capture them
• Check how the application handles PII information
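Most of the checklist on pages 59–64 is "grep for X" over decrypted source or decompiled output, so here it is as one added Python scanner (not from the deck; the rule names are this example's own labels). `SAMPLE_SOURCE` is constructed Objective-C that deliberately trips each rule once: NSUserDefaults holding a password, a logged secret, a plaintext URL, certificate validation switched off, an unchecked URL-scheme handler feeding strcpy, an NSLog with a non-literal format string, SQL built with stringWithFormat, and a keychain item stored with kSecAttrAccessibleAlways.

```python
"""Static grep for the iOS pen-test checklist items (added example)."""
import re

# (rule name, pattern). Names are labels chosen for this example, not Apple or OWASP terms.
RULES = [
    ("logging", re.compile(r"\bNSLog\s*\(")),
    # NSLog whose first argument is not a string literal: caller data becomes the format string.
    ("format-string", re.compile(r"\bNSLog\s*\(\s*(?!@\")")),
    ("memory-unsafe", re.compile(r"\b(strcpy|strcat|sprintf|gets|memcpy)\s*\(")),
    ("cert-validation", re.compile(r"setAllowsAnyHTTPSCertificate|didReceiveAuthenticationChallenge")),
    ("plaintext-http", re.compile(r"http://")),
    ("network", re.compile(r"\b(NSURLConnection|NSURLSession|NSURLRequest|NSMutableURLRequest|"
                           r"CFStream|NSStream|CFReadStream|CFWriteStream)\b")),
    ("url-scheme", re.compile(r"handleOpenURL|openURL:")),
    ("nsuserdefaults", re.compile(r"\bNSUserDefaults\b")),
    ("keychain-always", re.compile(r"kSecAttrAccessibleAlways\w*")),
    ("sql-format", re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*%@")),
    ("webview", re.compile(r"\bUIWebView\b")),
]

# Constructed Objective-C, written to trip the rules above; not code from any real app.
SAMPLE_SOURCE = """\
#import <Foundation/Foundation.h>
static void savePassword(NSString *pwd) {
    [[NSUserDefaults standardUserDefaults] setObject:pwd forKey:@"password"];
    NSLog(@"saved pwd=%@", pwd);
}
- (void)connect {
    NSURL *u = [NSURL URLWithString:@"http://api.example.com/login"];
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[u host]];
}
- (BOOL)application:(UIApplication *)app handleOpenURL:(NSURL *)url {
    char buf[64];
    strcpy(buf, [[url query] UTF8String]);
    NSLog([url absoluteString]);
    return YES;
}
- (void)store:(NSString *)owner {
    NSString *q = [NSString stringWithFormat:@"SELECT * FROM notes WHERE owner = '%@'", owner];
    NSMutableDictionary *item = [NSMutableDictionary dictionary];
    item[(id)kSecAttrAccessible] = (id)kSecAttrAccessibleAlways;
}
"""


def scan_source(text):
    """Return (line_number, rule_name) for every rule each line trips, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def report(text):
    """Human-readable form of scan_source, one finding per line."""
    lines = text.splitlines()
    return [f"{n}: [{rule}] {lines[n - 1].strip()}" for n, rule in scan_source(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCE)))
```

The rules are intentionally coarse (any `NSLog` is reported, every `didReceiveAuthenticationChallenge` implementation is reported) because the checklist calls for a reviewer to read each hit; the one exception is `format-string`, which only fires when `NSLog`'s first argument is not an `@"..."` literal, so the harmless log on line 4 and the dangerous one on line 13 are told apart.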

Page 65: Conclusion/Questions

Hemil Shah [email protected] +91 99790 55100