Mobile security & security testing - Speaker at CSS Seminar

May 24, 2015

Yongjun Park

Speaker at CSS Seminar, Seoul National University of Science and Technology, Oct 28 2012
Transcript
  • 1. Smart Phone Overview: 2012 30%, 2014 40%
  • 2. Smart Phone Overview
  • 3. Mobile Service Trend
  • 4. Financial Services: Smart Banking, Mobile Card, Smart Wallet, MTS (Mobile Trading Service), Mobile Payment
  • 5. Financial Services
  • 6. Financial Services (chart, 2008-2011; series values as captured: 19, 907, 5,910, 1,058, 1,721, 3,736, 7,697; axis labels not captured)
  • 7. Threats & Vulnerabilities
  • 8. Virus & Malware: Android-Spyware/SMSReplicator, Android-Trojan/SmsSend, Android-Spyware/Snake (GPS spy, TapSnake), Android-Spyware/Ewalls, WinCE/TredDial, WinCE/Duts (Windows Mobile), Ike worm
  • 9. Phishing
  • 10. 0-day exploits: YTN (2011.6, Android WebKit browser); iOS PDF jailbreak (OS 0-day, Linux); JailbreakMe 3.0 (2011.7)
  • 11. Google Wallet Vulnerability
  • 12. Integrity of App: APP, E-mail, SMS (slide details not captured)
  • 13. Integrity of App: Native Library (other items not captured)
  • 14. Android Security Testing
  • 15. Mobile Web Service
  • 16. Mobile Web Service: Native App vs Mobile Web vs Hybrid App comparison (Device, UI, OS, HTML; table text not captured)
  • 17. Hybrid App Architecture: Native (iOS/Android), Hybrid App Framework, WebView, Device API, HTML + JavaScript + etc.; Web / Native
  • 18. Hybrid App
  • 19. Android Security Testing - Android Architecture
  • 20. Android Security Testing: Multitasking, Sandbox (Rooting), Permission, Codesign, Market, P2P, Code Audit
  • 21. Android Security Testing: APK Decompile, Dynamic Debug, APK Repackage, Dynamic Analysis (File, Traffic), Server side vulnerability
  • 22. APK Decompile. Tools: Apktool, dex2jar, JD-GUI, DDMS. Extracting *.apk from Android
  • 23. Steps: rename *.apk to *.zip and extract the zip file; run dex2jar on c:\classes.dex; open classes_dex2jar in JD-GUI
  • 24. ex) c:\>apktool.bat d -d [FileName.apk] [Folder]   (-d: decode in debug mode)
  • 25. AndroidManifest.xml
  • 26. Resources
  • 27. Dynamic Debug & APK Repackage. Tools: Apktool, Sign-apk, Netbeans. Steps: c:\>apktool.bat d -d [FileName.apk] [Folder]; set android:debuggable="true" in AndroidManifest.xml; c:\>apktool.bat b -d [Folder]
  • 28. c:\>Sign.bat; install
  • 29. DDMS - Process
  • 30. Netbeans: [New Project] > [Java] > [Java Project with Existing Source]
  • 31. Add Source path
  • 32. Jar file load (check the Android version), ex) Android 2.3.3 = API 10
  • 33. In DDMS, click the process; Netbeans [Debug] > [Attach Debugger]; Debugger: Java Debugger, Host: 127.0.0.1, Port: 8700
  • 34. Debug Mode
  • 35. Dynamic Analysis (File). Tools: DDMS, SQLite Expert
  • 36. Dynamic Analysis (Traffic): capture the air packets (OmniPeek, Airodump); ARP spoofing; wireless LAN card soft AP; Web (Proxy)
  • 37. Tools: Wireshark
  • 38. Proxy: Paros
  • 39. Threats & Vulnerabilities
  • 40. NFC (Near Field Communication): set of communication protocols based on RFID standards including ISO 14443; operating range less than 4 cm
  • 41. NFC Architecture
  • 42. App Vulnerability: App Vulnerability (Cloud, Game, Market); Finding Vulnerability (0-day exploit); Books & Papers: iOS Hacker's Handbook; Hacking Exposed Web Applications; Penetration Testing Android Application (Kunjan Shah); Penetration Testing iPhone / iPad Application (Kunjan Shah)
  • 43. End