Mobile Application - Scan, Attack and Exploit

Presented at DeepSec 2013 „Secrets, Failures, and Visions“.

Mobile application hacking and the security of mobile applications are becoming major concerns, especially with BYOD and users jailbreaking or rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to many different attacks: attacks on local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and a few others. It is imperative to scan these applications before they are loaded and launched on the different platforms. Scanning and vulnerability detection are two major areas for mobile applications in their current state. Attack techniques and exploit delivery on the different platforms are evolving, and protection is even harder because the code bases differ. With all mobile platforms supporting HTML5 applications, there has been a significant increase in hybrid applications. At the same time, mobile applications communicate with the server side over HTTP/HTTPS, which opens up possible attacks on web services, APIs, OAuth, REST and so on. The server-side applications can be attacked with injections and critical logical exploitation. New technology stacks such as HTML5 and Silverlight are evolving on mobile, which opens up new attack surface. In this context it is imperative for IT professionals and corporate application owners to understand these attack vectors in order to protect mobile infrastructure, users' privacy and security, and the company's intellectual property. The class features detailed hands-on work on mobile attacks for the different platforms, real-life cases, live demos, scanning techniques, code analysis and defensive controls. The following topics will be covered during the class.
Introduction to Mobile Applications
• General Overview
• Case studies of vulnerable and old AppStore applications
• Evaluation of applications
• Trends in mobile application security
• Mobile application fundamentals - What, Why, How and Where

iOS

Deep dive into iOS
• Sandboxing
• iOS application architecture
• Understanding iOS platforms
• iOS structure
• Application structure
• Application distribution
• Permissions
• Installing an application from an IPA
• Objective-C basics for penetration testing
• Cocoa/Cocoa Touch framework
• Introduction to Xcode
• Running an application in the simulator
• Jailbreaking
  o What
  o Why
  o How
  o Who

Set up attack environment
• Intercepting traffic
  o Configuring simulators to use a proxy
  o Configuring a device to use a proxy
  o Overcoming SSL traffic interception challenges
  o DNS kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools

iOS application attacks & reverse engineering
• Attacking insecure storage
• Insecure network communication
• Unauthorized dialing, SMS using rootkit
• UI impersonation/spoofing
• Activity monitoring and data retrieval
• Sensitive/private data leakage
• Hardcoded passwords/keys
• Language issues
• Jailbreaking/physical device theft
• Keyboard cache/clipboard issue in iPhone
• Reading information from SQLite database
• Insecure protocol handler implementation
• Parsing client-side binary files to get session cookie
• Business logic attacks
• Using a debugger to analyze iOS applications
• Interesting things to look for after reverse engineering

Securing iOS applications and source code analyzer
• Secure coding for iOS applications
• How to incorporate secure design and coding principles when developing iOS applications
• Safe/unsafe APIs
• Avoiding buffer overflows and underflows
• Validating input and inter-process communication
• Race conditions and secure file operations
• Designing secure user interfaces
• Static code analyzer for iOS

Other Mobile/Smart TV Platforms

Windows Phone
• Understanding Windows Phone platforms (Windows Phone 7 & Windows Phone 8)
  o Windows file system
  o Application distribution
  o Permission model
• Windows Phone development environment
• Running a Windows Phone binary in the simulator
• Intercepting traffic

BlackBerry
• BlackBerry file system
• Application distribution
• Permission model
• Intercepting traffic

Samsung Smart TV applications
• Architecture
• Key components and browser stack
• Application model and structure

Android - Hacker friendly platform

Understanding Android platforms
• Android file system/Dalvik
• Application distribution
• Permissions
• Introduction to the Android SDK and useful files
• Understanding Android application key components
• Running an application in the Android emulator
• Key ADB commands to play with the Android emulator

Set up attack environment
• Intercepting traffic
  o Configuring the emulator to use a proxy
  o Configuring a device to use a proxy
  o Overcoming SSL traffic interception challenges
  o DNS kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools

Attacking Android applications
• Insecure storage
  o Internal storage
  o External storage
  o Shared secret
• Insecure network communication - carrier network security & WiFi network attacks
• Unauthorized dialing, SMS
• UI impersonation/spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Keyboard cache/clipboard issue in iPhone
• Reading information from SQLite database
• Attacking manifest file permissions
• Analyzing local storage with file system monitoring
• Business logic attacks
• Using AFE to create a malicious APK
• Sending signals over WiFi/mobile network
• Decompiling Android applications
• Attacking intellectual property by attacking Android binaries

Secure coding for Android applications and source code analyzer
• Secure coding for Android applications
• Using randomization
• Safe/unsafe APIs
• Validating input and inter-process communication
• Controlling access with the manifest
• Static code analyzer for Android
• Protecting intellectual property in Android applications

HTML5 Applications on Mobile stack

Working with HTML5 applications on mobile
• HTML5 specs for mobile
• Touch/moving in mobile applications using HTML5
• Hybrid applications and their permission model
• HTML5 tags supported on mobile platforms

HTML5 attacks on mobile
• LocalStorage stealing
• SQLite injections
• Click/tap jacking
• Business logic attacks
• JavaScript reverse engineering

Hands-on: All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies. Mobile applications running on iPhone, Android and hybrid platforms will be provided for testing. Participants will also build a small application to capture important development concepts.

Presenters:

  • Hemil Shah - eSphere Security Solutions Pvt Ltd
    Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides professional services in the security arena. He serves on the advisory boards of a number of security companies and is a regular trainer at some of the best security conferences. He has published several advisories, tools and whitepapers, and has presented at numerous conferences. Hemil is an expert in mobile application security and application security, and researches new methodologies and training designs. He has performed more than 1000 security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews and mobile application security reviews.
