Presented at
DeepSec 2020 „The Masquerade“,
Unknown date/time
(Unknown duration)
A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This talk aims to solve this problem by providing a broad coverage of Android and iOS app vulnerabilities identified over multiple years of penetration testing. The purpose is to provide a comprehensive repertoire of security anti-patterns that penetration testers can look for and mobile app developers can watch out for to avoid.
If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this talk is for you. This talk is all action, no fluff :)
This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.
The talk offers a thorough review of interesting security anti-patterns and how they could be abused. This is very valuable information for those intending to defend or find vulnerabilities in mobile apps.
This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.
Examples will include very interesting scenarios of copy-paste attacks, calling premium numbers from the phone, custom URLs, Deep Links, XSS, SQLi, RCE, MitM attacks, path traversals, and data leak examples from real-world mobile apps, Apart from that, many other issues, including interesting scenarios chaining several vulnerabilities, such as achieving RCE via SQLi, persistent XSS, data exfiltration, etc. are also addressed.
Vulnerability chaining in mobile apps is covered not only for the fun of it but also to demonstrate impact: Mobile app findings are typically downplayed given their relative lower impact compared to server vulnerabilities (i.e. pwn 1 user vs. everybody).
Obviously, almost no modern mobile app stands offline nowadays, so this presentation would be incomplete without covering some nice attacks against those mobile APIs everybody forgot to test.
Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment and there may be giveaways to the winners :)
Keywords
- Mobile app security
- Static analysis
- Dynamic analysis
- File storage
- Instrumentation
- Repackaging
- Patching
- Root / Jailbreak detection bypasses
- Signing
- Pinning
- Man-in-the-Middle (MitM)
- Crypto
- Mobile app vulnerability patterns
- XSS
- SSRF
- SQLi
- RCE
- Data exfiltration
Presenters:
-
Abraham Aranguren
- 7ASecurity
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of "Practical Web Defense" - a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a\_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications
Links:
Similar Presentations: