Auditing Mobile Applications

*[ AUDITING MOBILE APPLICATIONS ] Author: Jose Selvi Date: 30/Jun/2011

Upload: eventos-creativos

Posted on 28-Nov-2014

DESCRIPTION

Talk given by José Selvi at the IV Curso de Verano de Seguridad Informática (4th Summer Course on Computer Security) of the Universidad Europea de Madrid.

TRANSCRIPT

Page 1: Auditing Mobile Applications

*[ AUDITING MOBILE APPLICATIONS ]

Author: Jose Selvi Date: 30/Jun/2011

Page 3: Auditing Mobile Applications

INDEX

Apps Revolution

Divide & Conquer (D&C)

Mobile Networking

Server Side

Client Side

What’s Up with WhatsApp

Page 4: Auditing Mobile Applications

APPS REVOLUTION

Pages 5–6: Auditing Mobile Applications

“OLD SCHOOL” APPS

Pages 7–9: Auditing Mobile Applications

WEBSITE FEVER

Pages 10–14: Auditing Mobile Applications

MOBILE FEVER

Page 15: Auditing Mobile Applications

APPLICATIONS EVOLUTION 2010

Page 16: Auditing Mobile Applications

DIVIDE & CONQUER (D&C)

AND MORE

Pages 17–21: Auditing Mobile Applications

MOBILE LAB (diagram built up over slides 17–21: CLIENT, NETWORK, SERVER)

CLIENT
• Phone full control
• SW full control
• We’re able to change config and software

NETWORK
• Some ways
• We’re able to control the network
• Sometimes hard and expensive

SERVER
• We CAN’T change the server
• We CAN’T have a look at the software
• Black Box Testing

Page 22: Auditing Mobile Applications

JAILBREAK / ROOTING

Sometimes emulator r00lz!
• Android Emulator (SDK)
• iOS Simulator (SDK)

But sometimes not...

We don’t have full built-in control. Maybe we should...
• iOS Jailbreak
• Android Rooting

Page 23: Auditing Mobile Applications

MOBILE NETWORKING

Page 24: Auditing Mobile Applications

MULTI-CHANNEL!

Page 25: Auditing Mobile Applications

MOBILE LAB

Page 26: Auditing Mobile Applications

MAN-IN-THE-MIDDLE

msf auxiliary(fakedns) >
[*] DNS bypass domain api.facebook.com resolved 66.220.146.36
[*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30
[*] DNS bypass domain m.facebook.com resolved 66.220.158.26

Pages 27–41: Auditing Mobile Applications

“FAKE” DNS (diagram built up over slides 27–41)

Nodes: 10.10.10.10; 20.20.20.20 (DNS SERVER); phone configured as IP: 20.20.20.10, MASK: 255.255.255.0, GW: 20.20.20.1, DNS: 20.20.20.20.

Query: whois www.google.com? → Answer: www.google.com = 74.125.39.104

Query: whois api.facebook.com? → Answer: api.facebook.com = 20.20.20.20

Slide 41 adds a PROXY to the diagram.

Pages 42–44: Auditing Mobile Applications

REDIRECT TRICK (diagram built up over slides 42–44)

Nodes: 10.10.10.10; PROXY; 20.20.20.20; phone configured as IP: 20.20.20.10, MASK: 255.255.255.0, GW: 20.20.20.20, DNS: 8.8.8.8 (the phone’s gateway now points at 20.20.20.20).

Pages 45–46: Auditing Mobile Applications

SSL/HTTPS (diagram)

Nodes: 10.10.10.10; PROXY; phone configured as IP: 20.20.20.10, MASK: 255.255.255.0, GW: 20.20.20.20, DNS: 8.8.8.8. Slide 46 adds: CERT.

Pages 47–58: Auditing Mobile Applications

PKI: Public Key Infrastructure (diagram built up over slides 47–58)

Actors: CA (PUB, PRIV); SERVER (PUB, PRIV); CLIENT, holding the public keys of the CAs it trusts (CA1 ... PUB).

Steps shown: the SERVER hands its INFO and PUB key to the CA (INFO CERT); the CA computes a DIGEST over them and signs it with its PRIV key (SIGNED DIGEST), which together with INFO and PUB forms the CERT; the CLIENT recomputes the digest (DIGEST’) from the CERT it receives and checks it against the SIGNED DIGEST using the CA’s PUB key.

Page 59: Auditing Mobile Applications

Real Certificate Sample

Pages 60–66: Auditing Mobile Applications

SSL/HTTPS (diagram built up over slides 60–66)

Nodes: 10.10.10.10; PROXY; phone configured as IP: 20.20.20.10, MASK: 255.255.255.0, GW: 20.20.20.20, DNS: 8.8.8.8.

Slide 61 adds the server’s CERT; slide 62 adds FAKE CERT and FAKE CA; slides 63–66 keep both CERT and FAKE CERT in the diagram.

Page 67: Auditing Mobile Applications

IMPORT CERTIFICATES

iPhone / iPad
• Export from proxy (Burp, ...) or build your own (openssl, ...).
• iPhone Configuration Utility

Android
• Only VPN certs, not Web.
• Hard...
• Still Working...
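
The CA, SERVER and CLIENT boxes on slides 47–58, the FAKE CERT and FAKE CA drawn on slides 60–66, and the certificate import on slide 67 all describe one check: the client recomputes the digest of the certificate it was shown and verifies the signed digest against a CA public key it already trusts. The Go program below is an added example written for this page (it is not code from the talk or from any tool it mentions). Using only the standard library it builds a "real" CA and a "fake" one, issues a server certificate from each for a constructed host name (api.example.test; the CA names are constructed too), and runs the client-side check three times: the real CERT against a trust store holding only the real CA, the FAKE CERT against that same store, and the FAKE CERT again after the FAKE CA has been imported into the store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair (the PUB/PRIV boxes on the slides).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable in this demo
	}
	return k
}

// issue is the CA step on the slides: the subject's INFO and PUB key are hashed into
// a DIGEST and the DIGEST is signed with the signer's PRIV key, giving the CERT.
// CreateCertificate performs the hash-and-sign; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chain builds a self-signed CA named caName and a server CERT for host signed by it.
func chain(caName, host string) (caCert, serverCert *x509.Certificate, err error) {
	caKey, serverKey := newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if caCert, err = issue(caTmpl, nil, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverCert, err = issue(leafTmpl, caCert, &serverKey.PublicKey, caKey)
	return caCert, serverCert, err
}

// clientAccepts is the CLIENT step: recompute DIGEST' over the presented CERT, check
// the SIGNED DIGEST against each CA PUB in the trust store, and check that the name
// in the CERT is the host the app meant to reach.
func clientAccepts(trust []*x509.Certificate, cert *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	for _, t := range trust {
		roots.AddCert(t)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// outcome records the three situations drawn on the slides.
type outcome struct {
	RealAccepted, FakeRejected, FakeAcceptedAfterImport bool
}

func scenario() (outcome, error) {
	const host = "api.example.test" // constructed host name, not a real service
	realCA, realCert, err := chain("Real Root CA", host)
	if err != nil {
		return outcome{}, err
	}
	fakeCA, fakeCert, err := chain("Intercepting Proxy CA", host) // FAKE CA and FAKE CERT for the same name
	if err != nil {
		return outcome{}, err
	}
	store := []*x509.Certificate{realCA} // device trust store: only the real CA PUB
	o := outcome{
		RealAccepted: clientAccepts(store, realCert, host),
		FakeRejected: !clientAccepts(store, fakeCert, host),
	}
	// "IMPORT CERTIFICATES": the proxy's CA is added to the device trust store.
	store = append(store, fakeCA)
	o.FakeAcceptedAfterImport = clientAccepts(store, fakeCert, host)
	return o, nil
}

func main() {
	o, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The third case is what the IMPORT CERTIFICATES slide sets up for the lab, and it is also why the device trust store is an audit item in its own right: every CA the device trusts can vouch for every name. An app that pins the expected server certificate or public key instead of deferring to the device store still rejects the FAKE CERT in that third case.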

Page 68: Auditing Mobile Applications

BINGO!

Page 69: Auditing Mobile Applications

SERVER SIDE

Page 70: Auditing Mobile Applications

AS USUAL...

Browser, Nessus, Qualys, SQLMap, Metasploit, Backtrack, ...

Of course, your brain!

Page 71: Auditing Mobile Applications

CLIENT SIDE

Pages 72–76: Auditing Mobile Applications

iOS BINARY FORMAT

Pages 77–82: Auditing Mobile Applications

ANDROID BINARY FORMAT

App.java → App.class → App.dex
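
Slides 77–82 show the client-side artefact on Android: App.java is compiled to App.class and then converted to App.dex, and the dex file is what an auditor pulls off the device and works from. The Go program below is an added example, not code from the talk or from any tool it mentions. It parses and validates the fixed header of a dex image (magic, header_size, endian_tag, file_size, the Adler-32 checksum and the SHA-1 signature, with field layout as published for the dex format), runs over a header-only dex image that the program constructs itself as sample input, and shows that a single flipped byte is caught by the stored checksum.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/adler32"
)

const (
	dexHeaderSize = 0x70
	dexEndianTag  = 0x12345678
)

// dexHeader mirrors the fixed 0x70-byte header_item at the start of a classes.dex
// (field order and widths as in the published dex format; little-endian integers).
type dexHeader struct {
	Magic                       [8]byte  // "dex\n" + 3-digit version + NUL
	Checksum                    uint32   // Adler-32 over bytes 12..EOF
	Signature                   [20]byte // SHA-1 over bytes 32..EOF
	FileSize, HeaderSize        uint32
	EndianTag                   uint32
	LinkSize, LinkOff           uint32
	MapOff                      uint32
	StringIdsSize, StringIdsOff uint32
	TypeIdsSize, TypeIdsOff     uint32
	ProtoIdsSize, ProtoIdsOff   uint32
	FieldIdsSize, FieldIdsOff   uint32
	MethodIdsSize, MethodIdsOff uint32
	ClassDefsSize, ClassDefsOff uint32
	DataSize, DataOff           uint32
}

// parseDex decodes and validates the header of an in-memory dex image: magic,
// header_size, endian_tag, file_size, then the Adler-32 checksum and the SHA-1
// signature. A truncated, corrupted or repacked file fails here before any class
// data is trusted.
func parseDex(img []byte) (*dexHeader, error) {
	if len(img) < dexHeaderSize {
		return nil, errors.New("dex: image shorter than header")
	}
	var h dexHeader
	if err := binary.Read(bytes.NewReader(img[:dexHeaderSize]), binary.LittleEndian, &h); err != nil {
		return nil, err
	}
	if string(h.Magic[:4]) != "dex\n" || h.Magic[7] != 0 {
		return nil, errors.New("dex: bad magic")
	}
	if h.HeaderSize != dexHeaderSize || h.EndianTag != dexEndianTag {
		return nil, fmt.Errorf("dex: header_size 0x%x / endian_tag 0x%x not supported", h.HeaderSize, h.EndianTag)
	}
	if int(h.FileSize) != len(img) {
		return nil, fmt.Errorf("dex: file_size %d != image length %d", h.FileSize, len(img))
	}
	if got := adler32.Checksum(img[12:]); got != h.Checksum {
		return nil, fmt.Errorf("dex: checksum 0x%08x in header, 0x%08x computed", h.Checksum, got)
	}
	if sha1.Sum(img[32:]) != h.Signature {
		return nil, errors.New("dex: SHA-1 signature mismatch")
	}
	return &h, nil
}

// buildSampleDex constructs a minimal header-only dex image (no strings, types or
// classes) with a correct checksum and signature. It is constructed sample input for
// this example, not a real app's classes.dex.
func buildSampleDex() []byte {
	h := dexHeader{FileSize: dexHeaderSize, HeaderSize: dexHeaderSize, EndianTag: dexEndianTag}
	copy(h.Magic[:], "dex\n035\x00")
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, &h); err != nil {
		panic(err)
	}
	img := buf.Bytes()
	sig := sha1.Sum(img[32:]) // signature first: it is itself covered by the checksum
	copy(img[12:32], sig[:])
	binary.LittleEndian.PutUint32(img[8:12], adler32.Checksum(img[12:]))
	return img
}

// checkTampering parses the sample, then flips one byte in the header body and
// parses again; it returns the dex version string and whether the altered copy
// was rejected.
func checkTampering() (version string, tamperedRejected bool, err error) {
	img := buildSampleDex()
	h, err := parseDex(img)
	if err != nil {
		return "", false, err
	}
	bad := append([]byte(nil), img...)
	bad[dexHeaderSize-1] ^= 0xff // corrupt data_off; the stored checksum no longer matches
	_, badErr := parseDex(bad)
	return string(h.Magic[4:7]), badErr != nil, nil
}

func main() {
	v, rejected, err := checkTampering()
	if err != nil {
		panic(err)
	}
	fmt.Printf("dex version %s parsed; tampered copy rejected: %v\n", v, rejected)
}
```

Both integrity fields are plain hashes, not signatures: they tell you whether the file you are holding is internally consistent, not who produced it. Authorship of an Android package is established by the APK signature that wraps the dex, which is why comparing the dex checksum against a known build and checking the APK signature are separate steps in a client-side review.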

Page 83: Auditing Mobile Applications

PUT ALL TOGETHER!

Page 84: Auditing Mobile Applications

CRACKING VERIFYCERT

www.s21sec.com

Reference: 2011010727 Title: Good Infrastructure Analysis Client: Ankara Page: 34/51

CONFIDENTIAL

Because of this weakness, an intruder who compromised any of the servers in Good's NOC, or any piece of network equipment at the ISPs traversed by the data flow, would be able to send malformed data in an attempt to exploit vulnerabilities in the software and thus compromise Ankara's internal network. On the other hand, the GMM component checks the validity of the certificates through their signature (PKI infrastructure). No evidence could be found of the existence of the CA's private key, as happened in the previous case, so in order to perform the Man-in-the-

certificates as valid), something that an attacker without prior control of the machine obviously could not do, but which puts us in the position of an intruder who had previously compromised Good's NOC. On this occasion, since the SSL certificates could not be defeated, compromising some of the intermediate routers would NOT be enough, as it WAS in the previous case.

Pages 85–86: Auditing Mobile Applications

WHAT’S UP WITH WHATSAPP?

Page 87: Auditing Mobile Applications

KNOWN WHATSAPP ISSUES

Unencrypted Traffic
• But using 443 tcp port...

Storing ALL conversation FOREVER

Storing GPS position!
• WTF!!
• Why??!!

Much more...

Great research from SecurityByDefault guys!

Page 88: Auditing Mobile Applications

WHATSAPP HIJACKING

Page 89: Auditing Mobile Applications

ALERT! SPAM!

SEC-560: Network Penetration Testing and Ethical Hacking

Page 91: Auditing Mobile Applications

*[ THANKS! SEE YOU! ]
