auditing mobile applications
DESCRIPTION
Talk given by José Selvi at the IV Summer Course on Computer Security (IV Curso de Verano de Seguridad Informática) of the Universidad Europea de Madrid.
TRANSCRIPT
*[ AUDITING MOBILE APPLICATIONS ]
Author: Jose Selvi
Date: 30/Jun/2011
$ WHOIS JSELVI
Jose Selvi
http://twitter.com/JoseSelvi
[email protected]
http://www.pentester.es
[email protected]
http://www.s21sec.com
INDEX
Apps Revolution
Divide & Conquer (D&C)
Mobile Networking
Server Side
Client Side
What’s Up with WhatsApp
APPS REVOLUTION
“OLD SCHOOL” APPS
WEBSITE FEVER
MOBILE FEVER
APPLICATIONS EVOLUTION 2010
DIVIDE & CONQUER (D&C)
AND MORE
MOBILE LAB
[Diagram: CLIENT (the phone) talking to SERVER over the NETWORK; the lab gives us three places to sit: the client, the network, and the server.]
Some ways
• Network: we’re able to control the network, but it is sometimes hard and expensive.
• Phone full control / SW full control: we’re able to change config and software.
• Server: we CAN’T change the server and we CAN’T have a look at the software, so it is Black Box Testing.
NETWORK
JAILBREAK / ROOTING
Sometimes emulator r00lz!
• Android Emulator (SDK)
• iOS Simulator (SDK)
But sometimes not...
We don’t have full built-in control. Maybe we should...
• iOS Jailbreak
• Android Rooting
MOBILE NETWORKING
MULTI-CHANNEL!
MOBILE LAB
MAN-IN-THE-MIDDLE
msf auxiliary(fakedns) >
[*] DNS bypass domain api.facebook.com resolved 66.220.146.36
[*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30
[*] DNS bypass domain m.facebook.com resolved 66.220.158.26
“FAKE” DNS
[Diagram sequence: the phone is configured with IP 20.20.20.10, MASK 255.255.255.0, GW 20.20.20.1 and DNS 20.20.20.20, where 20.20.20.20 is our “fake” DNS SERVER; the real host 10.10.10.10 is also shown. When the phone asks “¿whois www.google.com?”, the fake DNS answers honestly: www.google.com = 74.125.39.104. When it asks “¿whois api.facebook.com?”, the fake DNS answers with itself: api.facebook.com = 20.20.20.20, so the app’s traffic for that domain ends up at our machine.]
PROXY
REDIRECT TRICK
[Diagram sequence: the phone keeps a real resolver (DNS: 8.8.8.8) but its default gateway is set to our PROXY host (IP 20.20.20.10, MASK 255.255.255.0, GW 20.20.20.20, DNS 8.8.8.8); the PROXY at 20.20.20.20 redirects the traffic addressed to 10.10.10.10 through itself.]
SSL/HTTPS
[Diagram: same lab (phone 20.20.20.10, GW 20.20.20.20, DNS 8.8.8.8, PROXY in the middle, server 10.10.10.10), now with the server presenting its CERT over SSL/HTTPS.]
CERT
PKI: Public Key Infrastructure
[Diagram sequence, one step per slide: the CA has a PUB/PRIV key pair, the SERVER has a PUB/PRIV key pair, and the CLIENT holds the PUB keys of several CAs (CA1, ...). The server sends its INFO plus its PUB key to the CA; the CA computes a DIGEST of that INFO and signs it with its PRIV key, producing the SIGNED DIGEST that goes into the certificate. The CLIENT receives INFO + PUB + SIGNED DIGEST, recovers the DIGEST from the SIGNED DIGEST with the CA1 PUB key it already trusts, recomputes DIGEST’ over the INFO itself, and accepts the certificate only if DIGEST equals DIGEST’.]
Real Certificate Sample
SSL/HTTPS
[Diagram sequence: same lab (phone 20.20.20.10, GW 20.20.20.20, DNS 8.8.8.8, PROXY in the middle, server 10.10.10.10). The server presents its real CERT to the PROXY; the PROXY presents a FAKECERT, signed by our own FAKECA, to the phone. The phone only accepts the FAKECERT if the FAKECA is in its trust store.]
IMPORT CERTIFICATES
iPhone / iPad
• Export from proxy (Burp, ...) or build (openssl, ...).
• iPhone Configuration Utility
Android
• Only VPN certs, not Web.
• Hard...
• Still Working...
BINGO!
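The PKI slides above (DIGEST, SIGNED DIGEST, DIGEST’) and the IMPORT CERTIFICATES step are the same mechanism seen from two sides, so here is one added example that walks through both. It is not code from the talk: it is a toy PKI in Python where a CA signs the digest of the certificate INFO, and the client recomputes DIGEST’ and checks it against the DIGEST recovered with the issuer’s public key from its trust store. Key generation is textbook RSA over freshly generated 256-bit primes with no padding, which is enough to show the check but is not usable as a real signature scheme; the names “Real CA”, “FAKE CA” and “api.example.test” are constructed placeholders.

```python
"""Toy PKI: how a client checks a certificate against its trust store.

Added educational example, not code from the original talk. Textbook RSA
without padding, for illustration only.
"""
import hashlib
import json
import random

_rng = random.Random(2011)  # fixed seed so the example is reproducible
_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Return (pub, priv) as ((e, n), (d, n)); n is larger than a SHA-256 digest."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(info):
    """DIGEST of the certificate INFO: SHA-256 over canonical JSON, as an int."""
    raw = json.dumps(info, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def issue_cert(ca_name, ca_priv, subject, subject_pub):
    """The CA signs the digest of INFO with its private key -> SIGNED DIGEST."""
    info = {"subject": subject, "issuer": ca_name, "pub": list(subject_pub)}
    d, n = ca_priv
    return {"info": info, "signed_digest": pow(_digest(info), d, n)}


def verify_cert(cert, trust_store, expected_subject):
    """Client side: recover DIGEST from SIGNED DIGEST with the issuer's public
    key (only if that issuer is in the trust store) and compare with DIGEST'."""
    info = cert["info"]
    if info["subject"] != expected_subject:
        return False
    ca_pub = trust_store.get(info["issuer"])
    if ca_pub is None:  # unknown issuer: nothing to check the signature against
        return False
    e, n = ca_pub
    return pow(cert["signed_digest"], e, n) == _digest(info)


def demo():
    """Real CA vs. FAKECA, before and after the 'import certificates' step."""
    ca_pub, ca_priv = gen_keypair()
    fake_pub, fake_priv = gen_keypair()
    srv_pub, _ = gen_keypair()
    proxy_pub, _ = gen_keypair()
    host = "api.example.test"  # constructed placeholder hostname
    real_cert = issue_cert("Real CA", ca_priv, host, srv_pub)
    fake_cert = issue_cert("FAKE CA", fake_priv, host, proxy_pub)
    trust_store = {"Real CA": ca_pub}  # what the device ships with
    results = {"real_cert": verify_cert(real_cert, trust_store, host),
               "fake_cert_before_import": verify_cert(fake_cert, trust_store, host)}
    trust_store["FAKE CA"] = fake_pub  # the IMPORT CERTIFICATES step
    results["fake_cert_after_import"] = verify_cert(fake_cert, trust_store, host)
    # Altered INFO with the old signature: DIGEST' no longer matches DIGEST.
    tampered = {"info": dict(real_cert["info"], pub=list(proxy_pub)),
                "signed_digest": real_cert["signed_digest"]}
    results["tampered_cert"] = verify_cert(tampered, trust_store, host)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'}")
```

Running the block shows the proxy’s FAKECERT rejected while only “Real CA” is trusted and accepted once “FAKE CA” is imported, which is exactly why the lab needs that import step and, from the defender’s side, why the device trust store is the boundary the app relies on.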
SERVER SIDE
AS USUAL...
Browser
Nessus
Qualys
SQLMap
Metasploit
Backtrack
...
Of course, your brain!
CLIENT SIDE
iOS BINARY FORMAT
ANDROID BINARY FORMAT
App.java → App.class → App.dex
PUT ALL TOGETHER!
CRACKING VERIFYCERT
www.s21sec.com
Reference: 2011010727 Title: Good Infrastructure Analysis Client: Ankara Page: 34/51
CONFIDENTIAL
Because of this weakness, an intruder who compromised any of the servers in Good’s NOC, or any piece of network equipment belonging to the ISPs traversed by the data flow, would be able to send malformed data in an attempt to exploit vulnerabilities in the software and thereby compromise Ankara’s internal network. On the other hand, the GMM component checks the validity of certificates through their signature (PKI infrastructure). No evidence could be found of the existence of the CA’s private key, as happened in the previous case, so in order to carry out the Man-in-the-
certificates as valid), something an attacker without prior control of the machine obviously could not do, but which places us in the position of an intruder who had previously compromised Good’s NOC. On this occasion, since the SSL certificates could not be broken, compromising some of the intermediate routers would NOT be enough, as it WAS in the previous case.
WHAT’S UP WITH WHATSAPP?
KNOWN WHATSAPP ISSUES
Unencrypted Traffic
• But using 443 tcp port...
Storing ALL conversation FOREVER
Storing GPS position!
• WTF!!
• Why??!!
Much more...
Great research from SecurityByDefault guys!
WHATSAPP HIJACKING
ALERT! SPAM!
SEC-560: Network Penetration Testing and Ethical Hacking
THANKS! QUESTIONS?
Jose Selvi
http://twitter.com/JoseSelvi
[email protected]
http://www.pentester.es
[email protected]
http://www.s21sec.com
*[ THANKS! SEE YOU! ]