© Blueinfy Solutions
Mobile Security chess board -‐ A4acks & Defense
© Blueinfy Solutions
Who Am I? • Hemil Shah – [email protected] • Co-‐CEO & Director, Blueinfy Solu>ons • Past experience
– eSphere Security, HBO, KPMG, IL&FS, Net Square • Interest
– ApplicaIon security research • Published research
– ArIcles / Papers – Packstroem, etc. – Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. – Mobile Tools – FSDroid, iAppliScan, DumpDroid
[email protected] h4p://www.blueinfy.com Blog – h4p://blog.blueinfy.com/
© Blueinfy Solutions
About
• Global experience worked clients based in USA, UAE, Europe and Asia-‐pac. • Clients/Partners include Fortune 100 companies. • Delivery model and support
• Blackbox and Whitebox – Scanners and Code Analyzers • Scanning tools and technology (15 years)
• Strong and tested with Fortune clients • Integrated in SDLC • Help client in miIgaIng or lowering down the Risk by improving process
• In house R&D team for last 7 years • Papers and PresentaIons at conference like RSA, Blackhat, HITB, OWASP etc. • Books wri4en and used as security guides
Know-‐How Methods & Approach
Global Delivery & Team
Technology
Ø BBC Ø Dark Readings Ø Bank Technology Ø SecurityWeek Ø MIT Technology Review
ApplicaIon Security
© Blueinfy Solutions
Mobile Apps
© Blueinfy Solutions
Market Share
© Blueinfy Solutions
Mobile Top 10 -‐ OWASP • Weak Server Side Controls • Insecure Data Storage • Insufficient Transport Layer ProtecIon • Unintended Data Leakage • Poor AuthorizaIon and AuthenIcaIon • Broken Cryptography • Client Side InjecIon • Security Decisions Via Untrusted Inputs • Improper Session Handling • Lack of Binary ProtecIons Contributor : Nvisium Security, HP Fortify, Andreas
Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
© Blueinfy Solutions
Enterprise Mobile Cases
© Blueinfy Solutions
E-‐commerce
• Typical applicaIon making server side calls • Security issues and hacks
– Credit card and Private data storage with poor crypto – SQLite hacks – SQL injecIon over JSON – Ajax driven XSS – Several XSS with Blog component – Several informaIon leaks through JSON fuzzing
• Server side scan with tools/products failed
© Blueinfy Solutions
Banking ApplicaIon
• Scanning applicaIon for vulnerabiliIes • Typical banking running with middleware • VulnerabiliIes – Mobile interface
– Poor encoding to store SSN and PII informa>on locally
– Very sensi>ve transac>on informa>on stored locally
– Default OS Behavior leaking informa>on – CredenIals submi4ed in GET request – Keys/session stored in keychain file
© Blueinfy Solutions
Social ApplicaIon
• Social ApplicaIon on mulIple plagorms – ApplicaIon leverages browser component as part of the mobile
– Common code base for all plagorms – Vulnerable
• Bypass Profile validaIon (Logical) and unique device installaIon
• Screenshot revealing sensi>ve informa>on • Default OS Behavior leaking informa>on • PresentaIon layer (XSS and CSRF) • Unencrypted Communica>on channel
© Blueinfy Solutions
Postmortem
• One pa4ern in all the reviews -‐ SOME INFORMATION WAS STORED LOCALLY
• More than 99% of the applicaIon review has the LOCAL STORAGE issue as we saw in stats.
• Server side and logical issues are sIll hard to find but have biggest impact.
© Blueinfy Solutions
Mobile Threats and Risk
© Blueinfy Solutions
A4acks on Mobile • No JailBreak Required • Ease of attack -
Airports/Public places
© Blueinfy Solutions
Why should I worry?
• We have MDM in place • We do not allow any JailBreak or rooted device in our environment with MDM
• We have strict policy enforced and all our devices are forced to have password lock
• May or may not have BYOD • OS provides encrypIon
© Blueinfy Solutions
Mobile A4acks
• So What a4acks are we talking about? • Privacy becomes important along with the Security in mobile space
• It is MOBILE so chances of loosing device or someone gemng physical access to it is MUCH MUCH higher than the other devices
© Blueinfy Solutions
ExploitaIon
• Physical Then • Temporary physical access • Malware • Malicious ApplicaIons • Lack of standardize security review process • JailBreak/Rooted devices
© Blueinfy Solutions
What can be done???
• InformaIon found in local storage with default OS behavior –
• Changing OS behavior -‐ • Server side exploitaIon – • XSS in Mobile Hybrid applicaIon –
© Blueinfy Solutions
Technology Trends
© Blueinfy Solutions
Mobile Infrastructure
www mail
intranet router DMZ
Internet
VPN
Dial-up
Other Offices
Exchange firewall
Database RAS
© Blueinfy Solutions
Mobile App Environment
Web Server
Static pages only (HTML,HTM, etc.) Web
Client
Scripted Web
Engine Dynamic pages
(ASP,DHTML, PHP, CGI, etc.)
ASP.NET on .Net Framework, J2EE App Server,
Web Services, etc.
Application Servers
And Integrated Framework
Internet DMZ Trusted
W E B S E R V I C E S
Mobile
SOAP/JSON etc.
DB
X
Internal/Corporate
© Blueinfy Solutions
Mobile Architecture
Presentation Layer
Business Layer
Data Access Layer Authentication
Communication etc.
Runtime, Platform, Operating System Components
Server side Components
Client side Components (Browser)
• HTML 5
• DOM
• XHR
• WebSocket
• Storage • WebSQL
• Flash
• Flex
• AMF
• Silverlight • WCF
• XAML
• NET
• Storage
• JS
• Android
• iPhone/Pad
• Other Mobile
© Blueinfy Solutions
Game is complex – Chess
© Blueinfy Solutions
Challenges
© Blueinfy Solutions
Challenges
• Different code base • Achieve things with single click • Vendor review process -‐ Not transparent – Can we rely on it???
• Decrease transacIon Ime • CompeIIon • Rapid business requirement results in high frequency of updates
© Blueinfy Solutions
Frequency of updates
• Very High compare to Web ApplicaIons • Usually, 4-‐5 updates in a year for web applicaIons or even less at Imes
• Usually, 10-‐12 updates in mobile applicaIons or even more in some cases
• We all have accepted that applicaIon needs to be reviewed before going to producIon – DID WE???
© Blueinfy Solutions
Frequency of Updates
Application Name
Number of Releases in
iOS
Number of Releases in
Android Facebook 19 34
Twitter 22 25
Chase Bank 9 2
eBay 9 4
Amazon 10 3
Temple Run 2 12 10
FB Messenger 12 10
Whatsapp 4 154
skype 8 6
© Blueinfy Solutions
Mobile A4acks
• So What a4acks are we talking about? • Privacy becomes important along with the Security in mobile space
• It is MOBILE so chances of loosing device or someone gemng physical access to it is MUCH MUCH higher than the other devices
© Blueinfy Solutions
Mobile Top 10 -‐ OWASP • Weak Server Side Controls • Insecure Data Storage • Insufficient Transport Layer ProtecIon • Unintended Data Leakage • Poor AuthorizaIon and AuthenIcaIon • Broken Cryptography • Client Side InjecIon • Security Decisions Via Untrusted Inputs • Improper Session Handling • Lack of Binary ProtecIons Contributor : Nvisium Security, HP Fortify, Andreas
Athanasoulias & Syntax IT, eSphere Security, Godfrey Nolan and RIIS (Research Into Internet Systems), Arxan Technologies Ref - https://www.owasp.org/index.php/Mobile_Top_Contributions
© Blueinfy Solutions
Top 5 vulnerability
• From the stats of eSphere data -‐
0 10 20 30 40 50 60 70 80 90 100
Local Storage
Sensitive Information stored in Logs/Default OS Behaviour
Copy/Paste enabled in sensitive fields - Privacy issue
Cross Site Scripting
SQL Injection over JSON or other streams
© Blueinfy Solutions
Mobile A4acks
© Blueinfy Solutions
Weak Server Side Controls
© Blueinfy Solutions
Server Side Issues
• Most ApplicaIon makes server side calls to either web services or some other component. Security of server side component is equally important as client side
• Controls to be tested on the server side – Security Control Categories for Server Side ApplicaIon– AuthenIcaIon, Access Controls/AuthorizaIon, API misuse, Path traversal, SensiIve informaIon leakage,
© Blueinfy Solutions
Server Side Issues
• Error handling, Session management, Protocol abuse, Input validaIons, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code InjecIon, SQL injecIon, XPATH and LDAP injecIons, OS command injecIon, Parameter manipulaIons, BruteForce, Buffer Overflow, HTTP response splimng, HTTP replay, XML injecIon, CanonicalizaIon, Logging and audiIng.
© Blueinfy Solutions
Insecure Data Storage
© Blueinfy Solutions
Insecure Storage
• How a4acker can gain access • Wifi • Default password aner jail breaking (alpine) • Adb over wifi • Physical Then • Temporary access to device
© Blueinfy Solutions
What
• What informaIon – AuthenIcaIon CredenIals – AuthorizaIon tokens – Financial Statements – Credit card numbers – Owner’s InformaIon – Physical Address, Name, Phone number
– Social Engineering Sites profile/habbits – SQL Queries
© Blueinfy Solutions
Insufficient Transport Layer ProtecIon
© Blueinfy Solutions
Insecure Network Channel
• Easy to perform MiM a4acks as Mobile devices uses untrusted network i.e open/Public WiFi, HotSpot, Carrier’s Network
• ApplicaIon deals with sensiIve data i.e. • AuthenIcaIon credenIals • AuthorizaIon token • PII InformaIon (Privacy ViolaIon) (Owner Name,
Phone number, UDID)
© Blueinfy Solutions
Insecure Network Channel
• Can sniff the traffic to get an access to sensiIve data
• SSL is the best way to secure communicaIon channel
• Common Issues • Does not deprecate HTTP requests • Allowing invalid cerIficates • SensiIve informaIon in GET requests
© Blueinfy Solutions
Session token
© Blueinfy Solutions
Unintended Data Leakage
© Blueinfy Solutions
Unintended Data Leakage
• Plagorm issues – sandboxing or disable controls • Cache • Logs, Keystrokes, screenshots etc. • Temp files
• 3rd Party libs (AD networks and analyIcs)
© Blueinfy Solutions
Data Leakage
• Default OS behavior aner iOS 4.0 to cache all the URLS (Request/Response) in the local storage in file named cache.db file
• Cache.db file is not encrypted • By default, applicaIon takes last screenshot
and saves it in to file system when user presses home bu4on
© Blueinfy Solutions
Poor AuthorizaIon and AuthenIcaIon
© Blueinfy Solutions
AuthorizaIon & AuthenIcaIon
• No password complexity specially on mobile • Hidden/No Logout bu4on • Long session Ime out • No account lock out • AuthorizaIon flags or based on the local
storage
© Blueinfy Solutions
Broken Cryptography
© Blueinfy Solutions
Cryptography
• Broken implementaIon • Hash/Encoding used in place of encrypIon • Client side script in place of SSL
© Blueinfy Solutions
Client Side InjecIon
© Blueinfy Solutions
SQL InjecIon in Local database
• Most Mobile plagorms uses SQLite as database to store informaIon on the device
• Using any SQLite Database Browser, it is possible to access database logs which has queries and other sensiIve database informaIon
• In case applicaIon is not filtering input, SQL InjecIon on local database is possible
© Blueinfy Solutions
Security Decisions Via Untrusted Inputs
© Blueinfy Solutions
Untrusted Source
• Any input from client side which can be modified
• Mainly authenIcaIon and authorizaIon decisions based on the untrusted input
• Easiest way for developer to solve complex issues/funcIonality
• A4acker can get this informaIon by either reverse engineering applicaIon or by checking local storage
© Blueinfy Solutions
KeyChain Dumper
• Easy as running a command • Upload on to server in /var directory • Give execute permission
• Chmod +x /var/keychain_dumper
• Get all the keys • ./keychain_dumper
© Blueinfy Solutions
Improper Session Handling
© Blueinfy Solutions
Improper Session
• Session is key for any applicaIon for authorizaIon
• Session is stored in binary format but can be easily reversible
• ApplicaIon is sending sensiIve informaIon in GET request (Be it on HTTP or HTTPS)
© Blueinfy Solutions
Lack of Binary protecIon
© Blueinfy Solutions
Lack of Binary ProtecIon • Apple signs and encrypts all the binaries • SIll strings can be retrieved from the binary • Storing EncrypIon and DecrypIon keys in
the client side is sIll a problem
© Blueinfy Solutions
AutomaIon in ApplicaIon Reviews
© Blueinfy Solutions
Manual Review
• Looking for informaIon in local storage manually is really – – Time Consuming – Tedious – Prone to be false negaIves (how accurately you can check files more than once in an hour and file formats are different)
© Blueinfy Solutions
Manual Review -‐ iOS
© Blueinfy Solutions
What do we need
• AutomaIon!!! • AutomaIon!!! • AutomaIon!!! • AutomaIon!!! • AutomaIon!!! • Unfortunately no complete automaIon is available today BUT some of the tools which can be handy are -‐
© Blueinfy Solutions
Snoop-‐it
• The only tool today to automate iOS applicaIon reviews
• Very handy and gives perfect pointer where to look for
• A long way to go for automaIon like web
© Blueinfy Solutions
Snoop-‐it (Cont…) • Snoop-‐it helps you monitor –
– File system access – Keychain access – HTTP(S) connecIons – Access to sensiIve API – Debug outputs – Tracing App internals
© Blueinfy Solutions
Snoop-‐it (Cont…) • Along with Monitoring, snoop-‐it allows to -‐
– Fake hardware idenIfier – Fake locaIon/GPS data – Explore and force display of available ViewController
– List custom URL schemes – List available ObjecIve-‐C classes, objects and methods
– Bypass basic jailbreak detecIon mechanisms
© Blueinfy Solutions
Snoop-‐it
© Blueinfy Solutions
iAppliScan
• iAppliScan allows you to automate iOS applicaIon review.
• InteresIng features – – Look for sensiIve informaIon in files/directories – Find whether parIcular file exist or not – Download file for further analysis – Run external command
© Blueinfy Solutions
iAppliScan
© Blueinfy Solutions
Review without JailBreak
© Blueinfy Solutions
Reviewing without jailbreaking
• Is it really possible to review applicaIon with out jailbreaking ?
• “YES” • “YES” • “YES” • “YES”
© Blueinfy Solutions
Reviewing without jailbreaking
• Plenty of tools available (Specially for Forensic) to brows the applicaIon directory without jailbreaking.
• iFunBox allows to view files on the device without jailbreak
• Displays applicaIon’s permissions • Browse the installed applicaIon directory
© Blueinfy Solutions
Reviewing without jailbreaking
• Copy the enIre applicaIon directory mulIple Imes
• Look for sensiIve informaIon in the files • Use Proxy on non-‐jailbreak device to check all server side a4acks.
© Blueinfy Solutions
Reviewing with iFunbox
© Blueinfy Solutions
AutomaIon in Android
© Blueinfy Solutions
Manual Review -‐ Android
© Blueinfy Solutions
FSDroid
• Leverages SDK Class – No hacks in here!!! • FSDroid can –
– Monitor file system – Can write filter to monitor parIcular directory – Can save last 5 reports for future use – Does not need mobile device – can run on Emulator smoothly
– Easy to run (As easy as giving directory name and pressing start bu4on)
© Blueinfy Solutions
File System Monitoring Demo
© Blueinfy Solutions
Looking in to Code
© Blueinfy Solutions
Static Code Analysis
• Introduce in Mac OS X v10.6, XCode 3.2, Clang analyzer merged into XCode. • Memory leakage warning • Run from Build->Analyze • Innovative shows you complete flow of
object start to end • Configure as a automatic analysis
during build process
© Blueinfy Solutions
StaIc Code Analysis
PotenIal Memory Leak
© Blueinfy Solutions
StaIc Code Analysis
Dead store – variable never used
© Blueinfy Solutions
Code Analysis with AppCodeScan
• Semi automated tool • Ability to expand with custom rules • Simple tracing uIlity to verify and track vulnerabiliIes
• Simple HTML reporIng which can be converted to PDF
© Blueinfy Solutions
AppCodeScan
• SophisIcated tool consist of two components • Code Scanning • Code Tracer
• Allows you to trace back the variable • AppCodeScan is not complete automated staIc code analyzer.
• It only relies on regex and lets you find SOURCE of the SINK
© Blueinfy Solutions
Rules in AppCodeScan
• WriIng rules is very straight forward • In an XML file which is loaded at run Ime • This release has rules for iOS and Android for -‐ Local Storage, Unsafe APIs, SQL InjecIon, Network ConnecIon, SSL CerIficate Handling, Client Side ExploitaIon, URL Handlers, Logging, CredenIal Management and Accessing PII.
© Blueinfy Solutions
Sample Rules -‐ Android
© Blueinfy Solutions
Android DEMO
© Blueinfy Solutions
Sample Rules -‐ iOS
© Blueinfy Solutions
iOS DEMO
© Blueinfy Solutions
Debuggable flag in Android • One of the key a4ribute in android manifest file
• Under “applicaIon” secIon • Describes debugging in enabled • If “Debuggable”a4ribute is set o true, the applicaIon will try to connect to a local unix socket “@jdwp-‐control”
• Using JDWP, It is possible to gain full access to the Java process and execute arbitrary code in the context of the debugable applicaIon
© Blueinfy Solutions
CheckDebuggable Script
• Checks in APK whether debuggable is enabled • Script can be found at – h4p://www.espheresecurity.com/resourcestools.html
• Paper can be found at -‐ h4p://www.espheresecurity.com/CheckDebuggable.pdf
© Blueinfy Solutions
Conclusion