manage mobile security incidents like a boss manage mobile security incidents like a boss ismail...
Post on 16-May-2020
Embed Size (px)
Manage Mobile Security Incidents Like A Boss
Kimberly Clark/Texas A&M
Legal Notice From My Lawyer
The opinions expressed in this presentation
represent my own and not my employers.
•Sr. Vulnerability Manager at Kimberly Clark. •Built and manages KCC's first vulnerability management program.
•Previously I worked at Yahoo! where I built and led global e- Crime investigations and incident response teams. I received Yahoo! Hackovation and Yahoo! Excellence awards for his innovative work in successful operations against fake customer care centers.
•Adjunct faculty at the Texas A&M University and teach computer science courses.
•Completed Master of Science in Computer science and hold degrees in Mathematics and Electronics engineer. Currently working towards MBA at UT Dallas.
•Mobile Industry In Numbers •Mobile Security In Numbers •Mobile Security vs PC Security •Mobile Vulnerability Triage
Mobile Industry In Numbers
• Google store has 1.6 million applications, and Apple store has 1.5 million applications.
• There are 102 billions mobile app download worldwide and 9 billions of them are paid apps.
• This generated 26 billions U.S. dollars..
NTX ISSA Cyber Security Conference – October 2-3, 2015 5
•Companies try to have mobile presence desperately and ask their IT departments or hire third parties to create mobile applications for their products, services and web sites.
• Companies would like to get their apps out as soon as possible like they wanted to have their websites without checking their security in 90s.
Mobile Security in Numbers
•# of software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year.
2007 2008 2009 2010 2011 2012 2013 2014 2015
2009 2010 2011 2012 2013 2014 2015
Mobile vs Traditional OS Vulnerability Type
iOS Vulnerabilities By Type
Windows 7 Vulnerabilities By Type
@NTXISSA #NTXISSACSC3 9
The Challenges For Incident Responders
•Vulnerability X works only in Android version Y and hardware is Samsung Model Z
•This could mean security teams needs to buy all those hardware.
•Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents as traditional web security incidents.
•These cause longer hours of work and potentially don’t help company to fix the issue.
Mobile vs PC Security
Lots of thing to figure out
Not capable tools
Harder. Old vulnerabilities
require new testing
Distributed No custom image
Good tools for testing
patch management tools,
Network Intrusion Harder LTE 4G 3G Established
e-Crime Apps store lots of
sensitive info including
birth date, banking credentials etc… CC is also stored
Similar to mobile
Physical Security Easy to steal Established
Mobile Vulnerability Triage
•Listening traffic •Web vulnerabilities, networking vulnerabilities
•SSL Vulnerabilities •SSL Validation •Hostname Mismatch
Mobile Vulnerability Triage
•Potential Solutions 1)Cloud Solutions
-Testroid -For pentest of apk files
-Not flexible -Networking issue to dump traffic (need to use VPN
otherwise no bridge mode for some corporate network )
Mobile Vulnerability Triage
•No need to install image/api/device images •Very flexible •Full emulator which actually runs on real firmware image. Other than hardware vulnerability we can find reproduce any vulnerability in our code
Creating Emulator and Virtual Devices
• AVD Manager
• The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.
• You can launch the AVD Manager in one of the following ways: • In Eclipse: select Window > Android Virtual Device Manager, or click the AVD
Manager icon in the toolbar. • In Android Studio: select Tools > Android > AVD Manager, or click the AVD
Manager icon in the toolbar. • In other IDEs: Navigate to your SDK's tools/ directory and execute android avd.
The Android SDK includes a mobile device emulator — a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device.
10.0.2.1 Router/gateway address
10.0.2.2 Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine)
10.0.2.3 First DNS server
10.0.2.4 / 10.0.2.5 / 10.0.2.6 Optional second, third and fourth DNS server (if any)
10.0.2.15 The emulated device's own network/ethernet interface
127.0.0.1 The emulated device's own loopback interface
• Sniff Traffic 1st way:
• $emulator -tcpdump pcapFile.pcap -avd myAvd
• Hints: There are other commands related with emulator: http://developer.android.com/tools/devices/emulator.html
• $telnet localhost portnumber • $network capture start pcapFile.pcap • $network capture stop
• Hints: There are other commands related telnet: • http://developer.android.com/tools/devices/emulator.html
Sniffing Traffic iOS Devices
• Connect iOS device into your Mac. • Find out iOS device’s UDID:
•Open iTunes •Find your device and find serial number •Click it, then you will see your UDID
• Go to your terminal and type ifconfig -l • Type rvictl –s UDID to start device • rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
• Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94 • [SUCCEEDED] • Type ifconfig –l You will see new interface i.e. rvi0 • Go to wireshark or do tcpdump to dump the traffic • sudo tcpdump –i rvi0 –w dump.dump
Validating SSL Vulnerabilities
•Download burpsuite and configure like this: •Click proxy tab and then click intercept tab. Make sure intercept is off.
•Go to options tab (still under proxy tab). Under proxy listener add your network device (by default it is only listening on localhost)
• By default burpsuite is act man in the middle for https connections. That means it sends its own cert to your mobile device and have deal with original https site by itself. Look below:
• • Iphone-Encrypted with BurpsuiteCA---BurpSuite- EncryptedWithBankingSiteCA---BankingSite
• This means your app should recognize this is not a valid cert for the site it originally request i.e. banking site and drop the connection. At a minimum, you should receive a warning from the app, but ideally you see no traffic as well. Many apps will just fail silently or complain of connection issues, which isn't ideal, but not "insecure" per se
• If you see any traffic in Burp suite that means your app has a validation problem.
Second vulnerability: HostName Mismatch
• Is the certificate's hostname verified by your application? •For this you will need to acquire a valid