mobile penetration testing: episode ii - attack of the code

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Episode II RETURN OF THE BACK-END/NETWORK

Upload: nowsecure

Post on 24-Jan-2017


TRANSCRIPT


Episode II: RETURN OF THE BACK-END/NETWORK


Episode II

RETURN OF THE NETWORK/BACK-END

Episode I

THE FORENSIC MENACE

Episode III

ATTACK OF THE CODE


Connect

Twitter: @NowSecureMobile

Subscribe to #MobSec5, our weekly mobile security news digest

http://mobsec5.nowsecure.com/

Web: nowsecure.com


Michael Krueger, Solutions Engineer | NowSecure


Contents

● The Trilogy series overview

● Data-in-transit

● Server-side security

● Suggested tools to get started


Mobile forensics & data recovery

Network, web services & API testing

Server-side penetration testing

Reverse engineering & code analysis


“I can show you the ways of the [Force data in transit].” — Kylo Ren

https://milnersblog.com/tag/the-characters-of-star-wars-the-force-awakens/


Data in transit concerns

● Insecure communication

○ Certificate validation issues

○ Privacy leakage

● Insecure authentication

● Insecure authorization

○ Server accepting/responding to requests without authorization

○ Client-based authorization decisions


Man-in-the-middle (MITM)

● Secretly intercept (modify) communications between systems believing they are communicating directly

● Aims to circumvent mutual authentication (or lack thereof)

● Use it to test for potential vulnerabilities and validate that app sends proper requests/intended data

Who are you really talking to?

Diagram: Victim → Attacker → Server, with the original (direct) Victim → Server connection shown alongside. The attacker presents a fake certificate to the victim.


Lack of certificate validation

Don’t implement your own crypto! It still happens because developers want to accept self-signed certificates, or because implementing certificate validation correctly looks too complex.


Mitmproxy basic setup

Diagram: Device (192.168.10.15, gateway set to 192.168.10.66) → Laptop w/ mitmproxy (192.168.10.66, listening at ports 80 & 443) → 192.168.10.1 → Server

Mitmproxy CA certificate installed on the device (optional)


Android handset gateway configuration


IP forwarding

1. sysctl -w net.ipv4.ip_forward=1

2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

3. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080

Step 1 lets the laptop forward the handset’s packets; steps 2 and 3 divert HTTP and HTTPS arriving on eth0 to port 8080, mitmproxy’s default listening port, so mitmproxy has to be started in transparent mode for the redirected connections to be handled.


Looking for HTTPS traffic


Privacy leakage

● Email address

● Username/password

● Phone number

● IMEI/IMSI

● Home address

● And so much more

See: “Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps”

http://jots.pub/a/2015103001/

Sharing more than you intend

Sharing of sensitive data by Android apps (left) to domains (right)
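An added example (not from the NowSecure deck) of putting the proxy setup above to defensive use: a mitmproxy addon script that flags intercepted requests carrying the kinds of data this slide lists, reporting only what kind and how many so the values themselves never land in the log. The `request` hook and `flow.request.get_text`/`pretty_url`/`host` are mitmproxy’s addon API; the regexes, the Luhn filter for IMEI candidates, the sample request and the file name leak_scan.py are all constructed for this example.

```python
import logging
import re
from typing import Dict, List

# Regexes for the data types the slide lists (non-capturing groups, so that
# re.findall() returns whole matches). The IMEI one only finds 15-digit
# candidates; luhn_ok() drops digit runs that are not real IMEIs.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?<!\d)(?:\+?\d{1,2}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
}
# Credential-looking keys in query strings, form bodies or JSON. Only the key
# name is reported, so the secret itself never reaches the log.
KEY_PATTERN = re.compile(r"(?i)\b(pass(?:word)?|pwd|secret|token)\b[\"']?\s*[=:]")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which every real IMEI passes."""
    total = 0
    for i, d in enumerate(int(ch) for ch in reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> Dict[str, List[str]]:
    # Returns {kind: [unique matches]} for everything sensitive found in text.
    hits: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if kind == "imei":
            found = [f for f in found if luhn_ok(f)]
        if found:
            hits[kind] = sorted(set(found))
    keys = sorted({k.lower() for k in KEY_PATTERN.findall(text)})
    if keys:
        hits["credential"] = keys
    return hits

SAMPLE_REQUEST = (  # constructed sample (URL line plus JSON body), not captured traffic
    "https://api.example.test/v1/profile?token=abc123\n"
    '{"user": "jane.doe@example.com", "password": "hunter2", "imei": '
    '"490154203237518", "phone": "555-123-4567", "order": "123456789012345"}'
)

def request(flow) -> None:
    """mitmproxy addon hook, run per intercepted request: mitmproxy -s leak_scan.py"""
    body = flow.request.get_text(strict=False) or ""
    hits = find_sensitive(flow.request.pretty_url + "\n" + body)
    if hits:  # log kinds and counts only; the matched values stay out of the log
        summary = ", ".join(f"{k} x{len(v)}" for k, v in sorted(hits.items()))
        logging.getLogger(__name__).warning("possible leak to %s: %s", flow.request.host, summary)
```

Run against SAMPLE_REQUEST, find_sensitive reports one email, one phone number, one credential-looking key pair and one IMEI, while the 15-digit order number is rejected by the Luhn check.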


Authentication vs. authorization: Do you know the difference?

Authentication: The process of sending credentials in an attempt to connect

Authorization: Gaining access to a resource because configured permissions allow you access


Insecure authentication

● Predictable session identifiers

● Failing to log users out

● Session lifetime risks

○ Sessions valid too long

○ Sessions valid across multiple channels

● Session fixation

Who copied my house key???
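An added example, not from the deck, that puts the predictable-session-identifier anti-pattern next to a minimal server-side session store addressing the rest of this list: a fresh CSPRNG identifier minted at login (so an identifier planted before authentication is never promoted, defeating fixation), idle and absolute lifetimes, and server-side logout. The timeouts and the class and function names are constructed for illustration; the clock is injectable so the lifetimes can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session age, regardless of activity

def predictable_session_id(user_id: int, now: float) -> str:
    """The weak pattern: user id plus login time, enumerable in a few guesses."""
    return f"{user_id}-{int(now)}"

@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float

class SessionStore:
    """In-memory store with the server-side fixes; clock is injectable for tests."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: int, presented_id: Optional[str] = None) -> str:
        # Anti-fixation: whatever id the client carried before authenticating
        # is discarded and a fresh one is minted from the OS CSPRNG (256 bits).
        if presented_id is not None:
            self._sessions.pop(presented_id, None)
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def user_for(self, sid: str) -> Optional[int]:
        """Return the user id for a valid session; expired ones are evicted."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity extends the idle window, never the hard cap
        return s.user_id

    def logout(self, sid: str) -> None:
        """Invalidate server-side: clearing the client's cookie alone is not logout."""
        self._sessions.pop(sid, None)
```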


Insecure authorization: I feel like being an administrator today.

“Somebody has to save our [skins servers].” — Princess Leia

http://disney.wikia.com/wiki/Leia_Organa


Server-side issues

● Injection

○ SQL

○ XSS

○ Command

● Improper session handling

● Weak ciphers

● Many more...


Weak cipher examples: What do you accept?

https://www.ssllabs.com/



Intelligence Gathering

● What IP addresses does your app talk to?

● Query WHOIS to learn more about each IP address

● Use geolocation services to confirm IP address location


Endpoint identification

https://www.wireshark.org


Suggested tools for back-end testing

Rooted Android device (I use a Google Nexus 5)

Linux machine or VM w/ Android Studio tools

May we recommend Santoku Linux? (Also, Kali Linux)


Tools for testing

Qualys SSL Labs https://www.ssllabs.com/ssltest/

Nmap https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html and https://nmap.org/nsedoc/scripts/ssl-cert.html

Mitmproxy http://docs.mitmproxy.org/en/stable/

Burp Suite https://support.portswigger.net/

IPFingerprints http://www.ipfingerprints.com/

Santoku Linux https://santoku-linux.com/

Wireshark https://www.wireshark.org


Pointers to keep in mind during analysis

● Don’t just focus on the encrypted payload. Look at metadata.

● When searching for data in large files, command line tools are best: try grep

● Try multiple tools. Find the one you’re most comfortable with.

● If you’re scanning a third-party server, get permission


Vulnerable data exists in more than just the payload

Try using both trusted and untrusted certificates when intercepting data in transit

Don’t underestimate the time/effort involved in network-focused testing


Episode III

ATTACK OF THE CODE

Thursday, January 19, 11 a.m. CST / 9 a.m. PST

REGISTER NOW: http://bit.ly/2gOPih8

Let’s talk

NowSecure +1 312.878.1100

@NowSecureMobile www.nowsecure.com

Subscribe to #MobSec5 - a digest of the week’s mobile news that matters - http://mobsec5.nowsecure.com/