Info security - mobile approach
INFOSECURITY 2013, BRUSSELS – Security assessments in the mobile world
Agenda
► Introduction
► Mobile architecture: an overview; perceived threats
► How to assess the threats: general approach; mobile devices (source code review, sensitive files, application permissions, client side injections); data communication channel; server side controls
► Recap
Introduction – Who am I?
► Tim Beyens
► Security Consultant focusing on mobile security and network security
► Working for Ernst & Young since 2009
► Sector focus: telecommunication
► Typical assignments: penetration testing, network security assignments, technical security assessments, …
Introduction – Trends within the mobile world
On the end-user front…
Introduction – Trends within the mobile world
The machine-to-machine front is increasing as well… M2M mobile connections are expected to reach 12 billion by 2020.
Industry sector examples:
► Utilities: smart meters enable efficient energy consumption and management by consumers and service providers
► Healthcare: remote monitoring technologies can boost cost- and resource-efficient healthcare provision and clinical collaboration
► Automotive: driver navigation and fleet management tools and on-demand in-vehicle entertainment result in intelligent route planning and greater consumer expenditure; vehicle connectivity can bring new business models such as pay-as-you-drive insurance
► Consumer electronics: richer functionality and storage can improve product differentiation and customer centricity
Sources: Ernst & Young research in 2012 – M2M
On the other hand, malware is also being rapidly developed… Most of these vulnerabilities originate from:
► Jailbreaks, rootkits, …
► Faultily configured application settings
► Faulty downloaded applications (from sources not controlled by the device)
► User preference for simple passwords
► Users allowing applications to access personal information they do not need
► Reuse of passwords among different applications
► Social engineering (i.e. gaining physical access to the smartphone to steal data)
Introduction – Trends within the mobile world
2011
► October: secret key combo authentication bypass (iOS)
► August: Google authentication details sent in clear text (Android)
► August: weakness in SSL certificate handling exposes data to interception (iOS)
► July: ZITMO banking trojan affects all mobile devices
► March: trojanised apps found on Chinese app store (Android)
2012
► September: HTC phone vulnerability leaks personal data (Android)
2013
► April: NotCompatible gains access to local network preferences (Android)
► February (2013): lock screen of iPhone can be circumvented (iOS)
► July: LuckyCat opens a backdoor that allows remote access (Android)
► May: FakeInst SMS trojan costs end-users 30 million dollars (Android)
► July: SMSzombie abuses China's SMS payment (Android)
… In numbers, this means:
Introduction – Trends within the mobile world
Sources: ESET, Trends for 2013
[Chart: 2012 malware targets – subscription to premium SMS services, information theft (banking apps), botnet integration; shares shown as 40%, 28% and 32%]
1. Public APN
► APNs used by end-users or machines
► Public: only requires a SIM card of the provider
► Less secure but cheaper
► E.g. your own PDA connecting over 3G
2. Private APN
► Used by companies to easily communicate with field equipment (e.g. G4S transportation)
► Private: only accessible through specific SIM cards
► More secure but more expensive
► E.g. a Coca-Cola vending machine reporting the status of available stock
Mobile Architecture – An overview
[Diagram: public (1) and private (2) APN paths between devices and the back-end]
1. Mobile phone
► Information disclosure (within the application source code)
► Data stored on the device contains personal information
► Insecure password usage
2. Communication channel
► No encryption applied on the communication channel
3. Server infrastructure
► Improper session, authorization and authentication handling
► Overall weak server side controls (e.g. server side injections)
Mobile Architecture – Perceived threats – End users
Next to the threats described on the previous page, machine-to-machine communication has another threat that is easily overlooked…
1. Machines
► What if the SIM card (of the machine) is inserted in a USB 3G stick? This allows access to the private APN, which in turn provides access to a front-end system of the owner of the private APN… From that point onwards a similar penetration testing approach can be used to exploit the front-end device. Possible pitfall: some SIM cards might disallow outgoing data traffic…
Mobile Architecture – Perceived threats – Machines
How to assess the threats – General approach
Mobile device
Objective: identify vulnerabilities in the applications installed on the devices themselves.
► Reverse engineer the binary using tools such as Clang (static code), GDB and IDA (Pro), and investigate the source code for passwords, server-side keys, … but also learn how the application works!
► Look for sensitive data in databases, logs, back-ups, cached files, …
► Verify the application's permissions
► Perform security tests similar to other web application tests (e.g. session management, authentication management, …)
Server side controls
Objective: identify vulnerabilities on the server side of the mobile application.
► Perform attack and penetration tests similar to other web application tests, and use the information found on the local device to leverage your successes.
Communication channel
Objective: identify vulnerabilities in the data communication channel.
► Verify the application uses SSL/TLS whenever sensitive information is being transmitted.
How to assess the threats – Mobile device – Source code review
Source code review – Android
► The downloaded package (.apk) is actually a zip container; unzipping it will reveal the actual content.
► Loads of files, including classes.dex
Tools used: dex2jar, JD-GUI
Steps to be taken:
d2j-dex2jar.sh -o classes.jar classes.dex (older dex2jar releases: dex2jar.sh classes.dex, which writes classes_dex2jar.jar next to the input)
Open classes.jar in JD-GUI (or Eclipse, …)
How to assess the threats – Mobile phone – Source code review
Source code review – iPhone. Before starting any tests on iOS… make sure to jailbreak the device and install:
► OpenSSH
► Mobile Terminal
► Cydia = the mother of all tools on jailbroken iPhones! The app store for jailbroken iOS.
► Other Linux-based tools you want…
Connect your iPhone to a (wireless) hotspot and SSH to it! (Screenshot: SSH login as root with the default password alpine)
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
► Not that easy… because most Apple applications are encrypted and signed; code segments look like gibberish when simply reversed.
► However, the downloaded file (.ipa in iTunes, or .app when transferring it from the jailbroken iOS device) is still a zip container; unzipping it will reveal the actual content.
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
► Find the application binary in the container and… check whether the encryption is actually on!
► The LC_ENCRYPTION_INFO load command tells you:
► cryptid: 1 if the binary is encrypted, 0 if it is not
► cryptsize: the size of the encrypted region, i.e. up to what point the application is encrypted
► The iPhone will automatically decrypt it when the application runs on your phone
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.)
LC_ENCRYPTION_INFO: cryptid = 1
► Automatic: one application, Clutch
► Manual: use a hex editor to change the value to 0
► There is no clear method to find where the cryptid is; search for /System/Library/Frameworks within the hex… this can take some time…
► Run the app and dump the code using GDB: attach with gdb -p <PID of the application>, then dump the memory of your application based on the cryptsize.
► At the GDB prompt: dump memory app.bin <start of application code> <cryptsize> (in our case 0x0000 to 0x9000)
objc.idc (IDA script)
How to assess the threats – Mobile device – Source code review
Source code review – iPhone (cont.): LC_ENCRYPTION_INFO: cryptid = 0
► …When encryption is not on… or you used the previous steps… use IDA Pro to reverse the application.
It stays in assembly!
How to assess the threats – Mobile device – Source code review
Source code review (cont.) – What to look for
► Passwords
► Hard-coded URLs
► Administrator bypasses
► Input filter classes
► … Anything you would search for in a normal reverse engineering test…
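The Android step (unzip the .apk, pull out classes.dex) and this "what to look for" list can be combined into an automated first pass before the manual JD-GUI review. The script below is an added example, not part of the deck and not dex2jar or JD-GUI code: it reads the DEX string pool directly (the string_ids table referenced from the header), flags entries that look like URLs, credential names or private keys, and builds its own constructed sample APK so it runs offline. Package names, URLs and field names in the sample are made up, and the fixture builder only emits a DEX header plus a string pool, not a loadable classes.dex.

```python
import io
import re
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70  # string_ids_size / string_ids_off live at 0x38 / 0x3C


def read_uleb128(buf, off):
    """Decode an unsigned LEB128 value at buf[off]; returns (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def extract_dex_strings(dex):
    """Walk the string_ids table and return the string pool of a DEX file.

    Each string_id_item is a 4-byte offset to a string_data_item: a ULEB128
    UTF-16 length followed by null-terminated MUTF-8 bytes. MUTF-8 encodes NUL
    as C0 80; that is the only MUTF-8 quirk undone here before UTF-8 decoding.
    """
    if dex[:4] != DEX_MAGIC_PREFIX:
        raise ValueError("not a DEX file")
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(string_ids_size):
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        raw = dex[pos:end].replace(b"\xc0\x80", b"\x00")
        strings.append(raw.decode("utf-8", errors="replace"))
    return strings


# Patterns for the items on the slide; the labels are our own.
SUSPICIOUS = (
    ("url", re.compile(r"https?://\S+")),
    ("credential", re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
)


def find_sensitive_strings(strings):
    """Return (label, string) pairs for pool entries matching a suspicious pattern."""
    hits = []
    for s in strings:
        for label, pattern in SUSPICIOUS:
            if pattern.search(s):
                hits.append((label, s))
                break
    return hits


def scan_apk(apk_bytes):
    """An APK is a zip container: scan the string pool of every .dex entry."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex"):
                hits.extend(find_sensitive_strings(extract_dex_strings(zf.read(name))))
    return hits


def encode_uleb128(value):
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def build_minimal_dex(strings):
    """Constructed fixture: a DEX-shaped blob holding only a header and a string
    pool (enough for extract_dex_strings; it is not a loadable classes.dex)."""
    ids, data = b"", b""
    offset = DEX_HEADER_SIZE + 4 * len(strings)
    for s in strings:
        item = encode_uleb128(len(s)) + s.encode("utf-8").replace(b"\x00", b"\xc0\x80") + b"\x00"
        ids += struct.pack("<I", offset)
        data += item
        offset += len(item)
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, offset)           # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)       # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), DEX_HEADER_SIZE)
    return bytes(header) + ids + data


def build_sample_apk():
    """Constructed sample APK: a manifest stub plus a classes.dex whose string
    pool contains one hard-coded URL and one credential-looking identifier."""
    pool = [
        "Lcom/example/app/LoginActivity;",
        "https://api.example.com/v1/login",  # constructed hard-coded URL
        "admin_password",                     # constructed credential field name
        "Welcome back",
        "hunter2",  # a bare value: no pattern catches it, so manual review still matters
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", build_minimal_dex(pool))
    return buf.getvalue()


if __name__ == "__main__":
    for label, value in scan_apk(build_sample_apk()):
        print(f"{label:12} {value}")
```

The last sample entry is deliberate: a secret stored as a bare value is invisible to name-based patterns, which is why the automated pass only narrows the manual review rather than replacing it.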
How to assess the threats – Mobile phone – Sensitive files
Data stored on the device
Applications store data in various locations:
► SQLite databases
► Cached data, back-ups, …
► Log files of applications
These are easy to find over the SSH connection; simply inspect them with the "cat" command, or copy them to your computer and open them with a viewer you like.
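Once the application container has been copied to your computer, the "cat and look" step scales badly across dozens of databases and logs. The following Python script is an added example, not part of the deck: it walks a copied sandbox, opens every SQLite file to list tables and columns whose names suggest credentials, and greps log files for token- or password-like lines. It builds its own constructed sandbox in a temporary directory (file names, table layout, log lines and the token value are all made up) so it runs offline.

```python
import os
import re
import sqlite3
import tempfile

# Column names that usually mean credentials or payment data are stored locally.
SENSITIVE_COLUMN = re.compile(r"(?i)(password|passwd|pin|token|secret|ssn|card)")
# Log lines that echo a secret after an '=' or ':'.
SENSITIVE_LOG = re.compile(r"(?i)(password|token|authorization)\s*[=:]\s*\S+")


def audit_sqlite(path):
    """List table.column pairs with sensitive-looking names and how many rows they hold."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in columns:
                if SENSITIVE_COLUMN.search(col):
                    (rows,) = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
                    findings.append(("sqlite", path, f"{table}.{col}", rows))
    except sqlite3.DatabaseError:
        pass  # a .db file that is not SQLite (or is encrypted): nothing to list
    finally:
        con.close()
    return findings


def audit_log(path):
    """Report log lines that carry a secret in clear."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if SENSITIVE_LOG.search(line):
                findings.append(("log", path, f"line {lineno}", line.strip()))
    return findings


def audit_sandbox(root):
    """Walk an app sandbox copied from the device and collect all findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith((".db", ".sqlite", ".sqlite3")):
                findings.extend(audit_sqlite(path))
            elif name.endswith((".log", ".txt")):
                findings.extend(audit_log(path))
    findings.sort(key=lambda f: (f[0], f[1], f[2]))
    return findings


def build_sample_sandbox():
    """Constructed fixture mimicking an app container: a SQLite store that keeps
    a password in clear and a debug log that echoes a session token."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Logs"))
    con = sqlite3.connect(os.path.join(root, "Documents", "accounts.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'S3cret!')")
    con.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(root, "Library", "Logs", "app.log"), "w") as fh:
        fh.write("2013-03-01 10:02:11 INFO login ok for alice\n")
        fh.write("2013-03-01 10:02:12 DEBUG token=constructed.sample.token\n")
        fh.write("2013-03-01 10:02:13 INFO sync complete\n")
    return root


if __name__ == "__main__":
    for finding in audit_sandbox(build_sample_sandbox()):
        print(finding)
```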
How to assess the threats – Mobile phone – Application permissions
Incorrect authorization set for mobile applications. Each application receives permissions that need to be reviewed because:
► Applications having access to extra functions might be abused (e.g. through client side injection) by attackers to get hold of extra information (low likelihood)
► End-users might not install the application (medium? likelihood)
iOS: can only be reviewed from iOS version 6 onwards, under the 'Privacy' settings tab
Android: stored in the manifest file
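For the Android case, the manifest review can be turned into a diff between what the app requests and what its feature list justifies. The script below is an added example, not part of the deck: it parses a source AndroidManifest.xml with the standard library, lists every uses-permission, and reports those without a justification, marking the ones that gate user data or paid services (the DANGEROUS set is an illustrative subset of real Android permission names, not the full list). The sample manifest, package name and justified set are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of Android permissions that gate user data or paid
# services (the kinds behind the "premium SMS" and "information theft" malware
# categories on the earlier slide). Not an exhaustive list.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in a source manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml, justified):
    """Compare requested permissions with the set the app's features justify.

    Returns the requested list, the permissions lacking a justification, and
    the subset of those that are in the DANGEROUS set.
    """
    requested = requested_permissions(manifest_xml)
    unjustified = [p for p in requested if p not in justified]
    return {
        "requested": requested,
        "unjustified": unjustified,
        "dangerous": [p for p in unjustified if p in DANGEROUS],
    }


# Constructed sample: a "news reader" that asks for more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="News"/>
</manifest>
"""

# Permissions the sample app's (constructed) feature list actually explains.
JUSTIFIED_FOR_SAMPLE = {"android.permission.INTERNET"}


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST, JUSTIFIED_FOR_SAMPLE)
    for perm in report["unjustified"]:
        flag = "DANGEROUS" if perm in report["dangerous"] else "review"
        print(f"{flag:10} {perm}")
```

The justified set is the input a reviewer has to produce by hand from the functional description; the script only makes the gap visible. Note that it reads the plain-text manifest from the source tree; the manifest inside a built .apk is binary XML and needs a decoder first.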
As with normal client applications, mobile applications might be vulnerable to injections. Set-up of the screenshots on this slide: vulnerable app1 (downloaded from http://www.veracode.com), which contains a basic SQL injection to bypass authentication on the application.
How to assess the threats – Mobile phone – Client side injections
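To make the "basic SQL injection to bypass authentication" concrete from the developer's side, here is an added example that is neither the deck's nor the Veracode app1 code: the vulnerable login query beside its parameterised form, both run against a constructed in-memory SQLite table such as a mobile app might keep locally. The user name, password and probe string are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for an app's local SQLite store.
    (Keeping the password in clear is itself a finding under 'sensitive files';
    the point here is only the query construction.)"""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """The pattern behind the slide's bypass: user input is pasted into the SQL
    text, so the input can rewrite the WHERE clause instead of being compared by it."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone()[0] > 0


def login_hardened(con, username, password):
    """Parameterised form: the driver binds the values, so quote characters in
    the input are data and never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both variants with the real password and with a classic test string."""
    con = make_db()
    probe = "' OR '1'='1"  # the textbook authentication-bypass string used in testing
    return {
        "vuln_valid": login_vulnerable(con, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(con, "alice", probe),
        "hard_valid": login_hardened(con, "alice", "correct horse"),
        "hard_bypass": login_hardened(con, "alice", probe),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12} authenticated={ok}")
```

In the vulnerable variant the probe turns the condition into `(username = 'alice' AND password = '') OR '1'='1'`, which is always true; the parameterised query compares the whole probe as a literal password and fails. During a review, grep the decompiled classes for string concatenation that feeds `rawQuery`/`execSQL`-style calls with user input.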
How to assess the threats – Communication channel
Proxy, proxy and proxy again… Each device has the option to route its traffic through a proxy (iOS and Android proxy settings). Once set up, the tests are identical to other web application tests.
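Once the traffic runs through the proxy, the SSL/TLS check from the general approach slide ("sensitive information only over an encrypted channel") can be applied to the captured history instead of eyeballing each request. The following Python script is an added example, not part of the deck or of any proxy tool: it reads a constructed proxy history (one request per line as METHOD URL BODY, a format assumed here for the sample) and flags sensitive-looking parameters sent over a non-https scheme, plus, as a second rule, sensitive parameters placed in URL query strings, where they end up in logs and history even over TLS. Host names and values are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should never travel in clear or sit in a URL.
SENSITIVE_PARAMS = re.compile(
    r"(?i)^(password|passwd|pin|token|session(id)?|card(number)?|ssn)$")

# Constructed proxy history: METHOD URL BODY ('-' means no body).
SAMPLE_HISTORY = """\
POST http://api.example.com/login username=alice&password=S3cret!
GET https://api.example.com/account?sessionid=abc123 -
POST https://api.example.com/login username=alice&password=S3cret!
GET http://cdn.example.com/logo.png -
POST http://m2m.example.com/status device=vend-0042&token=deadbeef
"""


def parse_history(text):
    """Split the history into (method, url, body) tuples."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, body = line.split(" ", 2)
        requests.append((method, url, "" if body == "-" else body))
    return requests


def sensitive_names(encoded):
    """Names of sensitive-looking parameters in a query string or form body."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [name for name, _value in pairs if SENSITIVE_PARAMS.match(name)]


def audit_history(text):
    """Apply two rules to every request and return (reason, method, url, fields)."""
    findings = []
    for method, url, body in parse_history(text):
        parts = urlsplit(url)
        in_query = sensitive_names(parts.query)
        in_body = sensitive_names(body)
        # Rule 1: sensitive data over anything but https is the slide's finding.
        if parts.scheme != "https" and (in_query or in_body):
            findings.append(("cleartext", method, url, in_query + in_body))
        # Rule 2: secrets in the URL leak via history, logs and Referer headers.
        if in_query:
            findings.append(("in-url", method, url, in_query))
    return findings


if __name__ == "__main__":
    for reason, method, url, fields in audit_history(SAMPLE_HISTORY):
        print(f"{reason:10} {method:5} {url}  {fields}")
```

The third request is the corrected form of the first one: same credentials, but over https and in the body, so neither rule fires. Exporting the proxy history in the assumed METHOD URL BODY layout is the only adaptation needed for real captures.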
How to assess the threats – Server side controls
Again… proxy, proxy and proxy again…
► Assess the back-end server as any web service you would encounter:
► WSDL assessment
► Extracting extra information by manipulating requests
► Injection testing
► SOAP attachments
► …
► Do not forget to assess the infrastructure itself!
Recap
► Mobile applications and mobile phones are on the rise
► Machine-to-machine is on the rise
► But malware is on the rise as well, to capture sensitive files!
Tim Beyens Tel.: +32 2 774 91 81 Mobile: +32 495 743 592 Email: [email protected]
Ernst & Young
Assurance | Tax | Transactions | Advisory 2013 Ernst & Young Transaction Advisory Services All rights reserved.
About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com/be. Follow us: twitter.com/EY_Belgium