Info security - mobile approach

INFOSECURITY 2013, BRUSSELS Security assessments in the mobile world

description

Information security assessment in a mobile world by EY Belgium IT security consultant Tim Beyens. Presented during the InfoSecurity seminar.

Transcript of Info security - mobile approach

Page 1: Info security -  mobile approach

INFOSECURITY 2013, BRUSSELS Security assessments in the mobile world

Page 2: Info security -  mobile approach

Agenda

Introduction

Mobile architecture
► An overview
► Perceived threats

How to assess the threats
► General approach
► Mobile devices
  ► Source code review
  ► Sensitive files
  ► Application permissions
  ► Client side injections
► Data communication channel
► Server side controls

Recap

Page 3: Info security -  mobile approach

Introduction – Who am I?

► Tim Beyens
► Security consultant focusing on mobile security and network security
► Working for Ernst & Young since 2009
► Sector focus: telecommunications
► Typical assignments: penetration testing, network security assignments, … technical security assessments

Page 4: Info security -  mobile approach

Introduction Trends within the mobile world

On the end-user front…

Page 5: Info security -  mobile approach

Introduction Trends within the mobile world

The machine-to-machine front is increasing as well: M2M mobile connections are expected to reach 12 billion by 2020.

Industry sector and what M2M brings it:

► Utilities: smart meters enable efficient energy consumption and management by consumers and service providers
► Healthcare: remote monitoring technologies can boost cost- and resource-efficient healthcare provision and clinical collaboration
► Automotive: driver navigation and fleet management tools and on-demand in-vehicle entertainment result in intelligent route planning and greater consumer expenditure. Vehicle connectivity can bring new business models such as pay-as-you-drive insurance
► Consumer electronics: richer functionality and storage can improve product differentiation and customer centricity

Sources: Ernst & Young research in 2012 – M2M

Page 6: Info security -  mobile approach

Introduction – Trends within the mobile world

On the other hand, malware is also being rapidly developed… Most of these vulnerabilities originate from:
► Jailbreaks, rootkits, …
► Incorrectly configured application settings
► Faulty downloaded applications (from sources not controlled by the device)
► User preference for simple passwords
► Users allowing applications to access personal information they do not need
► Reuse of passwords among different applications
► Social engineering (i.e. gaining physical access to the smartphone to steal data)

Timeline shown on the slide:

2011
► October: secret key combo authentication bypass (iOS)
► August: Google authentication details sent in clear text (Android)
► August: weakness in SSL certificate handling exposes data to interception (iOS)
► July: ZITMO banking trojan affects all mobile devices
► March: trojanised apps found on a Chinese app store (Android)

2012
► September: HTC phone vulnerability leaks personal data (Android)

2013
► April: NotCompatible gains access to local network preferences (Android)
► February: lock screen of the iPhone can be circumvented (iOS)

Further entries on the timeline (the year is not legible in the transcript):
► July: LuckyCat opens a backdoor that allows remote access (Android)
► May: FakeInst SMS trojan cost end users 30 million dollars (Android)
► July: SMSzombie abuses China's SMS payment (Android)

Page 7: Info security -  mobile approach

Introduction – Trends within the mobile world

… In numbers this means:

[Pie chart on the slide: 2012 malware targets – subscription to premium SMS services, information theft (banking apps) and botnet integration; the shares shown are 40%, 28% and 32%]

Sources: ESET, Trends for 2013

Page 8: Info security -  mobile approach

Mobile architecture – An overview

1. Public APN
► APNs used by end users or machines
► Public: only requires a SIM card of the provider
► Less secure but cheaper
► E.g. your own PDA connecting over 3G

2. Private APN
► Used by companies to easily communicate with field equipment (e.g. G4S transportation)
► Private: only accessible through specific SIM cards
► More secure but more expensive
► E.g. a Coca-Cola vending machine reporting the status of its available stock

[Diagram on the slide: the public (1) and private (2) APN paths]

Page 9: Info security -  mobile approach

Mobile architecture – Perceived threats – End users

1. Mobile phone
► Information disclosure (within the application source code)
► Data stored on the device contains personal information
► Insecure password usage

2. Communication channel
► No encryption applied on the communication channel

3. Server infrastructure
► Improper session, authorization and authentication handling
► Overall weak server-side controls (e.g. server-side injections)

[Diagram on the slide: points 1, 2 and 3 marked on the architecture overview]

Page 10: Info security -  mobile approach

Mobile architecture – Perceived threats – Machines

Next to the threats described on the previous page, machine-to-machine communication has another threat that is easily overlooked…

1. Machines
► What if the SIM card of the machine is inserted in a USB 3G stick? This gives access to the private APN, which in turn gives access to a front-end system of the owner of the private APN… From that point onwards a penetration-testing approach similar to the one above can be used to exploit the front-end device. Possible pitfall: some SIM cards might disallow outgoing data traffic…

[Diagram on the slide: point 1 marked on the architecture overview]

Page 11: Info security -  mobile approach

How to assess the threats – General approach

Mobile device
Objective: identify vulnerabilities in the applications installed on the devices themselves.
► Reverse engineer the binary using tools such as Clang (static code analysis), GDB or IDA (Pro), and investigate the source code for passwords, server-side keys, … but also learn how the application works!
► Look for sensitive data in databases, logs, back-ups, cached files, …
► Verify the application's permissions
► Perform security tests similar to other web application tests (e.g. session management, authentication management, …)

Server-side controls
Objective: identify vulnerabilities on the server side of the mobile application.
► Perform attack and penetration tests similar to other web application tests, and use the information found on the local device to leverage your successes.

Communication channel
Objective: identify vulnerabilities in the data communication channel.
► Verify that the application uses SSL/TLS whenever sensitive information is being transmitted.

Page 12: Info security -  mobile approach

How to assess the threats – Mobile device – Source code review

Source code review – Android
► The downloaded package (.apk) is actually a zip container; unzipping it will reveal the actual content.
► Loads of files, including classes.dex

Tools used: dex2jar, JD-GUI

Steps to be taken:
  d2j-dex2jar.sh -o classes.jar classes.dex   (older dex2jar releases: dex2jar.sh classes.dex, which writes classes_dex2jar.jar)
  Open the classes.jar file in JD-GUI (or Eclipse, …)

Page 13: Info security -  mobile approach

How to assess the threats Mobile Phone – Source code review

Source code review – iPhone
Before starting any tests on iOS… make sure to jailbreak the device and install:
► OpenSSH
► Mobile Terminal
► Cydia = the mother of all tools on jailbroken iPhones! The app store for jailbroken iOS.
► Other Linux-based tools you want…

Connect your iPhone to a (wireless) hotspot and SSH to it!

[Screenshot of the SSH session on the slide; the password shown is alpine, the default root password of a jailbroken device, which should be changed before the device is put on a shared network]

Page 14: Info security -  mobile approach

How to assess the threats Mobile device – Source code review

Source code review – iPhone (cont.)

► Not that easy… because most applications from the App Store are encrypted and signed; code segments look like gibberish when simply reversed
► However, the downloaded file (.ipa in iTunes, or .app when transferring it from the jailbroken iOS device) is still a zip container; unzipping it will reveal the actual content.

Page 15: Info security -  mobile approach

How to assess the threats Mobile device – Source code review

Source code review – iPhone (cont.)

► Find the application file in the container and … check that the encryption is actually on!
► LC_ENCRYPTION_INFO values:
  ► cryptid: 1 if the binary is encrypted, 0 if the binary is not encrypted
  ► cryptsize: up to what point the application is encrypted
► The iPhone auto-decrypts it when the application runs on your phone

Page 16: Info security -  mobile approach

How to assess the threats Mobile device – Source code review

Source code review – iPhone (cont.)

LC_ENCRYPTION_INFO; cryptid = 1
► Automatic: a single tool, Clutch
► Manual: use a hex editor to change the value to 0
► No clear method to find where the cryptid is; search for /system/Library/Frameworks within the hex… can take some time…
► Run the app and dump the code using GDB:
  ► gdb -p <PID of the application>
  ► Dump the memory of your application based on the cryptsize
  ► @CLI: dump memory app.bin <<start of application code>> (our case: 0x0000) <<cryptsize>> (our case: 0x9000)
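The cryptid/cryptsize check from the two previous pages, as an added example that is not part of the deck: it walks the load commands of a thin, little-endian Mach-O (the iOS ARM case; FAT/universal wrappers are not handled) and reports the LC_ENCRYPTION_INFO fields together with the file offset of the cryptid word, which answers the "no clear method to find where the cryptid is" remark. The build_sample_macho helper constructs a minimal test binary and is an assumption of this example.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF          # thin, little-endian (iOS ARM) headers
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C  # the two variants of the command

def encryption_info(macho):
    # Walk the load commands and return the LC_ENCRYPTION_INFO fields, or None if absent.
    (magic,) = struct.unpack_from("<I", macho, 0)
    if magic == MH_MAGIC:
        hdr_len = 28
    elif magic == MH_MAGIC_64:
        hdr_len = 32                                    # 64-bit header carries a reserved word
    else:
        raise ValueError("not a thin little-endian Mach-O (FAT/universal not handled)")
    (ncmds,) = struct.unpack_from("<I", macho, 16)      # ncmds sits at offset 16 in both headers
    pos = hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (then a pad word on 64-bit)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", macho, pos + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    "cryptid_file_offset": pos + 16, "encrypted": cryptid != 0}
        pos += cmdsize
    return None                                          # no encryption command at all

def build_sample_macho(cryptid, cryptsize=0x9000, bits=32):
    # Constructed test input (assumption): a header plus one LC_ENCRYPTION_INFO, nothing else.
    magic, hdr_extra = (MH_MAGIC, b"") if bits == 32 else (MH_MAGIC_64, b"\x00" * 4)
    cmd = LC_ENCRYPTION_INFO if bits == 32 else LC_ENCRYPTION_INFO_64
    cmdsize = 20 if bits == 32 else 24
    lc = struct.pack("<IIIII", cmd, cmdsize, 0x1000, cryptsize, cryptid)
    lc += b"\x00" * (cmdsize - len(lc))                 # 64-bit variant carries a pad word
    # magic, cputype (ARM), cpusubtype, filetype MH_EXECUTE, ncmds, sizeofcmds, flags
    header = struct.pack("<IIIIIII", magic, 12, 0, 2, 1, cmdsize, 0) + hdr_extra
    return header + lc

if __name__ == "__main__":
    for bits in (32, 64):
        print(bits, encryption_info(build_sample_macho(1, bits=bits)))
```

On a real binary pass the bytes of the executable inside the .app directory; a result with encrypted set to True means IDA will only show the gibberish described above until the decryption steps have been applied.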

Page 17: Info security -  mobile approach

How to assess the threats – Mobile device – Source code review

Source code review – iPhone (cont.) LC_ENCRYPTION_INFO; cryptid = 0

► … when it is not on… or you used the previous steps… use IDA Pro to reverse the application (IDA script shown on the slide: objc.idc)

It stays in assembly!

Page 18: Info security -  mobile approach

How to assess the threats Mobile device – Source code review

Source code review (cont.) – What to look for

► Passwords
► Hardcoded URLs
► Administrator bypasses
► Input filter classes
► … anything you would search for in a normal reverse engineering test…
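The Android steps from page 12 and the "what to look for" list above, as an added example that is not part of the deck: instead of opening classes.jar in JD-GUI, the script unzips the .apk in memory, reads the string pool straight out of classes.dex (the string_ids table at header offsets 0x38/0x3C) and flags strings that look like hardcoded URLs or credential constants, which is a quick first pass before the manual review. The regexes in PATTERNS and the build_sample_apk helper (a minimal DEX holding only a string table) are assumptions of this example.

```python
import io, re, struct, zipfile

def _uleb128(data, pos):
    # Decode one unsigned LEB128 value; returns (value, position after it).
    value = shift = 0
    while True:
        byte, pos = data[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def dex_strings(dex):
    # Walk the string_ids table; its count and offset sit at header bytes 0x38/0x3C.
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, pos = _uleb128(dex, data_off)          # skip the utf16 length prefix
        out.append(dex[pos:dex.index(b"\x00", pos)].decode("utf-8", "replace"))
    return out

PATTERNS = {                                      # assumption: tune to the app under review
    "url": re.compile(r"https?://[^\s\"']+"),
    "credential": re.compile(r"(passw(or)?d|secret|api[_-]?key|token)\s*[=:]", re.I),
}

def find_findings(strings):
    return [(cat, s) for s in strings for cat, rx in PATTERNS.items() if rx.search(s)]

def scan_apk(apk_bytes):
    # An .apk is a zip container: pull classes.dex out and scan its string pool.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return find_findings(dex_strings(z.read("classes.dex")))

def build_sample_apk(strings):
    # Constructed test input: a DEX holding only a string table, zipped like an APK.
    header = bytearray(0x70)                      # real header is 0x70 bytes; rest stays zero
    header[:8] = b"dex\n035\x00"
    table_off, table, data = 0x70, b"", b""
    for s in strings:
        table += struct.pack("<I", table_off + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"   # one-byte uleb128 for len < 128
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(header) + table + data)
    return buf.getvalue()
```

Every hit is only a lead: a URL constant is expected, a credential constant is the finding to chase in JD-GUI.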

Page 19: Info security -  mobile approach

How to assess the threats – Mobile phone – Sensitive files

Data stored on the device
Applications store data in various locations:
► SQLite databases
► Cached data, back-ups, …
► Application log files

Easy to find using the SSH connection; simply inspect them either with the "cat" command or by copying them to your computer and opening them with a viewer of your choice.

Page 20: Info security -  mobile approach

How to assess the threats – Mobile phone – Application permissions

Incorrect authorization set for mobile applications
Each application receives permissions that need to be reviewed because:
► Applications with access to extra functions might be abused (e.g. through client-side injection) by attackers to get hold of extra information (low likelihood)
► End users might not install the application (medium likelihood?)

iOS: can be reviewed only from iOS version 6 onwards, under the 'Privacy' settings tab
Android: declared in the manifest file (AndroidManifest.xml)

Page 21: Info security -  mobile approach

How to assess the threats – Mobile phone – Client side injections

As with normal client applications, mobile applications might be vulnerable to injections. Set-up of the screenshots on the slide: vulnerable app1 (downloaded from http://www.veracode.com), which contains a basic SQL injection to bypass authentication on the application.

Page 22: Info security -  mobile approach

How to assess the threats Communication channel

Proxy, proxy and proxy again… Each platform (iOS, Android) can be configured to route its traffic through a proxy. Once set up, the tests are identical to other web application tests.

Page 23: Info security -  mobile approach

How to assess the threats Communication channel

Page 24: Info security -  mobile approach

How to assess the threats – Server side controls

Again… proxy, proxy and proxy again…

► Assess the back-end server as you would any web service you encounter:
  ► WSDL assessment
  ► Extracting extra information by manipulating requests
  ► Injection testing
  ► SOAP attachments
  ► …
► Do not forget to assess the infrastructure itself!

Page 25: Info security -  mobile approach

Recap

► Mobile applications and mobile phones are on the rise
► Machine-to-machine is on the rise
► But malware is on the rise as well, to capture sensitive files!

Page 26: Info security -  mobile approach

Tim Beyens Tel.: +32 2 774 91 81 Mobile: +32 495 743 592 Email: [email protected]

Ernst & Young

Assurance | Tax | Transactions | Advisory 2013 Ernst & Young Transaction Advisory Services All rights reserved.
