Mobile Application – Scan, Attack and Exploit presented at DeepSec 2014

by Hemil Shah

Summary: Mobile application hacking and its security is becoming a major concern in today's world, especially with BYOD and users jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks such as local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and a few others. It is imperative to scan these applications before loading and launching them on the different platforms. Scanning and vulnerability detection are two major areas for mobile applications in their current state. Attack techniques and exploit delivery on the different platforms are evolving, and protection is even tougher as the code bases differ. With all mobile platforms supporting HTML5 applications, there is a significant increase in hybrid applications.
At the same time, mobile applications communicate with the server side over HTTP/HTTPS, which opens up possible attacks on Web Services, APIs, OAuth, REST etc. The server-side applications can be attacked with injections and critical logical exploitations. New technology stacks such as HTML5 and Silverlight are evolving on mobile, which opens up new attack surface. In this context it is imperative for IT professionals and corporate application owners to understand these attack vectors in order to protect mobile infrastructure, users' privacy and security, and the company's intellectual property. The class features detailed hands-on work on mobile attacks for different platforms, real-life cases, live demos, scanning techniques, code analysis and defensive controls. The following topics will be covered during the class.
Introduction to Mobile Applications
• General Overview
• Case studies of Vulnerable and old AppStore applications
• Evaluation of Applications
• Trend in Mobile application Security
• Mobile Application Fundamental – What, Why, How and Where
Deep dive into iOS
• Sandboxing
• iOS Application Architecture
• Understanding iOS platforms
• iOS Structure
• Application Structure
• Application Distribution
• Permissions
• Installing application from IPA
• Objective-C Basics for penetration testing
• Cocoa/Cocoa touch Framework
• Introduction to Xcode
• Running application in simulator
• Jailbreaking
o What
o Why
o How
o Who
Set up Attack environment
• Intercepting traffic
o Configuring simulators to use proxy
o Configuring device to use proxy
o Overcoming SSL traffic interception challenges
o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools
iOS Application Attacks & Reverse engineering
• Attacking Insecure storage
• Insecure network Communication
• Unauthorized dialing, SMS using rootkit
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive/Private data leakage
• Hardcoded passwords/keys
• Language issues
• Jailbreaking/Physical device theft
• Keyboard cache/Clipboard issue on iPhone
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• Parsing client side binary files to get session cookie
• Business logic attacks
• Using debugger to analyze iOS applications
• Interesting things to look for after reverse engineering
Securing iOS Applications and source code analyzer
• Secure coding for iOS Application
• How to incorporate secure design and coding principles for developing iOS applications
• Safe/Unsafe APIs
• Avoiding Buffer Overflows And Underflows
• Validating Input and Inter-process Communication
• Race Conditions and Secure File Operations
• Designing Secure User Interfaces
• Static Code Analyzer for iOS
Other Mobile/Smart TV Platforms
Windows Phone
• Understanding Windows Phone platforms (Windows phone 7 & Windows phone 8)
o Windows file System
o Application Distribution
o Permission model
• Windows Phone development environment
• Running Windows Phone binary in simulator
• Intercepting traffic
• Blackberry file System
• Application Distribution
• Permission model
• Intercepting traffic
Samsung smart TV applications
• Architecture
• Key components and browser stack
• Application model and structure
Android – Hacker friendly platform
Understanding Android platforms
• Android file System/Dalvik
• Application Distribution
• Permissions
• Introduction to Android SDK and useful files
• Understanding Android application key components
• Running application in Android emulator
• Key ADB commands to play with Android emulator
Set up Attack environment
• Intercepting traffic
o Configuring emulator to use proxy
o Configuring device to use proxy
o Overcoming SSL traffic interception challenges
o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools
Attacking Android applications
• Insecure storage
o Internal storage
o External storage
o Shared secret
• Insecure network Communication – Carriers network security & WiFi network attacks
• Unauthorized dialing, SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Keyboard cache/Clipboard issue
• Reading information from SQLite database
• Attacking Manifest file permission
• Analyzing local storage with file system monitoring
• Business logic attacks
• Using AFE to create malicious APK
• Sending signals over WiFi/mobile network
• Decompiling Android Application
• Attacking intellectual property by attacking android binaries
Secure coding for Android Applications and source code analyzer
• Secure coding for Android Application
• Using randomization
• Safe/Unsafe APIs
• Validating Input and Inter-process Communication
• Controlling access with manifest
• Static Code Analyzer for Android
• Protecting intellectual property in Android applications
HTML 5 Applications on Mobile stack
Working with HTML5 applications on Mobile
• HTML5 specs for mobile
• Touch/Moving in mobile applications using HTML5
• Hybrid applications and their permission model
• HTML5 tags supported with mobile platforms
HTML5 Attacks on Mobile
• LocalStorage stealing
• SQLite injections
• Click/Tap Jacking
• Business logic attacks
• JavaScript reverse engineering
Advanced review techniques
• Pentesting using automated tool – iAppliScan
• Reviewing iOS application without jailbreaking device
• Leveraging monitoring in Android to review Android applications
• Exploiting XSS on WebView
• Modifying binary cookie file to steal session
• Leveraging AFE for Android exploitation
All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies. Mobile applications running on iPhone and Android, as well as hybrid applications, will be provided for testing. Participants will also build a small application to capture important concepts of development.