Pentesting Mobile Applications

Similar documents
Pentesting iphone Applications. Satishb3

Penetration Testing for iphone Applications Part 1

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

Pentesting iphone & ipad Apps Hack In Paris 2011 June 17

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Mobile Applications: The True Potential Risks Where to look for information when performing a Pentest on a Mobile Application

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Mobile Application Security and Penetration Testing Syllabus

Security Testing Guidelines for mobile Apps

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Advanced ANDROID & ios Hands-on Exploitation

Workday Mobile Security FAQ

Internet Banking System Web Application Penetration Test Report

Please Complete Speaker Feedback Surveys. SecurityTube.net

UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION. Julie Brill Maureen K. Ohlhausen Joshua D. Wright Terrell McSweeny

Ensuring the security of your mobile business intelligence

The Incident Response Playbook for Android and ios

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Configuration Guide BES12. Version 12.3

Topics in Network Security

Configuration Guide BES12. Version 12.2

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

MASTER'S THESIS. Android Application Security with OWASP Mobile Top James King 2014

Introduction to Mobile Access Gateway Installation

Security Vulnerabilities in 3rd-Party ios Applications

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Example of Standard API

Virtually Secure. a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance

Research on Situation and Key Issues of Smart Mobile Terminal Security

Configuration Guide BES12. Version 12.1

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Sophos Mobile Control Technical guide

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

How To Protect Your Mobile Device From Attack

Pentesting Android Mobile Application

Administering Jive Mobile Apps

Clientless SSL VPN Users

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Enterprise Application Security Workshop Series

BYOD Guidance: BlackBerry Secure Work Space

Basic Security Considerations for and Web Browsing

Legal notices. Legal notices. For legal notices, see

Secure your ios applications and uncover hidden vulnerabilities by conducting penetration tests

Locking down a Hitachi ID Suite server

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

Achieving PCI Compliance Using F5 Products

Adobe Flash Player and Adobe AIR security

VPN: Virtual Private Network Setup Instructions

Configuration Guide. BES12 Cloud

BlackBerry 10.3 Work and Personal Corporate

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Access Your Cisco Smart Storage Remotely Via WebDAV

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

IDS and Penetration Testing Lab ISA656 (Attacker)

RDM+ Desktop for Windows Getting Started Guide

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Mobile Application Security: Who, How and Why

Project X Mass interception of encrypted connections

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

OWASP NZ Day 2011 Testing Mobile Applications

Best Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.

Cloud Security:Threats & Mitgations

Ensuring the security of your mobile business intelligence

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Smartphone Pentest Framework v0.1. User Guide

Ethical Hacking as a Professional Penetration Testing Technique

TrustDefender Mobile Technical Brief

Frequently Asked Questions Enterprise Mobile Manager

What is Web Security? Motivation

CONTENTS. PCI DSS Compliance Guide

Intro to Firewalls. Summary

Salesforce1 Mobile Security Guide

mitmproxy.org How MITMproxy has been slaying SSL Dragons OWASP The OWASP Foundation

Mobile Admin Security

Threat Events: Software Attacks (cont.)

Exactly the Same, but Different

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Mobile Application Security

Android vs. Apple ios Security Showdown Tom Eston

Microsoft Lync Server 2010

Deploying iphone and ipad Security Overview

Penetration Testing for iphone / ipad Applications

Mobile Application Security Testing ASSESSMENT & CODE REVIEW

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

End User Devices Security Guidance: Apple OS X 10.10

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Analysis of advanced issues in mobile security in android operating system

Spring Hill State Bank Mobile Banking FAQs

Transcription:

WEB 应 用 安 全 和 数 据 库 安 全 的 领 航 者! 安 恒 信 息 技 术 有 限 公 司 Pentesting Mobile Applications www.dbappsecurity.com.cn

Who am I l Frank Fan: CTO of DBAPPSecurity Graduated from California State University as a Computer Science PhD. With more than ten years of technical research and project management experience in world famous security companies Mr. Frank Fan researched deeply about online security, database security and auditing and compliance( such as SOX, PCI, ISO17799/27001). Became the first Chinese who made a speech in the World s top security conference BLACKHAT and he has certificates such as CISSP, CISA, GCIH, GCIA, etc. The vice president of OWASP China Member of 2008 Olympic Organizing Committee security group. Member of China Computer Society Branch Columnist of China Information Security 12-5-20 2

catalogue iphone&adriod Application Basics Pentesting iphone Applications Pentesting Andriod Applications Major Mobile Threats 12-5-20 3

Apple iphone Application Basics iphone first published in 2007. 12-5-20 4

Apple iphone Application Basics Browser Based Application HTML+CSS+JavaScript IOS Application Program Objective C&Cocoa Touch API Ø Super set of C, Compiles into native code (ARM) Apple Store(App Store) Centralized mechanism to distribute software Only Apple signed application are available Designed to protect the Apps from piracy & No malware 12-5-20 5

Apple iphone Application Basics Why to build iphone application - New business - Good ways to launch new services - Urgentcy of clients - Users want them - Fame (Angry Birds /Fruit Ninja) 12-5-20 6

Apple iphone Application Basics iphone Applications Package Suffix.ipa Running test on iphone emulator Testing with equipment Releasing at App Store ü The application program must subject to evaluation 12-5-20 7

Google Android Application Basics Andriod released the growth from January to September in 2011 12-5-20 8

Google Android Application Basics Andriod Holistic Architecture 12-5-20 9

Google Android Application Basics Android System Architecture - Application program - Application Frame - Program Library - Android Runtime Library - Linux Core 12-5-20 10

catalog iphone&adriodapplicationbasics PentestingiPhoneApplication PentestingAndriodApplication MajorMobileThreats 12-5-20 11

Pentesting iphone Application Areas of focus Include -Network Communication -Privacy -Application Data Storage -Reverse Engineering -URL Schemes -Push Notification 12-5-20 12

Pentesting iphone Application Jailbreak - iphone doesn`t allow unsigned applications - After Jailbreaking,full access to the device - To allow install unauthorized software - Tools: PwnageTool,redsn0w,Sn0wbreeze, Greenpois0n, jailbreakme - It makes our work easier. 12-5-20 13

Pentesting iphone Application Some useful Cydia for safety testing as follows. - OpenSSH:Allows us to connect to the iphone remotely over SSH Adv-cmds:Comes with a set of process commands like ps, kill, finger Sqlite3:Sqlite database client GNU Debugger:For run time analysis & reverse engineering Syslogd:To view iphone logs Veency:Allows to view the phone on the workstation with the help of veency client Tcpdump:To capture network traffic on phone com.ericasadun.utlities:plutil to view property list files Grep:For searching Odcctools:otool object file displaying tool Crackulous:Decrypt iphone apps Hackulous:To install decrypted apps 12-5-20 14

Pentesting iphone Application Connect the SSH to iphone From Cydia Install Open SSH Install SSH Client On PC By default, iphone has two users(root mobile) Ø Root and mobile (default password : alpine ) With root user through SSH connect to phone. SSHthroughWIFI >sshroot@iphoneip > password: alpine SSH through USB >./itunnel_mux --lport 1234 >ssh p1234root@127.0.0.1 >password:alpine 12-5-20 15

Pentesting iphone Application l Network communication ü Mobile application pentesting isn t really all that different. -It involves network communication ü Communication Mechanism -- Clear text Transmission (HTTP) -- Encrypted Transmission (HTTPS) -- Use of Custom or Proprietary protocols 12-5-20 16

Pentesting iphone Application Clear text Transmission Many applications still use clear text transport protocol by 2012.(HTTP) Be more vulnerable to the MITM attack. ü Most people by accessing WIFI, the same WiFi attackers can run like FireSheep tools of attacks To analyze HTTP traffic ü By manual proxy in iphone(set-wlan- manual) 12-5-20 17

Pentesting iphone Application 12-5-20 18

Pentesting iphone Application Encrypted Transmission HTTPS is used to transmission sensitive data With SSL communicate ü Applications may fail veridate SSL cert ü allowsanyhttpscertificateforhost An application of verifying certificate shouldn`t allow MITM To capture the traffic, it needs to loading proxy CA certificate to iphone. 12-5-20 19

Pentesting iphone Application 12-5-20 20

Pentesting iphone Application Custom Protocols Identify the communication protocol, Ø On SSH terminal > tcpdump -w traffic.pcap Ø Loading.pcap in wireshark and analyze May not respect iphone proxy settings. DNS Spoofing techniques to MITM 12-5-20 21

Pentesting iphone Application Privacy Issues - Every iphone has an unique device identifier called UDID - Application may collect device UDID. - With UDID Ø Maybe observe user`s browsing pattern Ø Determine user`s geographical position. Ø Such as Openfient : Mobile social game nets http://corte.si/posts/security/openfeint-udiddeanonymization/ Observe the network traffic to find out UDID transmission. 12-5-20 22

Pentesting iphone Application Application data storage - 76% of mobile applications store data on their phones - 10% of mobile applications store data transmitted on IP network. -TheReasonforstoringdataontheirphones Ø Forthepurposeofachievingbetterperformance. Ø AccessOffline Datastoragelocation a) Plist file b) Keychain c) Logs d) Screenshot e) Home catalogue 12-5-20 23

Pentesting iphone Application Application directory structure - Applications run in a sandbox of mobile ermission. - Each application get a private space of file system. 路 径 Appname.app 说 明 Contains the applica.on code and sta.c data Documents Library Data that may be shared with desktop through itunes Applica.on support files Library/Preferences App specific preferences Library/Caches/ tmp Data that should persist across successive launches of the applica.on but not needed to be backed up Temporary files that do not need to persist across successive launches of the applica.on 12-5-20 24

Reverse Engineering Static analysis Otool Class-dump Pentesting iphone Application Dynamicdebugging gdb l IDA + GDBServer 12-5-20 25

Pentesting iphone Application 12-5-20 26

Pentesting iphone Application 12-5-20 27

Pentesting iphone Application 12-5-20 28

Pentesting iphone Application 12-5-20 29

Pentesting iphone Application 12-5-20 30

catalog iphone&adriodapplicationbasics PentestingiPhoneApplication PentestingAndriodApplication MajorMobileThreats 12-5-20 31

Andriod Systerm Security Feature Andriod is based on Linux, which own its security feature. Process rights management separation, Andriod starts up application with separate account to doing. Each application uses different accounts, it is more effective and safer. Data directory permissions separation, the program data catalogue owners are exactly process users, each process is different, the process directory permissions are seperate, malicious processes can't directly modifiy other process documents. 12-5-20 32

Andriod Systerm Security Feature The application runs in the modified Java environment. It is difficult to attack application by overflowing. By default, the application cannot obtain root for changing key position of operating system. 12-5-20 33

Pentesting Andriod Application Highlights Include Attacking test based systerm Attacking test based application Attacking test based transmission link Attacking test based wap site 12-5-20 34

Pentesting Andriod Application To build a test environment Root device To obtain root ermission with root application program. (Local overflow program) Install busybox (include all kinds of useful system commands) Install rights management program,such as,superuser Instal ssh server Instal QuickSSHd To get root permission by Superuser 12-5-20 35

Pentesting Andriod Application l To build a test environment - To build a wireless link with device. - By QuickSSHd login into and manage equipment. 12-5-20 36

Pentesting Andriod Application l Attacking test based core Andirod is designed and developed based on linux core.meanwhile, retaining all kinds of linux core features,likewise,the way of attack linux core is also true for android system. Based on the core modules installed the rootkit, Linux core level by reforming the rootkit is easy to run in andriod system, and finish all kinds of the underlying operations. Using the development environment to compile corresponding version rootkit module. Using command insmod xxx.ko to install module and carry out backdoor function. 12-5-20 37

Pentesting Andriod Application l Attacking test based on core - Kernel overflow attack Andriod kernel based on C language development, there may be exist overflow vulnerabilities, through the spill that based on the kernel malware programs with the highest permission of the system, the part of the program is to use the principle to operate. 12-5-20 38

Pentesting Andriod Application Application attack testing Most of Andriod software developmented based on Java, which is difficult to overflow attack. But part of the program to improve efficiency or to achieve more advanced functions with developing dynamic module in C/C++, which is easy to overflow attacking. Though compared with traditional PC software, Andriod software`s function relatively simple, but it still there may be all kinds of logic security vulnerabilities Andriod use the default sqlite as a application database, but usually not for encryption, so part of the sensitive data easy to leak. Inquiresing the contents of sqlite database with sqlite3 Andriod Andriod application developmented with Java, which can get he corresponding source through the way of decompilation Through the use of dex2jar can programs into a jar file, 12-5-20 39

Pentesting Andriod Application l Transmission lines attack testing Considering the low configured phone, some application do not have the data link encryption, and sending all kinds of sensitive data in these unencrypted link Mobile phone software currently rarely have the function of through the hardware to sign encryption, so it is easy to attack and intercept the packet by intermediaries and modified. In some on-line transactions of applications, the problem is very serious. 12-5-20 40

Pentesting Andriod Application Capturing the application web packets and test after modifying, with man-in-the-middle tool. 12-5-20 41

Pentesting Andriod Application WAP site attack testing Most of wap sites consider to be compatible various kinds mobile phones (Most mobile phone do not support cookie function ),put session information into url,it is easy to make malicious website get session information and illegal log on though the referrer`s attack Set proxy or using man-in-the-middle attack and safety test for target wap site,find and attack wap vulnerability. 12-5-20 42

catalog iphone&adriodapplicationbasics PentestingiPhoneApplication PentestingAndriodApplication MajorMobileThreats 12-5-20 43

Major Mobile Threats It is easy to lost mobile phone. Equipment and password protection Sensitive files encryption When reboot the mobile, it only design to encrypt mobile data. Boot Rom exploits All files on devise can copy in 10 minutes. Password brute force 4 digits password has been cracked in 20 minutes Mobile App Risks Veracode Top 10 OWASP Mobile Top 10 12-5-20 44

WEB 应 用 安 全 和 数 据 库 安 全 的 领 航 者! 安 恒 信 息 技 术 有 限 公 司 www.dbappsecurity.com.cn

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information