Mobile Appsec from an attacker's perspective

Abhisek Datta
September 11, 2017

The talk is intended to set the context for a wider discussion on Mobile App Security with some background on web application security. This talk will briefly introduce the participants to the various tools and techniques available in the arsenal of a potential attacker with the objective of spreading security awareness.

Transcript

  1. Mobile App Security
    From an Attacker's Perspective
    Application Security Clinic
    Abhisek Datta | @abh1sek

  2. About Appsecco
    § Pragmatic, holistic, business-focused approach
    § Specialist Application Security company
    § Highly experienced and diverse team
    § Commercial
    § Security; Gold Standards
    Def Con speakers | Assigned multiple CVEs | Certified Hackers | OWASP chapter leads

  3. Appsecco Application Security Clinic? WHY
    To set the stage for Q&A and Open Discussion among people
    seeking clear pragmatic answers for security problems.

  4. Appsecco Application Security Clinic? WHAT
    Ø Primer Talk to set the context
    Ø Curated Q&A
    Ø Open Discussion (BoF)

  5. Appsecco Application Security Clinic?
    Space & Time for
    Security Discussion

  6. How to Secure Stuff ?

  7. TRUST

  8. Think Trust - Linux Security
    THEN
    • File system permissions
    • Chroot / Jails
    • Privilege Separation
    NOW
    • File system permissions
    • Chroot / Jails
    • Privilege Separation
    • ASLR / KASLR
    • NX
    • Hardened Toolchain
    • Etc.

  9. Evolution of Trust – Linux to Android Sandbox
    • Android Security Model
      • Linux File System Permission
      • Linux Process Separation
      • Each app gets its own sandbox
    • Defense in Depth
      • Full Disk Encryption
      • ASLR / NX
      • Secure Boot

  10. Trust Model in iOS
    • iOS Security Model
      • App sandbox
      • App code signing
    • Defense in Depth
      • Full Disk Encryption
      • ASLR / NX
      • Secure Boot

  11. Can you trust the platform?

  12. Can you Trust the platform?
    Potentially exploitable WebView
    Android WebView addJavascriptInterface Remote Code Execution Exploit

  13. Can you Trust the platform?
    Malicious JavaScript to execute an arbitrary local command on the phone
    Android WebView addJavascriptInterface Remote Code Execution Exploit

  14. Can you Trust the platform?
    Android WebView addJavascriptInterface Remote Code Execution Exploit
    The issue is fixed in Android API level 17+ (Android 4.2)

  15. Variation in Establishing Trust
    Facebook password reset code vulnerability:
    • Mitigated through rate limiting on www.facebook.com
    • Vulnerable in mbasic.beta.facebook.com
    • 6 digit reset code
    http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

  16. Variation in Establishing Trust
    So What? An attacker could reset the password of any Facebook account
    identified by email address or mobile number by brute-forcing the 6 digit
    recovery code.
    http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
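    The defensive counterpart of slides 15 and 16, as an added example (not from the talk and not Facebook's code): a reset-code verifier in which every front end, www and mbasic alike, draws on one per-account guess budget, together with the arithmetic for why that budget decides whether a 6-digit code survives brute force. The class and function names and the budget of 10 guesses are assumptions.

```python
import hmac
import secrets

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS
MAX_ATTEMPTS = 10  # assumed guess budget per issued code; the talk only says rate limiting existed


class ResetCodeStore:
    """Issues one-time reset codes and counts guesses per account, never per endpoint."""

    def __init__(self):
        self._codes = {}                # account -> [code, guesses_remaining]
        self.attempts_by_endpoint = {}  # monitoring only: which front end sends guesses

    def issue(self, account):
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._codes[account] = [code, MAX_ATTEMPTS]
        return code

    def verify(self, account, guess, endpoint):
        """True only for the correct code while the account's budget is not exhausted.

        The endpoint is recorded for detection but never selects a counter: a separate
        counter per hostname is exactly the gap the mbasic front end exposed.
        """
        self.attempts_by_endpoint[endpoint] = self.attempts_by_endpoint.get(endpoint, 0) + 1
        entry = self._codes.get(account)
        if entry is None or entry[1] <= 0:
            return False            # no live code, or locked: a fresh code must be issued
        entry[1] -= 1
        if hmac.compare_digest(entry[0], guess):
            del self._codes[account]  # single use
            return True
        return False


def brute_force_success_probability(attempts=MAX_ATTEMPTS, digits=CODE_DIGITS):
    """Chance that a guesser limited to `attempts` tries hits a uniform `digits`-digit code."""
    space = 10 ** digits
    return min(attempts, space) / space
```

    With the budget in place the guesser's odds are 10 / 1,000,000; without it, the full 1,000,000-guess space is reachable and the odds are 1.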

  17. What does an attacker do?
    Try to find ways to break the TRUST

  18. What does an attacker do?
    Weak passwords?
    Weak validations?
    Open systems / endpoints?
    Public exploits
    0days !!

  19. API to Guess What?
    So What? Public re-use of restricted capability.

  20. API to Guess What?
    The TRUST or assumption that no one will
    look inside a compiled app (apk) was
    violated here.
    Pro Tip: Security by obscurity DOESN’T WORK

  21. .. Sometimes not so easy
    BROADPWN
    Remotely Compromising Android & iOS
    devices through a bug in Broadcom’s WiFi
    chipset
    https://blog.exodusintel.com/2017/07/26/broadpwn/

  22. Mobile App Attackers Arsenal

  23. Mobile App Attackers Arsenal
    The Proxy
    .. and a few other tools, really

  24. Attacker Setup – The Proxy

  25. Mobile App Attackers Arsenal
    An interception proxy such as Burp or
    OWASP ZAP gives tremendous insight –
    the ability to see what's up and what's out there ..

  26. Mobile App Attackers Arsenal
    Looking inside the app –
    say hello to Static Analysis
    • Hardcoded credentials
    • (Open?) API URLs
    • Request & response data model
    • Decompiled source code (?!?!?!?)

  27. Android App Static Analysis
    $ apktool d sample.apk                    -> AndroidManifest.xml, smali code
    $ unzip sample.apk
    $ d2j-dex2jar.sh classes.dex
    $ open -a "JD-GUI" classes-dex2jar.jar    -> Android APK to Java source code
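    What a defender does with the output of that pipeline, as an added example (not from the talk): a small Python scanner over the directory `apktool d` produces, looking for the hardcoded credentials and API URLs that slide 26 lists, so they are found in review before an attacker finds them. The smali and strings.xml content is constructed, not from any real app, and the secret-name heuristic is an assumption.

```python
import re
from pathlib import Path

SMALI_CONST = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
XML_STRING = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
URL = re.compile(r'https?://[^\s"\'<>]+')
SECRET_NAME = re.compile(r'api[_-]?key|secret|passw(?:or)?d|token', re.I)  # assumed heuristic

def classify(context, value, where):
    """Findings for one string literal as (kind, detail, location) tuples."""
    out = [("url", u, where) for u in URL.findall(value)]
    # A non-URL literal stored under a secret-like field or resource name deserves a manual look.
    if not out and len(value) >= 8 and SECRET_NAME.search(context):
        out.append(("possible_credential", value, where))
    return out

def scan_files(files):
    """files: {relative path: text} as read from an `apktool d` output directory."""
    findings = []
    for rel, text in sorted(files.items()):
        name = rel.rsplit("/", 1)[-1]
        if name.endswith(".smali"):
            lines = text.splitlines()
            for i, line in enumerate(lines):
                for m in SMALI_CONST.finditer(line):
                    # The sput/iput on the next line names the field that receives the literal.
                    ctx = line + " " + (lines[i + 1] if i + 1 < len(lines) else "")
                    findings += classify(ctx, m.group(1), f"{name}:{i + 1}")
        elif name == "strings.xml":
            for m in XML_STRING.finditer(text):
                findings += classify(m.group(1), m.group(2), rel)
    return findings

def scan_tree(root):  # read a real `apktool d` output directory from disk and scan it
    return scan_files({str(p.relative_to(root)): p.read_text(errors="replace")
                       for p in Path(root).rglob("*") if p.is_file()})

# Constructed stand-in for `apktool d sample.apk` output; not taken from any real app.
SAMPLE_TREE = {
    "smali/com/example/Config.smali": "\n".join([
        ".class public Lcom/example/Config;", ".method static constructor <clinit>()V",
        '    const-string v0, "https://api.example.test/v1/"',
        "    sput-object v0, Lcom/example/Config;->BASE_URL:Ljava/lang/String;",
        '    const-string v0, "sk_live_CONSTRUCTED_EXAMPLE_0000"',
        "    sput-object v0, Lcom/example/Config;->API_KEY:Ljava/lang/String;",
        "    return-void", ".end method"]),
    "res/values/strings.xml": ('<resources>\n<string name="app_name">Sample</string>\n'
                               '<string name="backend_password">hunter2hunter2</string>\n</resources>'),
}
```

    `scan_files(SAMPLE_TREE)` reports the API URL and the two literals stored under secret-like names; `scan_tree("sample/")` runs the same checks over an actual apktool output directory.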

  28. (image-only slide; no transcript text)

  29. Mobile Backend as a Service (MBaaS)
    • AuthN & AuthZ
    • Push Notification
    • Business Logic
    • API
    • User Management

  30. Attack Surfaces ?
    • AuthN & AuthZ
    • Push Notification
    • Business Logic
    • API
    • User Management
    Is the channel secure?

  31. What Next – Target the App
    • Hardcoded credentials
    • Insecure local storage
    • Insecure interfaces (Intent Handlers, Broadcast Receivers etc.)
    • Etc.

  32. What Next – Target the Backend Services & Infra
    • Web vulnerabilities
    • Insecure API endpoints
    • Known vulnerable components
    • Security misconfiguration
    • Etc.

  33. How to Secure ?
    Every component that takes an input directly or indirectly can
    have a potential attack surface.
    Security is implemented by reducing attack surface by
    enforcing trust or applying mitigations.

  34. Building Secure Stuff – Where to start?
    • The OWASP Project
    • OWASP ASVS
    • OWASP Top 10
    • OWASP Mobile Top 10
    • OWASP Testers Guide
    • Think like a potential attacker
    • Attack surface?
    • What are the assumptions in the system?

  35. Thank You
    .. Let the discussions begin!
    @abh1sek
    abhisek
    @appseccouk

  36. Appsecco Application
    Security Clinic
    Q&A
