
Shadow Runners 2


An evaluation of the current situation around (somewhat) illicit behaviors of published iOS/Android applications. (OWASP Saitama MTG #19, talk #1)

Takahiro Yoshimura

April 30, 2024



Transcript

  1. WHO I AM
     ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey
     ▸ Monolith Works Inc. co-founder, CTO; security researcher
     ▸ Visiting researcher, Meiji University Cyber Security Laboratory
  2. WHAT I DO
     ▸ Security research and development
     ▸ iOS/Android apps → financial, games, IoT-related, etc. (>200) → trueseeing: non-decompiling Android application vulnerability scanner [2017]
     ▸ Windows/Mac/Web/HTML5 apps → POS, RAD tools, etc.
     ▸ Network/web penetration testing → PCI-DSS etc.
     ▸ Search engine reconnaissance (aka Google hacking)
     ▸ Whitebox testing
     ▸ Forensic analysis
  3. WHAT I DO
     ▸ CTF
     ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: won
     ▸ METI CTFCJ 2012: 3rd
     ▸ DEF CON 21 CTF: 6th
     ▸ DEF CON 22 OpenCTF: 4th
     ▸ Talks and presentations: DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020), etc.
     Image by Wiyre Media on flickr, CC-BY 2.0
  4. BACKGROUND
     ▸ iOS apps: quality is assured by App Review at release time
     ▸ Checking the API usage report
     ▸ Checking actual behavior
     ▸ What about dynamic loading and the like? → Emulators were recently allowed, but… → prohibited by App Review Guidelines 2.5.2
     Image by Microsiervos on flickr, CC-BY 2.0
  5. TOOLCHAINS
     ▸ Ghidra: multiarch disassembler (NSA) - 10.3.2
     ▸ Trueseeing: non-decompiling Android app vulnerability scanner (alterakey et al.) - 2.2.3
     ▸ frida-ios-dump: binary dumper (Alone_Monkey et al.)
     Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0
  6. TOOLCHAINS?
     ▸ Isn't trueseeing Android-only?
     ▸ Heavily reworked in the 2.2 series; in particular: file format extension API, signature extension API
     ▸ Given a suitable file format handler plus signatures, iOS app analysis is entirely possible (!)
     ▸ Sorry to have kept you waiting…
     Image by _gift on flickr, CC-BY-NC-ND 2.0
  7. CASE STUDY #1. FACEBOOK
     ▸ facebook
     ▸ Dynamic code loading
     ▸ Stack-based VM
     ▸ Enumeration of feeds
     ▸ Furthermore: indications that code is loaded from ads
  8. CASE STUDY #1. FACEBOOK -- BUSTED
     ▸ Clear violation
     ▸ A mechanism that executes code coming from ads is especially high-risk
     ▸ …why is something like this left unchecked?
     Image by Remy Sharp on flickr, CC-BY-SA 2.0
  9. CASE STUDY #2. LINE
     ▸ LINE
     ▸ Dynamic code loading
     ▸ Inappropriate system calls: possibly a VM
     ▸ Inappropriate libraries
  10. CASE STUDY #2. LINE -- BUSTED
     ▸ High likelihood of a violation
     ▸ Unsettling, to put it mildly
     ▸ syscall, fork
     ▸ Reuses a cryptographic implementation from the Mbed stack → an implementation that is hard to call secure
     Image by Cloudtail the Snow Leopard on flickr, CC-BY-NC-ND 2.0
  11. CASE STUDY #3. GMAIL -- QUESTIONABLE
     ▸ JVM + possibly j2objc
     ▸ This alone does not seem to violate 2.5.2, but what about 2.3.1 (no hidden features)?
     ▸ An ordinary developer doing this would probably be rejected; a decidedly unusual structure
     Image by Bricknave on flickr, CC-BY-NC-ND 2.0
  12. CASE STUDY #4. GOOGLE MAPS
     ▸ Google Maps
     Image by bluman on flickr, CC-BY-NC-ND 2.0
  13. CASE STUDY #4. GOOGLE MAPS
     ▸ Google Maps
     ▸ Heavy use of reflection → could also be read as concealment of behavior
  14. CASE STUDY #4. GOOGLE MAPS -- QUESTIONABLE
     ▸ Possible static-analysis evasion
     ▸ A little reflection is perfectly normal; that is, an ordinary developer doing this would probably not be rejected → suggests API usage patterns can be manipulated to some extent
     ▸ What about 2.3.1 (no hidden features)? → Humans cannot catch everything by hand
     Image by Portraying Life, LLC on flickr, CC-BY-NC-ND 2.0
  15. TOOLCHAINS
     ▸ Trueseeing: non-decompiling Android app vulnerability scanner (alterakey et al.) - 2.2.3 ※ made it onto the awesome-android-security list…
     Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0
  16. CASE STUDY #5. SHEIN
     ▸ SHEIN
     Image by Dick Thomas Johnson on flickr, CC-BY 2.0
  17. FINDINGS
     ▸ Static analysis
     ▸ Dynamic dex loading (from obfuscated classes)
     ▸ Wi-Fi BSSID acquisition and signal-strength calculation
     ▸ Use of a proprietary DNS service for traffic going through the Okhttp stack (HTTP-based; signed)
     ▸ Detection of: debugging / rooted / VPN / proxy
     ▸ Passing around of the debug-detection flag
  18. CASE STUDY #5 SHEIN -- BUSTED
     ▸ More than nasty enough…
     ▸ Is there no concept of privacy? Especially TrustDefender: device-unique information, Wi-Fi… → the party being protected is the publisher
     ▸ Probably left alone because no complaints have come in?
     ▸ This is one way to run things, but a problematic one
     ▸ Since, in general, the EULA prohibits analysis
     Image by Mark Freeth on flickr, CC-BY 2.0
  19. TAKEAWAYS
     ▸ iOS: officially, dynamic code loading is not allowed in apps
     ▸ But in practice: the rule has largely become a dead letter → the possibility of deference toward publishers stands out (remember the earlier TikTok analysis session…)
     ▸ Not just dynamic code loading; VMs and the like are rampant, and there is also static-analysis evasion via heavy reflection
     ▸ Human review does not contribute to safety… Apple should consider not only API usage patterns but call frequency as well
     Image by Cairo on flickr, CC-BY-NC-ND 2.0
  20. TAKEAWAYS
     ▸ Android: do anything odd and you get killed off
     ▸ But in practice: here too the rule has largely become a dead letter → publishers do as they please, because:
     ▸ → ordinary users are bound by the EULA, which makes analysis difficult
     ▸ Mass data collection, persistent device-environment detection, slipping past DNS, static-analysis evasion via reflection… (clipboard access, eavesdropping on and tampering with traffic, loading unsigned external code, etc.; rampant via SDKs)
     ▸ At minimum, spot checks are needed; ideally, continuous monitoring
     Image by Cairo on flickr, CC-BY-NC-ND 2.0
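The takeaways argue that reviewers should look at call frequency, not just at which APIs an app references, and the findings on slides 17 and 19 name the patterns that matter (dynamic dex loading, heavy reflection, Wi-Fi fingerprinting, environment detection). The following is an added example, not code from the talk or from trueseeing, showing one way such a frequency-aware triage can be done over disassembler-style `invoke-*` lines. The category names, the reflection-ratio threshold and the sample lines are this example's own constructions; the Android and Java class/method names are real.

```python
"""Triage of Android API usage patterns by call frequency.

Added example (not trueseeing code): counts sensitive API call sites in
smali-style `invoke-*` lines, as an Android disassembler would emit them,
so a reviewer sees not only *which* APIs an app touches but *how often*.
"""
import re
from collections import Counter

# Real Android/Java class+method prefixes grouped into categories whose
# names are this example's own choice.
SIGNATURES = {
    "dynamic_code_loading": (
        "Ldalvik/system/DexClassLoader;-><init>",
        "Ldalvik/system/InMemoryDexClassLoader;-><init>",
        "Ldalvik/system/PathClassLoader;-><init>",
    ),
    "reflection": (
        "Ljava/lang/Class;->forName",
        "Ljava/lang/Class;->getDeclaredMethod",
        "Ljava/lang/Class;->getMethod",
        "Ljava/lang/reflect/Method;->invoke",
    ),
    "device_fingerprinting": (
        "Landroid/net/wifi/WifiManager;->getConnectionInfo",
        "Landroid/net/wifi/WifiInfo;->getBSSID",
        "Landroid/net/wifi/WifiInfo;->getRssi",
        "Landroid/net/wifi/WifiManager;->calculateSignalLevel",
    ),
    "environment_detection": (
        "Landroid/os/Debug;->isDebuggerConnected",
        "Landroid/net/ConnectivityManager;->getNetworkCapabilities",
        "Ljava/lang/System;->getProperty",  # e.g. http.proxyHost lookups
    ),
}

# Matches: invoke-virtual {v0, v1}, Lpkg/Cls;->method(Args)Ret
INVOKE_RE = re.compile(
    r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;->[\w<>]+)"
)

def classify(target):
    """Return the category of a `Lpkg/Cls;->method` target, or None."""
    for category, prefixes in SIGNATURES.items():
        if target.startswith(prefixes):
            return category
    return None

def triage(smali_lines, reflection_ratio_threshold=0.25):
    """Count call sites per category across all invoke instructions.

    Returns (counts, total_invokes, findings). `findings` lists what a
    reviewer should look at: any dynamic loading at all, and reflection
    once it exceeds `reflection_ratio_threshold` of all call sites (the
    threshold is an assumed, tunable value).
    """
    counts = Counter()
    total = 0
    for line in smali_lines:
        match = INVOKE_RE.match(line)
        if not match:
            continue
        total += 1
        category = classify(match.group(1))
        if category:
            counts[category] += 1
    findings = []
    if counts["dynamic_code_loading"]:
        findings.append("dynamic_code_loading")
    if total and counts["reflection"] / total > reflection_ratio_threshold:
        findings.append("reflection_heavy")
    return counts, total, findings

# Constructed sample: smali-style lines written for this example, not
# taken from any real application.
SAMPLE = """
invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
invoke-virtual {v0, v1, v2}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
invoke-virtual {v3, v4, v5}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
invoke-direct {v6, v7, v8, v9, v10}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
invoke-virtual {v11}, Landroid/net/wifi/WifiManager;->getConnectionInfo()Landroid/net/wifi/WifiInfo;
invoke-virtual {v12}, Landroid/net/wifi/WifiInfo;->getBSSID()Ljava/lang/String;
invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z
invoke-virtual {v13}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
invoke-virtual {v14, v15}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
""".strip().splitlines()

if __name__ == "__main__":
    counts, total, findings = triage(SAMPLE)
    print(f"{total} invoke sites; per category: {dict(counts)}")
    print("findings:", findings)
```

On the constructed sample, three of nine call sites are reflection and one constructs a `DexClassLoader`, so both findings fire; the point of reporting the ratio rather than a boolean is that a few reflection calls are ordinary (slide 14), while reflection dominating an app's call sites is what warrants a closer look.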