Staring into chaos
Takahiro Yoshimura
June 28, 2022
Technology
Quick evaluation of the security postures of the iOS/Android app stores. (OWASP Saitama MTG #8, talk #1)
Transcript
STARING INTO CHAOS
OWASP SAITAMA MTG #8, TALK #1
Image by ST1138 on flickr, CC-BY-NC-ND 2.0

SESSION FLAGS
▸ ըɾԻɾެ։: OK
Image by Nico Kaiser on flickr, CC-BY 2.0

WHO I AM
▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey
▸ Monolith Works Inc. Co-founder, CTO, Security researcher
▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ ٬һݚڀһ

WHAT I DO
▸ Security research and development
▸ iOS/Android Apps → Financial, Games, IoT related, etc. (>200) → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
▸ Windows/Mac/Web/HTML5 Apps → POS, RAD tools etc.
▸ Network/Web penetration testing → PCI-DSS etc.
▸ Search engine reconnaissance (aka Google Hacking)
▸ Whitebox testing
▸ Forensic analysis

WHAT I DO
▸ CTF
▸ Enemy10, Sutegoma2
▸ METI CTFCJ 2012 Qual.: Won
▸ METI CTFCJ 2012: 3rd
▸ DEF CON 21 CTF: 6th
▸ DEF CON 22 OpenCTF: 4th
▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020) etc.
Image by Wiyre Media on flickr, CC-BY 2.0

BACKGROUND
▸ ΞϓϦͷڍಈʹ͍ͭͯશͯѲ͍ͯ͠·͔͢ʁ
▸ ඞͣ͠ਧௌ͍ͯ͠Δ௨ΓͰ͋Δඞཁͳ͍ →ॻ͖खͷࣗ༝
▸ ͰϢʔβ͔ΒࠔΔ…
Image by Sam Azgor on flickr, CC-BY 2.0

ANDROID: STATIC ANALYSIS + DEATH TRAP
▸ ެ։࣌ʹࣗಈղੳΛࢪ͠ѱҙͷͳ͍͜ͱΛ֬ೝ
▸ Ϣʔβ͔Βͷใࠂ͋Δ͍ൈ͖ଧͪݕࠪͰ ΞΧϯτBANॲஔ → σετϥοϓ
▸ ܯࠂ΄΅͠ͳ͍
▸ ΄΅ฉ͔ͳ͍ (HNͳͲʹࢮࢡྦྷʑ)
▸ نఆͷվఆʹԠ͢Δ·Ͱެ։ఀࢭॲஔ
▸ େখΘͣͨͩͷҰϢʔβͰ͔͠ͳ͍
Image by Daniel Arrhakis - Visual Arts on flickr, CC-BY-NC 2.0

IOS: MANUAL REVIEW
▸ ެ։࣌ʹਓ͕ؒΞϓϦΛ֬ೝ
▸ UIنఆҧͳͲ; ʮUIنఆʯͱ͍͍࣮࣭ͭͭతͳશମن
▸ ҧͨ͠߹reject
▸ ԟʑʹͯ͠ԇᅀͷࠜݯ
▸ ͋ΔఔॊೈʹରԠͯ͘͠ΕΔ
Image by Giåm on flickr, CC-BY-SA 2.0

MANUAL REVIEWING IS SAFER..?
▸ iOSͷ߹Appleͷελοϑ͕ΞϓϦΛ֬ೝͯ͠ ͍ΔͷͰมͳΞϓϦೖͬͯ͜ͳ͍ʢͷͰ AndroidͳΜ͔ΑΓ҆શʣͱ͍͏Ұൠೝࣝ
▸ ຊʹʁ
Image by Glen Bledsoe on flickr, CC-BY 2.0

A. REMOTE FLAGS TO CONTROL BEHAVIOR
▸ ࿈ܞ͢ΔAPIαʔόʹ͓͍ͯηʔϑͳ༰Λ͢ ͜ͱͰ৹ࠪΛΓൈ͚Δख๏
▸ ໌Β͔ͳςετڥͩͱreject͞ΕΔ →ͦΕͳΓʹ͓͑ͯ͘ඞཁ͕͋Δ
▸ ΘΓͱྑ͘ݟ͔͚Δ
▸ ৹ࠪ༻ڥ/εςʔδϯάڥ etc.
Image by Vinicius | www.viniciuscvenancio.com.br on flickr, CC-BY-NC-ND 2.0

CASE #0
▸ ອըΞϓϦ
▸ ອըѪ͞Ε͍ͯΔ͕จԽతʹ᫁Λྑ͘ੜΉ

CASE #0
▸ ੩తղੳ
  * Extract: checkra1n + frida-ios-dump
  * Analysis: Ghidra 10
▸ APIαʔόΛܦ༝͢Δࣔࠦ
▸ ༨ஊ: DFUϞʔυʹೖΕΔ࣌ʹେมͳۤ࿑ →macOS͔Βͷׯব͕ଟݪҼ →checkra1n 0.12.4M1Ͱಈ࡞͠ͳ͍

CASE #0
▸ τϥϑΟοΫղੳ
  * Aggregation: StrongSwan 5.8 + iptables
  * Analysis: Burp Suite (transparent proxy)
  ※transparent proxy mode͕Ͱ͖ΕZAP/ mitmproxyͳͲͰͳ͘Ͱ͖Δ
▸ APIαʔόͷԠͰίϯτϩʔϧ͞ΕΔ؍ଌ

CASE #0
▸ APIαʔόʹڍಈΛ੍ޚ͞Ε͍ͯΔ →ʢݴ͍ํѱ͍͕ʣӅṭՄೳ
▸ ͨΓલͱݴΘΕΕͦ͏͕ͩ…
▸ ৹ࠪظؒதʹมͳͷΛग़͢ॴҎͳ͍ͣ

CASE #1: ಠΞϓϦ
▸ Ұݟແͳɺࠂ͖ΞϓϦ
▸ ͦͦ4+

CASE #1: ಠΞϓϦ
▸ ͕… ࠂͷ༰͕…
▸ ։ൃݩ͕ࠂιʔεઃఆΛม͑ͨՄೳੑ →ཧ༝͕ͳΜͰ͋Εෆద →ࠂ͕ݪҼͰreject͞ΕΔ͜ͱ͕વ͋Δ
▸ ࢠڙ༻ͷApple IDͰ͋Εࠂ༰ن੍͞Ε Δ͕ͣͩ… ࠅ͍ࠂओ͕ᬚ͍ͯ͠Δ

CASE #2: ਓ͚ίϯςϯπ
▸ ͍ΘΏΔແमਖ਼ίϯςϯπΛ৴͍ͯ͠Δʁ →͜Ε͓͔͍͠
▸ ͦͦ: iOS͜͏͍͏ͷΛڐ͍ͯ͠ͳ͍ →δϣϒε࣌ΫοΫ࣌Ұ؏͍ͯ͠Δ
▸ ৹ࠪ࣌ʹӅṭͨ͠ͱߟ͑Δͷ͕ଥͰͳ͍͔

CASE #3: SNS
▸ ͔ͭͯΑΓWebίϯςϯπΛࣗ༝ʹදࣔͰ͖Δ ͷ17+ͱ͍͏ن੍͕͋Δ
▸ SNSྨʹ͓͍ͯϝοηʔδͰࢦࣔ͞ΕͨURL͕ ։͚Δ→͜ͷϧʔϧ͕ద༻ʹͳΔͷͰͳ͍ ͔ʁ
Image by 5kul1k on flickr, CC-BY 2.0

CASE #3: SNS
▸ େ෦͕12+Ͱྲྀ௨; ࣌ྲྀʁ
▸ LINE: 12+
▸ Snapchat/Facebook/Instagram: 12+
▸ TikTok: 12+
▸ Twitter: 17+ (←ͳͥʁ)
▸ Telegram: 17+ (←ͳͥʁʁ)

CASE #3: SNS
▸ Kakao Talk: 4+ʁʁʁ
▸ ઌྫʹͳΒ͑12+͕ଥͰͳ͍ͷ͔
▸ ॳػೳ͋Δ͍ن੍͕গͳ͔ͬͨ࣌ظʹ4+ ͰऔΓɺͦΕ͔Βͳ่͠͠తʹདྷͨՄೳੑʁ ʢi.e. มߋਃࠂ͍ͯ͠ͳ͍ʁʣ

B. REVIEWERS MATTER
▸ ϨϏϡΞʔʮΨνϟʯΛ௨Δ·Ͱճͯ͠Γൈ͚ Δํ๏
▸ App IDΛม͑ͯΓൈ͚ͨྫ͋Δ
▸ ϨϏϡʔࣗମٕͦͦज़తʹ
▸ େྔͷΞϓϦΛࡹ͔ͳ͍͚ͯ͘ͳ͍
▸ ຊ֨తͳղੳΛߦͳ͏ʹ͕͔͔࣌ؒΔ
▸ ࣌ؒʹΘΕͳ͕Βେͷ࣭Λݟ͍ͯΔͱ ͢Δͷ͕ଥ
Image by kleuske on flickr, CC-BY-SA 2.0

C. EXPEDITED REVIEW REQUESTED
▸ ಛٸϨϏϡʔΛཁٻ͠ѹྗΛֻ͚Δख๏
▸ Ҏલ৽نΞϓϦʹ༻Ͱ͖ͳ͔ͬͨ
▸ Ӆ͠ػೳѱҙͷ͋ΔίʔυΛݟ͵͚Δ͔ʁ →࣮֬ͳݕෆೳͱԾఆ͢Δͷ͕ଥ
▸ ৽نΞϓϦͰ͋ΕؾΛ͚ͭΔͩΖ͏͕ɺ ҰΫϩʔϦϯάͨ͠ΞϓϦͰ͋ͬͨΒ…
Image by foshydog on flickr, CC-BY-NC-ND 2.0

CONCLUSION
▸ ਓྗϨϏϡʔࣗಈղੳ+σετϥοϓΑΓ༗ޮͱ ܾͯ͠ݴ͑ͳ͍
▸ iOSਓ͕ؒݟ͍ͯΔ͔Β҆શͱ͍͏େऺ৴ڼʹ શࠜ͘ڌ͕ͳ͍; Ή͠Ζةݥ (i.e. false sense of …)
▸ ͨͩͷҰͷঢ়ଶΛݕূ͍ͯ͠Δ͚ͩ →Androidํࣜʹࢍ൱྆͋Δ͕༏ल
▸ ਓؒʹਓؒͷϛε; རͱͯ͠ײੑͷΈ →ݟམ͠ɺ৺ཧঢ়ଶͳͲ
Image by chaim zvi on flickr, CC-BY-ND 2.0

CONCLUSION
▸ Stay safe!
Image by ▓▒░ TORLEY ░▒▓ on flickr, CC-BY-SA 2.0

Q?

ONE MORE THING..
Image by mac-ash on flickr, CC-BY-NC-ND 2.0

TIKTOK ..
▸ TikTok…͋Ε͔ΒͲ͏ͳͬͨͷ͔
▸ iOS.. Pasteboardؔ࿈notif.Ͳ͏ͳͬͨͷ͔…
▸ Notificationݟͳ͘ͳͬͨ

TIKTOK ..
▸ ݟͳ͘ͳͬͨཁҼ: iOS 14ʹ͓͍ͯܗࣜಛఆ༻API͕Ճ͞ΕͨͨΊ
▸ iOS 15: Secure Pasteboard; ΞΫςΟϒͳΞϓϦҎ֎ ͔ΒPasteboardΛಡΊͳ͍Α͏ʹվળˠAndroidͰ લ͔Βۭ͋ͬͨ࣌తޚػߏ ※iOS 14Ͱಋೖ͞ΕͨΑ͏ͳ௨͕Android 12Ͱ Ճ͞Ε͍ͯΔ… ྲྀΕతʹෆཁͳ͕ͣͩʁ
▸ TikTok: ΓํΛม͍͑ͯΔՄೳੑ →ͳΜΒ͔ͷճආํࡦʁݕূ͕ඞཁ

FIN. 28.6.2022 TAKAHIRO YOSHIMURA (@ALTERAKEY)