Mobile Hacking

Roadsec 2022

Daiane Santos

July 16, 2022

Transcript

  1. disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer.
  2. Agenda:
    - about me
    - introduction
    - attack surface
    - server-side attacks
    - client-side attacks
    - reversing android
    - thanks
  3. server-side vulnerabilities: Most of the communication between an application and a user occurs through a server, as it is the server that stores and processes all the data that enables the application to run: authentication data, business data, financial or transactional data, personal data, etc.
  4. server-side vulnerabilities:
    - Weak Server-Side Controls
    - Insecure Data Storage
    - Insufficient Transport Layer Protection
    - Poor Authentication and Authorization
    - Broken Cryptography
    - Security Decisions via Untrusted Inputs
    - Improper Session Handling
  5. Client-Side Attacks:
    - Injections
    - Local Storage
    - Web Messaging
    - WebSockets
    - ClickJacking
    - Cross-origin Resource Sharing (CORS) -> CSRF
  6. reversing: What are we looking for?
    - API calls or endpoints
    - understanding the way some security controls are implemented (root detection -> SuperUser)
    - hardcoded sensitive information inside the code: backdoor accounts, API keys and secrets, passwords...
    - interesting strings
    - points of encryption and obfuscation, so we can decrypt and de-obfuscate
  7. reversing:
    - Activities: Components that provide a screen with which users can interact.
    - Broadcast receivers: Components that receive and respond to broadcast messages from other apps or from the operating system.
    - Services: Components that perform operations in the background.
  8. other files:
    - classes.dex: This file contains the Dalvik bytecode; it is executed when an app runs.
    - resources.arsc: This file acts like an index of all mentioned resources.
  9. other files:
    - lib/: Composed of the native libs of the application.
    - assets/: Additional libs and other files that are necessary to the app.
    - res/: Directory with all resources: activity XMLs, layouts, images...
  10. attacks on activities: If an application has an activity that is exported, other applications can also invoke it.

        <activity android:label="@string/profile" android:name=".activities.ViewProfile" android:exported="true" />

    This can be invoked by other malicious applications that are running on the device.
  11. attacks on broadcast receivers: That means any application will be able to send arbitrary, uncontrolled SMSs.
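
An added example, not part of the original deck: a short Python audit of a decoded AndroidManifest.xml that lists the exported activities, receivers and services (slides 10 and 11) that have no `android:permission` guard. It assumes the manifest has already been decoded to plain XML; the sample manifest, the package name and every component other than `ViewProfile` are constructed for the demo.

```python
# Added example: audit a decoded AndroidManifest.xml for exported components.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "receiver", "service")  # component types named in the slides

# Constructed sample manifest: the first activity is the one from slide 10,
# every other entry and the package name are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:label="@string/profile" android:name=".activities.ViewProfile" android:exported="true" />
    <activity android:name=".activities.Main" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN" /><category android:name="android.intent.category.LAUNCHER" /></intent-filter>
    </activity>
    <activity android:name=".activities.Settings" android:exported="false" />
    <receiver android:name=".receivers.SendSms">
      <intent-filter><action android:name="com.example.demo.SEND_SMS" /></intent-filter>
    </receiver>
    <service android:name=".services.Sync" android:exported="true" android:permission="com.example.demo.SYNC" />
  </application>
</manifest>"""

def is_launcher(comp):
    """True when one intent-filter declares both MAIN and LAUNCHER (must stay exported)."""
    for f in comp.findall("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in f.findall("action")}
        cats = {c.get(ANDROID + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def audit_manifest(xml_text):
    """Return (tag, name, reason) for each exported component with no permission guard."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for comp in (c for c in app if c.tag in COMPONENTS):
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Before targetSdkVersion 31, an intent-filter makes a component exported by default.
            is_exported, reason = comp.find("intent-filter") is not None, "implicit (intent-filter)"
        else:
            is_exported, reason = exported == "true", "explicit"
        if is_exported and not comp.get(ANDROID + "permission") and not is_launcher(comp):
            findings.append((comp.tag, comp.get(ANDROID + "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:28} exported: {reason}")
```

Each finding is a component to either mark `android:exported="false"` or protect with a permission; the launcher activity is skipped because it has to be exported.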