
Common crypto flaws in finance mobile apps

duongkai
January 08, 2016

Tetcon 2016

Transcript

  1. Agenda

     - Why we have this talk?
     - How I do this?
     - Common crypto flaws I found
     - Conclusion

     Disclaimer: These are my opinions, not my employer's.
  2. This talk started when...

     - After some source code review projects, some flaws occurred repeatedly.
     - Learning crypto is hard.
     - The developers did not understand why they do what they do, for many reasons.
     - Google/Stackoverflow copy&paste patterns.
     - Importantly, I am a customer.
  3. Answer These Questions

     - Are they using HTTP or HTTPS API endpoints?
     - Is HTTPS used correctly?
     - Do they use weak crypto primitives (AES/ECB, MD5, RSA/PKCS1.5)?
     - Did they try to reinvent the wheel?

     This is an ordinary source code review. No exploitation code here (although it can be).
  4. It is RE work

     - Get the APK from Google Play services or PureAPK.
     - Decompile the APK to source code using LinkedIn Qark, JAD and APKTool.
     - Assess the API endpoints embedded in the source code using Qualys SSL Test and Symantec CryptoReport.
     - Find weak crypto primitives: AES/ECB, MD5, DES, RSA/PKCS1.5.
     - Find something fun.
  5. HTTPS API endpoints (grade from the SSL assessment in parentheses)

     https://card.vietinbank.vn/mpos/payment (F)
     https://3dsecure.sacombank.com.vn/mpos-pp (C)
     https://www.mpos.vn (C)
     https://vcbmobilebankingp2.smartlink.com.vn (C)
     https://mobile.vietcapitalbank.com.vn (A)
     https://mpos.tpb.vn (A-)
     https://mobile.cyberpay.vn/ (C)
     https://ipay.vn (F)
     https://ebanking.vietinbank.vn/ (F)
     https://www.baokim.vn (A)
     https://id.vatgia.com (A)
     https://pay.vtc.vn/ (F)
     https://m.eximbank.com.vn (F)
     https://mobileapp.msb.com.vn/ (C)
     https://www.msacombank.com.vn/MBAWeb/FMB (A-)
     https://ebank.msb.com.vn/ (A-)
     https://ebanking.hdbank.vn (F)
     https://card.sacombank.com.vn (C)
     https://3dsecure.sacombank.com.vn/MP8092 (C)
     https://agribank.vnpay.vn (F)
  6. AES/ECB

     import java.security.Key;
     import javax.crypto.Cipher;

     public static String doAESEncrypt(String paramString1, String paramString2) throws Exception {
         Key localKey = generateKey(paramString2);         // key derived from the second string; helper not shown on the slide
         Cipher localCipher = Cipher.getInstance("AES");    // no mode or padding named, so the provider default applies
         localCipher.init(Cipher.ENCRYPT_MODE, localKey);   // the decompiled code passes the literal 1, which is ENCRYPT_MODE
         // Base64.encodeBytes is the app's bundled helper, not java.util.Base64 (which has no such method)
         return new String(Base64.encodeBytes(localCipher.doFinal(paramString1.getBytes())));
     }

     Notes:
     - The Java security documentation doesn't mention this behaviour.
     - The default in Oracle Java 6/Java 7 is AES/ECB/PKCS5Padding.
  7. CBC encryption mode

     The IV is used to make the ciphertext differ each time for a given plaintext.
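     To show the point of slides 6 and 7 in running code, here is an added example that is not from the talk: a constructed plaintext of one 16-byte block repeated three times is encrypted with the bare "AES" transformation (which the slide notes resolves to ECB on Oracle Java 6/7) and with AES/CBC under a fresh random IV. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class EcbVsCbcDemo {
    // Constructed plaintext: one 16-byte block repeated three times, so block reuse is visible.
    static final byte[] PLAINTEXT =
        "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);

    // The pattern from slide 6: no mode or padding named, so the provider default (ECB) applies.
    static byte[] encryptEcbDefault(SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(PLAINTEXT);
    }
    // Explicit mode and padding, a fresh random IV per message, IV prepended to the ciphertext.
    static byte[] encryptCbcRandomIv(SecretKey key) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(PLAINTEXT);
        byte[] out = Arrays.copyOf(iv, iv.length + body.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }
    // Reports whether any two 16-byte ciphertext blocks are identical, the tell-tale leak of ECB.
    static boolean hasRepeatedBlock(byte[] ct) {
        for (int i = 0; i + 16 <= ct.length; i += 16)
            for (int j = i + 16; j + 16 <= ct.length; j += 16)
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + 16), Arrays.copyOfRange(ct, j, j + 16)))
                    return true;
        return false;
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // ECB: equal plaintext blocks give equal ciphertext blocks, and re-encrypting gives the same bytes.
        System.out.println("ECB leaks repeated blocks: " + hasRepeatedBlock(encryptEcbDefault(key)));
        System.out.println("ECB same output twice: " + Arrays.equals(encryptEcbDefault(key), encryptEcbDefault(key)));
        // CBC with a random IV: no repeated blocks, and a different ciphertext on every encryption.
        System.out.println("CBC leaks repeated blocks: " + hasRepeatedBlock(encryptCbcRandomIv(key)));
        System.out.println("CBC same output twice: " + Arrays.equals(encryptCbcRandomIv(key), encryptCbcRandomIv(key)));
    }
}
```

     CBC gives confidentiality only; the receiver still needs an integrity check (an HMAC over IV and ciphertext, or an AEAD mode), which these slides do not cover.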
  8. SSL connection in 1 min

     Do you know you have a safe connection when you are using mobile apps?
  9. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

     https://cs.utexas.edu/~shmat/shmat_ccs12.pdf
  10. Flag: ALLOW_ALL_HOSTNAME_VERIFIER is turned ON. And...

     "Use of AllowAllHostnameVerifier() or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER essentially turns off hostname verification when using SSL connections. This is equivalent to trusting all certificates." [6]
  11. Common Crypto Flaws

     - Using weak ciphers (MD5, DES)
     - Fixed key, fixed IV
     - HTTPS is not used correctly
     - No certificate validation
     - Designing your own crypto schemes