Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Latest trends in Mobile Security by Francois Pr...

OWASP Montréal
January 28, 2014
Programming
0
140

Latest trends in Mobile Security by Francois Proulx

OWASP Montreal - January 28th - Latest trends in Mobile Security

MAIN PRESENTER: Francois Proulx

ABSTRACT: Last AppSecUSA 2013 had a great line up of talks, especially regarding mobile applications. This session will be covering all the hottest presentations about mobile security by doing an overview from what see saw at AppSecUSA, all with some slides and snippets of presentations that was recorded at the event. Discussion will be encouraged within the audience as this will be more a dynamic event than a regular talk.

BIO: François Proulx is a senior mobile application developer who has worked on dozens of iOS applications since the very beginning of the Apple iOS platform. Over the past few years he has switched his focus to security. He spends a lot of his free time participating in Capture the Flag events (CTFs) and organizing the NorthSec security competition.

WHEN: January 28th 2014

CONTENT: YouTube playlist http://www.youtube.com/playlist?list=PLQtB2ug5xmvaQ9jeRWV53-F_T555GQfhW

OWASP Montréal

January 28, 2014
Tweet

More Decks by OWASP Montréal

See All by OWASP Montréal
OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf
owaspmontreal
0
150
Endpoint Bypass Charles Hamilton
owaspmontreal
0
140
Hybrid approach to security testing
owaspmontreal
0
220
Threat Modeling Toolkit
owaspmontreal
0
1.1k
NorthSec - Applied Security Event
owaspmontreal
0
210
Sécurité des applications : Les fondements
owaspmontreal
0
120
WORKSHOP ! Server Side Template Injection (SSTI)
owaspmontreal
1
1k
Ransomware and healthcare - Hacking Health
owaspmontreal
0
160
OWASP Montréal reçoit Mario Contestabile
owaspmontreal
0
270

Other Decks in Programming

See All in Programming
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
Arm移行タイムアタック
qnighy
0
330
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
Contemporary Test Cases
maaretp
0
140
Remix on Hono on Cloudflare Workers
yusukebe
1
290
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
Better Code Design in PHP
afilina
PRO
0
130
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
初めてDefinitelyTypedにPRを出した話
syumai
0
410
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
230
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
73
9.1k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
4 Signs Your Business is Dying
shpigford
180
21k
Why Our Code Smells
bkeepers
PRO
334
57k
Designing for humans not robots
tammielis
250
25k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k

Transcript

  1. Latest Trends in Mobile Security OWASP Montreal Presented by François

    Proulx [email protected] January 28th 2014

  2. • François Proulx ◦ Security Engineer at ◦ VP Logistics

    for ◦ Proud member of the obnoxious ◦ Graduated from ÉTS in 2008 ◦ Worked in Paris for about 3 years ▪ Developed dozens of iOS applications for major european brands (SNCF, FNAC, etc.) ◦ Switched gears towards security more recently Your humble presenter

  3. Latest Trends in Mobile Security • Not as structured as

    other OWASP talks • An excuse to talk about Mobile Security ◦ AppSec USA 2013 - November 2013 ▪ Dozens and dozens of great talks ▪ About 10 talks related to Mobile apps / Web • Opportunity for OWASP to reach out to other great Montreal communities ◦ Android Montreal ◦ Cocoaheads Montreal (iOS)

  4. Mobile App / Web Security Primer • Mobile Web is

    no different than Web from the standpoint of security • Native mobile apps bring other challenges ◦ Many things in common with desktop security, but: ▪ More network oriented (social, etc.) ▪ A lot of REST API integration ▪ More geo-aware ▪ Fast turnaround / changing APIs / crazy competition • Often less attention to security

  5. Your experience with mobile apps • Quick survey ◦ Android

    / iOS / Windows Mobile / BB10 ? • Your experience with security in general?

  6. AppSec USA 2013 You can find the talks on YouTube

    https://www.youtube.com/playlist?list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU

  7. All the network is a stage, and the APKs merely

    players Daniel Peck https://www.youtube.com/watch?v=yh4-F90XONI • “Do the dumb thing first” ◦ Use standard tools will often give you great results • ProxyDroid ◦ Setup proxy on the device ◦ Setup Root CA TLS certificate for MiTM • Tools: Apktool, JD-GUI, SMALI • Demo of reversing a social networking app using OAUTH ◦ Extracting hardcoded private key 101 ▪ https://www.youtube.com/watch?v=yh4-F90XONI&t=20m14s ◦ Quick and dirty SMALI hacking ▪ https://www.youtube.com/watch?v=yh4-F90XONI&t=22m46s ◦ Playing with a reassembled JAR ▪ https://www.youtube.com/watch?v=yh4-F90XONI&t=27m15s

  8. BASHing iOS Applications Jason Haddix, Dawn Isabel https://www.youtube.com/watch?v=Ef_YeULnw1k • OWASP

    cheat sheet - tools ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=2m40s • OWASP Mobile Top 10 risks ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=3m38s • Ghetto source code scanning regexps ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=11m27s • Static binary analysis / forensics ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=13m21s • Tools ◦ dumpdecrypted, otool, strings, CookieReader, Keychain-Dumper, libimobiledevice, data protection class check, etc...

  9. PiOSoned POS - A Case Study in iOS based Mobile

    POS gone wrong Mike Park https://www.youtube.com/watch?v=CAtc7Z1VD2I • How not to do a POS based on iOS / Horror story • Weak authentication ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=12m01s • Bad transaction handling ◦ TLS, but bad certificate check = MiTM for fun and profit $$$! ◦ Blindly trusts client to provide item price! ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=15m48s • Bad CC handling ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=18m20s • Swapping to rogue POS ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=21m16s • Screen capture info leak ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=26m11s • Tools ◦ iExplorer, sqlite3, Jailbreak, class-dump-z, MobileSubstrate, etc.

  10. Hacking Web Server Apps for iOS Bruno Oliveira https://www.youtube.com/watch?v=1oCRagEk31A •

    Looking at various file Sharing apps • Sharing using local HTTP daemon ◦ No TLS ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=4m51s • XSS in the title of shared files ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=9m14s • Path traversal ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=15m06s • mDNS / Bonjour ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=24m42s

  11. Mobile app analysis with Santoku Linux Andrew Hoog https://www.youtube.com/watch?v=cmVRCWbo0jU •

    Santoku == Backtrack / Kali of mobile pentests • Forensics 101 ◦ logical / file system / physical ◦ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=9m37s • Android Logical forensics extraction ◦ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=15m36s • 2013 app testing results ◦ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=29m29s • Examples ◦ Worst mobile app they’ve looked at! Outch ▪ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=32m58s ◦ Fake Antivirus / malware (NQ Mobile) ▪ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=42m05s ◦ Korean Banking malware ▪ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=45m50s

  12. Contain Yourself: Building Secure Containers for Mobile Devices Ron Gutierrez

    https://www.youtube.com/watch?v=siVS2jmPABM • Looking at BYOD • “Secure containers” ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=3m05s • “Application wrappers” ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=7m07s • Principles to live by ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=17m33s • Authentication online / offline design ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=26m10s • Example of brute force ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=29m19s • Subtle OS level caches ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=31m03s • Default cookie storage is plaintext ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=33m35s • Jailbreak detection / cat and mouse game… ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=38m05s

  13. iOS Application Defense - iMAS Gregg Ganley https://www.youtube.com/watch?v=TRDT8O2G56o • Presenting

    iMAS Secure Container framework ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=6m43s • Security controls ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=12m33s • Forced inline code for Objective C ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=17m12s • MDM analysis ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=24m19s

  14. Advanced Mobile Application Code Review Techniques Sreenarayan A. http://www.slideshare.net/dleyanlin/owasp-advanced- mobileapplicationcodereviewtechniquesv02

    • Looks at source code review • Not such a great talk, quite basic, does not go into details

  15. Bonus round Other stuff worth mentioning

  16. Introducing idb - Simplified Blackbox iOS App Pentesting Daniel A.

    Mayer https://speakerdeck.com/dmayer/introducing-idb-simplified-blackbox-ios-app- pentesting • From Schmoocon 2014 (just a week ago) • idb is a tool to automate common tasks when doing iOS blackbox pentests

  17. One last shameless plug • Hakin9 - December 2013 ◦

    Intro to iOS blackbox pentesting ◦ Page 43 - 49 ◦ https://www.dropbox.com/s/zhn3ovhfu8mw9b5/Hakin9_OPEN_05_2013.pdf

  18. Thank you Questions?