Latest trends in Mobile Security by Francois Proulx

OWASP Montreal - January 28th - Latest trends in Mobile Security

MAIN PRESENTER: Francois Proulx

ABSTRACT: Last AppSecUSA 2013 had a great line-up of talks, especially regarding mobile applications. This session will cover all the hottest presentations about mobile security by giving an overview of what we saw at AppSecUSA, with slides and snippets of the presentations that were recorded at the event. Discussion will be encouraged within the audience, as this will be more of a dynamic event than a regular talk.

BIO: François Proulx is a senior mobile application developer who has worked on dozens of iOS applications since the very beginning of the Apple iOS platform. Over the past few years he has switched his focus to security. He spends a lot of his free time participating in Capture the Flag events (CTFs) and organizing the NorthSec security competition.

WHEN: January 28th 2014

CONTENT: YouTube playlist http://www.youtube.com/playlist?list=PLQtB2ug5xmvaQ9jeRWV53-F_T555GQfhW


OWASP Montréal

January 28, 2014

Transcript

  1. Latest Trends in Mobile Security
     OWASP Montreal
     Presented by François Proulx, francois.proulx@gmail.com
     January 28th 2014
  2. Your humble presenter
     • François Proulx
       ◦ Security Engineer at
       ◦ VP Logistics for
       ◦ Proud member of the obnoxious
       ◦ Graduated from ÉTS in 2008
       ◦ Worked in Paris for about 3 years
         ▪ Developed dozens of iOS applications for major European brands (SNCF, FNAC, etc.)
       ◦ Switched gears towards security more recently
  3. Latest Trends in Mobile Security
     • Not as structured as other OWASP talks
     • An excuse to talk about Mobile Security
       ◦ AppSec USA 2013 - November 2013
         ▪ Dozens and dozens of great talks
         ▪ About 10 talks related to mobile apps / web
     • Opportunity for OWASP to reach out to other great Montreal communities
       ◦ Android Montreal
       ◦ Cocoaheads Montreal (iOS)
  4. Mobile App / Web Security Primer
     • Mobile Web is no different than Web from the standpoint of security
     • Native mobile apps bring other challenges
       ◦ Many things in common with desktop security, but:
         ▪ More network oriented (social, etc.)
         ▪ A lot of REST API integration
         ▪ More geo-aware
         ▪ Fast turnaround / changing APIs / crazy competition
     • Often less attention to security
  5. Your experience with mobile apps
     • Quick survey
       ◦ Android / iOS / Windows Mobile / BB10?
     • Your experience with security in general?
  6. AppSec USA 2013
     You can find the talks on YouTube: https://www.youtube.com/playlist?list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU
  7. All the network is a stage, and the APKs merely players
     Daniel Peck, https://www.youtube.com/watch?v=yh4-F90XONI
     • “Do the dumb thing first”
       ◦ Using standard tools will often give you great results
     • ProxyDroid
       ◦ Set up a proxy on the device
       ◦ Set up a root CA TLS certificate for MiTM
     • Tools: Apktool, JD-GUI, SMALI
     • Demo of reversing a social networking app using OAuth
       ◦ Extracting a hardcoded private key 101
         ▪ https://www.youtube.com/watch?v=yh4-F90XONI&t=20m14s
       ◦ Quick and dirty SMALI hacking
         ▪ https://www.youtube.com/watch?v=yh4-F90XONI&t=22m46s
       ◦ Playing with a reassembled JAR
         ▪ https://www.youtube.com/watch?v=yh4-F90XONI&t=27m15s
  8. BASHing iOS Applications
     Jason Haddix, Dawn Isabel, https://www.youtube.com/watch?v=Ef_YeULnw1k
     • OWASP cheat sheet - tools
       ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=2m40s
     • OWASP Mobile Top 10 risks
       ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=3m38s
     • Ghetto source code scanning regexps
       ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=11m27s
     • Static binary analysis / forensics
       ◦ https://www.youtube.com/watch?v=Ef_YeULnw1k&t=13m21s
     • Tools
       ◦ dumpdecrypted, otool, strings, CookieReader, Keychain-Dumper, libimobiledevice, data protection class check, etc.
  9. PiOSoned POS - A Case Study in iOS based Mobile POS gone wrong
     Mike Park, https://www.youtube.com/watch?v=CAtc7Z1VD2I
     • How not to do a POS based on iOS / horror story
     • Weak authentication
       ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=12m01s
     • Bad transaction handling
       ◦ TLS, but bad certificate check = MiTM for fun and profit $$$!
       ◦ Blindly trusts the client to provide the item price!
       ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=15m48s
     • Bad CC handling
       ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=18m20s
     • Swapping to a rogue POS
       ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=21m16s
     • Screen capture info leak
       ◦ https://www.youtube.com/watch?v=CAtc7Z1VD2I&t=26m11s
     • Tools
       ◦ iExplorer, sqlite3, Jailbreak, class-dump-z, MobileSubstrate, etc.
  10. Hacking Web Server Apps for iOS
      Bruno Oliveira, https://www.youtube.com/watch?v=1oCRagEk31A
      • Looking at various file sharing apps
      • Sharing using a local HTTP daemon
        ◦ No TLS
        ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=4m51s
      • XSS in the title of shared files
        ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=9m14s
      • Path traversal
        ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=15m06s
      • mDNS / Bonjour
        ◦ https://www.youtube.com/watch?v=1oCRagEk31A&t=24m42s
  11. Mobile app analysis with Santoku Linux
      Andrew Hoog, https://www.youtube.com/watch?v=cmVRCWbo0jU
      • Santoku == the Backtrack / Kali of mobile pentests
      • Forensics 101
        ◦ logical / file system / physical
        ◦ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=9m37s
      • Android logical forensics extraction
        ◦ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=15m36s
      • 2013 app testing results
        ◦ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=29m29s
      • Examples
        ◦ Worst mobile app they’ve looked at! Ouch
          ▪ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=32m58s
        ◦ Fake antivirus / malware (NQ Mobile)
          ▪ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=42m05s
        ◦ Korean banking malware
          ▪ https://www.youtube.com/watch?v=cmVRCWbo0jU&t=45m50s
  12. Contain Yourself: Building Secure Containers for Mobile Devices
      Ron Gutierrez, https://www.youtube.com/watch?v=siVS2jmPABM
      • Looking at BYOD
      • “Secure containers”
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=3m05s
      • “Application wrappers”
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=7m07s
      • Principles to live by
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=17m33s
      • Authentication online / offline design
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=26m10s
      • Example of brute force
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=29m19s
      • Subtle OS level caches
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=31m03s
      • Default cookie storage is plaintext
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=33m35s
      • Jailbreak detection / cat and mouse game…
        ◦ https://www.youtube.com/watch?v=siVS2jmPABM&t=38m05s
  13. iOS Application Defense - iMAS
      Gregg Ganley, https://www.youtube.com/watch?v=TRDT8O2G56o
      • Presenting the iMAS Secure Container framework
        ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=6m43s
      • Security controls
        ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=12m33s
      • Forced inline code for Objective-C
        ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=17m12s
      • MDM analysis
        ◦ https://www.youtube.com/watch?v=TRDT8O2G56o&t=24m19s
  14. Advanced Mobile Application Code Review Techniques
      Sreenarayan A., http://www.slideshare.net/dleyanlin/owasp-advanced-mobileapplicationcodereviewtechniquesv02
      • Looks at source code review
      • Not such a great talk, quite basic, does not go into details
  15. Bonus round
      Other stuff worth mentioning

  16. Introducing idb - Simplified Blackbox iOS App Pentesting
      Daniel A. Mayer, https://speakerdeck.com/dmayer/introducing-idb-simplified-blackbox-ios-app-pentesting
      • From ShmooCon 2014 (just a week ago)
      • idb is a tool to automate common tasks when doing iOS blackbox pentests
  17. One last shameless plug
      • Hakin9 - December 2013
        ◦ Intro to iOS blackbox pentesting
        ◦ Pages 43-49
        ◦ https://www.dropbox.com/s/zhn3ovhfu8mw9b5/Hakin9_OPEN_05_2013.pdf
  18. Thank you. Questions?