
Mobile Appsec from an attacker's perspective

Abhisek Datta
September 11, 2017


The talk is intended to set the context for a wider discussion on Mobile App Security with some background on web application security. This talk will briefly introduce the participants to the various tools and techniques available in the arsenal of a potential attacker with the objective of spreading security awareness.


Transcript

  1. About Appsecco
     • Pragmatic, holistic, business-focused approach
     • Specialist Application Security company
     • Highly experienced and diverse team
     • Commercial; Security; Gold Standards
     • Def Con speakers, assigned multiple CVEs, Certified Hackers, OWASP chapter leads
  2. Appsecco Application Security Clinic? WHY
     To set the stage for Q&A and Open Discussion among people seeking clear pragmatic answers for security problems.
  3. Appsecco Application Security Clinic? WHAT
     • Primer Talk to set the context
     • Curated Q&A
     • Open Discussion (BoF)
  4. Think Trust - Linux Security
     THEN:
     • File system permissions
     • Chroot / Jails
     • Privilege Separation
     NOW:
     • File system permissions
     • Chroot / Jails
     • Privilege Separation
     • ASLR / KASLR
     • NX
     • Hardened Toolchain
     • Etc.
  5. Evolution of Trust – Linux to Android Sandbox
     Android Security Model:
     • Linux File System Permission
     • Linux Process Separation
     • Each app gets its own sandbox
     Defense in Depth:
     • Full Disk Encryption
     • ASLR / NX
     • Secure Boot
  6. Trust Model in iOS
     iOS Security Model:
     • App sandbox
     • App code signing
     Defense in Depth:
     • Full Disk Encryption
     • ASLR / NX
     • Secure Boot
  7. Can you Trust the platform? Android WebView addJavascriptInterface Remote Code Execution Exploit
     • Potentially exploitable WebView
  8. Can you Trust the platform? Android WebView addJavascriptInterface Remote Code Execution Exploit
     • Malicious JavaScript to execute arbitrary local command on phone
  9. Can you Trust the platform? Android WebView addJavascriptInterface Remote Code Execution Exploit
     • The issue is fixed in Android API level 17+ (Android 4.2)
  10. Variation in Establishing Trust
      Facebook password reset code vulnerability:
      • Mitigated through rate limiting on www.facebook.com
      • Vulnerable in mbasic.beta.facebook.com
      • 6 digit reset code
      http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
  11. Variation in Establishing Trust
      So What? An attacker could reset the password of any Facebook account identified by email address or mobile number by brute-forcing the 6 digit recovery code.
      http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
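The point of slides 10 and 11 in code, as an added example that is not part of the deck or of Facebook's implementation: a reset-code verifier whose guess budget is keyed on the account alone, so the limit enforced at one front-end also holds at every other one. The ResetCodeService class, the use of the two hostnames as limiter keys and the budget of 5 wrong guesses are assumptions for illustration.

```python
import hmac
import secrets
CODE_DIGITS = 6
MAX_ATTEMPTS = 5  # wrong guesses tolerated before a code is invalidated


class ResetCodeService:
    """Issues 6-digit reset codes and checks guesses from any front-end host.
    per_host_limit=True models the weak design (counter keyed on host and
    account, so each extra host is a fresh budget); default: account only."""

    def __init__(self, per_host_limit: bool = False) -> None:
        self.per_host_limit = per_host_limit
        self._codes: dict[str, str] = {}       # account -> active code
        self._attempts: dict[tuple, int] = {}  # limiter key -> wrong guesses

    def _key(self, host: str, account: str) -> tuple:
        return (host, account) if self.per_host_limit else (account,)

    def issue(self, account: str) -> str:
        for key in [k for k in self._attempts if k[-1] == account]:
            del self._attempts[key]  # a new code starts with a fresh budget
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = code
        return code

    def verify(self, host: str, account: str, guess: str) -> bool:
        code = self._codes.get(account)
        key = self._key(host, account)
        if code is None or self._attempts.get(key, 0) >= MAX_ATTEMPTS:
            return False  # no active code, or this key's budget is spent
        if hmac.compare_digest(code, guess):
            del self._codes[account]  # single use
            return True
        self._attempts[key] = self._attempts.get(key, 0) + 1
        if not self.per_host_limit and self._attempts[key] >= MAX_ATTEMPTS:
            del self._codes[account]  # burn the code for every host at once
        return False


def demo(per_host_limit: bool) -> bool:
    """Burn the www budget on wrong guesses, then try the real code via mbasic."""
    svc = ResetCodeService(per_host_limit)
    account = "user@example.com"  # constructed sample account
    code = svc.issue(account)
    for i in range(MAX_ATTEMPTS):  # MAX_ATTEMPTS guaranteed-wrong codes
        wrong = f"{(int(code) + 1 + i) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
        assert svc.verify("www.facebook.com", account, wrong) is False
    return svc.verify("mbasic.beta.facebook.com", account, code)
```

demo(True) returns True: the per-host design lets the correct code through mbasic after www's budget is spent, which is the gap the slide describes; demo(False) returns False because the shared budget burns the code for every host.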
  12. What does an attacker do?
      • Weak passwords?
      • Weak validations?
      • Open systems / endpoints?
      • Public exploits
      • 0days !!
  13. API to Guess What?
      The TRUST or assumption that no one will look inside a compiled app (apk) was violated here.
      Pro Tip: Security by obscurity DOESN’T WORK
  14. .. Sometimes not so easy
      BROADPWN: Remotely Compromising Android & iOS devices through a bug in Broadcom’s WiFi chipset
      https://blog.exodusintel.com/2017/07/26/broadpwn/
  15. Mobile App Attackers Arsenal
      An interception proxy such as Burp or OWASP ZAP gives tremendous insight – the ability to see what's up and what's out there ..
  16. Mobile App Attackers Arsenal
      Looking inside the app – say hello to Static Analysis
      • Hardcoded credentials
      • (Open?) API URLs
      • Request & response data model
      • Decompiled source code (?!?!?!?)
  17. Android App Static Analysis
      Android APK to AndroidManifest XML and SMALI code:
        $ apktool d sample.apk
      Android APK to Java source code:
        $ unzip sample.apk
        $ d2j-dex2jar.sh classes.dex
        $ open -a "JD-GUI" classes-dex2jar.jar
  18. Mobile Backend as a Service (MBaaS)
      • AuthN & AuthZ
      • Push Notification
      • Business Logic
      • …
      • API
      • User Management
  19. Attack Surfaces?
      • AuthN & AuthZ
      • Push Notification
      • Business Logic
      • …
      • API
      • User Management
      Is the channel secure?
  20. What Next – Target the App
      • Hardcoded credentials
      • Insecure local storage
      • Insecure interfaces (Intent Handlers, Broadcast Receivers etc.)
      • Etc.
  21. What Next – Target the Backend Services & Infra
      • Web vulnerabilities
      • Insecure API endpoints
      • Known vulnerable components
      • Security misconfiguration
      • Etc.
  22. How to Secure?
      Every component that takes an input directly or indirectly can have a potential attack surface. Security is implemented by reducing attack surface by enforcing trust or applying mitigations.
  23. Building Secure Stuff – Where to start?
      • The OWASP Project
        • OWASP ASVS
        • OWASP Top 10
        • OWASP Mobile Top 10
        • OWASP Testers Guide
      • Think like a potential attacker
        • Attack surface?
        • What are the assumptions in the system?