Mobile Appsec from an attacker's perspective

Transcript

1. Mobile App Security From an Attackers Perspective Application Security Clinic

   Abhisek Datta | @abh1sek

2. § Pragmatic, holistic, business-focused approach § Specialist Application Security company

   § Highly experienced and diverse team § Commercial § Security; Gold Standards About Appsecco Def Con speakers Assigned multiple CVEs Certified Hackers OWASP chapter leads

3. Appsecco Application Security Clinic? WHY To set the stage for

   Q&A and Open Discussion among people seeking clear pragmatic answers for security problems.

4. Appsecco Application Security Clinic? WHAT Ø Primer Talk to set

   the context Ø Curated Q&A Ø Open Discussion (BoF)

5. Appsecco Application Security Clinic? Space & Time for Security Discussion

6. How to Secure Stuff ?

7. TRUST

8. Think Trust - Linux Security THEN NOW • File system

   permissions • Chroot / Jails • Privilege Separation • File system permissions • Chroot / Jails • Privilege Separation • ASLR / KASLR • NX • Hardened Toolchain • Etc.

9. Evolution of Trust – Linux to Android Sandbox • Android

   Security Model • Linux File System Permission • Linux Process Separation • Each app gets its own sandbox • Defense in Depth • Full Disk Encryption • ASLR / NX • Secure Boot

10. Trust Model in iOS • iOS Security Model • App

    sandbox • App code signing • Defense in Depth • Full Disk Encryption • ASLR / NX • Secure Boot

11. Can you trust the platform?

12. Can you Trust the platform? Potentially exploitable WebView Android WebView

    addJavascriptInterface Remote Code Execution Exploit

13. Can you Trust the platform? Malicious Javascript to execute arbitrary

    local command on phone Android WebView addJavascriptInterface Remote Code Execution Exploit

14. The issue is fixed in Android API level 17+ (Android

    4.2) Can you Trust the platform? Android WebView addJavascriptInterface Remote Code Execution Exploit

15. Variation in Establishing Trust Facebook password reset code vulnerability: •

    Mitigated through rate limiting on www.facebook.com • Vulnerable in mbasic.beta.facebook.com • 6 digit reset code http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

16. Variation in Establishing Trust http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html So What? An attacker could

    reset password of any Facebook account identified by email address or mobile number by brute-forcing 6 digit recovery code.

17. What does an attacker do? Try to find ways to

    break the TRUST

18. What does an attacker do? Weak passwords? Weak validations? Open

    systems / endpoints? Public exploits 0days !!

19. API to Guess What? So What? Public re-use of restricted

    capability.

20. API to Guess What? The TRUST or assumption that no

    one will look inside a compiled app (apk) was violated here. Pro Tip: Security by obscurity DOESN’T WORK

21. .. Sometimes not so easy BROADPWN Remotely Compromising Android &

    iOS devices through a bug in Broadcom’s WiFi chipset https://blog.exodusintel.com/2017/07/26/broadpwn/

22. Mobile App Attackers Arsenal

23. Mobile App Attackers Arsenal The Proxy .. and few other

    tools really

24. Attacker Setup – The Proxy

25. Mobile App Attackers Arsenal An interception proxy such as Burp

    or OWASP ZAP gives tremendous insight – The ability to see whats up and whats out there ..

26. Mobile App Attackers Arsenal Looking inside the app – say

    hello to Static Analysis • Hardcoded credentials • (Open?) API URLs • Request & response data model • Decompiled source code (?!?!?!?)

27. Android App Static Analysis $ apktool d sample.apk AndroidManifest XML

    SMALICode $ unzip sample.apk $ d2j-dex2jar.sh classes.dex $ open -a "JD-GUI" classes-dex2jar.jar AndroidApk toJava Source Code
28. None

29. Mobile Backend as a Service (MBaaS) AuthN & AuthZ Push

    Notification Business Logic … API User Management

30. Attack Surfaces ? AuthN & AuthZ Push Notification Business Logic

    … API User Management Is the channel secure?

31. What Next – Target the App • Hardcoded credentials •

    Insecure local storage • Insecure interfaces (Intent Handles, Broadcast Receivers etc.) • Etc.

32. What Next – Target the Backend Services & Infra •

    Web vulnerabilities • Insecure API endpoints • Known vulnerable components • Security misconfiguration • Etc.

33. Every component that takes an input directly or indirectly can

    have a potential attack surface. Security is implemented by reducing attack surface by enforcing trust or applying mitigations. How to Secure ?

34. Building Secure Stuff – Where to start? • The OWASP

    Project • OWASP ASVS • OWASP Top 10 • OWASP Mobile Top 10 • OWASP Testers Guide • Think like a potential attacker • Attack surface? • What are the assumptions in the system?

35. Thank You .. Let the discussions begin! @abh1sek abhisek @appseccouk

36. Appsecco Application Security Clinic Q&A