Mobile Application Pentest [Fast-Track]
• Just a mobile phone
▪ Phone calls
▪ Sending text messages or MMS
▪ Alarm clock
▪ Calculator
▪ Listening to music
▪ EDGE for surfing the internet !!
▪ 3G, 4G and Wi-Fi support on the mobile network
• Became more intelligent – Smartphone
▪ Sending email
▪ Surfing the internet
▪ Checking in for flights
▪ Online banking transactions
▪ Social networks (Facebook, Twitter, Instagram, etc.)
• Companies started creating mobile applications to offer services to clients
• Storing and synchronizing data files in the cloud
• Participating in social network sites
• The data stored, processed and transferred can often be considered sensitive.
Mobile App Attack Surface
• Client software on the mobile device
• Communications channel
• Server-side infrastructure
[Diagram: the Mobile Phone running the Client Software, the Communication Channel over the Internet, and the Application Server as the Server-Side Infrastructure]
Client Software
• Packages are typically downloaded from the App Store or Google Play, or provided via the company website
• Testing requires a rooted or jailbroken device for access to all files and folders on the local file system
• Packages can be decompiled, tampered with or reverse engineered
• Attention points
▪ Files on the local file system
▪ Application authentication & authorization
▪ Error handling & session management
▪ Business logic
▪ Decompiling and analyzing
Communication Channel
• Channel between the client and the server (HTTPS, EDGE, 3G)
• Testing with an HTTP proxy (Burp, ZAP) to intercept and manipulate traffic
• If the application does not use HTTP, a transparent TCP/UDP proxy such as Mallory can be used
• Attention points
▪ Sniffing of sensitive information
▪ Replay attack vulnerabilities
▪ Secure transfer of sensitive information
Server-Side Infrastructure
• The attack vectors for the web servers behind a mobile application are similar to those used against regular websites
• Perform host and service scans on the target system to identify running services
• Attention points
▪ OWASP Top 10 vulnerabilities (SQLi, XSS, …)
▪ Running services and their versions
▪ Infrastructure vulnerability scanning
Pentest iOS Application
• Insecure Storage
• Why applications need to store data
▪ Ease of use for the user
▪ Popularity
▪ Activity with a single click
▪ Decreased transaction time
▪ 9 out of 10 applications have this vulnerability
• How an attacker can gain access
▪ Wi-Fi
▪ Default password after jailbreaking (alpine)
▪ Physical theft
▪ Temporary access to the device
▪ Backup file
• Insecure Storage
• Local data storage
▪ Plist and XML files
▪ NSUserDefaults
▪ Class providing a programmatic interface for interacting with the defaults system
▪ Keeps its information in a plist file
▪ SQLite data files
▪ Core Data services
▪ Object model over a relational database
▪ Managed in SQLite
▪ Tables prefixed "Z"
▪ Keychain
• Enumerate sensitive information from local files
• WordPress iOS app (.plist) stores username & password
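The enumeration this slide describes, as an added Python example that is not part of the deck: the script loads a constructed NSUserDefaults-style plist with the standard-library plistlib module and flags keys whose names suggest a credential or token, then builds a constructed Core Data-style SQLite store (entity tables named Z<ENTITY>, as on the slide) and lists its Z-prefixed tables together with the columns that look sensitive. The key names, sample values and the `SENSITIVE_KEY` pattern are assumptions chosen for illustration; on a real device the plist would come from the app's Library/Preferences directory and the store from its Documents directory.

```python
import plistlib
import re
import sqlite3

# Key/column names that commonly carry credentials or tokens (assumed pattern).
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|session|api[_-]?key|auth)", re.I)

# Constructed sample of what an app's NSUserDefaults plist might contain.
SAMPLE_PLIST = plistlib.dumps({
    "username": "alice",
    "password": "Summer2013!",                         # constructed value
    "blog_url": "https://example.invalid/xmlrpc.php",  # constructed value
    "auth_token": "deadbeef-cafe",                     # constructed value
    "fontSize": 14,
})


def find_sensitive_plist_keys(plist_bytes):
    """Return (key path, value) pairs whose key name matches SENSITIVE_KEY.

    Walks nested dictionaries and arrays so keys buried in sub-dictionaries
    are reported with their full path.
    """
    data = plistlib.loads(plist_bytes)
    hits = []

    def walk(node, path=""):
        if isinstance(node, dict):
            for key, value in node.items():
                full = f"{path}/{key}" if path else key
                if SENSITIVE_KEY.search(key):
                    hits.append((full, value))
                walk(value, full)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(data)
    return hits


def core_data_tables(db_path=":memory:"):
    """Build a constructed Core Data-style store and inspect it.

    Core Data names entity tables Z<ENTITY> and adds Z_PK/Z_ENT/Z_OPT columns;
    the ZACCOUNT row below is constructed. Returns (table names, {table: sensitive columns}).
    """
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                               ZUSERNAME VARCHAR, ZPASSWORD VARCHAR);
        CREATE TABLE Z_METADATA (Z_VERSION INTEGER, Z_UUID VARCHAR, Z_PLIST BLOB);
        INSERT INTO ZACCOUNT VALUES (1, 1, 1, 'alice', 'Summer2013!');
    """)
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'Z%' ORDER BY name"
    ).fetchall()
    tables = [r[0] for r in rows]

    # PRAGMA table_info yields (cid, name, type, notnull, dflt_value, pk) per column.
    sensitive_cols = {}
    for table in tables:
        cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
        flagged = [c for c in cols if SENSITIVE_KEY.search(c)]
        if flagged:
            sensitive_cols[table] = flagged
    con.close()
    return tables, sensitive_cols


if __name__ == "__main__":
    for path, value in find_sensitive_plist_keys(SAMPLE_PLIST):
        print(f"plist: {path} = {value!r}")
    tables, cols = core_data_tables()
    print("Core Data tables:", tables)
    print("sensitive columns:", cols)
```

The same two checks apply to any plist or SQLite file pulled from a jailbroken device; a finding here means the app relies on file-system protection alone rather than the Keychain the slide lists last.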
• SQL Injection in Local Database
• Most mobile platforms use SQLite as the database for storing information on the device
• Using any SQLite database browser it is possible to access the database, including logs that hold queries and other sensitive database information
• If the application does not filter input, SQL injection on the local database is possible
• a" or "a"="a
• Bad Code (the uid is pasted into the SQL text)
// Bad: the untrusted uid becomes part of the SQL string
NSString *uid = [myHTTPConnection getUID];
NSString *statement = [NSString stringWithFormat:@"SELECT username FROM users where uid = '%@'", uid];
const char *sql = [statement UTF8String];
• Good Code (prepared statement; the uid is bound as a parameter)
// Good: the statement text is fixed, the uid travels as a bound parameter
const char *sql = "SELECT username FROM users where uid = ?";
sqlite3_stmt *selectUid = NULL;
sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL);
sqlite3_bind_text(selectUid, 1, [uid UTF8String], -1, SQLITE_TRANSIENT);
int status = sqlite3_step(selectUid);
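The two snippets side by side, as an added Python example rather than the deck's own code: Python's built-in sqlite3 module runs the same query against a constructed users table, once with the uid formatted into the SQL text and once with it bound as a parameter. The table contents are constructed, and the payload is the slide's one written with the single quotes that the 'Bad Code' query uses around %@.

```python
import sqlite3


def make_db():
    """Constructed local database: a users table like the one the slide queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid TEXT, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return con


def lookup_vulnerable(con, uid):
    """Mirrors the 'Bad Code' slide: uid is spliced into the statement text,
    so quote characters in it change the meaning of the WHERE clause."""
    sql = "SELECT username FROM users WHERE uid = '%s' ORDER BY rowid" % uid
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, uid):
    """Mirrors the 'Good Code' slide: the statement is compiled once and uid is
    bound as a value, so it can only ever be compared, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE uid = ? ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (uid,))]


# The slide's payload, in the quoting style of the query above.
PAYLOAD = "a' or 'a'='a"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, normal uid:", lookup_vulnerable(con, "1002"))
    print("vulnerable, payload:   ", lookup_vulnerable(con, PAYLOAD))  # every row
    print("safe, payload:         ", lookup_safe(con, PAYLOAD))        # nothing
```

The vulnerable version turns the WHERE clause into `uid = 'a' or 'a'='a'`, which is true for every row, so a local query meant to return one user dumps the whole table; the bound version compares the literal payload string to the uid column and matches nothing.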
• Buffer Overflow
▪ When the input data is longer than the buffer size and is still accepted, it overwrites other data in memory
▪ No protection by default in C, Objective-C and C++
• Decrypt Application and find hardcoded secrets
▪ Applications from the App Store are encrypted and signed
▪ Clutch
▪ Used for iOS application decryption
▪ Can be run from the command line
▪ Runtime analysis with GDB
▪ Use Clutch
▪ View class-dump-z output
▪ Set a breakpoint
▪ Analyze objc_msgSend
▪ Find the passcode
▪ Evade checks
▪ https://vimeo.com/66617415
• Poor or no encryption during transit
▪ Traffic over HTTP
▪ Token passing
▪ Device ID over a poor channel
▪ UDID privacy concerns (can be used to track the user)
• BurpSuite Proxy
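A review of the proxy history for the transit weaknesses this slide lists, as an added Python example that is not part of the deck. It walks a constructed list of requests in the shape Burp's HTTP history would show for a mobile app and reports every plaintext request that carries a credential, token or device identifier in its query string or headers; the hostnames, header values and the `SECRET_NAME` pattern are assumptions made for the illustration. The same check serves the Android "BurpSuite Proxy" and "Identity Decloaking" slides later in the deck.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter and header names that should never travel on a plaintext channel (assumed pattern).
SECRET_NAME = re.compile(r"(token|session|auth|passw|udid|device_?id|imei)", re.I)

# Constructed proxy history: method, URL and request headers of four app requests.
SAMPLE_HISTORY = [
    {"method": "GET",
     "url": "http://api.example.invalid/login?user=alice&passwd=Summer2013!",
     "headers": {"User-Agent": "ExampleApp/1.0 CFNetwork"}},
    {"method": "POST",
     "url": "http://api.example.invalid/sync",
     "headers": {"Authorization": "Bearer deadbeef-cafe",
                 "X-UDID": "0123456789abcdef0123456789abcdef01234567"}},
    {"method": "GET",
     "url": "https://api.example.invalid/feed?page=2",
     "headers": {"Authorization": "Bearer deadbeef-cafe"}},
    {"method": "GET",
     "url": "http://cdn.example.invalid/logo.png",
     "headers": {}},
]


def review_transit(history):
    """Return (url, [exposed items]) for each plaintext request carrying a secret."""
    findings = []
    for req in history:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # TLS in place; certificate validation is a separate check
        exposed = []
        for name in parse_qs(parts.query):
            if SECRET_NAME.search(name):
                exposed.append(f"query:{name}")
        for name in req["headers"]:
            if name.lower() in ("authorization", "cookie") or SECRET_NAME.search(name):
                exposed.append(f"header:{name}")
        if exposed:
            findings.append((req["url"], exposed))
    return findings


def plaintext_hosts(history):
    """Hosts contacted over plain HTTP at all, whatever the request content."""
    return sorted({urlsplit(r["url"]).hostname
                   for r in history if urlsplit(r["url"]).scheme.lower() == "http"})


if __name__ == "__main__":
    for url, exposed in review_transit(SAMPLE_HISTORY):
        print(f"{url}\n    exposes {', '.join(exposed)}")
    print("plaintext hosts:", plaintext_hosts(SAMPLE_HISTORY))
```

The login and sync requests are reported (password in the query string, bearer token and UDID in headers over HTTP), the HTTPS feed request is skipped, and the logo download appears only in the plaintext host list, which is what distinguishes "uses HTTP somewhere" from "leaks a secret over HTTP".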
• Apps communicate with backend web services
▪ OWASP Top 10 auditing
▪ Most communication uses XML
▪ MitM and inject bad XML
▪ UIWebViews (used to embed web content in the app)
▪ Execute JavaScript (XSS)
▪ Fuzz data sent/received
• Client Software
▪ Found backend path in Localizable.strings
• Server-Side Infrastructure
▪ Access to port 8080 (Apache Tomcat)
▪ Logged in with the default Tomcat username and password
▪ Uploaded malicious JSP code to the web server (bypassing Symantec)
▪ Accessed the configuration file that contains the database credentials
▪ OWNed !! Database server
• Localizable.strings
• Logged in with default Tomcat credentials
• Upload malicious JSP code
• Backend compromised
• Database compromised
Pentest Android Application
• Local data storage flaws
• Weak encoding/encryption
• Insecure Storage
• Reverse Engineering
▪ apktool to decode resources
▪ Rename the .apk file to .zip
▪ Extract the zip file and find classes.dex
▪ dex2jar to convert .dex to .jar
▪ Open the JAR file in JD-GUI and review the source code
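The first two steps of that procedure, and the secret hunt that follows them, as an added Python example that is not part of the deck: an APK is a zip archive, so its entries (AndroidManifest.xml, classes.dex, resources.arsc) can be listed and the dex magic checked with the standard zipfile module; the decoded res/values/strings.xml that apktool produces is plain XML and can be scanned for credential-looking entries and plaintext endpoints. Both inputs are constructed here (the archive holds stub bytes, not a real app, and the strings and their values are invented), and the `CREDENTIAL_NAME` pattern is an assumption.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# <string name="..."> names that suggest a hardcoded credential (assumed pattern).
CREDENTIAL_NAME = re.compile(r"(pass|pwd|secret|key|token|ftp|smtp|mail)", re.I)


def build_sample_apk():
    """Constructed stand-in for an .apk: the right entry names with stub contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")       # binary XML stub
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)   # dex magic + padding
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


# Constructed stand-in for apktool's decoded res/values/strings.xml.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleApp</string>
    <string name="api_base">http://api.example.invalid/mobile/v1</string>
    <string name="ftp_user">appuploader</string>
    <string name="ftp_pass">Upload#2013</string>
    <string name="mail_password">Mail!2013</string>
</resources>
"""


def inspect_apk(apk_bytes):
    """Treat the APK as a zip: confirm the manifest, list dex files, check dex magic."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        magic = z.read(dex[0])[:4] if dex else b""
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_files": dex,                 # these are what dex2jar converts to .jar
        "dex_magic_ok": magic == b"dex\n",
    }


def find_hardcoded_secrets(strings_xml):
    """Return (name, value) for <string> entries with a credential-like name or a
    plaintext http:// value, from apktool-decoded strings.xml text."""
    root = ET.fromstring(strings_xml.encode("utf-8"))
    hits = []
    for s in root.iter("string"):
        name, value = s.get("name", ""), (s.text or "")
        if CREDENTIAL_NAME.search(name) or value.lower().startswith("http://"):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
    for name, value in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"strings.xml: {name} = {value!r}")
```

Strings in resources are only one place such secrets hide; the same name-based scan is worth running over the decompiled Java from JD-GUI, where the deck's FTP and mail credentials were found.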
• BurpSuite Proxy
• Insecure Logging
• Identity Decloaking
• Apps communicate with backend web services
▪ OWASP Top 10 auditing
▪ Fuzz data sent/received
• Client Software
▪ Found backend path from reverse engineering
▪ Found FTP username and password
• Communication Channel
▪ Found mail credentials
• Server-Side Infrastructure
▪ Access FTP server
▪ Access Terminal Services
▪ Logged in with FTP credentials
▪ PWNed !! Backend server
▪ Compromised internal server
• Reverse Engineering
• Logged in with FTP credentials
• 100 porn images found !!
• Burp Proxy
• Access Mail
• Backend compromised
• Authors: ZeQ3uL and diF
• http://www.exploit-db.com/papers/26620/
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Kürzlich hochgeladen (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Mobile Application Pentest [Fast-Track]

Slide 2. Just a mobile phone
• Phone calls
• Sending text messages or MMS
• Alarm clock
• Calculator
• Listening to music
• EDGE for surfing the internet

Slide 3. 3G, 4G and Wi-Fi support on the mobile network
• The phone became more intelligent: the smartphone
• Sending email
• Surfing the internet
• Checking in for flights
• Online banking transactions
• Social networks (Facebook, Twitter, Instagram, etc.)

Slide 4. Companies started creating mobile applications to offer services to clients
• Storing and synchronising data files in the cloud
• Participating in social network sites
• The data that is stored, processed and transferred can often be considered sensitive.

Slide 6. Mobile app attack surface
• Client software on the mobile device
• Communications channel
• Server-side infrastructure

Slide 7. Diagram: mobile phone (client software) -> internet (communication channel) -> application server (server-side infrastructure)

Slide 8. Client software
• Packages are typically downloaded from the App Store or Google Play, or provided via the company website
• Testing requires a rooted or jailbroken device for access to all files and folders on the local file system
• The package can be decompiled, tampered with or reverse engineered

Slide 9. Client software: attention points
• Files on the local file system
• Application authentication and authorisation
• Error handling and session management
• Business logic
• Decompiling and analysing

Slide 10. Communication channel
• Channel between the client and the server (HTTPS, EDGE, 3G)
• Test with an HTTP proxy (Burp, ZAP) to intercept and alter traffic
• If the application does not use HTTP, use a transparent TCP/UDP proxy such as Mallory

Slide 11. Communication channel: attention points
• Sniffing sensitive information
• Replay attack vulnerabilities
• Secure transfer of sensitive information

Slide 12. Server-side infrastructure
• The attack vectors for the web servers behind a mobile application are similar to those used against regular websites
• Perform host and service scans on the target system to identify running services

Slide 13. Server-side infrastructure: attention points
• OWASP Top 10 vulnerabilities (SQLi, XSS, ...)
• Running services and their versions
• Infrastructure vulnerability scanning

Slide 15. Insecure storage
• Why an application needs to store data
  ▪ Ease of use for the user
  ▪ Popularity
  ▪ Activity with a single click
  ▪ Decreased transaction time
  ▪ 9 out of 10 applications have this vulnerability
• How an attacker can gain access
  ▪ Wi-Fi
  ▪ Default root password after jailbreaking (alpine)
  ▪ Physical theft
  ▪ Temporary access to the device
  ▪ Backup files

Slide 16. Insecure storage: local data storage
• Plist and XML files
• NSUserDefaults
  ▪ Class that provides a programmatic interface for interacting with the defaults system
  ▪ Keeps the information in a plist file
• SQLite data files
• Core Data services
  ▪ Object model on top of a relational database
  ▪ SQLite-managed; tables are prefixed with "Z"
• Keychain

Slide 17. Enumerate sensitive information from local files

Slide 18. WordPress iOS app: username and password stored in a .plist file
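The enumeration step of slides 15-18 in code, as an added example that is not part of the deck: the script builds a throwaway app container (a Preferences plist of the kind NSUserDefaults writes, and a Core Data style SQLite store with Z-prefixed tables), then walks it the way a tester would after copying the container off a jailbroken device. The file names, key names, values and the list of "sensitive" key fragments are all constructed for the example.

```python
"""Scan an iOS app sandbox for credentials left in plists and SQLite databases."""
import os
import plistlib
import sqlite3
import tempfile

# Heuristic list of key fragments that usually mark a secret (assumption: the
# tester's own wordlist, not something the slides prescribe).
SENSITIVE_KEYS = ("password", "passwd", "pass", "secret", "token", "session", "pin")


def looks_sensitive(name):
    lowered = name.lower()
    return any(k in lowered for k in SENSITIVE_KEYS)


def scan_plist(path):
    """Return (path, key, value) for every top-level plist key that looks sensitive."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            if looks_sensitive(key):
                hits.append((path, key, value))
    return hits


def scan_sqlite(path):
    """Return (path, 'table.column', value) for sensitive-looking columns.
    Core Data stores show the Z prefix on tables and columns (ZACCOUNT, Z_PK, ...)."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not looks_sensitive(col):
                    continue
                for (value,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    if value not in (None, ""):
                        hits.append((path, f"{table}.{col}", value))
    finally:
        con.close()
    return hits


def scan_sandbox(root):
    """Walk the container; plists and SQLite files are the two stores the slides list."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                hits.extend(scan_plist(full))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                hits.extend(scan_sqlite(full))
    return hits


def build_fake_sandbox():
    """Constructed test data: what a careless app leaves in its container."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    # NSUserDefaults-style plist with the login stored in clear text
    with open(os.path.join(prefs, "com.example.blog.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "Summer2013!", "theme": "dark"}, f)
    # Core Data style store holding a session token
    con = sqlite3.connect(os.path.join(docs, "Model.sqlite"))
    con.execute("CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZLOGIN TEXT, ZSESSIONTOKEN TEXT)")
    con.execute("INSERT INTO ZACCOUNT VALUES (1, 'alice', 'sess-7f3a9c')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, key, value in scan_sandbox(build_fake_sandbox()):
        print(f"{key:28s} {value!r}  ({path})")
```

On a real engagement the same walk is run over the container pulled from the device (or from an unencrypted iTunes backup, which is the "backup file" access path on slide 15); the Keychain is not a file in the container and needs its own dump.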
Slide 19. SQL injection in the local database
• Most mobile platforms use SQLite as the database for storing information on the device
• With any SQLite database browser it is possible to read the database, including logs that contain queries and other sensitive information
• If the application does not filter input, SQL injection against the local database is possible

Slide 20. Injection payload: a' or 'a'='a (closes the quoted literal in the query on the next slide and appends an always-true condition)

Slide 21.
Bad code (the value is formatted straight into the SQL text):

    NSString *uid = [myHTTPConnection getUID];
    NSString *statement = [NSString stringWithFormat:@"SELECT username FROM users WHERE uid = '%@'", uid];
    const char *sql = [statement UTF8String];

Good code (parameterised statement; the value is bound, never parsed as SQL):

    const char *sql = "SELECT username FROM users WHERE uid = ?";
    sqlite3_stmt *selectUid = NULL;
    if (sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL) == SQLITE_OK) {
        // uid is an NSString here, so bind it as text (use sqlite3_bind_int for an integer uid)
        sqlite3_bind_text(selectUid, 1, [uid UTF8String], -1, SQLITE_TRANSIENT);
        int status = sqlite3_step(selectUid);   // SQLITE_ROW: read with sqlite3_column_text
        sqlite3_finalize(selectUid);
    }
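The two patterns of slide 21 side by side, as an added example that is not the deck's code: Python's sqlite3 module stands in for the Objective-C sqlite3 calls, the users and sessions tables and their rows are constructed, and the payloads are the slide 20 tautology plus a UNION variant that reads a second table through the same hole. The uid normally arrives over the network ([myHTTPConnection getUID] on the slide), so a hostile server, or anyone on the channel, chooses it.

```python
"""Local SQLite injection: the slide's vulnerable pattern next to the safe one."""
import sqlite3

# Payload from slide 20, written with straight quotes.
TAUTOLOGY = "a' or 'a'='a"
# Second payload: pull another table's column through the same query.
UNION_PAYLOAD = "x' UNION SELECT token FROM sessions--"


def open_db():
    """Constructed local database: a users table and a sessions table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid TEXT, username TEXT)")
    con.execute("CREATE TABLE sessions (uid TEXT, token TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    con.execute("INSERT INTO sessions VALUES (?, ?)", ("1001", "sess-7f3a9c"))
    return con


def lookup_vulnerable(con, uid):
    """Mirrors stringWithFormat:@"... WHERE uid = '%@'": the value becomes SQL text."""
    sql = "SELECT username FROM users WHERE uid = '%s'" % uid
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, uid):
    """Mirrors sqlite3_prepare_v2 + sqlite3_bind_*: the value is bound, never parsed."""
    rows = con.execute("SELECT username FROM users WHERE uid = ?", (uid,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a legitimate uid and with both payloads."""
    con = open_db()
    return {
        "legit_vulnerable": lookup_vulnerable(con, "1002"),
        "legit_safe": lookup_safe(con, "1002"),
        "tautology_vulnerable": lookup_vulnerable(con, TAUTOLOGY),
        "tautology_safe": lookup_safe(con, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(con, UNION_PAYLOAD),
        "union_safe": lookup_safe(con, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The tautology returns every user from the vulnerable query and nothing from the safe one; the UNION payload returns the session token from the vulnerable query, which is the "other sensitive information" slide 19 warns about, and again nothing from the safe one.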
Slide 22. Buffer overflow
• When the input is longer than the buffer and is still accepted, it overwrites adjacent data in memory
• No bounds checking by default in C, Objective-C and C++

Slide 23. Decrypt the application and find hardcoded secrets
• Applications from the App Store are encrypted (FairPlay DRM) and signed

Slide 24. Decrypt the application and find hardcoded secrets
• Clutch
  ▪ Used for iOS application decryption
  ▪ Runs from the command line on the jailbroken device

Slide 25. Decrypt the application and find hardcoded secrets
• Runtime analysis with GDB
  ▪ Decrypt with Clutch
  ▪ Review the class-dump-z output
  ▪ Set a breakpoint
  ▪ Analyse objc_msgSend calls
  ▪ Find the passcode
  ▪ Evade the checks
• Demo: https://vimeo.com/66617415

Slide 26. Poor or no encryption in transit
• Traffic over HTTP
• Token passing
• Device ID over a weak channel
• UDID privacy concerns (can be used to track the user)

Slide 28. Server side
• Apps communicate with backend web services
• OWASP Top 10 auditing
• Most communication uses XML
  ▪ MitM and inject malformed XML
• UIWebView (used to embed web content in the app)
  ▪ Executes JavaScript (XSS)
• Fuzz the data sent and received

Slide 29. Case study (iOS)
• Client software
  ▪ Found the backend path in Localizable.strings
• Server-side infrastructure
  ▪ Access to port 8080 (Apache Tomcat)
  ▪ Logged in with the default Tomcat username and password
  ▪ Uploaded malicious JSP code to the web server (bypassing Symantec)
  ▪ Accessed a configuration file containing database credentials
  ▪ Owned the database server

Slide 31. Logged in with the default Tomcat credentials

Slide 36. Local data storage flaws

Slide 38. Insecure storage: reverse engineering (Android)
• APKtool to decode the resources
• Rename the .apk file to .zip
• Extract the zip and find classes.dex
• dex2jar to convert the .dex to a .jar
• Open the JAR in JD-GUI and review the source code

Slides 39-40. Insecure storage: reverse engineering (continued)

Slide 44. Server side
• Apps communicate with backend web services
• OWASP Top 10 auditing
• Fuzz the data sent and received

Slide 45. Case study (Android)
• Client software
  ▪ Found the backend path through reverse engineering
  ▪ Found an FTP username and password
• Communication channel
  ▪ Found the mail credentials
• Server-side infrastructure
  ▪ Accessed the FTP server
  ▪ Accessed Terminal Services
  ▪ Logged in with the FTP credentials
  ▪ Pwned the backend server
  ▪ Compromised an internal server
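The first steps of slide 38 (APK is a zip, classes.dex inside) and the outcome of slide 45 (backend path and FTP credentials recovered from the app) done by hand, as an added example that is not the deck's code. apktool, dex2jar and JD-GUI do far more; this only walks the dex string pool, which is where hardcoded URLs and credentials sit as literals. The APK, the dex, its string constants and the secret-matching regex are all constructed for the example.

```python
"""Pull classes.dex out of an APK and list the string constants that look like secrets."""
import hashlib
import io
import re
import struct
import zipfile
import zlib

# Constructed string pool: type descriptors plus the literals a tester is after.
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "onCreate",
    "http://api.example.test/v1/sync",
    "ftp://backup.example.test/uploads",
    "ftp_password=Ch4ngeMe",
    "Ljava/lang/String;",
]
SECRET_RE = re.compile(r"(https?://|ftp://|passw(or)?d|api[_-]?key|secret)", re.I)


def uleb128(n):
    """Unsigned LEB128, the encoding dex uses for string lengths."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def read_uleb128(buf, off):
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def build_fake_dex(strings):
    """Minimal dex: 0x70-byte header, string_ids table, string_data items (ASCII, so MUTF-8 == UTF-8)."""
    header_size = 0x70
    string_ids_off = header_size
    data_off = string_ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = bytearray(header_size)
    body[0:8] = b"dex\n035\x00"                                   # magic + version
    struct.pack_into("<III", body, 32, data_off + len(data), header_size, 0x12345678)
    struct.pack_into("<II", body, 56, len(strings), string_ids_off)  # string_ids_size/off
    struct.pack_into("<II", body, 104, len(data), data_off)          # data_size/off
    body += struct.pack("<%dI" % len(strings), *offsets) + data
    body[12:32] = hashlib.sha1(body[32:]).digest()                 # SHA-1 over bytes 32..end
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_fake_apk(dex):
    """An APK is a zip, which is why the 'rename .apk to .zip' step on slide 38 works."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<!-- constructed placeholder -->")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def extract_dex(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read("classes.dex")


def verify_checksum(dex):
    """Adler-32 over everything after the checksum field; a tampered dex with a stale value fails."""
    return struct.unpack_from("<I", dex, 8)[0] == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)


def dex_strings(dex):
    """Walk string_ids -> string_data_item and decode each entry."""
    if dex[:4] != b"dex\n" or struct.unpack_from("<I", dex, 40)[0] != 0x12345678:
        raise ValueError("not a little-endian dex file")
    count, table_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        strings.append(dex[pos:end].decode("utf-8", errors="replace"))
    return strings


def find_secrets(strings):
    return [s for s in strings if SECRET_RE.search(s)]


if __name__ == "__main__":
    dex = extract_dex(build_fake_apk(build_fake_dex(SAMPLE_STRINGS)))
    print("checksum ok:", verify_checksum(dex))
    for s in find_secrets(dex_strings(dex)):
        print("  ", s)
```

The checksum check is what a repackaged app has to get right after tampering (slide 8), and the string walk is the quick first pass before decompiling: on a real APK the same regex over dex_strings gives the backend paths and credentials that slide 45 reports.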
Slide 47. Logged in with the FTP credentials

Slide 48. 100 porn images found on the server

Slide 52. Authors: ZeQ3uL and diF
• Paper: http://www.exploit-db.com/papers/26620/