Grant Douglas, Mobile Practice Director at Synopsys
Nikola Cucakovic, Senior Security Consultant at Synopsys
Protecting Business-Critical Apps
Mobile Application Hardening
© 2020 Synopsys, Inc. 2Synopsys Confidential Information
Who are we?
Grant Douglas (@Hexploitable)
Mobile Practice Director
Synopsys, SIG
Nikola Cucakovic (@ArbitraryRW)
Senior Security Consultant
Synopsys, SIG
Who is Synopsys?
• Historically a “hardware company”
• Branched into “software integrity” a few years back
• Acquired a number of popular security companies:
  • Coverity
  • Codenomicon (Heartbleed?)
  • Cigital (who we worked for)
  • Black Duck
• We do a lot of security activities, not just pen testing: secure software, pen testing, code review, mobile security, architecture analysis, training
Agenda
• What is business critical?
• Breaking these controls
• Overview of designing hardened apps
• Common hardening techniques
What makes it business critical?
• SPII
• IP

What will threat actors do?
• Static analysis: identify data of value, identify code of value, identify controls of interest.
• Dynamic analysis: identify data of value, identify code of value, identify controls of interest.
• Develop bypasses: defeat any required controls. Automate.
• Build payloads: build payloads depending on the end goal.
• Distribute payloads: possibly distribute malicious copies of the app, or payloads that target the app on rooted/jailbroken devices.
Initial analysis
• Static analysis, using common tools such as Radare (r2), JEB, IDA Pro, Hopper disassembler, etc.
• Look for interesting signatures:
  • Strings
  • Class names
  • Method names
• Look for the use of interesting APIs (e.g., file I/O APIs or networking APIs)
• Look for known vulnerable components or dependencies
• Additionally, an attacker might actually patch the application statically:
  • Patch out important instruction(s)
  • Modify execution flow to circumvent controls
Decompilation: Objective-C
(Slide shows a screenshot of decompiled Objective-C.)

Decompilation: Kotlin
(Slide shows a screenshot of decompiled Kotlin/Java.)
Obfuscation (renaming)
• Process of making an application’s logic difficult to understand by reverse engineering, without altering its overall functionality
• It's a bit like bad directions…
• Example variants:
  • Function splicing
  • Function merging
  • Function in-lining
  • Junk insertion
  • Many more

(Diagram: an App whose functions login(), selectTheme() and updateBio() are each split into Part A, Part B … Part X.)

Control flow obfuscation

Before in-lining: securityCheck() is one function, so it is a single place to patch or hook.

    #include <stdlib.h>

    extern int app_is_hacked;      /* set by the app's integrity checks */
    void someCall(void);
    void doMath(void);
    void securityCheck(void);

    void example()
    {
        someCall();
        securityCheck();
        doMath();
        securityCheck();
        return;
    }

    void doMath()
    {
        int a = 5, b = 6;
        securityCheck();
    }

    void securityCheck()
    {
        if (app_is_hacked)
        {
            exit(-1);
        }
    }

After in-lining: the body of securityCheck() is placed directly where the check happens, so there is no single securityCheck() function left to patch or hook.

    void example()
    {
        someCall();
        doMath();
        return;
    }

    void doMath()
    {
        int a = 5, b = 6;
        if (app_is_hacked)
        {
            exit(-1);
        }
        if (app_is_hacked)
        {
            exit(-1);
        }
        if (app_is_hacked)
        {
            exit(-1);
        }
    }
Introducing Frida
• Frida is a dynamic binary instrumentation (DBI) framework for multiple platforms
• Rich API provided for multiple languages:
  • Python
  • C
  • JavaScript
• Can be used to inspect and modify memory, including dynamic replacement of code
• Multiple modes of operation for iOS/Android:
  • Server: rooted device is required
  • Gadget: rooted device is not required

Frida Interceptor
• Interceptor is a Frida API for replacing code inside a given process
• Allows you to sniff/log inputs and return values of functions
• Allows you to modify all those too
Trampolines
(Diagram: the APP calls the access() function inside a LIBRARY; after hooking, a trampoline at the start of access() diverts execution to a replacement function.)
1. App calls the access() function
   A) Function executes
   B) Execution returns to the app
2. Attacker hooks access() with Frida
   A) Frida inserts a trampoline into access()
3. App calls access() again
   A) Execution jumps to the replacement code
   B) Execution returns to access()
   C) Then back to the app
Jailbroken devices
• Rooting or jailbreaking is a process to gain more control over the device
• Usually security researchers find and exploit real vulnerabilities in the device
• Payloads typically disable a bunch of security features
• Allows you to run untrusted code
• Allows you to do some pretty cool things

Jailbreak detection
• Some apps take it upon themselves to block jailbroken devices
• Why?
• How do they know?
  • Filesystem changes
  • API behavioral differences
  • Absence of expected controls
  • Presence of installed apps/packages
Recap
1. Grab the app.
2. Decompile the app and any libraries.
3. Identify target functionality.
4. Write some Frida-based attack payloads.
5. Easily circumvent basic copy-pasted controls.
Syscalls
• A system call (syscall) is a way for userland code to invoke specific functionality inside kernel space
• You don’t typically use syscalls directly; instead you call APIs in the standard library
• For example, calling the standard library’s exit() function will in turn invoke the exit syscall on the system (there are over 500 syscalls in total)
• We know that attackers will target the standard library (e.g., exit() or access()) to prevent us from detecting them or crashing
• Ergo, let’s skip the standard library and invoke the exit syscall from our code directly
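As an added example, not code from the deck, this is what "skip the standard library" looks like in C on Linux for the filesystem check that jailbreak detection relies on: the faccessat system call is issued by inline assembly on x86_64 and arm64, so a Frida hook placed on libc's access() symbol never sees the call. The helpers raw_faccessat, path_exists_raw and libc_and_raw_agree are my own names; the syscall numbers are Linux's (269 on x86_64, 48 on arm64), and other targets fall back to libc's generic syscall() wrapper, which still avoids the access() symbol.

```c
#include <errno.h>
#include <fcntl.h>          /* AT_FDCWD */
#include <stdio.h>
#include <unistd.h>         /* F_OK, access() for the cross-check */
#include <sys/syscall.h>

#ifndef AT_FDCWD
#define AT_FDCWD (-100)
#endif

/* Issue faccessat(AT_FDCWD, path, mode) without touching libc's access().
 * Returns 0 on success or -errno on failure (the kernel's own convention,
 * since no libc wrapper is involved on the inline-asm paths).
 * Hypothetical helper written for this example. */
long raw_faccessat(const char *path, int mode)
{
    long ret;
#if defined(__linux__) && defined(__x86_64__)
    /* Linux x86_64 ABI: number in rax, args in rdi/rsi/rdx, rcx/r11 clobbered */
    long nr = 269;                          /* __NR_faccessat on x86_64 */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"((long)AT_FDCWD), "S"(path), "d"((long)mode)
                      : "rcx", "r11", "memory");
#elif defined(__linux__) && defined(__aarch64__)
    /* Linux arm64 ABI: number in x8, args in x0..x2, result back in x0 */
    register long x8 __asm__("x8") = 48;    /* __NR_faccessat on arm64 */
    register long x0 __asm__("x0") = AT_FDCWD;
    register const char *x1 __asm__("x1") = path;
    register long x2 __asm__("x2") = mode;
    __asm__ volatile ("svc #0"
                      : "+r"(x0)
                      : "r"(x8), "r"(x1), "r"(x2)
                      : "memory");
    ret = x0;
#else
    /* Other targets: libc's thin syscall() wrapper, normalised to -errno */
    ret = syscall(SYS_faccessat, AT_FDCWD, path, mode);
    if (ret < 0)
        ret = -errno;
#endif
    return ret;
}

/* 1 if the path exists (the lookup a jailbreak-artefact check performs), else 0 */
int path_exists_raw(const char *path)
{
    return raw_faccessat(path, F_OK) == 0;
}

/* Cross-check: on an untouched system the raw syscall and libc's access()
 * agree. A disagreement means something sits between this process and the
 * kernel for that symbol, which is itself worth reacting to. */
int libc_and_raw_agree(const char *path)
{
    int via_libc = (access(path, F_OK) == 0);
    return via_libc == path_exists_raw(path);
}

int main(void)
{
    /* Constructed sample paths: "/" always exists, the second never does */
    const char *samples[] = { "/", "/constructed-path-that-does-not-exist" };
    for (int i = 0; i < 2; i++)
        printf("%-40s exists=%d agree=%d\n", samples[i],
               path_exists_raw(samples[i]), libc_and_raw_agree(samples[i]));
    return 0;
}
```

The same pattern applies to the exit() case on the slide (the exit_group syscall instead of faccessat). Two caveats for a real app: syscall numbers are per kernel, so an iOS build needs XNU's numbers rather than these, and the technique only moves the hooking target from libc into your own function; on a rooted device the attacker can still instrument that function, which is why the design slide later asks for layered and randomized controls.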
Static automation using Radare

Some numbers
(Bar chart: number of syscalls found per app scanned (banking, games, medical); extracted bar values: 1000, 500, 200, 130, 90, 75, 5, 5, 1, 0, 0.)
Frida…
Basic Frida detection
• Detection of Frida in the loaded libraries
• Detection of Frida artefacts on disk
  • E.g., config files, Frida server
• Detection of Frida in memory
  • Signatures (e.g., strings, functions)
• Detection of Frida network activity (e.g., ports)
Bypassing Frida detection

Example trampoline

access() after hooking:
0x182f17668 <+0>: ldr x16, #8
0x182f1766c <+4>: br x16
0x182f17670 <+8>: .long 0x020c7474
0x182f17674 <+12>: .long 0x00000001
0x182f17678 <+16>: mov x29, sp
0x182f1767c <+20>: bl 0x182f16dc0
…

open() after hooking:
0x182f2ea34 <+0>: ldr x16, #8
0x182f2ea38 <+4>: br x16
0x182f2ea3c <+8>: .long 0x001f35f4
0x182f2ea40 <+12>: .long 0x00000001
0x182f2ea44 <+16>: mov sp, x29
0x182f2ea48 <+20>: ldp x29, x30, [sp], #16
0x182f2ea4c <+24>: ret

open() without hooking:
0x182f2ea34 <+0>: stp x29, x30, [sp, #-16]!
0x182f2ea38 <+4>: mov x29, sp
0x182f2ea3c <+8>: ldr x2, [x29, #16]
0x182f2ea40 <+12>: bl 0x182f2fc88
0x182f2ea44 <+16>: mov sp, x29
0x182f2ea48 <+20>: ldp x29, x30, [sp], #16
0x182f2ea4c <+24>: ret
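The listings above make the "signatures in memory" bullet of the Frida-detection slide concrete: a hooked function starts with `ldr x16, #8; br x16` followed by an 8-byte absolute target, where the clean function starts with its normal stack-frame prologue. As an added example (my own code, not the deck's), the C below encodes that two-instruction stub from the ARMv8 encoding tables and checks a function's first words for it; the function names are mine, and the sample prologues are constructed from the slide's listings, so the check also works on an x86_64 build against those sample arrays.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AArch64 encodings of the stub in the listings: "ldr x16, #8" (LDR literal,
 * 64-bit, Rt = x16, offset +8) and "br x16". Derived from the ARMv8
 * instruction encodings; names are my own. */
#define A64_LDR_X16_PC8 0x58000050u
#define A64_BR_X16      0xD61F0200u
#define A64_B_MASK      0xFC000000u   /* opcode bits of an unconditional B */
#define A64_B_OPCODE    0x14000000u

/* 1 if the two words at `code` are the "load target into x16, branch" stub */
int a64_has_x16_trampoline(const uint32_t *code)
{
    return code[0] == A64_LDR_X16_PC8 && code[1] == A64_BR_X16;
}

/* Some hooking engines write a plain PC-relative "b target" instead; flag that too */
int a64_starts_with_branch(const uint32_t *code)
{
    return (code[0] & A64_B_MASK) == A64_B_OPCODE;
}

/* Absolute target of the stub: the 8-byte literal right after "br x16".
 * memcpy avoids an unaligned 64-bit load on 4-byte-aligned words. */
uint64_t a64_trampoline_target(const uint32_t *code)
{
    uint64_t target;
    memcpy(&target, code + 2, sizeof target);
    return target;
}

/* Runtime use on an arm64 device: inspect a library function's first words.
 * Returns 1 (hooked), 0 (clean) or -1 when this build is not arm64. */
int a64_function_looks_hooked(const void *fn)
{
#if defined(__aarch64__)
    const uint32_t *code = (const uint32_t *)fn;
    return a64_has_x16_trampoline(code) || a64_starts_with_branch(code);
#else
    (void)fn;
    return -1;
#endif
}

/* Sample prologues constructed from the listings (little-endian words) */
const uint32_t hooked_access_prologue[] = {
    0x58000050u, 0xD61F0200u,   /* ldr x16, #8 ; br x16       */
    0x020c7474u, 0x00000001u    /* .long target low, high      */
};
const uint32_t clean_open_prologue[] = {
    0xA9BF7BFDu,                /* stp x29, x30, [sp, #-16]!  */
    0x910003FDu,                /* mov x29, sp                 */
    0xF9400BA2u                 /* ldr x2, [x29, #16]          */
};

int main(void)
{
    printf("access(): hooked=%d target=0x%llx\n",
           a64_has_x16_trampoline(hooked_access_prologue),
           (unsigned long long)a64_trampoline_target(hooked_access_prologue));
    printf("open():   hooked=%d\n", a64_has_x16_trampoline(clean_open_prologue));
    return 0;
}
```

In an app you would run a64_function_looks_hooked over the handful of libc and system-framework functions your controls depend on (access, open, exit, and whatever else the controls call), at randomized moments rather than once at start-up. The limits follow from the slide: a hook can be placed past the prologue, the check itself is a function that can be hooked or patched, and an engine may use a different stub than the one encoded here, so treat this as one layer among several rather than a verdict.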
Trampoline demo
Secure design considerations
• Inconsistency is favorable
• Distribute and randomize controls
• Consider adding entropy to controls
  • E.g., execute N% of the time instead of 100%
• React in a multitude of different ways
• Layer your controls, protect controls with controls, etc.
• Today was just an intro. Many areas worth thinking about:
  • Code packers, debugger prevention, emulation of code, patch prevention, keylogging, etc.
Closing remarks
• App hardening is a cat-and-mouse game
• The controls presented are not comprehensive
• Raise the bar of difficulty
• It’s not about making it impossible; it’s about making it not worth the time investment
• App hardening is not easy; consider using commercial products
Thank You

Webinar–Mobile Application Hardening Protecting Business Critical Apps
