Real Mobile Applications Pentesting Scenarios (The Weird, the Bad and the Ugly)
1. THE WEIRD, THE BAD AND THE UGLY
MOBILE DEVELOPER WEEKEND
AHMED YOSSEF
2. ROAD MAP
▸ Mobile Apps vs Web Apps
▸ Mobile Apps Pentesting Environment
▸ The Weird - Gov app
▸ The bad - eCommerce app
▸ The ugly - that looked pretty
3. whoami
▸ Software Developer since 2007
▸ Desktop, Web, iOS, Android and JME
▸ Penetration Testing since 2015
▸ Applications Security Specialist, Solution Architect and Trainer
5. THE WEIRD, THE BAD AND THE UGLY
FIRST THINGS FIRST ..
During a penetration test, what is the first thing to look for?
SQL Injection?
Cross Site Scripting?
6. THE WEIRD, THE BAD AND THE UGLY
WHERE SOFTWARE LIVES
[Diagram: layered stack showing where software lives: OS, FTP Server, Mail Server, Web Server and Web Application, with numbered markers on each layer]
7. THE WEIRD, THE BAD AND THE UGLY
WHY MOBILE APPS SECURITY MATTERS!
Custom built software
New Platform*
Local storage
Sometimes reversible
Needed ASAP
Limited Tampering**
* New with respect to Web Applications Security and definitely to Network Security
** Limited user access gives a very misleading sense of security to developers
9. THE WEIRD, THE BAD AND THE UGLY
BASIC ENVIRONMENT SETUP
Physical device or Emulator (genymotion)
HTTP Proxy (BurpSuite or ZAP)
Backend Server (nvm, it is already there)
10. THE WEIRD, THE BAD AND THE UGLY
BASIC STEPS
1. Start the proxy and intercept the traffic
2. Identify parameters and API end points
3. Tamper data and mess with the logic
17. THE WEIRD, THE BAD AND THE UGLY
ABOUT THE APP
It is an eCommerce app with mobile payment and online purchase enabled
18. THE WEIRD, THE BAD AND THE UGLY
ISSUES FOUND
Mobile application connects to the API without an access token
Auto-increment user IDs
Reset password API doesn't require the current password
19. THE WEIRD, THE BAD AND THE UGLY
WHAT I DID
Python script with a single for loop calling the getProfile service
Dumped personal data of 170K+ users
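From the defender's side, the single-for-loop enumeration described on this slide leaves a very recognisable trace in API access logs: one client requesting many distinct, consecutive user IDs in a short time. The following is an added example, not part of the talk, of detection logic that flags such a client. The log format, the client IPs, the /api/getProfile path and the thresholds (5 distinct IDs within 60 seconds) are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format:
# ISO timestamp, client IP, method, path, status). Not from any real system.
SAMPLE_LOG = """\
2019-03-02T10:00:01Z 203.0.113.5 GET /api/getProfile?userId=1001 200
2019-03-02T10:00:01Z 203.0.113.5 GET /api/getProfile?userId=1002 200
2019-03-02T10:00:02Z 203.0.113.5 GET /api/getProfile?userId=1003 200
2019-03-02T10:00:02Z 203.0.113.5 GET /api/getProfile?userId=1004 200
2019-03-02T10:00:03Z 203.0.113.5 GET /api/getProfile?userId=1005 200
2019-03-02T10:00:03Z 203.0.113.5 GET /api/getProfile?userId=1006 200
2019-03-02T10:00:05Z 198.51.100.7 GET /api/getProfile?userId=2210 200
2019-03-02T10:03:10Z 198.51.100.7 GET /api/getProfile?userId=2210 200
2019-03-02T10:04:00Z 198.51.100.7 POST /api/cart/add 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
USERID_RE = re.compile(r"[?&]userId=(\d+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uid = USERID_RE.search(m["path"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "path": m["path"],
        "user_id": int(uid.group(1)) if uid else None,
    }


def find_enumerators(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Return {ip: sorted distinct userIds} for every client that requested
    at least `min_distinct` different profiles inside some `window`-long span."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user_id"] is not None and rec["path"].startswith("/api/getProfile"):
            by_ip[rec["ip"]].append((rec["ts"], rec["user_id"]))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window over the client's getProfile requests.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({uid for _, uid in events[start:end + 1]}) >= min_distinct:
                flagged[ip] = sorted({uid for _, uid in events})
                break
    return flagged


def is_sequential(ids):
    """True when the IDs form one consecutive run, the signature of a for loop
    walking auto-increment IDs."""
    return len(ids) > 1 and ids == list(range(ids[0], ids[0] + len(ids)))


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        kind = "sequential" if is_sequential(ids) else "scattered"
        print(f"{ip}: {len(ids)} distinct profiles, {kind} IDs {ids[0]}..{ids[-1]}")
```

The legitimate client (198.51.100.7) fetches its own profile twice and is not flagged; the enumerating client is reported with the full run of IDs it touched. In production the same logic would be fed from the API gateway's logs and the threshold tuned to how many profiles a real user can plausibly open per minute, which is usually one.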
20. THE WEIRD, THE BAD AND THE UGLY
WHAT I DID NOT DO
Python script with a single for loop calling the resetPassword service
Reset passwords of all the system's users
21. THE WEIRD, THE BAD AND THE UGLY
WHAT I DID NOT DO
Use the API to add items to someone's shopping cart
Edit his shipping address to mine
Call the checkout service
Get free expensive products
23. THE WEIRD, THE BAD AND THE UGLY
ABOUT THE APP
It is a restaurant chain app
The app seemed secure at first glance!
24. THE WEIRD, THE BAD AND THE UGLY
ISSUES FOUND
Token-based authentication .. so far so good
App applies authentication without authorisation
Log in to your account and get a token that can be used to access others' accounts
25. THE WEIRD, THE BAD AND THE UGLY
WHAT I DID
Dump Other users’ data
Data Manipulation
27. THE WEIRD, THE BAD AND THE UGLY
REMEMBER
1 Mobile App Interface is not the only interface to be used
2 Authentication using user id is not authentication
3 It is not enough to authorise the login screen only
4 Injection attacks are dangerous but logic attacks are even worse
5 For a pentester; brain and patience are the most important tools
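The three findings above (eCommerce API reachable without a token with auto-increment IDs and a reset-password call that skips the current password; a restaurant app whose token proves who you are but not what you may touch) all come down to points 2 and 3 of this list. The following is an added example, not code from the talk or from either app, showing the insecure pattern beside a hardened one: every endpoint first resolves the caller from the token, then checks that the caller owns the object, and a password reset re-proves the current password even with a valid token. The in-memory stores, the user records and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import uuid

# In-memory stores, constructed for the example (not a real backend).
USERS = {}     # user_id -> {"email": str, "salt": bytes, "password_hash": bytes}
SESSIONS = {}  # access token -> user_id


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(email, password):
    # Opaque random ID instead of an auto-increment integer: it cannot be
    # walked with a for loop even on a day when an authorisation check is missed.
    user_id = str(uuid.uuid4())
    salt = os.urandom(16)
    USERS[user_id] = {"email": email, "salt": salt,
                      "password_hash": _hash_password(password, salt)}
    return user_id


def login(email, password):
    """Return a fresh access token, or None if the credentials are wrong."""
    for user_id, rec in USERS.items():  # linear lookup is fine for the example
        if rec["email"] == email and hmac.compare_digest(
                rec["password_hash"], _hash_password(password, rec["salt"])):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = user_id
            return token
    return None


def _caller(token):
    """Authentication: resolve the calling user from the token, on every call."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        raise PermissionError("missing or invalid access token")
    return user_id


# --- The pattern from the talk: the API trusts whatever userId the client sends. ---
def get_profile_insecure(user_id):
    rec = USERS.get(user_id)
    return {"email": rec["email"]} if rec else None


# --- Hardened: authenticate (token) AND authorise (ownership) on every call. ---
def get_profile(token, user_id):
    caller = _caller(token)
    if caller != user_id:  # object-level authorisation, not just a login check
        raise PermissionError("not your profile")
    return {"email": USERS[user_id]["email"]}


def reset_password(token, current_password, new_password):
    caller = _caller(token)
    rec = USERS[caller]
    # Re-prove possession of the current password even with a valid token, so a
    # leaked token alone cannot lock the real owner out of the account.
    if not hmac.compare_digest(rec["password_hash"],
                               _hash_password(current_password, rec["salt"])):
        raise PermissionError("current password is wrong")
    rec["salt"] = os.urandom(16)
    rec["password_hash"] = _hash_password(new_password, rec["salt"])
    # Revoke every other session of this user after a credential change.
    for stale in [t for t, u in SESSIONS.items() if u == caller and t != token]:
        del SESSIONS[stale]
    return True


def rejects(fn, *args):
    """Helper for the demo: True if the call is refused with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    alice = create_user("alice@example.test", "correct horse")
    bob = create_user("bob@example.test", "battery staple")
    t = login("alice@example.test", "correct horse")
    print("insecure endpoint leaks Bob:", get_profile_insecure(bob))
    print("hardened endpoint refuses Bob's profile:", rejects(get_profile, t, bob))
    print("hardened endpoint refuses reset without current password:",
          rejects(reset_password, t, "wrong", "new"))
```

The contrast to keep in mind is the one the slides make: `get_profile_insecure` accepts any caller and any ID (the eCommerce case), and a version of `get_profile` that only called `_caller` without the ownership comparison would be the restaurant case, authentication without authorisation. Both checks have to live on every endpoint, not only on the login screen.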
28. The END
Thanks for your time :)
me@ayossef.net
linkedin.com/in/ayossef
facebook.com/ahmedabdallah21