OutSmarting SmartPhones
saurabh@sensepost.com 
@s_harit
echo whoami 
• Senior Security Analyst @SensePost 
(awesome company BTW) 
• 7+ years in InfoSec 
• Specialize in Web App & Network security 
• Part time Reverse Engineer (is that even possible???)
• Certified Ethical Hacker (as if it matters) 
• Can do 50 Push-ups in one go (and faint)
• Why does everyone rant about SmartPhone security 
• Understanding iPhone Application layout 
• Decrypting iPhone apps & what can we achieve 
• Android Architecture 
• Android Permission Model & Sandbox 
• Analyzing Android Apps - Deep sea diving 
• Practical Attacks on Android 
• Demos 
• And more Demos 
• Introducing Manifestor.py
Why care???
• Smartphones are growing in popularity by the minute
• Windows Phone 7 (Dell, HTC, LG etc.), iPhone (Apple), Android (Google, HTC, Samsung, Motorola etc.)
• means growth in mobile applications (according to Juniper Research, the mobile application market is expected to reach $32 billion by 2015)
• means loads of mobile application development (from barcode scanners to Angry Birds to mobile BANKING)
• means tons of lines of code (plus bad programming)
• equals VULNERABILITIES - programmatic, environmental, configurational and so on
I once had an iPhone...
iPhone Binary Format
• IPA file - basically a zip archive
• Location of the app binary inside the IPA:
‣ Payload/MyApp.app/MyApp (on the device the same .app bundle sits in the app's own directory under /var/mobile/Applications/)
• Based on the Mach-O (Mach Object) file format
• Sandbox:
‣ Apps restricted to their own private directory and memory pages
• App Store apps are encrypted (FairPlay)
‣ Decrypted by the loader at run time, so the clear code only ever exists in memory
Reverse Engineering iPhone Apps
Decrypting iPhone Binary
• What do I need:
‣ Jailbroken iPhone (yes, it's a necessity of life)
‣ iPhone SDK (otool)
‣ Hex editor (0xED, HexWorkshop, etc. etc.)
‣ IDA Pro (optional) - version 5.2 - 5.6
• Finding an app's root dir on the iPhone
‣ sudo find / | grep iApp.app
‣ iApp.app contains iApp, the actual binary
• The LC_ENCRYPTION_INFO load command (fields cryptoff, cryptsize, cryptid) tells the loader which bytes to decrypt
‣ otool -l iApp | grep crypt
Decrypting iPhone Binary
• Take a copy of the binary, locate "cryptid" in it with the hex editor, and flip it from "1" to "0"
‣ Do it, NOW
• "cryptid" is now "0". What does this mean?
• Not decrypted yet - it only tells the loader not to decrypt; the bytes at cryptoff are still ciphertext
• Next, run the (untouched) app on the iPhone and take a memory dump of the decrypted code
‣ Actual code starts at 0x2000
‣ Size of encrypted data - 942080 (0xE6000)
‣ So, we need to dump from 0x2000 to 0xE8000 (0x2000 + 0xE6000). Guess why 0x2000? :-) The encrypted bytes sit at file offset cryptoff = 0x1000, and the __TEXT segment of a 32-bit iOS binary maps file offset 0 to address 0x1000, so cryptoff lands at 0x2000 in memory
• Run the app on the iPhone, ssh into the iPhone, use gdb
‣ gdb -p PID
‣ dump memory iApp.bin 0x2000 0xE8000
• Pull iApp.bin to the local machine
‣ Write the dumped bytes over the encrypted region of the copy in which "cryptid" was set to "0"
‣ Don't forget - "cryptoff" was 4096 (0x1000), so the dump goes in at file offset 0x1000, not at 0x2000
• Sorted :-)
• For all technical details, please refer to the SensePost blog:
‣ http://sensepost.com/blog/6254.html
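The steps above as one script, added here as an example; it is not the tooling from the talk or the SensePost blog post. It parses the Mach-O load commands the way `otool -l` reads them, turns cryptoff into the virtual address range to hand to gdb, and after the dump zeroes cryptid and splices the plaintext back in at cryptoff. It assumes a thin, little-endian Mach-O (a fat binary must be thinned first, e.g. with lipo); the sample binary at the bottom is constructed for this example with the talk's layout (cryptoff 0x1000, __TEXT at 0x1000) and is not a real app. The gdb step itself stays manual on the device; the script only prints the command.

```python
"""Mach-O LC_ENCRYPTION_INFO helper (added example; not the SensePost tooling).

Assumes a thin, little-endian Mach-O. Mirrors the manual steps: read the
crypt* fields that `otool -l | grep crypt` shows, work out the address range
to dump with gdb, then zero cryptid and splice the dump back in at cryptoff.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def parse(data):
    """Return (crypt, segments).

    crypt: dict with cryptoff, cryptsize, cryptid and cryptid_offset (the file
    offset of the cryptid field itself, i.e. the dword to flip in a hex editor).
    segments: list of (name, vmaddr, fileoff, filesize).
    """
    magic, = struct.unpack_from('<I', data, 0)
    if magic == MH_MAGIC:
        off = 28                      # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        off = 32                      # mach_header_64 has an extra reserved field
    else:
        raise ValueError('not a thin little-endian Mach-O (magic %#x)' % magic)
    ncmds, = struct.unpack_from('<I', data, 16)
    crypt, segments = None, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<II', data, off)
        if cmd == LC_SEGMENT:
            name, vmaddr, _vmsize, fileoff, filesize = struct.unpack_from('<16sIIII', data, off + 8)
            segments.append((name.rstrip(b'\0').decode(), vmaddr, fileoff, filesize))
        elif cmd == LC_SEGMENT_64:
            name, vmaddr, _vmsize, fileoff, filesize = struct.unpack_from('<16sQQQQ', data, off + 8)
            segments.append((name.rstrip(b'\0').decode(), vmaddr, fileoff, filesize))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from('<III', data, off + 8)
            crypt = dict(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                         cryptid_offset=off + 16)
        off += cmdsize
    if crypt is None:
        raise ValueError('no LC_ENCRYPTION_INFO: binary is not FairPlay-encrypted')
    return crypt, segments


def dump_range(crypt, segments):
    """Translate cryptoff (a file offset) into the [start, end) virtual address
    range to dump from the running process: the talk's 0x2000..0xE8000."""
    for _name, vmaddr, fileoff, filesize in segments:
        if fileoff <= crypt['cryptoff'] < fileoff + filesize:
            start = vmaddr + (crypt['cryptoff'] - fileoff)
            return start, start + crypt['cryptsize']
    raise ValueError('cryptoff is not inside any segment')


def gdb_dump_command(outfile, start, end):
    """The gdb line to run after `gdb -p PID` on the jailbroken device."""
    return 'dump memory %s %#x %#x' % (outfile, start, end)


def patch(data, crypt, dump):
    """Zero cryptid and overwrite the ciphertext at cryptoff with the dump."""
    if len(dump) != crypt['cryptsize']:
        raise ValueError('dump is %d bytes, cryptsize is %d' % (len(dump), crypt['cryptsize']))
    buf = bytearray(data)
    struct.pack_into('<I', buf, crypt['cryptid_offset'], 0)
    buf[crypt['cryptoff']:crypt['cryptoff'] + crypt['cryptsize']] = dump
    return bytes(buf)


def build_sample(cryptsize=0x10):
    """Constructed test input: a minimal armv7-style Mach-O whose __TEXT maps
    file offset 0 to 0x1000 and whose encrypted region starts at file offset
    0x1000, the layout the talk's numbers come from. Not a real app."""
    seg = struct.pack('<II16sIIIIIIII', LC_SEGMENT, 56, b'__TEXT', 0x1000, 0x2000,
                      0, 0x1000 + cryptsize, 5, 5, 0, 0)
    enc = struct.pack('<IIIII', LC_ENCRYPTION_INFO, 20, 0x1000, cryptsize, 1)
    hdr = struct.pack('<7I', MH_MAGIC, 12, 9, 2, 2, len(seg) + len(enc), 0)  # cputype 12 = ARM
    body = hdr + seg + enc
    body += b'\0' * (0x1000 - len(body))        # pad up to cryptoff
    return body + b'\xAA' * cryptsize           # stand-in for the FairPlay ciphertext


if __name__ == '__main__':
    sample = build_sample()
    crypt, segments = parse(sample)
    start, end = dump_range(crypt, segments)
    print('cryptid=%d cryptoff=%#x cryptsize=%#x' % (crypt['cryptid'], crypt['cryptoff'], crypt['cryptsize']))
    print(gdb_dump_command('iApp.bin', start, end))
    fixed = patch(sample, crypt, b'\x01' * crypt['cryptsize'])
    print('patched cryptid =', parse(fixed)[0]['cryptid'])
```

On a real binary, `patch()` refuses a dump whose length differs from cryptsize; that is the check that catches an off-by-one in the gdb range before you hand a half-patched file to IDA.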
I have an Android phone... 
...and I love it :-)
Android Architecture
Android Security Model
• Linux kernel
• Linux-like permission model
• Applications run with their own uid:gid (something like a multi-user system)
• Applications may share a uid (must be signed with the same key)
• App permissions are defined in AndroidManifest.xml
• Manually reviewed / accepted by the user on install (Really??? What if I am a runway model?)
• Applications are self-signed: there is no CA, the signing key only identifies the developer and ties updates to the original package
AndroidManifest.xml
• One for each app
• Declares the Java package name for the application
• Describes the components of the application - activities, services, broadcast receivers, content providers
• Declares permissions required to access protected parts of the APIs
• Declares permissions required by other applications to interact
Activity
• User-focused task
• Almost always interacts with the user
• Displays a button, text box etc.
• Runs within the app's process
• Stack based - a new activity is placed on top (the back stack)
• Activity states: active (resumed), paused, stopped
Intents
• Basically messages between components such as activities, services etc.
• Like passing parameters to API calls, except it's asynchronous
• Run-time binding
• Start an activity with startActivity()
• Similarly sendBroadcast(), startService(Intent) and so on
Start an Activity
Broadcast Receiver
• Communication between apps and the system
• Messages sent as Intents
• Dynamic creation through Context.registerReceiver()
• Static declaration through the <receiver> tag in AndroidManifest.xml
• A <receiver> with an <intent-filter> in AndroidManifest.xml is exported by default, unless android:exported="false" is set
• Access permissions can be enforced by either the sender (sendBroadcast(intent, permission)) or the receiver (android:permission on the tag)
• Apps can register to receive intents without special privileges ;-)
Service
• Long running background process
• Can run in its own process,
• Or in the context of another application's process
• Can be started with an intent
• Can be secured by adding an android:permission attribute to the <service> tag
• Careful while sending sensitive data
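The manifest and component rules from the last few slides (what the manifest declares, which receivers and services end up exported, and where a permission attribute protects them) condensed into one check, added here as an example in the spirit of a Manifestor.py-style tool but not that tool. It reads a decoded, plain-text AndroidManifest.xml as apktool produces (inside an APK the manifest is binary XML) and lists exported components that no permission guards, applying the platform defaults: an explicit android:exported wins, otherwise a component with an <intent-filter> is exported, and a <provider> is exported by default below targetSdkVersion 17. The package and component names in SAMPLE_MANIFEST are made up for this example.

```python
"""Exported-component check over a decoded AndroidManifest.xml.

Added example in the spirit of the Manifestor.py idea from the talk, but it is
not that tool. Input is plain-text XML as produced by apktool (inside an APK
the manifest is binary XML). SAMPLE_MANIFEST below is constructed for this
example; the package and component names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
COMPONENTS = ('activity', 'service', 'receiver', 'provider')
LAUNCHER = 'android.intent.category.LAUNCHER'


def attr(el, name):
    """Read an android:* attribute (ElementTree expands the namespace)."""
    return el.get('{%s}%s' % (ANDROID_NS, name))


def is_exported(el, target_sdk):
    """Platform defaults: an explicit android:exported wins; otherwise any
    component with an <intent-filter> is exported, and a <provider> is
    exported by default when targetSdkVersion < 17."""
    explicit = attr(el, 'exported')
    if explicit is not None:
        return explicit.lower() == 'true'
    if el.tag == 'provider':
        return target_sdk < 17
    return el.find('intent-filter') is not None


def required_permission(el):
    """Permission a caller needs; providers may use read/write variants."""
    perm = attr(el, 'permission')
    if perm is None and el.tag == 'provider':
        perm = attr(el, 'readPermission') or attr(el, 'writePermission')
    return perm


def analyze(xml_text):
    """Return (uses_permissions, findings); a finding is
    (tag, name, [actions]) for an exported component with no permission."""
    root = ET.fromstring(xml_text)
    sdk = root.find('uses-sdk')
    target_sdk = 1
    if sdk is not None:
        target_sdk = int(attr(sdk, 'targetSdkVersion') or attr(sdk, 'minSdkVersion') or 1)
    uses = [attr(p, 'name') for p in root.findall('uses-permission')]
    findings = []
    for el in root.find('application').iter():
        if el.tag not in COMPONENTS or not is_exported(el, target_sdk):
            continue
        if any(attr(c, 'name') == LAUNCHER for c in el.iter('category')):
            continue                          # the launcher activity is meant to be open
        if required_permission(el) is None:
            actions = [attr(a, 'name') for a in el.iter('action')]
            findings.append((el.tag, attr(el, 'name'), actions))
    return uses, findings


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="com.example.bank.TRANSFER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>"""


if __name__ == '__main__':
    uses, findings = analyze(SAMPLE_MANIFEST)
    print('uses-permission:', ', '.join(uses))
    for tag, name, actions in findings:
        print('exported %s %s without a permission; actions: %s' % (tag, name, actions or '-'))
```

On the sample this flags TransferActivity (any app can start it with its custom action), SmsReceiver (exported through its intent-filter) and AccountProvider (exported by default at targetSdkVersion 10), while SyncService passes because its tag carries android:permission.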
Understanding Android App
• Apps run in the Dalvik Virtual Machine - one DVM for each app
• DVM is register based, not stack based
• Application isolation comes from the kernel (one Linux uid per app), not from the DVM
• One application cannot access data of another application
‣ Hmmm, "cannot" or "SHOULD not"
• Unique UID for each application
• Apps written in Java, then compiled to Dalvik byte code
‣ No solid code obfuscator for the Android platform
‣ Even if there is one (ProGuard ships with the SDK), no one uses it
• Permissions are declared in AndroidManifest.xml
• Permissions displayed to the user at install time - Accept or Reject. TRICKY!!!
‣ Everyone sitting in this room may care, what about others???
‣ What about installing via "adb" - cracked apps ("adb install malicious.apk") skip the Market permission prompt entirely
• android.permission.INTERNET - very common, so nobody blinks at it, but that's all they need :-)
• Easy to publish a malicious app on Android Market
APK File Format
• Application package file for Android
• Variant of the JAR file format (a zip with a META-INF signature directory)
• Contains (unzip AndroidApp.apk):
• AndroidManifest.xml (binary XML, not plain text - use apktool to decode it)
• META-INF directory (MANIFEST.MF, CERT.SF, CERT.RSA - the JAR signature)
• classes.dex (all of the app's Dalvik bytecode in one file)
• res directory
• resources.arsc (compiled resources)
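An added example (not from the talk) that treats the APK as the JAR-style zip the slide describes: it lists the entries, checks the expected ones are present, and verifies each entry's SHA1 digest against META-INF/MANIFEST.MF, which is the integrity layer of JAR signing that a repackaged app breaks. The APK is constructed in memory with stub entries. Only the manifest digests are verified here; CERT.SF and the PKCS#7 CERT.RSA that bind the manifest to a key are not, and since every Android app is self-signed a valid signature says nothing about who the author is, only that the package was not modified after signing.

```python
"""Treat an APK as the JAR-style zip it is and check the v1 (JAR) signing
layer's per-entry digests in META-INF/MANIFEST.MF.

Added example, not from the talk. The APK is constructed in memory with stub
entries; real entries are binary (AndroidManifest.xml is binary XML, which is
why apktool is needed to read it). Only the manifest digests are checked:
CERT.SF and the PKCS#7 CERT.RSA that bind them to a key are not verified.
"""
import base64
import hashlib
import io
import zipfile

EXPECTED = ('AndroidManifest.xml', 'classes.dex', 'resources.arsc')


def parse_jar_manifest(text):
    """Parse MANIFEST.MF into (main_attrs, {entry_name: attrs}).

    Sections are separated by blank lines; a line starting with a space
    continues the previous one (the format wraps lines at 72 bytes)."""
    sections, current = [], []
    for line in text.splitlines():
        if not line:
            if current:
                sections.append(current)
            current = []
        elif line.startswith(' ') and current:
            current[-1] += line[1:]
        else:
            current.append(line)
    if current:
        sections.append(current)
    parsed = [dict(l.split(': ', 1) for l in s) for s in sections]
    main = parsed[0] if parsed else {}
    entries = {s['Name']: s for s in parsed[1:] if 'Name' in s}
    return main, entries


def b64_sha1(data):
    """Digest encoding used by the SHA1-Digest attribute."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def inspect_apk(apk_bytes):
    """Return (names, missing, unsigned, tampered): the zip listing, expected
    entries that are absent, entries with no digest in MANIFEST.MF, and
    entries whose content no longer matches their digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        missing = [n for n in EXPECTED if n not in names]
        entries = {}
        if 'META-INF/MANIFEST.MF' in names:
            _, entries = parse_jar_manifest(z.read('META-INF/MANIFEST.MF').decode())
        unsigned, tampered = [], []
        for n in names:
            if n.startswith('META-INF/') or n.endswith('/'):
                continue
            attrs = entries.get(n)
            if attrs is None or 'SHA1-Digest' not in attrs:
                unsigned.append(n)
            elif b64_sha1(z.read(n)) != attrs['SHA1-Digest']:
                tampered.append(n)
    return names, missing, unsigned, tampered


def build_sample_apk(tamper=False):
    """Constructed APK with stub entries and a MANIFEST.MF carrying correct
    SHA1 digests. With tamper=True classes.dex is swapped after 'signing',
    the repackaged-app case."""
    files = {
        'AndroidManifest.xml': b'\x03\x00\x08\x00 binary xml stub',
        'classes.dex': b'dex\n035\x00 dalvik bytecode stub',
        'resources.arsc': b'\x02\x00\x0c\x00 resource table stub',
        'res/layout/main.xml': b'\x03\x00\x08\x00 layout stub',
    }
    mf = ['Manifest-Version: 1.0', 'Created-By: 1.0 (Android)', '']
    for name, data in files.items():
        mf += ['Name: ' + name, 'SHA1-Digest: ' + b64_sha1(data), '']
    if tamper:
        files['classes.dex'] = b'dex\n035\x00 patched bytecode'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('META-INF/MANIFEST.MF', '\n'.join(mf))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == '__main__':
    for tamper in (False, True):
        names, missing, unsigned, tampered = inspect_apk(build_sample_apk(tamper))
        print('entries:', names)
        print('missing:', missing, 'unsigned:', unsigned, 'tampered:', tampered)
```

Run against a real APK by passing the file's bytes to `inspect_apk()`; a cracked app that was re-signed with a new key will pass this check (the manifest was regenerated), which is exactly why the digest layer alone cannot tell you whether an APK came from the original developer.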
Decompiling Android Apps
Analyzing HTTP Traffic
Bypassing Lock Pattern
Insecure Data Storage
All your data is Mine
Manifestor.py
Manifestor
Let's Sum It Up
• FACTS:
• The SmartPhone industry is rapidly growing and will continue to grow
• Provides a plethora of features & functionalities
• Apps for anything & everything
• Developed by inexperienced young developers
• What's Required:
• Standardization of application development
• In-built secure APIs within the SDK
• Need for a strong threat model
• Domain-based testing
• QUESTIONS
References
• http://www.juniperresearch.com/shop/products/whitepaper/pdf/MAS10_White%20Paper.pdf
• http://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html
• http://developer.android.com/guide/basics/what-is-android.html
• www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
• developer.android.com/sdk/
• code.google.com/p/android-apktool/
• https://www.facebook.com/HTC/posts/10150307320018084
