Building A Mobile App Pen Testing Blueprint

1y ago

31 Views

1 Downloads

6.89 MB

36 Pages

Report/dmca

Download PDF

Transcription

AGENDASPEAKERWHO WE AREWHY MOBILE MATTERSTOOLS OF THE TRADECOMMON FINDINGSTONY RAMIREZSHARING WITH STAKEHOLDERSMOBILE SECURITY ANALYSTQUESTIONS2 Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

NOWSECURE DEEP MOBILE SECURITY EXPERTISEBooks & SpeakingMOBILE SECURITY RESEARCH IS IN OUR DNADream team of security researchersDiscovering critical vulnsIdentifying novel attack vectorsCreating/maintaining renowned open-source mobile security tools/projectsExpert team of security pen testersPen tested thousands of mobile appsComprehensive experience and testing blueprintCertified some of the worlds most complex, high security appsOpen sourceTHE NOWSECURE MISSIONSave the world from unsafe mobile appsEducate enterprises on the latest mobile threatsMaximize the security of apps enterprises develop, purchase and use3 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TOOLS OF THE TRADE1. Terminal of choice2. Jailbroken/rooted iOS and Android devices3. Network interception tools4. Developer tools5. Reverse engineering tools6. Patience, creativity, and attention to detail6 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

MOBILE VULNERABILITY AREAS – THE ATTACK SURFACEForensics/Data-at-RestClient Code QualityNetwork TrafficBackend/API7 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

INSIDE THE MOBILE ATTACK SURFACECODE FUNCTIONALITYiOSAPPSTESTAPP GPS spoofingBuffer overflowallowBackup FlagallowDebug FlagCode ObfuscationConfiguration manipulationEscalated privileges URL schemesGPS LeakingIntegrity/tampering/repackingSide channel attacksApp signing key unprotectedJSON-RPCAutomatic Reference CountingAndroid rooting/iOS jailbreakUser-initiated codeConfused deputy attackMedia/file format parsersInsecure 3rd party librariesWorld Writable FilesWorld Writable Executables Dynamic runtime injectionUnintended permissionsUI overlay/pin stealingIntent hijackingZip directory traversalClipboard dataWorld Readable Files HTTP ProxiesVPNsWeak/No Local authenticationApp transport securityTransmitted to insecure serverZip files in transitCookie “httpOnly” flagCookie “secure” flagiOS FRAMEWORKSiOS NATIVE LIBRARIESiOS HALiOS Mach/XNU KERNELDATA AT REST Data caching Data stored in application directory Decryption of keychain Data stored in log filesData cached in memory/RAM Data stored in SD card DATA IN MOTIONOS data cachingPasswords & data accessibleNo/Weak encryptionTEE/Secure Enclave ProcessorSide channel leakSQLite databaseEmulator varianceHARDWARENetwork &Cloud Services8 Wi-Fi (no/weak encryption)Rogue access pointPacket sniffingMan-in-the-middleSession hijackingDNS poisoningTLS DowngradeFake TLS certificateImproper TLS validationData Center& App Backend Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

COMMON FORENSICS ISSUESSensitive data on the device73%Credentialsof Android AppsLeak Sensitive Data toSystem LogsPII (SSNs, addresses, phone numbers)Session tokensCryptographic keys and IVsData in insecure locationsSystem LogsEmulated Storage / SD CardArbitrary Code on SD Card18%of iOS AppsLeak Sensitive Data toSystem Logs10 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TESTING FORENSICS/DATA-AT-RESTThe search for sensitive valuesRainbow tables helpPrivateapplicationfolderregex and grepSD card (Android)KeychainRAMJailbroken/Rooted devicesBackupsGreat for testing private folders and keychainSystem log filesNot necessary for backups, logs, and SDCardExercise the app!Different data before and after log out11 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REAL-WORLD EXAMPLEIoT app with wearable hardwareMonitors users healthRequires updatesSyncs with mobile device via appWriting to insecure data storageIdentifying health data on SD cardFirmware binary stored on SD card12 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REMEDIATIONS1. Avoid writing sensitive dataa. Use encryptioni. No custom crypto2. Avoid writing to SD card3. Avoid writing to system logs13 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

COMMON CODE-LEVEL ISSUESHardcoded crypto keys and IVsHardcoded credentialsClient side logicVulnerable SDKs and librariesFree security featuresBackdoor methods15 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TESTING CODE QUALITY Black-box testing approach Reverse Engineering: Zip files - AndroidManifest.xml, Info.plist Disassemblers / Decompilers (Radare2, apktool, procyon) Dynamic binary instrumentation (Frida) Developer tool (Android Studio, Xcode) Source code analysis Android - Java, Kotlin iOS - Objective-C, Swift “strings” and “grep”, otool etc.16 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REMEDIATIONS1. If you don’t want it seen, don’thardcode ita. Keys, IVs, creds, and othersensitive data2. Authentication and Authorization mustbe performed server side3. Use free securitya. Client side flags protect users4. Remove extraneous functionality20 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

COMMON NETWORK SECURITY ISSUESHTTP TrafficMITM Issues1 in 5Certificate ValidationAndroid Apps useinsecure HTTPHostname VerificationCertificate PinningThird Party EndpointsVulnerable Network Libraries1 in 7iOS Apps useinsecure HTTP22 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TESTING NETWORK INTERACTIONSUse different MiTM environmentsDifferent types of certsTest before and after login processBe prepared to launch the proxy during different stagesExercise the entire appThird party API or other contentLook for sensitive data and interesting content typesLess work when testing the web API23 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

INTERCEPTION PROXY BASIC SETUPMitmproxy CA certificate(optional)Device 192.168.10.15Gateway set to 192.168.10.66Laptop w/ mitmproxyListening at ports 80 & 443192.168.10.66Backend Server192.168.10.124 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REAL-WORLD EXAMPLEWebViews with MiTM issuesIn-app browserArbitrary contentJavaScriptFAQ page can become a phishing vector25 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REMEDIATIONS1. Always use HTTPS because it’s 20192. Ensure proper verification of certificates3. Implement certificate pinning whentransmitting highly sensitive PII over thenetwork4. Use up-to-date network libraries5. Test your third party API requests26 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

COMMON BACKEND/API ISSUESInsecure authenticationInsecure authorizationSession token issuesLack of rate limitingGeneral web backend issues28 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TESTING BACKEND/API Manipulate network traffic using interception proxy Attempt to brute force important fields in the network request Input arbitrary values and inspect server response (stack traces) Fuzz URL for directory traversal etc. Exercise authentication and authorization functionalities Test for session token replay, expiration Try default admin credentials29 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REAL-WORLD EXAMPLESImproper access control on Facebook external access tokens - Unauthorized k-login/manually-build-a-login-flow#checktoken31 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

REMEDIATIONS1. Perform rate limiting on endpoints2. Ensure proper session handling3. Follow web backend best :OWASP Backend Security Project32 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

COMMUNICATING THE ISSUESReport needs to make sense to everyoneSecurity, Developers, and ManagementAttack ScenarioRemediation33 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TOP 5 TAKEAWAYS1. Unnecessary data storage on device (writing to external storage or logs)2. HTTP network traffic3. Lack of hostname verification /certificate validation4. Client-side logic5. Mobile API security34 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

TRUSTED BY THE WORLD’S HIGHEST SECURITY ORGANIZATIONSAutomated Mobile AppSec Testing SoftwareExpert Pen Testing & Security ServicesPowers Security in Agile & DevOps TeamsWorld-Class Security Research Team(builders of FRIDA & RADARE)Advanced Engineering & DevOps Teamsfrom High Frequency Trading CompaniesWrote the book on mobile forensics35 Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

INSIDE THE MOBILE ATTACK SURFACE iOS APPS iOS FRAMEWORKS iOS NATIVE LIBRARIES iOS Mach/XNU KERNEL iOS HAL HARDWARE CODE FUNCTIONALITY DATA AT REST DATA IN MOTION Data Center & App Backend Network & Cloud Services TEST APP GPS spoofing Buffer overflow allowBackup Flag allowDebug Flag Code Obfuscation Configuration manipulation