OutSmarting SmartPhones
saurabh@sensepost.com
@s_harit
echo whoami
- Senior Security Analyst @SensePost (awesome company BTW)
- 7+ years in InfoSec
- Specialize in Web App & Network security
- Part time Reverse Engineer (is that even possible???)
- Certified Ethical Hacker (as if it matters)
- Can do 50 Push-ups in one go (and faint)
- Why does everyone rant about SmartPhone security
- Understanding iPhone Application layout
- Decrypting iPhone apps & what can we achieve
- Android Architecture
- Android Permission Model & Sandbox
- Analyzing Android Apps - Deep sea diving
- Practical Attacks on Android
- Demos
- And more Demos
- Introducing Manifestor.py
Why care???
- Smartphones are growing in popularity by the minute
- Windows 7 (Dell, HTC, LG etc.), iPhone (Apple), Android (Google, HTC, Samsung, Motorola etc.)
- means growth in mobile applications (according to Juniper Research, the mobile application market is expected to reach $32 billion by 2015)
- means loads of mobile application development (from barcode scanners to Angry Birds to mobile BANKING)
- means tons of lines of code (plus bad programming)
- equals VULNERABILITIES - programmatic, environmental, configurational and so on
I once had an iPhone...
iPhone Binary Format
- IPA file - basically a zip archive
- Location of app binary on iPhone: Payload/MyApp.app/MyApp
- Based on Mach-O (Mach Object) file format
- Sandbox:
  - Apps restricted to their own private directory and memory pages
- Apps are encrypted
  - Decrypted by the iPhone loader at run-time
Reverse Engineering iPhone Apps
Decrypting iPhone Binary
- What do I need:
  - Jailbroken iPhone (Yes, it's a necessity of life)
  - iPhone SDK (otool)
  - Hex Editor (0xED, HexWorkshop, etc. etc.)
  - IDA Pro (Optional) - Version 5.2 - 5.6
- Finding an app root dir on iPhone
  - sudo find / | grep iApp.app
  - iApp.app contains iApp, the actual binary
- crypt load command responsible for decryption
  - otool -l iApp | grep crypt
Decrypting iPhone Binary
- Locate cryptid in the actual binary, and flip it to 0
  - Do it, NOW
- cryptid is now 0. What does this mean?
  - Not decrypted yet
- Next, run the app on the iPhone and take a memory dump
  - Actual code starts at 0x2000
  - Size of encrypted data - 942080 (0xE6000)
  - So, we need to dump from 0x2000 to 0xE8000. Guess why? :-)
- Run app on iPhone, ssh into iPhone, use gdb
  - gdb -p PID
  - dump memory iApp.bin 0x2000 0xE8000
- Pull iApp.bin to the local machine
- Overwrite the initial binary file (where cryptid was set to 0) with iApp.bin
  - Don't forget - cryptoff was 4096 (0x1000)
- Sorted :-)
- For all technical details, please refer to the SensePost blog:
  http://sensepost.com/blog/6254.html
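As an added example (not SensePost's code and not taken from the blog post above), this Python reads the same cryptoff/cryptsize/cryptid fields that `otool -l iApp | grep crypt` shows directly from the Mach-O load commands, so an analyst can verify whether a binary taken off a device is still encrypted or has had cryptid zeroed; it also derives from the __TEXT segment mapping why the dump range on the slide starts at 0x2000 rather than at cryptoff. The sample binary it builds is constructed with the slide's values, not a real app.

```python
"""Read the LC_ENCRYPTION_INFO load command of a Mach-O app binary.

Added example, not SensePost's code: it parses the same cryptoff/cryptsize/
cryptid fields that `otool -l iApp | grep crypt` prints, so an analyst can
tell whether a binary pulled from a device is still encrypted (cryptid == 1)
or has had cryptid zeroed. Little-endian, thin Mach-O images only.
"""
import struct
from typing import Optional

MH_MAGIC = 0xFEEDFACE             # 32-bit Mach-O (ARMv7-era iPhone apps)
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O
LC_SEGMENT = 0x01                 # segname[16], vmaddr, vmsize, fileoff, filesize, ...
LC_SEGMENT_64 = 0x19              # same layout with 64-bit fields
LC_ENCRYPTION_INFO = 0x21         # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C      # same fields plus a 4-byte pad


def parse_encryption_info(data: bytes) -> Optional[dict]:
    """Walk the load commands; return the encryption info, or None if the
    image carries no LC_ENCRYPTION_INFO command at all."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O image")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has a trailing reserved field
    else:
        raise ValueError(f"unsupported magic {magic:#x} (fat or big-endian image?)")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    offset, segments, enc = header_size, [], None
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError(f"malformed load command at {offset:#x}")
        if cmd == LC_SEGMENT:
            vmaddr, _, fileoff, filesize = struct.unpack_from("<IIII", data, offset + 24)
            segments.append((vmaddr, fileoff, filesize))
        elif cmd == LC_SEGMENT_64:
            vmaddr, _, fileoff, filesize = struct.unpack_from("<QQQQ", data, offset + 24)
            segments.append((vmaddr, fileoff, filesize))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            enc = struct.unpack_from("<III", data, offset + 8)
        offset += cmdsize
    if enc is None:
        return None
    cryptoff, cryptsize, cryptid = enc
    info = {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
            "encrypted": cryptid != 0,
            "file_range": (cryptoff, cryptoff + cryptsize)}   # [start, end) in the file
    # Map the file range to process addresses: the slide dumps 0x2000-0xE8000
    # because __TEXT maps file offset 0 at vmaddr 0x1000, so cryptoff 0x1000
    # lands at 0x2000 in memory and 0x1000 + 0xE6000 = 0xE7000 lands at 0xE8000.
    for vmaddr, fileoff, filesize in segments:
        if fileoff <= cryptoff < fileoff + filesize:
            slide = vmaddr - fileoff
            info["vm_range"] = (cryptoff + slide, cryptoff + cryptsize + slide)
            break
    return info


def build_sample_binary(cryptid: int) -> bytes:
    """Constructed minimal 32-bit ARM Mach-O: one __TEXT segment plus an
    LC_ENCRYPTION_INFO command with the values quoted in the slides
    (cryptoff 0x1000, cryptsize 0xE6000). Sample data, not a real app."""
    cpu_type_arm, mh_execute = 12, 2
    segment = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT",
                          0x1000, 0xE8000, 0, 0xE8000, 5, 5, 0, 0)
    encinfo = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0xE6000, cryptid)
    header = struct.pack("<IIIIIII", MH_MAGIC, cpu_type_arm, 0, mh_execute,
                         2, len(segment) + len(encinfo), 0)
    return header + segment + encinfo


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(parse_encryption_info(fh.read()))
    else:
        print(parse_encryption_info(build_sample_binary(cryptid=1)))
```

Run it with a path to a thin Mach-O binary to inspect a real image; fat (universal) binaries must be split first.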
I have an Android phone... and I love it :-)
Android Architecture
Android Security Model
- Linux kernel
- Linux-like permission model
- Applications run with their own uid:gid (something like a multi-user system)
- Applications may share a uid (must be signed with the same key)
- App permissions are defined in AndroidManifest.xml
- Manually reviewed / accepted by the user on install (Really??? What if I am a runway model?)
- Applications can be self-signed.
AndroidManifest.xml
- One for each app
- Declares the Java package name for the application
- Describes the components of the application - activities, services, broadcast receivers, content providers
- Declares permissions required to access protected parts of APIs
- Declares permissions required by other applications to interact
Activity
- User-focused task
- Almost always interacts with the user
- Displays a button, text box etc.
- Runs within the app's process
- Stack based - new activity is placed at the top
- Activity states: active, paused, stopped, resumed
Intents
- Basically messages between components such as activities, services etc.
- Like passing parameters to API calls, except it's asynchronous
- Run-time binding
- Start an activity with startActivity()
- Similarly sendBroadcast(), startService(Intent) and so on
(figure: Start an Activity)
Broadcast Receiver
- Communication between Apps and System
- Messages sent as Intents
- Dynamic creation through context.registerReceiver()
- Static declaration through the <receiver> tag in AndroidManifest.xml
- Can be exported with an <intent-filter> tag in AndroidManifest.xml
- Access permissions can be enforced by either sender or receiver
- Apps can register to receive intents without special privileges ;-)
Service
- Long running background process
- Can run in its own process, or in the context of another application's process
- Can be started with an intent
- Can be secured by adding a permission check to their <service> tag
- Careful while sending sensitive data
Understanding Android App
- Apps run in the Dalvik Virtual Machine - one DVM for each app
- DVM is register based, not stack based
- DVM ensures application isolation
  - One application cannot access data of another application
  - Hmmm, cannot or SHOULD not
- Unique UID for each application
- Apps written in Java, then compiled to Dalvik byte code
  - No solid code obfuscator for the Android platform
  - Even if there is one, no-one uses it
- Permissions are declared in AndroidManifest.xml
  - Permissions displayed to the user on download - Accept or Reject. TRICKY!!!
  - Everyone sitting in this room may care, what about others???
  - What about installing via adb - cracked apps (adb install malicious.apk)
  - permission.INTERNET - very common but that's all they need :-)
- Easy to publish a malicious app on Android Market
APK File Format
- Application package file for Android
- Variant of the JAR file format
- Contains (unzip AndroidApp.apk):
  - AndroidManifest.xml
  - META-INF directory
  - classes.dex
  - res directory
  - resources.arsc
Decompiling Android Apps
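Once the APK is unpacked to a plain-text AndroidManifest.xml, the exported-component and permission rules from the Broadcast Receiver, Service and permission slides above can be checked mechanically. The following is an added example, not the talk's Manifestor.py: it lists the permissions an app requests and flags every component that other apps can reach (exported explicitly, via an <intent-filter>, or by the pre-API-17 provider default) without an android:permission guard. The manifest it runs on is constructed for the example.

```python
"""Audit a plain-text AndroidManifest.xml for exported components.

Added example, not the talk's Manifestor.py. Rules as on the slides: a
component is exported when android:exported="true" or (activity, service,
receiver) when it declares an <intent-filter>; a provider defaults to
exported when minSdkVersion or targetSdkVersion is 16 or lower. An exported
component with no android:permission can be reached by any installed app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Fetch an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem, min_sdk, target_sdk):
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider":                  # pre-API-17 default: exported
        return min_sdk <= 16 or target_sdk <= 16
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return requested permissions plus exported and unguarded components."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    target_sdk = (int(_attr(uses_sdk, "targetSdkVersion") or min_sdk)
                  if uses_sdk is not None else min_sdk)
    permissions = [_attr(p, "name") for p in root.findall("uses-permission")]
    app = root.find("application")
    exported = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk, target_sdk):
            continue
        name = _attr(elem, "name") or "?"
        if name.startswith("."):                # shorthand relative to the package
            name = package + name
        exported.append({"type": elem.tag, "name": name,
                         "permission": _attr(elem, "permission")})
    return {"package": package, "permissions": permissions, "exported": exported,
            "unguarded": [c for c in exported if c["permission"] is None]}


# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = audit_manifest(text)
    print("package:", report["package"], "| permissions:", ", ".join(report["permissions"]))
    for c in report["exported"]:
        print(f"exported {c['type']:8} {c['name']}  guard={c['permission'] or 'NONE'}")
```

The launcher activity is expected to show up as exported; the unguarded receiver and provider are the findings a reviewer would follow up on.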
Analyzing HTTP Traffic
Bypassing Lock Pattern
Outsmarting SmartPhones
Insecure Data Storage
All your data is Mine
Manifestor.py
Manifestor
Let's Sum It Up
- FACTS:
  - The SmartPhone industry is rapidly growing and will continue to grow
  - Provides a plethora of features & functionalities
  - Apps for anything & everything
  - Developed by inexperienced young developers
- What's Required:
  - Standardization of application development
  - In-built secure APIs within the SDK
  - Need for a strong threat model
  - Domain based testing
Questions?
References
- http://www.juniperresearch.com/shop/products/whitepaper/pdf/MAS10_White%20Paper.pdf
- http://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html
- http://developer.android.com/guide/basics/what-is-android.html
- www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
- https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
- developer.android.com/sdk/
- code.google.com/p/android-apktool/
- https://www.facebook.com/HTC/posts/10150307320018084
