ºÝºÝߣ

ºÝºÝߣShare a Scribd company logo

Auditing Mobile Apps

?
?
J
jselvi

The document discusses auditing mobile applications. It covers dividing auditing efforts between client-side and server-side testing. On the client side, it discusses approaches like jailbreaking or rooting phones to gain more access. It also covers techniques like man-in-the-middle attacks by manipulating DNS or SSL certificates. The document recommends standard tools for assessing the server-side but also analyzing the mobile app binaries like dex files on Android and iOS formats. It highlights privacy issues found in WhatsApp and potential hijacking risks if traffic is not encrypted.

1 of 91
*[ AUDITING MOBILE APPLICATIONS ] Author: Jose Selvi Date: 30/Jun/2011
$ WHOIS JSELVI Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com jselvi@pentester.es http://www.s21sec.com http://www.pentester.es
INDEX Apps Revolution Divide & Conquer (D&C) Mobile Networking Server Side Client Side What¡¯s Up with WhatsApp
APPS REVOLUTION P¨¢g. 5
¡°OLD SCHOOL¡± APPS
¡°OLD SCHOOL¡± APPS
WEBSITE FEVER
WEBSITE FEVER
WEBSITE FEVER
MOBILE FEVER
MOBILE FEVER
MOBILE FEVER
MOBILE FEVER
MOBILE FEVER
APPLICATIONS EVOLUTION 2010
DIVIDE & CONQUER (D&C) AND MORE P¨¢g. 5
MOBILE LAB
MOBILE LAB CLIENT
MOBILE LAB SERVER CLIENT
MOBILE LAB SERVER CLIENT
MOBILE LAB NETWORK CLIENT SERVER Phone full control Some ways We CAN¡¯T change the server SW full control We¡¯re able to control the We CAN¡¯T have a network look to the We¡¯re able to software change config and software Sometimes hard and expensive Black Box Testing
JAILBREAK / ROOTING Sometimes emulator r00lz! ? Android Emulator (SDK) ? iOS Simulator (SDK) But sometimes not... We don¡¯t have full built-in control Maybe we should... ? iOS Jailbreak ? Android Rooting
MOBILE NETWORKING P¨¢g. 5
MULTI-CHANNEL!
MOBILE LAB
MAN-IN-THE-MIDDLE msf auxiliary(fakedns) > [*] DNS bypass domain api.facebook.com resolved 66.220.146.36 [*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30 [*] DNS bypass domain m.facebook.com resolved 66.220.158.26
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS ?whois www.google.com? IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ?whois www.google.com? 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ?whois www.google.com? 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 www.google.com = 74.125.39.104 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 www.google.com = 74.125.39.104 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS www.google.com = 74.125.39.104 IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS ?whois api.facebook.com? IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ?whois api.facebook.com? 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 api.facebook.com = 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS api.facebook.com = 20.20.20.20 IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 PROXY 20.20.20.20 DNS SERVER
REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY
REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY
REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 CERT 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
PKI: Public Key Infraestructure SERVER PUB PRIV CA PUB PRIV CLIENT PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PUB PRIV INFO CERT CLIENT PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV DIGEST INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV SIGNED DIGEST INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST SIGNED DIGEST PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST SIGNED DIGEST PUB PUB PUB PUB CA1
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 SIGNED DIGEST
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 DIGEST¡¯
PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 DIGEST¡¯
Real Certificate Sample
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 CERT 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8 FAKE CA
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
IMPORT CERTIFICATES iPhone / iPad ? Export from proxy (Burp, ...) o built (openssl, ...). ? iPhone Configuration Utility Android ? Only VPN certs, not Web. ? Hard... ? Still Working...
BINGO!
SERVER SIDE P¨¢g. 5
AS USUAL... Browser Nessus Qualys SQLMap Metasploit Backtrack ... Of course, your brain!
CLIENT SIDE P¨¢g. 5
iOS BINARY FORMAT
iOS BINARY FORMAT
iOS BINARY FORMAT
iOS BINARY FORMAT
iOS BINARY FORMAT
ANDROID BINARY FORMAT
ANDROID BINARY FORMAT App.java
ANDROID BINARY FORMAT App.java App.class
ANDROID BINARY FORMAT App.java App.class App.dex
ANDROID BINARY FORMAT App.java App.class App.dex
ANDROID BINARY FORMAT App.java App.class App.dex
PUT ALL TOGETHER!
Man-in-the- CRACKING VERIFYCERT certificados como v¨¢lidos), algo que evidentemente no podr¨¢ hacer un atacante que no tuviera previo control de la m¨¢quina pero que nos situa en la posici¨®n de un intruso que haya comprometido previamente el NOC de Good. En esta ocasi¨®n, dado que no se ha conseguido vulnerar los certificados SSL, NO bastar¨ªa con el compromiso de algunos de los routers internmedios, como SI ocurr¨ªa en el caso anterior. www.s21sec.c
WHAT¡¯S UP WITH WHATSAPP? P¨¢g. 5
WHAT¡¯S UP WITH WHATSAPP? P¨¢g. 5
KNOWN WHATSAPP ISSUES Unencrypted Traffic ? But using 443 tcp port... Storing ALL conversation FOREVER Storing GPS position! ? WTF!! ? Why??!! Much more... Great research from SecurityByDefault guys!
WHATSAPP HIJACKING
ALERT! SPAM! SEC-560: Network Penetration Testing and Ethical Hacking
THANKS! QUESTIONS? Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com jselvi@pentester.es http://www.s21sec.com http://www.pentester.es
*[ THANKS! SEE YOU! ] P¨¢g. 7

More Related Content

Auditing Mobile Apps

  • 1. *[ AUDITING MOBILE APPLICATIONS ] Author: Jose Selvi Date: 30/Jun/2011
  • 2. $ WHOIS JSELVI Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com jselvi@pentester.es http://www.s21sec.com http://www.pentester.es
  • 3. INDEX Apps Revolution Divide & Conquer (D&C) Mobile Networking Server Side Client Side What¡¯s Up with WhatsApp
  • 4. APPS REVOLUTION P¨¢g. 5
  • 16. DIVIDE & CONQUER (D&C) AND MORE P¨¢g. 5
  • 18. MOBILE LAB CLIENT
  • 19. MOBILE LAB SERVER CLIENT
  • 20. MOBILE LAB SERVER CLIENT
  • 21. MOBILE LAB NETWORK CLIENT SERVER Phone full control Some ways We CAN¡¯T change the server SW full control We¡¯re able to control the We CAN¡¯T have a network look to the We¡¯re able to software change config and software Sometimes hard and expensive Black Box Testing
  • 22. JAILBREAK / ROOTING Sometimes emulator r00lz! ? Android Emulator (SDK) ? iOS Simulator (SDK) But sometimes not... We don¡¯t have full built-in control Maybe we should... ? iOS Jailbreak ? Android Rooting
  • 23. MOBILE NETWORKING P¨¢g. 5
  • 26. MAN-IN-THE-MIDDLE msf auxiliary(fakedns) > [*] DNS bypass domain api.facebook.com resolved 66.220.146.36 [*] DNS bypass domain iphone.facebook.com resolved 66.220.153.30 [*] DNS bypass domain m.facebook.com resolved 66.220.158.26
  • 27. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 28. ¡°FAKE¡± DNS ?whois www.google.com? IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 29. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ?whois www.google.com? 20.20.20.20 DNS SERVER
  • 30. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ?whois www.google.com? 20.20.20.20 DNS SERVER
  • 31. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 www.google.com = 74.125.39.104 20.20.20.20 DNS SERVER
  • 32. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 www.google.com = 74.125.39.104 20.20.20.20 DNS SERVER
  • 33. ¡°FAKE¡± DNS www.google.com = 74.125.39.104 IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 34. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 35. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 36. ¡°FAKE¡± DNS ?whois api.facebook.com? IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 37. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 ?whois api.facebook.com? 20.20.20.20 DNS SERVER
  • 38. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 api.facebook.com = 20.20.20.20 20.20.20.20 DNS SERVER
  • 39. ¡°FAKE¡± DNS api.facebook.com = 20.20.20.20 IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 40. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 20.20.20.20 DNS SERVER
  • 41. ¡°FAKE¡± DNS IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 GW: 20.20.20.1 DNS: 20.20.20.20 PROXY 20.20.20.20 DNS SERVER
  • 42. REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY
  • 43. REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY
  • 44. REDIRECT TRICK IP: 20.20.20.10 10.10.10.10 MASK: 255.255.255.0 20.20.20.20 GW: 20.20.20.20 DNS: 8.8.8.8 PROXY
  • 45. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
  • 46. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 CERT 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
  • 47. PKI: Public Key Infraestructure SERVER PUB PRIV CA PUB PRIV CLIENT PUB PUB PUB PUB CA1
  • 48. PKI: Public Key Infraestructure SERVER CA PUB PRIV PUB PRIV INFO CERT CLIENT PUB PUB PUB PUB CA1
  • 49. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB CA1
  • 50. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB CA1
  • 51. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1
  • 52. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV DIGEST INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1
  • 53. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV SIGNED DIGEST INFO CERT PUB CLIENT DIGEST PUB PUB PUB PUB CA1
  • 54. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST SIGNED DIGEST PUB PUB PUB PUB CA1
  • 55. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT DIGEST SIGNED DIGEST PUB PUB PUB PUB CA1
  • 56. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 SIGNED DIGEST
  • 57. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 DIGEST¡¯
  • 58. PKI: Public Key Infraestructure SERVER CA PUB PRIV PRIV INFO CERT PUB CLIENT PUB PUB PUB PUB DIGEST CA1 DIGEST¡¯
  • 60. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
  • 61. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 CERT 10.10.10.10 GW: 20.20.20.20 DNS: 8.8.8.8
  • 62. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8 FAKE CA
  • 63. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
  • 64. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
  • 65. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
  • 66. SSL/HTTPS PROXY IP: 20.20.20.10 MASK: 255.255.255.0 FAKE CERT 10.10.10.10 CERT GW: 20.20.20.20 DNS: 8.8.8.8
  • 67. IMPORT CERTIFICATES iPhone / iPad ? Export from proxy (Burp, ...) o built (openssl, ...). ? iPhone Configuration Utility Android ? Only VPN certs, not Web. ? Hard... ? Still Working...
  • 69. SERVER SIDE P¨¢g. 5
  • 70. AS USUAL... Browser Nessus Qualys SQLMap Metasploit Backtrack ... Of course, your brain!
  • 71. CLIENT SIDE P¨¢g. 5
  • 80. ANDROID BINARY FORMAT App.java App.class App.dex
  • 81. ANDROID BINARY FORMAT App.java App.class App.dex
  • 82. ANDROID BINARY FORMAT App.java App.class App.dex
  • 84. Man-in-the- CRACKING VERIFYCERT certificados como v¨¢lidos), algo que evidentemente no podr¨¢ hacer un atacante que no tuviera previo control de la m¨¢quina pero que nos situa en la posici¨®n de un intruso que haya comprometido previamente el NOC de Good. En esta ocasi¨®n, dado que no se ha conseguido vulnerar los certificados SSL, NO bastar¨ªa con el compromiso de algunos de los routers internmedios, como SI ocurr¨ªa en el caso anterior. www.s21sec.c
  • 85. WHAT¡¯S UP WITH WHATSAPP? P¨¢g. 5
  • 86. WHAT¡¯S UP WITH WHATSAPP? P¨¢g. 5
  • 87. KNOWN WHATSAPP ISSUES Unencrypted Traffic ? But using 443 tcp port... Storing ALL conversation FOREVER Storing GPS position! ? WTF!! ? Why??!! Much more... Great research from SecurityByDefault guys!
  • 89. ALERT! SPAM! SEC-560: Network Penetration Testing and Ethical Hacking
  • 90. THANKS! QUESTIONS? Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com jselvi@pentester.es http://www.s21sec.com http://www.pentester.es
  • 91. *[ THANKS! SEE YOU! ] P¨¢g. 7