Is My App Secure?

Post on 22-Jan-2018


Neo: Is my App Secure?

Herman Duarte @hdontwit Cláudio André @clviper


Agenda

●  Who
●  Objectives
●  Approach
●  Building blocks
●  Analysis Statistics
●  How we did it
●  Interesting findings
●  Q&A

Who

Herman Duarte @hdontwit

Cláudio André @clviper

-  We work @ Integrity S.A.
-  Awesome co-workers and awesome workplace.
-  We identify security issues for our clients to help them lower their security risks.

Objectives

-  Evaluate iOS and Android apps from a security point of view.
-  Automate pentest tasks for both Android and iOS.
-  Share results.
-  Have fun :)

Approach

+50 Apps

-  Client
-  Network
-  Server

Vulns by Owasp Risk

Android Vulns by Owasp Risk

iOS Vulns by Owasp Risk

Insecure Data Storage

Transport Layer Security – Android vs iOS

Certificate Pinning

iOS Background Screenshot

Android Obfuscation

Android Obfuscated Apps By Category

iOS Binary Protection

All apps analyzed have the following security features enabled in the binary:

●  PIE (Position Independent Executable, aka ASLR)
●  ARC (Automatic Reference Counting)
●  SSPRO (Stack Smashing Protection)
●  Encrypted binary

iStat & Droidstat

-  iOS and Android Security Analyser Tools
-  Command line.
-  Way to mass analyse ipas and apks.
-  Search and download apps (Android only)
-  Bulk decryption of apps (iOS only)
-  Bulk install, uninstall and backup of apps
-  Easy way to extend heuristics checks (Android only, for now)

iStat: https://youtu.be/bOtosGya_G4

Droidstat – Intro Video: https://youtu.be/zPKUj8rb_ok

Droidstat – Checks Config File

Droidstat – Example Findings Video: https://youtu.be/uWJZa0vgbQ4

Interesting Findings

Invoice Registration App (Android)

-  Under 100.000 installs.
-  The credentials used for this service are also used on multiple Portuguese Government Public Services websites.


Invoice Registration App (Android)

Recommendations:

-  Use proper TLS implementations that correctly validate TLS certificates.
-  Use strong cryptographic algorithms to store sensitive information.

Invoice Registration App – Dev Response

“As for the problems, although I think that both are difficult to replicate in a real case, I recognize that the app can be improved, taking this into account we will release an update until the weekend to solve the problems.” June 9

“The update of this weekend corrects the problems mentioned. Thanks again for the analysis.” June 22

Shopping App (Android & iOS)

-  Between 1M and 5M installs
-  More than 10M users.


Shopping App (Android & iOS)

Recommendations:

-  Correctly override TLS implementations, or use the framework’s default one, which correctly validates certificate chains.

Mr. Smith: So, you’re asking me if your app is secure?

M2 - Insecure Data Storage

●  In iOS some applications still use property list files (.plist) or NSUserDefaults (files created in the app Documents folder) to store sensitive information, instead of the keychain.

●  In Android some applications store sensitive information in shared preferences files and SQLite databases without any type of encryption.

M3 - Insufficient Transport Layer Protection

●  The OS’s framework already does the hard work in TLS, so what we have seen is that the majority of TLS is correctly implemented; nonetheless, when developers override the default implementation, most of the time bad things happen.

●  We have seen that certificate pinning is used more in Android than in iOS applications.
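As an added example, not code from the talk or from iStat/Droidstat, here is a small heuristic check in Python in the spirit of the Droidstat "checks" mentioned earlier. It runs over decompiled app source and flags the two finding classes from the M2 and M3 slides: custom TrustManager/HostnameVerifier overrides that disable certificate validation, and sensitive values written to SharedPreferences or NSUserDefaults instead of the keychain/keystore. The file names, regexes and sample sources are assumptions constructed for the example.

```python
"""Heuristic source scanner for M2 (insecure storage) and M3 (broken TLS
overrides) patterns. Added example; not part of iStat or Droidstat."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str       # OWASP Mobile Top 10 category the rule maps to (M2 / M3)
    name: str        # short rule name
    line_no: int     # 1-based line where the match starts
    evidence: str    # that source line, stripped


SENSITIVE = r"(?:password|passwd|token|secret|credential)"

# (category, name, pattern). Patterns run with re.S so a brace body may span lines.
RULES = [
    # A checkServerTrusted/checkClientTrusted body that does nothing accepts any chain.
    ("M3", "empty X509TrustManager check (accepts any certificate chain)",
     r"check(?:Server|Client)Trusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}"),
    # A HostnameVerifier that always answers true disables hostname matching.
    ("M3", "HostnameVerifier.verify() always returns true",
     r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
    ("M3", "deprecated ALLOW_ALL_HOSTNAME_VERIFIER",
     r"ALLOW_ALL_HOSTNAME_VERIFIER"),
    # Plaintext SharedPreferences / NSUserDefaults writes keyed by a sensitive name.
    ("M2", "sensitive value written to SharedPreferences",
     r"\.putString\s*\(\s*\"[^\"]*" + SENSITIVE + r"[^\"]*\""),
    ("M2", "sensitive value written to NSUserDefaults",
     r"(?:NSUserDefaults|UserDefaults)[^\n]*forKey:\s*@?\"[^\"]*" + SENSITIVE + r"[^\"]*\""),
]
COMPILED = [(cat, name, re.compile(pat, re.S | re.I)) for cat, name, pat in RULES]


def scan(filename: str, source: str) -> list[Finding]:
    """Run every rule over one decompiled source file; results sorted by line."""
    lines = source.splitlines()
    findings = []
    for cat, name, rx in COMPILED:
        for m in rx.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(cat, name, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: f.line_no)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per OWASP category, e.g. {'M3': 3, 'M2': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


# Constructed sample sources (hypothetical apps, not from the talk).
INSECURE_ANDROID = '''
public class ApiClient {
    // constructed sample: trusts every server certificate and every hostname
    private static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    void remember(SharedPreferences prefs, String user, String pwd) {
        prefs.edit().putString("user", user).putString("password", pwd).apply();
    }
}
'''

INSECURE_IOS = '''
// constructed sample (Swift): session token kept in NSUserDefaults
func cacheSession(token: String) {
    UserDefaults.standard.set(token, forKey: "sessionToken")
}
'''

CLEAN_ANDROID = '''
public class ApiClient {
    // constructed sample: platform default trust store and hostname verifier, no secret in prefs
    HttpsURLConnection open(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
    void remember(SharedPreferences prefs, String user) {
        prefs.edit().putString("user", user).apply();
    }
}
'''

if __name__ == "__main__":
    samples = [("ApiClient.java", INSECURE_ANDROID), ("Session.swift", INSECURE_IOS),
               ("ApiClientFixed.java", CLEAN_ANDROID)]
    for fname, src in samples:
        for f in scan(fname, src):
            print(f"{fname}:{f.line_no} [{f.check}] {f.name}: {f.evidence}")
```

The rules are deliberately simple text heuristics: they will miss an override that validates badly without being empty, and they will flag an `EncryptedSharedPreferences` write the same as a plaintext one, so a hit is a prompt to read the surrounding code rather than a verdict.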

M4 - Unintended Data Leakage

●  In iOS the background screenshot information leakage happens most of the time because it is a side effect of the OS behaviour that most developers are not aware of.

M10 - Lack of Binary Protections

●  Regarding obfuscation, we have seen in Android that not many apps are obfuscated, although the SDK comes with tools to do this out of the box.

●  In iOS, because of the default configuration of Xcode, binary security features (e.g. PIE, ARC, SSPRO) are applied in all of the apps analyzed.
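As an added example, not the talk's or iStat's code, here is a minimal Mach-O inspector in Python for the four binary properties listed on the iOS Binary Protection slide and summarized in the M10 bullet above (PIE, ARC, SSPRO, encrypted binary). It assumes a thin little-endian 64-bit Mach-O, reads the PIE flag from the header and the cryptid from LC_ENCRYPTION_INFO_64, and infers ARC and stack protection from runtime symbol names in the file bytes, the way quick checkers do, rather than parsing the symbol table. The "binary" it checks is constructed in build_sample() and is not a real app.

```python
"""Check an iOS Mach-O for PIE, ARC, SSPRO and encryption.
Added example; constants are the public Mach-O values, the sample file is fake."""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O header magic
MH_PIE = 0x00200000               # header flag: position-independent executable (ASLR)
LC_ENCRYPTION_INFO_64 = 0x2C      # load command; cryptid != 0 means the binary is encrypted
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)


def check_macho(data: bytes) -> dict:
    """Return {feature: bool} for the four properties on the slide."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O (fat/32-bit files not handled)")
    encrypted = False
    off = HEADER_SIZE
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad load command size")
        if cmd == LC_ENCRYPTION_INFO_64:
            # encryption_info_command_64: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
            *_, cryptid, _pad = struct.unpack_from("<6I", data, off)
            encrypted = cryptid != 0
        off += cmdsize
    return {
        "PIE": bool(flags & MH_PIE),
        # Heuristic: ARC-compiled code imports the objc runtime retain/release helpers.
        "ARC": b"_objc_release" in data,
        # Heuristic: -fstack-protector code references the stack canary symbols.
        "SSPRO": b"___stack_chk_guard" in data or b"___stack_chk_fail" in data,
        "Encrypted": encrypted,
    }


def missing_protections(data: bytes) -> list:
    """Names of the slide's four features that are NOT present, in slide order."""
    return [name for name, present in check_macho(data).items() if not present]


def build_sample(pie=True, encrypted=True, arc=True, sspro=True) -> bytes:
    """Construct a fake thin arm64 Mach-O: header, LC_UUID, LC_ENCRYPTION_INFO_64,
    and a string-table-like tail carrying the symbol names the heuristics look for."""
    CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64
    MH_EXECUTE = 2
    LC_UUID = 0x1B
    cmds = struct.pack("<2I16s", LC_UUID, 24, b"\x11" * 16)   # unrelated command, must be skipped
    cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1 if encrypted else 0, 0)
    flags = MH_PIE if pie else 0
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2, len(cmds), flags, 0)
    strtab = b"\x00_main\x00"
    if arc:
        strtab += b"_objc_release\x00_objc_retain\x00"
    if sspro:
        strtab += b"___stack_chk_guard\x00___stack_chk_fail\x00"
    return header + cmds + strtab


if __name__ == "__main__":
    for label, blob in [("default Xcode build", build_sample()),
                        ("weakened build", build_sample(pie=False, encrypted=False, sspro=False))]:
        print(label, check_macho(blob), "missing:", missing_protections(blob))
```

App Store binaries are usually fat (FAT_MAGIC 0xCAFEBABE) and must be split per architecture first, and the symbol-name heuristics can be fooled by stripped or obfuscated binaries; the cryptid check is also why the "bulk decryption of apps" step on the iStat slide has to happen before any deeper static analysis of an App Store IPA.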

Q&A