mobile application pentest [fast-track]

Just a mobile phone
▪ Phone calls
▪ Sending text messages or MMS
▪ Alarm clock
▪ Calculator
▪ Listening to music
▪ EDGE for surfing the internet!

3G, 4G and WiFi support on the mobile network
Phones became more intelligent: the smartphone
▪ Sending email
▪ Surfing the internet
▪ Checking in for flights
▪ Online banking transactions
▪ Social networks (Facebook, Twitter, Instagram, etc.)

Companies started creating mobile applications to offer services to clients:
▪ Storing and synchronizing data files in the cloud
▪ Participating in social network sites
The data that these apps store, process and transfer can often be considered sensitive.

Mobile App Attack Surface

The attack surface has three parts:
▪ Client software on the mobile device
▪ Communication channel
▪ Server-side infrastructure

Diagram: Mobile phone (client software) -> Internet (communication channel) -> Application server (server-side infrastructure)

Client software
▪ Packages are typically downloaded from the App Store or Google Play, or provided via the company website
▪ Testing requires a rooted or jailbroken device to get access to all files and folders on the local file system
▪ Packages can be decompiled, tampered with or reverse engineered

Attention points (client software):
▪ Files on the local file system
▪ Application authentication and authorization
▪ Error handling and session management
▪ Business logic
▪ Decompiling and analyzing

Communication channel: the channel between the client and the server (HTTPS, EDGE, 3G)
▪ Test with an HTTP proxy (Burp, ZAP) to intercept and alter traffic
▪ If the application does not use HTTP, use a transparent TCP/UDP proxy such as Mallory

Attention points (communication channel):
▪ Sniffing sensitive information
▪ Replay-attack vulnerabilities
▪ Secure transfer of sensitive information

Server-side infrastructure: the attack vectors for the web servers behind a mobile application are similar to those used against regular websites
▪ Perform host and service scans on the target system to identify running services

Attention points (server-side infrastructure):
▪ OWASP Top 10 vulnerabilities (SQLi, XSS, …)
▪ Running services and their versions
▪ Infrastructure vulnerability scanning

Pentest iOS Application

Insecure storage: why applications need to store data
▪ Ease of use for the user
▪ Popularity
▪ Activity with a single click
▪ Decreased transaction time
▪ 9 out of 10 applications have this vulnerability
How an attacker can gain access
▪ WiFi
▪ Default password after jailbreaking (alpine)
▪ Physical theft
▪ Temporary access to the device
▪ Backup files

Insecure storage: local data storage
▪ Plist and XML files
▪ NSUserDefaults
  ▪ A class that provides a programmatic interface for interacting with the defaults system
  ▪ Keeps its information in a plist file
▪ SQLite data files
▪ Core Data services
  ▪ Object model on top of a relational database
  ▪ Managed by SQLite
  ▪ Tables prefixed with "z"
▪ Keychain

Enumerate sensitive information from local files (screenshot)
WordPress iOS app (.plist) stored the username and password (screenshot)

SQL injection in the local database
▪ Most mobile platforms use SQLite as the database for storing information on the device
▪ With any SQLite database browser it is possible to access database logs that contain queries and other sensitive database information
▪ If the application does not filter input, SQL injection against the local database is possible

Example payload (screenshot): a" or "a"="a

Bad code (vulnerable: the uid is formatted straight into the SQL text, so quote characters in it become part of the query):

```objc
NSString *uid = [myHTTPConnection getUID];
NSString *statement = [NSString stringWithFormat:@"SELECT username FROM users WHERE uid = '%@'", uid];
const char *sql = [statement UTF8String];
```

Good code (prepared statement with a bound parameter; the uid is always treated as data, never as SQL):

```objc
#import <sqlite3.h>

const char *sql = "SELECT username FROM users WHERE uid = ?";
sqlite3_stmt *selectUid = NULL;
sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL);
sqlite3_bind_int(selectUid, 1, uid);   // uid as an int; for an NSString use sqlite3_bind_text(selectUid, 1, [uid UTF8String], -1, SQLITE_TRANSIENT)
int status = sqlite3_step(selectUid);
sqlite3_finalize(selectUid);           // release the statement when done
```
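The bad/good pair above in runnable form, as an added example that is not the slide's own code: Python's sqlite3 module wraps the same SQLite C API, so the behaviour is identical. The users table is constructed here, and the payload is the single-quote form of the slide's `a" or "a"="a`, matching the bad code's `'%@'` quoting.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the app's local users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1001", "alice"), ("1002", "bob")])
    return db


def lookup_unsafe(db, uid):
    """Slide's 'Bad Code': uid pasted into the SQL text, so a quote in it
    closes the literal and the rest is parsed as SQL."""
    statement = "SELECT username FROM users WHERE uid = '%s'" % uid
    return sorted(row[0] for row in db.execute(statement))


def lookup_safe(db, uid):
    """Slide's 'Good Code': prepared statement with a bound parameter; the
    whole uid string is compared as data, quotes included."""
    statement = "SELECT username FROM users WHERE uid = ?"
    return sorted(row[0] for row in db.execute(statement, (uid,)))


PAYLOAD = "a' or 'a'='a"   # single-quote form of the slide's payload

if __name__ == "__main__":
    db = build_db()
    print(lookup_unsafe(db, PAYLOAD))  # every username leaks
    print(lookup_safe(db, PAYLOAD))    # no rows
```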

Buffer overflow
When input data is longer than the buffer and is still accepted, it overwrites other data in memory. C, Objective-C and C++ provide no protection against this by default.

Decrypt the application and find hardcoded secrets
▪ Applications from the App Store are encrypted and signed

Decrypt the application and find hardcoded secrets: Clutch
▪ Used for iOS application decryption
▪ Can be run from the command line

Decrypt the application and find hardcoded secrets: runtime analysis with GDB
▪ Use Clutch
▪ View the class-dump-z output
▪ Set a breakpoint
▪ Analyze objc_msgSend
▪ Find the passcode
▪ Evade checks
https://vimeo.com/66617415

Poor or no encryption in transit
▪ Traffic over HTTP
▪ Token passing
▪ Device ID (UDID) sent over a poor channel
▪ Privacy concerns: the UDID can be used to track the user

BurpSuite proxy (screenshot)

Apps communicate with backend web services
▪ OWASP Top 10 auditing
▪ Most communication uses XML: MitM and inject bad XML
▪ UIWebViews (used to embed web content in the app): execute JavaScript (XSS)
▪ Fuzz data sent and received

Client software: found the backend path in Localizable.strings
Server-side infrastructure: access to port 8080 (Apache Tomcat); logged in with the default Tomcat username and password; uploaded malicious JSP code to the web server (bypassing Symantec); gained access to a configuration file containing database credentials; database server owned!

Localizable.strings (screenshot)
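The two local-file findings in this deck (credentials in a .plist, a backend path in Localizable.strings) as a small enumeration script, added here and not part of the original slides: it parses both formats and flags credential- or endpoint-looking keys. The sample files, the key heuristics and all values are constructed for the example.

```python
import plistlib
import re

# Assumed heuristic: key names that usually carry secrets or backend endpoints.
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|ftp|user|url|host)", re.I)


def parse_strings_file(text):
    """Parse Localizable.strings ("key" = "value"; per line; /* */ comments
    are ignored). On-device files are often UTF-16: decode before calling."""
    pattern = r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"\s*;'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text)}


def parse_plist(data):
    """Parse an XML or binary plist (bytes) into Python objects."""
    return plistlib.loads(data)


def find_sensitive(mapping, path=""):
    """Walk a (nested) dict and return [(key_path, value)] for sensitive keys."""
    hits = []
    for key, value in mapping.items():
        key_path = f"{path}/{key}" if path else str(key)
        if isinstance(value, dict):
            hits.extend(find_sensitive(value, key_path))
        elif SENSITIVE_KEY.search(str(key)) and value not in ("", None):
            hits.append((key_path, value))
    return hits


# Constructed samples (not taken from any real app) shaped like the slides' findings.
SAMPLE_PLIST = plistlib.dumps({
    "AppVersion": "1.0",
    "Accounts": {"username": "demo_user", "password": "P@ssw0rd!"},
})
SAMPLE_STRINGS = """/* constructed Localizable.strings */
"welcome_text" = "Welcome";
"backend_url" = "http://backend.example.invalid/api/";
"ftp_password" = "ftp-secret";
"""

if __name__ == "__main__":
    for hit in find_sensitive(parse_plist(SAMPLE_PLIST)):
        print("plist:", hit)
    for hit in find_sensitive(parse_strings_file(SAMPLE_STRINGS)):
        print("strings:", hit)
```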

Logged in with the default Tomcat credentials (screenshot)
Upload of malicious JSP code (screenshot)
Backend compromised (screenshot)
Database compromised (screenshot)

Pentest Android Application

Local data storage flaws (screenshot)
Weak encoding/encryption (screenshot)

Insecure storage: reverse engineering
▪ Use apktool to decode the resources
▪ Rename the .apk file to .zip
▪ Extract the zip file and find classes.dex
▪ Use dex2jar to convert the .dex into a .jar
▪ Open the JAR file in JD-GUI and review the source code
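The unzip-and-find-classes.dex steps above done programmatically, as an added example that is not part of the original slides: an .apk is a plain zip, so the script lists the dex entries and validates the fixed 0x70-byte dex header (magic, declared file_size, header_size) before the file goes to dex2jar. The sample .apk and its minimal dex are constructed in the code, not real compiled output.

```python
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is "dex\n" + 3-digit version + NUL
DEX_HEADER_SIZE = 0x70        # the dex header is always 112 bytes


def list_dex_entries(apk_bytes):
    """An .apk is a zip: return the classes*.dex entry names inside it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("classes") and n.endswith(".dex"))


def check_dex_header(dex):
    """Validate a dex header; returns (ok, version, declared_file_size)."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != DEX_MAGIC_PREFIX:
        return (False, None, None)
    version = dex[4:7].decode("ascii")           # e.g. "035"
    # layout: magic[8], checksum u32, signature[20], file_size u32, header_size u32
    file_size, header_size = struct.unpack_from("<II", dex, 32)
    ok = header_size == DEX_HEADER_SIZE and file_size == len(dex)
    return (ok, version, file_size)


def make_sample_dex(total_size=0x80):
    """Constructed minimal dex: a valid header followed by zero padding."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 32, total_size, DEX_HEADER_SIZE)
    return bytes(hdr) + b"\x00" * (total_size - DEX_HEADER_SIZE)


def make_sample_apk():
    """Constructed .apk with placeholder manifest/resources and one dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("resources.arsc", b"")
        z.writestr("classes.dex", make_sample_dex())
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Unzip, locate every classes*.dex and validate its header."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: check_dex_header(z.read(n)) for n in list_dex_entries(apk_bytes)}
```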

BurpSuite proxy (screenshot)
Insecure logging (screenshot)
Identity decloaking (screenshot)

Apps communicate with backend web services
▪ OWASP Top 10 auditing
▪ Fuzz data sent and received

Client software: found the backend path through reverse engineering; found an FTP username and password
Communication channel: found the mail credentials
Server-side infrastructure: accessed the FTP server and terminal services; logged in with the FTP credentials; backend server pwned! Internal server compromised

Reverse engineering (screenshot)
Logged in with the FTP credentials (screenshot)
100 porn images found! (screenshot)
Burp proxy (screenshot)
Access to mail (screenshot)
Backend compromised (screenshot)

Authors: ZeQ3uL and diF
http://www.exploit-db.com/papers/26620/
Closing diagram labels: local storage, internet, sniff traffic