Mobile Application Security Testing
Gursev Kalra
Dec 5, 2009
www.foundstone.com
© 2008, McAfee, Inc.
Agenda
►Introduction
►Browser Based Mobile Applications
►Installable Mobile Applications
►Intercepting Application Traffic
►Various Traffic Interception Schemes
►Mobile Traffic and SSL
►Conclusion
Introduction
►Who am I?
■ Senior Security Consultant – Foundstone Professional Services
■ Web Applications, Networks…
Introduction
►Mobile Applications
■ Tremendous growth in consumer and business mobile applications
■ Many new players
■ Security aspects might get overlooked
Browser Based Mobile Applications
Installable Mobile Applications
Intercepting Application Traffic for Nokia S40 Series Phones
• Set up a custom web proxy and obtain its IP and port
• Edit the configuration WML and change proxy IP and port to the custom web proxy
• Compile WML to a provisioning (WBXML) file
• Transfer the new settings to S40 mobile phone
• Activate custom settings and access the Internet using new settings
Intercepting Application Traffic for Nokia S60 Series Phones
• Set up a custom web proxy and obtain its IP and port
• Create duplicate of existing Access Point settings
• For the copy created, change the proxy IP and port to the custom proxy
• Access Internet using custom proxy settings
Proxy With Public IP Address
• Proxy host: public IP W1.X2.Y3.Z4, running Paros/Fiddler/Burp/Charles as a web proxy on port 8888
• Phone with application: Access Point = service provider default settings; Proxy Server Address = W1.X2.Y3.Z4 (public IP); Port Number = 8888
• The phone reaches the proxy over the Internet; the proxy forwards the traffic on to the Internet
Proxy On WLAN
• Wireless access point: SSID PenTest, IP 192.168.30.100, connected to the Internet
• Proxy host: 192.168.30.102, running Paros/Fiddler/Burp/Charles as a web proxy on port 8888
• Phone with application: 192.168.30.101; WLAN Netw. Name = PenTest; WLAN Mode = WPA2; Proxy Server Address = 192.168.30.102; Port Number = 8888
Proxy With One Phone
• The phone with the application also acts as a modem for the proxy host
• Proxy host: connected to the Internet via the mobile phone modem, public IP W1.X2.Y3.Z4, running Paros/Fiddler/Burp/Charles as a web proxy on port 8888
• Phone with application: Access Point = service provider default settings; Proxy Server Address = W1.X2.Y3.Z4; Port Number = 8888
Proxy With External Internet Connection
• Proxy host: connected to the Internet via a separate USB modem (mobile phone modem), public IP W1.X2.Y3.Z4, running Paros/Fiddler/Burp/Charles as a web proxy on port 8888
• Phone with application: Access Point = service provider default settings; Proxy Server Address = W1.X2.Y3.Z4; Port Number = 8888
Mobile Traffic Interception and SSL
• Export your web proxy’s certificate in DER format
• Copy the certificate file to a web server
• Set the MIME type of the directory to which the certificate is copied to application/x-x509-ca-cert
• Use the mobile web browser to browse to the certificate file
• Import the certificate when prompted
• Delete the untrusted certificate after testing
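Added example, not part of the deck: a small Python file server for steps 2 to 4 above. It serves the exported certificate with the application/x-x509-ca-cert MIME type the slide requires, refuses a PEM export so the phone is never offered the wrong encoding, and prints the SHA-1 fingerprint so the tester can confirm on the phone that the certificate being imported is the test proxy's own and not some other CA. Port 8000, the file names and the accepted extensions are assumptions.

```python
import hashlib
import http.server
import mimetypes
import os
import sys

# S40/S60-era browsers only offer the "import certificate" prompt when the download
# is served with this MIME type, hence the directory MIME setting on the slide.
CA_CERT_MIME = "application/x-x509-ca-cert"
CERT_EXTENSIONS = (".der", ".cer", ".crt")   # assumed export file names

def content_type_for(path: str) -> str:
    """Content-Type to send for a requested path; certificate files get CA_CERT_MIME."""
    if os.path.splitext(path)[1].lower() in CERT_EXTENSIONS:
        return CA_CERT_MIME
    return mimetypes.guess_type(path)[0] or "application/octet-stream"

def is_der_certificate(data: bytes) -> bool:
    """Check the export is DER, not PEM: a single outer ASN.1 SEQUENCE (tag 0x30)
    whose encoded length covers exactly the rest of the file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                 # short-form length byte
        return len(data) == 2 + first
    n = first & 0x7F                 # long form: the next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def fingerprint(data: bytes) -> str:
    """SHA-1 fingerprint in the colon-separated form certificate viewers show;
    compare it with what the phone displays before accepting the import."""
    hexdigest = hashlib.sha1(data).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

class CaCertHandler(http.server.SimpleHTTPRequestHandler):
    """Serves the current directory, labelling certificate files correctly."""
    def guess_type(self, path):
        return content_type_for(path)

if __name__ == "__main__":
    # Usage: python serve_ca_cert.py proxy-ca.der  (then browse to http://<host>:8000/proxy-ca.der)
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    if not is_der_certificate(blob):
        sys.exit(f"{sys.argv[1]} is not DER encoded; re-export the proxy certificate in DER format")
    print("SHA-1 fingerprint to verify on the phone:", fingerprint(blob))
    http.server.ThreadingHTTPServer(("", 8000), CaCertHandler).serve_forever()
```

Stop the server and remove the certificate from both the web directory and the phone once testing is done, as the last step of the slide says.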
Conclusion
►Mobile applications extend traditional network boundaries and introduce new avenues of attack
►They often have access to sensitive business and personal information
►They are constantly challenging and extending their reach
►Security is critical and should be part of SDLC!!
Queries
Thank You
Gursev Kalra
gursev(dot)kalra(at)foundstone(dot)com