
Page 1: Mobile Whitepaper v5

Page | 1

ExploitMe Mobile

Defective Mobile Application for your hacking pleasures!

An ExploitMe Series Production

Version 0.93


The ExploitMe Series

This document is for informational purposes only. Security Compass MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Copyright © 2012 Security Compass Inc. All rights reserved.


ExploitMe Mobile (EMM) is a Security Compass open source project demonstrating common mobile application vulnerabilities in the iOS and Android platforms. ExploitMe Mobile is a training platform built around the common mobile application security pitfalls. The entire source of the project can be found on GitHub - github.com/SecurityCompass

The objectives of the ExploitMe Mobile training platform are:

- Capture the common security related mobile application development pitfalls within a mobile application for the iOS and Android platforms.
- Build in intentionally vulnerable client and server side code to illustrate the business level impact of technical mobile application vulnerabilities.
- Develop a learning platform that can educate developers on secure coding practices.
- Create an openly available platform that encourages community collaboration.

All the vulnerabilities featured in the ExploitMe Mobile training platform are inspired by the results of mobile application security assessments performed by Security Compass consultants across various industry verticals.

The iPhone and Android versions of ExploitMe Mobile feature the top 80% of all Medium, High and Critical risk mobile application vulnerabilities in the following broad categories:

- Parameter manipulation
- Protocol encryption
- Password lock screens
- File system access permissions
- Insecure storage of files
- Insecure logging

TECHNICAL DETAILS

The ExploitMe Mobile training platform is built on a client-server model. The server component is shared between the iOS and Android clients and can be used by both simultaneously. The diagram below outlines the architecture of the ExploitMe Mobile platform.

EMM LAB SERVER

The ExploitMe Mobile Lab Server component is the heart of the platform. The server contains the backend business logic that the mobile client applications are designed to communicate with. In order to maintain simplicity, the Lab Server component is designed as a simple HTTP REST server that returns JSON arrays. The Lab Server is built using the Python Flask micro-framework and is easily extensible to add functionality to the application. For further details on the Lab Server component, please visit Security Compass's GitHub page - https://github.com/SecurityCompass

[Architecture diagram: Lab Server, with the EMM Android Client and the EMM iOS Client both connecting to it]


EMM ANDROID & IOS CLIENTS

ExploitMe Mobile is primarily a Mobile Banking application designed in native code for the iOS and Android platforms. The functionality of the application is identical across both platforms. The client application communicates with the Lab Server component to authenticate, retrieve data, perform transactions etc. All the ExploitMe Mobile hands-on labs are designed to hack the client applications and train developers to code securely on both platforms.

EXPLOITME MOBILE LABS

ExploitMe Mobile features hands-on lab exercises to guide users to hunt for vulnerabilities within the application. In order to set your environment up to execute the labs, please refer to the following documentation pages hosted on GitHub:

iOS Labs Setup - http://securitycompass.github.com/iPhoneLabs/setup.html

Android Labs Setup - http://securitycompass.github.com/AndroidLabs/setup.html

IOS LAB 1 - SECURE CONNECTIONS

In the first lab, we will use a proxy server such as Charles to proxy the ExploitMe Mobile client-server communication channel. This guide assumes you have configured your environment by following the steps outlined in the above links.

1. Launch the lab server:

    python app.py

2. Launch the application in the simulator.

3. Launch your favorite proxy and ensure that Mac OS X is set up to use the proxy server. The iPhone simulator obeys the OS X settings for a proxy. You can configure it in Preferences -> Network & Sharing -> Proxies.

4. Ensure that your proxy is correctly accepting network traffic and then run the iPhone ExploitMe Mobile lab in the simulator. Once the simulator is running, log in using the standard login and password jdoe/password for the user, or, if you've already logged in before, enter the local password you configured on first run.


5. It is clear that the application is using clear-text at this point and that HTTP traffic can be trapped and modified. This is often the first step to attacking any mobile application and if you've made it this far, you now are able to fully act as a man in the middle against any iPhone application.

6. In the following screenshot, we can see that EMM sends user credentials upon first entry to the application in clear-text. The username and password are clearly shown.

7. You can achieve the same effect by using Wireshark. Since both the simulator and the server are running on the same machine, we need to monitor the loopback interface (lo0) to view communication between your computer and itself.

IOS LAB 1 SECURE CONNECTIONS - SOLUTION

1. We want to encrypt the communication between the client and server so that it can't be man-in-the-middled so easily. Since we are using HTTP for communication, all we have to do is change the protocol to HTTPS and thus enable SSL/TLS.

2. We re-launch the server in SSL mode and run it on port 8443:

    python app.py --ssl --port 8443

3. In the iPhone simulator, under Settings -> Base we change the URL to https://localhost:8443:

4. Now, we can see in Wireshark that the communication is encrypted:


5. We can still use Charles (or another proxy) to intercept SSL traffic as long as we accept the Charles SSL certificate in the iOS simulator. More information on how to do that here.

6. When using a proxy that intercepts SSL, we can see the decrypted traffic:

7. Above, Charles can decrypt the SSL-encrypted traffic for us since we accepted the Charles certificate as valid in the simulator.

ANDROID LAB 1

The Android APK that we'll use for most labs is the base.apk.

This is a simple lab, but it demonstrates a key point that sometimes is forgotten, which is that mobile device traffic can still be sniffed. The Android emulator has a built-in setting to capture network traffic which makes it much easier for us to sniff data from Android applications.

1. To run, we perform:

    emulator.exe -avd emu -tcpdump test.cap

2. Now, we have to run the Lab Server:

    python app.py

3. Now, launch the Lab APK file and install it to the emulator through any IDE of your choice; in our case, we'll use Eclipse.

4. Upon first launch, the lab will ask for a username and password to your banking account. This, like in a real application, could either be done securely (encrypted) or insecurely.


5. The first lab is about network encryption, so clearly we'll have to look at the network TCP dump to see how the application is performing authentication.

6. Let's analyze how the application performed the login procedure. Open up the cap file in Wireshark. Find the HTTP stream where the application logs in within the packet history. You'll see it highlighted by HTTP and green.

ANDROID LAB 1 - SOLUTION

We want to enable HTTPS so that the connection can't be snooped. We do this by first running the server in SSL mode:

    python app.py --ssl --port 8443

Then, we enable HTTPS in the preferences of the client application:


LAB 2 PARAMETER MANIPULATION

The parameter manipulation lab is contained within the bank transfer section.

The purpose of this lab is to demonstrate that many common iPhone applications still rely on traditional web architectures or REST interfaces in the back end to perform their tasks. Often, if you're able to trap the request, you can make the application or server act in ways it may not have felt possible.

1. First, enter the bank money transfer screen within the ExploitMe Mobile application.

2. There are a number of accounts preconfigured in EMM's default Lab Server configuration. We've logged in before using the jdoe account. The two usernames we have preconfigured and their bank account numbers are:

    jdoe / password
        o Debit: 123456789
        o Credit: 987654321
    bsmith / password
        o Debit: 111111111
        o Credit: 22222222

3. In this lab, we'll try to transfer money between accounts on the server by intercepting the EMM app request. Again, this traditionally isn't any different from web exploits, but most apps work in the same manner so it'll be good to see how it works in the mobile app space.


4. Fill in the transfer screen and ensure your proxy is trapping the request.

LAB 2 - SOLUTION

The solution here is the same as it would be in a regular web app: we have to perform some validation on the server.

    # validate that both accounts belong to the logged-in user:
    if to_account.user != session.user or from_account.user != session.user:
        return error("E6")

    # validate that the amount is positive
    if total_cents < 0:
        return error("E5")
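A minimal transfer handler, added here as an example (it is not the Lab Server's own code), showing the handler that trusts the trapped request beside one that applies the validation above. The Account class, sample_accounts(), the error() helper, the transfer_* names and the E7 code for insufficient funds are assumptions; E5, E6, the account numbers and their owners come from the lab.

```python
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    user: str
    balance_cents: int


def sample_accounts():
    # Constructed sample data; account numbers and owners are the lab's defaults.
    return {
        "123456789": Account("123456789", "jdoe", 100_000),
        "987654321": Account("987654321", "jdoe", 50_000),
        "111111111": Account("111111111", "bsmith", 100_000),
        "22222222": Account("22222222", "bsmith", 50_000),
    }


def error(code):
    # Assumed response shape for the lab's error(...) helper.
    return {"error": code}


def transfer_vulnerable(accounts, from_no, to_no, total_cents, session_user):
    # Trusts every request parameter and ignores session_user: an edited request
    # can move money out of another user's account, or send a negative amount.
    src, dst = accounts[from_no], accounts[to_no]
    src.balance_cents -= total_cents
    dst.balance_cents += total_cents
    return {"ok": True}


def transfer_fixed(accounts, from_no, to_no, total_cents, session_user):
    src, dst = accounts.get(from_no), accounts.get(to_no)
    # Unknown accounts get the same answer as accounts the user does not own.
    if src is None or dst is None:
        return error("E6")
    # Lab check 1: both accounts must belong to the authenticated session user.
    if src.user != session_user or dst.user != session_user:
        return error("E6")
    # Lab check 2: the amount must be positive (zero is rejected here too).
    if total_cents <= 0:
        return error("E5")
    # Extra check with assumed code E7: do not overdraw the source account.
    if src.balance_cents < total_cents:
        return error("E7")
    src.balance_cents -= total_cents
    dst.balance_cents += total_cents
    return {"ok": True}
```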

OTHER LABS

In addition to the above labs, ExploitMe Mobile features more hands-on exercises to walk through the various mobile application security vulnerabilities designed into the application. Please refer to the following GitHub pages for detailed documentation on all the iOS and Android labs.

iOS Labs - http://securitycompass.github.com/iPhoneLabs/index.html

Android Labs - http://securitycompass.github.com/AndroidLabs/index.html

More on the mobile security course is available from http://labs.securitycompass.com/mobile/new-mobile-security-course-and-exploitme-mobile/

OTHER RESOURCES

Security Compass's Blog - http://labs.securitycompass.com

Security Compass's Mobile Case Study - http://securitycompass.com/company/case-studies.html#!/mobile-security-assessment

Security Compass's Mobile Assessment - http://securitycompass.com/services/mobile-security-assessment.html


What can we do for you?

We understand application security and strive to provide you with the best consulting & training experience for you and your organization.

Our consultants are helping our clients manage real world security risks. Our experience in managing these same risks enables us to deliver training material with the latest threats and vulnerabilities seen in every day engagements.

What does that mean? It means that we are here to help you and your staff to respond with forward thinking concepts to securing your business.

Here to help.

Reach out to Security Compass' advisors who can help by emailing us at [email protected].