virtue security - the art of mobile security 2013

THE ART OF MOBILE SECURITY (ISC)2 NEW YORK METRO APRIL 2013 Elliott Frantz http://www.virtuesecurity.com

Upload: virtue-security

Post on 02-Dec-2014


DESCRIPTION

A short presentation on some of the many issues that play a role in mobile security.

TRANSCRIPT

  • 1. THE ART OF MOBILE SECURITY, (ISC)2 NEW YORK METRO, APRIL 2013. Elliott Frantz, http://www.virtuesecurity.com
  • 2. Agenda
      • Platform security
      • Pentesting mobile applications
      • Identifying attack vectors
      • Current events
      • Changing culture and the future of mobile security
  • 3. Mobile Platform Security
      • Mobile platforms have a large gray area between functionality and security issues.
      • Many platform features create cached artifacts of runtime data.
      • Applications must properly defend against these features to contain sensitive data.
  • 4. iOS Background Screen Cache
      • A screenshot is taken when the user hits the home button (the app enters the background).
      • It can be forensically recovered from the device.
      • App developers must handle the background event (applicationDidEnterBackground:) and hide sensitive data on screen before the snapshot is taken.
  • 5. iOS UITextFields
      • Known as the iOS native keylogger.
      • iOS caches text entered in these fields for autocorrect, and the cache outlives the app.
      • The data can be forensically recovered or easily read on a jailbroken device:
          /private/var/mobile/Library/Keyboard/UserDictionary.sqlite
          /private/var/mobile/Library/Keyboard/dynamic-text.dat
      • Fields that take secrets should disable autocorrection (autocorrectionType = UITextAutocorrectionTypeNo) or use secureTextEntry, whose input is not cached.
  • 6. Android Content Providers
      • Can act as a data store shared by multiple applications, but are often used by a single application.
      • Must properly restrict permissions for other applications; malicious apps may attempt to read from (or write to) your provider.
      • A provider that serves only its own app should declare android:exported="false"; apps targeting API levels below 17 export providers by default.
  • 7. Pentesting Mobile Applications. Objectives:
      • Identify data transmitted (protocols, hosts, ports).
      • MITM the client to attack the application layer.
      • Analyse the business logic and the technologies used.
      • Identify and subvert client-side controls.
      • Static analysis of the application binary.
      • Identify cached data.
  • 8. Mobile Man-in-the-Middle
      • There are many ways to MITM an app; go with the simplest configuration that works (often an HTTP proxy set in the device's network settings).
      • Apps using custom protocols need a network-layer proxy such as Mallory.
      • A variety of frameworks are available to bypass certificate pinning on a jailbroken or rooted device.
  • 9. Application Analysis
      • Compare use of the application to the data transmitted to determine client-side controls.
      • Construct a threat model for the business logic.
      • What are the abuse cases that relate to the business?
  • 10. Defeating Client Side Controls (Android)
      • Android is usually the easiest platform on which to modify code and repackage the APK.
      • Tools such as Virtuous Ten Studio can do this quickly; the rebuilt APK must be re-signed with your own key before it will install.
      • Apps can also be manipulated through Java debugging (DDMS).
  • 11. Defeating Client Side Controls (iOS)
      • The iOS Objective-C runtime can be easily manipulated with cycript/MobileSubstrate.
      • You can jump to arbitrary points in the application, call functions, and replace code.
  • 12. Code Patching
      • Identify simple logic:
      ```
      is_our_phone_jailbroken() {
          if (/* lengthy, convoluted jailbreak detection */)
              return 1;
          else
              return 0;
      }
      ```
      • Only one byte needs to be modified: the constant loaded for the "return 1", or the conditional branch that selects it.
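As an added example (not code from the deck or from Virtue Security), the Python below performs the one-byte patch that slide 12 describes. It assumes a 32-bit ARM binary compiled to Thumb code (little-endian), where the "return 1" branch ends in `movs r0, #1 ; bx lr`; the target blob, its filler, and the offset chosen are constructed for the demo. In a real engagement the offset comes from disassembling the decrypted binary; the point the example adds is the verify-before-write check and the reminder that a blind search-and-replace would also clobber unrelated functions that happen to return 1.

```python
"""Added example: the one-byte patch from slide 12, done with Python.

The "binary" is constructed for this demo. Assumes 32-bit Thumb code
(little-endian), which covers the ARMv7 apps of the deck's era. In practice
the offset of the check's 'return 1' comes from disassembly; the patch
itself is the single byte rewritten here.
"""
from __future__ import annotations

import struct

# 16-bit Thumb encodings used by the stub:
#   movs r0, #imm8 -> 0x2000 | imm8   (r0 carries the return value)
#   bx lr          -> 0x4770          (return to caller)
def movs_r0(imm8: int) -> bytes:
    return struct.pack("<H", 0x2000 | (imm8 & 0xFF))


BX_LR = struct.pack("<H", 0x4770)
RETURN_TRUE = movs_r0(1) + BX_LR    # tail of the "return 1" branch


def build_sample_binary() -> bytes:
    """Constructed stand-in for a decrypted app binary: filler, the jailbreak
    check's 'return 1' tail, more filler, and a second, unrelated 'return 1'
    that a careless search-and-replace would also clobber."""
    filler = bytes(range(0x30, 0x40))
    return filler + RETURN_TRUE + filler + RETURN_TRUE + filler


def find_return_true_stubs(blob: bytes) -> list[int]:
    """Offsets of every 'movs r0,#1 ; bx lr' pair on a halfword boundary.
    Candidates only: the analyst picks the one belonging to the jailbreak
    check from the disassembly."""
    return [i for i in range(0, len(blob) - 3, 2) if blob[i:i + 4] == RETURN_TRUE]


def patch_return_value(blob: bytes, offset: int, value: int) -> bytes:
    """Rewrite the imm8 of the movs at `offset` so the check returns `value`.
    Refuses to patch unless the bytes there are the expected epilogue, so a
    stale offset (different build, wrong slice) cannot corrupt the binary."""
    found = blob[offset:offset + 4]
    if found != RETURN_TRUE:
        raise ValueError(f"unexpected bytes at {offset:#x}: {found.hex()}")
    return blob[:offset] + movs_r0(value) + BX_LR + blob[offset + 4:]


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets that differ between two equal-length blobs (the patch footprint)."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def decode_return_value(blob: bytes, offset: int) -> int:
    """Read back what the tail at `offset` returns: the imm8 of its movs r0."""
    (insn,) = struct.unpack_from("<H", blob, offset)
    if insn & 0xFF00 != 0x2000:
        raise ValueError("not a movs r0, #imm8")
    return insn & 0xFF


if __name__ == "__main__":
    original = build_sample_binary()
    target = find_return_true_stubs(original)[0]   # chosen from disassembly in real life
    patched = patch_return_value(original, target, 0)
    print("candidates:", [hex(o) for o in find_return_true_stubs(original)])
    print("bytes changed:", changed_offsets(original, patched))
    print("check now returns:", decode_return_value(patched, target))
```

The same approach applies whatever the detection logic looks like: once the epilogue of the winning branch is known, one immediate byte (or the branch condition) is all that changes, and the verify step keeps the patch from landing on the wrong build.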
  • 13. Attack Vectors
      • SMS/MMS
      • Baseband / WiFi
      • APNS/GCM (push notifications)
      • Inter-app communication (Intents, URL schemes)
      • Lost/stolen device
      • Technology misconfigurations (OAuth, etc.)
      • Many more
  • 14. Camera EXIF Data
      • GPS coordinates are often embedded in photos taken on the device.
      • Server-side components must scrub EXIF data from uploads; the client should also strip it before sending, since the upload itself already leaks the location.
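As an added example (not from the deck), the Python below does the server-side scrub slide 14 calls for by walking the JPEG segment structure and dropping the APP1 segments that carry Exif (and XMP, which can also hold GPS tags) while copying everything else byte for byte. It uses no image library, so it cannot accidentally re-encode the picture. The sample JPEG, including its tiny TIFF/GPS IFD, is constructed for the demo and is not a decodable image.

```python
"""Added example: scrubbing Exif/XMP metadata (and with it GPS) from a JPEG
upload, as slide 14 calls for. Pure Python on the JPEG segment structure.
The sample JPEG is constructed for the demo and carries a GPS IFD but no
decodable picture."""
import struct

SOI, EOI, SOS, APP0, APP1, DQT = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xDB
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))   # markers with no length field
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"   # XMP can carry exif:GPS* tags too


def iter_segments(data: bytes):
    """Yield (marker, start, end) for every marker segment up to and including
    SOS. After SOS comes entropy-coded scan data with no segment structure;
    the caller copies it through untouched."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:        # optional fill bytes before a marker
            pos += 1
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack_from(">H", data, pos + 2)   # counts its own 2 bytes
        end = pos + 2 + length
        if end > len(data):
            raise ValueError(f"truncated segment {marker:#x} at offset {pos}")
        yield marker, pos, end
        pos = end
        if marker == SOS:
            return


def is_metadata_segment(marker: int, payload: bytes) -> bool:
    return marker == APP1 and (payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER))


def scrub_jpeg(data: bytes) -> bytes:
    """Return `data` with Exif and XMP APP1 segments removed; everything else
    (JFIF, quantisation/Huffman tables, scan data) is copied byte for byte."""
    out = bytearray()
    copied_to = 0
    for marker, start, end in iter_segments(data):
        if is_metadata_segment(marker, data[start + 4:end]):
            out += data[copied_to:start]
            copied_to = end
    out += data[copied_to:]
    return bytes(out)


def metadata_segments(data: bytes) -> list:
    """Names of the metadata segments present, for before/after checks."""
    found = []
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            found.append("Exif")
        elif marker == APP1 and payload.startswith(XMP_HEADER):
            found.append("XMP")
    return found


# --- constructed sample ------------------------------------------------------
def segment(marker: int, payload: bytes) -> bytes:
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_exif_with_gps() -> bytes:
    """Minimal big-endian TIFF: IFD0 with a single GPSInfo pointer (tag 0x8825)
    to a GPS IFD holding GPSLatitudeRef = 'N'. Enough to prove the point."""
    tiff_header = b"MM\x00\x2A" + struct.pack(">I", 8)            # IFD0 at offset 8
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, 26) + struct.pack(">I", 0)
    gps_ifd = struct.pack(">H", 1) + struct.pack(">HHI", 0x0002, 2, 2) + b"N\x00\x00\x00" + struct.pack(">I", 0)
    return EXIF_HEADER + tiff_header + ifd0 + gps_ifd


SCAN_DATA = b"\x12\xFF\x00\x34"     # stand-in entropy-coded data (with a stuffed 0xFF00)
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, build_exif_with_gps())
    + segment(APP1, XMP_HEADER + b"<x:xmpmeta/>")
    + segment(DQT, b"\x00" + bytes(64))
    + segment(SOS, b"\x01\x01\x00\x00\x3F\x00")
    + SCAN_DATA
    + b"\xFF\xD9"
)

if __name__ == "__main__":
    print("before:", metadata_segments(SAMPLE_JPEG))
    clean = scrub_jpeg(SAMPLE_JPEG)
    print("after: ", metadata_segments(clean), "bytes removed:", len(SAMPLE_JPEG) - len(clean))
```

Dropping the whole Exif block also removes the embedded thumbnail and MakerNote, both of which can leak more than the GPS tags; a scrub that edits individual tags inside the IFD is more work and easier to get wrong.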
  • 15. WebViews
      • Introduce web-based vectors (XSS, CSRF, etc.).
      • WebView JavaScript may be invoked by, and take parameters from, native code.
      • Some configurations let JavaScript invoke native code (for example Android's addJavascriptInterface), which gives untrusted page content a bridge into the app.
      • Caching can be an issue (NSURLConnection stores responses on disk).
  • 16. C Memory Management
      • Dangerous functions should still be avoided (strcpy(), strcat(), sprintf(), gets()); strcmp() on an unterminated buffer reads past its end.
      • Memory obtained with malloc()/realloc() must be freed exactly once, and sensitive contents wiped before free().
  • 17. Static Analysis (iOS)
      • App Store IPAs are encrypted; the binary is decrypted by dumping it from memory at runtime on a jailbroken device.
      • Examine the IPA archive and its plist files.
      • The binary can then be examined like any compiled binary (strings, dump the symbol table with class-dump-z, etc.).
  • 18. Static Analysis (Android)
      • Android apps are packaged as APK files (extractable with any zip utility).
      • Inspect the package for build/debug artifacts.
      • Search code for hardcoded strings.
      • It is useful to reconstruct the code as Java (decompile classes.dex).
      • Check for native code under lib/.
      • Examine AndroidManifest.xml (stored as binary XML inside the APK; decode it first).
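As an added example (not code from the deck), the Python below automates the first pass over an APK that slide 18 lists: package listing, debug artifacts, hardcoded strings in the dex and other members, native libraries under lib/, and a look at the manifest, including the exported-provider check from slide 6. The APK is built in memory for the demo, and its manifest is plain text as a demo assumption; a real APK holds binary XML that has to be decoded with aapt or apktool before the manifest regexes below would see anything. The patterns and file names are constructed for the demo.

```python
"""Added example: first-pass static triage of an APK, automating the checks
from slide 18 (and the exported-provider check from slide 6). The APK is
built in memory for the demo; its manifest is plain XML as a demo
assumption, whereas a real APK holds binary XML that must be decoded first."""
import io
import re
import zipfile
from typing import Dict, List

# Patterns a reviewer greps for in dex/so/asset bytes (constructed for the demo).
INTERESTING = [
    ("url", rb"https?://[\x21-\x7e]+"),
    ("credential", rb"(?i)(?:password|secret|api[_-]?key|token)\s*[=:]\s*[\x21-\x7e]+"),
    ("private-key", rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]
DEBUG_ARTIFACT = re.compile(r"(?i)debug|\.keystore$|\.pem$|mapping\.txt$")
SCANNED_SUFFIXES = (".dex", ".so", ".xml", ".json", ".properties", ".txt", ".js", ".html")


def printable_strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Poor man's strings(1): runs of printable ASCII at least min_len long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage_apk(apk: bytes) -> Dict[str, object]:
    """Walk the APK (a zip) and collect what a manual review would look at first."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        report: Dict[str, object] = {
            "has_manifest": "AndroidManifest.xml" in names,
            "debuggable": False,
            "exported_providers": 0,
            "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
            "debug_artifacts": sorted(n for n in names if DEBUG_ARTIFACT.search(n)),
            "findings": [],   # (member, kind, matched text)
        }
        if report["has_manifest"]:
            # Demo assumption: plain-text manifest. Real APKs need aapt/apktool to decode it.
            manifest = z.read("AndroidManifest.xml")
            report["debuggable"] = re.search(rb'android:debuggable\s*=\s*"true"', manifest) is not None
            report["exported_providers"] = len(re.findall(rb'<provider[^>]*android:exported="true"', manifest))
        for name in names:
            if not name.endswith(SCANNED_SUFFIXES):
                continue
            data = z.read(name)
            for kind, pattern in INTERESTING:
                for m in re.finditer(pattern, data):
                    report["findings"].append((name, kind, m.group(0).decode("ascii", "replace")))
        return report


def build_sample_apk() -> bytes:
    """Constructed APK: a debuggable manifest with an exported provider, a fake
    dex holding a hardcoded endpoint and key, a native library, and a leftover
    debug keystore. None of the values are real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml",
                   b'<manifest package="com.example.demo">\n'
                   b'  <application android:debuggable="true">\n'
                   b'    <provider android:name=".DataProvider" android:exported="true"/>\n'
                   b'  </application>\n</manifest>\n')
        z.writestr("classes.dex",
                   b"dex\n035\x00" + bytes(32)
                   + b"https://api.example.test/v1/login\x00" + bytes(8)
                   + b"api_key=DEMO-KEY-NOT-REAL-0001\x00" + bytes(16))
        z.writestr("lib/armeabi-v7a/libcrypto-shim.so", b"\x7fELF" + bytes(60))
        z.writestr("assets/debug.keystore", bytes(24))
        z.writestr("res/raw/notes.txt", b"release build checklist\n")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_apk(build_sample_apk()), indent=2))
```

The string scan is deliberately crude; it is the same thing strings(1) plus grep gives you, and its job is to point the reviewer at the classes worth decompiling, not to replace reading the reconstructed Java.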
  • 19. Personal Devices
      • Consider how data can be leaked.
      • Consider what apps can invoke your application.
      • Consider what apps your application invokes.
  • 20. Hardware Concerns
      • Huawei and ZTE are becoming popular smartphone manufacturers.
      • Hardware is increasingly easy to manufacture.
  • 21. Carrier Concerns
      • Owners of customized Android ROMs must distribute updates themselves (and mostly don't).
      • Millions of users are left with critical vulnerabilities.
  • 22. Where are we? Not everything is terrible!
      • iOS and Android provide ASLR, DEP and application sandboxes built in.
      • ARMv8 introduces 64-bit CPUs.
  • 23. Where are we going?
      • We are more functionality-driven than ever.
      • Threats are more malicious than ever.
      • World population is growing.
      • Developing nations are increasingly technical.
  • 24. Questions?
  • 25. References
      • http://iphonedevwiki.net/index.php/MobileSubstrate
      • http://www.cycript.org/
      • http://code.google.com/p/networkpx/wiki/class_dump_z
      • http://www.virtuous-ten-studio.com/
      • http://developer.android.com/guide/topics/providers/content-provider-basics.html
      • http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf
      • http://intrepidusgroup.com/insight/mallory/
      • https://isecpartners.com/tools/mobile-security
      • http://www.virtuesecurity.com/