1
© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG
International, a Swiss cooperative. All rights reserved. Printed in Thailand.
Cyber Defense Initiative Conference
CDIC 2016-TIME TO TRUST
Don't Trust, And Verify - Mobile Application Attacks
Mr. Prathan Phongthiproek
Management Consulting
KPMG Phoomchai Business Advisory Ltd.
2
Speaker Profile
Prathan Phongthiproek
Manager, Information Protection and Business Resilience (IPBR)
T: +662 677 2000
E: prathan@kpmg.co.th
Background
Prathan is a Manager, Cybersecurity services, for KPMG Thailand. He has more than 9 years of experience leading cybersecurity services, including security analysis and review and penetration testing.
Professional and industry experience
• Led the project team responsible for conducting security assessment services for over 50 clients, including host and network assessment, external/internal network penetration testing, web and mobile application penetration testing, and ATM/kiosk security assessment including physical hacking.
• In charge of penetration testing of retail Point-of-Sale payment systems (POS, IPT, OPT, EPS, STC) for PCI DSS v3.0 compliance at a major petrochemical company in Malaysia.
• Performed source code review (static and dynamic code analysis) to identify potential security risks and coding best-practice gaps for major banks.
• Conducted mobile application penetration testing of over 40 Android and iOS applications for a major telecommunication company.
• Performed digital forensics and investigation for a major financial company.
• Carried out regulatory compliance reviews and security configuration reviews, providing in-depth risk and security analysis of system, database, and infrastructure components.
• Analyzed the results of security testing and assisted stakeholders in identifying viable remediation for each vulnerability identified.
• Provided in-depth security training and remediation guidance to clients.
• Created curricula and conducted training courses in network, web and mobile application security, and secure coding for major banks.
• His industry experience includes financial services, major banks, insurance institutes, telecommunications, health care providers, automotive, trading companies, military sectors, energy companies and power plants, oil and gas, resorts, ISPs and government agencies.
3
Agenda
- Overview
- Mobile Application Attack Vector
- Attack Narrative
- Countermeasure
- Reference
4
Overview
Mobile Marketing Statistics compilation
Source: http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
[Charts: Ownership of smartphone vs desktop; Mobile media time: app vs mobile site usage]
5
Overview
Mobile/Tablet Operating System Market Share
NetMarketShare.com: Mobile/Tablet OS Market Share – October 2016
Android and iOS lead the market
6
Mobile Application Attack Vector
User Input
• SQLite Injection
• JavaScript Injection (XSS)
• Local File Inclusion
• WebView File Access Attack
IPC and Application Components
• Android Components Permission and Vulnerability through:
o Activities
o Content Providers
o Broadcast Receivers
o Services
• Protocol Handlers Attack
• Pasteboard/Clipboard
• Application Backgrounding
• Application Logs
• Mobile App Framework Vulnerability
Data Storage
• Plist/XML files
• SharedPreferences files
• Database/NoSQL files
• Keychain
• Temp files
• Cache files
• SD Card storage
• Unrestricted Backup file
• Poor Key Management
Backend Service
• Excessive ports opened
• Security Misconfiguration
• Control of Interaction Frequency
• Weak Authentication
• Business Logic flaws
• Info. leakage through API response message
• Web Application Vulnerability
Communication Channel
• Insecure Transport Layer Protocols (HTTP)
• Insecure and Deprecated algorithms
• Disabling Certificate Validation
• Lack of SSL pinning
• Lack of End-to-end Encryption
• Sensitive data over network
• Exposing Device Specific Identifiers
Binary File
• Reverse Engineering the App code
• Patching Binary
• Hard-coded credentials and Information Leakage through binary
• Debuggable mode
• Runtime Manipulation and Instrumenting
• Lack of Root/Jail-broken device checking
7
User Input
Android Application
• SQLite Injection
Rating legend for the Damage and Threat gauges shown on each attack slide: Damage level is the estimated level of financial and reputational loss; Threat level is the estimated level of activity and occurrence.
8
User Input
iOS Application
• SQLite Injection
9
User Input
Android Application
• WebView File Access
file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml
10
User Input
iOS Application
• JavaScript Injection (XSS)
<script>alert('Hello World');</script>
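A hardened Android WebView configuration that closes both user-input vectors on slides 9 and 10: file:// reads of the app's own shared_prefs and script injection into rendered content. This is an added example, not code from the talk or from the DIVA app; the class name and ALLOWED_HOST are assumptions.

```java
import android.net.Uri;
import android.text.Html;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Added example: a WebView locked down against local file access and XSS. */
public final class HardenedWebView {

    // Assumption: the single https origin this WebView is allowed to render.
    private static final String ALLOWED_HOST = "app.example.com";

    private HardenedWebView() {}

    /**
     * Accepts only https URLs on ALLOWED_HOST. file:, javascript:, content:
     * and any foreign https host are refused before they reach loadUrl().
     */
    public static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }

    /** Apply once, before the first load. */
    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();

        // Slide 9: a file:///data/data/<package>/shared_prefs/... URL must not be readable.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        // Deprecated since API 30 and false by default since API 16; set explicitly for older targets.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Slide 10: with script disabled an injected <script> tag is inert text.
        // If the page genuinely needs JavaScript, keep it on but never expose an
        // addJavascriptInterface() bridge to content that carries user input.
        settings.setJavaScriptEnabled(false);

        // Refuse navigation to anything but the expected origin (API 24+ overload).
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowedUrl(request.getUrl().toString());
            }
        });
    }

    /** Loads url only if it passes the allow-list; returns false when refused. */
    public static boolean loadIfAllowed(WebView webView, String url) {
        if (!isAllowedUrl(url)) return false;
        webView.loadUrl(url);
        return true;
    }

    /**
     * Renders user-supplied text inside app HTML with the text HTML-escaped, so input
     * such as <script>alert('Hello World');</script> is displayed rather than executed.
     */
    public static void showUserText(WebView webView, String userText) {
        String html = "<html><body><p>" + Html.escapeHtml(userText) + "</p></body></html>";
        // A null base URL gives the document an opaque origin with no access to app files.
        webView.loadDataWithBaseURL(null, html, "text/html", "UTF-8", null);
    }
}
```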
11
Inter-Process Communication (IPC) and Application Components
Android Application
• Abusing Android Activity Component for bypassing client-side authentication (PIN).
12
Inter-Process Communication (IPC) and Application Components
Android Application
• Case Study: CVE-2015-1835: Remote exploit of secondary configuration variables in Apache Cordova on Android
13
Inter-Process Communication (IPC) and Application Components
Android Application
• Abusing Android Content Provider for obtaining sensitive information from application database.
[Diagram: sensitive information exposed through the .DBContentProvider]
Creating a malicious app to attack the sieve application: https://github.com/tanprathan/sievePWN/blob/master/sieveleak
Using Drozer to attack the Android components
14
Inter-Process Communication (IPC) and Application Components
Android Application
• Abusing Android Content Provider for obtaining sensitive information from application database using SQL Injection technique.
Creating a malicious app to attack the sieve application using SQLi: https://github.com/tanprathan/sievePWN/tree/master/sievesqli
Using Drozer to attack the Android components using SQLi
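The hardened counterpart to the content-provider SQL injection on slides 13 and 14 (and the SQLite injection on slides 7 and 8): a provider whose query() routes the caller-controlled selection through SQLiteQueryBuilder with a column allow-list, bound arguments and strict mode instead of string concatenation. This is an added example, not code from sieve or from the talk; the table, column and class names are assumptions, and the provider is expected to stay `android:exported="false"` in the manifest unless another app genuinely needs it.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: a read-only ContentProvider over a local SQLite table that a
 * caller cannot turn into an injection point. Assumed schema: table "Key" with
 * _id, service, username and password. The password column is deliberately
 * absent from the projection map, so it can never be selected via this interface.
 */
public class HardenedKeysProvider extends ContentProvider {

    static final String TABLE = "Key";  // assumed table name

    // Allow-list of columns a caller may request; anything else is rejected.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("service", "service");
        PROJECTION_MAP.put("username", "username");
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "keys.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE
                        + " (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
        };
        return true;
    }

    /**
     * Vulnerable pattern, kept only for contrast and never called: the caller's
     * selection is spliced straight into SQL, so a crafted selection rewrites the query.
     */
    Cursor queryUnsafe(String selection) {
        return helper.getReadableDatabase()
                .rawQuery("SELECT * FROM " + TABLE + " WHERE " + selection, null);
    }

    /** Hardened query: columns are allow-listed, values are bound, the selection is validated. */
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);  // a column outside the map throws IllegalArgumentException
        qb.setStrict(true);                   // rejects selections that escape the WHERE clause (API 14+)
        // Literal values arrive in selectionArgs and are bound as parameters, never concatenated.
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs,
                null, null, sortOrder);
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.key"; }

    // Read-only interface: the write operations are intentionally unsupported.
    @Override public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```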
15
Inter-Process Communication (IPC) and Application Components
iOS Application
• Attacking Protocol Handlers (URL Scheme) - Sea Surf
Identifying the URL scheme in the plist file, using Hopper to reverse-engineer the handler, then creating a script for the attack.
dvia://highaltitudehacks.com/call_number/?phone=1234567890
16
Inter-Process Communication (IPC) and Application Components
Android Application
• Side-Channel Data Leakage through Android Clipboard
Using Drozer to perform clipboard monitoring
iOS Application
• Side-Channel Data Leakage through iOS generalPasteboard
Using idb to perform pasteboard monitoring
17
Inter-Process Communication (IPC) and Application Components
Android Application
• Information Leakage through Application Log
iOS Application
• Information Leakage through Application Log
The application writes the entered password to the log when the user enters it.
Case Study: HTTPS requests and responses were logged to the application log, which let malware obtain sensitive information.
18
Data Storage
Android Application
• Insecure Data Storage leading to a client-side authentication flaw
iOS Application
• Insecure Data Storage leading to a client-side authentication flaw
19
Data Storage
Android Application
• Manipulating local storage file
iOS Application
• Manipulating local storage file
20
Data Storage
Android Application
• The default value of the Android backup flag is "True"
iOS Application
• Extracting application storage from an iTunes backup using "iPhone Backup Extractor"
21
Binary File
Android Application
• Patching binary using apktool
iOS Application
• Patching binary using dumpdecrypted and Hopper
22
Binary File
Android Application
• Identifying hard-coded keys using reverse engineering techniques
iOS Application
• Identifying hard-coded keys using reverse engineering techniques
Hard-coded key stored in the resource/xml folder
Hard-coded key stored in the application source code
Hard-coded key used for accessing the application's encrypted database found in a JS file
23
Binary File
Android Application
• Bypassing root detection using RootCloak Plus
iOS Application
• Bypassing jailbreak detection using Snoop-it and tsProtector
24
Binary File
Android Application
• Instrumenting Android Applications with Frida using brute-force technique
25
Binary File
iOS Application
• Runtime manipulation using Method Swizzling
26
Communication Channel
Android and iOS
• Sniffing HTTPS traffic by installing the proxy's CA certificate on the device.
• Bypassing SSL issuer and domain validation (Creating a Custom CA Certificate: https://portswigger.net/burp/help/proxy_options.html)
• Bypassing SSL Pinning
27
Communication Channel
Android and iOS
• End-to-End Encryption (Application Layer Encryption)
• Exposing Device Specific Identifiers
28
Backend Service
Android and iOS
• Information Exposure through WSDL default service help page
• Information Exposure through API response message
29
Backend Service
Android and iOS
• Injection (SQL, Command, XXE)
• Improper Control of Interaction Frequency
30
Backend Service
Android and iOS
• Business Logic Flaw #1
• Business Logic Flaw #2
31
Communication Channel
Case Study: Breaking Business Logic Flaws and Bypassing End-to-End Encryption
Android and iOS
• The binary was decrypted in order to obtain its classes and methods using class-dump.
• The encryption and decryption classes were located.
• The encryption/decryption classes were intercepted by hooking them with custom Cycript scripts.
• The HTTPS requests and responses were obtained.
• Custom scripts were created to replace the XML request/response in order to break business logic flaws (e.g. authentication, authorization, indirect object reference).
32
Countermeasure
OWASP Mobile Top 10 Controls
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls
33
Countermeasure
Mobile Application Coding Guidelines
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Secure_Mobile_Development
34
Reference
• http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
• https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=1
• http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html
• https://labs.mwrinfosecurity.com/system/assets/380/original/sieve.apk
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://github.com/payatu/diva-android
• https://github.com/prateek147/DVIA
• https://github.com/tanprathan/sievePWN
• https://portswigger.net/burp/proxy.html
© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability
company and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (‘KPMG
International’), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of
KPMG International Cooperative (KPMG International).
“This documentation is made by KPMG Phoomchai Business Advisory Ltd.,
(KPMG), a Thai limited liability company and member firm of the KPMG
network of independent firms affiliated with KPMG International, a Swiss
cooperative, and is in all respects subject to the negotiation, agreement, and
signing of a specific engagement letter or contract. KPMG International provides
no client services. No member firm has any authority to obligate or bind KPMG
International or any other member firm vis-à-vis third parties, nor does KPMG
International have any such authority to obligate or bind any member firm.
This document contains confidential or proprietary KPMG information. It is not
to be disclosed, quoted or referred to, in whole or in part, without our prior
written consent. The restriction pertains to all data and information throughout
the entire document.

More Related Content

Don't Trust, And Verify - Mobile Application Attacks

  • 1. 1 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Cyber Defense Initiative Conference CDIC 2016-TIME TO TRUST Don't Trust, And Verify - Mobile Application Attacks M r . P r a t h an P h o n gt h ip roek M a n ageme n t C o n su ltin g K P M G P h o om ch ai B u s in ess A d v isory L t d .
  • 2. 2 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Prathan Phongthiproek Manager, Information Protection and Business Resilience (IPBR) T: +662 677 2000 E: prathan@kpmg.co.th Background Prathan is a Manager, Cybersecurity services for KPMG Thailand. He has more than 9 years of experience in leading Cybersecurity services including Security Analysis and Review, and Penetration testing. Professional and industry experience • Led the project team responsible for conducted security assessment services over 50 clients. This include Host & Network assessment, External/Internal network penetration testing, Web and Mobile application penetration testing, ATM /Kiosks security assessment including physical hacking. • In charge of the penetration testing on Retail Point-of-Sale Payment Systems (POS, IPT, OPT, EPS, STC) in order to comply with PCI DSS v3.0 for a major petrochemical company in Malaysia. • Performed source code review (Static and Dynamic code analysis) in order to analyze and identify potential risk in term of security and coding best practices for major banks. • Conducted Mobile application penetration testing over 40 applications both Android and iOS for a major telecommunication company. • Performed Digital Forensic and Investigate for a major financial company. • Carried out the regulatory authority compliance reviews/security configuration review, which provides in-depth risk and security analysis system, database, and infrastructure components. • Analyzing the results of the security testing and assisting stakeholders by identifying viable remediation solutions for any vulnerability identified. • Provided In-Depth security trainings and guidance of remediation to clients. 
• Created curriculum and conducted training courses in network, web and mobile application security, and Secure Coding for major banks. • His industry experience includes Financial, Major Banks, Insurance Institute, Telecommunications, Health Care Provider, Automotive, Trading Companies, Military Sectors, Energy Companies and Power plants, Oil & Gas, Resort, ISP and Government agencies. SpeakerProfile
  • 3. 3 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Agenda - Overview - Mobile Application Attack Vector - Attack Narrative - Countermeasure - Reference
  • 4. 4 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Overview Mobile Marketing Statistics compilation Source: http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/ Ownership of smartphone vs Desktop Mobile media time - App vs Mobile site usage
  • 5. 5 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Mobile/Tablet Operating System Market Share NetMarketShare.com: Mobile/Tablet OS Market Share – October 2016 Android and iOS lead the market Overview
  • 6. 6 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. IPC and Application Components User Input Data Storage Backend Service Comm. Channel Binary File • SQLite Injection • JavaScript Injection (XSS) • Local File Inclusion • WebView File Access Attack • Android Components Permission and Vulnerability through: o Activities o Content Providers o Broadcast Receivers o Services • Protocol Handlers Attack • Pasteboard/Clipboard • Application Backgrounding • Application Logs • Mobile App Framework Vulnerability • Plist/XML files • Sharepreference files • Database/NoSQL files • Keychain • Temp files • Cache files • SD Card storage • Unrestricted Backup file • Poor Key Management • Excessive port opened • Security Misconfiguration • Control of Interaction Frequency • Weak Authentication • Business Logic flaws • Info. leakage through API Response message • Web Application Vulnerability • Insecure Transport Layer Protocols (HTTP) • Insecure and Deprecated algorithms • Disabling Certificate Validation • Lack of SSL pinning • Lack of End-to-end Encryption • Sensitive data over network • Exposing Device Specific Identifiers • Reverse Engineering the App code • Patching Binary • Hard-coded credentials and Information Leakage through binary • Debuggable mode • Runtime Manipulation and Instrumenting • Lack of Root/Jail-broken device checking Mobile Application Attack Vector
  • 7. 7 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. User Input Android Application • SQLite Injection Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat
  • 8. 8 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. iOS Application • SQLite Injection Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat User Input
  • 9. 9 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Android Application • WebView File Access file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat User Input
  • 10. 10 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. User Input iOS Application • JavaScript Injection (XSS) Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat <script>alert('Hello World');</script>
  • 11. 11 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Inter-Process Communication (IPC) and Application Components Android Application • Abusing Android Activity Component for bypassing Client-side authentication (PIN). Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat
  • 12. 12 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Android Application • Case Study: CVE-2015-1835: Remote exploit of secondary configuration variables in Apache Cordova on Android Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat Inter-Process Communication (IPC) and Application Components
  • 13. 13 © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Android Application • Abusing Android Content Provider for obtaining sensitive information from application database. Damage level: Estimated level of financial & reputational loss. Threat level: Estimated level of activity and occurrence. Damage Threat Sensitive Information .DBContentProvider Creating Malicious App to attack the sieve application https://github.com/tanprathan/sievePWN/blob/master/sieveleak Using Drozer to attack the android components Inter-Process Communication (IPC) and Application Components
  • 14. IPC and Application Components (Android Application): Abusing an Android Content Provider to obtain sensitive information from the application database using SQL injection. Demonstrated by creating a malicious app to attack the Sieve application with SQLi (https://github.com/tanprathan/sievePWN/tree/master/sievesqli) and by using Drozer to attack the Android components with SQLi.
  • 15. IPC and Application Components (iOS Application): Attacking protocol handlers (URL schemes), "Sea Surf" (i.e. CSRF). Steps: identify the URL scheme in the plist file, use Hopper to reverse-engineer the handler, create a script for the attack. Example URL from the slide: dvia://highaltitudehacks.com/call_number/?phone=1234567890
  • 16. IPC and Application Components: Side-channel data leakage through the Android clipboard (using Drozer to perform clipboard monitoring) and through the iOS generalPasteboard (using idb to perform pasteboard monitoring).
  • 17. IPC and Application Components: Information leakage through the application log (Android and iOS). The application writes the entered password to the log when the user enters it. Case study: HTTPS requests and responses were written to the application log, which let malware obtain sensitive information.
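As an added example (not part of the deck), this is the kind of check a reviewer runs over captured log output to find the leaks described on slides 16 and 17, plus the redaction a developer applies before a line reaches the log. The logcat lines below are constructed for this example; the regexes are assumptions about the common key=value, JSON and header formats, not a complete list:

```python
import re

# Constructed sample: logcat-style lines of the kind a tester reads with `adb logcat`
# (made up for this example, not captured from any real application).
SAMPLE_LOGCAT = """\
D/LoginActivity( 1234): onCreate
D/LoginActivity( 1234): user entered pin=4921
I/OkHttp  ( 1234): --> POST https://api.example.test/v1/login
I/OkHttp  ( 1234): {"username":"alice","password":"Sup3rSecret!"}
I/OkHttp  ( 1234): <-- 200 OK https://api.example.test/v1/login
I/OkHttp  ( 1234): Set-Cookie: session=9f2c0e7a1b; Path=/; HttpOnly
I/OkHttp  ( 1234): {"token":"eyJhbGciOiJIUzI1NiJ9.e30.abc","balance":1200}
D/LoginActivity( 1234): login ok
"""

# Each rule: (reason, compiled regex). Case-insensitive; values are matched loosely
# because applications log them in key=value, JSON and header styles (assumed formats).
RULES = [
    ("credential in key/value or JSON",
     re.compile(r'(?:password|passwd|pwd|pin)\s*["\']?\s*[:=]\s*["\']?\S+', re.I)),
    ("session cookie / bearer token",
     re.compile(r'(set-cookie:|authorization:\s*bearer\s+|"token"\s*:)', re.I)),
    ("full HTTP request/response logged",
     re.compile(r'(-->\s*(GET|POST|PUT|DELETE)\s+https?://|<--\s*\d{3}\s)', re.I)),
]


def find_sensitive_log_entries(logcat_text):
    """Return [(line_number, reason, line)] for lines that leak secrets or HTTP traffic."""
    findings = []
    for n, line in enumerate(logcat_text.splitlines(), start=1):
        for reason, pattern in RULES:
            if pattern.search(line):
                findings.append((n, reason, line))
                break  # one finding per line is enough for a review listing
    return findings


# key (with optional quote and separator) followed by the value to be masked
_VALUE = re.compile(
    r'((?:password|passwd|pwd|pin|token)["\']?\s*[:=]\s*["\']?)([^"\'&,\s]+)', re.I)


def redact(line):
    """Mitigation side: mask credential values before a line is handed to the logger."""
    return _VALUE.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    for n, reason, line in find_sensitive_log_entries(SAMPLE_LOGCAT):
        print(f"line {n}: {reason}: {redact(line)}")
```

Running the block prints six findings for the constructed input (the PIN, the request line, the JSON body with the password, the response line, the cookie and the token). Redaction is a second line of defence; the primary fix is not logging request and response bodies in release builds at all.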
  • 18. Data Storage (Android and iOS): Insecure data storage leading to a client-side authentication flaw.
  • 19. Data Storage (Android and iOS): Manipulating the local storage file.
  • 20. Data Storage: Android: the default value of the Android backup flag is "True". iOS: extracting application storage from an iTunes backup using "iPhone Backup Extractor".
  • 21. Binary File: Android: patching the binary using apktool. iOS: patching the binary using dumpdecrypted and Hopper.
  • 22. Binary File (Android and iOS): Identifying hard-coded keys using reverse-engineering techniques. Findings: a hard-coded key stored in the resource/xml folder; a hard-coded key stored in the application source code; a hard-coded key used to access the application's encrypted database found in a JS file.
  • 23. Binary File: Android: bypassing root detection using RootCloak Plus. iOS: bypassing jailbreak detection using Snoop-it and tsProtector.
  • 24. Binary File (Android Application): Instrumenting Android applications with Frida using a brute-force technique.
  • 25. Binary File (iOS Application): Runtime manipulation using method swizzling.
  • 26. Communication Channel (Android and iOS): Sniffing HTTPS traffic by installing the proxy's CA certificate on the device. Bypassing SSL issuer and domain validation (creating a custom CA certificate: https://portswigger.net/burp/help/proxy_options.html). Bypassing SSL pinning.
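An added hardening configuration (not from the deck; hostnames and pin values are placeholders) that addresses the two Android defaults these slides rely on: android:allowBackup defaults to true (slide 20), and without a pinning policy any CA the device trusts, including a proxy's CA installed for testing, can terminate the app's TLS sessions (slide 26). The manifest fragment turns off backups and attaches a Network Security Config (Android 7.0+, API 24) that pins the backend's public keys:

```xml
<!-- AndroidManifest.xml (fragment): android:allowBackup defaults to true, so an
     explicit "false" is needed to keep app data out of `adb backup` archives;
     android:networkSecurityConfig points at the pinning policy below. -->
<application
    android:allowBackup="false"
    android:networkSecurityConfig="@xml/network_security_config">
    ...
</application>

<!-- res/xml/network_security_config.xml: pin the backend's certificate chain.
     The hostname and both pin values are placeholders for this example. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-01-01">
            <!-- SHA-256 of the SubjectPublicKeyInfo of the leaf or an intermediate CA -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
            <!-- backup pin so a key rotation does not lock users out -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Apps targeting API 24 or later also stop trusting user-installed CAs by default, so the proxy CA from slide 26 is rejected even before the pin check; the second pin is the rotation backup that keeps the app working when the primary key changes. Neither control stops a tester with root or jailbreak plus Frida or method swizzling (slides 23 to 25), which is why the server side must never rely on the client having enforced them.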
  • 27. Communication Channel (Android and iOS): End-to-end encryption (application-layer encryption). Exposing device-specific identifiers.
  • 28. Backend Service (Android and iOS): Information exposure through the WSDL default service help page. Information exposure through API response messages.
  • 29. Backend Service (Android and iOS): Injection (SQL, command, XXE). Improper control of interaction frequency.
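An added example, not code from the deck or from the Sieve project, covering two findings on this slide together with the client-side ones earlier: lookup_unsafe has the same shape as a Content Provider selection built from caller-supplied text (slides 13 and 14), lookup_safe is its parameterised fix, and PinVerifier moves the PIN decision to the backend and throttles it per account, which is the control missing when the PIN check lives in the client (slides 11 and 18) and when interaction frequency is uncontrolled (slide 29). The table layout, usernames, PIN and limits are constructed assumptions:

```python
import hashlib
import hmac
import os
import sqlite3
import time

ATTEMPT_LIMIT = 5       # failed attempts allowed per account inside WINDOW_SECONDS (assumed policy)
WINDOW_SECONDS = 300


def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def build_db():
    """Constructed in-memory user table; 'alice' has PIN 1234 stored salted and hashed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pin_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, _hash_pin("1234", salt)))
    db.commit()
    return db


def lookup_unsafe(db, username):
    # Vulnerable pattern, kept here as the "before": the caller's text is spliced into
    # the WHERE clause, exactly like a ContentProvider selection built by concatenation.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in db.execute(sql)]


def lookup_safe(db, username):
    # Parameterised: the value is bound by the driver and never parsed as SQL.
    return [r[0] for r in db.execute("SELECT username FROM users WHERE username = ?", (username,))]


class PinVerifier:
    """Server-side PIN check with a per-account sliding window of failures."""

    def __init__(self, db, clock=time.monotonic):
        self.db = db
        self.clock = clock          # injectable so the window can be tested deterministically
        self._failures = {}         # username -> timestamps of recent failures

    def _recent_failures(self, username):
        now = self.clock()
        kept = [t for t in self._failures.get(username, []) if now - t < WINDOW_SECONDS]
        self._failures[username] = kept
        return kept

    def verify(self, username, pin):
        """Return 'ok', 'denied' or 'locked'. The decision is made here, never in the client."""
        if len(self._recent_failures(username)) >= ATTEMPT_LIMIT:
            return "locked"
        row = self.db.execute(
            "SELECT salt, pin_hash FROM users WHERE username = ?", (username,)).fetchone()
        # Always run the hash so timing does not reveal whether the username exists.
        salt, stored = row if row else (os.urandom(16), b"\x00" * 32)
        matched = hmac.compare_digest(_hash_pin(pin, salt), stored) and row is not None
        if matched:
            self._failures.pop(username, None)
            return "ok"
        self._failures.setdefault(username, []).append(self.clock())
        return "denied"


if __name__ == "__main__":
    db = build_db()
    print("unsafe lookup with injected text:", lookup_unsafe(db, "x' OR '1'='1"))
    print("safe lookup with the same text:  ", lookup_safe(db, "x' OR '1'='1"))
    v = PinVerifier(db)
    print([v.verify("alice", "0000") for _ in range(ATTEMPT_LIMIT + 1)])
```

Run stand-alone, the unsafe lookup returns every user for the injected string while the safe one returns nothing, and the sixth wrong PIN reports "locked" rather than "denied". The lockout state lives in memory here; a real backend keeps it in shared storage so that retries cannot be spread across instances.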
  • 30. Backend Service (Android and iOS): Business logic flaw #1. Business logic flaw #2.
  • 31. Communication Channel (Android and iOS). Case study: breaking business logic flaws and bypassing end-to-end encryption. The binary was decrypted to obtain its classes/methods using class-dump; the encryption and decryption classes were located; those classes were intercepted by hooking them with custom Cycript scripts (cy#); the HTTPS request/response were obtained; custom scripts were then created to replace the XML request/response in order to break business logic flaws (e.g. authentication, authorization, indirect object reference).
  • 32. Countermeasure: OWASP Mobile Top 10 Controls, https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls
  • 33. Countermeasure: Mobile Application Coding Guidelines, https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Secure_Mobile_Development
  • 34. References:
    • http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
    • https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=1
    • http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html
    • https://labs.mwrinfosecurity.com/system/assets/380/original/sieve.apk
    • http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
    • https://github.com/payatu/diva-android
    • https://github.com/prateek147/DVIA
    • https://github.com/tanprathan/sievePWN
    • https://portswigger.net/burp/proxy.html
  • 35. © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International Cooperative (KPMG International). “This documentation is made by KPMG Phoomchai Business Advisory Ltd., (KPMG), a Thai limited liability company and member firm of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative, and is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. This document contains confidential or proprietary KPMG information. It is not to be disclosed, quoted or referred to, in whole or in part, without our prior written consent. The restriction pertains to all data and information throughout the entire document.