Don't Trust, And Verify - Mobile Application Attacks
- 1. 1
© 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG
International, a Swiss cooperative. All rights reserved. Printed in Thailand.
Cyber Defense Initiative Conference
CDIC 2016-TIME TO TRUST
Don't Trust, And Verify - Mobile Application
Attacks
Mr. Prathan Phongthiproek
Management Consulting
KPMG Phoomchai Business Advisory Ltd.
- 2. 2
Prathan Phongthiproek
Manager, Information Protection and Business Resilience (IPBR)
T: +662 677 2000
E: prathan@kpmg.co.th
Background
Prathan is a Manager, Cybersecurity services, for KPMG Thailand. He has more than 9 years of experience in leading cybersecurity services,
including security analysis and review, and penetration testing.
Professional and industry experience
• Led the project team responsible for conducting security assessment services for over 50 clients. This includes host & network
assessment, external/internal network penetration testing, web and mobile application penetration testing, and ATM/kiosk security
assessment including physical hacking.
• In charge of penetration testing on Retail Point-of-Sale Payment Systems (POS, IPT, OPT, EPS, STC) in order to comply with PCI
DSS v3.0 for a major petrochemical company in Malaysia.
• Performed source code review (static and dynamic code analysis) in order to analyze and identify potential risks in terms of security
and coding best practices for major banks.
• Conducted mobile application penetration testing on over 40 applications, both Android and iOS, for a major telecommunications
company.
• Performed digital forensics and investigation for a major financial company.
• Carried out regulatory authority compliance reviews/security configuration reviews, which provide in-depth risk and security
analysis of system, database, and infrastructure components.
• Analyzed the results of security testing and assisted stakeholders by identifying viable remediation solutions for every
vulnerability identified.
• Provided in-depth security training and remediation guidance to clients.
• Created curricula and conducted training courses in network, web and mobile application security, and secure coding for major
banks.
• His industry experience includes financial services, major banks, insurance institutes, telecommunications, health care providers, automotive,
trading companies, military sectors, energy companies and power plants, oil & gas, resorts, ISPs and government agencies.
Speaker Profile
- 3. 3
Agenda
- Overview
- Mobile Application Attack Vector
- Attack Narrative
- Countermeasure
- Reference
- 4. 4
Overview
Mobile Marketing Statistics compilation
Source: http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
[Charts: ownership of smartphone vs desktop; mobile media time, app vs mobile site usage]
- 5. 5
Mobile/Tablet Operating System Market Share
NetMarketShare.com: Mobile/Tablet OS Market Share – October 2016
Android and iOS lead the market
Overview
- 6. 6
Mobile Application Attack Vector
User Input
• SQLite Injection
• JavaScript Injection (XSS)
• Local File Inclusion
• WebView File Access Attack
IPC and Application Components
• Android Components Permission and Vulnerability through:
o Activities
o Content Providers
o Broadcast Receivers
o Services
• Protocol Handlers Attack
• Pasteboard/Clipboard
• Application Backgrounding
• Application Logs
• Mobile App Framework Vulnerability
Data Storage
• Plist/XML files
• SharedPreferences files
• Database/NoSQL files
• Keychain
• Temp files
• Cache files
• SD Card storage
• Unrestricted Backup file
• Poor Key Management
Backend Service
• Excessive ports opened
• Security Misconfiguration
• Control of Interaction Frequency
• Weak Authentication
• Business Logic flaws
• Info. leakage through API Response message
• Web Application Vulnerability
Communication Channel
• Insecure Transport Layer Protocols (HTTP)
• Insecure and Deprecated algorithms
• Disabling Certificate Validation
• Lack of SSL pinning
• Lack of End-to-end Encryption
• Sensitive data over network
• Exposing Device Specific Identifiers
Binary File
• Reverse Engineering the App code
• Patching Binary
• Hard-coded credentials and Information Leakage through binary
• Debuggable mode
• Runtime Manipulation and Instrumenting
• Lack of Root/Jail-broken device checking
- 7. 7
User Input
Android Application
• SQLite Injection
Rating legend (Damage/Threat gauge shown on each attack slide):
Damage level: estimated level of financial & reputational loss.
Threat level: estimated level of activity and occurrence.
- 8. 8
iOS Application
• SQLite Injection
User Input
- 9. 9
Android Application
• WebView File Access
file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml
User Input
- 10. 10
User Input
iOS Application
• JavaScript Injection (XSS)
<script>alert('Hello World');</script>
- 11. 11
Inter-Process Communication (IPC) and
Application Components
Android Application
• Abusing Android Activity Component for bypassing Client-side authentication (PIN).
- 12. 12
Android Application
• Case Study: CVE-2015-1835: Remote exploit of secondary configuration variables in Apache
Cordova on Android
Inter-Process Communication (IPC) and
Application Components
- 13. 13
Android Application
• Abusing Android Content Provider for obtaining sensitive information from application database.
[Diagram: sensitive information obtained from the application database through .DBContentProvider]
Creating a malicious app to attack the sieve application
https://github.com/tanprathan/sievePWN/blob/master/sieveleak
Using Drozer to attack the Android components
Inter-Process Communication (IPC) and
Application Components
- 14. 14
Android Application
• Abusing Android Content Provider for obtaining sensitive information from application database
using SQL Injection technique.
Creating a malicious app to attack the sieve application using SQLi
https://github.com/tanprathan/sievePWN/tree/master/sievesqli
Using Drozer to attack the Android components using SQLi
Inter-Process Communication (IPC) and
Application Components
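To show why the content-provider SQL injection on this slide and the previous one works, and what closes it, here is an added Python/sqlite3 example; it is not code from the deck, from Drozer or from the sieve app, and the table, column names and sample rows are constructed. The first query pastes the caller's selection into the SQL text, as a vulnerable ContentProvider.query() does; the second binds it as a parameter; the third shows the allow-list that is needed when the caller may choose the column, because column names cannot be bound.

```python
import sqlite3

# Constructed sample rows standing in for a password-manager table; the
# table and column names are assumptions, not the sieve app's real schema.
SAMPLE_ROWS = [
    ("bank", "alice", "hunter2"),
    ("email", "alice", "correct-horse"),
    ("vpn", "bob", "s3cret"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Passwords (service TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Passwords VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, service):
    """Mirrors a provider that pastes the caller's selection into the SQL text.
    Whatever the caller sends becomes part of the WHERE clause."""
    sql = ("SELECT service, username, password FROM Passwords "
           "WHERE service = '" + service + "'")
    return conn.execute(sql).fetchall()


def query_parameterized(conn, service):
    """Hardened form: the value is bound as a parameter, so SQLite compares it
    as a string and never parses it as SQL."""
    sql = "SELECT service, username, password FROM Passwords WHERE service = ?"
    return conn.execute(sql, (service,)).fetchall()


def query_by_column(conn, column, value):
    """Column names cannot be bound as parameters, so when the caller may pick
    the column it must be checked against an allow-list before interpolation."""
    allowed = ("service", "username")
    if column not in allowed:
        raise ValueError("column not permitted: %r" % column)
    sql = "SELECT service, username, password FROM Passwords WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()


def demo():
    """Return (vulnerable_hits, parameterized_hits) for a tautology input."""
    conn = make_db()
    tautology = "x' OR '1'='1"   # constructed test input for the comparison
    return (len(query_vulnerable(conn, tautology)),
            len(query_parameterized(conn, tautology)))


if __name__ == "__main__":
    print(demo())   # the vulnerable query returns every row, the safe one none
```

On Android the same distinction is between building the selection string by concatenation and passing selectionArgs to SQLiteDatabase.query(); in either case a provider that other apps do not need to reach should also not be exported.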
- 15. 15
iOS Application
• Attacking Protocols Handlers (URL Scheme) - Sea Surf
Identifying the URL scheme in the plist file, using Hopper for reverse engineering, then creating a script for the attack.
dvia://highaltitudehacks.com/call_number/?phone=1234567890
Inter-Process Communication (IPC) and
Application Components
- 16. 16
Android Application
• Side-Channel Data Leakage through Android
Clipboard
iOS Application
• Side-Channel Data Leakage through iOS
generalPasteboard
Using Drozer to perform clipboard monitoring
Using idb to perform pasteboard monitoring
Inter-Process Communication (IPC) and
Application Components
- 17. 17
Android Application
• Information Leakage through Application
Log
iOS Application
• Information Leakage through Application
Log
The application writes the password to the log when the user enters it.
Case Study: HTTPS requests and responses were logged to the application log, which allowed malware to obtain sensitive information.
Inter-Process Communication (IPC) and
Application Components
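As an added example for the two log-leakage findings above (not part of the deck): a small Python scanner that runs a few detection rules over a constructed logcat excerpt and reports which lines echo a password, a bearer or session token, or an HTTP request/response body. The log lines and the rule patterns are my own constructions.

```python
import re

# Constructed logcat excerpt modelled on the slide's two findings: a password
# echoed to the log, and HTTPS request/response bodies written to the log.
SAMPLE_LOGCAT = """\
D/LoginActivity( 1234): onCreate
D/LoginActivity( 1234): user entered password=hunter2
I/HttpClient( 1234): >> POST https://api.example.invalid/login {"user":"alice","password":"hunter2"}
I/HttpClient( 1234): << 200 {"token":"constructed.jwt.value","role":"user"}
V/Analytics( 1234): screen=home
"""

# (rule name, pattern) pairs; order determines the order of reported findings.
RULES = [
    ("credential-in-log",
     re.compile(r'(?i)\b(?:password|passwd|pwd|pin)\b\s*["\']?\s*[:=]')),
    ("bearer-token",
     re.compile(r'(?i)\bauthorization:\s*bearer\b|"token"\s*:')),
    ("http-body-logged",
     re.compile(r'(?:>>|<<)\s*(?:POST|GET|PUT|\d{3})\b.*[{<]')),
]


def scan_logcat(text):
    """Return a list of (line_number, rule_name) for every rule that fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def findings_by_line(text):
    """Group rule names by line number, e.g. {2: ['credential-in-log']}."""
    grouped = {}
    for lineno, name in scan_logcat(text):
        grouped.setdefault(lineno, []).append(name)
    return grouped


if __name__ == "__main__":
    for lineno, names in sorted(findings_by_line(SAMPLE_LOGCAT).items()):
        print(lineno, ", ".join(names))
```

Run it over the output of adb logcat -d while exercising the app; the same rules apply to the iOS device console. Keeping debug logging out of release builds (guarding Log calls on BuildConfig.DEBUG, or stripping them with the ProGuard/R8 -assumenosideeffects option) removes the root cause rather than the symptom.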
- 18. 18
Android Application
• Insecure Data Storage leading to a client-side authentication flaw
iOS Application
• Insecure Data Storage leading to a client-side authentication flaw
Data Storage
- 19. 19
Android Application
• Manipulating local storage file
iOS Application
• Manipulating local storage file
Data Storage
- 20. 20
Android Application
• The default value of the Android backup flag is “True”
iOS Application
• Extracting application storage from an iTunes backup using “iPhone Backup Extractor”
Data Storage
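An added Python check, not from the deck, that reads a decoded AndroidManifest.xml (for example the one apktool produces, as used on the Binary File slides) and reports the misconfigurations behind the Data Storage and IPC findings on the preceding slides: android:allowBackup left at its default of true, android:debuggable="true", and components that are exported without an android:permission. The sample manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "provider", "receiver", "service")

# Constructed manifest, not from any real app: one launcher activity, one
# exported PIN-check activity, one exported provider without a permission,
# one exported provider guarded by a permission, and debuggable/backup left
# in their risky state.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:label="Demo" android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PinCheckActivity" android:exported="true"/>
    <provider android:name=".DBContentProvider"
        android:authorities="com.example.constructed.provider"
        android:exported="true"/>
    <provider android:name=".SafeProvider"
        android:authorities="com.example.constructed.safe"
        android:exported="true"
        android:permission="com.example.constructed.READ_DB"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Explicit android:exported wins; otherwise a component with an
    intent-filter is exported (the pre-API-31 default, which API 31+ rejects
    at install time)."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """The MAIN/LAUNCHER activity has to be exported, so it is not a finding."""
    for flt in comp.findall("intent-filter"):
        for cat in flt.findall("category"):
            if _attr(cat, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def audit_manifest(xml_text):
    """Return a list of human-readable findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    if (_attr(app, "debuggable") or "").lower() == "true":
        findings.append("application: android:debuggable=true")
    backup = _attr(app, "allowBackup")
    if backup is None:
        findings.append("application: android:allowBackup not set (defaults to true)")
    elif backup.lower() == "true":
        findings.append("application: android:allowBackup=true")
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _attr(comp, "name") or "?"
            if is_launcher(comp):
                continue
            if is_exported(comp) and _attr(comp, "permission") is None:
                findings.append("%s %s: exported without android:permission" % (tag, name))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

An exported component that is intentionally public (a share target, say) is not a bug, so the list is a review queue rather than a verdict; the two application-level findings, however, should simply be fixed before release.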
- 21. 21
Binary File
Android Application
• Patching binary using apktool
iOS Application
• Patching binary using dumpdecrypted and Hopper
- 22. 22
Android Application
• Identifying hard-coded key using reverse engineering technique
iOS Application
• Identifying hard-coded key using reverse engineering technique
Hard-coded key was stored in the resource/xml folder
Hard-coded key was stored in the application source code
Hard-coded key used for accessing the application's encrypted database was found in a JS file
Binary File
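An added example, not from the deck, of the static check that finds the three hard-coded-key cases above (a key in a resource XML file, in application source code, and in a bundled JS file): a Python scanner that applies an identifier-based rule, an XML-attribute rule and a Shannon-entropy rule to decompiled files. The file paths, variable names and key values are constructed.

```python
import math
import re

# Constructed file contents standing in for decompiled sources and resources;
# paths, names and values are all made up for the example.
SAMPLE_FILES = {
    "res/xml/config.xml":
        '<config><entry key="aes_key" value="7f3a9c1e5b2d8f4a6c0e1b3d5f7a9c2e"/></config>',
    "src/com/example/Crypto.java":
        'private static final String KEY = "MySuperSecretKey";\n'
        'String label = "Welcome back";',
    "assets/www/js/app.js":
        'var dbPassword = "c29tZXRoaW5nLXNlY3JldC1oZXJl";',
}

# Identifier rule: a variable whose name suggests a secret, assigned a quoted
# literal of at least 8 characters.
NAMED_ASSIGNMENT = re.compile(
    r'(?i)\b(\w*(?:key|secret|passw|token|salt|iv)\w*)\s*=\s*["\']([^"\']{8,})["\']')
# Resource rule: an XML entry whose key/name attribute suggests a secret.
XML_SECRET_ATTR = re.compile(
    r'(?i)(?:key|name)="[^"]*(?:key|secret|passw|token)[^"]*"\s+value="([^"]{8,})"')
# Shape rule: any long hex/base64-looking literal, filtered by entropy.
LONG_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=_-]{24,})["\']')
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = float(len(s))
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_sources(files):
    """Return (path, line_no, rule, literal) for each suspected hard-coded secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in NAMED_ASSIGNMENT.finditer(line):
                findings.append((path, lineno, "named-secret-assignment", m.group(2)))
            for m in XML_SECRET_ATTR.finditer(line):
                findings.append((path, lineno, "xml-secret-attribute", m.group(1)))
            for m in LONG_LITERAL.finditer(line):
                if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append((path, lineno, "high-entropy-literal", m.group(1)))
    return findings


def rules_for(findings, path):
    """Set of rule names that fired for one path."""
    return {rule for p, _, rule, _ in findings if p == path}


if __name__ == "__main__":
    for path, lineno, rule, literal in scan_sources(SAMPLE_FILES):
        print("%s:%d %s %s..." % (path, lineno, rule, literal[:12]))
```

Point it at the output tree of apktool or at an extracted IPA. Whatever it flags belongs in the platform key store (Android Keystore or the iOS Keychain) or should be derived at runtime; a key that has to ship inside the binary is readable by anyone with apktool or Hopper, as the slides show.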
- 23. 23
Android Application
• Bypassing Root detection using RootCloak Plus
iOS Application
• Bypassing Jailbreak detection using Snoop-it and tsprotector
Binary File
- 24. 24
Android Application
• Instrumenting Android Applications with Frida using Brute-Force technique
Binary File
- 25. 25
iOS Application
• Runtime manipulation using Method Swizzling
Binary File
- 26. 26
Android and iOS
• Sniffing HTTPS traffic by installing the proxy's CA certificate on the device.
• Bypassing SSL Issuer and domain validation
(Creating a Custom CA Certificate-https://portswigger.net/burp/help/proxy_options.html)
• Bypassing SSL Pinning
Communication Channel
- 27. 27
Android and iOS
• End-to-End Encryption (Application Layer Encryption)
• Exposing Device Specific Identifiers
Communication Channel
- 28. 28
Backend Service
Android and iOS
• Information Exposure Through WSDL default service help page.
• Information Exposure through API response message
- 29. 29
Backend Service
Android and iOS
• Injection (SQL, Command, XXE)
• Improper Control of Interaction Frequency
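For "Improper Control of Interaction Frequency", here is an added server-side example (my own, not the deck's): a sliding-window attempt limiter that is consulted before a PIN or password is checked, so that the brute-force and client-side-bypass techniques shown on earlier slides run into a lock-out at the backend rather than in the app. The account, PIN and clock are constructed for the demo.

```python
import hmac
import time
from collections import deque


class AttemptLimiter:
    """Sliding-window limiter: at most max_attempts events per key within the
    last window_seconds. The clock is injectable so behaviour is testable."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self._max = max_attempts
        self._window = window_seconds
        self._clock = clock
        self._events = {}

    def allow(self, key):
        """Record an attempt for key and return False if the window is full."""
        now = self._clock()
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self._window:
            q.popleft()
        if len(q) >= self._max:
            return False
        q.append(now)
        return True

    def reset(self, key):
        """Forget recorded attempts, e.g. after a successful login."""
        self._events.pop(key, None)


# Constructed credential store: account -> PIN. A real service would store a
# salted hash; a plain value keeps the example self-contained.
SAMPLE_PINS = {"alice": "4821"}


def verify_pin(limiter, account, submitted, pins=SAMPLE_PINS):
    """Return 'locked', 'ok' or 'bad'. The limiter is consulted before the
    secret is checked, so guesses are throttled whether right or wrong."""
    if not limiter.allow(account):
        return "locked"
    expected = pins.get(account)
    if expected is not None and hmac.compare_digest(expected, submitted):
        limiter.reset(account)
        return "ok"
    return "bad"


class FakeClock:
    """Manually advanced clock for tests and demos."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Three wrong guesses, the right PIN inside the window (still locked),
    then the right PIN after the window has passed."""
    clock = FakeClock()
    limiter = AttemptLimiter(max_attempts=3, window_seconds=60, clock=clock)
    results = [verify_pin(limiter, "alice", pin) for pin in ("0000", "1111", "2222", "4821")]
    clock.t = 61.0
    results.append(verify_pin(limiter, "alice", "4821"))
    return results


if __name__ == "__main__":
    print(demo())   # ['bad', 'bad', 'bad', 'locked', 'ok']
```

In production the per-account window should be complemented by a per-client key (source address or device token) and the counters kept in shared storage, otherwise an attacker spreads guesses across accounts or across backend instances.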
- 30. 30
Backend Service
Android and iOS
• Business Logic Flaw #1
• Business Logic Flaw #2
- 31. 31
Case Study: Breaking Business Logic flaws and Bypassing End-to-end encryption
Android and iOS
Binary file was decrypted in order to obtain classes/methods using class-dump.
The encryption and decryption classes were identified.
Encryption/Decryption classes were intercepted by hooking using custom Cycript scripts.
HTTPS Request/Response were obtained.
Custom scripts were created for replacing the XML request/response in order to break business logic flaws (e.g.
Authentication/Authorization/Indirect Object Reference).
Communication Channel
- 32. 32
Countermeasure
OWASP Mobile Top 10 Controls
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls
- 33. 33
Countermeasure
Mobile Application Coding Guidelines
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Secure_Mobile_Development
- 34. 34
• http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
• https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=1
• http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html
• https://labs.mwrinfosecurity.com/system/assets/380/original/sieve.apk
• http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• https://github.com/payatu/diva-android
• https://github.com/prateek147/DVIA
• https://github.com/tanprathan/sievePWN
• https://portswigger.net/burp/proxy.html
Reference
- 35. © 2016 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability
company and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (‘KPMG
International’), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of
KPMG International Cooperative (KPMG International).
“This documentation is made by KPMG Phoomchai Business Advisory Ltd.,
(KPMG), a Thai limited liability company and member firm of the KPMG
network of independent firms affiliated with KPMG International, a Swiss
cooperative, and is in all respects subject to the negotiation, agreement, and
signing of a specific engagement letter or contract. KPMG International provides
no client services. No member firm has any authority to obligate or bind KPMG
International or any other member firm vis-à-vis third parties, nor does KPMG
International have any such authority to obligate or bind any member firm.
This document contains confidential or proprietary KPMG information. It is not
to be disclosed, quoted or referred to, in whole or in part, without our prior
written consent. The restriction pertains to all data and information throughout
the entire document.