SESSION ID: ANF-W03
Mobile Analysis Kung Fu, Santoku Style
Andrew Hoog, CEO/Co-founder, viaForensics, @ahoog42
Sebastián Guerrero, Mobile Security Analyst, viaForensics, @0xroot
#RSAC 
Agenda
- Santoku Intro
- Mobile Forensics Kung Fu
- Mobile Security Kung Fu
- Mobile Malware Analysis Kung Fu
Santoku Intro
Santoku – Why?
[Chart: 2012 vs 2017 (projected) figures for Desktop PC, Portable PC, Tablet and Smartphone; y-axis 0 to 1600]
https://santoku-linux.com/ - It’s Free!
Santoku – What?
Santoku – How?
- Install Lubuntu 12.04 (precise) x86_64
- Santoku-ize it
You should get (after reboot)
Mobile Forensics Kung Fu
Forensic Acquisition Types
iOS Logical
- Connect the device (enter the PIN if needed)
- idevicebackup2 backup <backup dir>
- idevicebackup2 unback <backup dir>
- View the backup or the unpacked backup
iPhone Backup Analyzer
Android Logical
- AFLogical OSE (https://github.com/viaforensics/android-forensics)
- Reads content providers
- Push to phone, run, store on SD card
- Pull CSVs to Santoku for review
AFLogical OSE
Install, run, extract
viaExtract
Mobile Security Kung Fu
App Selection
- Apps were selected based on popularity, number of downloads, or potential sensitivity of data
- Approximately 80 apps have been reviewed and organized into categories
2013 App testing result
- 81 tested apps: 32 iOS, 49 Android
[Chart: share of tested apps (0% to 80%), iOS vs Android, for four findings: failed MiTM or SSL; stored password (plaintext or hashed); stored sensitive app data in memory; at least one 'High risk' rating]
Any.Do
- Business and personal task management app for iOS and Android
- Millions of users
- Many vulnerabilities, no response from the company
- https://viaforensics.com/mobile-security/security-vulnerabilities-anydo-android.html
Any.Do Analysis - Forensics
- Locate the Any.DO app directory
- adb pull /data/data/com.anydo (an app's private directory is not readable by the adb shell user on a stock device; this needs a rooted device, or run-as on a debuggable build)
- Examine the database and binary files
- Capture network traffic
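The "examine the database and binary files" step above, as an added example that is not part of the talk or of viaForensics' tooling: a Python triage script for a directory pulled with adb pull. It walks the pulled tree, opens every SQLite database read-only, flags columns and shared_prefs keys whose names suggest credentials or session material, and collects sample values. The package name com.example.tasks, the file names and all of the data are constructed for the example and are not Any.Do data.

```python
"""Triage of an Android app's private data directory after
`adb pull /data/data/<package> <local dir>`: open every SQLite database
and shared_prefs XML in the pulled tree and report columns or keys whose
names suggest credentials or session material.

Added example, not from the talk; the sample directory built by
build_sample_app_dir() is constructed here and is NOT real Any.Do data."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Column / preference-key names that usually deserve a closer look.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|auth|session|cookie|api_?key", re.I)


def is_sqlite(path):
    """SQLite 3 files start with a fixed 16-byte magic header."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == b"SQLite format 3\x00"
    except OSError:
        return False


def triage_sqlite(path):
    """Return [(table, column, up to 3 sample values)] for one database."""
    findings = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # never write to evidence
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                if SENSITIVE.search(col):
                    rows = con.execute(f'SELECT "{col}" FROM "{table}" '
                                       f'WHERE "{col}" IS NOT NULL LIMIT 3').fetchall()
                    findings.append((table, col, [r[0] for r in rows]))
    finally:
        con.close()
    return findings


def triage_shared_prefs(path):
    """Return [(key, value)] for entries of a shared_prefs XML with sensitive-looking keys."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []
    findings = []
    for el in root:   # <string name=..>text</string> or <boolean name=.. value=.. />
        key = el.get("name", "")
        if SENSITIVE.search(key):
            value = el.get("value") if el.get("value") is not None else (el.text or "").strip()
            findings.append((key, value))
    return findings


def triage_app_dir(app_dir):
    """Walk a pulled /data/data/<pkg> tree; return {relative path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(app_dir):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if is_sqlite(full):
                found = triage_sqlite(full)
            elif fn.endswith(".xml") and os.path.basename(dirpath) == "shared_prefs":
                found = triage_shared_prefs(full)
            else:
                continue
            if found:
                report[os.path.relpath(full, app_dir).replace(os.sep, "/")] = found
    return report


def build_sample_app_dir():
    """Constructed stand-in for a pulled app directory (hypothetical package, fake data)."""
    base = tempfile.mkdtemp(prefix="com.example.tasks_")
    os.makedirs(os.path.join(base, "databases"))
    os.makedirs(os.path.join(base, "shared_prefs"))
    con = sqlite3.connect(os.path.join(base, "databases", "app.db"))
    con.execute("CREATE TABLE account (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO account VALUES (1, 'alice@example.com', 'hunter2')")
    con.execute("CREATE TABLE task (id INTEGER, title TEXT)")
    con.execute("INSERT INTO task VALUES (1, 'buy milk')")
    con.commit()
    con.close()
    with open(os.path.join(base, "shared_prefs", "session.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '  <string name="auth_token">0123456789abcdef</string>\n'
                '  <boolean name="sync_enabled" value="true" />\n</map>\n')
    return base


if __name__ == "__main__":
    for rel, found in triage_app_dir(build_sample_app_dir()).items():
        print(rel, found)
```

Run it against a real pull by calling triage_app_dir() on the local directory adb pull wrote. The name-based match is deliberately broad (it is a triage filter, not a verdict); anything it flags, plus any table it does not, still gets read by hand, and a hit like a plaintext password column is exactly the "stored password" finding in the 2013 results above.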
Mobile Malware Analysis Kung Fu
NQ Mobile
BadNews
- Android malware that masquerades as an innocent advertising network
- Packaged in many legitimate apps, usually targeting the Russian market
- Can download additional apps and prompt the user to install them, posing as “Critical Updates”. It uses this mechanism to spread known malware, typically premium-rate SMS fraud.
- For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/
apktool
- Tool for reverse engineering Android APKs
- Disassembles the dex code to smali files and decodes the resources contained in the APK
- It can also repackage the application after you have modified it
- We can run it on the BadNews sample
From apktool to smali
- We can grep the smali tree for known sensitive method calls and strings
From apktool to smali
- We can manually analyze the disassembled smali code produced by apktool
- For example, here we see a broadcast receiver that listens for BOOT_COMPLETED intents and reacts to them by starting a service in the application
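The two steps above (grepping the smali tree for sensitive calls, and spotting a receiver registered for BOOT_COMPLETED), as an added example that is not from the talk: a Python script run over an apktool output directory. It parses AndroidManifest.xml for receivers whose intent-filter includes BOOT_COMPLETED, and scans every .smali file for invoke targets that are common in Android malware (SMS sending, IMEI access, dynamic code loading, Runtime.exec, starting a service). The decoded tree it builds (hypothetical package com.example.adnet, two abbreviated smali files) is constructed for the example and is not the BadNews sample.

```python
"""Triage of an apktool output directory (`apktool d sample.apk -o out`):
list <receiver>s in AndroidManifest.xml registered for BOOT_COMPLETED and
grep the smali tree for invoke targets that are common in Android malware.
Added example, not from the talk; the tree built by build_sample_apktool_dir()
is constructed and abbreviated here and is NOT the BadNews sample."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Invoke targets, written as they appear in smali, that deserve a manual look.
SUSPICIOUS_CALLS = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "sends SMS (premium-rate fraud)",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "reads the IMEI",
    "Ldalvik/system/DexClassLoader;-><init>": "loads code at runtime",
    "Ljava/lang/Runtime;->exec": "runs a shell command",
    "Landroid/content/Context;->startService": "starts a background service",
}
# e.g. "invoke-virtual {p1, v0}, Landroid/content/Context;->startService(...)..."
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(\S+?)\(")


def boot_receivers(manifest_path):
    """Fully qualified names of receivers whose intent-filter has BOOT_COMPLETED."""
    root = ET.parse(manifest_path).getroot()
    pkg = root.get("package", "")
    found = []
    for rcv in root.iter("receiver"):
        actions = [a.get(ANDROID_NS + "name")
                   for flt in rcv.findall("intent-filter") for a in flt.findall("action")]
        if BOOT_ACTION in actions:
            name = rcv.get(ANDROID_NS + "name", "")
            found.append(pkg + name if name.startswith(".") else name)  # ".Foo" is package-relative
    return found


def grep_smali(smali_root):
    """[(file, line no, invoke target, why)] for every suspicious call in the tree."""
    hits = []
    for dirpath, _, files in os.walk(smali_root):
        for fn in sorted(files):
            if not fn.endswith(".smali"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, smali_root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as f:
                for n, line in enumerate(f, 1):
                    m = INVOKE_RE.match(line)
                    if m and m.group(1) in SUSPICIOUS_CALLS:
                        hits.append((rel, n, m.group(1), SUSPICIOUS_CALLS[m.group(1)]))
    return hits


def triage_apktool_dir(out_dir):
    """Run both checks over an apktool output directory."""
    return {"boot_receivers": boot_receivers(os.path.join(out_dir, "AndroidManifest.xml")),
            "suspicious_calls": grep_smali(os.path.join(out_dir, "smali"))}


# Constructed, abbreviated stand-in for apktool output (hypothetical package com.example.adnet).
SAMPLE_FILES = {
    "AndroidManifest.xml": """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.adnet">
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
        <service android:name=".AdService"/>
    </application>
</manifest>
""",
    "smali/com/example/adnet/BootReceiver.smali": """.class public Lcom/example/adnet/BootReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    invoke-virtual {p1, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
    return-void
.end method
""",
    "smali/com/example/adnet/AdService.smali": """.class public Lcom/example/adnet/AdService;
.super Landroid/app/Service;
.method private sendPremium()V
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
""",
}


def build_sample_apktool_dir():
    base = tempfile.mkdtemp(prefix="apktool_out_")
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    return base
```

Point triage_apktool_dir() at the directory apktool wrote and read the hits in context: a receiver that starts a service on BOOT_COMPLETED is only interesting together with what that service then does, which is where the sendTextMessage hit comes in. Obfuscated samples can hide targets behind reflection, so an empty hit list is not a clean bill of health.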
BadNews sample – dex2jar - JD-GUI
Korean Banking Malware
Korean Banking Malware (Analysis)
A little help fu, please
- HOWTOs
- New/existing tool development
- .deb package maintenance
- Forums, spreading the word
Q&A | Contact | Feedback
Thanks for listening…
@0xroot / @ahoog42
github/0xroot / github/viaforensics
sguerrero@viaforensics.com / ahoog@viaforensics.com
