Mobile Analysis Kung Fu, Santoku Style – viaForensics, RSA Conference 2014
- 1. SESSION ID: ANF-W03
Mobile Analysis Kung Fu, Santoku Style
Andrew Hoog
CEO/Co-founder
viaForensics
@ahoog42
Sebastián Guerrero
Mobile Security Analyst
viaForensics
@0xroot
- 2. #RSAC
Agenda
Santoku Intro
Mobile Forensics Kung Fu
Mobile Security Kung Fu
Mobile Malware Analysis Kung Fu
- 4. #RSAC
Santoku – Why?
[Chart: 2012 vs 2017 (projected) volumes for Desktop PC, Portable PC, Tablet and Smartphone; y-axis 0 to 1600]
- 7. #RSAC
Santoku – How?
Install Lubuntu 12.04 (precise) x86_64
Santoku-ize it
- 11. #RSAC
iOS Logical
Connect device (enter PIN if needed)
idevicebackup2 backup <backup dir>
idevicebackup2 unback <backup dir>
View backup | unpacked backup
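What "view backup" looks like in practice, as an added example that is not part of the slides or of libimobiledevice: a raw `idevicebackup2 backup` directory names every file by the SHA-1 of `<domain>-<relative path>` (a documented property of iOS backups), while `idevicebackup2 unback` rebuilds the tree under `_unback_/<domain>/<path>`. The script resolves well-known artifacts in either layout and lists their SQLite tables; the demo backup it builds in a temp directory is constructed (one SQLite file under the hashed name of sms.db) so it runs offline.

```python
"""Locate well-known artifacts in a backup made with idevicebackup2.

Added example; not from the slides or libimobiledevice. Relies on one
documented property of iOS backups: each file is stored under the hex SHA-1
of "<domain>-<path>", and `idevicebackup2 unback` rebuilds the tree as
_unback_/<domain>/<path>.
"""
import hashlib
import os
import sqlite3
import tempfile
from typing import Dict, List, Optional

# Well-known (domain, relative path) pairs; the labels are our own.
KNOWN_FILES = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "calls": ("WirelessDomain", "Library/CallHistory/call_history.db"),
}


def backup_filename(domain: str, relative_path: str) -> str:
    """Hashed file name used inside a raw backup directory."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def locate(backup_dir: str, domain: str, relative_path: str) -> Optional[str]:
    """On-disk path of a backup entry in a raw backup (flat layout, or the
    two-hex-char subdirectories newer iOS versions use) or in an unpacked
    `_unback_` tree; None if absent."""
    name = backup_filename(domain, relative_path)
    candidates = [
        os.path.join(backup_dir, name),
        os.path.join(backup_dir, name[:2], name),
        os.path.join(backup_dir, "_unback_", domain, relative_path),
    ]
    return next((p for p in candidates if os.path.isfile(p)), None)


def sqlite_tables(path: str) -> List[str]:
    """Table names of a SQLite database (most iOS artifacts are SQLite)."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()


def inventory(backup_dir: str) -> Dict[str, Optional[List[str]]]:
    """For each known artifact: its table list if present, else None."""
    result: Dict[str, Optional[List[str]]] = {}
    for label, (domain, rel) in KNOWN_FILES.items():
        path = locate(backup_dir, domain, rel)
        result[label] = sqlite_tables(path) if path else None
    return result


def make_demo_backup() -> str:
    """Constructed stand-in for a real backup: a single SQLite file stored
    under the hashed name of sms.db, nothing else."""
    root = tempfile.mkdtemp(prefix="ios-backup-demo-")
    path = os.path.join(root, backup_filename("HomeDomain", "Library/SMS/sms.db"))
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    con.execute("INSERT INTO message (text) VALUES ('constructed sample message')")
    con.commit()
    con.close()
    return root


def demo() -> Dict[str, Optional[List[str]]]:
    """Run the inventory against the constructed demo backup."""
    return inventory(make_demo_backup())


if __name__ == "__main__":
    for label, tables in demo().items():
        print(f"{label:9s} {'missing' if tables is None else ', '.join(tables)}")
```

Point the script at a real backup directory with `inventory("/path/to/backup")`; a missing artifact usually means the backup was encrypted or the domain differs between iOS versions, so check the backup's manifest before concluding the data is absent.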
- 14. #RSAC
Android Logical
AFLogical OSE (https://github.com/viaforensics/android-forensics)
Reads content providers
Push to phone, run, store on SD card
Pull CSVs to Santoku for review
- 20. #RSAC
App Selection
Apps were selected based on popularity, number of downloads, or potential sensitivity of data
Approximately 80 apps have been reviewed and organized into categories
- 21. #RSAC
2013 App testing result
81 tested apps, 32 iOS, 49 Android
[Chart: share of tested apps (0% to 80%) failing each check, iOS vs Android: failed MiTM or SSL; stored password (plaintext or hashed); stored sensitive app data in memory; at least one 'High risk' rating]
- 23. #RSAC
Any.Do
Business and personal task management app iOS and Android
Millions of users
Many vulnerabilities, no response from company
https://viaforensics.com/mobile-security/security-vulnerabilities-anydo-android.html
- 24. #RSAC
Any.Do Analysis - Forensics
Locate the Any.DO app directory
adb pull /data/data/com.anydo
Examine database/binary files
Capture network traffic
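The "examine database/binary files" step, as an added example that is not part of the slides and does not describe Any.DO's actual storage: after `adb pull /data/data/<package>`, the script opens every SQLite file it finds and every SharedPreferences XML, and reports columns and keys whose names suggest credentials, with one sample value so the analyst can tell plaintext from a hash. The package name `com.example.app`, file names and values in the demo directory are constructed.

```python
"""Triage a pulled Android app directory for sensitive data at rest.

Added example, not from the slides; com.example.app and everything inside
the demo directory are constructed. Run scan_app_dir() on the directory
produced by `adb pull /data/data/<package>`.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

SENSITIVE = re.compile(r"pass(word|wd)?|pwd|token|secret|auth|session|cookie|ssn", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"

Finding = Tuple[str, str, str]  # (file, location, sample value)


def is_sqlite(path: str) -> bool:
    """Identify SQLite files by header, not by extension (apps rarely use .db)."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def quote(ident: str) -> str:
    """Quote a SQLite identifier taken from an untrusted database."""
    return '"' + ident.replace('"', '""') + '"'


def scan_sqlite(path: str, rel: str) -> List[Finding]:
    findings: List[Finding] = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f"PRAGMA table_info({quote(table)})")]:
                if SENSITIVE.search(col):
                    row = con.execute(
                        f"SELECT {quote(col)} FROM {quote(table)} WHERE {quote(col)} IS NOT NULL LIMIT 1"
                    ).fetchone()
                    findings.append((rel, f"{table}.{col}", "" if row is None else str(row[0])))
    finally:
        con.close()
    return findings


def scan_prefs(path: str, rel: str) -> List[Finding]:
    """SharedPreferences XML: <string name="k">v</string>, <boolean name="k" value="true"/>."""
    findings: List[Finding] = []
    for elem in ET.parse(path).getroot():
        name = elem.get("name", "")
        if SENSITIVE.search(name):
            findings.append((rel, name, elem.get("value", elem.text or "")))
    return findings


def scan_app_dir(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_sqlite(path):
                findings += scan_sqlite(path, rel)
            elif rel.startswith("shared_prefs/") and fn.endswith(".xml"):
                findings += scan_prefs(path, rel)
    return sorted(findings)


def make_demo_app_dir() -> str:
    """Constructed /data/data/com.example.app layout: one plaintext password
    in a database and one session token in SharedPreferences."""
    root = tempfile.mkdtemp(prefix="com.example.app-")
    os.makedirs(os.path.join(root, "databases"))
    os.makedirs(os.path.join(root, "shared_prefs"))
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.execute("INSERT INTO users (email, password) VALUES ('alice@example.com', 'hunter2')")
    con.commit()
    con.close()
    with open(os.path.join(root, "shared_prefs", "com.example.app_preferences.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="auth_token">constructed-session-token</string>\n'
                '  <boolean name="sync_enabled" value="true" />\n</map>\n')
    return root


def demo() -> List[Finding]:
    return scan_app_dir(make_demo_app_dir())


if __name__ == "__main__":
    for rel, where, value in demo():
        print(f"{rel}: {where} = {value!r}")
```

A hit on a column or key name is only a lead: the sample value is what decides between "stored password (plaintext)" and "stored password (hashed)" in the chart above, and a long random-looking value still needs a check of how it was derived.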
- 28. #RSAC
Bad News
Android Malware, masquerades as an innocent advertising network
Packaged in many legitimate apps, usually targeting Russian market
Has the ability to download additional apps and prompts the user to install them, posing as "Critical Updates". Uses this mechanism to spread known malware, typically premium-rate SMS fraud.
For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/
- 29. #RSAC
apktool
Tool for reverse engineering Android apk
Disassembles code to smali files and decodes the resources contained in the apk.
It can also repackage the application after you have modified it
We can run it on Badnews
Badnews Sample
- 30. #RSAC
From apktool to smali
We can grep for known sensitive method calls and strings
- 31. #RSAC
From apktool to smali
We can manually analyze the disassembled smali code produced by apktool
For example, here we see a broadcast receiver that listens for BOOT_COMPLETED intents and reacts to them by starting a service in the application
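The grep-for-sensitive-calls and find-the-boot-receiver steps from the two smali slides, as one added example that is not from the slides, apktool or the Bad News sample. It walks an apktool output tree, flags invoke targets and const-strings from a watchlist, and reports classes that extend BroadcastReceiver and mention BOOT_COMPLETED. The two smali files it scans are constructed, shortened samples that mimic the described pattern (a boot receiver that starts a service, and a class that sends SMS); the package `com.example.dropper` is invented.

```python
"""Static triage of apktool smali output. Added example; the watchlisted
APIs are real Android/Java methods, the smali samples are constructed."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

WATCH_CALLS = (
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Landroid/content/Context;->startService",
    "Ldalvik/system/DexClassLoader;-><init>",
)
WATCH_STRINGS = (
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "application/vnd.android.package-archive",  # MIME type used to prompt an APK install
    "http://",
)
CLASS = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;]+;)")
SUPER = re.compile(r"^\.super\s+(L[^;]+;)")
INVOKE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[^;]+;->[^(]+)\(")
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')

Report = Dict[str, object]  # {"class": str, "super": str, "hits": [(line, kind, text)]}


def scan_smali(text: str) -> Report:
    """Class name, superclass and watchlist hits (with line numbers) for one smali file."""
    cls, sup = "", ""
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CLASS.match(line)
        if m:
            cls = m.group(1)
        m = SUPER.match(line)
        if m:
            sup = m.group(1)
        m = INVOKE.match(line)
        if m and m.group(1) in WATCH_CALLS:
            hits.append((no, "call", m.group(1)))
        m = CONST_STRING.match(line)
        if m and any(w in m.group(1) for w in WATCH_STRINGS):
            hits.append((no, "string", m.group(1)))
    return {"class": cls, "super": sup, "hits": hits}


def scan_tree(smali_root: str) -> Dict[str, Report]:
    """Scan every .smali below an apktool output directory, keyed by relative path."""
    out: Dict[str, Report] = {}
    for dirpath, _, files in os.walk(smali_root):
        for fn in files:
            if fn.endswith(".smali"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as f:
                    out[os.path.relpath(path, smali_root).replace(os.sep, "/")] = scan_smali(f.read())
    return out


def boot_receivers(report: Dict[str, Report]) -> List[str]:
    """Classes extending BroadcastReceiver that reference BOOT_COMPLETED."""
    return sorted(
        str(r["class"]) for r in report.values()
        if r["super"] == "Landroid/content/BroadcastReceiver;"
        and any(h[2] == "android.intent.action.BOOT_COMPLETED" for h in r["hits"])  # type: ignore[union-attr]
    )


# Constructed samples (not real malware code).
BOOT_RECEIVER = """\
.class public Lcom/example/dropper/BootReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 2
    invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;
    move-result-object v0
    const-string v1, "android.intent.action.BOOT_COMPLETED"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    if-eqz v0, :done
    new-instance v1, Landroid/content/Intent;
    const-class v0, Lcom/example/dropper/UpdateService;
    invoke-direct {v1, p1, v0}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
    invoke-virtual {p1, v1}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
    :done
    return-void
.end method
"""
SMS_SENDER = """\
.class public Lcom/example/dropper/Billing;
.super Ljava/lang/Object;
.method public static charge(Ljava/lang/String;)V
    .locals 5
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "1234"
    const/4 v3, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""


def demo() -> Dict[str, Report]:
    """Write the constructed samples into an apktool-style tree and scan it."""
    root = tempfile.mkdtemp(prefix="apktool-demo-")
    pkg = os.path.join(root, "smali", "com", "example", "dropper")
    os.makedirs(pkg)
    for name, text in (("BootReceiver.smali", BOOT_RECEIVER), ("Billing.smali", SMS_SENDER)):
        with open(os.path.join(pkg, name), "w", encoding="utf-8") as f:
            f.write(text)
    return scan_tree(os.path.join(root, "smali"))


if __name__ == "__main__":
    rep = demo()
    print("boot receivers:", boot_receivers(rep))
    for path, r in rep.items():
        for no, kind, text in r["hits"]:  # type: ignore[union-attr]
            print(f"{path}:{no}: {kind} {text}")
```

On a real decode run `scan_tree("<apktool output>/smali")`; cross-check any receiver it reports against the `<receiver>` entries and `RECEIVE_BOOT_COMPLETED` permission in the decoded AndroidManifest.xml, since a receiver that is never registered is dead code.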
- 35. #RSAC
A little help fu, please
HOWTOs
New/existing tool development
.deb package maintenance
Forums, spreading the word
- 36. #RSAC
Q&A | Contact | Feedback
Thanks for listening…
@0xroot / @ahoog42
github/0xroot / github/viaforensics
sguerrero@viaforensics.com / ahoog@viaforensics.com