CDIC 2013 : Cyber Defense Initiative Conference 2013                                                                         www.cdicconference.com




                                          27 th – 28 th February 2013, Centara Grand & Bangkok Convention Centre at Central World, Bangkok




                                Advanced Mobile
                               Penetration Testing
                             Application Attacks and Defense


    Mr. Prathan Phongthiproek
    Consulting Manager
    GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+

                                           Speaker Profile


          Mr. Prathan Phongthiproek

          GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW
          Security Analyst, CWNA, CWSP, Security+

          ACIS Professional Center


          E-mail: Prathan@acisonline.net


                     Let’s Talk and Workshop

               Introduction
               Attack Vectors for Pentest
               Pentest iOS App
               Pentest Android App
               Workshop !!





           INTRODUCTION





                                  Past few years…..

          Just a mobile phone
                – Phone calls
                – Sending text messages or MMS
                – Alarm clock
                – Calculator
                – Listening to music
          EDGE for surfing the internet !!


                                                       Now…

          3G, 4G and WiFi support on mobile networks
          Became more intelligent – smartphones
                – Sending email
                – Surf internet
                – Check-in for flights
                – Online Banking transactions
                – Social network (Facebook, Twitter, Instagram)


                                                       Now…

          Companies started creating mobile applications to
           offer services to clients
                – Storing and synchronizing data files in the cloud
                – Participating in social network sites
                – The data that is stored, processed and transferred can
                  often be considered sensitive





           ATTACK VECTORS FOR PENTEST





                          Three Attack Surfaces

          Client Software on Mobile device
          Communications Channel
          Server Side Infrastructure

          [Diagram: Client Software, Comm. Channel, Server Side Infrastructure]

                                       Client Software

          Packages are typically downloaded from an
           AppStore, Google Play or provided via the company
           website
          Testing requires a device that is rooted or
           jailbroken for access to all files and folders on the
           local file system
          Can be decompiled, tampered with or reverse
           engineered

                                       Client Software

          Attention points
                – Files on the local file system
                – Application authentication & authorization
                – Error Handling & Session Management
                – Business logic
                – Decompiling and analyzing




                              iExplorer for iPhone





                              Profile.properties and
                               user_info.pref.xml





                                                       Plist files





                                               Decompiled





                   Communications Channel

          Channel between the client and the server (HTTPS,
           EDGE/3G)
          Test with an HTTP proxy (Burp, ZAP) to intercept
           and alter traffic
          If the application does not use the HTTP protocol,
           use a transparent TCP and UDP proxy like Mallory




                   Communications Channel

          Attention points
                – Replay attack vulnerabilities
                – Secure transfer of sensitive information
                – SSLStrip for HTTPS via Wifi
                – Set up SSL for the proxy





                                                Sniff traffic





                Server-Side Infrastructure

          The attack vectors for the web servers behind a
           mobile application are similar to those used for regular
           websites
          Perform host and service scans on the target
           system to identify running services





                Server-Side Infrastructure

          Attention points
                – OWASP Top 10 vulnerabilities (SQL Injection, XSS, ...)
                – Running services and versions
                – Infrastructure vulnerability scanning





         Real Case Study: Mobile App Pentest

               Client Software
                – Found a backend path in Localizable.strings
               Server-Side Infrastructure
                – Access to port 8080 (Tomcat)
                – Logged in with the default Tomcat username and password
                – Uploaded malicious JSP code to the web server (bypassed Symantec AV)
                – Accessed a configuration file that contains database credentials
                – OWNED !! Database Server
                – Capture the Flag !!
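Defender's counterpart to the case study, added here and not part of the original slides: detection logic run over constructed Tomcat access-log lines (AccessLogValve "common" pattern assumed) that flags manager access from outside an admin allowlist, a run of 401s followed by a 200 from the same host (what a default-credential login looks like in the log) and a successful upload through the manager. ADMIN_HOSTS, DEPLOY_PATHS and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Hosts expected to use the manager application (assumption for this example).
ADMIN_HOSTS = {"10.0.0.5"}

# Manager endpoints that put new code on the server.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Constructed sample log: an admin session, then an outside host that fails twice,
# gets in as the stock "tomcat" user and uploads a WAR through the manager.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Feb/2013:09:01:10 +0700] "GET /manager/html HTTP/1.1" 200 12345
203.0.113.7 - - [27/Feb/2013:10:15:32 +0700] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [27/Feb/2013:10:15:40 +0700] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [27/Feb/2013:10:15:51 +0700] "GET /manager/html HTTP/1.1" 200 18922
203.0.113.7 - tomcat [27/Feb/2013:10:17:03 +0700] "POST /manager/html/upload HTTP/1.1" 200 19011
198.51.100.9 - - [27/Feb/2013:10:20:00 +0700] "GET /app/login HTTP/1.1" 200 4401
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_manager_abuse(lines):
    """Scan access-log lines and return (rule, host, detail) alerts for:
    manager access from a host outside ADMIN_HOSTS, a run of 401s followed by a
    200 from the same host (guessed or default credentials), and any request to
    a deploy/upload endpoint that succeeded."""
    alerts = []
    failures = defaultdict(int)   # consecutive 401s per source host
    flagged_hosts = set()         # report each unexpected host only once
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        host, path, status = rec["host"], rec["path"], int(rec["status"])
        if host not in ADMIN_HOSTS and host not in flagged_hosts:
            flagged_hosts.add(host)
            alerts.append(("manager_from_unexpected_host", host, path))
        if status == 401:
            failures[host] += 1
        elif status == 200 and failures[host]:
            alerts.append(("manager_login_after_failures", host,
                           "%d x 401 then 200 as user %s" % (failures[host], rec["user"])))
            failures[host] = 0
        if status in (200, 302) and any(path.startswith(p) for p in DEPLOY_PATHS):
            alerts.append(("manager_deploy", host, "%s %s" % (rec["method"], path)))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect_manager_abuse(SAMPLE_LOG.splitlines()):
        print(rule, host, detail)
```

Restricting the manager application to an allowlisted network and replacing the stock credentials removes the first two alerts at the source; the deploy alert is the one worth keeping as a standing rule.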



                                 Localizable.strings





             Logged in with Default Tomcat
                      credentials





                         Upload Malicious code





                        Backend Compromised





                      Database Compromised





           PENTEST IOS APPLICATION


           Fast Track



                                              iOS Application

          Distributed as an “.ipa” file (simply a zip file)
          Deployed as “.app” directories (same as Mac OS X)
          Objective-C
          Data storage
                – Plist files
                – SQLite
                – Binary data files


                                   Fast and Furious Step

               Preparing a Device
                – Jailbreak
               Install Tools on Device
                – Cydia (OpenSSH, MobileTerminal, etc.)
               Install Tools on Workstation
                – SSH Client
                – Plist Editor
                – SQLite Database Browser
                – Wireshark, Burp proxy


                                   Fast and Furious Step

          Read application’s data files





                                   Fast and Furious Step

          Set up a proxy to intercept and manipulate traffic





                                   Fast and Furious Step





           PENTEST ANDROID APPLICATION


           Fast and Furious



                                      Android Application

          Distributed as an “.apk” file (simply a zip file)
          Multi-user OS running the Dalvik VM
          Android runs .dex files on the Dalvik VM
          Data storage
                – XML files
                – SQLite
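Added example (not from the slides) for the data stores named on the iOS slide (plist, SQLite) and this one (XML, SQLite): a small auditor that walks an extracted app sandbox and flags values stored under credential-looking keys, the check a tester runs once the files have been pulled off a jailbroken or rooted device. The key list and the sample files it builds are constructed for this example.

```python
import os
import plistlib
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key-name fragments that usually mark credentials or session material.
# Heuristic list constructed for this example; tune it per engagement.
SENSITIVE_KEYS = ("password", "passwd", "pin", "token", "secret", "session", "apikey", "api_key")


def is_sensitive(name):
    """True when a key/column name contains one of the SENSITIVE_KEYS fragments."""
    n = name.lower().replace("-", "_")
    return any(k in n for k in SENSITIVE_KEYS)


def audit_plist(path):
    """Return (path, key, value) for sensitive top-level keys in a .plist (XML or binary)."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            if is_sensitive(str(key)) and value not in ("", None):
                hits.append((path, str(key), str(value)))
    return hits


def audit_xml(path):
    """Android shared-preferences style XML: <string name="k">v</string> or value="v"."""
    hits = []
    for elem in ET.parse(path).getroot().iter():
        name = elem.get("name")
        value = elem.text if elem.text is not None else elem.get("value")
        if name and is_sensitive(name) and value:
            hits.append((path, name, value))
    return hits


def audit_sqlite(path):
    """Flag columns whose names look sensitive and that hold non-empty values."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
            for col in cols:
                if not is_sensitive(col):
                    continue
                for (val,) in con.execute('SELECT "%s" FROM "%s"' % (col, table)):
                    if val not in (None, ""):
                        hits.append((path, "%s.%s" % (table, col), str(val)))
    finally:
        con.close()
    return hits


def audit_app_data(root):
    """Walk an extracted app sandbox and return every sensitive finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(audit_plist(path))
            elif name.endswith(".xml"):
                findings.extend(audit_xml(path))
            elif name.endswith((".db", ".sqlite", ".sqlite3")):
                findings.extend(audit_sqlite(path))
    return findings


def build_sample_sandbox():
    """Constructed sample: an iOS-style plist, an Android prefs XML and a SQLite db."""
    root = tempfile.mkdtemp(prefix="app_data_")
    with open(os.path.join(root, "user_info.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, f)
    with open(os.path.join(root, "user_info.pref.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="session_token">abc123</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "accounts.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, user TEXT, pin TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', '4321')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, key, value in audit_app_data(build_sample_sandbox()):
        print("%s: %s = %r" % (path, key, value))
```

Every hit is a value the app chose to keep in plain form on the file system; the fix on the app side is the platform keystore (Keychain, Android KeyStore) or not storing the value at all.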



                                      Android Application





                                          Android and Java





                      Preparation Tools for Pentest

          Android SDK Tools
                – AVD Manager and SDK Manager
          Java 5, 6 or 7
          Eclipse for code review purposes
          MITM proxy tools such as Burp
          Dex2jar, JD-GUI



                         Setting up the environment





                         Setting up the environment





                         Setting up the environment





                                adb install <apk path>





                                  Configuring the proxy





                                  Configuring the proxy





                                                       adb shell





                     Access Database via adb shell





                       Android Debug Bridge (ADB)

               Packaged with the Android Software Development Kit
               Essential adb commands:
                – adb devices: returns the serial number of the device(s) attached
                – adb kill-server: shuts down the adb daemon
                – adb shell: remote terminal on the device
                – adb push: copies files from the local workstation to the device
                – adb pull: copies files from the device to the local workstation
                – adb remount: remounts the system partition on the device as read-write
                – adb forward: forwards a local port to a port on the device
                – adb -h: help for adb commands


                                     Source Code Review

          Rename the .apk file to .zip
          Extract the zip file and find classes.dex
          Use dex2jar to convert .dex to .jar
          Use JD-GUI to open the JAR file and review the source
           code
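Added example (not from the slides) for the review pipeline above: the first two steps done in Python, opening the .apk as a zip, locating every classes*.dex and validating the DEX header's adler32 checksum and SHA-1 signature before the file goes to dex2jar. The sample .apk and the header-only DEX it contains are constructed; a mismatch means the file was altered after build or is corrupt, while a repacker that recomputes both fields still passes, so this is an integrity check, not proof of origin.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed header length in every DEX version
ENDIAN_CONSTANT = 0x12345678    # expected endian_tag for a little-endian file


def parse_dex_header(data):
    """Parse the DEX header and verify its adler32 checksum and SHA-1 signature.

    Raises ValueError when the bytes are not a DEX file or were altered after
    build without the two integrity fields being recomputed.
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic = data[:8]                                  # b"dex\n" + 3-digit version + NUL
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic")
    version = magic[4:7].decode("ascii")
    checksum = struct.unpack_from("<I", data, 8)[0]
    signature = data[12:32]
    (file_size, header_size, endian_tag, _link_size, _link_off, _map_off,
     string_ids_size, _string_ids_off, type_ids_size, _type_ids_off,
     _proto_ids_size, _proto_ids_off, _field_ids_size, _field_ids_off,
     method_ids_size, _method_ids_off, class_defs_size, _class_defs_off,
     _data_size, _data_off) = struct.unpack_from("<20I", data, 32)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian tag 0x%08x" % endian_tag)
    if header_size != DEX_HEADER_SIZE or file_size != len(data):
        raise ValueError("header_size/file_size do not match the file")
    # checksum covers everything after magic+checksum; signature everything after itself
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        raise ValueError("adler32 checksum mismatch: file modified or corrupt")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch: file modified or corrupt")
    return {"version": version, "file_size": file_size, "strings": string_ids_size,
            "types": type_ids_size, "methods": method_ids_size, "classes": class_defs_size}


def dex_is_intact(data):
    """True when the header parses and both integrity fields verify."""
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def build_minimal_dex(string_ids=3, classes=1):
    """Constructed sample: a header-only DEX with valid checksum and signature.
    Dalvik would not load it; it exists only to exercise the parser."""
    body = bytearray(DEX_HEADER_SIZE)
    body[:8] = b"dex\n035\x00"
    struct.pack_into("<20I", body, 32,
                     DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT,  # file_size, header_size, endian_tag
                     0, 0, 0,                    # link_size, link_off, map_off
                     string_ids, 0,              # string_ids_size, string_ids_off
                     0, 0, 0, 0, 0, 0, 0, 0,     # type/proto/field/method ids size+off
                     classes, 0,                 # class_defs_size, class_defs_off
                     0, 0)                       # data_size, data_off
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_sample_apk():
    """Constructed sample .apk: a zip with a manifest placeholder and one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder, not real binary XML
        z.writestr("classes.dex", build_minimal_dex())
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Treat the .apk as a zip, locate every classes*.dex and validate its header."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = sorted(n for n in names if n.startswith("classes") and n.endswith(".dex"))
        if not dex_names:
            raise ValueError("no classes.dex in archive")
        return {"entries": len(names),
                "dex": {n: parse_dex_header(z.read(n)) for n in dex_names}}


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```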





                               Decompiled Application





                                           Java Decompiler





                              Tip!! Prevent Application
                                Reverse Engineering

          ProGuard (Free) and DexGuard
                – Obfuscator for Android
                – Encrypt strings
                – Encrypt entire classes
                – Add tamper detection





           WORKSHOP !!





                                            Thank You

                                                www.cdicconference.com

CDIC 2013-Mobile Application Pentest Workshop

  • 1. CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com 27 th – 28 th February 2013, Centara Grand & Bangkok Convention Centre at Central World, Bangkok Advanced Mobile Penetration Testing Application Attacks and Defense Mr. Prathan Phongthiproek Consulting Manager GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+
  • 2. CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com Speaker Profile . Mr. Prathan Phongthiproek GIAC GPEN, E|CSA, C|EH, eCPPT, CPTS, CIW Security Analyst, CWNA, CWSP, Security+ ACIS Professional Center E-mail: [email protected] 2
  • 3. CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com Let’s Talk and Workshop  Introduction  Attack Vectors for Pentest  Pentest iOS App  Pentest Android App  Workshop !! 3
  • 4. CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com INTRODUCTION 4
  • 5. CDIC 2013 : Cyber Defense Initiative Conference 2013 www.cdicconference.com Past few years…..  Just Mobile phone – Phone calls – Sending text message or MMS – Alarm clock – Calculator – Listen music  Edge for Surf internet !! 5
• 6. Now…
  - 3G, 4G and Wi-Fi support on mobile networks
  - Phones became more intelligent (smartphones):
    – Sending email
    – Surfing the internet
    – Checking in for flights
    – Online banking transactions
    – Social networks (Facebook, Twitter, Instagram)
• 7. Now…
  - Companies started creating mobile applications to offer services to clients:
    – Storing and synchronising data files in the cloud
    – Participating in social network sites
  - The data these apps store, process and transfer can often be considered sensitive.
• 8. ATTACK VECTORS FOR PENTEST
• 9. Three Attack Surfaces
  - Client software on the mobile device
  - Communications channel
  - Server-side infrastructure
• 10. Client Software
  - Packages are typically downloaded from the App Store or Google Play, or provided via the company's website
  - Testing requires a rooted or jailbroken device to get access to all files and folders on the local file system
  - Packages can be decompiled, tampered with or reverse engineered
• 11. Client Software
  - Attention points:
    – Files on the local file system
    – Application authentication and authorisation
    – Error handling and session management
    – Business logic
    – Decompiling and analysing the app
• 12. [Screenshot] iExplorer for iPhone
• 13. [Screenshot] Profile.properties and user_info.pref.xml
• 14. [Screenshot] Plist files
• 15. [Screenshot] Decompiled application
• 16. Communications Channel
  - The channel between the client and the server (HTTPS over Wi-Fi, EDGE or 3G)
  - Test with an HTTP proxy (Burp, ZAP) to intercept and alter traffic
  - If the application does not use HTTP, use a transparent TCP/UDP proxy such as Mallory
• 17. Communications Channel
  - Attention points:
    – Replay attack vulnerabilities
    – Secure transfer of sensitive information
    – SSLStrip for HTTPS via Wi-Fi (only works where the app follows an http:// link or redirect; a client that only ever speaks https:// is not affected)
    – Set up SSL for the proxy: install the proxy's CA certificate on the device so HTTPS traffic can be intercepted (an app that pins its server certificate will refuse the connection)
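What "replay attack vulnerabilities" on the communications channel means in practice, and the server-side check that closes them, as an added example that is not part of the original slides. Every request carries a timestamp, a one-time nonce and an HMAC over method, path, time, nonce and body; the server checks the signature first, then freshness, then nonce reuse. The header names, the per-session secret and the transfer request are constructed for the example, not taken from any application the slides tested.

```python
"""Replay protection for a mobile API request: sign each request with a
per-session key, a timestamp and a one-time nonce, and have the server reject
captured copies. Constructed example; the header names are an assumption."""
import hashlib
import hmac
import secrets
import time

SECRET = b"per-session key handed out after login (constructed sample)"
WINDOW = 300  # seconds of clock skew tolerated between client and server


def canonical(method, path, body, ts, nonce):
    """Bytes that get signed: method, path, time, nonce and a body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, str(ts), nonce, body_hash]).encode()


def sign_request(method, path, body, secret=SECRET, ts=None, nonce=None):
    """Client side: produce the three headers that accompany the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class ReplayGuard:
    """Server side: verify signature, freshness and nonce uniqueness."""

    def __init__(self, secret=SECRET, window=WINDOW):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; pruned as entries leave the window

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing-headers"
        if abs(now - ts) > self.window:
            return "stale"
        expected = hmac.new(self.secret, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Signature before nonce: an unauthenticated sender must not be able
        # to burn nonces or grow the seen-set.
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"


def demo(now=1_700_000_000):
    """Walk through: genuine request, captured replay, tampered body, old capture."""
    guard = ReplayGuard()
    body = b'{"to":"1234","amount":100}'
    headers = sign_request("POST", "/api/transfer", body, ts=now, nonce="n1")
    first = guard.verify("POST", "/api/transfer", body, headers, now=now)
    # Attacker re-sends the exact bytes sniffed on the Wi-Fi a few seconds later
    replay = guard.verify("POST", "/api/transfer", body, headers, now=now + 5)
    # ...or edits the amount but keeps the captured headers
    tampered = guard.verify("POST", "/api/transfer",
                            b'{"to":"1234","amount":9999}', headers, now=now + 5)
    # ...or replays a request captured long ago that carries a fresh nonce
    old = sign_request("POST", "/api/transfer", body, ts=now - 1000, nonce="n2")
    stale = guard.verify("POST", "/api/transfer", body, old, now=now)
    return first, replay, tampered, stale


if __name__ == "__main__":
    print(demo())
```

The test a pentester runs is the first two calls in demo(): capture one signed request through the proxy and resend it unchanged. If the second copy is accepted, the API has no replay protection regardless of how good the TLS configuration is.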
• 18. [Screenshot] Sniffing traffic
• 19. Server-Side Infrastructure
  - The attack vectors for the web servers behind a mobile application are similar to those used for regular websites
  - Perform host and service scans on the target system to identify running services
• 20. Server-Side Infrastructure
  - Attention points:
    – OWASP Top 10 vulnerabilities (SQL injection, XSS, ...)
    – Running services and their versions
    – Infrastructure vulnerability scanning
• 21. Real Case Study: Mobile App Pentest
  - Client software:
    – Found the backend path in Localizable.strings
  - Server-side infrastructure:
    – Port 8080 (Tomcat) was reachable
    – Logged in with the default Tomcat username and password
    – Uploaded malicious JSP code to the web server (bypassing Symantec AV)
    – Read a configuration file containing the database credentials
    – OWNED!! Database server compromised: capture the flag!
• 22. [Screenshot] Localizable.strings
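How the slide-21 finding is made repeatable: a parser for Apple's .strings format that pulls out every value that looks like a URL or path, plus any key whose name suggests an endpoint or credential. This is an added example, not the slides' own tooling. The table below is constructed for the example; the keys, the internal host and the paths are invented and are not from the application that was tested.

```python
"""Pull hard-coded endpoints and credentials out of an iOS Localizable.strings
table. Constructed sample; keys, host and paths are invented."""
import re

SAMPLE_STRINGS = r'''
/* Login screen */
"login.title" = "Sign in";
"login.error" = "Wrong \"user\" or password";
// Left over from development:
"api.base" = "http://backend.example.internal:8080/api/v1/";
"api.debug.path" = "/internal/debug/";
"support.mail" = "support@example.com";
'''

LOOKS_LIKE_ENDPOINT = re.compile(r'^(?:https?://|/)[^\s"]+$')
SENSITIVE_KEY = re.compile(r"api|url|host|path|key|secret|token|pass", re.I)


def _unescape(s):
    """Decode the backslash escapes .strings files use (quote, backslash,
    n, t, r and U followed by four hex digits)."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "U" and re.fullmatch(r"[0-9A-Fa-f]{4}", s[i + 2:i + 6]):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"n": "\n", "t": "\t", "r": "\r"}.get(n, n))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def parse_strings(text):
    """Minimal scanner for the key = "value"; format. Skips /* */ and //
    comments but leaves a // inside a quoted value (i.e. a URL) alone."""
    entries, key, i, n = {}, None, 0, len(text)
    while i < n:
        if text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif text.startswith("//", i):
            end = text.find("\n", i)
            i = n if end < 0 else end + 1
        elif text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1  # skip escaped characters
            literal = _unescape(text[i + 1:j])
            i = j + 1
            if key is None:
                key = literal
            else:
                entries[key] = literal
                key = None
        else:
            i += 1  # whitespace, '=' and ';'
    return entries


def find_endpoints(entries):
    """Return (key, value) pairs worth a second look: URL or path values,
    or key names that hint at an endpoint or credential."""
    return sorted((k, v) for k, v in entries.items()
                  if LOOKS_LIKE_ENDPOINT.match(v) or SENSITIVE_KEY.search(k))


if __name__ == "__main__":
    for key, value in find_endpoints(parse_strings(SAMPLE_STRINGS)):
        print(f"{key} = {value}")
```

Run it over every .lproj/Localizable.strings inside the unzipped .ipa, not only the base language; binary-plist .strings files should be converted to XML first (plutil -convert xml1 on macOS).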
• 23. [Screenshot] Logged in with default Tomcat credentials
• 24. [Screenshot] Uploading malicious code
• 25. [Screenshot] Backend compromised
• 26. [Screenshot] Database compromised
• 27. PENTEST iOS APPLICATION: Fast Track
• 28. iOS Application
  - Distributed as an ".ipa" file (simply a zip file)
  - Deployed as an ".app" directory (as on Mac OS X)
  - Written in Objective-C
  - Data storage:
    – Plist files
    – SQLite
    – Binary data files
• 29. Fast and Furious Steps
  - Prepare a device: jailbreak it
  - Install tools on the device via Cydia (OpenSSH, MobileTerminal, etc.)
  - Install tools on the workstation:
    – SSH client
    – Plist editor
    – SQLite database browser
    – Wireshark, Burp proxy
• 30. Fast and Furious Steps: read the application's data files
• 31. Fast and Furious Steps: set up a proxy to intercept and manipulate traffic
• 32. [Screenshot] Fast and Furious Steps
• 33. PENTEST ANDROID APPLICATION: Fast and Furious
• 34. Android Application
  - Distributed as an ".apk" file (simply a zip file)
  - Multi-user OS (each app runs under its own Linux UID) with the Dalvik VM
  - Android executes .dex (Dalvik bytecode) files on the Dalvik VM
  - Data storage:
    – XML files (SharedPreferences)
    – SQLite
• 35. [Diagram] Android Application
• 36. [Diagram] Android and Java
• 37. Preparation Tools for Pentest
  - Android SDK tools: AVD Manager and SDK Manager
  - Java 5, 6 or 7
  - Eclipse for code review
  - MITM proxy tools such as Burp
  - dex2jar, JD-GUI
• 38. [Screenshot] Setting up the environment
• 39. [Screenshot] Setting up the environment
• 40. [Screenshot] Setting up the environment
• 41. adb install <apk path>
• 42. [Screenshot] Configuring the proxy
• 43. [Screenshot] Configuring the proxy
• 44. adb shell
• 45. [Screenshot] Accessing the database via adb shell
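Once the app's container has been pulled from the device (scp from the jailbroken iPhone in the iOS fast-track steps, adb pull on Android), the first pass is the same on both platforms: open every plist, SharedPreferences XML and SQLite file and look for secrets stored in the clear. The triage script below is an added example, not the workshop's own code; it serves both the iOS "read the application's data files" step and the Android database step. The sandbox it scans is constructed in a temporary directory, with invented file names, keys and values, so nothing here comes from a real device.

```python
"""Triage an app's sandbox for secrets stored in the clear in the stores the
slides list: plist (iOS), SharedPreferences XML (Android) and SQLite (both).
Constructed sample sandbox; nothing here is pulled from a real device."""
import os
import plistlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Deliberately noisy: a triage pass should over-report and let the tester filter.
SENSITIVE = re.compile(r"pass|pwd|secret|token|session|auth|card", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_sandbox():
    """Create a throw-away directory laid out like a pulled app container."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    for sub in ("Library/Preferences", "shared_prefs", "databases"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "Library/Preferences/com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "lastTab": 2},
                      f, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(root, "shared_prefs/user_info.pref.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="session_token">tok-0123456789abcdef</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    db = sqlite3.connect(os.path.join(root, "databases/app.db"))
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2')")
    db.execute("CREATE TABLE notes (id INTEGER, body TEXT)")
    db.commit()
    db.close()
    return root


def _scan_plist(path):
    """plistlib reads both XML and binary plists; report sensitive-looking keys."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    if not isinstance(data, dict):
        return []
    return [(k, str(v)) for k, v in data.items() if SENSITIVE.search(k)]


def _scan_shared_prefs(path):
    """Android SharedPreferences: <map> of <string name=..>, <boolean name=.. value=..> etc."""
    hits = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        if SENSITIVE.search(name):
            hits.append((name, el.get("value", el.text or "")))
    return hits


def _scan_sqlite(path):
    """Walk every table's columns and sample rows from sensitive-looking columns."""
    db = sqlite3.connect(path)
    hits = []
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in db.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]
            if SENSITIVE.search(col):
                for (val,) in db.execute(f'SELECT "{col}" FROM "{table}" LIMIT 5'):
                    hits.append((f"{table}.{col}", str(val)))
    db.close()
    return hits


def triage(root):
    """Return sorted (relative path, key, value) findings for the whole tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                head = f.read(16)
            if head.startswith(SQLITE_MAGIC):       # content check beats extension
                hits = _scan_sqlite(path)
            elif name.endswith(".plist") or head.startswith(b"bplist"):
                hits = _scan_plist(path)
            elif name.endswith(".xml"):
                hits = _scan_shared_prefs(path)
            else:
                continue
            findings.extend((rel, k, v) for k, v in hits)
    return sorted(findings)


if __name__ == "__main__":
    for rel, key, value in triage(build_sample_sandbox()):
        print(f"{rel}: {key} = {value}")
```

The content sniffing matters: apps routinely store SQLite databases under names without a .db suffix, and iOS .strings and .plist files may be either XML or binary, so classify by the first bytes rather than by extension wherever you can.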
• 46. Android Debug Bridge (ADB)
  - Packaged with the Android Software Development Kit
  - Essential adb commands:
    – adb devices: lists the serial numbers of the attached device(s)
    – adb kill-server: shuts down the adb daemon
    – adb shell: remote terminal on the device
    – adb push: copies files from the local workstation to the device
    – adb pull: copies files from the device to the local workstation
    – adb remount: remounts the /system partition read-write (needs a rooted device or adbd running as root)
    – adb forward: forwards a local port to a port on the device (e.g. adb forward tcp:8080 tcp:8080)
    – adb help: usage for all adb commands
• 47. Source Code Review
  - Rename the .apk file to .zip (or unzip it directly)
  - Extract the archive and locate classes.dex
  - Run dex2jar to convert classes.dex into a .jar
  - Open the JAR in JD-GUI and review the decompiled Java source
• 48. [Screenshot] Decompiled application
• 49. [Screenshot] Java Decompiler
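What dex2jar and JD-GUI do first, shown at the byte level, as an added example rather than the workshop's tooling: parse the classes.dex header, verify its Adler-32 checksum and SHA-1 signature, walk the string_ids table and pull out the strings that matter to a pentester (URLs, API keys, passwords). The dex built by build_sample_dex() is a constructed minimal file containing only a header and a string table; the class name, URL and key in it are invented and the map_off field is left at zero, so it is not a loadable classes.dex, just enough structure for the parser.

```python
"""Parse the classes.dex header and string table directly. Constructed sample
dex (header + string_ids + string_data only); strings are invented."""
import hashlib
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def _uleb128(data, off):
    """Decode an unsigned LEB128 value; return (value, next offset)."""
    result, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def _encode_uleb128(n):
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def build_sample_dex(strings):
    """Constructed minimal dex: 0x70-byte header, string_ids, string_data."""
    string_ids_off = HEADER_SIZE
    data_off = string_ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        # string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL terminator
        # (MUTF-8 equals UTF-8 for the BMP, non-NUL strings used here)
        data += _encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    string_ids = b"".join(struct.pack("<I", o) for o in offsets)
    file_size = data_off + len(data)
    # Fields after the signature: file_size, header_size, endian_tag, link_size,
    # link_off, map_off, then (size, off) for string/type/proto/field/method/
    # class_defs, then data_size, data_off. Only the string table is populated.
    tail = struct.pack("<20I", file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0,
                       len(strings), string_ids_off, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       len(data), data_off)
    body = tail + string_ids + bytes(data)
    signature = hashlib.sha1(body).digest()                  # covers bytes after itself
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # covers bytes after itself
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def parse_dex_strings(dex):
    """Validate the header and return every entry of the string table."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 checksum mismatch")
    if dex[12:32] != hashlib.sha1(dex[32:]).digest():
        raise ValueError("sha1 signature mismatch")
    fields = struct.unpack_from("<20I", dex, 32)
    file_size, header_size, endian = fields[0], fields[1], fields[2]
    string_ids_size, string_ids_off = fields[6], fields[7]
    if header_size != HEADER_SIZE or endian != ENDIAN_CONSTANT or file_size != len(dex):
        raise ValueError("bad header")
    out = []
    for i in range(string_ids_size):
        (off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, p = _uleb128(dex, off)   # length is in UTF-16 units; we stop at NUL
        end = dex.index(b"\x00", p)
        out.append(dex[p:end].decode("utf-8"))
    return out


INTERESTING = re.compile(r"https?://|/api/|key|secret|password|token", re.I)


def interesting_strings(dex):
    """The strings a reviewer greps for first in a decompiled app."""
    return [s for s in parse_dex_strings(dex) if INTERESTING.search(s)]


SAMPLE_DEX_STRINGS = ["Lcom/example/net/Api;", "https://api.example.com/v1/login",
                      "X-Api-Key", "s3cr3t-api-key-value", "onCreate"]
SAMPLE_DEX = build_sample_dex(SAMPLE_DEX_STRINGS)

if __name__ == "__main__":
    print(interesting_strings(SAMPLE_DEX))
```

Point the parser at a real classes.dex from an unzipped .apk and the same loop works; the checksum and signature checks are also what tells you, after a patch-and-repack exercise, whether the tool you used rewrote the header correctly.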
• 50. Tip!! Prevent Application Reverse Engineering
  - ProGuard (free) and DexGuard (commercial): obfuscators for Android
    – Encrypt strings
    – Encrypt entire classes
    – Add tamper detection
  - Note: ProGuard only shrinks and renames identifiers; string and class encryption and tamper detection are DexGuard features, and all of them raise the bar rather than stop reverse engineering on a rooted device.
• 51. WORKSHOP!!
• 52. Thank You (www.cdicconference.com)