SlideShare a Scribd company logo
Mobile Application Security – Effective
           Methodology,
         Effective Testing!




     OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
hemil@espheresecurity.net
                                                                http://www.espheresecurity.com

         Who Am I?
•   Hemil Shah – hemil@espheresecurity.net
•   Past experience
      – HBO, KPMG, IL&FS, Net Square
•   Interest
      – Application security research (Web & Mobile)
•   Published research
      – Articles / Papers – Packstroem, etc.
      – Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.




                     OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Past, Present and Future
                                                                 Focus



                                                     2010
                                                     Cloud




   OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Enterprise Technology Trend
• 2007. Web services would rocket from
  $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented
  Architecture (SOA) would surge ahead.
  [Gartner]
• 2009. Enterprise 2.0 in action and
  penetrating deeper into the corporate
  environment
• 2010. Flex/HTML5/Cloud/API/Mobile era.
          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Mobile Infrastructure
                           Other
                           Office
                           s



                                           Internet
  Exchange
                firewall


                                         DMZ
Dial-up
                   router
          VPN                                                                     intranet


  www           mail
                               RAS
                 Database India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
                 OWASP InfoSec
Mobile App Environment
  Internet                         DMZ                                          Trusted



                                                SOAP/JSON etc.

Mobile                                                                                     W
                                                                                           E
                                            Scripted                    Application        B
                             Web             Web                         Servers           S
                            Server          Engine                         And             E
                           Static pages only
Web                                          Dynamic pages
                          (HTML,HTM, etc.) (ASP,DHTML, PHP,             Integrated         R
Client                                         CGI, etc.)               Framework          V


                                               X
                                                                                           I
                                                                          ASP.NET on       C
                                                                        .Net Framework,    E
                                                                        J2EE App Server,   S
                                                                         Web Services,
                                               DB                             etc.


                                      Internal/Corporate
             OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Mobile Apps




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Gartner Statistics




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Gartner Statistics




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Mobile Changes
• Application Infrastructure

   Changing dimension                       Web                             Mobile
  (AI1) Protocols                HTTP & HTTPS                   JSON, SOAP, REST etc. over
                                                                   HTTP & HTTPS

  (AI2) Information              HTML transfer                  JSON, JS Objects, XML, etc.
     structures
  (AI3) Technology               Java, DotNet, PHP,             Cocoa, Java with Platform
                                     Python and so on              SDKs, HTML5

  (AI4) Information              Mainly on Server Side          Client and Server Side
     Store/Process




                    OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Mobile Changes
• Security Threats

 Changing dimension                      Web                               Mobile
 (T1) Entry points          Structured                          Scattered and multiple

 (T2) Dependencies          Limited                              Multiple technologies
                                                                 Information sources
                                                                 Protocols

 (T3) Vulnerabilities       Server side [Typical                 Web services [Payloads]
                            injections]                          Client side [Local Storage]

 (T4) Exploitation          Server side exploitation            Both server and client side
                                                                exploitation




                 OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Black Review flow
                                            Mobile and Device Security
        Architecture Review                 •Insecure storage
                                            •Insecure network Communication - Carriers network security & WiFi network attacks
                                            •Unauthorized dialing & SMS
               Scoping                      •UI Impersonation/Spoofing
                                            •Activity monitoring and data retrieval
 Server Side Application Footprinting       •Sensitive data leakage
                                            •Hardcoded passwords/keys
                                            •Language issues
  Mobile Application Footprinting           •Timely application update
                                            •Jail breaking/Physical device theft
                                            •KeyBoard cache/ClipBoard issue
       Application Discovery                •Reading information from SQLite database
                                            •Insecure Protocol Handler implementation
                                            •And few other loopholes
    Application Threat Modeling


Application Deployment Assessment
                                              Application Security – Authentication,
                                              Access Controls/Authorization, API misuse, Path traversal,
Application Enumeration and Profiling         Sensitive information leakage, Error handling, Session management,
                                              Protocol abuse, Input validations, Cross Site Scripting (XSS),
                                              Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto,
      Vulnerability Assessment
                                              Denial of Services, Malicious Code Injection, SQL injection,
                                              XPATH and LDAP injections, OS command injection,
        Mitigation Strategies                 Parameter manipulations, Bruteforce, Buffer Overflow,
                                              Format string, HTTP response splitting, HTTP replay,
                                              XML injection, Canonicalization, Logging and auditing.
             Reporting

                                OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
White Review flow
                                       Mobile and Device Security
  Architecture Review                  •Insecure storage
                                       •Insecure network Communication - Carriers network security & WiFi network attacks
                                       •Unauthorized dialing & SMS
         Scoping                       •UI Impersonation/Spoofing
                                       •Activity monitoring and data retrieval
                                       •Sensitive data leakage
    Threat Modeling                    •Hardcoded passwords/keys
                                       •Language issues
   Code Enumeration                    •Timely application update
                                       •Jail breaking/Physical device theft
                                       •KeyBoard cache/ClipBoard issue
   Code Mapping and
                                       •Reading information from SQLite database
     Functionality                     •Insecure Protocol Handler implementation
                                       •And few other loopholes
Security Controls & Cases

                                       Sample Security Control Categories – Authentication,
 Entry Point Discoveries
                                       Access Controls/Authorization, API misuse, Path traversal,
Class, Function & Variable             Sensitive information leakage, Error handling, Session management,
         Tracing                       Protocol abuse, Input validations, Cross Site Scripting (XSS),
                                       Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto,
 Vulnerability Detection               Denial of Services, Malicious Code Injection, SQL injection,
                                       XPATH and LDAP injections, OS command injection,
   Mitigation Controls                 Parameter manipulations, Bruteforce, Buffer Overflow,
                                       Format string, HTTP response splitting, HTTP replay,
        Reporting                      XML injection, Canonicalization, Logging and auditing.
                             OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Mobile Top 10 - OWASP
•   Insecure Data Storage
•   Weak Server Side Controls
•   Insufficient Transport Layer Protection
•   Client Side Injection
•   Poor Authorization and Authentication
•   Improper Session Handling
•   Security Decisions Via Untrusted Inputs
•   Side Channel Data Leakage
•   Broken Cryptography
•   Sensitive Information Disclosure

               OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Storage




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Storage
• Why application needs to store data
  – Ease of use for the user
  – Popularity
  – Competition
  – Activity with single click
  – Decrease Transaction time
  – Post/Get information to/from Social Sites
• 9 out of 10 applications have this
  vulnerability
           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Storage
• How attacker can gain access
  – Wifi
  – Default password after jail breaking (alpine)
  – Physical Theft
  – Temporary access to device




           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Storage
• What information we usually find
  – Authentication Credentials
  – Authorization tokens
  – Financial Statements
  – Credit card numbers
  – Owner’s Information – Physical Address,
    Name, Phone number
  – Social Engineering Sites profile/habbits
  – SQL Queries
           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Local file access




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Network
              Communication




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Network Channel
• Easy to perform MiM attacks as Mobile
  devices uses untrusted network i.e
  open/Public WiFi, HotSpot, Carrier’s
  Network
• Application deals with sensitive data i.e.
  – Authentication credentials
  – Authorization token
  – PII Information (Privacy Violation) (Owner
    Name, Phone number, UDID)
           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Insecure Network Channel
• Can sniff the traffic to get an access to
  sensitive data
• SSL is the best way to secure
  communication channel
• Common Issues
  – Does not deprecate HTTP requests
  – Allowing invalid certificates
  – Sensitive information in GET requests

           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Session token




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Unauthorized Dialing/SMS




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Unauthorized Dialing/SMS
• Social Engineering using Mobile Devices
• Attacker plays with user’s mind
• User installs application
• Application sends premium rate SMS or a
  premium rate phone call to unknown
  number
• Used by Malware/Trojans


          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
AndroidOS.FakePlayer
•   August 2010
•   Sends costly International SMS
•   One SMS Costs – 25 USD (INR 1250)
•   Application Sends SMS to –
    – 3353 & 3354 numbers in Russia




            OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
GGTracker
• June 2010
• Another Application which sends
  International SMS
• One SMS Costs – 40 USD (INR 2000)
• Application Sends Premium SMS to US
  numbers



         OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
UI Impersonation




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
UI Impersonation
• Attack has been there since long
• On a mobile stack, known as UI
  impersonation
• Other names are Phishing Attack,
  ClickJacking
• Attacker plays with user’s mind and try to
  impersonate as other user or other
  application

           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
UI Impersonation
• Victim looses credit card information or
  authentication credentials or secret
• One application can create local PUSH
  notification as it is created from apple
  store
• Flow in review process of AppStore –
  Anyone can name anything to their
  application

           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
NetFlix
• Oct -2011
• Steals users “netflix” account information
• Application shows error message to user
  “Compatibility issues with the user’s
  hardware” when user enters username
  and password
• Once error message, application uninstalls
  itself

          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Activity Monitoring




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Activity Monitoring
• Sending a blind carbon copy of each
  email to attacker
• Listening all phone calls
• Email contact list, pictures to attacker
• Read all emails stored on the device
• Usual intension of Spyware/Trojans



           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Activity Monitoring
• Attacker can monitor –
  – Audio Files
  – Video
  – Pictures
  – Location
  – Contact List
  – Call/Browser/SMS History
  – Data files

          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Android.Pjapps
• Early 2010
• Steal/Change users information
• Application –
  – Send and monitor incoming SMS messages
  – Read/write to the user's browsing history and
    bookmarks
  – Install packages and Open Sockets
  – Write to external storage
  – Read the phone's state
           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
System Modification




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
System Modification
• Application will attempt to modify system
  configuration to hide itself (Historically this
  is known as ROOTKIT)
• Configuration changes makes certain
  attack possible i.e. –
  – Modifying device proxy to get user’s activity
    monitoring
  – Configure BCC email sending to attacker


           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
iKee – iPhone Worm
• “ikee” iPhone Worm
                                                                    After infected by “ikee“
  – Change root password                                            iPhone look like this
  – Change wallpaper to Ricky Martin.




            OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
PII Information Leakage




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
PII Information Leakage
• Application usually have access to user’s
  private information i.e. Owner Name,
  Location, Physical Address, AppID, Phone
  Number
• This information needs to be handled very
  carefully as per the law in some countries
• Storing this information in plain text is not
  allowed in some countries

           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
PII Information




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Hardcoded Secrets




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Hardcoded Secrets
• Easiest way for developer to solve
  complex issues/functionality
• Attacker can get this information by either
  reverse engineering application or by
  checking local storage




           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Keychain Dumper




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Language Specific Issues




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Language Specific Issues
• Application in iOS are developed in
  Objective-C language which is derived
  from classic C language
• Along with this derivation, it also derives
  security issues in C language i.e. overflow
  attacks
• Using Dex2jar, source code of android
  application can be accessed

           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
dexdump
Convert dump .dex files:




        OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
SQL Injection in Local database




  OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
SQL Injection in Local database
• Most Mobile platforms uses SQLite as
  database to store information on the
  device
• Using any SQLite Database Browser, it is
  possible to access database logs which
  has queries and other sensitive database
  information
• In case application is not filtering input,
  SQL Injection on local database is
  possible OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Injection…




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Information in Common
           Services




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Common Services
• KeyBoard, Clipboard are shared amongst
  all the applications.
• Information stored in clipboard can be
  accessed by all the application
• Sensitive information should not be
  allowed to copy/paste in the application



          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Server Side Issues




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Server Side Issues
• Most Application makes server side calls
  to either web services or some other
  component. Security of server side
  component is equally important as client
  side
• Controls to be tested on the server side –
  Security Control Categories for Server
  Side Application– Authentication, Access
  Controls/Authorization, API misuse, Path
  traversal, Sensitive information leakage,
          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Server Side Issues
Error handling, Session management,
Protocol abuse, Input validations, XSS,
CSRF, Logic bypass, Insecure crypto, DoS,
Malicious Code Injection, SQL injection,
XPATH and LDAP injections, OS command
injection, Parameter manipulations,
BruteForce, Buffer Overflow, HTTP
response splitting, HTTP replay, XML
injection, Canonicalization, Logging and
auditing.
          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Binary auditing




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Using GDB




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
        (iOS Applications)




OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
• Fuzz all possible Inputs to the application
  and validate output (Query String, POST
  data, external HTML, RSS Feed or
  database feed)
• Audit traditional memory unsafe methods
  (strcpy, memcpy)
• Watch out for format string vulnerabilities
• Look for hard coded credentials / secrets

           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
• Check network connection (grep for
  NSURL, CFStream, NSStream)
• Check Database connection and queries
  (grep SQL strings and SQLLite queries)
• Check only trusted certificate are allowed
  (Look for setAllowsAnyHTTPSCertificate
  and didReceiveAuthenticationChallenge)
• Check what is logged (grep NSLog)

          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
• Check implementation of URLSchemes in
  handleOpenURL
• Check what is stored in keychain
  (kSecAttrAccessibleWhenUnlocked or
  kSecAttrAccessibleAfterFirstUnlock
  attributes when calling SecItemAdd or
  SecItemUpdate) and the file system
  (NSDataWritingFileProtectionComplete).

         OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
• Check how critical data is stored
  (NSUserDefaults should not be used to
  store critical data)
• Check Server Side controls
• Decrypt the binary and run strings to find
  sensitive information



           OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
• Check whether application uses
  UIWebView (How application loads HTLM
  and where it is rendered from? Is URL
  visible?)
• Check whether copy-paste functionality is
  enabled in sensitive fields (PII fields)
• Install your favorite proxy to monitor +
  fuzz web traffic
• Run the app using disassemble to monitor
  calls   OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Pen testing Check list
• Check whether critical data fields are
  hidden in applicationWillTerminate and
  applicationWillEnterBackground to
  prevent screenshot caching
• Check how application handles PII
  information




          OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Thank you

                                                    Hemil Shah
                                              hemil@espheresecurity.net
                                                  +91 99790 55100
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)

More Related Content

What's hot (20)

PDF
Security Testing Mobile Applications
Denim Group
 
ODP
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
PDF
Challenges in Testing Mobile App Security
Cygnet Infotech
 
PPTX
Security testing of mobile applications
GTestClub
 
PDF
Mobile Threats and Trends Changing Mobile App Security
DevOps.com
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
PPTX
Web application penetration testing
Imaginea
 
PPTX
Pentesting With Web Services in 2012
Ishan Girdhar
 
PPTX
Penetrating Android Aapplications
Roshan Thomas
 
PDF
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
PPT
Get Ready for Web Application Security Testing
Alan Kan
 
PDF
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
PPTX
Network penetration testing
Imaginea
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
PPTX
Android pen test basics
OWASPKerala
 
PDF
VSEC Sourcecode Review Service Profile
Vietnamese Network Security J.S.C
 
PDF
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
PDF
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
Security Testing Mobile Applications
Denim Group
 
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
Challenges in Testing Mobile App Security
Cygnet Infotech
 
Security testing of mobile applications
GTestClub
 
Mobile Threats and Trends Changing Mobile App Security
DevOps.com
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Web application penetration testing
Imaginea
 
Pentesting With Web Services in 2012
Ishan Girdhar
 
Penetrating Android Aapplications
Roshan Thomas
 
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Get Ready for Web Application Security Testing
Alan Kan
 
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
Network penetration testing
Imaginea
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Android pen test basics
OWASPKerala
 
VSEC Sourcecode Review Service Profile
Vietnamese Network Security J.S.C
 
OWASP API Security TOP 10 - 2019
Miguel Angel Falcón Muñoz
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 

Viewers also liked (19)

PDF
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
PDF
Mobile Application Security
cclark_isec
 
PDF
Gursev kalra _mobile_application_security_testing - ClubHack2009
ClubHack
 
PDF
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
PPTX
Cybersecurity Best Practices in Financial Services
John Rapa
 
PDF
How to scale mobile application security testing
NowSecure
 
ODP
Mobile Apps Security Testing -3
Krisshhna Daasaarii
 
PPTX
Basic Guide For Mobile Application Testing
Sourabh Kasliwal
 
PDF
Segurança no Desenvolvimento de App`s
Onyo
 
PDF
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
GuardSquare
 
PDF
iOS Masque Attack
Minded Security
 
PDF
Linkedin.com DomXss 04-08-2014
Giorgio Fedon
 
PDF
Concrete5 Sendmail RCE Advisory
Minded Security
 
PDF
Concrete5 Multiple Reflected XSS Advisory
Minded Security
 
PDF
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
PDF
Mobile Banking Security: Challenges, Solutions
Cognizant
 
PDF
Advanced JS Deobfuscation
Minded Security
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Mobile Application Security
cclark_isec
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
ClubHack
 
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
Mobile Application Security
Ishan Girdhar
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
Cybersecurity Best Practices in Financial Services
John Rapa
 
How to scale mobile application security testing
NowSecure
 
Mobile Apps Security Testing -3
Krisshhna Daasaarii
 
Basic Guide For Mobile Application Testing
Sourabh Kasliwal
 
Segurança no Desenvolvimento de App`s
Onyo
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
GuardSquare
 
iOS Masque Attack
Minded Security
 
Linkedin.com DomXss 04-08-2014
Giorgio Fedon
 
Concrete5 Sendmail RCE Advisory
Minded Security
 
Concrete5 Multiple Reflected XSS Advisory
Minded Security
 
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
Mobile Banking Security: Challenges, Solutions
Cognizant
 
Advanced JS Deobfuscation
Minded Security
 
Ad

Similar to Mobile application security – effective methodology, efficient testing! hemil shah (20)

PPT
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
PDF
Find me if you can – smart fuzzing and discovery! shreeraj shah
owaspindia
 
PDF
Shreeraj-Hacking_Web_2
guest66dc5f
 
PDF
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
 
PDF
Shreeraj - Hacking Web 2 0 - ClubHack2007
ClubHack
 
PDF
Cloud & The Mobile Stack
Subbu Ramanathan
 
PDF
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Shreeraj Shah
 
PDF
Is the Web at Risk?
Carlos Serrao
 
PDF
Amish Umesh - Future Of Web App Testing - ClubHack2007
ClubHack
 
PDF
Eva flex java_1_slides
Michael Chaize
 
PDF
ITCamp 2012 - Adam Granicz - Web development with WebSharper in F#
ITCamp
 
PDF
Pervasive Web Application Architecture
UC San Diego
 
PDF
Dharmes Mistry Tony De Bree S O A Business Persp V1b
SOA Symposium
 
PDF
Poly Source It Profile
moseskhedi
 
PDF
Polysource It Profile
elenarys
 
PDF
Ibrussels For Stedenlink
Koen Delvaux
 
PDF
Polysource-IT Profile
Helen
 
PDF
Polysource-IT Profile
Helen
 
PPTX
IBM Worklight-Overview
IBM WebSphereIndia
 
PDF
Cluedin JavaOne 2009
aegloff
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
owaspindia
 
Shreeraj-Hacking_Web_2
guest66dc5f
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
ClubHack
 
Cloud & The Mobile Stack
Subbu Ramanathan
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Shreeraj Shah
 
Is the Web at Risk?
Carlos Serrao
 
Amish Umesh - Future Of Web App Testing - ClubHack2007
ClubHack
 
Eva flex java_1_slides
Michael Chaize
 
ITCamp 2012 - Adam Granicz - Web development with WebSharper in F#
ITCamp
 
Pervasive Web Application Architecture
UC San Diego
 
Dharmes Mistry Tony De Bree S O A Business Persp V1b
SOA Symposium
 
Poly Source It Profile
moseskhedi
 
Polysource It Profile
elenarys
 
Ibrussels For Stedenlink
Koen Delvaux
 
Polysource-IT Profile
Helen
 
Polysource-IT Profile
Helen
 
IBM Worklight-Overview
IBM WebSphereIndia
 
Cluedin JavaOne 2009
aegloff
 
Ad

More from owaspindia (7)

PDF
Real time evaluation of national network exposure to emerging threats - fyodo...
owaspindia
 
PDF
Public exploit held private – penetration testing the researcher’s way tama...
owaspindia
 
PDF
New and improved hacking oracle from web apps sumit sidharth
owaspindia
 
PDF
International approaches to critical information infrastructure protection ...
owaspindia
 
PDF
Getting the end point security right! - k. k. mookhey
owaspindia
 
PDF
From app sec to malsec malware hooked, criminal crooked alok gupta
owaspindia
 
PDF
The magic of passive web vulnerability analysis lava kumar
owaspindia
 
Real time evaluation of national network exposure to emerging threats - fyodo...
owaspindia
 
Public exploit held private – penetration testing the researcher’s way tama...
owaspindia
 
New and improved hacking oracle from web apps sumit sidharth
owaspindia
 
International approaches to critical information infrastructure protection ...
owaspindia
 
Getting the end point security right! - k. k. mookhey
owaspindia
 
From app sec to malsec malware hooked, criminal crooked alok gupta
owaspindia
 
The magic of passive web vulnerability analysis lava kumar
owaspindia
 

Recently uploaded (20)

PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
PDF
July Patch Tuesday
Ivanti
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PDF
What Makes Contify’s News API Stand Out: Key Features at a Glance
Contify
 
PDF
Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PPTX
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PPTX
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
PDF
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
PDF
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
PDF
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
PDF
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
PDF
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
PPTX
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
DOCX
Cryptography Quiz: test your knowledge of this important security concept.
Rajni Bhardwaj Grover
 
PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
PDF
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
July Patch Tuesday
Ivanti
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
What Makes Contify’s News API Stand Out: Key Features at a Glance
Contify
 
Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
Cryptography Quiz: test your knowledge of this important security concept.
Rajni Bhardwaj Grover
 
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 

Mobile application security – effective methodology, efficient testing! hemil shah

  • 1. Mobile Application Security – Effective Methodology, Effective Testing! OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 2. [email protected] http://www.espheresecurity.com Who Am I? • Hemil Shah – [email protected] • Past experience – HBO, KPMG, IL&FS, Net Square • Interest – Application security research (Web & Mobile) • Published research – Articles / Papers – Packstroem, etc. – Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 3. Past, Present and Future Focus 2010 Cloud OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 4. Enterprise Technology Trend • 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC] • 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner] • 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment • 2010. Flex/HTML5/Cloud/API/Mobile era. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 5. Mobile Infrastructure Other Office s Internet Exchange firewall DMZ Dial-up router VPN intranet www mail RAS Database India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) OWASP InfoSec
  • 6. Mobile App Environment Internet DMZ Trusted SOAP/JSON etc. Mobile W E Scripted Application B Web Web Servers S Server Engine And E Static pages only Web Dynamic pages (HTML,HTM, etc.) (ASP,DHTML, PHP, Integrated R Client CGI, etc.) Framework V X I ASP.NET on C .Net Framework, E J2EE App Server, S Web Services, DB etc. Internal/Corporate OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 7. Mobile Apps OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 8. Gartner Statistics OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 9. Gartner Statistics OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 10. Mobile Changes • Application Infrastructure Changing dimension Web Mobile (AI1) Protocols HTTP & HTTPS JSON, SOAP, REST etc. over HTTP & HTTPS (AI2) Information HTML transfer JSON, JS Objects, XML, etc. structures (AI3) Technology Java, DotNet, PHP, Cocoa, Java with Platform Python and so on SDKs, HTML5 (AI4) Information Mainly on Server Side Client and Server Side Store/Process OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 11. Mobile Changes • Security Threats Changing dimension Web Mobile (T1) Entry points Structured Scattered and multiple (T2) Dependencies Limited  Multiple technologies  Information sources  Protocols (T3) Vulnerabilities Server side [Typical  Web services [Payloads] injections]  Client side [Local Storage] (T4) Exploitation Server side exploitation Both server and client side exploitation OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 12. Black Review flow Mobile and Device Security Architecture Review •Insecure storage •Insecure network Communication - Carriers network security & WiFi network attacks •Unauthorized dialing & SMS Scoping •UI Impersonation/Spoofing •Activity monitoring and data retrieval Server Side Application Footprinting •Sensitive data leakage •Hardcoded passwords/keys •Language issues Mobile Application Footprinting •Timely application update •Jail breaking/Physical device theft •KeyBoard cache/ClipBoard issue Application Discovery •Reading information from SQLite database •Insecure Protocol Handler implementation •And few other loopholes Application Threat Modeling Application Deployment Assessment Application Security – Authentication, Access Controls/Authorization, API misuse, Path traversal, Application Enumeration and Profiling Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Vulnerability Assessment Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Mitigation Strategies Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Reporting OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 13. White Review flow Mobile and Device Security Architecture Review •Insecure storage •Insecure network Communication - Carriers network security & WiFi network attacks •Unauthorized dialing & SMS Scoping •UI Impersonation/Spoofing •Activity monitoring and data retrieval •Sensitive data leakage Threat Modeling •Hardcoded passwords/keys •Language issues Code Enumeration •Timely application update •Jail breaking/Physical device theft •KeyBoard cache/ClipBoard issue Code Mapping and •Reading information from SQLite database Functionality •Insecure Protocol Handler implementation •And few other loopholes Security Controls & Cases Sample Security Control Categories – Authentication, Entry Point Discoveries Access Controls/Authorization, API misuse, Path traversal, Class, Function & Variable Sensitive information leakage, Error handling, Session management, Tracing Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Vulnerability Detection Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Mitigation Controls Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, Reporting XML injection, Canonicalization, Logging and auditing. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 14. Mobile Top 10 - OWASP • Insecure Data Storage • Weak Server Side Controls • Insufficient Transport Layer Protection • Client Side Injection • Poor Authorization and Authentication • Improper Session Handling • Security Decisions Via Untrusted Inputs • Side Channel Data Leakage • Broken Cryptography • Sensitive Information Disclosure OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 15. Insecure Storage OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 16. Insecure Storage • Why application needs to store data – Ease of use for the user – Popularity – Competition – Activity with single click – Decrease Transaction time – Post/Get information to/from Social Sites • 9 out of 10 applications have this vulnerability OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 17. Insecure Storage • How attacker can gain access – Wifi – Default password after jail breaking (alpine) – Physical Theft – Temporary access to device OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 18. Insecure Storage • What information we usually find – Authentication Credentials – Authorization tokens – Financial Statements – Credit card numbers – Owner’s Information – Physical Address, Name, Phone number – Social Engineering Sites profile/habbits – SQL Queries OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 19. Local file access OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 20. Insecure Network Communication OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 21. Insecure Network Channel • Easy to perform MiM attacks as Mobile devices uses untrusted network i.e open/Public WiFi, HotSpot, Carrier’s Network • Application deals with sensitive data i.e. – Authentication credentials – Authorization token – PII Information (Privacy Violation) (Owner Name, Phone number, UDID) OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 22. Insecure Network Channel • Can sniff the traffic to get an access to sensitive data • SSL is the best way to secure communication channel • Common Issues – Does not deprecate HTTP requests – Allowing invalid certificates – Sensitive information in GET requests OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 23. Session token OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 24. Unauthorized Dialing/SMS OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 25. Unauthorized Dialing/SMS • Social Engineering using Mobile Devices • Attacker plays with user’s mind • User installs application • Application sends premium rate SMS or a premium rate phone call to unknown number • Used by Malware/Trojans OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 26. AndroidOS.FakePlayer • August 2010 • Sends costly International SMS • One SMS Costs – 25 USD (INR 1250) • Application Sends SMS to – – 3353 & 3354 numbers in Russia OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 27. GGTracker • June 2010 • Another Application which sends International SMS • One SMS Costs – 40 USD (INR 2000) • Application Sends Premium SMS to US numbers OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 28. UI Impersonation OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 29. UI Impersonation • Attack has been there since long • On a mobile stack, known as UI impersonation • Other names are Phishing Attack, ClickJacking • Attacker plays with user’s mind and try to impersonate as other user or other application OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 30. UI Impersonation • Victim looses credit card information or authentication credentials or secret • One application can create local PUSH notification as it is created from apple store • Flow in review process of AppStore – Anyone can name anything to their application OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 31. NetFlix • Oct -2011 • Steals users “netflix” account information • Application shows error message to user “Compatibility issues with the user’s hardware” when user enters username and password • Once error message, application uninstalls itself OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 32. Activity Monitoring OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 33. Activity Monitoring • Sending a blind carbon copy of each email to attacker • Listening all phone calls • Email contact list, pictures to attacker • Read all emails stored on the device • Usual intension of Spyware/Trojans OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 34. Activity Monitoring • Attacker can monitor – – Audio Files – Video – Pictures – Location – Contact List – Call/Browser/SMS History – Data files OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 35. Android.Pjapps • Early 2010 • Steal/Change users information • Application – – Send and monitor incoming SMS messages – Read/write to the user's browsing history and bookmarks – Install packages and Open Sockets – Write to external storage – Read the phone's state OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 36. System Modification OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 37. System Modification • Application will attempt to modify system configuration to hide itself (Historically this is known as ROOTKIT) • Configuration changes makes certain attack possible i.e. – – Modifying device proxy to get user’s activity monitoring – Configure BCC email sending to attacker OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 38. iKee – iPhone Worm • “ikee” iPhone Worm After infected by “ikee“ – Change root password iPhone look like this – Change wallpaper to Ricky Martin. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 39. PII Information Leakage OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 40. PII Information Leakage • Application usually have access to user’s private information i.e. Owner Name, Location, Physical Address, AppID, Phone Number • This information needs to be handled very carefully as per the law in some countries • Storing this information in plain text is not allowed in some countries OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 41. PII Information OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 42. Hardcoded Secrets OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 43. Hardcoded Secrets • Easiest way for developer to solve complex issues/functionality • Attacker can get this information by either reverse engineering application or by checking local storage OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 44. Keychain Dumper OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 45. Language Specific Issues OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 46. Language Specific Issues • Application in iOS are developed in Objective-C language which is derived from classic C language • Along with this derivation, it also derives security issues in C language i.e. overflow attacks • Using Dex2jar, source code of android application can be accessed OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 47. dexdump Convert dump .dex files: OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 48. SQL Injection in Local database OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 49. SQL Injection in Local database • Most Mobile platforms uses SQLite as database to store information on the device • Using any SQLite Database Browser, it is possible to access database logs which has queries and other sensitive database information • In case application is not filtering input, SQL Injection on local database is possible OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 50. Injection… OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 51. Information in Common Services OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 52. Common Services • KeyBoard, Clipboard are shared amongst all the applications. • Information stored in clipboard can be accessed by all the application • Sensitive information should not be allowed to copy/paste in the application OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 53. Server Side Issues OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 54. Server Side Issues • Most Application makes server side calls to either web services or some other component. Security of server side component is equally important as client side • Controls to be tested on the server side – Security Control Categories for Server Side Application– Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 55. Server Side Issues Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 56. Binary auditing OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 57. Using GDB OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 58. Pen testing Check list (iOS Applications) OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 59. Pen testing Check list • Fuzz all possible Inputs to the application and validate output (Query String, POST data, external HTML, RSS Feed or database feed) • Audit traditional memory unsafe methods (strcpy, memcpy) • Watch out for format string vulnerabilities • Look for hard coded credentials / secrets OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 60. Pen testing Check list • Check network connection (grep for NSURL, CFStream, NSStream) • Check Database connection and queries (grep SQL strings and SQLLite queries) • Check only trusted certificate are allowed (Look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticationChallenge) • Check what is logged (grep NSLog) OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 61. Pen testing Check list • Check implementation of URLSchemes in handleOpenURL • Check what is stored in keychain (kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attributes when calling SecItemAdd or SecItemUpdate) and the file system (NSDataWritingFileProtectionComplete). OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 62. Pen testing Check list • Check how critical data is stored (NSUserDefaults should not be used to store critical data) • Check Server Side controls • Decrypt the binary and run strings to find sensitive information OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 63. Pen testing Check list • Check whether application uses UIWebView (How application loads HTLM and where it is rendered from? Is URL visible?) • Check whether copy-paste functionality is enabled in sensitive fields (PII fields) • Install your favorite proxy to monitor + fuzz web traffic • Run the app using disassemble to monitor calls OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 64. Pen testing Check list • Check whether critical data fields are hidden in applicationWillTerminate and applicationWillEnterBackground to prevent screenshot caching • Check how application handles PII information OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 65. Thank you Hemil Shah [email protected] +91 99790 55100 OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)