Leaky Mobile Apps: What You Need to Know

Post on 23-Jan-2018

446 views 1 download

Preview:

Click to see full reader
Report this document
SHARE

transcript

Leaky mobile apps: What you need to know

July19th,2017

AboutMe

• JonPorterofHouseNowSecure-Mobileappsecuritysoftwarecompany

• EnthusiastofMobileSecurity/SeniorSE• BACompSci/MSInfoSec• SolveroftheRubik’sCube(s)• Drinkerof1000beers(1229tobeexact)

https://www.nowsecure.com/

• Themobilesecurityproblem

• Thestateofmobileappsecurity

• 3-partmobileexploitdemo

• Whatcanwedoaboutit?

Agenda

THEMOBILESECURITYPROBLEM

MOBILEDEVICESHAVEUNSEATEDPCS

Source: Benedict Evans

http://ben-evans.com/benedictevans/2016/3/29/presentation-mobile-ate-the-world

SPENDINGMORETIMEWITHMOBILEAPPSTHANDESKTOPS

Source: Comscore by way of Benedict Evans

http://ben-evans.com/benedictevans/2016/3/29/presentation-mobile-ate-the-world

PRESSINGMOBILESECURITYISSUES

•Appsarevulnerableandleakingdata•Lackofadministrativeaccesstodevices•Complexecosystem

◦OEMs◦ OSdevelopers,carriers

• Innovationoutpacessecuritypractices• Legacysecuritystrategiesareineffective(“boltedon”)

Typicalsecuritydefensesfailinmobilese4ngsbecausetheyprotectboundariesratherthantheinforma7onitself,andmobileusersdonotrespecttradi7onalboundaries.Gartner

http://www.gartner.com/document/3158326

VULNERABILITIESINANDROIDANDIOS

Life[meAndroidCVEsbytype(130in2015) Life[meiOSCVEsbytype(375in2015)

Source: CVE DetailsSource: CVE Details

http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49
http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

MOBILEDATAISVALUABLEANDAMARKETFORCOMPROMISEEXISTS • Governments

◦ Legi[mateneed

◦ Legalframework

◦ Willingnesstopayforit

• HackingTeamweaponizesmobile

securityflawsforsurveillance

• Zerodium

◦ Sellszero-dayexploits

◦ Offers$1millionforiOS

jailbreaks

• Maliciousactorswillingtopay

◦ Oppressiveregimes

◦ Roguestates

THEULTIMATESURVEILLANCETOOL?

Appscan: • Readpreciseloca[on

• Readphonelogs

• ReadSMS

• Recordaudio

• Usecamera

• Startonboot

• ConnecttoInternet

THESTATEOFMOBILEAPPLICATIONSECURITY

Wetested

400KApps

Source - 2016 NowSecure Mobile Security Report

25%

ofmobileappshaveatleastonehighrisksecurityorprivacyflaw

https://www.nowsecure.com/resources/mobile-security-report/en/index.html

HIGHRISKISSUESEXISTWITHINEACHAPPCATEGORY

Source - 2016 NowSecure Mobile Security Report

Gamingapps: Businessapps: Socialapps:

1.5x 3x 4x

morelikelytoincludeahighriskvulnerability

morelikelytoleaklogincreden[als

morelikelytoleaklogincreden[alsoremailaddress

https://www.nowsecure.com/resources/mobile-security-report/en/index.html

HIGHRISKISSUESINAPPSWITHMORETHAN1MDOWNLOADS

Source - 2016 NowSecure Mobile Security Report

https://www.nowsecure.com/resources/mobile-security-report/en/index.html

LEAKYAPPSANDSOCIALENGINEERING

Source - 2016 NowSecure Mobile Security Report

• Informa[onleakedcanprovevaluabletoakackers

• Reconnaissancefortargetedsocialengineeringschemes

• E.g.,creden[alsleakedbyaproduc[vityapp

◦ Mightgrantanakackeraccesstoacacheofsensi[veinforma[on

◦ Usernames

◦ GPSloca[on

◦ Unlockothersensi[veinforma[onaboutauser

https://www.nowsecure.com/resources/mobile-security-report/en/index.html

EXAMPLES

RemoteAkackSurface • Vungleprovidesin-appvideoadver[sing

• Applibraryserves>200Madseachmonth

• Remotecodeexecu[on

• Dataaboutthedeviceandtheuserfromtheapp

EXAMPLE:

“Vungleproductsprovidenecessary

infrastructureforappmone7za7onthroughvideoads.Morethan200millionpeopleworldwideseeVungleadseachmonth.”

POPULARAPPUSINGVUNGLE

RemoteAkackSurface • SDKdownloadsazipfileoverhkpwithoutTLS

orverifica[on

• Createa.dexfilethatcontainscodeyouwant

toexecute

• Addthe.dextotherequestedzipfile,modify

thenetworkresponseand,youcangain

remotecodeexecu[on

EXAMPLE:

“Anintegratedmobileadver7singplaEormenablingadver7sertoop7mizeadefficiencyandappdevelopertoacquirethehighestmedia

benefit.“

DEX

ADLIBRSCALE

POPULARAPPUSINGADLIB

• Anetwork-basedakackercan

modifytraffictogaincontrolof

thedeviceduetoaflawin

AdlibrSDK

• Theakackercanaccesscurrent

appdata,worldaccessibledata

andchainwithanexploitto

gainelevatedpermissions

SAMPLEDATALEAKED(HTTP)

• Manyadnetworkssenddatain

clear,includinggeoloca[on

• IDderivedfromhardwarecan

betrackedacross[meand

loca[ons

• Apppkgisiden[fied,enabling

akackertofindtarget

imei=352584060111000mac=f8:a9:c2:4f:f3:80androidid=88c8584b54bd9c00serial=062f2dfb344be87bconn=wificountry=USdm=Nexus+5dv=Android4.4.2lat=41.83720397949219long=-87.9613037109375mcc=310mnc=410mmdid=mmh_AC78B68BD2E528CC0FC78AFB342E58CF_9099A5181F956FCAFB4AC9946DF71CCACB322F59root=0pkid=com.ismaker.android.simsimipknm=SimSimiplugged=truesdkversion=5.1.0-13.08.12.aua=Dalvik%2F1.6.0+%28Linux%3B+U%3B+Android+4.4.2%3B+Nexus+5+Build%2FKOT49H%29

DATADESTINATIONS Destinationaddress IP Country

ad.adlibr.com 211.236.244.152 KR

ad.doubleclick.net 173.194.33.156 US

ads.mp.mydas.mobi 216.157.12.18 US

adtg.widerplanet.com 117.52.90.81 KR

androidsdk.ads.mp.mydas.mobi 211.110.212.68 KR

ajax.googleapis.com 74.125.28.95 US

androidsdk.ads.mp.mydas.mobi 216.157.12.18 US

app.simsimi.com 54.235.200.56 US

astg.widerplanet.com 117.52.90.85 KR

bank81.mi.ads.mp.mydas.mobi 216.157.13.15 US

capp.simsimi.com 174.129.197.187 US

cdn.millennialmedia.com 96.17.8.146 US

d.appsdt.com 52.6.198.255 US

dcys-en.ijinshan.com 114.112.93.204 CN

landingpages.millennialmedia.com 216.157.12.21 US

mtab.clickmon.co.kr 114.207.113.177 KR

once.unicornmedia.com 192.33.167.222 US

rtax.criteo.com 74.119.117.100 US

http://ad.adlibr.com/
http://ad.doubleclick.net/
http://ads.mp.mydas.mobi/
http://adtg.widerplanet.com/
http://androidsdk.ads.mp.mydas.mobi/
http://ajax.googleapis.com/
http://androidsdk.ads.mp.mydas.mobi/
http://app.simsimi.com/
http://astg.widerplanet.com/
http://bank81.mi.ads.mp.mydas.mobi/
http://capp.simsimi.com/
http://cdn.millennialmedia.com/
http://d.appsdt.com/
http://dcys-en.ijinshan.com/
http://landingpages.millennialmedia.com/
http://mtab.clickmon.co.kr/
http://once.unicornmedia.com/
http://rtax.criteo.com/

INSECUREMOBILEAPPSCREATEBUSINESSRISKFORENTERPRISES

StarbucksThievessiphonedmoneyoutof

users’accountsusingthemobileapp

viaUSAToday

Ola

India’slargeststartupwith$1.1Binfundingwashackedto

allowunlimitedfreerides

viaTheNextWeb

HuluandTinderAppvulnerabili[esofferedaccesstofreepremium

accounts

viaCNBC

http://www.usatoday.com/story/tech/2015/05/15/starbucks-gift-card-hack/27370491/
http://thenextweb.com/insider/2015/03/23/how-i-hacked-indias-biggest-startup/
http://www.cnbc.com/2016/02/12/hackers-target-paid-applications-bluebox.html

DEMO

PART1:CRITICALVULNERABILITYINPRE-INSTALLEDKEYBOARDONSAMSUNGDEVICES

• CombiningCVE-2015-4640and

CVE-2015-4641

• Executearbitrarycodeinaprivilegedcontext

• Result:silentlyexecutemaliciouscodeon

targetdevice

• Es[matedimpact:600milliondevices

DEMO

PART2:INSTALLINGAMALICIOUSAPPLICATION

• Silentlyinstalledusingthepreviousexploit

• Communicatesdevice/userdatatoaC&C

server

• Evenifremoved,canbereinstalledbythe

akacker

• TheUIisjustfordemopurposes,and

wouldnotberequiredifusingthisinthe

wild

DEMO

PART3:EXPOSINGLEAKYAPPS

• Escalatetorootprivilegeusinganother

exploit

• Usetherootpermissiontolookfor

vulnerableapplica[on(orallapplica[ons)

• Compressandsendthedatabacktothe

C&Cserver

DEMO

WHATCANWEDOABOUTIT?

TIPSFORSECURINGYOURMOBILEDEVICE

1.Updateyouropera[ngsystemandappswhennewversionsareavailable.

2. Addapasscode,PIN,orpakernlock.

3. Usedifferentpasswordsforsitesandapps.

4. Logoutofyourapplica[ons.

5. OnlydownloadappsfromtheofficialAppStoreandGooglePlay.

6. Usetwo-factoruseriden[fica[onwhenavailable.

7. Knowwhatdataisbeingcollectedbyapplica[ons.

OTHERFREERESOURCES1.SecureMobileDevBestPrac[ces

2. MobileAppSecurityProgramManagementHandbook

3. MobileBankingApplica[ons:SecurityChallengesforBanks

4. MobileIncidentResponseE-book

SPONSOREDOPENSOURCEPROJECTS1.Frida-injectJavaScripttoexplorena[veappsonWindows,macOS,Linux,

iOS,Android,andQNX

2. Radare-completeframeworkforreverse-engineeringandanalyzing

binaries

https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/
https://info.nowsecure.com/mobile-appsec-program-handbook.html
http://www.apple.com
http://www.apple.com
http://www.apple.com
http://www.apple.com

Top related

NSA Slides - Angry Birds and leaky phone apps targeted by NSA and GCHQ for user data
Technology
88 Apps Every Smart Business Should Know About
Technology
Title: Know About Business of Reskinning Apps - AppnGameReskin.COM
Technology
Church Apps: What to Know Before You Buy
Mobile
11 apps your staff should know about
Healthcare
It’s Leaky...
Documents
Know, Share, Do - Custom Apps
Software
9 Things you must know before developing mobile apps
Mobile
Apps You Should Know
Documents
Smartphone Apps You May Not Know
Technology
What every developer should know about building trustworthy apps
Documents
Leaky Bucket
Documents
5 apps parents need to know about
Social Media
Leaky Gut, Leaky Brain2018/Friday...Leaky Gut, Leaky Brain: The Emerging Role of Intestinal Permeability and Mental Health David J. Scheiderer, MD, MBA, DFAPA Director of Education
Documents
Coupon Apps You Should Know
Technology
Future of the Apps: what startups need to know
Small Business & Entrepreneurship
Dr. John Brimhall & Associatesfmtrainingcenter.s3.amazonaws.com/blood_chemistry...Mar 02, 2011  · LEAKY GUT • Leaky Gut = Leaky Brain • Allergies, digestive problems, brainAllergies,
Documents
THE LEAKY GUT PROTOCOL - The Healers Biblethehealersbible.com/uploads/1/2/9/0/12907633/_ugc_leaky_gut... · the leaky gut protocol for leaky gut syndrome. leaky gut protocol for leaky
Documents
Technology, apps, and websites you need to know about
Technology
WHAT ISYOUR GUT TELLING YOU? · LEAKY GUT • You can leaky gut even without gut symptoms! • Inflammatory Processes are causing you to have leaky gut! • Causes of Leaky Gut: •
Documents

Copyright © 2018 DOCUMENTS