Avalanche Disclosure

Story about static analysis of 15k mobile Apps.

Uploaded by hackapp on 14-Jan-2015.

Transcript
Page 1: Avalanche Disclosure

Avalanche Disclosure Story about static analysis of 15k mobile Apps

Page 2: Avalanche Disclosure

Who am I?

• Work hard on defense

• Have fun in offensive

• Break things

Alexey Troshichev

@pl0lq

[email protected]

#ZeroNights2013 hackapp.com 2

Page 3: Avalanche Disclosure

What’s wrong with an app?

Insecure transfer

Injections

Insecure storage

Architecture flaws

See the OWASP Mobile Top 10 for the rest…

Page 4: Avalanche Disclosure

Common Attacks


Page 5: Avalanche Disclosure

On-device analysis?

Unlock Device

Remove DRM

Setup research environment

Dynamic analysis

Time & Brains


Page 6: Avalanche Disclosure

Why always just the binary file?

The app is dangerous for the user, but what about the vendor?

Why waste time attacking one user when we can just break into the backend and get them all?

Page 7: Avalanche Disclosure

What can the app tell us?

Testing environment disclosure

Third-party service authentication data

Built-in accounts

Something you can’t even imagine =)


Page 8: Avalanche Disclosure

Why is it interesting?

No installation needed

In the end, we are just searching for strings…

…and that can be automated =)

Page 9: Avalanche Disclosure

Let’s build a Grinder!

Page 10: Avalanche Disclosure

AWK, STRINGS, GREP?

Not suitable for binary containers

Too much garbage

Page 11: Avalanche Disclosure

“Typical” Application

DRM

Page 12: Avalanche Disclosure

Actual Application


Page 13: Avalanche Disclosure

Steps

Recursive container traversal

Search for “unusual” files

Selective GREP

Structure validation
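The four steps above, and the earlier objection that plain strings/grep drowns in garbage from binary containers, as an added example in Python. This is not hackapp’s tooling; the extension list, the grep patterns and the whole sample .ipa are assumptions constructed here, and the AWS key pair is the public example pair from AWS documentation, not a real credential.

```python
"""Toy grinder for an iOS .ipa (a zip): recursive container traversal,
"unusual" file triage, selective grep and light structure validation.
Added example, not hackapp's code; every input below is constructed."""
import io
import json
import re
import zipfile
from collections import Counter

# Extensions worth a second look inside an app bundle (assumed list).
UNUSUAL_EXT = {".pem", ".p12", ".pfx", ".key", ".ovpn", ".sql", ".sh", ".zip", ".jar"}

# Selective grep: tagged patterns instead of a raw `strings | grep`.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
    "dev_endpoint": re.compile(r"\b(?:https?|svn)://(?:dev|test|staging)\.[\w.-]+(?::\d+)?[^\s\"'<>]*"),
}


def walk_container(data, prefix=""):
    """Yield (path, bytes) for every file, descending into nested zips."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            payload = zf.read(info)
            yield path, payload
            if zipfile.is_zipfile(io.BytesIO(payload)):
                yield from walk_container(payload, path + "!/")


def ext_of(path):
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def looks_textual(data):
    """Cheap binary filter so the grep does not drown in garbage."""
    head = data[:512]
    return b"\x00" not in head and head.isascii()


def validate_structure(path, data):
    """Confirm a flagged file is what its name claims, not just a name match."""
    ext = ext_of(path)
    if ext == ".json":
        try:
            json.loads(data)
            return "valid json"
        except ValueError:
            return "malformed json"
    if ext in {".pem", ".key"}:
        complete = b"-----BEGIN" in data and b"-----END" in data
        return "complete pem" if complete else "truncated pem"
    if ext in {".p12", ".pfx"}:
        return "der sequence" if data[:1] == b"\x30" else "not der"  # PKCS#12 is DER
    return "unchecked"


def grind(ipa_bytes):
    """Run the four steps over one bundle and return a triage report."""
    report = {"type_counts": Counter(), "unusual": [], "findings": []}
    for path, data in walk_container(ipa_bytes):
        ext = ext_of(path)
        report["type_counts"][ext or "<none>"] += 1
        if ext in UNUSUAL_EXT:
            report["unusual"].append((path, validate_structure(path, data)))
        if looks_textual(data):
            text = data.decode("latin-1")
            for tag, rx in PATTERNS.items():
                report["findings"].extend((tag, path, m.group(0)) for m in rx.finditer(text))
    return report


def build_sample_ipa():
    """Constructed bundle: a nested zip whose config carries cloud credentials
    and a test endpoint, a truncated PEM key and a DER-looking .p12 beside the binary."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("config.json", json.dumps({
            "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",  # AWS docs example pair
            "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "api": "https://test.example.invalid:8888/api",
        }))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe" + b"\x00" * 64)  # Mach-O magic
        z.writestr("Payload/Demo.app/Info.plist", "<plist><dict/></plist>")
        z.writestr("Payload/Demo.app/resources.zip", inner.getvalue())
        z.writestr("Payload/Demo.app/server.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIC(constructed)\n")
        z.writestr("Payload/Demo.app/push.p12", b"\x30\x82\x01\x00" + b"\x00" * 16)
    return outer.getvalue()


if __name__ == "__main__":
    r = grind(build_sample_ipa())
    print(r["type_counts"].most_common(), r["unusual"], sep="\n")
    for tag, path, hit in r["findings"]:
        print(f"{tag:18} {path}  {hit}")
```

The type counter is what the next slides’ “files of N types” triage comes from; the `!/` separator in paths records where a hit sat inside a nested container, and the textual filter is the only reason the Mach-O binary does not flood the output with false 40-character “secrets”.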

Page 14: Avalanche Disclosure

Let’s take ~15k iOS apps from the iTunes Finance section…

…I like Finance

Page 15: Avalanche Disclosure

What’s inside?

224,061 files of 1,396 types

Page 16: Avalanche Disclosure

Low-hanging fruit: 94,452 files = 42% of the whole

Page 17: Avalanche Disclosure

Shared authentication


Page 18: Avalanche Disclosure

“Secure” communication


Page 19: Avalanche Disclosure

Third-party services

Page 20: Avalanche Disclosure

Third-party services

Page 21: Avalanche Disclosure

Access to user data

AWS-secret:eyH0aw7IW7wdL8z2eSyK/A8q7rIF7uEMVpvQkbwC

You “publish” your contacts and photos by installing the app… =(

Page 22: Avalanche Disclosure

Not identified

• RSA private key: MIICeQIBADANBgkqhkiG9w6xmHVejkTokPs68ow==
• secret:164AC36F64FCC2D5
• secret:33728B17A93A4A92
• secret:4711429DAE3C6F7C
• secret:62ebd594bc903feeea5ee459715e08fa
• secret:6508E621E259AC4A
• secret:697E46CE13AA557B
• secret:76a863da0821f58ecb13e31cb761c573
• secret:a7df64e1d5a33a93c12b06fa0f8c6f47
• secret_android:2859389F73072C90
• secret_android:3D05E67E03216A9B
• secret_android:66549A9BB401AF56
• secret_android:678649CED531B8E8
• secret_android:745A209380630940

(and more, and more, and more…)

Page 23: Avalanche Disclosure

4% of apps released with hardcoded credentials

Page 24: Avalanche Disclosure

DEV Environment

svn://mokah.siab01.com/
https://test.freerange360.com/
http://test.mmf.berlingskemedia.net
http://test.informatel.com
http://test.improveagency.com
http://test.appswiz.com
https://test.freerange360.
https://dev.magtab.com:8888
http://dev.touchpublisher.com
http://dev.pressrun.com/
http://dev.openstreetmap.de/
http://dev.aleph-labs.com

(and more, and more…)

Page 25: Avalanche Disclosure

Mad Stuff


Page 26: Avalanche Disclosure

Shocking configs

SMS gateway

OpenVPN config

Page 27: Avalanche Disclosure

Unpredictable


Page 28: Avalanche Disclosure

Developer certificates: P12 containers. Most are encrypted, but…

Page 29: Avalanche Disclosure

HAVE NO TIME TO EXPLAIN


Page 30: Avalanche Disclosure

Is there an App for that?

http://hackapp.com/


Page 31: Avalanche Disclosure

Dashboard


Page 32: Avalanche Disclosure

Report


Page 33: Avalanche Disclosure

Details


Page 34: Avalanche Disclosure

Questions?

URL: http://hackapp.com/

Twitter: @hackapp

Mail: [email protected]