Threats
Various:
• Lost or stolen device (responsible for 80% of data
loss)
• As attack vector: use it to compromise network
• As attack surface: get at the data on the phone
(think: TAN codes, certs, passwords)
4
Threats
Or, if you are the maker of an app:
• How to protect the app itself
• How to protect the app’s data
• How to protect the backend applications that the app
talks to
During our workshop in Malaysia, this turned out to be the
most interesting topic!
5
Threats
But it doesn’t stop there:
• There are threats on the communications layer
• Prediction: amateur GSM/SMS tapping possible
within a year using EUR 30 devices and free
software
• NFC-enabled phones allow new ways of interfacing
with phone and the world around the phone
• Botnets and Trojans now seen in the wild
6
BYOD
Lets take a closer look at a few topics:
• BYOD
• Is it a good idea?
• Well…..
• To be honest: probably not, in most cases.
• Allowing modified devices with a large amount of
unknown applications that often ‘live’ in hostile
environments on your network requires a lot of
thinking.
7
BYOD
But we really want it:
• Need to isolate device
• Need to educate user
• Need to restrict access
• Do you want email attachments on the phone
• Do you want server access from phone
• How to authenticate user and device?
• Jailbroken devices more susceptible to malware
8
iPhone & Android hacking
Android
• Is a far more open platform than iOS;
• No App vetting in Google Play
• Multi vendor (roots @Google, now part of OHA, Open
Handset Alliance, with over 50 participants);
• Uses a mix of open source and proprietary software
environments;
• The basics are more or less the same across
• different vendors, main difference is in UI.
9
Android apps
Android
• Uses the Dalvik Virtual Machine, that is capable of
running different apps in parallel, each in their own
VM.
• Interesting information is stored in Libraries,
primarily in SQLite3 databases (similar to iOS).
These might be encrypted.
• These database can be stored on the internal flash or
memory cards (SD, uSD)
10
Data storage
If data is stored on a memory card, extraction is easy.
• Connect phone via USB;
• Access memory card using forensics software (FTK
imager)
• Make a forensics image;
• Analyse image (FAT32 filesystem);
Phone often appears as a USB stick on computer
11
Data storage
What about the internal flash?
• Use dd to make image of primary flashdrive;
• Need root to be able to bypass permissions on
phone
Phone normally does not offer root level access, so phone
needs to be rooted.
This is device dependent and modifies the phone (forensic
principles)
13
Data storage
Needs USB debugging (to be able to control the device via
USB port);
Also needs to bypass lock screen (same old story);
Sometimes additional apps are required.
14
Accessing data
An example:
• Set up ADT (Android Development Tools);
• Put fresh sd card in phone;
• Connect phone to computer and run adb to test
connectivity and USB debugging;
• Download asroot2 or ‘su’
• Run from adb
15
Reading data
Finally, use normal forensic tools to analyse these images
like:
• FTK
• File carving (foremost)
• Undelete files
• Read SQLite3 database for call & SMS log
• /data/data/com.android.providers.telephony/datab
ases
16
Reverse engineering
Simply put: figuring out how stuff works
Need to get at the code in a readable form:
• Unencrypted
• Unobfusacted
• Decompiled
17
Looking at android apps
Dalvik is encapsulated JAVA code
Java code is bytecode compiled
Therefore, Dalvik is easy to reverse engineer:
• Get .dex file
• Run dex2jar
• Decompile to .java files using JAD
• Load resulting Java files into Eclipse
18
iPhone apps
Iphone apps are stored in .ipa files
These are .zip files: copy and rename to .zip
Look in filestructure for interesting files and resources
No easy way to decompile like Android apps
19
iPhone apps
Can be disassembled using ‘otx’ and/or ‘otool’
Unfortunately, is not easy and readable
Often: measures taken such as stripping
IDAPro also possible
20
Decoding apps
What to look for:
• Connection strings
• Passwords (encrypted or not)
• Configuration files
• Certificates
• Security Bugs
21
Securing Apps
Securing Apps has several aspects:
• Obfuscation
• Integrity checks on app
• Integrity checks on phone (am I jailbroken)
• Storage of secrets
22
Getting into the iPhone
The ramdisk needs to be booted through Jailbreak tools.
Once booted, communications need to be multiplexed over
the USB connection.
Once that has been done, access can be obtained via SSH
shell.
23
Demo time
We need to bypass Unlock key (passcode)
Can only be done by bruteforce (on kernel level):
Passcode Complexity Bruteforce time
4 digits 18 minutes
4 alphanumeric 51 hours
5 alphanumeric 8 years
8 alphanumeric 13,000 years
24