2015 - Luke Drakeford - Detect & Protect Securing financial applications in hostile environments

again thank you coming too drunk to again just like to say a special thanks to Luke or drape that opinion at last minute as you'll notice from the main program we have to to remove one of the talks the reasons you asked about cosmology so Luke's going to step in I'm not quite sure that talks about it's a running theme today where I'm quite don't quite know what to talk about so I'm going to look

Wow

gloucester you guys so i kinda just said I'm not currently in a better I'm not doing talk about recitals instead of really talking about securing mobile apps in your style environments this doesn't sound like a floaty boat and that's cool it has 13 I won't be offended but otherwise our guests after that so what is the problem the problem is one that software developers application developers have seen a lot over the years which is the they spend a lot of time after building applications putting together than my source code and then building a binary which they have to release for their users DS the problem is once you put your application together and distributed it to your

users they're free to do whatever they like and free to start putting in the path there for you to start modifying it you're distributing it and this is really what we implying it out of style in line I mean its environment that you can assume nothing about the only thing you can release you is that someone will probably at some point writing maliciously analyze your application so the solution the solution I propose is to go pardon up which identify 10 days left in such a way and then whole execution in time so who I I'm Luke drinkers again sorry not angsting taylor and i work with MWR for a couple of years a lot that time has been spent

working in software that life cycle with clients helping them to hardin MO asians from the kinds of analysis techniques and attack subscribe so hopefully you're really thinking about answers to the following questions or maybe have answers to all your questions by a presentation or the impacts of distributing insufficiently heart naps and how can have to fend themselves from the car stuff that I'm going to scribe so a quick overview I'll start off by talking about mobile threats the sort state of the mobile malware landscape then I'm going to take an imaginary application and start my way along with of attack methodology and then I'm going to take the same application we're going to add some hardening measures then when

you go through the same methodology and then we're going to see how to form an attackers perspective and yeah my husband to the survivors sir to spot off mobile friends and typically when someone has asked what is the most of all operating system or what operating system has the highest infection rate windows usually pops to mind however there was a report in 2014 by motive security of apps that most of the infection rate on our house in Windows host and they came up with some interesting statistics showing actually android windows the sort of head head for infection rate and at some points and were actually took over from windows and although there was a little bit of

conscious controversy regarding these statistics they definitely industry is a thing it is happening and in some cases proliferate more than people might think so according to kaspersky sixty percent of malware has financial objectives and targeted malware is pretty rare but we have seen some examples there was fake token this was a piece of malware which had which based on users desktop and after a web application for some of these a banking application they also have a mobile counterparts a tener phone and this is those two factor authentication tokens in order to attempt to make payments seamlessly without use another device or listening and Vanessa mrs. there's a lot of impersonation stations we've seen German banking applications and

personated South Korea banking applications I'm sure there's plenty of others it was yes Felipe this was a weird one this this piece of malware would attempt to a fingerprint a fingerprint the devices that infected it was searched on devices looking for package names that were hard coded in malware which was to do with financial application banking application stuff like that it would then send that information back to it so it never appeared to do anything to anything with this information and but it's definitely a worrying trend but as article about it and they said on the agenda and like I said although targeted now there is pretty rare it's important to realize that financial applications are

desirable targets when time is attacks to happen financial apps are certainly in the ones they come after especially if your goal is to make money or to steal me some credentials in make money as such it's important to keep the level of security they keep the bar high and answer to try and two attackers and not get Latin and that for Highland applications on harmless and also it's important to realize that at can't be retro actively hardened or patched yes if you are there to file and releasing application and update its and then you on to the App Store you download it it's all fixed that's awesome if you release an application that hasn't been hardened effectively as

some other worse engineers it understands how your application works they put that information forever you can end pardon your application with the knowledge of how it functions on the hood is exactly the same that information is lost unless you want to completely replication which without many people did so insufficient by this is an acknowledged problem instantly bottom sections is listed in our top 10 mobile threats and they say that's not having sufficient hardly fishes makes way for people to reverse engineering application and to modify our application redistributed is as well as for intellectual property that comes in and buy our security controls essentially conduct further attacks against your assets so broadly we have two kinds of attacks nessebar syntax

these are the color ones that we see environment the goal to steal money or usual users financial data in order to steal money and in order to do this kind of thing they are fishing users and popping up saying I'm legit application please download me which is piece of malware or they may impersonate applications dress themselves up to look like your banking application and doing users and spitting in their credentials or maybe there's some malware which might exploit low-hanging fruit steal information from this not being with taking information desk which shouldn't either more of us tax will recall this exactly the same it's to steal money a user's financial data however more advanced attacks are likely

to see attackers reverse engineering applications to try identify vulnerabilities which they could then packaged into malware distribute the malware which would avoid normal routine computer detected and also more worryingly attackers my modified my applications in order to facilitate further attacks against an organization's infrastructure or a server with a really valuable assets are the you know it's always wonderful that's where i miss the fact is gonna get these are the kind of attacks I'm going to be considering this presentation and I consider them into two broad small rivers the first scenario is this world where I said reverse engineers five-burner abilities make malware and distribute it I'm going to all other the local client scenario this is where you're just attacking

going on up and nothing else and then multiplying a client application in order to carry out attacks against server may be sending arbitrary requests the server fuzzing it whatever whoever mobile server so sorry so here we have a kill chain and if your team in context of this presentation is really just a high all set of steps a methodology attacker would take to carry on us and our a preset this this here is a source except for the mobile clients not I'm talking about the kill chain further down you move along these steps or the further down at a community down these steps the more risk they're posing to an organization or a company the closer

they are to the bottom the more likely they are to complete their objectives and ultimately steal one group's aliza data when attacking the robot fire they follow the steps such as reconnaissance where they identify some boy in route to the app weaponization where they create a piece of malware though they're distributed may be more efficient campaign gets downloaded exploitable a realtor can be objective our second scenario was the mobile server here we come kill chain mobile server and the first two steps are very similar to the previous steps they were all reconnaissance and weaponization against the mobile client where instead of identifying vulnerability is this time we're now looking to identify where some security controllers in place and

weaponization were then disabling a security control to facilitate further attacks against the server once you've gone through those first two steps you're been free to move into a traditional web service testing methodology or web application assessment against the against the web service uses you can move through because of fertilization delivery but this time now doing it's the server a bit we're all the really good stuff is and as I'm sure you see in the first two steps are exactly the same we can slow down or stop attacks in this stage we stand to gain in this versity steps I'm really talking about who you actually and which I'm we go through mode so let's consider

application and interview all ends of your pace and marginal application does exist but it allows users to pay for online purchases subscriptions transfer money to one another sort of normal procedures of a cell banking application it has two factor authentication we enforce a good password policy there's various custom encryption on top of us so and it's obviously has as a server counterpart overall it's a pretty secure application or going to do now is go through those precautions of optimization steps in our heads and just see how I attack affairs at the bottom of each of these sections I've got a perceived effort by an attacker this is really just or drawing experience it's quite fun to play so we're stuck in

reverse engineering this is where we take the application binary and we try and get it back into some form of human readable code in the case of Android is written in java this is very easy and it is possible to take an application and get back to somewhere near the source code that was used to originally build the app in something like I office is a definite little harder because we will be analyzing machine code however a lot of attackers are quite familiar with analyzing this machine code and obviously very good tool for visualizing it and so doesn't stop attackers from conducting engineer and after this reason I've given their effort of a one out of five

this is something a lot of factors are very familiar with as I'm sure already know so now reverse engineer the application maybe we have identified by some security controls are in place on anything identifiable mobility of the process we're also start interacting with the application at runtime we want to do some more bad stuff I don't want to do that we'll probably be in high privileges on the device so what we're going to do as an attacker I'm going to take my device and I'm going to run a regrettably the exploits are usually freely available on the internet they're usually pretty easy to use point click to the point where there are lots of non-technical mobile users out there

that are using their phones it's really quite simple for this reason I give it enough of one out of five right exactly now as reef resort we're still enroute cousins we're kind of moving into mechanization we're going to start debugging the application this is where we can sort analyze the application at long time we can see some of the sensitive routines as they run maybe some of our custom encryption was talking about before we can see comparisons that happening inside the application we can really feel for how stuff is has started working inside the app this is definitely a lot more involved process than just a tacky and I see some colors doing however lots of people that are

involved in software development and also attackers a very familiar with the process which is so now we're really into the sort recognization sections that are those keychains this is where we're now saw the skull would wear some security control is in place and we want to start modifying applications insanely so that we have application that does what we wanted to do to start tacking the server in order to do that we might hook the application it says where we alter the program flow of the application do we want to do if we take an example of Sally ssl fitting routine that says is this certificate legit yes whoa we can now just replace it with yes

certificate is legit continue let's not worry about that anymore and there are publicly available tools for this purpose they are it is definitely a more involved process than debugging however these tools are very well documented and there's a variety of them of that reason I'm given eight o'clock five is a second sailor than the voting steps finally it cooking didn't be the job and this is definitely more applicable or something like my application you may want start a career binary this is where we just start over writing sections on the application where we think that some security control and will seem to save it this is definitely not something that particularly easy to do in order to get it working exactly how

we want to get working any application not just crashing launcher it requires some decent knowledge of operating systems and definitely a decent one which of the instruction set used in order to build your replacement wrote actually I do with and this is where the sort of intellectual property theft stage has happened and for those reasons of three

so without at the end of our reconnaissance step and what has what has an attacker achieved what we achieved well we gained an understanding of the custom protocols we've understood those customers own routines whether we when we did that by reverse engineering or debugging application in some cases we make our own vulnerabilities and we have more if I the application when our own position we're going to start assessing their servers and start assessing the bits that we really care about wicked stuff is so let's consider another application this time we have some of those hardly measures in place that I was talking about earlier we have brute checking we now have checks or if we're going to vote for me hooked or if

we make moving talent patch and also some sort code obfuscation as well let's go through reconnaissance of organization just like it before and then we'll see how they compare so the start of with reverse engineering we do exactly what we did before we take the application we won't get it back to some human readable form of code we take our android application we didn't compile ever get it back into Java source it's at this time none of the function names mean anything the variable thing is really confusing all the program flow is heavily altered is really hard to follow what this means is that previously when it may have only taken us a couple of

hours to determine exactly where everything was the application it may not take us weeks if we even succeed at all maybe now we have any idea where these things are but we really don't know how they're being committed in any detail it's definitely still possible to gain an understanding the code because obviously it functions exactly the same way that it before except now it probably takes hours with pen and paper or working out exactly how the whole thing is has been acquired is a really arduous process it sounds an effort by an attacker I've given this sort of five up five the reason for that being usually if your face could start of or heavy code obfuscation it's often

easier to move on than it is to sit there trying to reverse engineer on thing in terms of the implementation effort are introduced in every operating point oh I've introduced an implementation effort which is sorta seed effort to implement this Hardman control our implementation effort for kohler confiscation is really simple one at five and the reason for this being that there are lots of prepackaged solutions out there the jeans are going for you a free point-and-click a smart so we had a bit ahead of it when we were trying to reverse engineer we couldn't really understand the weather security controls were implemented so what we want to do is we will start being what dynamic and really have a look at the

application must be closed so we want to escalate uh privileges just like we did before we downloaded root exploit we get a written device we run the application it's at this time the application crashes after little head scratching we work out that we think there's some sort of retention that's going as an attacker have a good idea how that room detection white being prevented so I started working my way through all of those different ways modifying the environment the application is expects accusing within in order to try and get the application to work this is a blind process it's also just exhausted i just have to work through more different ways and it's sometimes it may not be

possible to know if one of the ways that my environment has actually one effect on the application well it's definitely possible to bypass which is why i'm giving an effort for our five jacket but it is now increased time cost an example implementation of how you would implement some sort of intersection would require some amount of custom codes implemented within your apps however this could be as simple as looking for files on your device that are associated with reforming exploits and Rick packages for the reason that you to implement some of your own code two out of five but it is it is what still can be so after some time and effort reimagining the application

running final rooted device without as a debugging we're trying to debug it but an application crashes again it'll return about breakpoints we can't do any of the seeing how it worked a lot it executes slightly before again good idea how this control might have implemented but we had to go through systematically modifying our environment in order to try and get easier to run it takes a large amount of time and but it's certainly not impossible to bypass and without reason or five in terms of an example implementation there are various ways that you can check whether like your applications behavior bugged you can check if you are the child process as a long process or you can query the

proc file system to see some faces about yourself in order to verify whether or not you're being to vote and and again this will require some degree or the custom implementation within application identify this which is why i'm giving it difficulty to up five button in your paper section so let's say we came up with you by doing but remained with Ruth detection the reverse engineer wasn't very fruitful we have a rough idea where this application areas or maybe we've worked out function name and we're going to try to cook it and we need to try and return true and SSL opinion function is really causing us a headache we just want to be able to see the request more than

finding so would get reverses company we're trying to open application just like we did before using a torment that lived near that such as substrate exposed but the application crashes again again exactly the same as the previous one we have to go through either tampering with binary or multiplying our environmental to get the application to run and the effort is four up five in terms of implementing this control and it's definitely someone parlor given the different ways that the different hooking packages are implemented an example would be in android movies a verifier in class earlier asked the question groove on me and where they come from after this reason or because of the reason that

they're all packages operator ways 395

so hooking wasn't really getting us anywhere we're getting really frustrated hours but all this time more violence gets up able to run we're just going to start overwriting sections of the binary that we think are related to some security controllers causing this hassle we do this just like the previous step we run the application and they have fission crashes again the reason why crashes is because the application is verifying its integrity of all time parts of the application are checking other parts of the application against pre-owned values and saying does this look like how it should look like and if it doesn't then I should Horrocks occasion only in terms of bypassing this as an attacker depending on how its

implemented it can be really quite hard if you have multiple that these checks that happening in your application and they kind of God one another then you may not send remorse in famously and this would be particularly are for an attack particularly if the application is obfuscated it in terms of implementing this kind of protection is also definitely very hard the only reason why I haven't given it a 5 out of 5 is because there are off the shelf solutions that you can buy commercial products the world offer this card protection and it's definitely a lot more effective on native libraries or iOS applications

so we're now on quadric reconnaissance and recognization in them what is the type of cheat on the second hardened application well if they made it this far then they've achieved all the same things they achieve before they learn how the application has its message encryption or crypto Bertie's they've multiplied the application and they're now free to start up sending arbitrary request the server if they got this far then they spent a large amount of time patching the environment modifying application in order to get us wrong and the question really is why bother investing time and this is really point of this presentation it's not about introducing these controls makes your application unlike the wall app proof

can we all know that that's not true it doesn't exist but what it what these controls do do is increase the cost effectiveness two attackers beyond which could reasonably be expected of them previously when they can quickly get to those steps but I can conduct application security assessments or web application security assessments now we have to go through all these hurdles all these steps to even get to a point where they can identify it was vulnerable and why would they do that as particularly if there's a whole bunch other applications out there which don't happen in place by slowing attackers down in our reconnaissance and weaponization steps it means that attackers can never get to that position where they can say

all this application is volatile it may be enacted in the case of our mobile server kill chain methodology that showed you earlier then we spent all this time there for days weeks months getting to the point where we can start assessing the server once we get to that boy we realized up the river all abilities we have and as we told this was just all a massive waste of time and for this reason it particularly attractive to the tactics so at this point you might be wondering well which of these should i implement or which one of these should people be implemented in terms of cost effectiveness code obfuscation is definitely up there it's very easy to implement and is a real

pain cause a lot of time effort on the part of the attackers the ideal answer is driven as many as possible these protections are to God whatever for example if I wanted to get rid of some of the root section routines that having an application by patching the binary then the integrity checking you're introduced will stop us from doing that and make the whole thing of a high as well as possible offended so we have to weigh it up there are definitely pros and cons to these car approached and the pros of implementing these how I'm in controls and harden your applications integrates the family gets four words written talked about earlier intellectual property theft by

modification of your application identification of vulnerabilities or vulnerabilities in your server which altima tlie need to rev immunol your reputation baggage cons of implementing these protections is that implementing all of them in such a way that an application doesn't crash with legitimate users can definitely sometimes be quite hard particularly our forum such as android where there are so many different devices and operating system versions doing something like taboo thing or checking files on the device might not always be an honest and effective and they make for a whole new experience so hopefully you're thinking about following things now what are the impacts of distributing those especially on that well all those business for expressed I just described intellectual

property damage in certain property theft and reputation damage and also that point laminated beginning about activity Halloween your apps because they're out there and some was about how it works the damage is already done how complications defend themselves against this kind of advanced attacks well they can do so by implementing those protections I described that antioquia anti-tamper education so sure that was sorry done short sweet but thanks very much and you have any questions defenses are no wonder are more likely to cause of doing it aha i would say probably it depends how advanced your reception methods go in some cases you may want to implement on really specific route detection methods like all of us this

particular thing then you're consistent either Michael I've seen a suspicious or there's some flag that I said oh there's this real property profile system maybe they maybe they've patched the color or module or something I'm your flight a suspicious it's obviously good if you want to make a really secure app that make sure that you're running around representative environment highly advise is where OEM manufacturers can multiply these things that might i would say in my experience an english section is a polymer there was also one of the more common ones that we see with affection is quite common possession occurs have seen yep he was describing as sort of a new trend to ahead Paris

Reuters a protection how if you put a lot in common device I can you effectively protect

so the question was how

and so you can you talking about or within application but it is definitely some form of encryption would be the best method of keeping a private I mean if you expel them that was going to find out what's inside obviously for applications that need to run off buying all the time those keypad to be in the application and could be pulled out by reverse engineering or something so i guess this or gold standard is to always make sure the other server require some server authentication or to pull down some keys you'll see that you can use the information that's exporter is that possible

absolutely I mean you certainly that's definitely a good idea through if you're implementing these protections there's a really good idea to notify your server actually people are trying to bypass this someone is trying to attack me therefore even when be aware however in terms of letting them then continue with this organ asus they were conducting I guess it is also beneficial to just poor execution entirely extrem after communicating the server will be ideal approach then was there some stuff like timing problems that might occur it's about what I guess it depends how much you'll to know about it compared to how I would you are that they can find out so I'm secretly don't wanna tonight

yeah I mean there is obviously a small business decision in organization Saturday because by saying we can't run devices means that they're cutting our party Elizabeth like you say some institutions have decided that's a risk that's not worth taking and someone decided actually using it and made it a user experience that decision is really just for people relative editing applications in terms of the risk exposed during application assessments a large percentage of the kind of attacks that we carry out are usually require me to access anyway so although maybe running on a rooted device doesn't necessarily put your immediate risk it definitely facilitates further attacks that you previously may not protect against all of these methods are sort of

a part of the defense in depth approach it's just about reducing that risk me a little bit harder you mentioned often sketch of the code to make article in our foursome wouldn't that make a part for anyone working in the program so the question was have you been here it would offer skating your application code make harder for people in your own organization to work on the code I'd like to say that in most cases no because you applying for sketching to like compiled libraries not within the source code prior to compiling it it has the effect that when you tend to decompile it the deep layers will then see it it was sort of nonsensical way

rather than

that's a lot

you