
Good afternoon everybody and welcome to BSides Las Vegas. We are here for PasswordsCon. Appreciate you coming to hear from Mackenzie Jackson, who's going to be talking about "Are your secrets safe? No, they're not, we know they're not: finding millions of credentials in mobile apps." Just a few things we want to say: thank you to our sponsors, especially the diamond sponsor Adobe and our gold sponsors Prisma Cloud, Blue Coat, Toyota and ConductorOne. It's their support along with yours that makes this what it is. Cell phones, please turn them off, we don't want to hear it; if somebody's calling, it better be God. Also, if you have any questions, save them for the end because he doesn't want to be interrupted. So on that note, let's get started. Mackenzie, all yours.

[Applause]

Thank you. That introduction is probably going to be the highlight of this talk, but thank you all for coming here. I'm really excited to be presenting at BSides Las Vegas; this has been one of my goals, to be able to present at this conference. I have a funny story before we start: last year I was a volunteer and I was on the registration desk, and I was chatting to the people on the registration desk next to me, and I was with three other CISOs. So if CISOs are the people that are volunteering here, I'm kind of terrified to know what the audience members are. But I'm really happy to be presenting here.

So my name is Mackenzie. A little bit about me before we get started: I'm from Aotearoa New Zealand, but today I live in the Netherlands and I work for a French company, so there's a range of countries there. You can find me anywhere on social media, the handle advocat, and I also am the host of the Security Repo podcast. It's my mom's favorite podcast, she hasn't missed an episode, and she recommends it to you. If you want to live dangerously there's a QR code, scan at your own risk, to take you to that. All right, we'll get into
the topic. So what we're going to talk about in this session is really discovering secrets. We're going to talk initially about secrets; now, we're in PasswordsCon so I don't need to spend too much time on why they're a problem. Then we're going to look at discovering secrets in source code. I'm not going to spend too much time on this because the presentation after me is actually going to go deeper into it, but this is kind of what kicked off my interest in mobile apps specifically. Then we're going to talk about discovering secrets in these compiled applications, downloading them and finding them. Finally we'll talk a little bit about how to securely store secrets, and then we'll have a go at some questions.

All right, so just quickly, I'm sure everyone here is familiar, but just in case, to get everyone on the same page: what do I mean when I'm talking about secrets? I'm talking about digital authentication credentials. These can be things like API keys, security certificates, credential pairs, and the key difference here is that these are made to be used programmatically and generally machine to machine. I have yet to successfully memorize an API key and use it; these are meant to be used by our systems to authenticate themselves. Now, why that's important is because when things are made to be used programmatically they often end up hardcoded or in the wrong place, because humans still handle them even though machines use them. And so that's really what we're going to be talking about now: identifying where they've kind of leaked out of where they're meant to be, how we can identify them and how we can use them.

So why do secrets exist? A question I ask myself every day. But if we take just a modern application, a mobile application, secrets are used because of a shift in how we build our software. Our applications aren't monoliths that do everything; we connect to lots of different services. The easy one to talk about is something like Okta: are you going to build your own authentication, or do you outsource that to a service that is doing just that? Or do you use Algolia for search? Do you do your own credit card processing, or do you outsource that to Stripe, especially if you're trying to get around the 30% fees that the app stores charge? Applications quickly end up compiled of these different services, and they all communicate with secrets. But it doesn't stop there, because we have to have backend infrastructure, we have to have testing, we have code that we need to deal with, so then our infrastructure also uses lots of these secrets. Now our mobile application needs to talk to these as well, potentially through the back end, but they still exist as secrets. And then it doesn't stop there, because we need to have monitoring of it; perhaps we want to have crash logs being sent somewhere from the app, so we need secrets to be able to do that and get information, and these are all potential access points. And we haven't even talked about the microservices that we create. So your simple little mobile application very quickly turns into a collection of all these different services all doing different things, and we need to authenticate with each of them, and we do this through secrets. But every single one of these points, if I'm an attacker, is a potential entry. If I can gain access to something, even if it doesn't seem that interesting (you may not think that me getting access to a Slack channel is important; I'm going to talk about that exact example later), as an attacker I can do lots of different things to be able to abuse that and leverage that to elevate my privileges and gain access into lots of different areas.

All right, so how should secrets be stored? This is going to be a very, very simplistic example, but just before we get
into all the bad things that happen, we'll talk about how it's meant to happen. So we have our front-facing applications: for Android this is an APK, for Apple this is an IPA. We shouldn't have any secrets in these. Now, unsurprisingly, we're going to discover that there's lots of secrets in here, but we really shouldn't. We should have our secrets stored in our back end, perhaps through a secret manager, or just in our cloud infrastructure; they often have a secret manager. We want them loaded into our local memory, and that's what communicates with the third-party services and sends our data securely to our application. This is how it should be set up. But often lots of things change, people cut corners, or they feel like they're doing it more efficiently, although they come up with lots of arguments as to why the insecure way they're doing it is actually secure. I'll talk through some of them as we go through, but this is really how it should be done, and it's not often how it is done in practice.

So let's get into the first part of this: finding secrets in source code. As I said, I'm not going to go too deep into this; if you're really interested, the talk after me will go deeper. But I want to address this because this is really what made me start thinking about secrets inside source code, inside mobile applications, based on some initial research I was doing in source code. So to give an idea, the State of Secrets Sprawl is a report that GitGuardian, the company I work for, releases every year, and one of the things that we do is we monitor public code repositories to try and identify if secrets are leaked in there. Now the biggest one is obviously GitHub. So GitHub has huge amounts of information; there were more than a billion commits or contributions made to public repositories in GitHub last year, and we scanned every single one of those to try and identify how many secrets are out there in public repositories. So last year we found 10 million, so 10 million secrets, and we validate a lot of these, so this isn't 10 million random hopy strings that look like secrets but are just URLs or unique identifiers. This is 10 million secrets that we're fairly confident are true positives. So this is a huge amount of information. If you want to win some candy, remember this number for the next presentation; it's going to come up.

But we looked at the file extensions that we had and I got interested, because we were going through lots of information and I wondered how many of these would actually concern mobile applications, because I had heard a lot about mobile applications being breached, passwords being found in here. So I wanted to use this research and this information to get a deeper understanding of how these mobile applications are actually using secrets. Now, truth be told, I'm not a mobile dev; I've dived into this topic from a security perspective and learned along the way. But there's a bunch of files that really are specific to mobile applications that kept coming up in our research. So if we look at some of them: the .properties. Now obviously these aren't exclusive to mobile applications, but they are ones that, when we looked into them, frequently related to mobile applications. XML files were often related to mobile applications, and the .plist file, which is nearly always related to iOS development. And so when I had a look into these I did some further research to find out how many of these contain secrets and what are some of the file names that we had.

So if we're looking just at Android applications, the main one that we were discovering secrets in was the AndroidManifest.xml: we found 23,000, nearly 24,000 secrets in this one XML file. Other ones as well: strings.xml was a big one that was related to Android development. There's a long list of these files that we can go down; here are some of them, and just the last one, I always like to add in a funny one: API key.properties feels like something that probably shouldn't be in a public git repository, definitely not, but we still find 65 of these keys being leaked. So this is interesting. We found similar results when we looked at iOS application-specific files. The main one that we found was the GoogleService-Info.plist. This is a file that's generally always related to Google services and namely Firebase. Now, by default this shouldn't really be that sensitive, because it should only contain your Firebase ID, which might be useful for an attacker but not really. But then people started doing really weird things: they started adding secret keys into this file as well, I guess maybe it's handy to have both of them together, and we started seeing lots of weird secrets inside these, and also lots of other ones. And again, API keys.plist feels like something that shouldn't be in a git repository, but often is.

So when we looked at all of these files it really got me thinking: if these are the types of files that are containing secrets in public git repositories, then it really has to be that in private git repositories the problem is much worse, and if this is the flow, that means that the application at the end is going to have those secrets in it. So looking at this source code really got me thinking that ultimately these secrets are going to end up in the mobile application, and so that's what kind of started me off on this.

First I want to talk about exploiting secrets in this public source code. I'm not going to spend too long on it, but just bring it up: how would an attacker that's specifically looking at exploiting a mobile application be able to discover these types of files in public places like GitHub? So generally, when secrets leak for applications, they don't leak in an official repository; they leak in a repository attached to
an employee that maybe accidentally leaked something, or is starting their own project and doesn't realize there are secrets in the history that belong to the organization. But there's a couple of ways. So firstly, this is kind of my least favorite way, but I'll talk about it briefly because it's the easiest: you can just use the GitHub search feature, what we call GitHub dorking. So we know that the AndroidManifest.xml has lots of files; so if I'm looking to exploit an Android application I might narrow this down to specific keywords, I'm looking for an API key, and there's lots of different types of these dorks that we could do. This isn't a great method; the reason why is that most of the secrets that you find in source code are in the git history, and when you're using the GitHub search feature it doesn't search the history, it just searches the top level, or the latest version on the main branch. So there's a much better way that we can programmatically try and find these keys inside mobile applications, and that's using the GitHub API. So we have this events API; anyone can go to it, you can do it on your phone right now, it's api.github.com/events. Everything that happens publicly on GitHub is on this ledger, on this API. So what we can do is we can start using the public events and the push events to try and find code for things that shouldn't be in GitHub, for instance narrowing it down to the AndroidManifest and strings. This is a huge amount of information to digest, but if you're trying to exploit a mobile application, if you know that it's going to be an AndroidManifest.xml or strings.xml that's going to give you the most amount of prizes, then we can narrow it down and all of a sudden this fire hose starts becoming digestible. So this is really some of the ways that we can do it. And also, if I'm trying to exploit a specific mobile application, then what I might do is I might discover what employees are working for that, if they have personal GitHub accounts, and then abuse this API to try and find files that relate to this specifically for them. But that's enough about source code.

All of this sent me off down this journey of trying to figure out how mobile applications can be breached. Can we find the secrets inside of them, and exactly how do we go about doing that? All right, so let's get into that. So firstly, on the Play Store, this is probably something of what you see, and we look at these and we're trying to figure out what mobile applications are in their raw form, how you can download it. So most people make the mistake that non-human-readable means secure. So when we submit an APK file to the Android Play Store or an IPA file to the Apple Play Store, a lot of people seem to think that this is some kind of black box: it's not human readable, you can't really extract any information from it from just that file, so that means it must be secure, it's totally unhackable. But that's absolutely wrong, as with so many things like this, same with packages, same with
containers. So what we started doing is trying to, as a first step, turn these files back into something that's human readable, and it's very easy. So there's two types of files when we're looking at mobile applications: the first file that we have is the IPA from Apple, and the second file is the APK from Android. And so what are these? These are basically glorified zip folders that we can use to extract the source code, and once we've extracted the source code from them, then we can start looking into them to try and find any sensitive information that may be in here.

So how do we actually find these secrets? I'm going to run through quickly; if you guys all say a prayer to the demo gods, hopefully this will all work. But the first thing that I want to do is I just want to show you how easy it is to extract these files. So here I have two: I have my Android app.apk and my iOS app.ipa. These are real files that I've downloaded from the respective Play Stores, or App Store, that I've kind of chosen at random, but I've removed their name because there's some sensitive information inside here, so I don't want to get in trouble for disclosing. Give me a minute. Okay, so the first step is we need to try and get this back to something that's human readable. To do this, well, I guess the first step is we need to download it. So you'll notice that you can't download these on your computer; you need to use some kind of mirror or some kind of tool. So there's an easy one for Android applications called gplay downloader, so I use that to download the application. Then I'm going to use a different tool called jadx, which is a decompiler, to get this back to its original form. So just to show you what that looks like, it's just going to take a few seconds, and then that's going to spit out and take me back to the source code, because once you have the source code then really you can actually start doing some interesting things and looking for some files.

So now that we've done that, let's open up what we've just created here. So this here is the source code of the application that we've downloaded. Here you'll see the AndroidManifest; we've talked about this file, so this is where I can already start to find some interesting information and go through. And also we know that there are some other files, very interesting, like the strings.xml, which we can find in various files here, to try and get information about and see if there's any strings hidden in there. The problem with this is that these are really massive files, and buried under all of this, maybe, is something interesting, maybe. And hackers, or at least I am, are very lazy, so we're always going to find a better way to do it. So what I want to do now is just show you what I would do in real life, which is just scan this file for secrets. So I'm using a tool called ggshield; fair warning, this is a tool that GitGuardian, my employer, creates, so I'm wildly biased as to why I use this, but it's definitely the best, totally. Whenever I'm on stage I forget how to spell the most basic words. I told you, I was just checking to see if everyone's awake, you know, making sure everyone's paying attention. Feels wrong, but let's give it a go. All right, so this is going to take just a little bit of time to scan, so I want to go back to something else.

So I've easily shown you how to extract the Android application. Now I do want to warn you, the iOS application is much more complicated, so I hope you pay close attention and take lots of notes as to how we can do this. So what we need to do in our Android application is we take here our IPA and we change this to .zip, and we have a look in here, and we have our source code from this. So hopefully you took lots of notes on how to do that; I can't do it again. But yeah, that's really how. So when I mentioned that these are glorified zip folders, particularly for the iOS version, I'm absolutely dead serious: these are literally glorified zip folders. So now that we have the source code, we've extracted that, it's really easy: if there's a hard-coded secret in your source code, it's going to end up in your application, and we can easily extract it using simple tools, or in the case of iOS not even using any tools at all. So I'll try and see what my scanning is doing. We'll wait a little bit. Okay, we're all done, so we'll go up to the top, and these are some of the secrets that we've found. I want to stress again this is a real application downloaded from the Play Store, but I have hidden all the secrets so you can't do anything malicious with it. So the first sec
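The extraction and scanning steps the speaker demonstrates (an IPA opens as a zip; an APK's manifest is binary XML until a decompiler such as jadx has turned it into text; then the manifest, strings.xml, plist and properties files are scanned for secret-like strings) can be reproduced as a pre-release check over your own build artifact. The script below is an added example written for this transcript; it is not the speaker's tooling and not GitGuardian's ggshield. The file names it targets, the regular expressions, and every key value in the constructed sample bundle are assumptions made for illustration (the AWS id is AWS's own documented placeholder), so nothing in it authenticates anywhere.

```python
# Added example (not the speaker's or GitGuardian's code): scan an IPA (a zip)
# or a jadx-decompiled APK directory for secret-like strings in the files the
# talk names. All file names, patterns and key values here are constructed.
import io, os, plistlib, re, sys, zipfile
from pathlib import Path

KEY_FILES = {"AndroidManifest.xml", "strings.xml", "GoogleService-Info.plist"}
KEY_SUFFIXES = (".plist", ".properties", ".xml", ".json")

# Public, documented key formats plus a name-based catch-all; the generic
# pattern captures the value in group 1, the others match the whole key.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)[^\n]{0,60}?[=:>\"'\s]([A-Za-z0-9_\-]{20,})"),
}


def is_interesting(name: str) -> bool:
    base = os.path.basename(name)
    return base in KEY_FILES or base.lower().endswith(KEY_SUFFIXES)


def mask(value: str) -> str:
    # Report evidence of the finding, never the whole credential.
    return f"{value[:4]}...{value[-2:]} ({len(value)} chars)"


def scan_text(name: str, text: str) -> list:
    findings, seen = [], set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.lastindex else m.group(0)
            if value not in seen:  # one string can hit two patterns
                seen.add(value)
                findings.append({"file": name, "kind": kind, "value": mask(value)})
    return findings


def to_text(data: bytes) -> str:
    # Shipped IPAs usually carry binary plists; plistlib turns them back into XML.
    if data.startswith(b"bplist"):
        return plistlib.dumps(plistlib.loads(data)).decode("utf-8")
    return data.decode("utf-8", errors="ignore")


def scan_archive(source) -> list:
    # source: path to an .ipa/.zip or raw zip bytes; no renaming to .zip needed.
    fh = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    findings = []
    with zipfile.ZipFile(fh) as zf:
        for info in zf.infolist():
            if not info.is_dir() and is_interesting(info.filename):
                findings.extend(scan_text(info.filename, to_text(zf.read(info))))
    return findings


def scan_directory(root) -> list:
    # For an APK the manifest is binary XML: decompile with jadx first, then
    # point this at the output directory, where the files are plain text.
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and is_interesting(path.name):
            findings.extend(scan_text(str(path), to_text(path.read_bytes())))
    return findings


# Constructed sample bundle: every value is made up (the AWS id is AWS's own
# documented placeholder), so nothing here authenticates anywhere.
FAKE_GOOGLE_KEY_1 = "AIzaSy" + "EXAMPLEKEY" + "0" * 23
FAKE_GOOGLE_KEY_2 = "AIzaSy" + "SECONDEXAMPLE" + "0" * 20
FAKE_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
FAKE_STRIPE_LIKE = "sk_test_51EXAMPLE" + "0" * 10


def build_sample_archive() -> bytes:
    files = {
        "AndroidManifest.xml": ('<manifest><application><meta-data '
            'android:name="com.google.android.geo.API_KEY" '
            f'android:value="{FAKE_GOOGLE_KEY_1}"/></application></manifest>'),
        "res/values/strings.xml": ('<resources><string name="app_name">Demo</string>'
            f'<string name="aws_access_key">{FAKE_AWS_KEY}</string></resources>'),
        "Payload/Demo.app/GoogleService-Info.plist": plistlib.dumps(
            {"API_KEY": FAKE_GOOGLE_KEY_2}, fmt=plistlib.FMT_BINARY),
        "assets/api_key.properties": f"api_key={FAKE_STRIPE_LIKE}\n",
        "classes.dex": b"\x00" * 16,  # compiled code, skipped by file name
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = (scan_archive(build_sample_archive()) if target is None
               else scan_directory(target) if os.path.isdir(target) else scan_archive(target))
    for f in results:
        print(f"{f['file']}: {f['kind']} -> {f['value']}")
```

Run it with no arguments to scan the constructed bundle, with a path to an .ipa to scan a real bundle directly, or with the jadx output directory of an APK. Two design choices matter for a check like this: findings are de-duplicated by value so a key that matches both a vendor pattern and the generic name-based pattern is reported once, and reported values are masked, because the report itself tends to end up in CI logs and ticket systems, which is exactly where the talk says secrets should not be.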