
Los Angeles and a board member, and he's also one of the reviewers for the SANS mobile device classes. He's here to talk to us about easy mobile hacking. So there will be a test at the end of all the talks throughout the day; well, not technically a test, but there will be free stuff we're giving away, so the speakers will have a few questions at the end. So listen up and you'll have a chance at it. With that, please join me and welcome Aaron.

Just making sure you guys can hear me. Can you hear me in the back? Good, because I have two mics up here. I'm going to have to stay static from what I heard, so I'll stay here. It's kind of early for me, it's about 7 a.m. my time, so caffeine has my back; that's why I'm up here.

So I'm going to be talking about mobile, let's say the offensive side of mobile assessments, and the easy findings within frameworks, within Android, within iOS. How many of you guys are, let's say, mobile pentesters or researchers, or web pentesters? Anybody do application security pentesting? Okay, a few. Good. So I'm going to go through some basics so you guys won't be left in the dark: some fundamentals of iOS and Android, as well as hybrid frameworks, if you aren't aware what hybrid means or what that entails. So we'll start with a little dance for the morning.

Again, my name is Aaron Guzman; that's my Twitter handle. I'll be tweeting out the slides afterwards, so no need to take pictures or anything like that, and here is my email address if you need to contact me afterwards. I contribute to the OWASP Mobile Security Project, the OWASP testing guide, as well as the Top 10 that's coming out, among other things. As Mark said, I was a technical reviewer for the SANS Defending Mobile Application Security Essentials course, which is in beta. I'm a board member for OWASP Los Angeles, as well as the president of the Cloud Security Alliance Southern California chapter, and again, based in Los Angeles, so it's quite a ways to get here. Augusta is not an easy place to get to; I left at noon yesterday and got here at almost midnight, and I was like, wow, just to get to Augusta. But it's been great; definitely worth it.

So again, we're going to go over the fundamentals, like I said, hybrid apps, and some of the common findings that you can find in your next assessment or research, or even to kickstart your interest in mobile security. It's very, very simple, I promise. You'll leave with something you didn't know about, or even tools; some of the tools I'll show you will help with, let's say, 75-80% at least of your Android assessment. iOS is more manual, but you'll still leave with a good chunk of knowledge. Then there's the demonstration part, then the tools that I use and the automation pieces, and then we'll finish up with questions.

Android. It's purely Java-based, or C/C++, but mostly everybody interfaces with Java for Android. The runtime for Android is ART, which is the new one, the Android Runtime, or the Dalvik VM. That's the Java virtual machine that converts the Java classes over to Dex bytecode to run on Android devices, which we'll get to in a little bit. The core components of an Android device and application are activities, intents, services, broadcast receivers and content providers. Activities are just the GUIs you see, the pages: when you click and you have a new user interface, that's an activity. An intent basically serves as an action, so if you want to log into an application, you'll have an activity and you'll have an intent to log in; an intent also checks for validation, like whether the user is logged in or not. Services run in the background; they don't have a user interface, so let's say downloading something in the background while the app still runs, that's what a service can be. Broadcast receivers are notifications, and content providers basically expose, like, the file system of the application sandbox, or let's say a SQLite database for credentials, if you want to share that between applications.

The basics of the Google Play review when you submit an application is Google Bouncer, and what Google Bouncer does is analyze the application for, let's say, vulnerable or malicious activity. It throws the application in a virtual machine and looks for anomalous behavior, like I said, malicious behavior or backdoors. It's not as stringent as the Apple App Store, but we'll get to that in a minute, and it doesn't go into strict low-level application behavior, but it does look at some things like vulnerable libraries, OpenSSL for example. If there's an application utilizing a vulnerable OpenSSL library, the Play Store will flag that and let the developer know.

The first place to look, and basically the core configuration file within an Android application, is the Android manifest. It's kind of small, you might not be able to see it here, but this is where all the activities, all the permissions, all the intents, the content providers, all the core components I listed in the previous slide, are defined. They can also define custom permissions, whatever the developer likes. You also see secret codes: say, entering 12345 in your phone opens up a secret menu, whatever the application developer defines. This is where that is listed. It's kind of like the configuration file and the first place to look, so you get an idea of what the application is running.

I forgot to mention: you can open up these components, the activities, content providers, services, broadcast receivers, to third-party applications, to a completely different application, by exporting them. When you export one, you'll define it in here; for the activity here, you'd put exported="true" right here, and that's basically letting a third-party application access your activity. The same goes for content providers and for broadcast receivers. And that's dangerous, right? If there's an activity that's post-authentication, after someone puts their credentials in, and it's exposed to another application, say a banking application where you can see personal information, then obviously that's a big risk. So those are the things you test for: if it's exported, you want to make sure there are validations in place by the application. But again, we'll get to that in a bit; this is just defining the first place to look within an Android application when you decompile an app.

So here's the Android framework. I'm not going to talk through the whole stack here, but I'm going to focus more on the Linux kernel and what, for the most part, separates a regular Linux kernel from an Android Linux kernel: the Binder, which is for inter-process communication, and also paranoid networking. Paranoid networking basically checks permissions based off of the group ID and the socket to see if the application has access to send network traffic, so that's also defined in the Android permissions within the Android manifest from the previous slide. Generally, just to go over the Android framework, they're just Java classes that are used for the Android system and that are exposed like APIs; say, like Bluetooth, they're exposed via a manager, so they have a Bluetooth manager and a Bluetooth service, for example, and those access the lower-level kernel here to get access to Bluetooth. Again, these Java classes talk to the Java Native Interface, which is for native code, so it converts from Java classes to bytecode and then over to native code.

But again, just to focus back on Binder, for inter-process communication: meaning another app wants to access another application's data, for whatever purpose, whatever reason, whether it's an application signed by the same developer or a totally different app, a malicious app trying to get access to an exported activity, service, whatever it may be. That's all handled at the kernel level through Binder, and it's kind of like a proxy between process A and process B. I'll show you in just a second, but what it checks is the process ID and the user ID. Every time an application is installed on your Android device, a unique user ID is set, so that's kind of the sandboxing, and again we'll get to that in just a second.

Here is how Binder works. Again, like a proxy: it checks the process ID and the user ID to see whether they have the correct access and permission to talk to each process. Process A talks to the proxy, which is basically an interface between it and Binder, and this is all done within the kernel. Process B also wants to see if it can get access to process A, and Binder is what's doing the verification here and then giving the okay, because now process B can access process A's information, because it has access and, let's say, the permissions are defined correctly.

All permissions within an Android device are defined within an XML file; everything's kind of a compiled XML file. If you go on an Android device via ADB, the Android Debug Bridge, you can get command-line access; you can do "pm list" to list the packages (package manager is pm), and "service list" lists every service that's defined within Binder. Any service that can talk over inter-process communication is defined as a service. It's kind of background information, but again, Binder does the heavy lifting for inter-process communication within Android; just keep that in mind. Binder is based upon OpenBinder, so again Android is kind of open source at its core, and a lot of components are based upon open-source technology. So again, just remember: Binder, process ID and user ID is what it checks, and that's at the kernel level.

The sandbox, I kind of mentioned it already, is similar to Linux-type permissions: discretionary access control, not mandatory access control. Mandatory access control can be more stringent, like SELinux for example; discretionary means if you allow user ID 12345 to access 9876, that'll be allowed if you allow it explicitly, otherwise by default it's not allowed. So again, it's separated by user IDs. These are both different applications, as you can tell, with different user IDs, and they can't access each other's information unless they explicitly allow it, but by default definitely not. This is what is within the application sandbox of Android applications: the database could be a SQLite database; internal storage could be cache, whatever it may be; preferences is another XML file, which can be used for a lot of things. I see it mostly for insecure data storage, more than anything else, where people are storing passwords in clear text, but we'll look at that in just a bit, so don't worry.

If you have an Android application, the file extension is APK, and an APK file is just a zip file. If you rename the APK to a .zip and extract it, here's the basic file structure. That's actually supposed to be the Android manifest, I typo'd that, but again AndroidManifest is supposed to be here, assets, classes.dex, and this is the bytecode that the Dalvik VM runs, basically the binary. So this is kind of the basics of how Android works with permissions, with components, and basic things to look at when you first get into and decompile an application. But again, this is just an idea so you guys have a foundation to understand what I'm going to show later on.

So we'll jump to the iOS side of things, where the primary language is Objective-C, and it's a messaging language; if you were to use a debugger, you would hook objc_msgSend, and that sends it over to basically be processed by iOS. There's also Swift as well; the only app that I know that's completely written in Swift is Lyft. It's written in layers, and again it exposes APIs. iOS, or Apple, does a good job of providing the documentation for that, but the primary language is Objective-C. Then the App Store review that I noted earlier: again, much more strict. It takes a few days, two or three days, for an application to be deployed, and you've got to keep that in mind as well, because with Google, the same day you upload it, it'll be published. But with iOS it's kind of a pain for some people, some enterprises or manufacturers, and that's partially the reason why, obviously depending on usability, people choose mobile hybrid frameworks. We'll talk about hybrid frameworks in a bit, but you don't have to resubmit to the App Store in order to make changes or updates, which is kind of scary.

The equivalent of the Android manifest in iOS applications is the Info.plist. This is the Xcode version; it's really just another XML file when you decompile an app, and I believe I might have it in the next slide, I'm not too sure. What's defined in here, and this is from a Kevo app (I do a lot of IoT research, and anything that has a mobile app and is connected to the network I'm going to look at, whether it's my car, whether it's my lock, or my light bulbs; this is my new toy that I got), but within iOS and the Info.plist, even here, Apple requires an application to define why it needs a permission. So this one specifically is "always": always use your location when the application is running or even when the application is not running, and it defines a reason as to why it needs that permission. Apple reads this; otherwise they'll send it back to you and ask why you need these sorts of permissions and for what purpose, and why the application has to function that way.

For inter-process communication within iOS applications you have URL schemes. It's not like IPC, but with URL schemes it's like, you know, http://; in this example it's kevo://, or Facebook will have theirs defined here as fb:// in order to call it. So any application can theoretically call another application within the iOS device if they use this scheme, and it's up to the application to provide verification and validation for inter-process communication. So again, permissions are set, theoretically, for iOS here in the Info.plist, as well as IPC, inter-process communication, communicating with other third-party applications within a device, and also any type of basic, let's say, what device the application is targeted for. This one specifically is iOS 8.3, or 8.4, I'm sorry, so that way it's only targeted for newer types of APIs. But again, the first place to look, similar to the Android manifest, within an iOS application.

I'm not going to go through the whole thing as far as the architecture of iOS, but I'll note a few things. Secure boot chain for Apple iOS: it's basically burned into the iOS images from the factory. I'm also going to note the secure element and the Secure Enclave. The secure element is where Apple Pay, any type of financial transaction, lives, and then the Secure Enclave would be Touch ID and the keychain, which is secure storage; any type of credentials or tokens should all be stored within the Secure Enclave, and we'll get to the sandbox in just a minute, which is the next slide. But again, secure element and Secure Enclave are basically secure storage, the Secure Enclave being secure storage for any type of credentials or sensitive info, even if it's not credentials, and the only way an attacker can get access to that is if the device is jailbroken. So sometimes, if there is something really sensitive, people hash or encrypt it and then put it into the keychain; just something to keep in mind.

So the sandbox within iOS (oh, it doesn't look too great): they're unique home directories, again similar to Linux a little bit, and they have their own data container, which is totally separate from the bundle container, and then if the application has iCloud features enabled, you also have another container for that. These are all separate, unique directories when the application is installed onto the device. The file extension for iOS applications is IPA, so app.ipa, and again they're zip files as well: rename it to .zip and here's the basic structure. Any application that you rename to a zip and extract is always going to have this Payload folder. So let's say I extract that Kevo app and I extract another one, let's say Instagram or something; I will have Kevo.app and I'll have Instagram.app in this same Payload folder; it'll be extracted into the same exact structure. But where the meat is, where you want to look, is inside this directory here: the .app folder is where the application binary is at. By default, when you submit an application to the App Store, the apps are encrypted by Apple's DRM, it's called FairPlay DRM, but let's look at it from a pentester's perspective, where a client is going to give me an IPA file. It's not going to be encrypted, so again it's just a zip file, and from there I can just look into this directory, find the binary, drop it into IDA, and then I can see all the client-side code. Very, very simple, not too hard, and I'll have a couple of examples afterwards. These are just other metadata, but the point I wanted you to take here is that this is the main item to look at when decompiling or extracting an iOS app.

So let's talk about hybrid frameworks. Anybody heard of hybrid frameworks before? A few, okay, we'll talk about it. What hybrid is, basically, is iOS, the web and Android cross-platform: it works between all three, you can have one codebase. Obviously that doesn't sound too great, at least for me, because that exposes HTML5 and JavaScript, and then other native vulnerabilities, native API vulnerabilities, within each platform. But again, some of the key things about hybrid are: you can update without redeploying, because it's JavaScript; you own the web server, you own the application server; all it is is what's called a web view. What that web view does basically is act as an in-app browser, an in-app browser for an application, and it dynamically runs code, executes code, like a web app, like I said: HTML5. And HTML5 has its own issues, which I'll note in just a bit, but a lot of these applications are heavy on JavaScript, and with that you also have to keep in mind that people think they can store secrets in JavaScript, like you can't decompile it; it's in clear text. Again, something to note. One codebase here.

Another huge area that needs to be researched, I just don't have the time, is that each hybrid mobile framework has its own marketplace and plugins, and whether they provide code reviews or security reviews, which I doubt. They all have their own marketplaces: think about Google Play, think about Apple's App Store, but now these frameworks have their own marketplaces with thousands of plugins and thousands of apps that kind of piggyback on third-party code that's not even being reviewed or researched. Even uploading is very, very simple, and I'll talk about one instance for a hybrid framework, one of the most common ones.

I was talking about the web view: it basically renders the web page, and it could use either WebKit or Crosswalk, two different web runtimes. The native code, like I said, has its own native vulnerabilities: Objective-C with iOS; there are plenty of, let's say for the URL schemes, for inter-process communication, legacy APIs that have since been deprecated but are still being used by applications, that don't validate certain parameters, for example. Swift, Java, C, C++: with native you kind of have more control over the application. Then, like I was saying with HTML5, you have your own issues with WebSockets, local storage; these are basically on-disk persistent storage. People store cookies on an iOS device in local storage, which is on disk and can never be deleted, not even by the application. You have web workers, access to the file system via the File System API, WebRTC, real-time communication for chat and video communication, and there's plenty more. But again, this opens up a whole new attack surface with mobile hybrid frameworks.

The most common here is Apache Cordova, also known as PhoneGap, and a lot of these other hybrid frameworks piggyback on Cordova. Big enterprises and corporations use Cordova, whether it be banks, private companies, public companies; again, it's the most common, and you can choose the web runtime, but Cordova recently switched over to Crosswalk. Again, I talked about the plugins for the mobile hybrid frameworks and the risky things about them, but they actually call it out within their documentation. It says: a plugin is a package of injected code that allows the Cordova web view within which the app renders to communicate with the native platform on which it runs. So it's basically cross-site scripting, JavaScript injection; that's what a plugin is. You can name a plugin whatever you want, calendar.js, and maybe do some legitimate things, but also do some fun, mischievous, spyware things. It is so easy to publish a plugin; they give you step-by-step instructions and it's up in their repositories. npm is what Cordova uses for their plugins, and again, it's very, very easy to publish a plugin within the Cordova ecosystem. Again, it's injected code and it's going to run within the web view, so again, like a web application, same thing; I think of it as cross-site scripting. And the review process with this is basically none; it's kind of just your own due diligence, which is what they're looking for developers to do, but again, who does that? Here's the code review process, stuff to look for: test for error conditions, explicit errors for bad user input, I don't know what that is, but have labels. There's not much to it. It tells you how to submit it, that's basically the process, but there's no denying, no going back to developers, because npm is its own entity and they're not in charge of how Node.js or JavaScript runs. Again, a huge area to be researched, if anybody has the time or wants to work on it.

This is just for Cordova; every other mobile hybrid framework has its own kind of plugin marketplace. Literally, you go in and just click install and it goes into your application. Very, very simple. An example: with Node.js, there was a developer who basically took their dependencies, their packages, off of npm because, I think, Kik, the messaging service, had some kind of copyright issue with how that repository was named. So the guy got mad and took off his repository, and all his code did, 17 lines of code, was basically add padding to the left side of the page, and it broke everybody's build, because Node.js and JavaScript are dependency-heavy. Node.js runs on npm as well, so there's no verification or validation or anything; anybody can submit and take away these injected plugins or JavaScript code, and you can do some pretty good damage. This one was just taken off a repository, but I could only imagine what can happen if you're running some malicious code, again, for the npm registry.

Here are some of the advisories just within the year for Cordova. This was "Remote exploit of secondary configuration variables in Apache Cordova on Android", and again, rated high in severity; this one was last September, so last year. Another plugin vulnerability; I'm not going to go through them, I'm just going to show you, just within the last year, how many vulnerabilities and how many are high, and remote code execution, for example, that these hybrid frameworks expose. That's a medium here; you can't really see it much, but again, just within the last year. This one was in April, and this one was also a high: "Bypass of access restrictions in Apache Cordova iOS". Another high here: "Cordova cross-application scripting via Android intent URLs", cross-site scripting, in other words. This is within the framework itself, so keep that in mind. I bet you the enterprises, you know, how many times have they updated their whole framework? Probably not much. So I'm pretty sure the security team is doing this once in a while, once they know they're running Cordova. If any of you know you're running Cordova now, you're probably not too happy. And even with the web runtimes there are also vulnerabilities: so Crosswalk has its own OpenSSL issue; this is from the Google Play Store, but it's for Crosswalk as well.

Another big player in the game for hybrid frameworks is Xamarin. Xamarin is owned by Microsoft, and what they say is anything you can do in Objective-C, Swift or Java you can do in C# with Xamarin. So you basically write C# code and it converts that to Objective-C, to Swift and to Java, which is interesting, right? I'm pretty sure there are some issues there. On the devices it runs Mono, which is a .NET runtime, for Xamarin applications, and then for Android applications it runs an ARM executable; it's ahead-of-time compilation. Xamarin also has a free and an enterprise version, and I did not... again, that has another marketplace too, but within its free and enterprise versions they have their own IDE, and their IDE is like a fork of Visual Studio, because again Microsoft owns it, but it also has specific Xamarin functions as well.

So one cool thing that I found, and this is back in 2014 when this was raised: to securely store passwords within an Android application, you're supposed to store them in the Android keystore, and for Xamarin applications they have their keystore password hardcoded into the Xamarin framework. So for anybody with a Xamarin application on an Android device, an attacker can decrypt all their passwords for Facebook, Google or anything that uses this Xamarin.Auth plugin or component for Xamarin. So this guy says, back in 2014: instead of using a hardcoded keystore password, the application should provide its own from a safe origin; otherwise the Xamarin.Social account store and all apps that use Xamarin.Auth components can easily be breached just by looking at the source code on GitHub, because it's open source, by the way; it's all on GitHub. And here's that string, that amazing string that you can use to decrypt the passwords within applications that use Xamarin.Auth.

I first started looking at this in April; I gave this talk, or a similar talk, back at CactusCon, and just yesterday I went and took a look back, and there's some activity back in June. This guy was saying, basically, "I think that this pull request should be reviewed, even if it's past two years from its initial proposal", and the guy said they were working on it in June, and then supposedly it was merged, but it's not merged; I already looked at it. It's still not merged to master, so it's still an issue, and this is July, this is, you know, not too long ago. So while I was clicking around researching this, I was laughing, because I saw this post of this guy who found the same thing, and this is in July as well. He's like, "I wanted to store some sensitive information like refresh tokens in the keystore, I was going to use another key vault storage plugin", and in the Xamarin.Auth library, which leverages the keystore, they have the password hardcoded. He's like, "What's going on, am I missing something?", which is not the case; it's in plain text. But all of a sudden, I thought it was funny that people are kind of taking note after years of this being a vulnerability. But again, anybody using Xamarin on an Android device is pretty much at risk of their credentials being compromised.
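Editor's added example, not part of the talk and not Xamarin's or Xamarin.Auth's code: a small Python triage scanner for the class of finding described above, a keystore whose protecting password is a string literal in the app. It runs over decompiled source (jadx output for Java, or a .NET decompiler's output for Xamarin assemblies) and flags three patterns: a string constant whose name suggests a password or secret, a KeyStore load/store call protected by an inline literal, and a load/store call protected by one of those constants. The sample input is constructed for illustration; its literals are placeholders, not the value the speaker refers to, and findings never echo the recovered value. Anything else passed as the password (user input, a key unwrapped from the Android Keystore) is left for manual review rather than guessed at.

```python
"""Triage scanner for hardcoded keystore passwords in decompiled app source.

Editor's example, not Xamarin.Auth code. Heuristic, line-based and meant for
pentest triage: a hit means anyone with the APK can read the password that
protects the keystore, so the keystore adds no secrecy on top of the app itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Identifier names that suggest a password or secret (case-insensitive).
SECRET_NAME = re.compile(r"(?i)pass|pwd|secret")
# A string (or char[]) constant initialised from a literal, Java or C# spelling.
CONST_ASSIGN = re.compile(
    r'\b(?:String|string|char\[\])\s+(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"'
)
# KeyStore.load/store(stream, password) in Java, or .Load/.Store in C#.
# The password argument is captured up to the closing ");" of the statement.
KEYSTORE_CALL = re.compile(
    r"\.(?P<method>load|store|Load|Store)\s*\(\s*[^,]+,\s*(?P<pw>.+?)\)\s*;"
)
# Password argument forms: an inline literal, or a bare identifier,
# each optionally followed by .toCharArray() / .ToCharArray().
LITERAL_PW = re.compile(r'^"(?P<value>[^"]*)"(?:\s*\.(?:toCharArray|ToCharArray)\(\))?$')
IDENT_PW = re.compile(r"^(?P<name>\w+)(?:\s*\.(?:toCharArray|ToCharArray)\(\))?$")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def redact(secret: str) -> str:
    """Report only the length; a pentest report must not republish the secret."""
    return "<redacted, %d chars>" % len(secret)


def scan_source(text: str) -> List[Finding]:
    findings: List[Finding] = []
    constants: Dict[str, str] = {}  # secret-looking constants seen so far, by name
    for no, line in enumerate(text.splitlines(), 1):
        m = CONST_ASSIGN.search(line)
        if m and SECRET_NAME.search(m["name"]):
            constants[m["name"]] = m["value"]
            findings.append(Finding(no, "hardcoded-secret-constant",
                                    "%s = %s" % (m["name"], redact(m["value"]))))
        k = KEYSTORE_CALL.search(line)
        if not k:
            continue
        pw = k["pw"].strip()
        lit = LITERAL_PW.match(pw)
        ident = IDENT_PW.match(pw)
        if lit:
            findings.append(Finding(no, "keystore-literal-password",
                                    "%s() protected by %s" % (k["method"], redact(lit["value"]))))
        elif ident and ident["name"] in constants:
            findings.append(Finding(no, "keystore-hardcoded-constant",
                                    "%s() uses constant %s" % (k["method"], ident["name"])))
        # Any other expression (user prompt, Android Keystore-wrapped key, ...)
        # is not flagged; it needs a human to follow the data flow.
    return findings


# Constructed sample of what a decompiler typically emits. Not real project
# code; every literal below is a placeholder, not an actual password.
SAMPLE_DECOMPILED = '''
public class AccountStore {
    private static final String KEYSTORE_PASSWORD = "placeholder-not-real";
    void open(InputStream in, OutputStream out, KeyStore ks, KeyStore ks2) throws Exception {
        ks.load(in, KEYSTORE_PASSWORD.toCharArray());
        ks.store(out, "another-placeholder".toCharArray());
        char[] pw = promptUser();
        ks2.load(in, pw);
    }
}
// C# (Xamarin) spelling of the same mistake:
static readonly string KeyStorePassword = "csharp-placeholder";
ks.Load(stream, KeyStorePassword.ToCharArray());
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_DECOMPILED):
        print("line %d  %-28s %s" % (f.line, f.kind, f.detail))
```

Expect false positives on names like passwordHint; the point of the tool is to shortlist lines for manual review, not to replace it. On a real target, run it over the whole decompiled tree and then confirm each hit by checking whether the same literal also opens the keystore file shipped in the app's assets or data directory.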
uh another another thing within Z zamarin with Android uh 5.1 and Below um zamarin uses a DL and it drops it or it had dropped it into the SD card and SD card is World writable World readable uh and what someone can do is basically overwrite that D file and back door the application and that's exactly what people did so and then developers have to rebuild their application using zamarin for Android 5.1 or newer and I think most Enterprises Target Android 4.4 right now so um this was last
year um here's another one it's taric app builder it's one of those drag and drop type of applications uh and uses backend as service so uh let's say MySQL MSS SQL things like that basically Outsource that to uh toic and for me when I see easy I know there's some issues there so having to look at their documentation and it piggybacks on on Cordova and uh what they advise to uh their customers is they want everybody to deploy via their App Store uh so that way they can have full control 100% full control on who has the ability to install their app which is not true uh for one and for two iOS are they going
to encrypt those those uh applications is it going to be that much easier for attackers to get access to those apps and also even uh the malicious behavior the libraries the back doors and all that I I guarantee you that taric is not putting throwing those into uh a virtual machine and analyzing that type of information they're not Google but also uh there to kind of summarize here they want uh if you're going to store Secrets uh they're advising you to uh offis skate and minimize um the JavaScript code which you can just Google thecate JavaScript and it'll do it for you so obviously that's not a solution but they're suggesting or advising uh their clients
to do so or just load JavaScript remotely because you can't Pro you know you can't proxy the information at runtime right being sarcastic you could you could proxy it look at the hcp response and then view everything it's it's sending back to uh the application never store secrets and JavaScript hardcoded never store secrets on the client side if you're going to store Secret Storm in the key store for Android or the uh keychain for iOS and this was from a post here uh within uh their um it's ionic again ionic uses toic app builder but there was about like 80 83 or 84 like thumbs up like hey this is good advice use it and they have a kind of a general
disclaimer as well when you use Telerik, and it says Telerik does not enforce any security permissions, it will invoke any user-supplied data, object code and process regardless of whether it is trusted or not. so they said
it. one of the last ones is GeneXus. I've seen GeneXus only in kind of the Latin America area, within applications that are used within Latin America, and again it's one of those app builders, drag-and-drop type of things, and it has compatibility with various languages, C, PHP and other backends as well; some of them are specific, that's kind of why I put that out there. and what it uses for authentication and authorization is OAuth. how many are familiar with OAuth? okay, definitely a lot more, sweet, because that's going to be a huge topic. and some of the insecure defaults: everything's defaulted over HTTP, even their REST
interface to call OAuth tokens, all over HTTP, and they also advise to hardcode your client secret within your application binary, which is not a good idea. we'll talk about that in a bit as to why it's not, but once you have the client secret and the client ID you can basically get granted an access token or a refresh token, but GeneXus only uses access tokens, so they're long-lived. so access tokens are something that, say, Twitter uses, I don't know when the last time you guys logged into Twitter or Facebook or Instagram, probably like never unless you had to reinstall or something like that, but again long-
lived, you don't have to have usernames and passwords, all you have to do is grab this client ID and client secret and you're good, you can get refresh tokens. so common findings, I'll start with SSL and TLS issues, always, for the most part always, unless they're pinning. but these are the things I look for within iOS: if they're using a certain library like AFNetworking, it doesn't verify or validate certificate chains, you can allow all HTTPS certificates, sometimes I see that for debugging purposes but they'll deploy it to production forgetting, maybe, I'm hoping forgetting, I don't know, and they're turning off SSL pinning mode. SSL pinning is basically only
allowing the application to communicate with a server that has either a public key or a domain name or just that certificate only, that's what SSL pinning kind of enforces. so these are, when I drop it into Hopper or IDA Pro for example, I'm looking at client-side code, I look for this before I even install the application, I'm going to statically analyze and then I'm going to verify and validate during runtime. so again, more APIs I look for within iOS, okay I got to hurry up here, and here's a new one for iOS 9 and above, allow arbitrary loads, this is the plist file, and it's basically,
with App Transport Security, it only enforces TLS 2, I mean 1 point, no, 2, I wish, 1.2, and forward secrecy cipher suites, so if you're a bank, something like that, you'd want to enforce App Transport Security, but in this case they're disabling it. iOS 9 and above it's default. I'm going to kind of go through this quickly because I want to show you the demo. these are the Android vulnerable APIs that I search for as well, this is easy, when I get the application I decompile it and I open it up in JD-GUI, and I'll show you in a bit. something to know within Cordova: Cordova
doesn't support true certificate pinning, so if a mobile app or banking app is using Cordova, something to keep in mind. and insecure data storage is everywhere within mobile applications, that's what I see the most, that's what I find, whether it's personal information, encryption keys, secret keys or values, passwords, OAuth tokens definitely. SQLite databases, Realm databases, which are iOS specific, binary cookies, cache and temp directories is where I look for those. you cannot see this, but this is a client encryption key here, client secret here, API keys, and this is all within a JSON file for an iOS application. this is something that a
tool won't find, this is when I'm on the file system of, let's say, my iPad and I'm just checking within the bundle container I showed you guys in the sandbox earlier. I kind of look through everything, I'm nosy, so I happen to find this and I was like sweet, you know, client encryption keys, this is like server encryption keys, like private keys, not even public keys.
here's another one, again I'm in the container here, the bundle container for the application, and again another instance of a private key being stored within an XML file in clear text. this is while the application is running too, so the device is jailbroken, so that's how I'm able to get access, SSH
in. and by the way, this is their own encryption, I don't know why they try to encrypt their own things instead of using the platform security encryption mechanisms, but yeah, that's why I said "but why". so Android side of things, again same thing, usernames, passwords, all the secret values. shared preferences is the difference here, it's an XML file, I noted earlier, and people or developers seem to think that's a secure location because it's within the application sandbox, but within mobile security if somebody gets a device, let's say it gets stolen, lost, and it's stored within the shared preferences, you don't have to have a username or password if credentials are stored in
there, or if tokens are stored in there. here's an instance where the access keys, let's see, I'm sorry, the access token is being logged to the console during application runtime, so within Android you could do adb logcat and just watch all the logs, or you can grep for the specific application, but in this instance they were logging the access token as well as the refresh token. and here's the shared preferences file where they're storing the access token here in clear text, and I can just pop that into another Android app, the same thing, into their shared
preferences, and now I have access, easy, refresh the page, no username or passwords required, and then I'll have access forever basically. here's a funny one with a SQLite database: basically one of my clients decided to clone their production database into a SQLite database, which included usernames, passwords, sorry, here's the usernames, here's the passwords, and then the hashed passwords, and then other tables, it showed like emails, other people's emails, it showed their Windows SID, it showed everything, and I was like what is going on.
here's just a note about OAuth, and they describe it in their RFC, but it's the threat of obtaining client secrets here, and let me see if I can, here's the attack here: obtain secret from source code or binary, and that's the client ID and client secret I was talking about, in order to retrieve an access token. so the client secret is used to authenticate the identity of the application to the service's API when the application requests to access a user's account, and must be kept private between the application and the API. so it's not private if it's within the client-side code, and in
my world. here's an instance in real life where Samsung SmartThings lock, within their application binary, hardcoded their client secret, and again just like the other apps I showed, but now people are able to get access to the front door because of that. and again I kind of highlighted here client ID and client secret, at this point we had everything we needed to get our own OAuth token, and then you have access to someone's front door, so that's cool, like James Brown says. I'll let you guys read it, I want to read it out loud. more instances, this is with GeneXus obviously, where they hardcode the client secret, client ID, and
obviously renamed this, but these are the endpoints in which you authenticate to, again clear text, it's supposed to be a secret. okay, I'm gonna get to the demo real quick because I'm running out of time. more secrets, perfect. I have one running here and it's called Mobile Security Framework, it's Python based, I'll just run it for you guys, I believe I have a scan here
already. I'll show you my friends from Subaru because I seem to be picking on them
lately, if it runs; if not we'll go to QARK. QARK's Python based as well, and QARK was created by the LinkedIn guys. so it's asking us to provide the APK, the path of the APK, which I will, and I didn't even separate this, but close your eyes guys, I think I have it here, demo apps, perfect.
here's a manifest file, this is for Subaru. I gave a talk at IoT Village at DEF CON, and again, their client secret, client ID, I was able to get access to my car based upon that, forever, to unlock my car door locks, everything. but you can't see it, it looks kind of weird, I think it's the terminal, but what QARK does is get three different Java decompilers, JD-Core, Procyon and CFR, and aggregates the best results, and it's going to statically analyze, and it's decompiling right now, so we'll hop over, hopefully this is
running. cool, so there's Mobile Security Framework, obviously it runs responsive, so in Twitter Bootstrap, shows the main components here, activities, services, receivers, providers, also Java as well, I'll show you guys this real quick, or in just a second, but this is on GitHub, free tool, tells you about permissions. going to have to go quickly here, but anything that looks like HTTP connections or anything that has this type of activity or API, it categorizes it for you. what I always look for first is passwords, so in this case see if there's any password, I see a URL, it turns out there's a local web server that starts up, but here I'll go into the fun stuff,
do Secret
oh, looks like, here we go, consumer key, secret, hardcoded into the app. okay, wrapping up guys, but again very, very easy, and this is also for iOS applications as well, not as in detail, but you can see classes within an application and the plist files as well. but the other tools I was going to show you aside from QARK is AndroBugs Framework, Python based as well, real quick, give me one minute, there's the file, and this is really quick, and it again statically analyzes the application, the client-side code of the application, very, very quick, it's going to spit out a text file, and this will be my last one, but if
you guys have any questions or want to know more, just hit me up or I'll show you guys afterwards. very, very easy, these tools again do like 80% of the job for you, and this is before you install the application onto your device. okay, 1 minute, let me just show you the file real quick, and, looks like, and then we will close out: just SSL checks, vulnerable methods, dynamic code loading, anything stored in external. okay, let me go to my final slide
and I'm using Google Slides by the way, so it's taking some time, come on... okay, you guys can read that real quick. okay, thanks guys
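As an added example, not the speaker's code and not taken from MobSF, QARK or AndroBugs, here is a small Python static-triage pass in the spirit of the checks described in the talk: it scans a constructed decompiled-Java fragment and a constructed Info.plist for hardcoded OAuth client secrets, tokens written to logcat or SharedPreferences, cleartext endpoints and NSAllowsArbitraryLoads. The rule names, regexes and sample inputs are this example's own assumptions.

```python
import re

# Added example: minimal static triage over decompiled Android source and an
# iOS Info.plist, mirroring the manual checks the talk describes. Rule ids and
# patterns are this example's own; they are not MobSF/QARK/AndroBugs rules.
RULES = [
    ("hardcoded-client-secret",          # OAuth client/consumer secret literal
     re.compile(r'(client|consumer)[_ ]?secret"?\s*[=:]\s*"[^"]{8,}"', re.I)),
    ("allow-all-hostname-verifier",      # cert hostname check switched off
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|setHostnameVerifier\(.*return true")),
    ("token-logged",                     # access/refresh token sent to logcat
     re.compile(r"Log\.[vdiwe]\(.*(access|refresh)[_ ]?token", re.I)),
    ("token-in-shared-prefs",            # token persisted in SharedPreferences
     re.compile(r'putString\(\s*"(access|refresh)_token"', re.I)),
    ("cleartext-endpoint", re.compile(r'"http://[^"]+"')),
    ("ats-arbitrary-loads",              # App Transport Security disabled
     re.compile(r"<key>NSAllowsArbitraryLoads</key>\s*<true/>")),
]


def scan(text):
    """Return a list of (rule_id, line_number) for every match, ordered by line."""
    findings = []
    for rule_id, pattern in RULES:
        for m in pattern.finditer(text):
            findings.append((rule_id, text.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[1])


# Constructed decompiled-Java fragment for the demo; not from any real app.
JAVA_SAMPLE = '''public class ApiClient {
    static final String CLIENT_ID = "demo-client-id";
    static final String CLIENT_SECRET = "s3cr3t-value-demo-only";
    static final String TOKEN_URL = "http://api.example.invalid/oauth/token";
    void save(SharedPreferences.Editor e, String tok) {
        Log.d("Auth", "access_token=" + tok);
        e.putString("access_token", tok).apply();
    }
}
'''

# Constructed Info.plist fragment that disables App Transport Security.
PLIST_SAMPLE = '''<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
'''

if __name__ == "__main__":
    print(scan(JAVA_SAMPLE), scan(PLIST_SAMPLE))
```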
first, I got a copy of Android Security Internals, it's a great book, I've read it. what does Binder check for, what permissions, or what? anybody know? yes? no, what does it check for? that's what it is, but what does it check for? like, yes, that's good, who said that? cool. all right, I got another book here, this one is iOS Application Security, that's a great book too. yep, what is the iOS application sandbox, how does it sandbox applications? simple, think of it as Linux, they're all separate directories, yeah, they're all separate home directories. all right, cool. also, for the drawing I got some ticket numbers, if
you guys can check your tickets, there's things for a grab bag, not sure what's in there, but this