Threats

Apps perform network communication, which often happens over untrusted networks such as cafe Wi-Fi, where traffic can be sniffed or tampered with.

The phone can be lost or stolen, so no sensitive app data should be recoverable in cleartext from the filesystem.

Unofficial app markets distribute malware, often as repackaged versions of legitimate apps.

Big attack surface (NFC, Bluetooth, camera, SMS, USB, QR codes, ...)

Common vulnerabilities

Insecure data storage: data stored in cleartext, hardcoded keys, or other schemes that can be reverse engineered.

Insecure transmission of data: TLS not used, or implemented incorrectly (e.g. certificate validation disabled).

Lack of binary protections: no protections against debugging, tampering, or reverse engineering.

Client-side injection: untrusted data is handled in an unsafe manner (SQL, JavaScript in WebViews, intents).

Hard-coded passwords: in the app code or data.

Leakage of sensitive data: data leaking through the OS or frameworks (logs, backups, caches).

OWASP Mobile Top 10 (2016)

M1 - Improper Platform Usage

M2 - Insecure Data Storage

M3 - Insecure Communication (insufficient transport layer protection)

M4 - Insecure Authentication

M5 - Insufficient Cryptography

M6 - Insecure Authorization

M7 - Client Code Quality

M8 - Code Tampering

M9 - Reverse Engineering

M10 - Extraneous Functionality

App Taxonomy

Native: developed using the Android or iOS SDK

Web: HTML5, run in the browser

Hybrid: HTML5 inside a WebView, with a bridge to some OS functions (React Native, jQuery Mobile, ...)

Mobile pentest

Whitebox

Blackbox

If white/grey box (source code available):

Static analysis

Dynamic analysis

Mapping the app: use the app, entry points, data flows, functions

Exploit

Report

Identify sensitive data: at rest (datastore), in use (memory), in transit (network)

Env

Android SDK and testing on a rooted device

Set up Burp with its CA certificate installed on the phone and certificate pinning bypassed.

Automated dynamic analysis for Android: Drozer

Static analysis

Use JD-GUI (http://jd.benow.ca/) to decompile the APK's classes (after converting the dex to a jar with dex2jar). Read the code to understand which libraries it uses, how communication is handled, and obvious flaws.
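
The "obvious flaws" pass is mostly grepping for known-bad patterns. The following is an added example for these notes (not code from the page or from JD-GUI/dex2jar): a small scanner over decompiled Java that flags the common vulnerabilities listed above (ECB mode, hardcoded keys and credentials, static IVs, weak hashes, cleartext URLs, risky WebView settings, custom TrustManagers). The rule set, the package name com.example.app and the sample class are assumptions made up for the example.

```python
import os
import re

# Hypothetical rule set written for these notes (not from any particular tool):
# each entry maps a finding name to a regex matched against one line of
# decompiled Java (JD-GUI output).
RULES = {
    "ecb-mode": re.compile(r'Cipher\.getInstance\(\s*"[^"]*ECB[^"]*"'),
    # key material passed as a string literal or an upper-case constant
    "hardcoded-key": re.compile(r'new\s+SecretKeySpec\(\s*(?:"[^"]*"|[A-Z_][A-Z0-9_]*)\s*\.getBytes\('),
    "static-iv": re.compile(r'new\s+IvParameterSpec\(\s*(?:"[^"]*"\s*\.getBytes\(|new\s+byte\[\])'),
    "weak-hash": re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"'),
    "cleartext-url": re.compile(r'"http://[^"]+"'),
    "hardcoded-credential": re.compile(r'(?i)\b(?:password|passwd|pwd|secret|api_?key|key)\s*=\s*"[^"]+"'),
    "webview-js-enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    "webview-file-url-access": re.compile(r'setAllow(?:Universal|File)AccessFromFileURLs\(\s*true\s*\)'),
    # a custom TrustManager is not a bug by itself; review its body for an empty check
    "custom-trustmanager": re.compile(r'checkServerTrusted\s*\('),
}


def scan_source(source: str) -> list:
    """Return (line number, rule name, stripped line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_tree(root: str) -> dict:
    """Run scan_source over every .java file below root (e.g. a JD-GUI export)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".java"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample of what a decompiled class might look like; the package
# name, class and values are made up for this example.
SAMPLE_SOURCE = """\
package com.example.app;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class CryptoHelper {
    private static final String KEY = "1234567890abcdef";
    static String password = "hunter2";
    String apiUrl = "http://api.example.com/login";

    public static byte[] enc(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes(), "AES"));
        return c.doFinal(data);
    }

    void setup(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowUniversalAccessFromFileURLs(true);
    }
}
"""

if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE_SOURCE):
        print(f"{lineno:>3}  {rule:<24} {text}")
```

Run `scan_tree("output8/src")` (or wherever JD-GUI saved the sources) to get per-file hits; every hit still needs a manual look, since e.g. a `checkServerTrusted` that really validates the chain is fine.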

Automated open-source Android static analysis tools:

Network traffic

Intercept requests using Burp

Data storage

Encrypted?

iOS Security

Secure Boot Chain

Secure Enclave

Code Signing

Process Level SandBoxing

Data-at-rest Encryption

Exploit Mitigation

File-level Crypto (Data Protection)

Jailbreak detection

Bypassing Apple App Store review:

Automatic reference counting

App file system layout

Security testing

Analyzing Android Apps

Android development kit (SDK)

$ android avd          # open the AVD manager to create a virtual device
$ emulator -avd kitkat # start the virtual device named "kitkat"
$ adb devices          # list connected devices and emulators

BusyBox

Drozer

Attacking Android Apps

Intent: data object that describes a task to be performed (used to start activities/services and send broadcasts)

Activity: graphical interface of the app for users

Install app

adb install diva-beta.apk

Decompile classes

First get the jar:

$ sh dex2jar.sh diva-beta.apk
dex2jar diva-beta.apk -> diva-beta_dex2jar.jar

You can use JD-GUI to decompile the classes

Getting AndroidManifest.xml and smali code
$ java -jar apktool_2.0.3.jar d diva-beta.apk -o output8
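
The decoded AndroidManifest.xml is where the attack surface is declared: every exported activity, service, receiver or provider can be reached by an intent from any other app on the device. The following is an added example for these notes (not from the page, apktool or Drozer) that parses a manifest, applies the export rules (explicit android:exported, otherwise an intent-filter makes the component exported, and providers default to exported when minSdkVersion is below 17), reports debuggable/allowBackup, and prints the adb commands to poke each exported component. The manifest, package com.example.app and all component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Qualified name of an android:* attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


def parse_manifest(xml_text: str) -> dict:
    """Summarise package-level flags and the export status of every component."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(uses_sdk.get(android_attr("minSdkVersion"), "1")) if uses_sdk is not None else 1
    app = root.find("application")
    info = {
        "package": package,
        "minSdk": min_sdk,
        "debuggable": app.get(android_attr("debuggable")) == "true",
        "allowBackup": app.get(android_attr("allowBackup"), "true") == "true",  # default is true
        "usesCleartextTraffic": app.get(android_attr("usesCleartextTraffic")),
        "components": [],
    }
    for kind in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            name = comp.get(android_attr("name"), "")
            if name.startswith("."):
                name = package + name
            explicit = comp.get(android_attr("exported"))
            has_filter = comp.find("intent-filter") is not None
            if explicit is not None:
                exported, reason = explicit == "true", "android:exported set explicitly"
            elif kind == "provider":
                exported, reason = min_sdk < 17, "provider default (exported when minSdk < 17)"
            else:
                exported, reason = has_filter, "has intent-filter" if has_filter else "no intent-filter"
            info["components"].append({
                "kind": kind, "name": name, "exported": exported, "reason": reason,
                "permission": comp.get(android_attr("permission")),   # exported but guarded
                "authorities": comp.get(android_attr("authorities")),
            })
    return info


def exported_components(info: dict) -> list:
    return [c for c in info["components"] if c["exported"]]


def launch_commands(info: dict) -> list:
    """adb one-liners to reach each exported component from the host."""
    pkg = info["package"]
    cmds = []
    for c in exported_components(info):
        if c["kind"] in ("activity", "activity-alias"):
            cmds.append(f"adb shell am start -n {pkg}/{c['name']}")
        elif c["kind"] == "service":
            cmds.append(f"adb shell am startservice -n {pkg}/{c['name']}")
        elif c["kind"] == "receiver":
            cmds.append(f"adb shell am broadcast -n {pkg}/{c['name']}")
        elif c["kind"] == "provider" and c["authorities"]:
            for auth in c["authorities"].split(";"):
                cmds.append(f"adb shell content query --uri content://{auth}")
    return cmds


# Constructed manifest for the example (shape of apktool's decoded output).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
    <receiver android:name=".NotifyReceiver">
      <intent-filter><action android:name="com.example.app.NOTIFY"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.app.notes"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print("debuggable:", info["debuggable"], "allowBackup:", info["allowBackup"])
    for c in exported_components(info):
        print(f"{c['kind']:<9} {c['name']}  ({c['reason']}; permission={c['permission']})")
    print("\n".join(launch_commands(info)))
```

Feed it `output8/AndroidManifest.xml` from the apktool run above. Components reported as exported with a permission are still reachable by any app holding that permission, so check the permission's protectionLevel as well.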
Manual test

Test the app and check the output of the command:

$ adb logcat

It shows the app's log messages: files written, activities started, request URLs, and often sensitive values a developer left in debug logging.
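
Logcat is shared by every process on the device, so the useful step is to scope it to the target app's PID and then look for values that should never be logged. The following is an added example for these notes (not from the page or from adb): it parses `adb logcat -v brief` output, finds the app's PID from the ActivityManager "Start proc" line, and flags credentials, tokens, JWTs and cleartext URLs in that process's lines. The log lines, package name com.example.app and PIDs are constructed for the example.

```python
import re

# Default/"brief" logcat format: L/Tag( PID): message
BRIEF_LINE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\):\s?(.*)$")
# ActivityManager announces new processes as "Start proc PID:package/uid ..."
START_PROC = re.compile(r"Start proc (\d+):([\w.]+)/")

# Leak patterns written for this example (adjust to the app under test).
LEAK_RULES = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|pin)\s*[=:]"),
    "token": re.compile(r"(?i)\b(?:token|secret|api_?key|authorization)\s*[=:]"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "cleartext-http": re.compile(r"\bhttp://\S+"),
}


def parse_brief(line: str):
    """Split one brief-format logcat line into its fields, or None."""
    m = BRIEF_LINE.match(line)
    if not m:
        return None
    level, tag, pid, msg = m.groups()
    return {"level": level, "tag": tag.strip(), "pid": int(pid), "msg": msg}


def app_pids(lines, package: str) -> set:
    """PIDs the ActivityManager started for the given package."""
    pids = set()
    for line in lines:
        rec = parse_brief(line)
        if rec and rec["tag"] == "ActivityManager":
            m = START_PROC.search(rec["msg"])
            if m and m.group(2) == package:
                pids.add(int(m.group(1)))
    return pids


def find_leaks(lines, package: str) -> list:
    """Leak findings restricted to the package's own processes."""
    pids = app_pids(lines, package)
    findings = []
    for line in lines:
        rec = parse_brief(line)
        if not rec or rec["pid"] not in pids:
            continue
        for rule, rx in LEAK_RULES.items():
            if rx.search(rec["msg"]):
                findings.append({"pid": rec["pid"], "tag": rec["tag"], "rule": rule, "msg": rec["msg"]})
    return findings


# Constructed logcat excerpt; only PID 4521 belongs to the app under test.
SAMPLE_LOGCAT = [
    "I/ActivityManager(  612): Start proc 4521:com.example.app/u0a123 for activity com.example.app/.LoginActivity",
    "D/LoginActivity( 4521): Attempting login for user=alice password=S3cret!",
    "D/OkHttp( 4521): --> POST http://api.example.com/login",
    "D/AuthStore( 4521): saved token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123",
    "D/OtherApp( 7777): password=notours",
    "I/chatty  (  612): uid=1000 system_server expire 3 lines",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOGCAT, "com.example.app"):
        print(f"[{f['rule']}] {f['tag']}({f['pid']}): {f['msg']}")
```

Pipe a real capture in with `adb logcat -v brief > app.log` and pass `open("app.log").read().splitlines()`; on newer Android the default format is threadtime, hence the explicit `-v brief`.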

Inspecting the system

You can run the following commands to inspect the files created by the app (its private data lives under its package directory):

$ adb shell
    > cd /data/data/<package>/

Copying files

$ adb pull <remote file>

Reading DBs:

$ sqlite3 ids2
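
Opening the database with sqlite3 answers the "Encrypted?" question from the data storage checklist above only by eyeballing. The following is an added example for these notes (not from the page or from sqlite3): it walks every table of a pulled database, picks columns whose names suggest secrets, and gives each value a rough verdict (cleartext, digest-length hex, base64-encoded, binary blob) plus its Shannon entropy. The database name ids2, the tables and the rows are constructed for the example; a real app's schema will differ.

```python
import collections
import math
import os
import re
import sqlite3
import tempfile

# Heuristics written for this example: column names worth a look, and two
# value shapes that suggest the value was at least encoded before storage.
SENSITIVE_COL = re.compile(r"(?i)pass|pwd|pin|token|secret|key|card|ssn|cvv")
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; natural-language text sits well below 4."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in collections.Counter(text).values())


def classify(value) -> str:
    """Rough verdict for one stored value."""
    if isinstance(value, bytes):
        return "binary-blob"          # possibly ciphertext; check where the key lives
    if not isinstance(value, str):
        value = str(value)
    if HEX_RE.match(value):
        # 32/40/64 hex chars are the digest lengths of MD5/SHA-1/SHA-256
        return "hash-like" if len(value) in (32, 40, 64) else "hex-encoded"
    if B64_RE.match(value):
        return "base64-encoded"       # decode it; base64 is not encryption
    return "cleartext"


def audit_sqlite(path: str) -> list:
    """One finding per value in a sensitive-looking column of any table."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE_COL.search(col):
                    continue
                for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                    if value is None:
                        continue
                    text = value if isinstance(value, str) else str(value)
                    findings.append({
                        "table": table, "column": col, "rowid": rowid, "value": value,
                        "verdict": classify(value),
                        "entropy": round(shannon_entropy(text), 2),
                    })
    finally:
        conn.close()
    return findings


def build_sample_db(path: str) -> None:
    """Constructed stand-in for a pulled app database (not real app data)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
        conn.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
        conn.execute("INSERT INTO users VALUES (2, 'bob', '5f4dcc3b5aa765d61d8327deb882cf99')")
        conn.execute("CREATE TABLE creds (id INTEGER, api_token TEXT, pin TEXT)")
        conn.execute("INSERT INTO creds VALUES (1, 'QUJDRDEyMzQ1Njc4OTBhYmNkZWZnaGlqaw==', '1234')")
    conn.close()


def demo() -> list:
    """Build the sample db in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ids2")
        build_sample_db(path)
        return audit_sqlite(path)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['table']}.{f['column']} rowid={f['rowid']}: {f['verdict']:<15} "
              f"entropy={f['entropy']}  {f['value']!r}")
```

For a pulled file run `audit_sqlite("ids2")`. A "hash-like" verdict still needs a check for salting, and "base64-encoded" usually decodes straight back to the secret; only a high-entropy blob whose key is held outside the app's data directory (Keystore, user input) counts as encrypted at rest.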

WebView

Main classes: WebChromeClient, WebViewClient

Native component provided by the operating system to be able to load web content and interact with the OS. Browser on steroids.

Risks: connection hijacking (content loaded over cleartext HTTP can be replaced by an attacker on the network), XSS in the loaded content.

A Same Origin Policy (SOP) bypass, combined with file:// access enabled in the WebView, can give injected script access to the device file system.

Threat modeling

Microsoft Threat Modelling (DFDs and STRIDE)

Attack trees

Cigital Threat Modelling: Assets, Threat Agents, Controls modelled directly, Component Diagram

Mobile course

Unencrypted sensitive data

Types of apps

Mobile-aware web site

WebView app

Hybrid /framework-based app

Full native code app

Real binaries, debuggers

Simulators for devices you don’t have

Android testing env

SDK + physical phone over USB, or SDK + system image (emulator)

Create an Android Virtual Device

iOS

Xcode