© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Man-In-The-Front Ray Kelly.

Presentation transcript:

Slide 1: Man-In-The-Front: Modifying the Android OS for Mobile Application Testing
Ray Kelly, Innovation and Research, HP Fortify on Demand, March 2014

Slide 2: Introduction
Ray Kelly, Innovation and Research, HP Fortify on Demand
- Lead Developer of WebInspect
- Work with FoD Mobile Team
- Penetration Testing Background
- Web and Mobile Application Testing
- Creator of MineChat for iOS and Windows Phone

Slide 3: Agenda
- Challenges of Mobile Testing
- Overview of the Android operating system
- Identify key Android source code files for modification
- The Android build process
- Demonstrate a custom Android OS with intercepting code

Slide 4: Inspiration

Slide 5: Inspiration

Slide 6: Challenges of Mobile Testing

Slide 7: Why is Mobile Testing Important
- Mobile development is the hottest type of development right now.
- New surface area equals dangerous surface area.
- If anyone's going to put features over security to get the product out the door, it's likely to be a mobile team.
- Many enterprise mobile developers haven't had the security training that other types of developers have had.
- Many assume that because mobile back ends aren't visited directly they are more secure (obscurity assumption).

Slide 8: Challenges of Mobile Testing (Client / Network / Server)
Client:
- Credentials in memory
- Credentials on filesystem
- Data stored on filesystem
- Poor cert management
Network:
- Cleartext credentials
- Cleartext data
- Backdoor data
- Data leakage
Server:
- Injection flaws
- Authentication
- Session management
- Access control
- Logic flaws

Slide 9: OWASP Mobile Top 10 Risks
- M1: Insecure Data Storage
- M2: Weak Server Side Controls
- M3: Insufficient Transport Layer Protection
- M4: Client Side Injection
- M5: Poor Authorization and Authentication
- M6: Improper Session Handling
- M7: Security Decisions via Untrusted Inputs
- M8: Side Channel Data Leakage
- M9: Broken Cryptography
- M10: Sensitive Information Disclosure

Slide 10: Challenges of Mobile Testing: Server Side
- Mobile APIs are vulnerable to most of the same vulnerabilities as standard websites, e.g. SQL injection, XSS, path traversal, etc.
- JSON/XML-based APIs need to be tested with valid structures as well as invalid structures.
- Need to Man-In-The-Middle: set up a proxy configuration.
- Not all apps respect device proxy settings (especially Global HTTP Proxy on iOS).
- Difficult to test when using SSL and certificate pinning.

Slide 11: Challenges of Mobile Testing: Network
- Privacy/data leakage, clear text data
- Need to MiTM, same challenges as server side
- Difficult to test when using SSL and certificate pinning

Slide 12: Challenges of Mobile Testing: Client
- The big unknown, especially without source code.
- Even with source code it's not always easy (what is sensitive input?).
- What's the concern, my data is safe, right? Once jailbroken, all bets are off.
- What is being written to the file system?
  - Credentials
  - Private information
  - Sensitive photos outside of the sandbox
- SQLite
  - Application storage
  - iOS WebKit cache (includes query string)
  - Example: RSA 2014 Mobile App (source: IOActive)

Slide 13: Common vulnerabilities: Promiscuous client-side storage
- Perhaps the most abused functionality is client-side storage
- Storage of credentials in plist files, SQLite databases
- Failure to use KeyChain to store credentials
- Storage of sensitive application data on filesystem
- Apps (e.g. banks) storing their images in the public folder rather than in their sandbox
- Applications logging to the system log, but sending sensitive app data along with it

Slide 14: The Android OS

Slide 15: The Android OS: How Low Can We Go (Android architecture diagram; source: Wikipedia)

Slide 16: The Android OS: How Low Can We Go (same diagram, highlighting the layers to intercept; source: Wikipedia)
- WebKit
- SQLite
- HTTPClient
- File Access

Slide 17: Building the Android OS

Slide 18: The Host and Environment
- Ubuntu bit
- Sounds crazy, but follow the instructions!

Slide 19: Building
- Run "build/envsetup.sh" to set up the environment

Slide 20: Building
- Run "lunch sdk-eng" to select the sdk target and images
- Don't bother with the lunch menu

Slide 21: Building
- Start the build: "win_sdk" or "sdk"

Slide 22: Building: Success!

Slide 23: Building for x86
- Use the x86 build target for better emulator performance
- Little to no documentation
- Another hidden "lunch" target
- The win_sdk target does not build x86
- Copy the linux x86 system-images folder
Commands:
  build/envsetup.sh
  lunch sdk_x86-eng
  make sdk

Slide 24: Modifications

Slide 25: Modifications: Helper Class
- Common class for logging and monitoring
- Place the class in java.io

Slide 26: Modifications: HTTP
- There are a few places to capture HTTP traffic
- Most apps utilize java.net and Apache HTTP:
  /libcore/luni/src/main/java/libcore/net/http/HttpEngine.java
  /external/apache-http/src/org/apache/http/protocol/HttpRequestExecutor.java

Slide 27: Modifications: File System
- Common read/write functions:
  /libcore/luni/src/main/java/java/io/FileInputStream.java
  /libcore/luni/src/main/java/java/io/FileOutputStream.java

Slide 28: Modifications: SQLite
- One main SQLite class:
  /frameworks/base/core/java/android/database/sqlite/SQLiteDatabase.java
- Main functions for logging:
  - Constructor SQLiteDatabase for Open
  - insertWithOnConflict for Insert
  - updateWithOnConflict for Update

Slide 29: Monitoring

Slide 30: Monitoring With logcat
  adb.exe logcat -s "ShadowOS"

Slide 31: Monitoring With Remote Monitor
- Using a socket connection to a specific port
- Data formatted in XML
- Configure the hosts file and push it with adb
- Must start the emulator with the "partition-size" parameter to avoid an "Out Of Memory" error
  emulator -avd Test -partition-size 512
  adb.exe push hosts /system/etc
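The helper class that the Modifications and Monitoring slides describe, written out as an added example (not HP's ShadowOS code, which the slides do not show): one static log() entry point that the patched FileOutputStream, SQLiteDatabase and HttpEngine call, which emits a single XML event both to logcat under the "ShadowOS" tag and to the remote monitor over a TCP socket. The class name, the monitor host name and port, and the event schema are assumptions; the re-entrancy guard is the check a practitioner wants, since a hook inside an I/O primitive that the helper itself uses would otherwise recurse.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;

// Hypothetical helper (added example, not HP's code). In AOSP it would sit in libcore's
// java.io package as the slides suggest; the package line is omitted so it runs on a stock JDK.
public final class ShadowOS {
    public static final String TAG = "ShadowOS";            // filter: adb logcat -s "ShadowOS"
    static final String MONITOR_HOST = "shadowos-monitor";  // assumed name, mapped in the pushed hosts file
    static final int MONITOR_PORT = 9999;                   // assumed remote-monitor port
    private static Socket monitor;
    // Re-entrancy guard: a hook inside an I/O primitive this helper itself uses must not recurse into log().
    private static final ThreadLocal<Boolean> inLog = new ThreadLocal<Boolean>();

    // Called from the patched classes (FileOutputStream ctor, SQLiteDatabase.insertWithOnConflict, HttpEngine).
    public static void log(String kind, String target, String detail) {
        if (Boolean.TRUE.equals(inLog.get())) return;
        inLog.set(Boolean.TRUE);
        try {
            String xml = toXml(kind, target, detail);
            System.err.println(TAG + ": " + xml);   // android.util.Log.i(TAG, xml) in the AOSP build
            send(xml);
        } catch (Throwable t) { /* monitoring must never alter the app under test */ } finally {
            inLog.set(Boolean.FALSE);
        }
    }

    // One XML element per event; values are escaped so a path or SQL fragment with < or " cannot break the monitor's parser.
    static String toXml(String kind, String target, String detail) {
        return "<event kind=\"" + esc(kind) + "\" target=\"" + esc(target) + "\" ts=\""
             + System.currentTimeMillis() + "\">" + esc(detail) + "</event>";
    }

    static String esc(String s) {
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;")
                                 .replace(">", "&gt;").replace("\"", "&quot;");
    }

    private static synchronized void send(String xml) {
        try {
            if (monitor == null || monitor.isClosed()) monitor = new Socket(MONITOR_HOST, MONITOR_PORT);
            OutputStream out = monitor.getOutputStream();
            out.write((xml + "\n").getBytes("UTF-8"));
            out.flush();
        } catch (IOException e) {
            monitor = null;   // reconnect on the next event; the logcat line was already emitted
        }
    }
}
```

Any TCP listener on the assumed port (for example a small XML-reading script on the host named in the pushed hosts file) serves as the remote monitor; each line it receives is one self-contained event element.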

Slide 32: To Do
- Two-way communication (filters)
- Interception of more content, e.g. Contacts, Sockets, Geolocation
- Logger integrations (WebInspect, Burp, Encoders/Decoders)
- Logger modify and push hosts file (adb.exe)
- Logger upload of applications (adb.exe)

Slide 33: Reach

Slide 34: Questions