Nowadays, like the technology itself, hacking activity against mobile phones is growing very rapidly, both against mobile devices (the operating system) and against mobile applications. Some application providers even dedicate a penetration testing activity to the applications they create, right before release to the public, while others open a bug bounty program; sadly, the rest just watch and do nothing.
On the other side, malware developers around the world have also already moved their main target and have been developing malware to take over mobile devices, which surely hold all our personal/private and work data; some of it even makes us pay to get it back.
This talk will focus more on the recent trend in mobile device security and on mobile security penetration testing activity, also in practice: showing several types of common weaknesses/vulnerabilities within mobile applications and how exploitation is done by the attacker, how malware is created and planted, until it successfully takes over the target mobile device.
9. Pegasus Exploit
CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel's location in memory.
CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
CVE-2016-4657: Memory Corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
10. Pegasus Exploit
Pegasus is developed by an American-owned NSO Group in Israel, which specialises in zero-days, obfuscation, encryption and kernel level exploitation. The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information.
14. StageFright
"Stagefright" is the nickname given to a potential exploit vulnerability in the libStageFright mechanism, which helps Android process video files.
http://www.androidcentral.com/stagefright
17. OWASP Mobile Top 10
M1. Weak Server Side Controls
M2. Insecure Data Storage
M3. Insufficient Transport Layer Protection
M4. Unintended Data Leakage
M5. Poor Authorization and Authentication
M6. Broken Cryptography
M7. Client Side Injection
M8. Security Decisions via Untrusted Inputs
M9. Improper Session Handling
M10. Lack of Binary Protections
OWASP Mobile Top 10 2014 - https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
18. Mobile Pen-test
What a pen-tester "normally" does is static analysis and dynamic analysis.
Static: simply recompile, reverse, decrypt.
Dynamic: simply run the app and observe its behaviour, logs, db updates, etc.
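The "logs" part of dynamic analysis is where Unintended Data Leakage (M4) usually shows up: the app writes a password or session token to logcat, and anything that can read the device log gets it. The following is an added example, not code from the deck; it runs a small set of leak patterns over a few constructed logcat lines (the app name, tags and token values are made up) and shows the fix, masking the value before it is logged.

```python
import re
from typing import Dict, List

# Constructed sample logcat output (not from the deck or any real app).
# Lines 2 and 4 leak a password and a session token into the shared device log.
SAMPLE_LOGCAT = """\
05-12 10:01:02.100  1234  1234 D LoginActivity: starting login flow
05-12 10:01:02.250  1234  1234 D LoginActivity: POST /api/login user=alice password=Sup3rSecret!
05-12 10:01:02.900  1234  1250 I OkHttp: <-- 200 OK https://api.example.test/api/login (640ms)
05-12 10:01:03.010  1234  1234 D SessionStore: saved token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123
05-12 10:01:03.300  1234  1234 D MainActivity: rendering dashboard
"""

# Values that must never reach logcat. The patterns are deliberately broad:
# during a pen-test a false positive costs a glance, a miss costs a finding.
LEAK_PATTERNS: Dict[str, re.Pattern] = {
    "password": re.compile(r"\b(pass(word|wd)?|pwd)\s*[=:]\s*\S+", re.I),
    "bearer_or_jwt": re.compile(
        r"\b(token|authorization)\s*[=:]\s*\S+"          # key=value style
        r"|eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+",  # bare JWT
        re.I,
    ),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Standard `logcat -v threadtime` line layout.
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$"
)


def scan_logcat(text: str) -> List[dict]:
    """Return one finding per (line, pattern) whose message carries a secret-looking value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # not a threadtime line (or a continuation); skip it
        for kind, pat in LEAK_PATTERNS.items():
            if pat.search(m["msg"]):
                findings.append({"line": lineno, "tag": m["tag"].strip(), "kind": kind})
    return findings


def redact(msg: str) -> str:
    """The mitigation: log the event, not the secret. Mask any matching value
    before the string is handed to the logger."""
    out = msg
    for pat in LEAK_PATTERNS.values():
        out = pat.sub("[REDACTED]", out)
    return out


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']:>3}  tag={f['tag']:<14} leak={f['kind']}")
    print(redact("POST /api/login user=alice password=Sup3rSecret!"))
```

In practice the input is `adb logcat -v threadtime -d` captured while you drive the app through login, payment and logout; the same patterns also apply to the app's own files and databases ("db updates"), since a value that is wrong in the log is equally wrong in an unencrypted SharedPreferences file.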
22. SecureBox AndroidManifest
Decompile the app using Apktool.
Inspect AndroidManifest.xml; if nothing looks wrong, continue…
We can try to access the Secure activity directly using the Activity Manager tool.
25. Inject a valid App with MSF
Create a Metasploit APK.
Decompile the Metasploit APK using Apktool.
Decompile the legitimate application using Apktool.
Copy the smali folder from Metasploit into the smali folder of the legitimate application.
Find the "correct place" to inject and invoke the Metasploit project.
Recompile the application.
Sign and verify.
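Both the SecureBox slide (an activity reachable from outside the app because the manifest exports it with no permission) and the injection slide (a repackaged build that ends up declaring things the original never did) are caught by the same static check: read AndroidManifest.xml out of the apktool output and compare it with what the developer intended. The following is an added example written for this page, not tooling from the deck or from Apktool or Metasploit; the manifest, package name and component names are constructed, and the repackaged variant simply adds two permissions to the baseline to stand in for whatever a trojanized build requests.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree keys namespaced attributes as "{uri}local"

# Constructed manifest, the shape apktool writes out. Not the deck's SecureBox app.
# SecureActivity is exported with no permission, so any app (or `adb shell am start`)
# can open it. AdminActivity is exported but guarded by a permission, which is fine.
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.securebox">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="SecureBox">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SecureActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".AdminActivity" android:exported="true" android:permission="com.example.securebox.ADMIN"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.securebox.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed "repackaged" build: same app, two extra permission requests.
REPACKAGED_MANIFEST = MANIFEST.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.RECORD_AUDIO"/>\n'
    '  <uses-permission android:name="android.permission.READ_SMS"/>',
)

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(elem: ET.Element) -> bool:
    """Platform rule for activities/services/receivers: an explicit android:exported wins;
    otherwise a component with an intent-filter is exported (pre-Android 12 default).
    Providers have a targetSdk-dependent default that this simplified check ignores."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem: ET.Element) -> bool:
    """The LAUNCHER activity is expected to be exported, so it is not a finding."""
    return any(
        c.get(A + "name") == "android.intent.category.LAUNCHER"
        for f in elem.findall("intent-filter")
        for c in f.findall("category")
    )


def exposed_components(manifest_xml: str) -> List[str]:
    """Components another app can reach that have no android:permission guarding them."""
    app = ET.fromstring(manifest_xml).find("application")
    return [
        elem.get(A + "name")
        for elem in app
        if elem.tag in COMPONENT_TAGS
        and is_exported(elem)
        and not is_launcher(elem)
        and elem.get(A + "permission") is None
    ]


def requested_permissions(manifest_xml: str) -> Set[str]:
    root = ET.fromstring(manifest_xml)
    return {e.get(A + "name") for e in root.findall("uses-permission")}


def unexpected_permissions(suspect_xml: str, baseline: Set[str]) -> Set[str]:
    """Permissions the suspect build requests that the known-good build never did.
    A release pipeline can fail the build on a non-empty result."""
    return requested_permissions(suspect_xml) - baseline


if __name__ == "__main__":
    print("exposed:", exposed_components(MANIFEST))
    print("new permissions:", unexpected_permissions(REPACKAGED_MANIFEST, requested_permissions(MANIFEST)))
```

The exported-component list is exactly what a tester then tries with `am start`, so the developer should run this check first and either set `android:exported="false"` or add an `android:permission` on anything in it. The permission diff is a cheap integrity signal on top of signature verification: a re-signed, repackaged APK cannot carry the original signing certificate, but when the certificate is not pinned anywhere, a manifest that suddenly asks for audio or SMS access is the next most visible symptom.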
30. Survive
Anything that must truly remain private should not reside on the mobile device; keep it on the server.
Design the mobile client and the server following security best practice.
Design and implement all apps under the assumption that the user's device will be lost or stolen.
Include a mobile security pen-test/audit in the software development life cycle.