Offensive Security Testing of Mobile Applications

Mobile applications and services are playing a key role in enterprise communications as well as financial and subscriber services. Larger organisations supervise mobile devices of employees for corporate communication and office collaboration. Financial companies offer mobile services to improve customer satisfaction and to shape their new habits. Service providers also supply mobile devices with some applications to offer their subscriber services such as entertainment or communication. However, due to insufficient security enforced on mobile applications, they are also under attack by malware, state-sponsored actors or just causal attackers who are after unauthorised financial benefits or cyber intelligence. Android, Windows and iOS mobile platforms offer security features to improve mobile security, they require full integration of mobile applications though.

This tutorial will be focused on the mobile applications security testing with practical exercises to highlight mobile security vulnerabilities of applications and design. Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed with demonstrations. New security testing techniques for Android, Windows and iOS applications will also be parts of the exercises such as assessing secure storage requirements, analysing multi-platform security integration, reverse engineering of mobile applications, testing cloud services and debugging supervised devices. The exercises are based on sample vulnerable applications as well as real life mobile applications available on the application stores. Improving mobile security testing skills may help software developers, consultants, administrators and architects to improve existing services as well as penetration testers to improve existing security testing services such as mobile applications and MDM security testing.

Tutorial registration (AusCERT Conference 2016)

https://conference.auscert.org.au/registration  

TUTORIAL HEADLINES 

SECURITY TESTING REQUIREMENTS FOR MOBILITY 

Mobile applications and devices need a well-designed test platform for security assessments. Various test devices including tablets, mobile phones, virtual machines, embedded devices and watches are required to run target mobile applications. Jailbreaking and customisation of devices is another task to create a flexible test platform. In addition, essential test tools, official SDKs and vulnerable applications should be parts the test lab. In this section, participants will learn fundamentals of mobile security and how can they build a test lab.

DEVICE INTEGRATION SECURITY

Supervised devices, financial applications and subscriber services may need a secure platform integration to manage users’ actions. Secure storage, secure compile, encryption used and platform security objects such as sandboxing, internal services used (e.g. intent, broadcast, content provider, keychain/keystore), fingerprint modules, two-factor authentication and device policies are essential testing targets. Moreover, application specific services, information disclosure issues and functions used should be analysed in security perspective. During exercises, sample applications will be tested for common mobile security vulnerabilities, lack of platform integration, application specific security issues and insecure design.

REVERSE ENGINEERING

Reverse engineering for mobile applications is required to identify fundamental security issues such as information disclosure through source code, security bypass using runtime manipulation, insecure security and access management. In addition, it can be used for attacking target applications as malware, bypassing sandboxed information and bypassing security policies such as jailbreak detection and device enforcements. Reverse engineering section will teach fundamentals for mobile security such ARM shellcoding, explaining VMs (e.g. Xamarin/Mono, Dalvik and ART), disassembling mobile applications and debugging using GDB, LLDB and ADB. The exercises in this section will include unpacking and dissembling applications, Drozer exercises, runtime manipulation exercises using Cyript and GDB.

TRANSPORT SECURITY

Mobile applications need backend services on cloud or corporate networks to complete their features. However, most of mobile applications have security issues to implement transport security for backend services. Encryption issues such as lack of TLS enforcements, insecure crypto options and missing TLS pinning features are well-known security vulnerabilities for mobile implementations. Exercises in this section are based on using various proxies to intercept mobile traffic, attacking TLS implementations and bypassing TLS pinning.

BYOD and MDM SECURITY

Device security testing requirements including supervised devices, stolen device cases and MDM requirements will be discussed in this section. Various security problems of MDM solutions, well-known design issues, lack of cloud security and bypassing enforcements will be demonstrated.

AusCERT 2014 Tutorials from Sense of Security

Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014, details are accessible at the tutorials and the presentations pages of the event. 

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications, registration link is accessible from here. We're planning to explain test procedures of the mobile pen-test, testing tools and the cutting-edge techniques. We will cover iOS and Android platforms for the tutorial, the demonstrations prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The followings are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services

• Mobile Applications 101
• Preparing a mobile pen-test lab 
• Auditing platform integration 
• Compile options, Encryption, Storage, Caching, Logs
• Reverse engineering
• Unpacking, Deobfuscating, Permission Management
• Source code analysis, Protection bypass, Sandbox Issues
• Runtime manipulation, Debugging
• Transport and communication features 
• Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared an another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. Registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks starting from the LAN attacks to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, VLAN supported switch, Cisco SIP and Skinny services. The followings are the headlines of the mobile pen-test tutorial.

Next Generation Attacks and Countermeasures for VoIP

• Network Infrastructure Analysis
• WAN/LAN/VLAN analysis, Service discovery
• IP Telephony Server Security
• Weak configuration, Management issues
• SIP, Skinny and RTP Analysis
• Discovery, Authentication, Call tests, VAS
• Enumeration, Eavesdropping, Call Spoofing
• VoIP Clients’ Security 
• Advanced Attacks
• Trust hacking, Proxy hacking, DoS, Fuzzing

If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at viproy.com. 

SSL over IO Usage for Converting HTTPS Connect Requests on MITM Analysis

Mobile applications use SSL Connect requests to connect remote server for HTTPS Communications. Mobile Applications should be analyzed dynamically during Penetration Tests and MITM attacks are very useful in this stage. HTTPS communications should be converted via MITM Proxies such as Burp Proxy and Fiddler2. These tools useful to convert HTTPS Connect requests and intercept them. Manual request mangling and fuzzing depend on this HTTPS Connect conversion. These tools are closed source and they don't explain this feature.   

MBFuzzer is a subproject of Yakindan Egitim, I'm mentor of this MBFuzzer and Mehmet Kilic is the developer of it. MBFuzzer is an MITM Mobile Application Fuzzing tool, HTTPS Connect conversion is one of the main requirements. We presented a way to convert HTTPS Connect requests via IO (Input/Output).  It has a little CA Error bug but it works for conversion, it will be fixed later.

When MBFuzzer Proxy detects a HTTPS Connect Request (CONNECT domain:port HTTP/1.1), it connects target (domain:port) and send "HTTP/1.1 200 Connection Established" message to client socket. After this message, Client tries to initiate a HTTPS session and MBFuzzer accepts this connection as a server via sending connection to ssl_io function (ssl_connection=ssl_io(connection)).

This Code is Responsible to Convert HTTPS Requests

#creating ssl io object

def ssl_io(io)

begin

   sslContext = OpenSSL::SSL::SSLContext.new

   sslContext.cert = OpenSSL::X509::Certificate.new(File.open('./certs/server.crt'))

   sslContext.key = OpenSSL::PKey::RSA.new(File.open('./certs/server.key'))

   sslContext.ca_file = './certs/cacert.pem'

   sslContext.verify_mode = OpenSSL::SSL::VERIFY_NONE

sslio = OpenSSL::SSL::SSLSocket.new(io, sslContext)

sslio.sync_close = true

sslio.accept

rescue Exception => sslException

puts "SSL Exception : #{sslException}"

end

return sslio

end

Standard implementations of ruby SSL servers use OpenSSL::SSL::SSLServer class, unfortunately this class is not useful in this situation. It's designed to serve SSL via TCP Socket and it doesn't work without it. We used OpenSSL::SSL::SSLSocket class that designed to initiate SSL client requests. We disabled "sync" that try to make an SSL handshake and started to accept this IO as an SSL socket. After this modifications; MBFuzzer accepts HTTPS Connect requests, handles SSL IO as a server, manipulate content, sends it to remote server and redirect response to client via SSL session.

We have a few bugs of course, a tls error caused by CA issues and IO.sysread problems. You can inspect our project, use this HTTPS Proxy Library in your project or send us fixes. It's license is GPL, you can use or contribute it. We are working on bugs, on-the-fly certification generation and request mangling features. I'll keep this blog updated about MBFuzzer and Yakindan Egitim projects.

Yakindan Egitim: Mobile Application Fuzzer via SSL MITM

Yakindan Egitim project is started last week, it's a training project like Google Summer of Code. Homepage is www.yakindanegitim.org, Blog address is blog.yakindanegitim.org and Github address is github.com/YakindanEgitim . 

I started a sub-project at Yakindan Egitim, Mobile Application Fuzzer via SSL MITM (mbfuzzer). I'm mentor of MBFuzzer and waiting for attendees. Also I'll code it, don't feel that you are alone. You could join the project if you are a student at any university and interested. Please visit our blog for further information.

Mobile Application Fuzzer via SSL MITM (mbfuzzer)

Project Home 

github.com/yakindanegitim/mbfuzzer

Development Platform : Ruby 2.0

MBFuzzer will be developed for MITM (Man in the Middle) Fuzzing. Mobile applications use HTTP, SOAP, XML and JSON based data streams for communicate the servers. Many mobile applications use SSL Connect method for server communication. This method should be converted to HTTPS GET/POST method for MITM attacks. MBFuzzer will provide HTTP/HTTPS Proxy functionality and Real-Time Fuzzing feature with HTTP Connect conversion support

Features

• HTTP/HTTP Proxy Support
• HTTPS Connect Conversion Support
• On-The-Fly Valid SSL certificate generation for target server
• Real-Time Response/Request Fuzzing Support
• Fake Service Installation via XML/JSON Templates
• Supports Different Injection Payloads using Templates

Inspired Projects

Android Proxy - https://code.google.com/p/androidproxy

Project Team Requirements

• Good Understanding of SSL/TLS Technology
• Ruby Development Skills
• JSON & XML Knowledge
• Fuzzing Knowledge