Avalanche Disclosure
DESCRIPTION
Story about static analysis of 15k mobile apps.
TRANSCRIPT
Avalanche Disclosure: a story about static analysis of 15k mobile apps
Who am I?
• Work hard on defense
• Have fun in offensive
• Break things
Alexey Troshichev
@pl0lq
#ZeroNights2013 hackapp.com 2
What’s wrong with an app?
Insecure transfer
Injections
Insecure storage
Architecture flaws
Mobile OWASP for bla-bla-bla …
Common Attacks
On-device analysis?
Unlock Device
Remove DRM
Setup research environment
Dynamic analysis
Time & Brains
Why always just the binary file?
An app is dangerous for the user, but what about the vendor?
Why waste time attacking one user, when we can just break into the backend and get them all?
What can an app tell us?
Testing environment disclosure
Third-party service authentication data
Built-in accounts
Something you can’t even imagine =)
Why is it interesting?
Installation is not needed
In the end, we are just searching for strings…
…and that can be automated =)
Let’s build a Grinder!
AWK, STRINGS, GREP?
Not suitable for binary containers
Too much garbage
DRM
“Typical” application
Actual application
Steps
Containers recursive traversal
“Unusual” files search
Selective GREP
Structure validation
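The four steps above, as an added example that is not the talk's grinder and not hackapp.com code. It treats an .ipa as a zip, descends into nested zip containers, keeps a per-extension histogram, flags "unusual" file types on sight, greps only members that are not known media types (the garbage problem with plain strings/grep on a bundle), and keeps a hit only if its structure checks out: a 40-character base64-alphabet AWS secret that mixes cases and digits, or a PEM body that decodes to DER starting with an ASN.1 SEQUENCE. The pattern set, the extension lists, the sample bundle and the dev.example.test host are constructed for this example. One caveat when running it on store-downloaded apps: FairPlay DRM encrypts the main executable's code segment, so strings inside the Mach-O itself are not greppable without decryption, while plists, configs and nested archives in the bundle are stored in the clear.

```python
"""Added example, not the talk's grinder or hackapp.com code: a minimal
'grinder' that walks an .ipa (a zip), recurses into nested zip containers,
records the file-type histogram, flags unusual files, greps only text-like
members for credential patterns and validates each hit's structure."""
import base64
import binascii
import io
import os
import re
import zipfile
from collections import Counter

# Interesting on sight, whatever they contain (assumed list, extend as needed).
UNUSUAL_EXT = {".p12", ".pfx", ".pem", ".key", ".ovpn", ".mobileprovision", ".sql"}
# Media/binary types that only produce grep garbage: never grep these.
SKIP_EXT = {".png", ".jpg", ".jpeg", ".gif", ".mp3", ".mp4", ".mov", ".ttf", ".otf", ".car"}

PATTERNS = {
    # "AWS-secret:<40 base64 chars>" style; the key name may be separated by quotes or tags.
    "aws_secret": re.compile(rb"(?i)aws[_-]?secret.{0,20}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    # PEM private key body between the BEGIN/END armour.
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----([A-Za-z0-9+/=\s]+?)-----END"),
    # Testing-environment disclosure: dev/test/staging hosts over http(s) or svn.
    "dev_url": re.compile(rb"\b(?:https?|svn)://(?:dev|test|staging)\.[A-Za-z0-9.\-]+(?::\d+)?[^\s\"'<>]*"),
}


def _valid_aws_secret(s: bytes) -> bool:
    """Structure check: real secrets mix cases and digits; placeholders like
    'XXXX...' do not, so they are dropped instead of reported."""
    return all(re.search(p, s) for p in (rb"[a-z]", rb"[A-Z]", rb"[0-9]"))


def _valid_private_key(body: bytes) -> bool:
    """Structure check: the body must be base64 of DER whose first byte is an
    ASN.1 SEQUENCE tag (0x30), as every PKCS#1/PKCS#8/SEC1 key starts with."""
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


VALIDATORS = {"aws_secret": _valid_aws_secret, "private_key": _valid_private_key}


def grind(container: bytes, prefix: str = "", findings=None, stats=None):
    """Recursive container traversal. Returns (findings, extension histogram);
    findings are (path, kind, value) tuples, nested paths read 'outer.zip!/inner'."""
    findings = [] if findings is None else findings
    stats = Counter() if stats is None else stats
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            stats[ext or "(none)"] += 1
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):      # nested container: descend
                grind(data, path + "!/", findings, stats)
                continue
            if ext in UNUSUAL_EXT:                         # "unusual" files search
                findings.append((path, "unusual_file", ext))
            if ext in SKIP_EXT:                            # selective grep: skip media
                continue
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(data):
                    hit = m.group(1) if pat.groups else m.group(0)
                    check = VALIDATORS.get(kind)
                    if check and not check(hit):           # structure validation
                        continue
                    findings.append((path, kind, hit.decode("ascii", "replace").strip()))
    return findings, stats


def summarize(stats: Counter):
    """(number of files, number of distinct extensions), the shape of the
    talk's '224061 files of 1396 types' count."""
    return sum(stats.values()), len(stats)


def build_sample_ipa() -> bytes:
    """Constructed sample bundle, not a real app: a fake secret in a plist,
    a placeholder secret that validation must reject, a fake PEM key inside
    an .ovpn, a dev URL inside a nested zip, and a PNG that must be skipped."""
    fake_key = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16)  # DER-shaped filler, not a key
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("config/endpoints.json", b'{"api": "https://dev.example.test:8888/v1/"}')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe" + b"\x00" * 64)  # Mach-O magic stub
        z.writestr("Payload/Demo.app/Settings.plist",
                   b"<key>aws_secret</key><string>EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0</string>")
        z.writestr("Payload/Demo.app/README.txt", b"aws_secret = " + b"X" * 40)
        z.writestr("Payload/Demo.app/vpn/client.ovpn",
                   b"<key>\n-----BEGIN PRIVATE KEY-----\n" + fake_key + b"\n-----END PRIVATE KEY-----\n</key>")
        z.writestr("Payload/Demo.app/bundle.zip", inner.getvalue())
        z.writestr("Payload/Demo.app/logo.png", b"\x89PNG aws_secret " + b"a1B" * 14)
    return outer.getvalue()


if __name__ == "__main__":
    found, histogram = grind(build_sample_ipa())
    for p, k, v in found:
        print(f"{k:13} {p}  {v}")
    print("files: %d, types: %d" % summarize(histogram))
```

Run with no arguments to grind the constructed sample; for a real bundle, pass the .ipa bytes to grind(). The placeholder in README.txt and the bytes inside logo.png never reach the report: the first fails the structure check, the second is never grepped.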
Let’s take ~15k iOS apps from the iTunes Finance section…
…I like Finance
What’s inside?
224061 files of 1396 types
Low-hanging fruit: 94452 files = 42% of the whole
Shared authentication
“Secure” communication
Third party services
Access to user data
AWS-secret:eyH0aw7IW7wdL8z2eSyK/A8q7rIF7uEMVpvQkbwC
You “publish” your contacts and photos by installing the app… =(
Not identified
• RSA private key:MIICeQIBADANBgkqhkiG9w6xmHVejkTokPs68ow==
• secret:164AC36F64FCC2D5
• secret:33728B17A93A4A92
• secret:4711429DAE3C6F7C
• secret:62ebd594bc903feeea5ee459715e08fa
• secret:6508E621E259AC4A
• secret:697E46CE13AA557B
• secret:76a863da0821f58ecb13e31cb761c573
• secret:a7df64e1d5a33a93c12b06fa0f8c6f47
• secret_android:2859389F73072C90
• secret_android:3D05E67E03216A9B
• secret_android:66549A9BB401AF56
• secret_android:678649CED531B8E8
• secret_android:745A209380630940
(and more, and more, and more…)
4% of apps released with hardcoded credentials
DEV Environment
svn://mokah.siab01.com/
https://test.freerange360.com/
http://test.mmf.berlingskemedia.net
http://test.informatel.com
http://test.improveagency.com
http://test.appswiz.com
https://test.freerange360.
https://dev.magtab.com:8888
http://dev.touchpublisher.com
http://dev.pressrun.com/
http://dev.openstreetmap.de/
http://dev.aleph-labs.com
(and more, and more… )
Mad Stuff
Shocking configs
SMS gateway
OpenVPN config
Unpredictable
Developer certificates: P12 containers, most are encrypted, but…
HAVE NO TIME TO EXPLAIN
Is there an App for that?
http://hackapp.com/
Dashboard
Report
Details
Questions ?
URL: http://hackapp.com/
Twitter: @hackapp
Mail: [email protected]