© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Episode I
THE FORENSIC MENACE
Episode I
THE FORENSIC MENACE
Episode II
RETURN OF THE NETWORK/BACK-END
Episode III
ATTACK OF THE CODE
Connect
Twitter: @NowSecureMobile
—
Subscribe to #MobSec5, our weekly mobile security news digest
http://mobsec5.nowsecure.com/
—
Web: nowsecure.com
Katie Strzempka
Director of Mobile Services | NowSecure
Contents
● Areas of analysis/coverage
● Forensics deep dive: Mobile data at rest
● Approaching Android
● Approaching iOS
Your analysis checklist (a must have)
● Why a checklist?
○ Consistency across results & teams
○ Creates a minimum baseline for security
● Creating your checklist
○ Internal policies
○ OWASP Top 10, NIAP (for government), etc.
○ Group into high-level categories
○ Break-down categories into specific tests
● Allow analysts some leeway to get creative
A repeatable process drives consistency and metrics
● Establish testing requirements
● Identify areas for interpretation/creativity
● Help with on-boarding & training staff
● Show developers what and how you will test
● Explain what must be fixed & what’s accepted
● Ensure full coverage (more on that later)
● Repeatability allows for measurement
● Make reporting consistent
For inspiration, see:
OWASP Mobile Security Testing Guide
● Mobile forensics & data recovery
● Network, web services, and API testing
● Server-side penetration testing
● Reverse engineering & code analysis
Image source: https://www.bostonglobe.com/arts/2015/12/12/how-lightsaber-works/RY5A2SwWShmYiSORqdgMdN/story.html
“You know that [little droid leaking data] is going to cause me a lot of trouble.”
Where on a mobile device can data-at-rest be found?
● SD card/Emulated SD card (Android)
● System log files
● RAM
● Source code (hardcoded)
● Web cache/history (hybrid/web-wrapper apps)
● Private application folder
● Keychain
What tools will allow you to achieve your data recovery and analysis objectives?
● Standard forensic acquisition software will recover file system
● But it won’t:
○ Decrypt Keychain to see if sensitive values are stored
○ Recover syslog files (requires a special Cydia package)
○ Extract memory for running app processes
● Command-line knowledge is required for open-source tools
● The wrong tools can lead you down a tedious, time-consuming path
Sharpest tools in the shed
Target: Relevant tools and/or documentation
File system
● Android: debug bridge (i.e., “adb pull” command)
● iOS: libimobiledevice
System log files
● Android: logcat command-line tool
● iOS: Syslog (instructions for non-developers)
iOS Keychain
● iOS Keychain analyzer
RAM
● Android: Android debug bridge (i.e., “adb dumpsys meminfo”)
● iOS: heapdump-ios
A full suite of mobile tools: Santoku Linux
Prioritize findings by risk (likelihood+significance+value)
● Risk depends on location of data
● Take into consideration:
○ Sensitivity of the data
○ Likeliness of exploit
○ Remote vs. local attack
● Common Vulnerability Scoring System (CVSS) is one framework for assigning risk to vulnerabilities
[Chart: Likelihood vs. Significance]
Image source: https://en.wikipedia.org/wiki/Finn_(Star_Wars)
“[Droid Android], please!”
Requirements for Android forensic analysis
Rooted Android device w/ USB cable
We’ll be using a Google Nexus 5
Linux machine or VM w/ Android Studio tools
May we recommend Santoku Linux?
Where does data “rest” on Android?
Common storage areas
● Private application folder*
● SD Card / Emulated SD Card*
● System log files
● RAM
● Hard-coded data in source code
● Web cache/history (for hybrid/web wrapper apps)
Step 1: Locate your app (adb)
Access the device shell:
Locate the app data directory:
Find the app’s private directory:
Step 2: Pull app data off phone
Pull data from the SD card/app directory (adb pull <data-path-source> <destination>):
Step 3: Analyze app data
App files recovered from Any.do Android app:
Image source: http://www.officialpsds.com/Darth-Vader-PSD108098.html
“The [Emperor iOS] is not as forgiving as I am.”
Requirements for iOS forensic analysis
Linux machine or VM
Again, give Santoku Linux a try
Jailbroken iOS device (≤ 9.3.3) w/ USB cable
We’ll be using an iPhone 6
Remote connection (SSH) & secure copy/paste (SCP)
Instructions here
Where does data “rest” in iOS?
Common storage areas
● Private application folder*
● Syslog
● RAM
● Keychain
● Hard-coded values
● Web cache/history (for hybrid/web wrapper apps)
Step 1: Locate your app
Remotely connect to your iOS device
App bundles and data location:
App bundles location:
App data location:
Step 1 (continued): Locate your app
Sort by most recently installed:
Change into that directory/make sure it’s the target app:
Step 2: Pull app data off phone
Make note of the full path from the previous step:
/private/var/mobile/Containers/Data/Application/983FCB4E-E5B5-4C8C-A4AF-F9139FE74EC3 (for example)
SCP command to copy files from app folder:
Step 3: Analyze app data
App files recovered from Any.do iOS app:
Pointers to keep in mind during forensic analysis
● SQLite databases, plist, and XML files are common: find your favorite viewers
● When searching for data in large files, command-line tools are best: try grep
● Look for data stored as common hashes/encodings (base64, MD5, SHA-256, etc.)
● iOS apps use the “Cache.db” file, which often contains large amounts of data
● Don’t limit yourself: explore storage locations beyond those discussed today!
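As an added example (not from these slides or from NowSecure's tooling), the triage script below applies the pointers above to the folder pulled in Step 3 of either the Android or the iOS walkthrough: it identifies SQLite, plist and XML files by magic bytes rather than extension, walks every table of each SQLite database read-only, and flags credential keywords, MD5/SHA-256-length hex strings and base64-looking blobs. The sample files it builds are constructed stand-ins, not data recovered from any real app, and the pattern names and the "pin_hash" key are assumptions.

```python
import re, sqlite3, tempfile
from pathlib import Path

# Magic bytes for the file types the slides call out as common; classify() trusts these, not extensions.
MAGIC = {b"SQLite format 3\x00": "sqlite", b"bplist00": "plist", b"<?xml": "xml"}
# Indicators worth a second look: credential keywords, md5/sha256-length hex, base64 blobs (assumed names).
PATTERNS = {
    "keyword": re.compile(r"(?i)\b(pass(word)?|pin|token|secret|api[_-]?key)\b"),
    "hex_digest": re.compile(r"\b([0-9a-f]{32}|[0-9a-f]{64})\b"),
    "base64": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/])"),
}

def classify(path):
    with open(path, "rb") as f:
        head = f.read(16)
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), "other")

def scan_text(text):
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def scan_sqlite(path):
    """Scan every row as 'column=value' so a column named 'password' counts as context."""
    hits = set()
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter evidence
    for (table,) in list(con.execute("SELECT name FROM sqlite_master WHERE type='table'")):
        cur = con.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            hits.update(f"{table}.{c}: {i}" for c, v in zip(cols, row) for i in scan_text(f"{c}={v}"))
    con.close()
    return sorted(hits)

def triage(root):
    """Return {relative path: (file type, indicators)} for every recovered file under root."""
    report = {}
    for p in sorted(x for x in Path(root).rglob("*") if x.is_file()):
        kind = classify(p)
        found = scan_sqlite(p) if kind == "sqlite" else scan_text(p.read_bytes().decode("utf-8", "ignore"))
        report[str(p.relative_to(root))] = (kind, found)
    return report

def demo():
    """Constructed sample standing in for a pulled app folder; not data from any real app."""
    root = tempfile.mkdtemp()
    with sqlite3.connect(Path(root, "accounts.db")) as con:
        con.execute("CREATE TABLE users (email TEXT, password TEXT, session TEXT)")
        con.execute("INSERT INTO users VALUES (?, ?, ?)",
                    ("user@example.com", "Summer2016!", "c2Vzc2lvbi10b2tlbi0xMjM0NTY3ODkw"))
    Path(root, "prefs.xml").write_text('<?xml version="1.0"?><map><string name="pin_hash">'
                                       "5f4dcc3b5aa765d61d8327deb882cf99</string></map>")
    return triage(root)
```

Point triage() at the directory produced by adb pull or scp instead of demo()'s temp folder; every hit still needs a human to judge the data's sensitivity and the likelihood of exploit before it becomes a finding.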
Create a checklist and document your process
Assign responsibility for various test coverage areas
Select the right tools to find/test for insecure data storage
Look for data in common areas (but don’t limit yourself)
If data is found, determine its value and the risk
Episode II
RETURN OF THE NETWORK/BACK-END
Next Thursday, December 15, 1 p.m. CST / 11 a.m. PST
REGISTER NOW: http://bit.ly/2g7ZRXd
Let’s talk
NowSecure | +1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5 - a digest of the week’s mobile news that matters - http://mobsec5.nowsecure.com/