RISKWARE BETRAYER
WHO IS THE BIGGEST ONE?
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
INTRO: RISKY MOBILE APPS
• Mobile applications store data locally and transfer it over networks (at least)
• Data is not only binary protected or non-protected; the quality of protection matters
• Reverse engineering gives an answer to how it works and how it is protected (slowly)
• Pentesting the data protection gives an answer to ‘what happened’ and ‘why’ (faster)
• Developers never tell and never admit they fail, but they do
• Privacy Policy might be pure, highly detailed, or even misleading
• One app being risky with quite bad data protection – OK
• One risky app among several dozen apps is a betrayer that leads to leaks – not OK
OWASP MOBILE PAST vs. NOW
Top 10 Mobile Risks 2012-2013
• M1: Insecure Data Storage
• M2: Weak Server Side Controls
• M3: Insufficient Transport Layer Protection
• M4: Client Side Injection
• M5: Poor Authorization and Authentication
• M6: Improper Session Handling
• M7: Security Decisions Via Untrusted Inputs
• M8: Side Channel Data Leakage
• M9: Broken Cryptography
• M10: Sensitive Information Disclosure
Top 10 Mobile Risks 2014-2015
• M1: Weak Server Side Controls
• M2: Insecure Data Storage
• M3: Insufficient Transport Layer Protection
• M4: Unintended Data Leakage
• M5: Poor Authorization and Authentication
• M6: Broken Cryptography
• M7: Client Side Injection
• M8: Security Decisions Via Untrusted Inputs
• M9: Improper Session Handling
• M10: Lack of Binary Protections
Top 10 Mobile Risks 2016
• M1: Improper Platform Usage
• M2: Insecure Data Storage
• M3: Insecure Communication
• M4: Insecure Authentication
• M5: Insufficient Cryptography
• M6: Insecure Authorization
• M7: Client Code Quality
• M8: Code Tampering
• M9: Reverse Engineering
• M10: Extraneous Functionality
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
(Diagram labels: Code Protection; Code Protection & Dev fails; Data Protection & Dev fails)
VULNERABILITIES IN DATA PROTECTION. EXCERPTS
Sensitive data leakage [CWE-200]
• Sensitive data leakage can be either inadvertent or via a side channel
• Protection can be poorly implemented, exposing it:
Location; Owner ID info: name, number, device ID; Authentication credentials & tokens
Target App Information is also sensitive (out of scope of CWE-200)
Unsafe sensitive data storage [CWE-312]
• Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off the file system, especially on removable disks like a micro SD card or in public folders (out of scope of CWE-312), such as banking and payment system PIN numbers, credit card numbers, or online service passwords
• There’s no excuse for sandboxing without encryption here
Unsafe sensitive data transmission [CWE-319]
• Data must be encrypted in transmission lest it be eavesdropped by attackers, e.g. on public Wi-Fi
• If an app implements SSL, it could fall victim to a downgrade attack degrading HTTPS to HTTP
• Another way SSL could be compromised is if the app does not fail on invalid certificates
• There’s no excuse for partial SSL validation here
SOLUTIONS

Vulnerability databases
Security scanners
Forensics software
Privacy Policy
SOLUTIONS. VULNERABILITY DBs
CVE, CWE, CVSS, NVD, and so on…
Put 100 vulns into the report – be ready to prove it works
Vulnerabilities are everywhere
SOLUTIONS. SECURITY SCANNERS
Incorporated into EMM, MDM, MAM solutions
Pure and highly detailed at the same time
Based mainly on auto-scanners
Based on the idea
API/System Calls → Data Item
That ≠ any information about how the data is protected
• Built like a checklist: ‘be up-to-date’
SOLUTIONS. FORENSICS SOFTWARE
Isn’t easy to adapt to your needs.
You still don’t know how well or badly the data was protected
But you know how much data can be extracted by these tools
Common features (example, Oxygen Software)
Social Networks. Extraction from Kate Mobile (30.1) from Android OS devices.
Messengers. Extraction from WhatsApp (2.16.1) including encrypted messages.
Messengers. Extraction from Skype (6.15.0.1162) from Blackberry 10 devices.
Business. Extraction from Yandex.Money (4.4.1) from iOS devices.
Messengers. Extraction from Telegram (3.7.0) from Android OS devices.
Messengers. Extraction from Viber (5.8.1) from iOS devices.
Social Networks. Extraction from LinkedIn (9.0.9) from iOS devices.
Social Networks. Extraction from Instagram (7.19.0) from Android OS devices.
http://www.oxygen-forensic.com/en/events/news
SOLUTIONS. PRIVACY POLICY
Privacy Policy is a ‘longread’ doc filled with scary buzzphrases like:
We request all permissions & information we need
Do not guarantee the confidentiality of information and data
Participant is obliged to observe safety measures & take care of security
• Under no circumstances be liable for business interruption, loss of business, or other data or information …
Certified by PCI DSS… and use SSL
Everything is 100% protected because of SSL
Keep yourself informed about security… by yourself
SOLUTIONS. SUMMARY
• Vuln. DBs make sense for known vulnerabilities. A vuln. scanner is like:
• 1st day: “Device is not checked yet! Check now! Congrats – 100% Secure”
• 2nd day: “Oops, device is 50% protected”. Wait for the developer’s update
• … 364th day: “Finally, updated. Now 86% protected”. Another app is bad. Wait for an update
• Security Scanner is mainly based on an app code scanner. Lack of useful details
• “This application has vulnerabilities”. See the section above (Vuln. DBs)
• “This application has HTTP”. It’s a bad app!
• “This application encrypts your traffic”. It’s a good app!
• “This application requests your Device ID, IMEI,… and ACCESS to the FILE SYSTEM”
• Very detailed about the device & lacking details about files? This is API → DATA
• “Device is jailbroken/rooted”. Don’t do that! Fix it!
• “Malware detected”. Remove it!
PANDA SM MANAGER IOS APP - MITM SSL CERTIFICATE VULNERABILITY
• "Panda Systems Management is the new way to manage and monitor IT systems."
Issue
The Panda SM Manager iOS application (version 2.0.10 and below) does not validate the SSL certificate it receives when connecting to a secure site.
http://osdir.com/ml/bugtraq.security/2016-03/msg00018.html
Impact
An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge.
Solution
Upgrade to version 2.6.0 or later
• Timeline
July 19, 2015 - Notified Panda Security via security@xxxx, e-mail bounced
July 20, 2015 - Resent vulnerability report to corporatesupport@xxxx & security@xxxx
July 20, 2015 - Panda Security responded stating they will investigate
July 31, 2015 - Asked for an update on their investigation
August 3, 2015 - Panda Security responded stating that the issue has been escalated and is still being reviewed
August 14, 2015 - Asked for an update on their investigation
October 16, 2015 - Asked for an update on their investigation
March 1, 2016 - Panda Security released version 2.6.0 which resolves this vulnerability
IT TOOK 6 MINOR RELEASES & 8 MONTHS TO FIX THE ‘MITM’ ISSUE
WHAT ANSWERS ARE WE LOOKING FOR?
What questions are usually asked by customers when they see a security report?
Which security holes are important and may lead to leakage?
What data may leak through a particular hole?
Do updates help? And when will it be fixed?
At a customer level:
Does an app need access to emails in the address book, or just handles & display names?
Does a browser process need access to the home directory, or just the downloads directory?
What does a media player need write access to?
Does any solution answer any of these questions? Not really.
UPDATES DON’T WORK!
MOBOMARKET (ANDROID APP STORE), BEST ONE IN CHINA & INDIA
o App v2
o SSL worked but MITM was possible (preinstalled cert?)
o Privacy Policy
“We encrypt our services and data transmission using SSL”
“You’re responsible for privacy”. Just do it yourself
On March, 2016
Slide #48, http://goo.gl/wPfmgM
o App v3
o Everything is in plaintext over HTTP, even app installers (APK)
o Privacy Policy
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information & data stored on Site
Official Website http://goo.gl/FYOXjE
UPDATES DON’T WORK!
eFax – weird SSL Pinning; Evernote – downgraded from Pinning
o Before Summer/Autumn 2016
eFax: Media Data (faxes) are PINNED, but Media URLs of faxes, Credentials & the rest of the data are MITMed (Cert)
Evernote: Everything is PINNED, except Social credentials of LinkedIn
Locally stored data: Accessible via iTunes incl. all DBs
o Since Autumn 2016
eFax: MITM with preinstalled/crafted/stolen CERT applies to all data items
Evernote: Everything is MITMed with preinstalled/crafted/stolen CERT
Location data is not protected
Documents & Location Info: GEO Data & Address Data
COMPLEX DATA LEAKAGE
Don’t trust email applications?
Signed up for an account on popular services and got a confirmation email?
Here we go!
UPDATES. IT WORKS!
OS updates / Vendors (Apple, Google, Asus, HTC,…)
App updates
Updates fix the issues sometimes
But keep an eye on the vendor’s activity
VKONTAKTE – iPHONE, iPAD, ANDROID
VK for iPhone/Android
• On-the-fly MITM (no preinstalled cert needed)
• HTTPS was turned off by default; everything except credentials was transferred over HTTP
• Updated in Autumn – now a preinstalled cert is needed to MITM
VK for iPad
• On-the-fly MITM (no preinstalled cert needed), HTTPS was turned off by default
June 5th, 2016
VK DB records for just 1 Bitcoin (approx. US$580)
VK.com HACKED! 100 Million Clear Text Passwords Leaked Online
http://thehackernews.com/2016/06/vk-com-data-breach.html
Apple iMessage EXPOSES USER IP ADDRESS AND DEVICE DETAILS
• When the user opens iMessage to see the message, even if he never clicks the link and accesses it, iMessage would connect to the URL automatically, and retrieve the necessary preview data plus user's IP address, OS version, and device details.
• The preview & device data issue is not an iMessage-only issue.
• Weaker protection of previews, device data and media is also known for many mobile apps, even if the rest of the data is well protected
http://news.softpedia.com/news/apple-s-imessage-exposes-user-ip-address-and-device-details-to-spammers-508948.shtml
APP IN THE AIR
Flight manager & notification app:
• In-App, SMS, stats, history, and so on
Y2014: HTTP
• Simple notification app
Y2015+: HTTPS
• Fake/Crafted/Preinstalled certificate needed to perform MITM
INSTAGRAM: FROM INSECURITY TO INSECURITY THROUGH THE SECURITY
Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted.
Users can add or may have Metadata added including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data.
It becomes searchable by metadata if the photo is made public
Details: (1) https://goo.gl/1IxKUg (2) https://goo.gl/LPh07C
INSTAGRAM: FROM INSECURITY TO INSECURITY THROUGH THE SECURITY
• Media Data incl. Advertisement and Profile images
• Y2014: Media data transferred as is without protection and hosted on Amazon Storage Service (AWS S3)
• Y2015: Media data transferred over HTTPS and hosted on Amazon Storage Service (AWS S3); a crafted cert is needed to MITM
• Y2016: Media data transferred as is without protection and hosted on Instagram’s own storage
PureVPN iOS V.1.0.2 / PureVPN ANDROID V.5.4.0
Account Information: Account Details, Settings 'n' Configs, Credentials IDs+Passwords, Account Media, Tracked/Favorites
Analytics 'n' Ads Information: Analytics Configs, Device Data, Environment
Application Information: Application Certificates 'n' Profile + Configs, Credentials (IDs+Passwords+Tokens)
Device Information: Device Data, but network data is available via a preinstalled certificate
Location 'n' Maps Information: GEO & Address Data
VPN Information: Application Configs
iOS app’s data items are protected by SSL pinning; the Android app’s data items are MITMed with a preinstalled certificate
CYBERGHOST iOS V.6.4 / CYBERGHOST ANDROID V.5.5.1.7
Account Information: Account & License Details
Analytics 'n' Ads Information
Application Information: Application Certificates 'n' Profile
Browser Information: Credentials IDs, Password, Tokens
Account & License Details, GEO Data, Environment, Application Config
Credentials Information: Credentials (IDs, Tokens, Access IDs, App Passwords, PreShared Secret)
Device Information: Environment & Network Details
Location 'n' Maps Information: GEO Data & Address Data
Log Information (supposed to be logs) – out of backup files, jailbreak/root required: Log Data, Credentials IDs, Tokens, Access IDs, App Passwords, PreShared Secret; GEO Data & Address Data, Account Details & License Details, Network Details
License information, credentials, app passwords and settings can be MITMed with a crafted/stolen/installed certificate
iOS vs. ANDROID: CINEMAGIA
3.9.3 vs. 5.0.9 – Sept 2016
• iOS – MITM with preinstalled cert
Account Info, Booking 'n' Purchases Info, Credentials Info, Device Info, Location 'n' Maps Info, Payment 'n' Transaction Info, Social Info
• Android – Mainly w/o protection
Account Info, Booking 'n' Purchases Info, Credentials Info, Device Information, Location 'n' Maps Info, Payment 'n' Transaction Info, Social Info
GHOST PROJECTS: MOBILE APPS ALIVE, BUT NO CHANGES SINCE MAY Y2014
ALTERGEO iOS 4.6 / Android 3.13
Account Information: Account Details, GEO & Address Data
Contact Information: Profile, Social, GEO, Stream, Place Details, Media URLs
Analytics 'n' Ads Information: Device Data & Environment
Browser Information: Credentials IDs, Passwords, Tokens
Credentials Information: Credentials IDs, Passwords, Tokens
Location Info: Messages, GEO & Address Data, Place Details, Media Data
Loyalty Information: GEO & Address Data + Place Details
Media Information: Place Details
Social Information: Media Data, Stream, Place Details + GEO Data
Out of backup file (rest is in backup)
Account Information: Address Data
Contact Information: Media Data
Location Info: GEO & Address Data, Place Details, Media Data
AlterGeo is a Russian clone of Foursquare & Swarm; nothing is protected except the browser log-in, but not the in-app login
WEIRD PROJECTS: WEATHER STREET STYLE 1.8.6 (ANDROID ONLY)
Account Information
Account & Media Data
Address Data, Account Settings
Credentials Information
Credentials IDs + Passwords
Activation IDs + Tokens
Device Information:
Device Details
Location 'n' Maps Information:
GEO Data, GEO Snapshots
Social Information:
Contact Profile, Media Data, Messages
Weather Information:
Weather Data
Weather Street Style is an app that shows what people are wearing at the moment in different countries. Everything is in plaintext
IHG & MARRIOTT APPS
WHEN ENCRYPTION DOESN’T MATTER
Everything is MITMed with a crafted / stolen / preinstalled certificate
Account, Analytics, Application Info, Booking, Credentials, Device Information, Financial Information, Location, Log, Loyalty, Media, Payment 'n' Transaction, Personal 'n' Private and Travel Information
Encrypted Credentials Information: Passwords - IHG only
Doesn’t make sense if it’s the only way to gain access to the user account
Makes sense if it’s data stored locally, even if it’s out of backup
Limited access by time (no longer than 180 days)
Booking 'n' Purchases Information: Orders & Reservation History
FLOW & IFTTT
ABSOLUTE POWER OVER YOUR ACCOUNTS
In this research over 8K data items were found
30 unique data groups
105 unique data items
462 unique pairs of data group & data item
In each of Flow and IFTTT were found
15 unique data groups out of all 30 = 50%
52 unique data items out of all 105 = 50%
~150 unique pairs of data group & data item out of all 462 = 30%
Everything is MITMed with a crafted / stolen / preinstalled certificate
Account, Analytics, Browser, Credentials, Device Info, Events, Location, Media, Message, News, Social, Storage Info, Tasks, Weather, Workflow
Data includes everything needed for direct access, such as credentials/tokens, and the data itself from linked services, such as Dropbox, or mobile device GEO/network lists
IFTTT & Flow are two apps to automate any kind of activity with social networks or IoT
WECHAT
HOW TO FAIL BEING AWESOME
Awesomely protected (many security fails fixed by now), encrypted, own protocol:
Account Information: Account Settings 'n' Configs
Address Book 'n' Contact Information: Contact Profile
Application Information: Application Configs
Location 'n' Maps Information: GEO Data
Message Information: Media Data, vCard, Messages, Short Profile
But Location data is still out of protection
Location 'n' Maps Information: Contact Media
Message Information: GEO & Address Data, GEO Snapshots, Place Details
Many Chinese apps might lack protection or be overloaded with their own protocols and encryption of data and code
FACEBOOK & MESSENGER.
DUPLICATE DATA, PREVIEW AND LOCATION FAILS
Application Information
Log Data
Credentials (Passwords)
Credentials (App Passwords)
Transaction History
Contact Short Profile
Credentials (IDs)
Card Full Information
Card Short Information
Credentials (Tokens)
Browser Information
Preview
Message Information
GEO Data
GEO Snapshots
https://m.facebook.com/password/change/?refid=70
EMAIL APPS – MESSAGES MIGHT BE PROTECTED
Gmail – N#4, L#0 Account data & media URLs, Settings + profile, Rest L#6
Yandex.Mail – Messages N#6, rest N#4, App Configs & Account settings – L#0, Rest L#6
MailTime – Message & Sender Info – N#7, Rest N#4 (iOS) or N#6 (Android), L#0
Mail.Ru – N#4, L#6 – Creds, Message Attachs & Sender Info, rest L#0
MyMail – N#4, L#6 – Creds, Message Attachs & Sender Info, rest L#0
YahooMail – N#4, L#6 – Creds, AddressBook & Media, Log & App Events
Newton Mail (prev. CloudMagic) – N#4, L#0 – Creds & Device Data, rest L#6
MS Outlook – Credentials – N#4, rest N#7, Attach & Sync Docs – L#6, rest L#0
Alto – N#4, Creds - Config, Analytics, Logs, Creds, Attachs – L#6, rest L#0
N#7 - Non-standard protocol
N#6 - Pinned cert
N#4 - Intercept/MITM with preinstalled/crafted cert
N#2 – MITM on fly without preinstalled trusted cert
L#6 – out of backup file
L#0 – in backup
TAXI APPS – EVEN PAYMENTS MIGHT NOT BE PROTECTED
Meridian – Social Account, Geo & Creds N#4, rest N#0, L#0
Taxi 777 – Device & Environment Analytics N#4, rest N#0, L#0
Fixtaxi (Aerotaxi) – N#0, L#0
Gett (Gettaxi) – N#4, L#0
CleverTaxi – N#4, L#0
CrisTaxi – Social Account, Geo & Creds N#4, rest N#0, L#0
YandexTaxi – Activation Code N#6, Creds, Geo & Address - N#5, rest – Bank Card, Orders, Favorites N#4, L#0
N#6 - Pinned cert
N#5 – same as N#4 but pinning inform about weird cert
N#4 - Intercept/MITM with preinstalled/crafted cert
N#0 – No Protection
L#6 – out of backup file
L#0 – in backup
WALLET APPS – PROTECT SYNC DATA ONLY
NS Wallet (any edition) – Device Data N#4, In-App iOS Payment N#6, Creds Sync Data L#8, rest L#0
EnPass – Creds Sync Data N#8, rest incl. Creds N#4, Creds Sync Data L#8, rest L#0
Dashlane – Creds Sync Data N#8, rest incl. Creds, app config, logs… N#4, Creds Sync Data L#8, rest L#0
LastPass – Creds Sync Data N#8, rest incl. Creds, app config, device info… N#4, Creds Sync Data L#8, rest L#0
Sticky Password – Creds Sync Data N#8, rest incl. Creds, License Details N#4, Creds Sync Data L#8, rest L#0
1Password – Creds Sync Data N#8, rest incl. Creds, app config, device info… N#4, Creds Sync Data L#8, rest L#0
N#8 – Encrypted
N#6 - Pinned cert
N#4 - Intercept/MITM with preinstalled/crafted cert
L#8 – out of backup file
L#6 – out of backup file
L#0 – in backup
MEDIA AND LOCATION LEAKS. NO PROTECTION
Data items:
• Account Data
• Address Data
• Contact Media
• GEO Data
• GEO Snapshots
• Maps Data
• Media Data
• Messages (Comment on
• Personalization
• Place Details
• Tracked Data 'n' Favourites
Apps:
• AlterGeo
• Aviasales
• Booking.com
• Cris Taxi Bucuresti
• Evernote
• Fixtaxi (Aerotaxi)
• Foursquare
• Instagram
• Marriott
• Meridian Taxi
• momondo
• Plazius
• Skyscanner
• Taxi 777
• Velobike
• VK for iPad
• Weather Street Style
• WeChat
SENSITIVE DATA. NO PROTECTION
Apps:
• Aeroexpress
• AlterGeo
• Anywayanyday
• AppCompass
• Aviasales
• Booking.com
• British Airways
• Cinemagia
• Cris Taxi Bucuresti
• Evernote
• Facebook Messenger
• Fixtaxi (Aerotaxi)
• Flipboard
• Fly Delta
• Foursquare
• IHG
• Instagram
• KliChat
• Lookout
• Marriott
• Meridian Taxi
• Microsoft Office
• momondo
• OK Messages
• Pinterest
• Plazius
• Skyscanner
• Swarm
• Taxi 777
• Velobike
• VK
• Weather Street Style
• WeChat
Data items:
• Account Details
• Account Settings 'n' Configs
• Address Data
• Application Configs
• Card Full Information
• Contact GEO, Media, Profile
• Credentials (IDs, Passwords, Tokens)
• Device Details, Environment
• Messages
• Orders & Reservation
• Passport Data (Short)
• Personalization
• Place Details
• Preview
• Stream
• Tracked Data 'n' Favourites
• Travel Details
UNTRUSTED PLACES
• Untrusted charging places.
• When you connect your device to them you will see a notification that you are plugged into a PC/Mac
• Or lost devices
• Untrusted network places.
• When you connect your device to them
• You will see nothing
• You will see a question about an untrusted certificate. You accept or decline it
• Someone makes you install a trusted certificate
EXTRACTING LOCAL DATA. EXAMPLES
• Oxygen Forensic® Detective introduces offline maps and new physical approach for Samsung Android devices!
• The updated version offers a new physical method for Samsung Android OS devices via custom forensic recovery. This innovative approach allows to bypass screen lock and extract a full physical image of supported Samsung devices.
• http://www.oxygen-forensic.com/en/events/news/666-oxygen-forensic-detective-introduces-offline-maps-and-new-physical-approach-for-samsung-android-devices
SSL ISSUES: Apps, Mozilla, WoSign, Apple, Google
Applications handle SSL connections in different ways:
Some don’t validate the SSL certificate during the connection
Many trust the root SSL certificates installed on the device when validating SSL
Some have a pinned SSL certificate and trust only it
Trusting root certificates might not be a good idea (Mozilla reports):
Between 16th January 2015 and 5th March 2015, WoSign issued 1,132 SHA-1 certificates whose validity extended beyond 1st January 2017
Between 9th April 2015 and 14th April 2015, WoSign issued 392 certificates with duplicate serial numbers, across a handful of different serial numbers
It is important background information to know which WoSign roots are cross-signed by other trusted or previously-trusted roots (expired but still unrevoked)
Eventually Apple removes the SSL certificate from iOS, perhaps from iOS 10 only
https://support.apple.com/en-us/HT204132, https://support.apple.com/en-us/HT202858
https://threatpost.com/google-to-distrust-wosign-startcom-certs-in-2017/121709/
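The three certificate-handling behaviours listed above (no validation, trust the device root store, pinning), as an added Python example that is not code from the talk or from PrivacyMeter: a simplified path validation is run over constructed certificate chains to show which of the MITM setups described on these slides each behaviour lets through. The hostname, certificates, root stores and the WoSign distrust cutoff date are constructed assumptions; "none" corresponds to the Panda SM Manager case (and the slides' N#2), "roots" to N#4 and "pinned" to N#6.

```python
"""Three TLS certificate policies evaluated against constructed chains (added example)."""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the policies use."""
    subject: str
    issuer: str
    not_before: date
    not_after: date
    der: bytes  # constructed bytes standing in for the real DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def chain_valid(chain, root_store, today, distrust_after=None):
    """Simplified path validation: every cert inside its validity window, each issuer
    equal to the next cert's subject, the last cert a self-signed root present in
    root_store, and no cert issued by a CA listed in distrust_after on/after its
    cutoff date (the WoSign situation cited on the slide)."""
    distrust_after = distrust_after or {}
    if not chain:
        return False
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return False
        cutoff = distrust_after.get(cert.issuer)
        if cutoff is not None and cert.not_before >= cutoff:
            return False
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False
    root = chain[-1]
    return root.is_self_signed() and root in root_store


def accept_server(policy, chain, root_store, pins=frozenset(), today=None, distrust_after=None):
    """True if an app using the given policy would complete the TLS handshake."""
    today = today or date(2016, 11, 1)  # constructed reference date
    if policy == "none":
        return True  # no validation at all: any certificate is accepted, even a self-signed one
    if policy == "roots":
        return chain_valid(chain, root_store, today, distrust_after)
    if policy == "pinned":
        return (chain_valid(chain, root_store, today, distrust_after)
                and chain[0].fingerprint() in pins)
    raise ValueError(f"unknown policy {policy!r}")


# --- constructed scenario (all names, dates and bytes are made up for this example) ---
SYSTEM_ROOT = Cert("Example Root CA", "Example Root CA", date(2010, 1, 1), date(2030, 1, 1), b"example-root")
WOSIGN_ROOT = Cert("WoSign Root CA", "WoSign Root CA", date(2009, 1, 1), date(2029, 1, 1), b"wosign-root")
PROXY_ROOT = Cert("Proxy Root", "Proxy Root", date(2016, 1, 1), date(2026, 1, 1), b"proxy-root")

HOST = "api.example.test"
LEGIT_CHAIN = [Cert(HOST, "Example Root CA", date(2016, 6, 1), date(2017, 6, 1), b"legit-leaf"), SYSTEM_ROOT]
PROXY_CHAIN = [Cert(HOST, "Proxy Root", date(2016, 10, 1), date(2017, 10, 1), b"proxy-leaf"), PROXY_ROOT]
BOGUS_CHAIN = [Cert(HOST, HOST, date(2016, 10, 1), date(2017, 10, 1), b"bogus-leaf")]
LATE_WOSIGN_CHAIN = [Cert(HOST, "WoSign Root CA", date(2016, 10, 25), date(2017, 10, 25), b"wosign-leaf"), WOSIGN_ROOT]

SYSTEM_STORE = frozenset({SYSTEM_ROOT, WOSIGN_ROOT})  # roots shipped with the OS
DEVICE_STORE = SYSTEM_STORE | {PROXY_ROOT}            # plus a root the user was made to install
PINS = frozenset({LEGIT_CHAIN[0].fingerprint()})      # what a pinning app would ship with
DISTRUST = {"WoSign Root CA": date(2016, 10, 21)}     # assumed cutoff, for illustration only


def matrix(distrust_after=None):
    """(policy, scenario) -> accepted?  Shows which setups each policy lets through."""
    scenarios = {"legit": LEGIT_CHAIN, "proxy": PROXY_CHAIN,
                 "bogus": BOGUS_CHAIN, "late_wosign": LATE_WOSIGN_CHAIN}
    return {(p, s): accept_server(p, c, DEVICE_STORE, PINS, distrust_after=distrust_after)
            for p in ("none", "roots", "pinned") for s, c in scenarios.items()}


if __name__ == "__main__":
    for (policy, scenario), ok in matrix(DISTRUST).items():
        print(f"{policy:7} {scenario:12} {'ACCEPT' if ok else 'reject'}")
```

The "proxy" row is the slides' preinstalled-certificate MITM: it passes root-store validation on the device but not pinning, and it fails as soon as the user-installed root is absent from the store.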
DATA PROTECTION CONCEPTS (DPC)
Many of them are known, some were renamed, but there are still 3:
Data-at-Rest (DAR)
Locally stored data on internal or external storage. Data might be divided into several parts: full data, backup data, and containerized data
Data-in-Transit (DIT)
Data transmitted over the Internet and the local wireless network (as part of a solid internet connection), and limited to it
Data-in-Use (DIU)
Refers to data operated on in internal memory (not storage) and in application code, like hardcoded values
IMPLEMENTATION OF DPC. DATA-AT-REST
iOS
• No special tools for viewing various data types
• No root needed to gain access to backup data
• No root needed to gain access to internal storage, to the application data folder (works only for iOS older than 8.3) CVE-2015-1087
• Root needed to gain access to internal storage, to the keychain folder
• Root needed to gain access to internal storage, to the application data folder (iOS 8.3 and higher)
• Root needed to gain access to internal storage in general
Android
• No special tools for viewing various data types
• Root needed to gain access to internal storage.
• No root needed to gain access to external storage, public folders or backup data
• Unlocking a locked bootloader wipes all data on several devices, e.g. HTC
• A non-locked or unlocked bootloader might give an opportunity to root a device, grab data or install a malicious application and de-root it back, e.g. Samsung, LG (details, news: http://www.oxygen-forensic.com/en/events/news)
IMPLEMENTATION OF DPC. DATA-IN-TRANSIT
Do not require root for cases such as
o non-protected traffic,
o no SSL validation beyond the centralized list of certificates,
o MITM possible with a fake/crafted/stolen SSL certificate installed as trusted
Require root for cases such as
o SSL pinning, to bypass it automatically or manually
o the rest of the cases that directly impact app code and mix with DIU
• App-level proxy is an alternative internet access
• OS-level proxy: no app-level alternative tunnels
QUANTIFICATION SECURITY LEVELS. DAR
Level | iOS | Android
Non-Protected | Protection N/A or jailbroken iOS | Protection N/A, rooted, public folders, SD cards
Encode Protected | Encoded data (zlib, base64, etc.) | Encoded data (zlib, base64, etc.)
Weak Protected | App data access w/o jailbreak, iOS <8.3 | Not defined
Obesity Protected | Not defined | Not defined
Medium Protected | Data available via sharing, such as iTunes | Not defined
Interim Protected | Access limited by time, e.g. cache folders | Access limited by time, e.g. cache folders
Good Protected | Not defined | Sandbox; root/unlocking does not wipe data
Strong Protected | Sandboxed data; jailbreak needed & wipes data | Sandboxed data; root needed & wipes data
Extra Protected | No public tools for a jailbreak available | No public tools for a jailbreak available
Best Protected | Not defined | Not defined
QUANTIFICATION SECURITY LEVELS. DIT
Level | iOS | Android
Non-Protected | Protection N/A, jailbroken, crafted certificate | Protection N/A, rooted, crafted certificate
Encode Protected | Encoded data (zlib, base64, etc.) | Encoded data (zlib, base64, etc.)
Weak Protected | Stolen or expired certificates | Stolen or expired certificates
Obesity Protected | Not defined | Not defined
Medium Protected | Basic feature of SSL validation of certificates | Basic feature of SSL validation of certificates
Interim Protected | Not defined | App-level proxy/tunnel for internet
Good Protected | Not defined | Not defined
Strong Protected | Not defined | Not defined
Extra Protected | System and/or user VPN | System and/or user VPN
Best Protected | Not defined | Not defined
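A parser for the per-app result lines in the N#/L# notation used on the email, taxi and wallet slides, as an added Python example that is not the talk's or PrivacyMeter's code: it maps each data item's code through the legend given with those slides, reports each app's worst data-in-transit and data-at-rest level, and lists the plaintext and in-backup items. The sample lines are copied from the taxi and wallet slides; treating every "rest …" label as the remainder of the app's data and averaging the worst levels are my assumptions.

```python
"""Parse "App – items N#x, rest N#y, L#z" result lines from the slides (added example)."""
import re
from dataclasses import dataclass, field
from statistics import mean

# Legend as given on the slides: N = network (data-in-transit), L = local (data-at-rest)
N_LEGEND = {
    0: "no protection",
    2: "MITM on the fly, no preinstalled cert needed",
    4: "intercept/MITM with preinstalled/crafted cert",
    5: "as N#4, but pinning reports a weird cert",
    6: "pinned cert",
    7: "non-standard protocol",
    8: "encrypted",
}
L_LEGEND = {0: "in backup", 6: "out of backup file", 8: "out of backup file"}

# "<label> N#4," / "<label> - L#0" / bare "L#0"; a label may contain commas and an en dash
CODE_RE = re.compile(r"\s*([^#]*?)\s*[-–]?\s*([NL])#(\d)\s*,?")


@dataclass
class AppResult:
    app: str
    transit: dict = field(default_factory=dict)  # data item label -> N level
    rest: dict = field(default_factory=dict)     # data item label -> L level

    def worst(self, kind):
        levels = self.transit if kind == "N" else self.rest
        return min(levels.values()) if levels else None


def parse_line(line):
    """Split 'App – codes' and collect one level per labelled data item."""
    app, remainder = re.split(r"\s+[-–]\s+", line.strip(), maxsplit=1)
    result = AppResult(app)
    for m in CODE_RE.finditer(remainder):
        label, kind, level = m.group(1).strip(" ,"), m.group(2), int(m.group(3))
        if label == "" or label.lower().startswith("rest"):
            label = "rest"  # "rest", "rest incl. Creds", "rest – Bank Card, ..." all mean the remainder
        (result.transit if kind == "N" else result.rest)[label] = level
    return result


def findings(result):
    """Plain-language findings: items interceptable without an installed cert, items in backup."""
    out = []
    for item, lvl in result.transit.items():
        if lvl <= 2:
            out.append(f"{item}: {N_LEGEND[lvl]} in transit")
    for item, lvl in result.rest.items():
        if lvl == 0:
            out.append(f"{item}: {L_LEGEND[lvl]} (readable from a device backup)")
    return out


def summarize(lines):
    """Rows (app, worst N, worst L) sorted worst-first, plus the average worst N level."""
    results = [parse_line(line) for line in lines]
    rows = sorted(((r.app, r.worst("N"), r.worst("L")) for r in results),
                  key=lambda r: (r[1], r[2]))
    return rows, mean(r.worst("N") for r in results)


# Sample lines copied from the taxi and wallet slides (wrapped lines joined)
SAMPLE = [
    "Meridian – Social Account, Geo & Creds N#4, rest N#0, L#0",
    "Gett (Gettaxi) – N#4, L#0",
    "YandexTaxi – Activation Code N#6, Creds, Geo & Address - N#5, rest – Bank Card, Orders, Favorites N#4, L#0",
    "EnPass – Creds Sync Data N#8, rest incl. Creds N#4, Creds Sync Data L#8, rest L#0",
]

if __name__ == "__main__":
    rows, avg = summarize(SAMPLE)
    for app, n, l in rows:
        print(f"{app:12} worst N#{n} ({N_LEGEND[n]}), worst L#{l} ({L_LEGEND[l]})")
    print(f"average worst transit level: {avg:.2f}")
    for line in findings(parse_line(SAMPLE[0])):
        print(" -", line)
```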
LIST OF SOFTWARE RELATED TO SECURITY CHECKS
(Table: tool class per protection level, from Non-Protected through Best Protected plus Encode Protected, with cost ranges)
Tool classes: File Viewers; Online services & tools for calculations; Network Debug & Pentest (Debuggers, Disassemblers, Decompilers, activity tracers, and pentest frameworks); File & Device Access (Forensics & special pentest solutions); No tools
Cost ranges: free or paid, $100-300 or less; free or paid, Home ~$100 / Enterprise $300+; $5-10k+, lightweight $100-1k; no tools if no data is available
SOLUTIONS: FOR DEVELOPERS
• Secure Mobile Development Guide by NowSecure
• Coding Practices
• Handling Sensitive Data
• iOS & Android Tips
• etc.
• https://books.nowsecure.com/secure-mobile-development/en/index.html
SOLUTIONS: DATA PROTECTION DBs
• We [as security experts] know what data is protected and not protected, whether it’s locally stored, transferred or hardcoded
• Also, we know two simple things
• not only users publish their data
• developers can’t protect data
• At the same time we’re customers, right?
• As a customer I prefer, and have a right, to know where devices shouldn’t be connected to a network or plugged into a PC/Mac.
• Developers aren’t going to tell me if they fail. Instead they’re telling me ‘everything is OK but they're not responsible for anything’
SOLUTIONS: DATA PROTECTION DBs
• The goal is providing a solution that helps to keep ‘everyone’ informed about app security fails.
• Everyone means
• app users as well as app developers
• you don’t need to be an expert to understand how it affects you; you just know whether it has the required level of protection or not
• but you have to get used to the fact that your application operates on a lot of data, visible and not visible to you, beyond the blueberry muffins over the weekend
Vulnerabilities matter but have existed for over 40 years
A vulnerability is a defect/flaw in design, in the dev’s code or in third-party libraries
Lack of data protection is usually insecurity by design and implementation failures
Even OWASP now considers data protection a more important thing than vulnerabilities
Lack of data protection is described by 3 vulnerabilities:
sensitive data leakage, storage, transmission – CWE-200, CWE-312, CWE-319
PrivacyMeter gives answers about (at the moment)
list of apps and average values (Raw value, Environment value depending on OS)
list of app data items grouped by ‘protection levels/categories’
data item protection level and explanation
examination of the privacy policy in regards to the gained app results
Results are available on the web-site http://www.privacymeter.online/ see booklets (!)
Download the Autumn Report http://www.privacymeter.online/reports see booklets (!)
APPS FINDINGS. OVERALL RESULTS
250 apps = 135 iOS apps + 115 Android apps
8124 data items = 4287 (iOS) + 3837 (Android)
20+ application groups (17 unique groups)
30 data groups & 105 data items over 8K data items
462 unique pairs of data group & data item
News & Magazines
Productivity
Shopping
Social Networking
Tools & Utilities
Transportation
Travel & Local
Weather
Business
Communication
Entertainment
Finance
Food & Drink
Lifestyle
Photo & Video
Music
Navigation
DATA GROUPS' AVERAGE PROTECTION LEVEL. iOS VS. ANDROID
(Bar chart, scale 0.00 to 7.00, iOS vs. Android, for the data groups: Account Information; Address Book 'n' Contact Information; Analytics 'n' Ads Information; Application BaaS Information; Application Information; Booking 'n' Purchases Information; Bookmark Information; Browser Information; Call Information; Credentials Information; Device Information; Documents Information; Events Information; Financial Information; Location 'n' Maps Information; Log Information; Loyalty Information; Media Information; Message Information; News Information; Notification Information; Payment 'n' Transaction Information; Personal 'n' Private Information; Social Information; Storage Information; Tasks Information; Travel Information; Visa 'n' Passport Information; VPN Information; Weather Information; Workflow Information)
QUANTITY OF APPS PER EACH GROUP
Group | iOS | Android
Worst applications | 27.41% | 24.35%
Bad applications | 100.00% | 100.00%
Good applications | 97.04% | 30.43%
Best applications | 30.37% | 20.87%
WORST PROTECTED ITEMS OVER APPS
(Bar chart, scale 0 to 6: Env (iOS), Raw (iOS), Env (Android), Raw (Android))
WORST PROTECTED ITEMS OVER APPS
• Account Information: Account Details, GEO & Address
• Contact Information: GEO + Profile + Social + Media URLs + Place Details + Stream
• Analytics 'n' Ads Information: Device Data & Environment
• Credentials Information: Credentials IDs & Passwords
• Events Information: Stream
• Location 'n' Maps Information: GEO & Address, Media Data, Messages, Place Details
• Loyalty Information: Account Data, GEO & Address, Place Details
• Media Information: Place Details
Many applications reveal something in plaintext: 8 groups, 16 data items, 30 pairs of group + data item
WORST iOS AND ANDROID APPLICATIONS
(Bar chart, scale 0 to 3, Env/Raw values for iOS and Android: AppCompass, Cris Taxi Bucuresti, Fixtaxi (Aerotaxi), Meridian Taxi, Skyscanner, Taxi 777, Velobike)
GOOD iOS & ANDROID APPS
(Bar charts, scales 0 to 6 and 4.6 to 5.8, Env/Raw values for iOS and Android: Asana, British Airways, British Airways for iPad, Cloud Hub, Firefox, Google Trips, NS Wallet FREE, NS Wallet PRO, ParkSeason, Spaces, Trello)
DefCamp_2016_Chemerkin_Yury_--_publish.pdf
http://goo.gl/9WF2dC http://goo.gl/CT4nTT
RISKWARE BETRAYER. TWO POLLS
[ YURY CHEMERKIN ]
• MULTI-SKILLED SECURITY EXPERT
• EXPERIENCED IN:
• REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
• MOBILE SECURITY & CLOUD SECURITY
• IAM, COMPLIANCE, FORENSICS
• PARTICIPATION & SPEAKING AT MANY SECURITY CONFERENCES
RISKWARE BETRAYER
WHO IS THE BIGGEST ONE?
HOW TO CONTACT ME?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN
SEND A MAIL TO: YURY.S@CHEMERKIN.COM

DefCamp_2016_Chemerkin_Yury_--_publish.pdf

  • 4. VULNERABILITIES IN DATA PROTECTION. EXCERPTS
Sensitive data leakage [CWE-200]
 Sensitive data leakage can be either inadvertent or side channel
 Protection can be poorly implemented, exposing: Location; Owner ID info: name, number, device ID; Authentication credentials & tokens
Target App Information is also sensitive (out of scope of CWE-200)
Unsafe sensitive data storage [CWE-312]
 Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off the file system, especially on removable disks like a micro SD card or public folders (out of scope of CWE-312): banking and payment system PIN numbers, credit card numbers, or online service passwords
 There’s no excuse for sandboxing without encryption here
Unsafe sensitive data transmission [CWE-319]
 Data should be encrypted in transmission lest it be eavesdropped by attackers, e.g. on public Wi-Fi
 If an app implements SSL, it could fall victim to a downgrade attack degrading HTTPS to HTTP
 Another way SSL could be compromised is if the app does not fail on invalid certificates
 There’s no excuse for partial SSL validation here
  • 6. SOLUTIONS. VULNERABILITY DBs
CVE, CWE, CVSS, NVD, and so on…
Put 100 vulns into the report – be ready to prove it works
Vulnerabilities are everywhere
  • 7. SOLUTIONS. SECURITY SCANNERS
Incorporated into EMM, MDM, MAM solutions
Pure & highly detailed at the same time
Based mainly on auto-scanners
Based on the idea API/System Calls → Data Item
That ≠ any info on how it is protected
 Built like a checklist: ‘be up-to-date’
  • 8. SOLUTIONS. FORENSICS SOFTWARE
Isn’t easy to adapt to your needs. You still don’t know how well or badly it was protected
But you know how much data can be extracted by these tools
Common features (example, Oxygen Software):
Social Networks. Extraction from Kate Mobile (30.1) from Android OS devices.
Messengers. Extraction from WhatsApp (2.16.1) including encrypted messages.
Messengers. Extraction from Skype (6.15.0.1162) from Blackberry 10 devices.
Business. Extraction from Yandex.Money (4.4.1) from iOS devices.
Messengers. Extraction from Telegram (3.7.0) from Android OS devices.
Messengers. Extraction from Viber (5.8.1) from iOS devices.
Social Networks. Extraction from LinkedIn (9.0.9) from iOS devices.
Social Networks. Extraction from Instagram (7.19.0) from Android OS devices.
http://www.oxygen-forensic.com/en/events/news
  • 9. SOLUTIONS. PRIVACY POLICY
Privacy Policy is a ‘longread’ doc filled with scary buzzphrases like:
We request all permissions & information we need
Do not guarantee the confidentiality of information and data
Participant is obliged to observe safety measures & care security
 Under no circumstances be liable for business interruption, loss of business, or other data or information …
Certified by PCI DSS… and use SSL
Everything is 100% protected because of SSL
Keep yourself informed about security.. by yourself
  • 10. SOLUTIONS. SUMMARY
• Vuln. DBs make sense for known vulnerabilities. Vuln. Scanner is like
  • 1st day: “Device is not checked yet! Check now! Congrats – 100% Secure”
  • 2nd day: “Oops, device is 50% protected”. Wait for developer’s update
  • … 364th day: “Finally, updated. Now 86% protected”. Another app is bad. Wait for update
• Security Scanner is mainly based on an app code scanner. Lack of useful details
  • “This application has vulnerabilities”. See the section above (Vuln. DBs)
  • “This application has HTTP”. It’s a bad app!
  • “This application encrypts your traffic”. It’s a good app!
  • “This application requests your Device ID, IMEI,… and ACCESS to FILE SYSTEM”
  • Very detailed about the device & lack of details about files? This is API → Data
  • “Device is jailbroken/rooted”. Don’t do that! Fix it!
  • “Malware detected”. Remove it!
  • 11. PANDA SM MANAGER IOS APP - MITM SSL CERTIFICATE VULNERABILITY
 "Panda Systems Management is the new way to manage and monitor IT systems."
Issue: The Panda SM Manager iOS application (version 2.0.10 and below) does not validate the SSL certificate it receives when connecting to a secure site.
http://osdir.com/ml/bugtraq.security/2016-03/msg00018.html
Impact: An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge.
Solution: Upgrade to version 2.6.0 or later
 Timeline
July 19, 2015 - Notified Panda Security via security@xxxx, e-mail bounced
July 20, 2015 - Resent vulnerability report to corporatesupport@xxxx & security@xxxx
July 20, 2015 - Panda Security responded stating they will investigate
July 31, 2015 - Asked for an update on their investigation
August 3, 2015 - Panda Security responded stating that the issue has been escalated and is still being reviewed
August 14, 2015 - Asked for an update on their investigation
October 16, 2015 - Asked for an update on their investigation
March 1, 2016 - Panda Security released version 2.6.0 which resolves this vulnerability
IT TOOK 6 MINOR RELEASES & 8 MONTHS TO FIX THE ‘MITM’ ISSUE
  • 12. WHAT ANSWERS ARE WE LOOKING FOR?
What questions are usually asked by customers when they see a security report?
Which security holes are important and may lead to the leakage?
What data may leak through the particular hole?
Do updates help? And when will it be fixed?
At a customer level:
Does an app need access to the emails in the address book, or just handles & display names?
Does a browser process need access to the home directory, or just the downloads directory?
What does a media player need write access to?
Does any solution answer any of these questions? Not really.
  • 13. UPDATES DON’T WORK! o App v2 o SSL worked but MITM was possible (preinstalled cert?) o Privacy Policy “We encrypt our services and data transmission using SSL” “You’re responsible for privacy”. Just do it yourself On March, 2016 Slide #48, http://goo.gl/wPfmgM o App v3 o Everything is in plaintext by HTTP, even app installers (APK) o Privacy Policy We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information & data stored on Site Official Website http://goo.gl/FYOXjE MOBOMARKET (ANDROID APP STORE), BEST ONE IN CHINA & INDIA
  • 14. UPDATES DON'T WORK! eFax – WEIRD SSL PINNING; EVERNOTE – DOWNGRADED FROM PINNING
    • Before Summer/Autumn 2016
      • eFax: Media data (faxes) is PINNED, but the media URLs of faxes, credentials & the rest of the data are MITMed (cert)
      • Evernote: Everything is PINNED, except the social credentials of LinkedIn. Locally stored data is accessible via iTunes, incl. all DBs
    • Since Autumn 2016
      • eFax: MITM with preinstalled/crafted/stolen cert applies to all data items
      • Evernote: Everything is MITMed with preinstalled/crafted/stolen cert. Location data is not protected: Documents & Location Info (GEO data & address data)
  • 15. COMPLEX DATA LEAKAGE
    Don't trust email applications? Signed up for an account on popular services and got a confirmation email? Here we go!
  • 16. UPDATES. IT WORKS!
    • OS updates / vendors (Apple, Google, Asus, HTC, …)
    • App updates
    Updates fix the issues sometimes, but keep an eye on the vendor's activity.
  • 17. VKONTAKTE – iPHONE, iPAD, ANDROID
    VK for iPhone/Android
      • On-the-fly MITM (no preinstalled cert needed)
      • HTTPS was turned off by default; everything except credentials was transferred over HTTP
      • Updated in Autumn – now a preinstalled cert is needed to MITM
    VK for iPad
      • On-the-fly MITM (no preinstalled cert needed); HTTPS was turned off by default
    June 5th, 2016: VK DB records for just 1 Bitcoin (approx. US$580). "VK.com HACKED! 100 Million Clear Text Passwords Leaked Online" http://thehackernews.com/2016/06/vk-com-data-breach.html
  • 18. APPLE iMESSAGE EXPOSES USER IP ADDRESS AND DEVICE DETAILS
    • When the user opens iMessage to see the message, even if he never clicks the link and accesses it, iMessage would connect to the URL automatically and retrieve the necessary preview data, plus the user's IP address, OS version and device details.
    • The preview & device data issue is not an iMessage-only issue.
    • Weaker protection of preview, device data and media is a known issue for many mobile apps, even when the rest of the data is well protected.
    http://news.softpedia.com/news/apple-s-imessage-exposes-user-ip-address-and-device-details-to-spammers-508948.shtml
  • 19. APP IN THE AIR
    Flight manager & notification app: in-app, SMS, stats, history, and so on
      • Y2014: HTTP – simple notification app
      • Y2015+: HTTPS – fake/crafted/preinstalled certificate needed to perform MITM
  • 20. INSTAGRAM: FROM INSECURITY TO INSECURITY THROUGH THE SECURITY
    Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted. Users can add or may have Metadata added including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data.
    It becomes searchable by metadata if the photo is made public. Details: (1) https://goo.gl/1IxKUg, (2) https://goo.gl/LPh07C
  • 21. INSTAGRAM: FROM INSECURITY TO INSECURITY THROUGH THE SECURITY
    Media data, incl. advertisement and profile images:
      • Y2014: Media data transferred as is, without protection, and hosted on Amazon Storage Service (AWS S3)
      • Y2015: Media data transferred over HTTPS and hosted on Amazon Storage Service (AWS S3); a crafted cert is needed to MITM
      • Y2016: Media data transferred as is, without protection, and hosted on Instagram's own storage
  • 22. PureVPN iOS V.1.0.2 vs. PureVPN ANDROID V.5.4.0
    • Account Information: Account Details, Settings 'n' Configs, Credentials IDs+Passwords, Account Media, Tracked/Favorites
    • Analytics 'n' Ads Information: Analytics Configs, Device Data, Environment
    • Application Information: Application Certificates 'n' Profile + Configs, Credentials (IDs+Passwords+Tokens)
    • Device Information: Device Data, but network data is available with a preinstalled certificate
    • Location 'n' Maps Information: GEO & Address Data
    • VPN Information: Application Configs
    iOS app's data items are protected by SSL pinning; Android app's data items are MITMed with a preinstalled certificate
  • 23. CYBERGHOST iOS V.6.4 vs. CYBERGHOST ANDROID V.5.5.1.7
    • Account Information: Account & License Details
    • Analytics 'n' Ads Information
    • Application Information: Application Certificates 'n' Profile
    • Browser Information: Credentials IDs, Password, Tokens; Account & License Details, GEO Data, Environment, Application Config
    • Credentials Information: Credentials (IDs, Tokens, Access IDs, App Passwords, PreShared Secret)
    • Device Information: Environment & Network Details
    • Location 'n' Maps Information: GEO Data & Address Data
    • Log Information (supposed to be logs) – out of backup files, jailbreak/root required: Log Data, Credentials IDs, Tokens, Access IDs, App Passwords, PreShared Secret, GEO Data & Address Data, Account Details & License Details, Network Details
    License information, credentials, app passwords and settings can be MITMed with a crafted/stolen/installed certificate
  • 24. iOS vs. ANDROID: CINEMAGIA 3.9.3 vs. 5.0.9 – Sept 2016
    • iOS – MITM with preinstalled cert: Account Info, Booking 'n' Purchases Info, Credentials Info, Device Info, Location 'n' Maps Info, Payment 'n' Transaction Info, Social Info
    • Android – mainly w/o protection: Account Info, Booking 'n' Purchases Info, Credentials Info, Device Information, Location 'n' Maps Info, Payment 'n' Transaction Info, Social Info
  • 25. GHOST PROJECTS: MOBILE APPS ALIVE, BUT NO CHANGES SINCE MAY Y2014. ALTERGEO iOS 4.6 / ANDROID 3.13
    • Account Information: Account Details, GEO & Address Data
    • Contact Information: Profile, Social, GEO, Stream, Place Details, Media URLs
    • Analytics 'n' Ads Information: Device Data & Environment
    • Browser Information: Credentials IDs, Passwords, Tokens
    • Credentials Information: Credentials IDs, Passwords, Tokens
    • Location Info: Messages, GEO & Address Data, Place Details, Media Data
    • Loyalty Information: GEO & Address Data + Place Details
    • Media Information: Place Details
    • Social Information: Media Data, Stream, Place Details + GEO Data
    Out of the backup file (the rest is in the backup):
    • Account Information: Address Data
    • Contact Information: Media Data
    • Location Info: GEO & Address Data, Place Details, Media Data
    AlterGeo is a Russian clone of Foursquare & Swarm; nothing is protected except the browser log-in, but not the in-app login
  • 26. WEIRD PROJECTS: WEATHER STREET STYLE 1.8.6, ANDROID ONLY
    • Account Information: Account & Media Data, Address Data, Account Settings
    • Credentials Information: Credentials IDs + Passwords, Activation IDs + Tokens
    • Device Information: Device Details
    • Location 'n' Maps Information: GEO Data, GEO Snapshots
    • Social Information: Contact Profile, Media Data, Messages
    • Weather Information: Weather Data
    Weather Street Style is an app that shows what people are wearing at the moment in different countries. Everything is in plaintext
  • 27. IHG & MARRIOTT APPS: WHEN ENCRYPTION DOESN'T MATTER
    • Everything is MITMed with a crafted / stolen / preinstalled certificate: Account, Analytics, Application Info, Booking, Credentials, Device Information, Financial Information, Location, Log, Loyalty, Media, Payment 'n' Transaction, Personal 'n' Private and Travel Information
    • Encrypted Credentials Information: Passwords – IHG only
      • Doesn't make sense if it's the only way to give access to the user account
      • Makes sense if it's data stored locally, even if it's out of the backup
    • Limited access by time (no longer than 180 days): Booking 'n' Purchases Information: Orders & Reservation History
  • 28. FLOW & IFTTT: ABSOLUTE POWER OVER YOUR ACCOUNTS
    • In this research were found: over 8K data items; 30 unique data groups; 105 unique data items; 462 unique pairs of data group & data item
    • In each of the apps Flow and IFTTT were found: 15 unique data groups out of all 30 = 50%; 52 unique data items out of all 105 = 50%; ~150 unique pairs of data group & data item out of all 462 = 30%
    • Everything is MITMed with a crafted / stolen / preinstalled certificate: Account, Analytics, Browser, Credentials, Device Info, Events, Location, Media, Message, News, Social, Storage Info, Tasks, Weather, Workflow
    • The data includes everything needed for direct access, such as credentials/tokens, and the data itself from linked services, such as Dropbox, or mobile device GEO/network lists
    IFTTT & Flow are two apps to automate any kind of activity with social networks or IoT
  • 29. WECHAT: HOW TO FAIL WHILE BEING AWESOME
    Awesomely protected (many security fails fixed by now), encrypted, own protocol:
      • Account Information: Account Settings 'n' Configs
      • Address Book 'n' Contact Information: Contact Profile
      • Application Information: Application Configs
      • Location 'n' Maps Information: GEO Data
      • Message Information: Media Data, vCard, Messages, Short Profile
    But location data is still out of protection:
      • Location 'n' Maps Information: Contact Media
      • Message Information: GEO & Address Data, GEO Snapshots, Place Details
    Many Chinese apps might either lack protection or be overloaded with their own protocols and encryption of data and code
  • 30. FACEBOOK & MESSENGER. DUPLICATE DATA, PREVIEW AND LOCATION FAILS
    Data items found: Application Information, Log Data, Credentials (Passwords), Credentials (App Passwords), Transaction History, Contact Short Profile, Credentials (IDs), Card Full Information, Card Short Information, Credentials (Tokens), Browser Information, Preview, Message Information, GEO Data, GEO Snapshots
    https://m.facebook.com/password/change/?refid=70
  • 31. EMAIL APPS – MESSAGES MIGHT BE PROTECTED
    • Gmail – N#4, L#0: account data & media URLs, settings + profile; rest L#6
    • Yandex.Mail – messages N#6, rest N#4; app configs & account settings L#0, rest L#6
    • MailTime – message & sender info N#7, rest N#4 (iOS) or N#6 (Android); L#0
    • Mail.Ru – N#4; L#6: creds, message attachments & sender info; rest L#0
    • MyMail – N#4; L#6: creds, message attachments & sender info; rest L#0
    • YahooMail – N#4; L#6: creds, address book & media, log & app events
    • Newton Mail (prev. CloudMagic) – N#4; L#0: creds & device data; rest L#6
    • MS Outlook – credentials N#4, rest N#7; attachments & sync docs L#6, rest L#0
    • Alto – N#4; L#6: creds, config, analytics, logs, attachments; rest L#0
    Legend: N#7 – non-standard protocol; N#6 – pinned cert; N#4 – intercept/MITM with preinstalled/crafted cert; N#2 – MITM on the fly without a preinstalled trusted cert; L#6 – out of backup file; L#0 – in backup
  • 32. TAXI APPS – EVEN PAYMENTS MIGHT NOT BE PROTECTED
    • Meridian – social account, GEO & creds N#4, rest N#0; L#0
    • Taxi 777 – device & environment analytics N#4, rest N#0; L#0
    • Fixtaxi (Aerotaxi) – N#0; L#0
    • Gett (Gettaxi) – N#4; L#0
    • CleverTaxi – N#4; L#0
    • CrisTaxi – social account, GEO & creds N#4, rest N#0; L#0
    • YandexTaxi – activation code N#6; creds, GEO & address N#5; rest (bank card, orders, favorites) N#4; L#0
    Legend: N#6 – pinned cert; N#5 – same as N#4, but pinning informs about the weird cert; N#4 – intercept/MITM with preinstalled/crafted cert; N#0 – no protection; L#6 – out of backup file; L#0 – in backup
  • 33. WALLET APPS – PROTECT SYNC DATA ONLY
    • NS Wallet (any edition) – device data N#4, in-app iOS payment N#6; creds sync data L#8, rest L#0
    • EnPass – creds sync data N#8, rest incl. creds N#4; creds sync data L#8, rest L#0
    • Dashlane – creds sync data N#8, rest incl. creds, app config, logs… N#4; creds sync data L#8, rest L#0
    • LastPass – creds sync data N#8, rest incl. creds, app config, device info… N#4; creds sync data L#8, rest L#0
    • Sticky Password – creds sync data N#8, rest incl. creds, license details N#4; creds sync data L#8, rest L#0
    • 1Password – creds sync data N#8, rest incl. creds, app config, device info… N#4; creds sync data L#8, rest L#0
    Legend: N#8 – encrypted; N#6 – pinned cert; N#4 – intercept/MITM with preinstalled/crafted cert; L#8 – out of backup file; L#6 – out of backup file; L#0 – in backup
  • 34. MEDIA AND LOCATION LEAKS. NO PROTECTION
    Data items: Account Data; Address Data; Contact Media; GEO Data; GEO Snapshots; Maps Data; Media Data; Messages (Comment on; Personalization; Place Details; Tracked Data 'n' Favourites
    Apps: AlterGeo; Aviasales; Booking.com; Cris Taxi Bucuresti; Evernote; Fixtaxi (Aerotaxi); Foursquare; Instagram; Marriott; Meridian Taxi; momondo; Plazius; Skyscanner; Taxi 777; Velobike; VK for iPad; Weather Street Style; WeChat
  • 35. SENSITIVE DATA. NO PROTECTION
    Apps: Aeroexpress; AlterGeo; Anywayanyday; AppCompass; Aviasales; Booking.com; British Airways; Cinemagia; Cris Taxi Bucuresti; Evernote; Facebook Messenger; Fixtaxi (Aerotaxi); Flipboard; Fly Delta; Foursquare; IHG; Instagram; KliChat; Lookout; Marriott; Meridian Taxi; Microsoft Office; momondo; OK Messages; Pinterest; Plazius; Skyscanner; Swarm; Taxi 777; Velobike; VK; Weather Street Style; WeChat
    Data items: Account Details; Account Settings 'n' Configs; Address Data; Application Configs; Card Full Information; Contact GEO, Media, Profile; Credentials (IDs, Passwords, Tokens); Device Details, Environment; Messages; Orders & Reservation; Passport Data (Short); Personalization; Place Details; Preview; Stream; Tracked Data 'n' Favourites; Travel Details
  • 36. UNTRUSTED PLACES
    • Untrusted charging places
      • When you connect your device to them, you will see a notification that you are plugged into a PC/Mac
      • Or lost devices
    • Untrusted network places
      • When you connect your device to them:
        • You will see nothing
        • You will see a question about an untrusted certificate; you accept or decline it
        • Someone makes you install a trusted certificate
  • 37. EXTRACTING LOCAL DATA. EXAMPLES
    • Oxygen Forensic® Detective introduces offline maps and a new physical approach for Samsung Android devices!
    • The updated version offers a new physical method for Samsung Android OS devices via custom forensic recovery. This innovative approach allows bypassing the screen lock and extracting a full physical image of supported Samsung devices.
    • http://www.oxygen-forensic.com/en/events/news/666-oxygen-forensic-detective-introduces-offline-maps-and-new-physical-approach-for-samsung-android-devices
  • 41. SSL ISSUES: APPS, MOZILLA, WOSIGN, APPLE, GOOGLE
    Applications handle SSL connections in different ways:
      • Some don't validate the SSL certificate during the connection
      • Many trust the root SSL certificates installed on the device when validating SSL
      • Some have a pinned SSL certificate and trust only it
    Trusting root certificates might not be a good idea (Mozilla reports):
      • Between 16th January 2015 and 5th March 2015, WoSign issued 1,132 SHA-1 certificates whose validity extended beyond 1st January 2017
      • Between 9th April 2015 and 14th April 2015, WoSign issued 392 certificates with duplicate serial numbers, across a handful of different serial numbers
      • It is important background information to know which WoSign roots are cross-signed by other trusted or previously-trusted roots (expired but still unrevoked)
    Eventually Apple removes the SSL certificate from iOS, perhaps from iOS 10 only
    https://support.apple.com/en-us/HT204132, https://support.apple.com/en-us/HT202858
    https://threatpost.com/google-to-distrust-wosign-startcom-certs-in-2017/121709/
  • 42. DATA PROTECTION CONCEPTS (DPC)
    Many of them are known; some were renamed, but there are still 3:
      • Data-at-Rest (DAR): locally stored data on internal or external storage. Data might be divided into several parts: full data, backup data, and containerized data
      • Data-in-Transit (DIT): data transmitted over the Internet and the local wireless network (as part of a solid internet connection) and limited by it
      • Data-in-Use (DIU): refers to data operated on in internal memory (not storage) and in application code, like hardcoded values
  • 43. IMPLEMENTATION OF DPC. DATA-AT-REST
    iOS:
      • No special tools for viewing various data types
      • No root needed to gain access to backup data
      • No root needed to gain access to the application data folder on internal storage (works only for iOS older than 8.3), CVE-2015-1087
      • Root needed to gain access to the keychain folder on internal storage
      • Root needed to gain access to the application data folder on internal storage (iOS 8.3 and higher)
      • Root needed to gain access to internal storage in general
    Android:
      • No special tools for viewing various data types
      • Root needed to gain access to internal storage
      • No root needed to gain access to external storage, public folders or backup data
      • Unlocking a locked bootloader wipes all data on several devices, e.g. HTC
      • A non-locked or unlocked bootloader might give an opportunity to root a device, grab data or install a malicious application and de-root it back, e.g. Samsung, LG (details, news: http://www.oxygen-forensic.com/en/events/news)
  • 44. IMPLEMENTATION OF DPC. DATA-IN-TRANSIT
    Do not require root for cases such as:
      • Non-protected traffic
      • No SSL validation except against a centralized list of certificates
      • MITM possible – fake/crafted/stolen SSL certificate installed as trusted
    Require root for cases such as:
      • SSL pinning, to bypass it automatically or manually
      • The rest of the cases that directly impact the app code and are mixed with DIU
    • App-level proxy is an alternative internet access
    • OS-level proxy – no app-level alternative tunnels
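Slide 41 lists three ways apps handle SSL and slide 44 notes that a crafted certificate installed as trusted defeats the second of them. The Go program below is an added example (not from the talk) that reproduces this offline: both certificates are generated in-process as constructed fixtures, the host name api.example and the base64(SHA-256(SPKI)) pin format are assumptions, and the three verdicts show that a client relying only on the device root store accepts the attacker's certificate, while a client that also pins the genuine key rejects it and still accepts the real server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

const host = "api.example" // assumed API host name, not from the talk

// mustSelfSigned builds a self-signed certificate for host (constructed fixture) that stands
// in for the genuine server certificate or for an attacker's "preinstalled" one.
func mustSelfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// SPKIPin is the usual pin form: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verdict runs one loopback handshake against a server presenting serverCert; the client
// trusts pool (the device root store) and, when pin is set, also pins the leaf's SPKI hash.
func verdict(serverCert tls.Certificate, pool *x509.CertPool, pin string) error {
	cfg := &tls.Config{RootCAs: pool, ServerName: host}
	if pin != "" { // runs only after root-store validation passed: the pin is the extra gate
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err == nil && SPKIPin(leaf) != pin {
				err = errors.New("certificate pin mismatch")
			}
			return err
		}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: one handshake, which fails when the client rejects the cert
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return err } // non-nil: the client refused the server's certificate
	return conn.Close()
}

// Scenario models a trust store holding the genuine root plus one the user was made to
// install, and returns the three verdicts named in the result list.
func Scenario() (rootOnlyVsAttacker, pinnedVsAttacker, pinnedVsGenuine error) {
	genuine, attacker := mustSelfSigned(), mustSelfSigned()
	pool := x509.NewCertPool()
	pool.AddCert(genuine.Leaf)
	pool.AddCert(attacker.Leaf) // the "preinstalled/crafted" certificate now trusted by the device
	pin := SPKIPin(genuine.Leaf)
	return verdict(attacker, pool, ""), verdict(attacker, pool, pin), verdict(genuine, pool, pin)
}
```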
  • 45. QUANTIFICATION SECURITY LEVELS. DAR
    Level | iOS | Android
    Non-Protected | Protection N/A or jailbroken iOS | Protection N/A, rooted, public folders, SD cards
    Encode Protected | Encoded data (zlib, base64, etc.) | Encoded data (zlib, base64, etc.)
    Weak Protected | App data access w/o jailbreak, iOS <8.3 | Not Defined
    Obesity Protected | Not Defined | Not Defined
    Medium Protected | Data available via sharing, such as iTunes | Not Defined
    Interim Protected | Access limited by time, e.g. cache folders | Access limited by time, e.g. cache folders
    Good Protected | Not Defined | Sandbox; root/unlocking does not wipe data
    Strong Protected | Sandboxed data; jailbreak needed & wipes data | Sandboxed data; root needed & wipes data
    Extra Protected | No public tools for a jailbreak are available | No public tools for a jailbreak are available
    Best Protected | Not Defined | Not Defined
  • 46. QUANTIFICATION SECURITY LEVELS. DIT
    Level | iOS | Android
    Non-Protected | Protection N/A, jailbroken, crafted certificate | Protection N/A, rooted, crafted certificate
    Encode Protected | Encoded data (zlib, base64, etc.) | Encoded data (zlib, base64, etc.)
    Weak Protected | Stolen or expired certificates | Stolen or expired certificates
    Obesity Protected | Not Defined | Not Defined
    Medium Protected | Basic SSL validation of certificates | Basic SSL validation of certificates
    Interim Protected | Not Defined | App-level proxy/tunnel for internet
    Good Protected | Not Defined | Not Defined
    Strong Protected | Not Defined | Not Defined
    Extra Protected | System and/or user VPN | System and/or user VPN
    Best Protected | Not Defined | Not Defined
  • 47. LIST OF SOFTWARE RELATED TO SECURITY CHECKS
    Tool classes: File viewers; Online services & tools for calculations; Network debug & pentest; Debuggers, disassemblers, decompilers, activity tracers, and pentest frameworks; File & device access: forensics & special pentest solutions; No tools
    Protection levels covered: No tools; Non-Protected; Weak Protected; Obesity Protected; Medium Protected; Interim Protected; Good Protected; Strong Protected; Extra Protected; Best Protected; Encode Protected
    Cost: Free or paid; $100-300 or less; Free or paid, Home ~$100, Enterprise $300+; $5-10k+, lightweight $100-1k; No tools, if no data available
  • 48. SOLUTIONS: FOR DEVELOPERS
    • Secure Mobile Development Guide by NowSecure
      • Coding Practices
      • Handling Sensitive Data
      • iOS & Android Tips
      • etc.
    • https://books.nowsecure.com/secure-mobile-development/en/index.html
  • 49. SOLUTIONS: DATA PROTECTION DBs
    • We [as security experts] know what data is protected and not protected, whether it's locally stored, transferred or hardcoded
    • Also, we know two simple things
      • not only users publish their data
      • developers can't protect data
    • At the same time we're customers, right?
    • I, as a customer, prefer and have a right to know where devices shouldn't be connected to a network or plugged into a PC/Mac.
    • Developers aren't going to tell me if they fail. Instead they're telling me 'everything is OK, but they're not responsible for anything'
  • 50. SOLUTIONS: DATA PROTECTION DBs
    • The goal is to provide a solution that helps to keep 'everyone' informed about app security fails.
    • Everyone means
      • app users as well as app developers
      • you don't need to be an expert to understand how it affects you; you just know whether it has the required level of protection or not
      • but you have to get used to the fact that your application operates on a lot of data, visible and not visible to you, beyond the blueberry muffins over the weekend
  • 51. Vulnerabilities matter but have existed for over 40 years
    • A vulnerability is a defect/flaw in design, in the developer's code or in third-party libraries
    • Lack of data protection is usually insecurity by design and implementation fails
    • Even OWASP considers data protection a more important thing than vulnerabilities by now
    • Lack of data protection is described by 3 vulnerabilities: sensitive data leakage, storage, transmission – CWE-200, CWE-312, CWE-319
    PrivacyMeter gives answers about (at the moment):
      • list of apps and average values (Raw value; Environment value depends on OS)
      • list of app data items grouped by 'protection levels/categories'
      • data item protection level and explanation
      • examination of the privacy policy in regard to the gained app results
    Results are available on the web-site http://www.privacymeter.online/ – see booklets (!)
    Download the Autumn Report: http://www.privacymeter.online/reports – see booklets (!)
  • 52. APPS FINDINGS. OVERALL RESULTS
    • 250 apps = 135 iOS apps + 115 Android apps
    • 8124 data items = 4287 (iOS) + 3837 (Android)
    • 20+ application groups (17 unique groups)
    • 30 data groups & 105 data items over 8K data items
    • 462 unique pairs of data group & data item
    Application groups: News & Magazines; Productivity; Shopping; Social Networking; Tools & Utilities; Transportation; Travel & Local; Weather; Business; Communication; Entertainment; Finance; Food & Drink; Lifestyle; Photo & Video; Music; Navigation
  • 53. DATA GROUPS' AVERAGE PROTECTION LEVEL. iOS VS. ANDROID
    [Bar chart; series: iOS, Android; y-axis: average protection level, 0 to 7; x-axis data groups: Account Information; Address Book 'n' Contact Information; Analytics 'n' Ads Information; Application BaaS Information; Application Information; Booking 'n' Purchases Information; Bookmark Information; Browser Information; Call Information; Credentials Information; Device Information; Documents Information; Events Information; Financial Information; Location 'n' Maps Information; Log Information; Loyalty Information; Media Information; Message Information; News Information; Notification Information; Payment 'n' Transaction Information; Personal 'n' Private Information; Social Information; Storage Information; Tasks Information; Travel Information; Visa 'n' Passport Information; VPN Information; Weather Information; Workflow Information]
  • 54. QUANTITY OF APPS PER EACH GROUP
    Share of apps per group (chart values):
    Group | iOS | Android
    Worst applications | 27.41% | 24.35%
    Bad applications | 100.00% | 100.00%
    Good applications | 97.04% | 30.43%
    Best applications | 30.37% | 20.87%
  • 55. WORST PROTECTED ITEMS OVER APPS
    [Bar chart; series: Env (iOS), Raw (iOS), Env (Android), Raw (Android); y-axis: protection level, 0 to 6]
  • 56. WORST PROTECTED ITEMS OVER APPS
    • Account Information: Account Details, GEO & Address
    • Contact Information: GEO + Profile + Social + Media URLs + Place Details + Stream
    • Analytics 'n' Ads Information: Device Data & Environment
    • Credentials Information: Credentials IDs & Passwords
    • Events Information: Stream
    • Location 'n' Maps Information: GEO & Address, Media Data, Messages, Place Details
    • Loyalty Information: Account Data, GEO & Address, Place Details
    • Media Information: Place Details
    Many applications reveal something in plaintext: 8 groups, 16 data items, 30 pairs of group + data item
  • 57. WORST iOS AND ANDROID APPLICATIONS
    [Bar chart; apps: AppCompass, Cris Taxi Bucuresti, Fixtaxi (Aerotaxi), Meridian Taxi, Skyscanner, Taxi 777, Velobike; series: Env (iOS), Raw (iOS), Env (Android), Raw (Android); y-axis: protection level, 0 to 3]
  • 58. GOOD iOS & ANDROID APPS
    [Bar chart; apps: Asana, British Airways, British Airways for iPad, Cloud Hub, Firefox, Google Trips, NS Wallet FREE, NS Wallet PRO, ParkSeason, Spaces, Trello; series: Env (iOS), Raw (iOS), Env (Android), Raw (Android); y-axis: protection level, 4.6 to 5.8]
  • 61. [ YURY CHEMERKIN ]
    • MULTISKILLED SECURITY EXPERT
    • EXPERIENCED IN:
      • REVERSE ENGINEERING & AV, DEVELOPMENT (PAST)
      • MOBILE SECURITY & CLOUD SECURITY
      • IAM, COMPLIANCE, FORENSICS
    • PARTICIPATION & SPEAKING AT MANY SECURITY CONFERENCES
  • 62. RISKWARE BETRAYER: WHO IS THE BIGGEST ONE? YURY CHEMERKIN
    HOW TO CONTACT ME?
    • ADD ME ON LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
    • SEND A MAIL TO: YURY.S@CHEMERKIN.COM