Mobile App Attack

Sneha Rajguru

Trainer Name: Sneha Rajguru
Title: Mobile App Attack
Duration: 2 Days
Dates: 28th Feb - 1st March 2018

Mobile apps are today the most preferred way of delivering attacks. Understanding the finer details of mobile app attacks is fast becoming an essential skill for penetration testers as well as for app developers and testers.

So, if you are an Android or iOS user, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast, then 'Mobile App Attack' is of definite interest to you. The training familiarises attendees with in-depth technical explanations of some of the most notorious mobile (Android and iOS) vulnerabilities and of the ways to verify and exploit them, along with the various Android and iOS application analysis techniques and inbuilt security schemes, and teaches how to bypass those security models on both platforms.

With live demos using intentionally crafted, real-world-style vulnerable Android and iOS apps written by the author, we shall look into some of the common ways in which malicious apps bypass security mechanisms or misuse the permissions they are granted.

Apart from that, we shall take a brief look at what is special about the latest Android 8 and iOS 10 security features and their related flaws.

Course outline

This training will mainly focus on the following:

  • ARM basics and Android native code.
  • Reverse engineer Dex code for security analysis.
  • Jailbreaking / Rooting of the device and also various techniques to detect Jailbreak / Root.
  • Runtime analysis of the apps by active debugging.

Modifying parts of the code, where a part may be a specific function or class, and detecting such modification: we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn how to reverse engineer an application, obtain its executable binaries, modify those binaries accordingly and resign the application.
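To make the checksum-based tamper check concrete, here is an added example (not code from the course or the trainer) that records a per-entry SHA-256 baseline for the code-carrying entries of an APK and flags a repackaged copy whose classes.dex was patched and resigned. The APK contents, entry names and digests are constructed in memory and do not come from a real app.

```python
import hashlib
import io
import zipfile

# Entries whose digests make up the "code checksum" of an APK. Constructed
# set for this example; a real check would cover every entry outside META-INF/.
CODE_ENTRIES = ("classes.dex", "lib/arm64-v8a/libnative.so")


def build_apk(entries):
    """Build an in-memory zip that stands in for an APK (constructed, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def code_digests(apk_bytes, names=CODE_ENTRIES):
    """Return {entry name: hex SHA-256} for the code-carrying entries of an APK."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        present = set(zf.namelist())
        for name in names:
            if name in present:
                digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests


def detect_modification(baseline, current):
    """Compare a trusted baseline (kept outside the APK, e.g. server-side,
    so a repackager cannot simply update it) against the APK under test."""
    changed = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


# Constructed sample: the original build, and a repackaged copy whose Dalvik
# bytecode was patched (two bytes swapped) and resigned with a new META-INF.
DEX = b"dex\n035\x00" + bytes(range(64))
LIB = b"\x7fELF" + bytes(range(32))
ORIGINAL = build_apk({"AndroidManifest.xml": b"<manifest package='example.app'/>",
                      "classes.dex": DEX, "lib/arm64-v8a/libnative.so": LIB,
                      "META-INF/CERT.RSA": b"original-signature"})
PATCHED = build_apk({"AndroidManifest.xml": b"<manifest package='example.app'/>",
                     "classes.dex": DEX.replace(b"\x10\x11", b"\x11\x10"),
                     "lib/arm64-v8a/libnative.so": LIB,
                     "META-INF/CERT.RSA": b"attacker-resigned"})

BASELINE = code_digests(ORIGINAL)
REPORT = detect_modification(BASELINE, code_digests(PATCHED))  # changed: classes.dex only
```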

Runtime modification of code. The objective is to learn how programs / code can be changed or modified at runtime. We will learn how to perform introspection or override the default behaviour of methods during runtime, and then how to identify whether the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it etc.

Hooking an application and learning to perform program / code modification.

By the end of the training, CTF challenges written by the trainer and based on the course content will be launched, and attendees will use the skills learnt in the workshop to solve them. The workshop will begin with a quick understanding of the architecture, file system, permissions and security model of both the iOS and Android platforms.

Course Content

Day 1

Session 1: Android Introduction & Basics

  • Android Architecture & File System
  • Android Security & Kernel
  • Android - Permission model & sandboxing
  • Application Components & Structure

Session 2: Setting up the Pentesting environment

  • SDK and Android Tools
  • Setting up the Pentesting environment
  • Setting up the Android emulator & other required settings.
  • Android device rooting essentials
  • Penetration Testing Approach
  • Application Analysis
  • Android Debug Bridge
  • Hands on - Setting up the Pentesting environment
  • Hands on - Looking at the artifacts of the application.
  • Hands on - Lab exercise

Session 3: Reverse engineering & runtime manipulation

  • Reverse engineer the app
  • Hands on - APK decompilation (smali / baksmali Dalvik assembler / disassembler)
  • Hands on - Runtime manipulation and code patching
  • Hands on - Recompile and Resign the APK
  • Hands on - Reading the class files and
  • Hands on - Lab exercise

Session 4: Application dynamic runtime analysis

  • Monitoring process & Network activity
  • Analyzing logs using logcat
  • Memory dumps and analysis
  • Debugging:
    • Native debugging with IDA (building signatures, types etc.)
  • Runtime instrumentation and manipulation
  • Hands on - Memory dumps and objects analysis
  • Hands on - Bypass Application Restrictions
  • Hands on - lab exercise

Session 5: Application Components and security issues

  • Knowing Activity, Service, Content provider, Broadcast receiver
  • The application components structure
  • Hands on - Direct component invocation by unauthorized apps
  • Hands on - Invoking Activities using malicious intents
  • Hands on - Using broadcast receivers

Session 6: Data and Network interception – manipulation and analysis

  • Traffic interception (Active & Passive)
  • Sniffing Application & Device data
  • Proxies and sniffers
  • Hands on - Intercepting application traffic
  • Hands on - Importing SSL certificates & trusted CAs
  • Validating server certificates and avoiding man-in-the-middle
  • Hands on - Techniques such as HostnameVerifier and HttpsURLConnection class
  • Hands on - SSL pinning and SSL pinning bypass
  • Client side certificate authentication
  • Hands on - Vulnerabilities relating to information transmission

Day 2

Session 1: Introduction to iOS

  • iOS Security Architecture & Features
  • iOS Application Overview

Session 2: iOS Security Model

  • iOS Security Model
  • Code signing
  • Sandboxing
  • Encryption
  • iOS application components

Session 3: Setting up the iOS testing Environment

  • Setting up the iPhone / iPad / Simulator
  • Setting up the Xcode
  • Jailbreak essentials
  • iBoot
  • DFU mode (Recovery mode)

Session 4: Reverse Engineering

  • Hands on - Reverse Engineering the iOS Applications
  • Hands on - Decrypting Appstore Binaries
  • Hands on - Identifying the use of Stack smashing Protection
  • Hands on - Locating Position Independent Executables
  • Hands on - Inspecting Binary

Session 5: Perform instrumenting at runtime using dynamic linkers

  • Hands on - Runtime modification using gdb
  • Hands on - Method swizzling using cycript
  • Hands on - Inspecting the applications for runtime changes
  • Understanding the hooking process
  • Identifying whether the application is being debugged
  • Hands on - Debugging the native code in iOS (gdb & lldb)

Session 6: Auditing & Pentesting the iOS Applications

  • Hands on - Auditing the insecure API usage
  • Exposing the protocol headers
  • Hands on - Identifying Insecure storage
  • Hands on - Grabbing the iOS KeyChain
  • Hands on - Application analysis
  • Hands on - Exploiting XSS in Apps through WebViews
  • Hands on - Attacking XML Processors
  • Hands on - SQL Injection
  • File System interaction

Who should take this course?

  • Penetration testers / security professionals
  • Mobile developers
  • Anyone interested in learning mobile application security

What should students bring?

  • A jailbroken iPhone / iPad / iPod for iOS testing is a must for the hands-on exercises.
  • Laptop with 20+ GB free hard disk space and 4+ GB RAM
  • Windows 7 / 8, Ubuntu 12.x+ (64-bit operating system), or Mac OS X (Mavericks or later)
  • Android SDK and Genymotion installed
  • Operating system with Intel / AMD hardware virtualization enabled
  • Administrative access on your laptop, with external USB devices allowed

What will be provided?

  • Slides (PDF)
  • Lab manuals
  • Practice apps
  • VM for pen testing mobile apps

About the trainer

Sneha Rajguru

Sneha works as a Security Consultant with Payatu Software Labs LLP. Her areas of interest lie in web application and mobile application security and fuzzing. She has discovered various application flaws in open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided training at GNUnify, FUDCon, DefCamp, DefCon, BSidesLV, AppSec USA and Nullcon. She is also the chapter lead for null - Pune.
Twitter: @sneharajguru.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved