Penetration Testing mailing list archives

Re: IT Audits/PT's of Smartphones


From: Andre Gironda <andreg () gmail com>
Date: Wed, 10 Aug 2011 11:20:56 -0700

On Thu, Aug 4, 2011 at 7:22 AM, Sheran Gunasekera <sheran () zenconsult net> wrote:
> I'm assuming you mean application vulnerability scanners?  As far as
> I'm aware this is an area that needs improvement.  I've done several

An automated app crawler would be possible for Android using the SDK
emulator and Eclipse DDMS.

However, for iOS and BBOS, the apps appear to be much more difficult
as there is no full emulator for testing (only simulators that do not
have all of the necessary functional testing approaches/components).

> pentests for applications developed by third-party vendors for my
> clients.  I generally follow this approach:

> 1. Get a copy of the app (usually I get it through the developer; if
> its live, you could download it) and reverse engineer it.  During this
> stage I check for:

It is much more efficient to get a copy of the build environment or
steps necessary (with source code and commercial third-party
components included) to re-create a successful build. This is true
even with regards to Android.

The arguments are clearly stated here --
http://blog.nvisiumsecurity.com/2011/06/blackbox-vs-whitebox-mobile-security.html
-- "With source code for the client-side app, a security tester can
execute and debug the app within an IDE.  The application still runs
on an actual device or emulator/simulator, but the application's flow
of execution can be tightly controlled through the IDE.   Methodically
debugging in Eclipse or Xcode is much more efficient than other
methods of testing.  Having the luxury to set breakpoints at key areas
within the application can give a skilled tester the ability to do
magical things".

> a. Storing sensitive data (like login credentials) without adequate
> protection - like encryption
> b. Hardcoded encryption keys
> c. Algorithms that encode data (e.g. base64) rather than encrypt data

Temporary storage in memory or swap is also problematic, not only for
the process of the app, but also other processes (especially logging).

> For the iPhone, I have my own jailbroken device that I can ssh to.
> Once there, I can use the standard tools like gdb to debug and otool
> to disassemble.

You should do a write-up on the procedures you take to do this. I
would be very interested, and know many others that are interested as
well. In the meantime, check out --
http://trailofbits.com/2011/08/10/ios-4-security-evaluation/

> For the BlackBerry, I've written my own decompiler so that I can
> decompile .cod files.  I just use that to read off the standard Java
> code.

Can you please put your code up on GitHub and send us the link? If you
don't want to release at this time, could you at least point people in
the direction of what libraries, system calls, or other software
components you used to build the decompiler? I know that the iSec
Partners "Mobile Application Security" book covers the concepts, but
it's wonderful to contribute to the community, especially early-on ;>

> 2. Often, enterprise apps (like mobile banking, stock trading, etc)
> will always connect to a server.  So I check the communication between
> client and server.  I use the Mallory proxy together with my ubuntu
> box and usb-wifi adapter to 'break' ssl and look at the plain text
> traffic.  Sometimes, from step (1) above, you can also collect clues
> as to how the client app will communicate with the server app.

Often, I find that the server app is merely a Web Service and does not
appreciate normal HTTP/TLS without XML.

> Sadly, there is a shortage of skilled enterprise app developers.  In
> almost all my pentests, the apps have been nothing more than a
> BrowserField (BlackBerry) or UIWebView (iOS) that just displays
> HTML/CSS/JS content on the mobile device.  It is nothing more than a
> web application running on the device.  So in cases like these, I just
> end up focusing a lot on the server and it ends up in a web app
> pentest instead.

It is my guess that iPad apps like vudu.com will become the standard:
A) Because of the dominance of the iPad and the App Store
B) Because of the licensing restrictions for content, advertising, app
capabilities, App Store app reviews/stipulations, etc imposed by Apple

In other words, apps will not even do much except open a Safari
instance to a series of HTML5 web applications that are riddled with
vulnerabilities.

OWASP iGoat and OWASP GoatDroid will be good starting points for
anyone interested in this kind of research or work.

Cheers,
Andre
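As an added illustration of the storage checks in step 1 of the quoted approach (items a and c: credentials stored in the clear, and base64 encoding mistaken for encryption), here is a small triage helper. It is not code from either poster; the thresholds are heuristic assumptions and the sample values are constructed stand-ins for strings pulled out of an app's preferences, plist or database during a review.

```python
import base64
import binascii
import math
import string

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte distribution (0..8)."""
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def is_mostly_printable(data: bytes, threshold: float = 0.95) -> bool:
    """True when at least `threshold` of the bytes are ASCII printable."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold


def try_base64(value: str):
    """Strictly decode base64; None when the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_stored_value(value: str) -> str:
    """Heuristic triage of one value found in app storage."""
    raw = try_base64(value)
    if raw and is_mostly_printable(raw):
        # Decodes straight back to readable text: base64 was used as an
        # obfuscation layer, not encryption (check 1c in the quoted list).
        return "encoded-not-encrypted"
    if raw and len(raw) >= 16:
        # Ciphertext should look uniformly random; compare measured entropy with
        # the maximum possible for a sample of this size (0.85 is an assumed cutoff).
        if shannon_entropy(raw) >= 0.85 * math.log2(min(len(raw), 256)):
            return "likely-encrypted"
    if is_mostly_printable(value.encode()):
        return "plaintext"  # readable as stored, no protection at all (check 1a)
    return "unknown"        # too short or too odd to judge; inspect by hand


# Constructed samples: a bare password, a base64-wrapped credential string,
# and 32 distinct high bytes standing in for a real ciphertext blob.
SAMPLES = {
    "hunter2": "plaintext",
    base64.b64encode(b"user=alice;pass=hunter2").decode(): "encoded-not-encrypted",
    base64.b64encode(bytes(range(0x80, 0xA0))).decode(): "likely-encrypted",
}
```

Short values that happen to be valid base64 (an 8-character password, for instance) decode to a few non-printable bytes and fall through to the plaintext/unknown branches, which is why the entropy test only runs on 16 bytes or more.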
