iPhone 5 fingerprint reader/Touch ID articles

A few articles (many quoting colleagues) with information on the new iPhone 5 fingerprint reader (aka. Apple Touch ID):

Ars Technica: Touch ID hacking commentary (summary: it’s not easy)

CNN – How iPhone 5S makes your finger into a password

ABC News – Does the iPhone 5S Fingerprint Sensor Make it More Secure?

Ars Technica – Fingerprints as passwords: New iPhone Touch ID gets mixed security verdict

Mac News World – New iPhone Could Kick Biometrics Into High Gear

International Business Times – LG Nexus 4 vs. iPhone 5S, 5C: 3 Absolute Reasons Why Nexus 4 is More Practical than Next-Gen iPhones

Silicon Angle – iPhone 5s Fingerprint Sensor Replaces Home Button: Fast Unlock + iTunes Purchases

ComputerWorld – Why Apple will disappoint businesses with iPhone 5S fingerprint scanner

1250 WTMA Talk – Does iPhone 5S Fingerprint Sensor Make It More Secure?

Mobile malware samples

From author Neil Bergman:

This is the best site that I’ve come across for mobile malware samples.

http://contagiominidump.blogspot.com (mobile malware dump / download all)

But, there tends to be a dearth of iOS malware in the world.



A team of researchers from Georgia Tech has demonstrated how hackers can slip a malicious app by Apple’s reviewers so that it’s published to the App Store and ready for unsuspecting victims to download.

Led by Tielei Wang, a research scientist at Georgia Tech’s school of computer science, the team created a “Jekyll” app — named for the Robert Louis Stevenson novella, Strange Case of Dr. Jekyll and Mr. Hyde — that posed as a benign news reader. Hidden inside the app, however, were code fragments, dubbed “gadgets,” that self-assembled to create a proof-of-concept exploit only after the app was approved by Apple.

The assembled attack code was able to send tweets, email and texts without the user’s knowledge, and could steal the iPhone’s unique device ID, turn on the camera and take video, forward voice calls to other phones and connect with local Bluetooth devices. Because the reconfigured app also “phoned home” to a server operated by the researchers, they were able to download additional malware and compromise other apps on the smartphone, including the Safari browser.

See http://www.computerworld.com/s/article/9241742/ for full details.


Installing a custom cert into the Android emulator system cert store

A quick Android security testing tip from our colleagues John Kozyrakis and Doug Logan…

Up to Android 2.3, adding trusted CA certs to the keystore required either a rooted phone and manual editing of the Java keystore, or an OTA update.

After 2.3, Android added a GUI in the Settings app, making it possible to install new certs on non-rooted phones.

Some other options for easily inserting a new trusted system cert into the Android emulator:

1) Mount an SD card on the emulator. Just create one with ‘mksdcard 50M’ and start the emulator with -sdcard [or hardcode it in its config file].

2) Upload the cert somewhere, browse to it from the emulator, download it and install it. http://www.realmb.com/droidCert/

3) Use a third-party app like otertool.
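As an added example (not part of the tip above, and not Android's or any tool's own code): the system store the heading refers to lives in /system/etc/security/cacerts/, where Android looks for each trusted CA as a PEM file named after the OpenSSL "old" subject-name hash (what `openssl x509 -subject_hash_old` prints) followed by a `.0` suffix. The Python below derives that file name without OpenSSL, by walking the certificate's DER structure to the subject Name and hashing it the way OpenSSL did, then prints the adb commands that would place the file on an emulator. The certificate it hashes is a constructed, unsigned skeleton built inline so the script runs offline; the adb steps assume an emulator image whose /system can be remounted read-write (`adb root` followed by `adb remount`), and the local file name demo_ca.pem is a placeholder.

```python
# Added example (not from the original post or any Android tool): derive the
# file name Android expects for a trusted CA in /system/etc/security/cacerts/
# and emit the adb commands that would push it into an emulator's system store.
import base64
import hashlib
import struct


def der_tlv(data, pos):
    """Parse one DER tag-length-value at pos -> (tag, value_start, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed demo cert."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def extract_subject_der(cert_der):
    """Walk Certificate -> tbsCertificate and return the subject Name TLV."""
    tag, pos, _ = der_tlv(cert_der, 0)            # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = der_tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    assert tag == 0x30, "bad tbsCertificate"
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for expected in (0x02, 0x30, 0x30, 0x30):     # serial, sigAlg, issuer, validity
        tag, _, pos = der_tlv(cert_der, pos)
        assert tag == expected, "unexpected tbsCertificate field"
    tag, _, end = der_tlv(cert_der, pos)          # subject Name
    assert tag == 0x30, "bad subject Name"
    return cert_der[pos:end]


def subject_hash_old(name_der):
    """OpenSSL's pre-1.0 name hash: first 4 MD5 bytes as a little-endian int."""
    return struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]


def android_cacert_filename(cert):
    """Accept PEM or DER bytes; return the '<hash>.0' name Android looks for."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    return "%08x.0" % subject_hash_old(extract_subject_der(cert))


def der_to_pem(der):
    """PEM-wrap a DER cert; the files in cacerts/ are PEM."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def adb_install_commands(local_pem, filename):
    """adb steps, assuming an emulator whose /system can be remounted rw."""
    target = "/system/etc/security/cacerts/" + filename
    return ["adb root", "adb remount", "adb push %s %s" % (local_pem, target),
            "adb shell chmod 644 " + target, "adb reboot"]


def encode_name_cn(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }."""
    attr = der_encode(0x30, bytes.fromhex("0603550403") + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, attr))


def build_demo_cert(cn="Constructed Test CA"):
    """Constructed, unsigned certificate skeleton so the demo runs offline."""
    sha256_rsa = der_encode(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    rsa_key = der_encode(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    placeholder_bits = der_encode(0x03, b"\x00" * 9)   # stands in for key/signature
    validity = der_encode(0x30, der_encode(0x17, b"130101000000Z")
                          + der_encode(0x17, b"230101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))   # v3
                     + der_encode(0x02, b"\x01") + sha256_rsa + encode_name_cn(cn)
                     + validity + encode_name_cn(cn)
                     + der_encode(0x30, rsa_key + placeholder_bits))
    return der_encode(0x30, tbs + sha256_rsa + placeholder_bits)


if __name__ == "__main__":
    cert = build_demo_cert()
    name = android_cacert_filename(der_to_pem(cert))
    print("system store file name:", name)
    for cmd in adb_install_commands("demo_ca.pem", name):
        print(cmd)
```

On a real certificate, `android_cacert_filename(open("ca.pem", "rb").read())` should match what `openssl x509 -in ca.pem -noout -subject_hash_old` prints, which is a quick cross-check before pushing anything. A cert placed this way is trusted at platform level rather than as a user-installed CA, which is what makes the approach suited to a throwaway test emulator.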

Android 4.3 new security features

Android 4.3 was released today. Here’s a list of security-related changes or new features and some comments, provided by our colleague, John Kozyrakis:

– /system is now mounted as nosuid. Not sure how this makes things more secure since there are no setuid binaries in /system by default afaik

– New system to revoke individual permissions from applications. Seems to gather a list of used permissions at runtime. That list could be useful in testing. http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/

– SELinux mandatory access control system

– KeyChain is now hardware-backed (if appropriate hardware exists). It uses a hardware root of trust (Secure Element/TrustZone/TPM) to encrypt keys, so keychain data would be unusable outside the phone

– There’s now a Keystore Provider API that creates and stores app-private keys for use by applications.

– Multi-user is more polished

– ‘restricted profiles’ can be created on tablets – this is basically customised guest accounts with access to specific installed apps

– Capability bounding using prctl(PR_CAPBSET_DROP) to drop sensitive capabilities from apps – should research which ones are dropped

– Apps use prctl(PR_SET_NO_NEW_PRIVS) to block addition of new privileges after application start

– More FORTIFY_SOURCE enhancements

– A number of other undisclosed security fixes
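The two prctl() items in the list are Linux kernel mechanisms rather than anything Android-specific, so their behaviour can be observed on any Linux host. The following is an added example (ours, not John's list and not Android's zygote code): it uses ctypes to read the capability bounding set, attempts to drop two capabilities from it, and then sets no_new_privs and reads it back. The option numbers are those from <linux/prctl.h>, the capability numbers those from <linux/capability.h>, and the choice of which capabilities to drop is illustrative; on a non-Linux host the function returns None.

```python
# Added example (not Android's own code): exercise the two prctl() mechanisms
# from the Android 4.3 feature list on a Linux host via ctypes.
import ctypes
import errno
import sys

# option numbers from <linux/prctl.h>
PR_CAPBSET_READ = 23
PR_CAPBSET_DROP = 24
PR_SET_NO_NEW_PRIVS = 38
PR_GET_NO_NEW_PRIVS = 39

# a few capability numbers from <linux/capability.h>
CAPS = {
    "CAP_SETUID": 7,
    "CAP_NET_RAW": 13,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_ADMIN": 21,
}


def load_libc():
    """Return libc with a typed prctl(), or None when not running on Linux."""
    if not sys.platform.startswith("linux"):
        return None
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.restype = ctypes.c_int
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    return libc


def read_bounding_set(libc, caps=CAPS):
    """Map each capability name to whether it is still in the bounding set."""
    return {name: libc.prctl(PR_CAPBSET_READ, num, 0, 0, 0) == 1
            for name, num in caps.items()}


def drop_capabilities(libc, names):
    """Try PR_CAPBSET_DROP per name; the caller needs CAP_SETPCAP, else EPERM."""
    outcome = {}
    for name in names:
        if libc.prctl(PR_CAPBSET_DROP, CAPS[name], 0, 0, 0) == 0:
            outcome[name] = "dropped"
        else:
            outcome[name] = "failed:" + errno.errorcode.get(ctypes.get_errno(), "?")
    return outcome


def set_no_new_privs(libc):
    """One-way switch: afterwards execve() can never grant more privilege."""
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    return libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


def harden_process(drop=("CAP_SYS_MODULE", "CAP_SYS_RAWIO")):
    """Illustrative sequence (not zygote's) applied to the calling process."""
    libc = load_libc()
    if libc is None:
        return None
    report = {"before": read_bounding_set(libc)}
    report["drops"] = drop_capabilities(libc, drop)
    report["after"] = read_bounding_set(libc)
    report["no_new_privs"] = set_no_new_privs(libc)
    return report


if __name__ == "__main__":
    result = harden_process()
    if result is None:
        print("prctl() demo needs Linux")
    else:
        for key, value in result.items():
            print(key, value)
```

Run unprivileged, the drop attempts record EPERM while no_new_privs still reads back as 1, which is the point of the pair: shrinking the bounding set is a privileged operation, but once a process is marked no_new_privs nothing it later executes (setuid binaries included) can regain what was given up, and neither change can be undone for the lifetime of the process.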


Meet The Contributing Authors

Swapnil Deshmukh is an Information Security Specialist at Visa. He was previously a security consultant at Cigital, where he helped clients build secure mobile practices. His responsibilities included designing and implementing mobile threat modeling, implementing security coding practices, performing source code analysis, reverse engineering application binaries, and performing mobile penetration testing. Prior to working at Cigital, Swapnil held a position as a mobile threat analyst at MyAppSecurity, where he designed and implemented a mobile threat modeler. Swapnil holds an MS from George Mason University in Computer Networks and Telecommunication.

Sarath Geethakumar is Chief Information Security Specialist at Visa, Inc. He specializes in mobile platform and application security and is actively involved in security research around mobility. Sarath’s research activities have been instrumental in uncovering numerous security weaknesses with mobile device management solutions and platform security capabilities that were ethically disclosed to appropriate vendors. In addition to research, Sarath leads efforts around secure mobile application development and ethical hacking at Visa.

Sarath’s background also includes roles such as security specialist, security consultant, lead architect, and software developer. Before joining Visa, he served as an information security specialist and Red Team member at American Express. Sarath has also provided consulting expertise to various financial institutions and Fortune 500 companies as part of his consulting career. He has played a key role in shaping mobile security practices across various organizations and training security professionals on mobile security.

Scott Matsumoto is a Principal Consultant at Cigital with over 20 years of software security and commercial software product development experience. At Cigital, Scott is responsible for the mobile security practice within the company and has been instrumental in building Cigital’s western US business through direct consulting as well as oversight of projects, training, and software deployments. He works with many of Cigital’s clients on security architecture topics such as Mobile Application Security, Cloud Computing Security, SOA Security, fine-grained entitlements systems, and SOA Governance.

Scott’s prior experience encompasses development of component-based middleware, performance management systems, graphical UIs, language compilers, database management systems, and operating system kernels. He is a founding member of the Cloud Security Alliance (CSA) and is actively involved in its Trusted Computing Initiative.

Mike Price is currently Chief Architect at Appthority, Inc. In this role, Mike focuses full time on research and development related to mobile operating system and application security. Mike was previously Senior Operations Manager for McAfee Labs in Santiago, Chile. In this role, Mike was responsible for ensuring smooth operation of the office, working with external entities in Chile and Latin America, and generally promoting technical excellence and innovation across the team and region. Mike was a member of the Foundstone Research team for nine years. Most recently, he was responsible for content development for the McAfee Foundstone Enterprise vulnerability management product. In this role, Mike worked with and managed a global team of security researchers responsible for implementing software checks designed to remotely detect the presence of operating system and application vulnerabilities. He has extensive experience in the information security field, having worked in the area of vulnerability analysis and infosec-related R&D for nearly 13 years. Mike is a published author, contributing to Hacking Exposed: Network Security Secrets & Solutions, 7th Edition on the topic of iOS security and to Sockets, Shellcode, Porting & Coding on the topic of sockets programming and code portability. Mike is also co-founder of the 8.8 Computer Security Conference, held annually in Santiago, Chile.

John Steven is Cigital’s Internal CTO. He is a sought-after speaker with over 15 years of industry experience. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a Principal Consultant, John provided strategic direction to many multinational corporations. As Internal CTO, John directs Cigital’s security practices and his keen interest in automation keeps Cigital technology at the cutting edge.

Online Resources and Tools

Mobile security is a rapidly changing discipline, and we recognize that the printed word is often not the most adequate medium to keep current with all of the new happenings in this vibrant area of research.

Thus, we have created a website that tracks new information relevant to topics discussed in this book, along with errata and a compilation of the public-domain tools, scripts, and techniques we have covered throughout the book. That site address is

It also provides a forum to talk directly with the authors. We hope you return to the site frequently as you read through these chapters to view any updated materials, gain easy access to the tools that we mentioned, and otherwise keep up with the ever-changing face of mobile security. Otherwise, you never know what new developments may jeopardize your mobile devices before you can defend yourself against them.

A Final Word to Our Readers

We’ve poured our hearts, minds, and combined experience into this book, and we sincerely hope that all of our effort translates to tremendous time savings for those of you responsible for securing mobile infrastructure and applications. We think you’ve made a courageous and forward-thinking decision to stake your claim on the new mobile frontier—but, as you will discover in these pages, your work only begins the moment the app goes live. Don’t panic—start turning the pages and take great solace that when the next big mobile security calamity hits the front page, you won’t even bat an eye.

Meet The Authors

Neil Bergman is a senior security consultant at Cigital. He has been involved in leading and conducting penetration testing, code review, and architecture risk analysis of critical applications for industry-leading financial and software companies. Neil has conducted security assessments on a multitude of mobile platforms such as Android, iOS, and RIM in addition to conducting numerous assessments against web services, web applications, and thick clients. His primary areas of interest include mobile and web application vulnerability discovery and exploitation. Neil graduated from James Madison University with a master’s degree in Computer Science and received a bachelor’s degree in Computer Science from North Carolina State University.


Mike Stanfield joined Cigital in 2012 as a security consultant. As part of Cigital’s mobile security practice, Mike has specialized in application security assessments and penetration testing involving the iOS, Android, and Blackberry platforms, and has been involved with the development and delivery of Cigital’s mobile software security training offerings. He also has experience working with mobile payment platforms, including GlobalPlatform/Java Card applet security and development. Prior to joining Cigital, Mike was the head of Information Technology for the Division of Student Affairs at Indiana University. He also worked as a grant analyst for the Office of Research Administration at Indiana University, where he was involved with the development of the open source Kuali Coeus project. Currently residing in Manhattan, Mike studied Security Informatics at Indiana University and holds a bachelor’s in Anthropology from Indiana State University.


Jason Rouse brings over a decade of hands-on security experience after plying his craft at many of the leading companies in the world. He is currently a member of the team responsible for the security of Bloomberg LP’s products and services, exploring how to reinvent trusted computing and deliver on the promise of ubiquitous biometrics. Jason is passionate about security, splitting his time between improving Bloomberg’s security capabilities and contributing to cutting-edge security projects around the world. In his spare time, he has chaired the Financial Services Technology Consortium committee on Mobile Security and worked to elevate mobile security through his professional contributions. Prior to his work at Bloomberg, Jason was a principal consultant at Cigital, Inc., an enterprise software security consulting firm. He performed many activities at Cigital, including creating the mobile and wireless security practice, performing architecture assessments, and being a trusted advisor to some of the world’s largest development organizations. Prior to Cigital, Jason worked with Carnegie Mellon’s CyLab Security Research Lab, creating next-generation mobile authentication and authorization frameworks and expanding the state of the art in computer security. Currently residing in Manhattan, Jason holds both a BCS and MCS from Dalhousie University, Canada.


Joel Scambray is a Managing Principal at Cigital, a leading software security firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 address information security challenges and opportunities for over 15 years.
Joel’s background includes roles as an executive, technical consultant, and entrepreneur. He co-founded and led information security consulting firm Consciere before it was acquired by Cigital in June 2011. He has been a Senior Director at Microsoft Corporation, where he provided security leadership in Microsoft’s online services and Windows divisions. Joel also co-founded security software and services startup Foundstone, Inc., and helped lead it to acquisition by McAfee in 2004. He previously held positions as a manager for Ernst & Young, security columnist for Microsoft TechNet, editor at large for InfoWorld Magazine, and director of IT for a major commercial real estate firm.
Joel is a widely recognized writer and speaker on information security. He has co-authored and contributed to over a dozen books on IT and software security, many of them international bestsellers. He has spoken at forums including Black Hat, as well as for organizations including IANS, CERT, CSI, ISSA, ISACA, SANS, private corporations, and government agencies including the FBI and the RCMP.
Joel holds a BS from the University of California at Davis, an MA from UCLA, and he is a Certified Information Systems Security Professional (CISSP).
