The Mobile Application Hacker's Handbook - Dominic Chell - E-Book

Dominic Chell

Description

See your app through a hacker's eyes to find the real sources of vulnerability.

The Mobile Application Hacker's Handbook is a comprehensive guide to securing all mobile applications by approaching the issue from a hacker's point of view. Heavily practical, this book provides expert guidance toward discovering and exploiting flaws in mobile applications on the iOS, Android, BlackBerry, and Windows Phone platforms. You will learn a proven methodology for approaching mobile application assessments, and the techniques used to prevent, disrupt, and remediate the various types of attacks. Coverage includes data storage, cryptography, transport layers, data leakage, injection attacks, runtime manipulation, security controls, and cross-platform apps, with vulnerabilities highlighted and detailed information on the methods hackers use to get around standard security.

Mobile applications are widely used in the consumer and enterprise markets to process and/or store sensitive data. There is currently little published on the topic of mobile security, but with over a million apps in the Apple App Store alone, the attack surface is significant. This book helps you secure mobile apps by demonstrating the ways in which hackers exploit weak points and flaws to gain access to data.

* Understand the ways data can be stored, and how cryptography is defeated
* Set up an environment for identifying insecurities and the data leakages that arise
* Develop extensions to bypass security controls and perform injection attacks
* Learn the different attacks that apply specifically to cross-platform apps

IT security breaches have made big headlines, with millions of consumers vulnerable as major corporations come under attack. Learning the tricks of the hacker's trade allows security professionals to lock the app up tight. For better mobile security and less vulnerable data, The Mobile Application Hacker's Handbook is a practical, comprehensive guide.


Page count: 1127

Year of publication: 2015




Contents

Introduction

Overview of This Book

How This Book Is Organized

Who Should Read This Book

Tools You Will Need

What's on the Website

Chapter 1 Mobile Application (In)security

The Evolution of Mobile Applications

Mobile Application Security

Summary

Chapter 2 Analyzing iOS Applications

Understanding the Security Model

Understanding iOS Applications

Jailbreaking Explained

Understanding the Data Protection API

Understanding the iOS Keychain

Understanding Touch ID

Reverse Engineering iOS Binaries

Summary

Chapter 3 Attacking iOS Applications

Introduction to Transport Security

Identifying Insecure Storage

Patching iOS Applications with Hopper

Attacking the iOS Runtime

Understanding Interprocess Communication

Attacking Using Injection

Summary

Chapter 4 Identifying iOS Implementation Insecurities

Disclosing Personally Identifiable Information

Identifying Data Leaks

Memory Corruption in iOS Applications

Summary

Chapter 5 Writing Secure iOS Applications

Protecting Data in Your Application

Avoiding Injection Vulnerabilities

Securing Your Application with Binary Protections

Summary

Chapter 6 Analyzing Android Applications

Creating Your First Android Environment

Understanding Android Applications

Understanding the Security Model

Reverse-Engineering Applications

Summary

Chapter 7 Attacking Android Applications

Exposing Security Model Quirks

Attacking Application Components

Accessing Storage and Logging

Misusing Insecure Communications

Exploiting Other Vectors

Additional Testing Techniques

Summary

Chapter 8 Identifying and Exploiting Android Implementation Issues

Reviewing Pre-Installed Applications

Exploiting Devices

Infiltrating User Data

Summary

Chapter 9 Writing Secure Android Applications

Principle of Least Exposure

Essential Security Mechanisms

Advanced Security Mechanisms

Slowing Down a Reverse Engineer

Summary

Chapter 10 Analyzing Windows Phone Applications

Understanding the Security Model

Understanding Windows Phone 8.x Applications

Building a Test Environment

Analyzing Application Binaries

Summary

Chapter 11 Attacking Windows Phone Applications

Analyzing for Data Entry Points

Attacking Transport Security

Attacking WebBrowser and WebView Controls

Identifying Interprocess Communication Vulnerabilities

Attacking XML Parsing

Attacking Databases

Attacking File Handling

Patching .NET Assemblies

Summary

Chapter 12 Identifying Windows Phone Implementation Issues

Identifying Insecure Application Settings Storage

Identifying Data Leaks

Identifying Insecure Data Storage

Insecure Random Number Generation

Insecure Cryptography and Password Use

Identifying Native Code Vulnerabilities

Summary

Chapter 13 Writing Secure Windows Phone Applications

General Security Design Considerations

Storing and Encrypting Data Securely

Secure Random Number Generation

Securing Data in Memory and Wiping Memory

Avoiding SQLite Injection

Implementing Secure Communications

Avoiding Cross-Site Scripting in WebViews and WebBrowser Components

Secure XML Parsing

Clearing Web Cache and Web Cookies

Avoiding Native Code Bugs

Using Exploit Mitigation Features

Summary

Chapter 14 Analyzing BlackBerry Applications

Understanding BlackBerry Legacy

Understanding BlackBerry 10

Understanding the BlackBerry 10 Security Model

BlackBerry 10 Jailbreaking

Using Developer Mode

The BlackBerry 10 Device Simulator

Accessing App Data from a Device

Accessing BAR Files

Looking at Applications

Summary

Chapter 15 Attacking BlackBerry Applications

Traversing Trust Boundaries

Summary

Chapter 16 Identifying BlackBerry Application Issues

Limiting Excessive Permissions

Resolving Data Storage Issues

Checking Data Transmission

Handling Personally Identifiable Information and Privacy

Ensuring Secure Development

Summary

Chapter 17 Writing Secure BlackBerry Applications

Securing BlackBerry OS 7.x and Earlier Legacy Java Applications

Securing BlackBerry 10 Native Applications

Securing BlackBerry 10 Cascades Applications

Securing BlackBerry 10 HTML5 and JavaScript (WebWorks) Applications

Securing Android Applications on BlackBerry 10

Summary

Chapter 18 Cross-Platform Mobile Applications

Introduction to Cross-Platform Mobile Applications

Bridging Native Functionality

Exploring PhoneGap and Apache Cordova

Summary

Title page

Copyright

Dedication

About the Authors

About the Technical Editor

Credits

Acknowledgments

EULA

List of Tables

Chapter 2

Table 2.1

Table 2.2

Table 2.3

Table 2.4

Table 2.5

Table 2.6

Table 2.7

Chapter 6

Table 6.1

Table 6.2

Table 6.3

Table 6.4

Table 6.5

Chapter 7

Table 7.1

Table 7.2

Chapter 9

Table 9.1

List of Illustrations

Chapter 1

Figure 1.1

The incidence of some common mobile application vulnerabilities recently tested by the authors

Figure 1.2

OWASP Top 10 Mobile Risks

Chapter 2

Figure 2.1

The secure boot chain

Figure 2.2

The user sees this privacy prompt when an application tries to access the address book.

Figure 2.3

Users can access Privacy settings if they want to grant access to a resource.

Figure 2.4

The data protection key hierarchy

Figure 2.5

The Mach-O file format

Chapter 3

Figure 3.1

Configuring Burp Suite to listen on all interfaces

Figure 3.2

Configuring your device to use a proxy

Figure 3.3

Capturing cipher suites using Wireshark

Figure 3.4

Installing the Burp certificate on your device

Figure 3.5

Install profile view

Figure 3.6

Snoop-it filesystem monitoring

Figure 3.7

Jailbreak check in sample application

Figure 3.8

Hopper disassembler

Figure 3.9

Locating strings in Hopper

Figure 3.10

Finding references to strings in Hopper

Figure 3.11

Disassembly of the viewDidLoad delegate

Figure 3.12

Pseudo-code view in Hopper

Figure 3.13

Pseudo-code view of clickedButtonAtIndex in Hopper

Figure 3.14

Pseudo-code view of sub_b1fc function in Hopper

Figure 3.15

Modifying an instruction in Hopper

Figure 3.16

Running the example application after bypassing the jailbreak detection

Figure 3.17

A breakdown of an Objective-C interface

Figure 3.18

A breakdown of Swift class

Figure 3.19

Bypassing the Password Manager lock screen

Figure 3.20

Pivoting to internal networks in Kaseya BYOD

Figure 3.21

View of the Snoop-it application

Figure 3.22

The Snoop-it Objective-C classes view

Figure 3.23

Registering a URL scheme in Xcode

Figure 3.24

An app extension can indirectly communicate and share resources with the containing app.

Chapter 4

Figure 4.1

Accessing application snapshots with iExplorer

Figure 4.2

A snapshot can capture a registration page.

Chapter 6

Figure 6.1

From this Android SDK Manager interface you can install SDK platforms and tools.

Figure 6.2

You can customize your emulator configuration. Here is just one example.

Figure 6.3

The main activity of the drozer agent displaying the embedded server toggle.

Figure 6.4

The main activity of the clock application

Figure 6.5

A list of running services on a device and the applications they belong to

Figure 6.6

A simple manifest file showing the general structure

Figure 6.7

The runtime selection activity available on Android 4.4

Figure 6.8

The simplified structure of a zip file containing a single file entry.

Figure 6.9

The required permissions displayed when looking at the permission details on the Twitter application.

Figure 6.10

The prompt displayed by SuperSU to allow an application access to root context.

Figure 6.11

The options available on Cydia Impactor to make use of code-signing bugs to obtain system and root.

Figure 6.12

Graph view showing the disassembly of a DEX file in IDA.

Figure 6.13

Viewing decompiled application code in JD-GUI

Figure 6.14

Viewing decompiled application code in JEB

Figure 6.15

Viewing decompiled application code in Jadx-gui

Chapter 7

Figure 7.1

A high-level overview of various testing perspectives of an Android application

Figure 7.2

The vulnerable Sieve password manager application

Figure 7.3

Exported activity that leads to the disclosure of all accounts within Sieve

Figure 7.4

Device lock screen requiring a password and then this being removed after the exploit is run

Figure 7.5

An illustration of how a toast could be used to perform unintended actions on underlying activities

Figure 7.6

The recent applications being shown on a device

Figure 7.7

Fragment loaded inside the Settings activity that allows the PIN to be changed without providing the existing one

Figure 7.8

Sieve allows the Settings activity to be opened without logging in

Figure 7.9

Finding SQL injection using drozer’s WebContentResolver web interface

Figure 7.10

Call initiated from exploiting a broadcast receiver in com.android.phone

Figure 7.11

Activity started by entering *#*#4636#*#* in the dialer

Figure 7.12

SuperSU prompt requesting permission to run droidwall.sh as root

Figure 7.13

An error in Wireshark when you try to open the generated capture file

Figure 7.14

Loading libencrypt.so into IDA

Figure 7.15

The application backup activity

Figure 7.16

Root Checker displaying that the device is rooted

Figure 7.17

Root Checker now displaying that the device is not rooted

Figure 7.18

The main activity of Cydia Substrate running on an Android device

Figure 7.19

Burp is able to proxy Twitter API traffic after loading Android SSL TrustKiller

Figure 7.20

The configuration available in Introspy

Chapter 8

Figure 8.1

The prompt shown to the user when a device with USB debugging is connected to his computer

Figure 8.2

A screenshot of a Sony Xperia Z2 before and after having the password lock screen removed

Figure 8.3

Showing the Forgot pattern? button and the resulting screen by pressing it

Figure 8.4

The Android Device Manager Lock functionality and the resulting screen of the locked device

Figure 8.5

A Samsung Galaxy S3 device visiting the exploit page and receiving the exploit files

Figure 8.6

Setting up the drozer MitM helper extension for JavaScript injection

Figure 8.7

Burp extension showing that an injection has taken place

Figure 8.8

Setting up the drozer MitM helper extension to replace APKs and then invoke them

Figure 8.9

The prompt shown to the user after a valid response is obtained from the server

Figure 8.10

The configuration of the Custom URI Handler Injection section of the drozer Burp plug-in

Figure 8.11

The drozer exploit page attempting to perform social engineering to get the user to click the reload button

Figure 8.12

A screen recording of capturing the user's lock screen pattern

Chapter 10

Figure 10.1

Windows Phone 8.x chamber architecture

Figure 10.2

Stack frame with cookies

Figure 10.3

SEH chain

Figure 10.4

Unzipped non-Store XAP package

Figure 10.5

Splash screen for a Samsung Windows Phone 8 device

Figure 10.6

Creating a new WP8 project

Figure 10.7

Application Deployment tool

Figure 10.8

Developer Registration tool

Figure 10.9

Sideloading the Interop Unlock helper app

Figure 10.10

Setting the MaxUnsignedApp registry key

Figure 10.11

Setting the PortalUrlProd registry key

Figure 10.12

Applying the Full Filesystem access hack using SamWP8 tools

Figure 10.13

Browsing the filesystem

Figure 10.14

Home Screen with Spavlin’s MBN Applied

Figure 10.15

Configuration of checkboxes and radio buttons

Figure 10.16

Browsing an app’s Install directory in Explorer

Figure 10.17

Opening a .NET assembly from a device’s filesystem

Chapter 11

Figure 11.1

Viewing XAML files in .NET reflector

Figure 11.2

The proxy settings disabled

Figure 11.3

Proxy settings configured

Figure 11.4

Burp Suite captures web traffic from a Windows Phone device

Figure 11.5

Exporting Burp Suite CA Certificate

Figure 11.6

Installing the certificate onto the device

Figure 11.7

.NET reflector showing XAML pages in a Windows Phone 8 application

Figure 11.8

.NET reflector showing an XAML page’s OnNavigatedTo() implementation

Figure 11.9

The Native Toast Notification Launcher sending a toast message

Figure 11.10

The XAML screen launched after you tap the toast notification

Figure 11.11

Names parsed out from the XML document

Figure 11.12

Out-of-memory exception reported by Visual Studio due to a “billion laughs” attack

Figure 11.13

Result of external entity resolution of the “secret file” in a message box

Figure 11.14

SQLite syntax error

Figure 11.15

EncryptAndSaveData() in .NET reflector

Figure 11.16

Reversed CIL code in .NET reflector and Reflexil

Figure 11.17

Deleting an instruction in Reflexil

Figure 11.18

Modified CIL code after deleting instructions

Figure 11.19

New disassembly for SaveAndEncryptData() after patching the method

Figure 11.20

Editing an existing instruction in Reflexil

Figure 11.21

Patching a method in C#

Chapter 12

Figure 12.1

Accessing an __ApplicationSettings file on a device’s filesystem

Figure 12.2

Browsing an app’s INetCookies directory on a device

Figure 12.3

Original image of the Linux mascot, Tux the Penguin

Figure 12.4

Recovered image of Tux the Penguin

Chapter 14

Figure 14.1

The Developer Mode menu

Figure 14.2

Elcomsoft cracking the BlackBerry backup encryption

Figure 14.3

Sachesi helps you access BAR files

Figure 14.4

Splitting the firmware image using Sachesi

Figure 14.5

Extracting the application using Sachesi

Figure 14.6

The extracted application

Figure 14.7

Rename the original BAR file

Figure 14.8

Result of extracting the BAR file

Figure 14.9

Example MANIFEST.MF file

Figure 14.10

BAR root directory

Figure 14.11

Contents of the native directory

Figure 14.12

The bar-descriptor.xml file

Figure 14.13

The Assets subdirectory

Figure 14.14

Example QML file

Figure 14.15

The MANIFEST.MF file for a WebWorks application

Figure 14.16

The entry point for a WebWorks application

Figure 14.17

The BAR's native subdirectory

Figure 14.18

The jnext directory

Chapter 15

Figure 15.1

Container separation in BlackBerry Balance

Figure 15.2

An example file browser application

Chapter 16

Figure 16.1

Disassembly of vulnerable function in IDA Pro

Introduction

Mobile computing has changed the game. Your personal data is no longer just stored on your desktop in the sanctuary of your office or home. You now carry personally identifiable information, financial data, personal and corporate email, and much more in your pocket, wherever you go. The smartphone is quickly becoming ubiquitous, and with at least 40 applications installed on the average smartphone the attack surface is significant.

Smartphones have become commonplace not only in the consumer markets but also now in the enterprise. Enterprise mobile applications extend the corporate environment beyond the workplace, introducing new security concerns and exposing organizations to new types of threats. Enterprises embracing “Bring Your Own Device” (BYOD) strategies should be particularly mindful of the array of applications that the smartphone may have installed and run within the corporate network.

This book is a practical guide to reviewing the security of mobile applications on the most widely adopted mobile operating systems: Apple iOS, Google Android, BlackBerry, and Windows Mobile. It focuses solely on the client-side, examining mobile applications in the context of these devices as opposed to server-side applications, where security is much more mature and better understood.

Overview of This Book

The focus of this book is highly practical. Although we provide some background theory for you to understand the fundamentals of mobile application vulnerabilities, our primary concern is documenting the techniques you need to master to attack and exploit them. Where applicable, we include real-world examples derived from our many years of experience and from publically documented vulnerabilities.

In addition to describing mobile application security vulnerabilities and attack techniques, we describe in detail the defense-in-depth strategies and countermeasures that application developers can use to effectively defend their applications. This information enables penetration testers, security consultants, and developers alike to provide high-quality remediation advice to application owners.

In short, this book is intended to act as an all-encompassing single point of reference for mobile application security, bringing together the publicly available knowledge on the attack and defense of mobile applications and combining it with the blended experience of the authors.

How This Book Is Organized

This book is roughly split into the topics covered for each of the mobile device platforms; you can think of it as four books in one. For each of the mobile platforms, we provide a pragmatic approach to performing a mobile application security assessment: first detailing the necessary background information on how to analyze the application itself, then providing detailed information on how to attack the application and the categories of vulnerability that affect the relevant platform, and finally providing remedial action that can be implemented to develop secure mobile applications. If you are new to mobile application security, we recommend that you read the book from start to finish, acquiring the knowledge and understanding needed to tackle later chapters. This applies both to the chapters for a single mobile platform and to the book as a whole. If you're only interested in one specific platform or only a specific area of a platform, you can jump straight into the subsection that interests you. Where applicable, we have included cross-references to other chapters, which can be used to fill any gaps in your understanding.

Chapter 1, “Mobile Application (In)security,” describes the current state of security in mobile applications today. In an area that has seen explosive and rapid growth over the past few years, security has frequently been overlooked or misunderstood in fast-evolving software lifecycles. As a consequence, mobile application vulnerabilities are rife and commonplace in the application ecosystem. This chapter examines the key attack surfaces for mobile applications, how mobile security has evolved, and what standards and frameworks exist that can be used to categorize mobile application vulnerabilities. It then provides an overview of some mobile security resources that may prove useful in developing your assessment skills. Finally, it provides an insight into how mobile application security is, in our opinion, likely to evolve in the future.

Chapter 2, “Analyzing iOS Applications,” is the first chapter to focus on iOS application assessment. It starts off by describing some foundational knowledge on the security features of the iOS platform and briefly touches on how they have been circumvented in the past through jailbreaking. Although jailbreaking weakens the security controls of the device, it provides the opportunity to gain interactive access to the operating system, which is essential to thoroughly assess the security of an iOS application. This chapter describes how to access the device and the file system, as well as important concepts such as the Data Protection API and Keychain. This chapter also describes a range of further interesting topics, including App Store encryption, reverse engineering of iOS binaries, and generic exploit mitigation features.

Chapter 3, “Attacking iOS Applications,” describes in detail the offensive techniques that can be used to attack iOS applications. It provides a brief introduction to Objective-C and Swift, the languages in which iOS applications are developed, and then outlines how the Swift and Objective-C runtimes can be manipulated to access and control the internals of an application. We then go on to describe the various types of client-side injection attacks that iOS applications can be susceptible to, including SQL injection, XML injection, and XML External Entity injection. The chapter also dives into how data can be transmitted between applications on the same device through interprocess communication, and how insecurities can arise that leave an application at risk of attack.

Chapter 4, “Identifying iOS Implementation Issues,” contains information related to how implementation issues specific to the iOS platform can leave applications at risk. This chapter describes how iOS applications can be audited for vulnerabilities arising from improper use of the device's address book, geolocation frameworks, and logging system. We also examine iOS-specific peculiarities that can leave residual data on a device and may expose sensitive content, including caching of snapshots, web view data, and pasteboards. Finally, the chapter concludes with an overview of the memory corruption issues that affect iOS applications and how, and to what extent, these can be exploited.

Chapter 5, “Writing Secure iOS Applications,” transitions from the attacker's perspective to that of the defender. In this chapter, we examine the techniques that developers can use in their applications to protect against manipulation. This chapter also serves as a reference point for professional security assessors who need to offer remedial advice following application assessments. We describe how to securely implement encryption, erase data from both memory and the file system, and embed binary protections such as tamper proofing, jailbreak detection, and runtime validation.

Chapter 6, “Analyzing Android Applications,” is the first chapter in a series on the Google Android platform. It starts by providing the necessary background on the security features of the platform, including code signing, sandboxing, and a detailed description of the permission model. With the basics covered, we go on to examine how Android devices can be rooted to provide interactive super user access to the device. We also examine how Android applications are packaged and loaded onto devices, and some of the tools that can be used to build a test environment. The chapter concludes by describing the different ways packages are compiled and how security assessments can be conducted by decompiling and examining the application packages.

Chapter 7, “Attacking Android Applications,” provides a detailed description of the common areas of vulnerability in Android applications, along with the techniques to attack and exploit them. This chapter delves into many Android-specific attack categories, including exploitation of insecure services, content providers, broadcasts, intents, and activities. The chapter also examines how the Android runtime can be manipulated, exploring the various frameworks that can be used to implement function hooking in the Java Virtual Machine with sample use cases and practical examples. We also address perhaps the two most important areas in mobile security: file system storage and network communications. We explore how file and folder permissions can be exploited to leak sensitive information, how poor cryptographic practices can undermine secure storage, and how poorly implemented network access can be exploited from public or insecure networks. Finally, this chapter concludes with an insight into JavaScript interfaces, an area that came under close scrutiny in 2014 and one that has exposed a significant number of Android devices to remote compromise.

Chapter 8, “Identifying Android Implementation Issues,” teaches you how to become an Android hacker. It provides practical advice on how to identify vulnerabilities in OEM device applications, how to find and exploit powerful packages, and how to leverage privilege escalations to compromise other applications or, in some circumstances, the device itself. We also examine how to exploit applications from the network, through insecurities in URI handlers, JavaScript bridges, handling of SSL certificates, and custom update mechanisms. This chapter also explores how to use drozer, the Android attack tool, to gain access to a device, including chaining of remote and local exploits and the post-exploitation activities that can be performed.

Chapter 9, “Writing Secure Android Applications,” concludes the series of Android chapters and, similarly to its iOS counterpart, provides a basis on which defensive advice can be offered. We provide security professionals and developers with detailed instructions on how to correctly implement encryption, perform root detection, and protect intellectual property by obfuscating code. At the end of the chapter, an application checklist is provided that can be used as a reference point when auditing an Android application.

Chapter 10, “Analyzing Windows Phone Applications,” details the essential “need to know” knowledge for the Windows Phone (WP8) platform and application ecosystem. In this chapter, we examine the fundamental security protections that are employed by the platform, including exploit mitigation features and application capabilities. We then explain the inner workings of WP8 applications and how to develop, build, compile, and run them, along with the essential toolkit needed to set up a test environment. We conclude with an analysis of the Windows Data Protection API (DPAPI) and how misconfigurations in the protection flags can leave application content at risk.

Chapter 11, “Attacking Windows Phone Applications,” provides an in-depth analysis of the common insecurities that occur in WP8 applications. It covers perhaps the most important and relevant topics that you will need to learn in order to hack a Windows Phone application. This chapter examines and explains transport security in WP8 applications, how to intercept network communications, and how to bypass protection mechanisms such as certificate pinning. We also delve into reverse engineering of WP8 applications, including both native and managed code components, and how the information gained from this allows you to manipulate application behavior by patching application code. An important skill for professional security assessors reviewing mobile applications is the ability to identify the key data entry points in an application. This chapter explains how to analyze WP8 applications to identify data entry points, and how tainted data entering an application can lead to serious security vulnerabilities. Having identified the various entry points that can exist, we explore and examine the various injection attacks that can be exploited, including SQL injection, injection into web browser controls, XML-based injection, and injection into file handling routines.

Chapter 12, “Identifying Windows Phone Implementation Issues,” deals with the common issues that arise through insecurely implemented WP8 applications. In particular, we focus on insecurities that arise through handling of log data, lack of protections on the clipboard, caching in keyboard and web browser controls, and geo-location leakages. This chapter provides security professionals and developers with the required knowledge to audit WP8 applications not only for the misuse of the platform APIs but also for memory corruption issues. We examine the various types of memory corruption that can occur in WP8 applications, including the implications of traditional corruption bugs, read access violations, information leaks, and issues that arise in managed C# code.

Chapter 13, “Writing Secure Windows Phone Applications,” like its counterparts on iOS and Android, details the information necessary to develop secure WP8 applications. It covers the fundamental practices that application developers should be including in WP8 applications. If you're only looking for remediation and hardening advice, feel free to jump straight into this chapter. This chapter also examines how to securely implement encryption, securely erase data from both memory and the file system, and how to implement binary protections. We provide in-depth analysis on anti-tamper implementations, available compiler protections, and WP8 application obfuscation, none of which are widely documented in the public domain.

Chapter 14, “Analyzing BlackBerry Applications,” is the backbone of the BlackBerry section, and provides the foundational knowledge needed to understand the different types of BlackBerry applications that exist and how they are developed and distributed. We also examine the BlackBerry platform itself, providing an in-depth evaluation of the core platform security features, including sandboxing, data-at-rest encryption, and process-level sandboxing. This chapter also details how to build a test environment using the simulator and developer mode, with some analysis of the Dingleberry jailbreak exploit. We explain how to access the device, where content can be found, and the various files and file types that you will encounter when exploring your BlackBerry. We then conclude by discussing the Security Builder API, how and when transport insecurities occur, how certificate pinning works, and some of the strategies that can be used to bypass it.

Chapter 15, “Attacking BlackBerry Applications,” provides some much needed insight into the world of BlackBerry application security. In this chapter we discuss how the application runtime functions, including important subjects such as the System API and the various programming frameworks that BlackBerry applications take advantage of. We then examine the Inter-Process Communication (IPC) mechanisms that exist, how BlackBerry 10 applications differ from previous implementations, and detail how insecurely implemented IPC can be exploited by other applications on the device.

Chapter 16, “Identifying BlackBerry Application Implementation Issues,” discusses the common issues that arise in BlackBerry applications due to misuse of BlackBerry APIs. This chapter may be of particular interest to developers, and investigates the various types of information leakages that an application can be susceptible to, with a particular focus on Personally Identifiable Information. Topics that are also explored are system logging and a brief review of memory corruption vulnerabilities that affect BB10 applications.

Chapter 17, “Writing Secure BlackBerry Applications,” is of particular relevance to application developers. This chapter pulls together some of the techniques that can be used to improve the security of BlackBerry applications. We discuss strategies for performing secure deletion of data, both in memory and from the filesystem, and how to securely implement encryption. Where applicable, we provide practical examples using both built-in APIs and custom developed functions.

Chapter 18, “Cross Platform Applications,” examines a growing trend in mobile development: cross-platform mobile applications. We explore the various implementations that currently exist, and provide a breakdown of the functionality that they offer. We then detail the various vulnerability categories that affect cross-platform applications, with practical examples on how to exploit these to perform malicious actions in Apache Cordova.

Who Should Read This Book

This book's primary audience is anyone who has a personal or professional interest in attacking mobile applications. It also caters to anyone responsible for the development of mobile applications. This book not only provides a detailed analysis of how to attack and secure iOS, Android, BlackBerry, and Windows Phone applications, but also serves as a reference point for generic mobile application security regardless of operating platform.

In the course of illustrating many categories of security flaws, we provide code extracts showing how applications can be vulnerable. These examples are simple enough that you can understand them without any prior knowledge of the language in question. But they are most useful if you have some basic experience with reading or writing code.

Tools You Will Need

This book is strongly geared toward hands-on practical techniques that you can use to attack mobile applications. After reading this book you will understand the different types of vulnerabilities that affect mobile applications and have the practical knowledge to attack and exploit them. The emphasis of the book is on practical and human-driven exploitation as opposed to running automated tools on the target application.

That said, you will find several tools useful, and sometimes indispensable, when performing the tasks and techniques we describe. All of these are available on the Internet. We recommend that you download and experiment with each tool as you read about it.

While in most cases it is possible to follow the practical examples in a simulated or emulated environment, there is no substitute for running an application on a physical device. Therefore, we would recommend that, where possible, the examples be followed on a real device.

What's on the Website

The companion website for this book at www.mobileapphacker.com, which you can also link to from www.wiley.com/go/mobileapplicationhackers, contains several resources that you will find useful in the course of mastering the techniques we describe and using them to attack actual applications. In particular, the website contains access to the following:

Source code for some of the scripts we present in the book

A list of current links to all the tools and other resources discussed in the book

A handy checklist of the tasks involved in attacking a typical application

Answers to the questions posed at the end of each chapter

CHAPTER 1 Mobile Application (In)security

There is little doubt that mobile computing has changed the world; in particular, the way you work, interact, and socialize will never be the same again. It has brought infinite possibilities to your fingertips, available all the time. The ability to do your online banking, check your e-mail, play the stock market and much, much more are just a swipe away. Indeed, application development is now so popular that Apple’s trademark, “There’s an app for that” is bordering on reality.

This chapter takes a look at how mobile applications have evolved and the benefits that they provide. It presents some metrics about the fundamental vulnerabilities that affect mobile applications, drawn directly from our experience, demonstrating that the vast majority of mobile applications are far from secure. We then examine a means to categorize these vulnerabilities based on the Open Web Application Security Project (OWASP) Top 10 mobile security risks. We also provide a high-level overview of some of the open source mobile security tools endorsed by OWASP, how you can use them to identify some of the issues detailed in the project, and where to find them. Finally, we describe the latest trends in mobile application security and how we expect this area to develop in the future.

The Evolution of Mobile Applications

The first mobile phone applications were developed by handset manufacturers; documentation was sparse, and little information existed in the public domain on the operating internals. This can perhaps be attributed to a fear from the vendors that opening the platforms to third-party development might have exposed trade secrets in what was not yet a fully developed technology. The early applications were similar to many of the manufacturer-based apps found on today’s phones, such as contacts and calendars, and simple games such as Nokia’s popular Snake.

When smartphones emerged as the successor to personal digital assistants (PDAs), application development really began to take off. The growth of mobile applications can perhaps be directly attributed to the increased processing power and capabilities of the smartphone combined with the growing demand for functionality driven by the consumer market. As smartphones have evolved, mobile applications have been able to take advantage of the enhancements of the platforms. Improvements in the global positioning system (GPS), camera, battery life, displays, and processor have all contributed to the feature-rich applications that we know today.

Third-party application development came to fruition in 2008 when Apple announced the first third-party application distribution service, the App Store. This followed on from the company’s first smartphone, the iPhone, which had been released the previous year. Google closely followed with the Android Market, otherwise known today as Google Play. Today, a number of additional distribution markets exist, including the Windows Phone Store, the Amazon Appstore, and the BlackBerry World to name but a few.

The increased competition for third-party application development has left the developer markets somewhat fragmented. The majority of mobile applications are platform specific, and software vendors are forced to work with different operating systems, programming languages, and tools to provide multi-platform coverage. That is, iOS applications traditionally have been developed using Objective-C; Android and BlackBerry applications using Java (up until BlackBerry 10, which also uses Qt); and Windows Phone applications using the .NET Framework. This fragmentation can often leave organizations requiring multiple development teams and maintaining multiple codebases.

However, a recent increase has occurred in the development of cross-platform mobile applications as organizations look to reduce development costs and overheads. Cross-platform frameworks and development of HTML5 browser-based applications have grown in popularity for these exact reasons and, in our opinion, will continue to be increasingly adopted.

Common Mobile Application Functions

Mobile applications have been created for practically every purpose imaginable. In the combined Apple and Google distribution stores alone, there are believed to be more than 2 million applications covering a wide range of functions, including some of the following:

Online banking (Barclays)

Shopping (Amazon)

Social networking (Facebook)

Streaming (Sky Go)

Gambling (Betfair)

Instant Messaging (WhatsApp)

Voice chat (Skype)

E-mail (Gmail)

File sharing (Dropbox)

Games (Angry Birds)

Mobile applications often overlap with the functionality provided by web applications, in many cases using the same core server-side APIs and displaying a smartphone-compatible interface at the presentation layer.

In addition to the applications that are available in the various distribution markets, mobile applications have been widely adopted in the business world to support key business functions. Many of these applications provide access to highly sensitive corporate data, including some of the following, which have been encountered by the authors during consultancy engagements:

Document storage applications allowing users to access sensitive business documents on demand

Travel and expenses applications allowing users to create, store, and upload expenses to internal systems

HR applications allowing users to access the payroll, time slips, holiday information, and other sensitive functionality

Internal service applications such as mobile applications that have been optimized to provide an internal resource such as the corporate intranet

Internal instant messaging applications allowing users to chat in real time with other users regardless of location

In all of these examples, the applications are considered to be “internal” applications and are typically developed in-house or specifically for an organization. Therefore, many of these applications require virtual private network (VPN) or internal network access to function so that they interact with core internal infrastructure. A growing trend in enterprise applications is the introduction of “geo fencing” whereby an application uses the device’s GPS to ascertain whether a user is in a certain location, for example, the organization’s office, and then tailors or restricts functionality based on the result.

Benefits of Mobile Applications

It is not difficult to see why mobile applications have seen such an explosive rise in prominence in such a short space of time. The commercial incentives and benefits of mobile applications are obvious. They offer organizations the opportunity to reach out to end users almost all the time and to much wider audiences due to the popularity of smartphones. However, several technical factors have also contributed to their success:

The foundations of mobile applications are built on existing and popular protocols. In particular, the use of HTTP is widely adopted in mobile deployments and is well understood by developers.

The technical advancements of smartphones have allowed mobile applications to offer more advanced features and a better user experience. Improvements in screen resolution and touch screen displays have been a major factor in improving the interactive user experience, particularly in gaming applications. Enhancements in battery life and processing power allow the modern smartphone to run not just one but many applications at once and for longer. This is of great convenience to end users as they have a single device that can perform many functions.

Improvements in cellular network technologies have resulted in significant speed increases. In particular, widespread 3G and 4G coverage has allowed users to have high-speed Internet access from their smartphones. Mobile applications have taken full advantage of this to provide access to an array of online services.

The simplicity of the core technologies and languages used in mobile development has helped with the mobile revolution. Applications can be developed using popular and mature languages such as Java, which are well understood and have a large user base.

Mobile Application Security

Mobile applications are affected by a range of security vulnerabilities, many of which are inherited from traditional attacks against web and desktop applications. However, several other classes of attack are specific to the mobile area and arise due to the way in which mobile applications are used and the relatively unique entry points and the attack surfaces that these apps create. Consider the possible attack surfaces for a mobile application that developers should be aware of and look to defend against:

Most mobile applications perform some kind of network communication, and due to the nature in which mobile devices are used, this communication may often occur over an untrusted or insecure network such as hotel or café Wi-Fi, mobile hotspot, or cellular. Unless data is adequately secured in transit, it may expose an application to a number of possible risks, including disclosure of sensitive data and injection attacks.

Mobile devices are carried with you wherever you go, creating many opportunities for them to be lost or stolen. Mobile application developers must recognize the risks from data recovery attempts against a device’s filesystem. Any residual content that an application leaves on the filesystem, whether it’s through persistent storage or temporary caching, can potentially expose sensitive data to an attacker.

A scenario that is fairly unique to mobile applications is awareness of threats originating from the host device. Malware is rife within the mobile space, particularly in the unofficial distribution markets, and developers must be conscious of attacks from other applications.

Mobile applications can derive input from a large number of possible sources, which creates a significant number of possible entry points. For example, seeing applications accept data from one or many of the following is not uncommon: near field communication (NFC), Bluetooth, camera, microphone, short message service (SMS), and universal serial bus (USB) or quick response (QR) codes to name but a few.

The most serious attacks against mobile applications are those that expose sensitive data or facilitate a compromise of the host device. These vulnerabilities are more often than not limited to the mobile end user’s data and device as opposed to all users of the service. Although server-side vulnerabilities pose the greatest risk to mobile application deployments as a whole because they can expose unrestricted access to back end systems, these issues are well documented and understood. Server-side vulnerabilities in mobile applications are not covered in the context of this book; however, we highly recommend The Web Application Hacker’s Handbook (http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html) if you would like to know more about this attack category.

Mobile application security is still somewhat misunderstood and has not fully matured as an area of focus; indeed, the majority of mobile applications are still considered insecure. We have tested hundreds of mobile applications in recent years and one or more serious security issues affected the majority of them. Figure 1.1 shows what percentage of these mobile applications tested since 2012 were found to be affected by some common categories of client-side vulnerability:

Insecure data storage (63%)—This category of vulnerability incorporates the various defects that lead to an application storing data on the mobile device in cleartext, in an obfuscated format, encrypted with a hard-coded key, or by any other means that can be trivially reversed by an attacker.

Insecure transmission of data (57%)—This involves any instance whereby an application does not use transport layer encryption to protect data in transit. It also includes cases where transport layer encryption is used but has been implemented in an insecure manner.

Lack of binary protections (92%)—This flaw means that an application does not employ any form of protection mechanism to complicate reverse engineering, malicious tampering, or debugging.

Client-side injection (40%)—This category of vulnerability describes scenarios where untrusted data is sent to an application and handled in an unsafe manner. Typical origins of injection include other applications on the device and input populated into the application from the server.

Hard-coded passwords/keys (23%)—This flaw arises when a developer embeds a sensitive piece of information such as a password or an encryption key into the application.

Leakage of sensitive data (69%)—This involves cases where an application unintentionally leaks sensitive data through a side channel. This specifically includes data leakages that arise through use of a framework or OS and occur without the developer’s knowledge.

Figure 1.1 The incidence of some common mobile application vulnerabilities recently tested by the authors

Key Problem Factors

The core security problems in mobile applications arise from a number of factors. Vulnerabilities typically occur when an application must handle or protect sensitive data, or must process data that has originated from an untrusted source; however, several other factors have combined to intensify the problem.

Underdeveloped Security Awareness

Unlike most web applications where the attack surface is limited to user-derived input, mobile application developers have a number of different scenarios to consider and protect against. Mobile application development is fairly unique when compared to the development of other applications in that developers cannot trust the host operating system or even their own application. Awareness of the many attack surfaces and defensive protections is limited and not well understood within the mobile development communities. Widespread confusion and misconceptions still exist about many of the core concepts involved in mobile security. A prime example is that many developers believe that they don’t need to encrypt or protect data that is persistently stored on the device because it is encrypted through the data-at-rest encryption that comes standard with many devices. As you will discover, this assumption is not accurate and can expose sensitive user content.

Ever-Changing Attack Surfaces

Research into mobile device and application security is a continually evolving area in which ideas are regularly challenged and new threats and concepts discovered. Particularly on the device side, discovering new vulnerabilities that may undermine the accepted defenses that an application employs is common. A prime example of this was the discovery of Apple’s “goto fail” vulnerability (http://support.apple.com/kb/HT6147), which undermined the integrity of what was previously believed to be a secure communications channel. In this instance even recommended protections such as certificate pinning could be bypassed, which led many developers and security professionals to research and implement secondary encryption schemes to protect data inside the SSL/TLS channel. These types of vulnerabilities demonstrate how on-going research can affect or change the threat profile for an application even partway through a development project. A development team that begins a project with a comprehensive understanding of the current threats may have lost this status and have to adapt accordingly before the application is completed and deployed.

Economic and Time Constraints

Most application development projects are governed by strict resource and time constraints, and mobile application development is no exception. The economics of an application development project often mean that having permanent security expertise throughout the development process is infeasible for companies, particularly in smaller organizations that on the whole tend to leave security testing until late in a project’s lifecycle. Indeed, smaller organizations typically have much smaller budgets, which means they are often less willing to pay for expensive security consulting. A short time-constrained penetration test is likely to find the low-hanging fruit, but it is likely to miss more subtle and complex issues that require time and patience to identify. Even in projects with a permanent security presence, strict time constraints may mean that adequately reviewing every release can prove a challenging task. Development methods such as Agile, in which there are many iterations in a short space of time, can often intensify this challenge.

Custom Development

Mobile applications are typically developed by either in-house developers or third-party development teams, or in some cases a combination of the two. In general, when organizations are regularly developing multiple applications, components that have been thoroughly tested will find themselves being reused across projects; this often promotes more robust and secure code. However, even when applications reuse established components from other projects, seeing libraries or frameworks bolted on to the project that may not have been developed by the project team is not uncommon. In these cases, the main project developers may not have full awareness of the code, and misuse could lead to the introduction of security defects. Furthermore, in some cases the libraries may contain vulnerabilities themselves if they have not been thoroughly security tested. An example of this is the addJavascriptInterface vulnerability that affected the Android WebView component and, when exploited, resulted in a remote compromise of the device. Research found that this vulnerability was bundled with the libraries used to provide ad integration and potentially affected a significant number of applications (https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/).

The OWASP Mobile Security Project

The OWASP Mobile Security Project (https://www.owasp.org/index.php/OWASP_Mobile_Security_Project) is an initiative created by the not-for-profit group OWASP that is well known for its work in web application security. Given the many similarities between mobile applications and web applications, OWASP is a natural fit for promoting and raising awareness of mobile security issues.

The project provides a free centralized resource that classifies mobile security risks and documents development controls to reduce their impact or likelihood of exploitation. The project focuses on the application layer as opposed to the security of the mobile platform; however, risks inherent in the use of the various mobile platforms are taken into consideration.

OWASP Mobile Top Ten

Similar to the renowned OWASP Top 10, the Mobile Security Project defines an equivalent Top 10 Mobile Risks. This section of the project broadly identifies and categorizes some of the most critical risks in mobile application security. We will now loosely summarize each of the risks described in the OWASP Top 10; for a more detailed description and remedial advice, review the project page, as shown in Figure 1.2, on the OWASP wiki (https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks).

Figure 1.2 OWASP Top 10 Mobile Risks

The top 10 risks to mobile applications as defined by the OWASP Mobile Security Project are

M1: Weak Server-Side Controls—This category of risk is rated as the most critical issue to affect mobile applications. The impact is rated as severe and rightly so; a serious defect in a server-side control can have significant consequences for a business. This risk encompasses any vulnerability that may occur on the server side, including in mobile web services, web server configurations, and traditional web applications. The inclusion of this risk in the mobile Top 10 is somewhat controversial because it does not take place on the mobile device, and separate projects exist that explicitly cover web application risks. Although we acknowledge the severity of this risk, it is not detailed in this book because it has previously been well documented in other publications (http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html).

M2: Insecure Data Storage—This risk relates to circumstances when an application stores sensitive data on the mobile device in either plaintext or a trivially reversible format. The impact of this risk is rated as severe and can typically lead to serious business risks such as identity theft, fraud, or reputational damage. In addition to disclosure through physical access to the device, this risk also incorporates filesystem access that can be attained through malware or by otherwise compromising the device.

M3: Insufficient Transport Layer Protection—This flaw pertains to the protection of network traffic and would be relevant to any situation whereby data is communicated in plaintext. It is also applicable in scenarios where traffic is encrypted but the encryption has been implemented in an insecure manner, such as permitting self-signed certificates, performing insufficient validation on certificates, or using insecure cipher suites. These types of issues can typically be exploited by an adversary positioned within the local network or from within the carrier’s network; physical access to the device is not required.

M4: Unintended Data Leakage—This problem manifests in cases when a developer inadvertently places sensitive information or data in a location on the mobile device where it is easily accessible by other applications. More often than not this risk arises as a side effect of the underlying mobile platform and is likely to be prevalent when developers do not have intimate knowledge of how the operating system can store data. Frequently seen examples of unintended data leakage include caching, snapshots, and application logs.

M5: Poor Authorization and Authentication—This category of risk relates to authentication and authorization flaws that can occur in either the mobile application or the server-side implementation. Local authentication within a mobile application is relatively common, particularly in applications that provide access to sensitive data and need to operate in an offline state. Where appropriate security controls have been missed, the possibility exists that this authentication can be bypassed to provide access to the application. This risk also pertains to authorization flaws that can occur on the server-side application and may allow a user to access or execute functionality outside the scope of her privilege level.
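As an added illustration of M3 (and of the “insecure transmission of data” category from Figure 1.1), not code from the book: a Python `ssl` client configuration that accepts any certificate and skips hostname checks, beside the hardened default, with a small audit function that flags the weaknesses the text lists. The `audit_client_context` helper and its finding labels are this example's own naming, not OWASP identifiers.

```python
import ssl

# Constructed example: the weak configuration that produces an M3 finding.
def weak_client_context() -> ssl.SSLContext:
    """Client context that performs no certificate validation at all.

    check_hostname must be cleared before verify_mode, or the ssl module
    raises ValueError. CERT_NONE means a self-signed or forged certificate
    presented by an interception proxy is accepted without complaint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server certificate properly.

    create_default_context() loads the platform trust store, requires a
    certificate (CERT_REQUIRED) and checks that it matches the hostname.
    The explicit minimum_version keeps the floor at TLS 1.2 on older Pythons.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Substrings that identify cipher suites no mobile client should offer.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "MD5", "EXPORT")


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return M3-style findings for a client SSLContext (empty list if clean).

    Finding labels are this example's own naming, not OWASP identifiers.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # Any certificate, including self-signed ones, is accepted.
        findings.append("no-certificate-validation")
    if not ctx.check_hostname:
        # A valid certificate issued for some other host would still pass.
        findings.append("no-hostname-verification")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        # TLS 1.0/1.1 (or SSLv3) may still be negotiated with the server.
        findings.append("legacy-tls-versions-allowed")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak-cipher-suites:" + ",".join(weak))
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_client_context(weak_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

The same audit applies to any context a mobile client builds by hand; on Android, the equivalent anti-pattern is a custom `TrustManager` whose check methods are empty, which the platform-default context avoids.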

M6: Broken Cryptography—