This workshop will introduce the security of mobile applications (apps), discuss the risks they pose to your devices, and provide you with effective methodologies to test those “beasts”. After discussing threats and typical vulnerabilities of mobile applications, we will audit some iOS and Android apps.
So this workshop is all about “learning by doing” ;-) After the workshop you will be able to test iOS and Android apps before approving them in your organization.
We will provide you with some devices. Your own devices are welcome, too.
Mobile Application Testing Agenda
Basics
Threats and Vulns
- Common Risks of Mobile Devices
- App Specific Attack Vectors
- Demands for Enterprise Apps
- General Testing Methodology
Determining Testing Points
- Local vs. Remote Storage
- Security Features of the Mobile Platform
- Problems with Cross-Platform Development
- Trustworthiness of an Application (Criteria and Metric)
iOS
Introduction
- Development Process and Environment
- The App (as a file) and Deployment Process
- iOS Security Features (Keychain, Data Protection, Storage Encryption)
- Permission Model (API Interfaces)
- Hidden APIs
Set up Testing Lab
- Quick Start
- Required Devices
- Required Tools
- Working with iOS Simulator and Xcode
- Jailbreak (and common Pitfalls)
- Setting up a Web Proxy
Local Storage
- File Structure of an App
- General Approach of Testing
- SQLite Database
- XML files
- Common Pitfalls
Network Transmission
- Mobile Web Apps
- Web Services
- Transmission Encryption
- Approaches of Sniffing Traffic
- Different Network Interfaces
Audit of Security Features
- Keychain
- Data Protection (& Data Protection Classes)
- Caching
- iCloud/iTunes Backup
Reverse Engineering
- General Approach
- Identify and Defeat App Store Encryption
- Debugging
- Disassembling and Decompiling (Tools and Tactics)
- Identify suspicious APIs
- Identify Anti-Reverse Engineering
Android
Introduction
- Development Process and Environment
- Overview of Android Versions and Devices
- Consequences of Device Fragmentation
- The App (as a file) and Deployment Process
- Android Security Features (Storage Encryption, Certificate Store)
- Permission Model
Set up Testing Lab
- Quick Start
- Required Devices
- Required Tools
- Working with Emulator and ADT
- Rooting (General Approach)
Local Storage
- File Structure of an App
- General Approach of Testing
- SQLite Database
- XML files
- Common Pitfalls
Network Transmission
- Mobile Web Apps
- Web Services
- Transmission Encryption
- Approaches of Sniffing Traffic
- Different Network Interfaces
Audit of Security Features
- GoogleSync Backup
- Use of Certificate Store
Reverse Engineering
- General Approach
- Debugging
- Existing Tools for Decompiling
- Identify Anti-Reverse Engineering
Sergej Schmidt works in the Mobile Security Team, where he spends most of his time testing mobile apps and their backends, trying to circumvent their security mechanisms. Besides pentesting, he also does research in the area of iOS and Android platforms.
Michael Thumann is Chief Security Officer and head of the ERNW application security team. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a DNS information gathering tool’) and his experience with the community. Besides numerous articles and papers, he wrote the first (and only) German Pen-Test Book, which has become recommended reading at German universities.
In addition to his daily pentesting tasks, he is a regular conference speaker (e.g. Blackhat, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security, Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse almost everything to understand its inner workings.