BSidesLV 2016: Mobile App Attack

 Mobile devices are rapidly becoming the primary need of any user. Ease of use, portability, user-friendly GUI, robust computing, a wide variety of applications… all of these features makes a mobile device much more compelling than a normal computer.

However, mobile phones are becoming more of a security concern, and organizations need to consider a new approach to meet and serve the market demands, which in turn leads to questions about security. Securing data on mobile devices requires that organizations implement new methodologies depending upon the data storage strategy on which each mobile device operates.

With the emergence of low-cost smartphones and a strong demand for premium smartphones, global sales of mobile devices have increased to a considerable level. Android operating system tops the market share, followed by iOS and other mobile operating systems. (Android covers 80.7% of the market in Asia/Pacific, compared to 17.7% of iOS for Q42015.)

At BSidesLV this August, I will discuss the security aspects of the world’s two leading mobile operating systems: Android and iOS.

In this training, I delve into their architecture; filesystem; security model; application components; rooting/jailbreak; reverse engineering techniques for uncovering security flaws; method swizzling and run-time manipulation for apps; and hooking of applications to exploit security flaws.

The training will also provide a thorough guide on how mobile applications can be attacked, as well as an overview of how some of the most important security checks for applications operate and are applied.

I’ll mainly focus on the following:

Reverse engineer Dex code for security analysis.
Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.
Runtime analysis of the apps by active debugging.
Modifying parts of the code where any part can be specified as functions and classes, as well as perform this check to identify the modification. We will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn, reverse engineer an application, get its executable binaries, modify these binaries accordingly, and resign the application.
Runtime modification of code. The objective is to learn how the programs/codes can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of the methods during runtime, and then we will learn how to identify if the methods have been changed. For iOS, we can make use of tool Cycript, snoop-it, etc.
Hooking an application and learn to perform program/code modification.
I will begin by providing a thorough analysis pf the architecture, file system, permissions, and security model of both the iOS and Android platform. At the end of the training, based on the course content, we’ll engage in some CTF challenges during which attendees will use their skills they gained during the training.

At BSidesLV, beginning on August 2 at 08:30 am, I’ll be conducting two days of complete hands-on training on mobile applications penetration testing.

I hope to see you there!

About the Author: Sneha works as a Security Consultant with Payatu Technologies Pvt.Ltd. and holds C.E.H and E.C.S.A certifications. Her area of interest lies in Web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite.Jobberbase, Lucidchart and more. She is also an active member of Null – The open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp #6 and Nullcon 2016.