fast forwarding mobile security with the mstg
play

Fast forwarding Mobile Security with the MSTG Jeroen Willemsen - PowerPoint PPT Presentation

Jan 15, 2024 •216 likes •727 views

Fast forwarding Mobile Security with the MSTG Jeroen Willemsen XSECCON Gamma About me Jeroen Willemsen @commjoenie jeroen.willemsen@owasp.org Security architect Full-stack developer Mobile security @OWASP_MSTG Agenda

  2. Fast forwarding Mobile Security with the MSTG Jeroen Willemsen – XSECCON Gamma

  3. About me Jeroen Willemsen @commjoenie jeroen.willemsen@owasp.org “Security architect” “Full-stack developer” “Mobile security” @OWASP_MSTG

  4. Agenda • Introduction into the MASVS • Introduction into the MSTG • Some examples

  5. The MSTG: mobile security? QUESTION: Can you do a CSRF or XSS attack on a native mobile app without a webview? Answer: XSS: No, CSRF: No. Even with deeplinks it is not the same.

  6. The MSTG: mobile security? • So CSRF and XSS do not easily apply. • But path-traversals do…

  7. The MSTG: mobile security? • So CSRF and XSS do not easily apply. • But path-traversals do… • And then there is… Data leakage – through logging, – through insecure storage, – Through IPC. • What about weak authentication mechanisms? • What about reverse engineering?

  8. How do we fix this? Mobile Security Mobile Application Testing Guide Security https://github.com/O Verification Standard WASP/owasp-mstg https://github.com/O WASP/owasp-masvs Mobile Appsec Checklist

  9. OWASP Mobile AppSec Verification Standard (MASVS) • Started as a fork of the OWASP ASVS • Formalizes best practices and other security requirements • Mobile-specific, high-level, OS-agnostic • Why? Shift left: give security requirements a-priori •

  10. OWASP Mobile AppSec Verification Standard (MASVS)

  11. OWASP Mobile AppSec Verification Standard (MASVS) V2: Data Storage and Privacy Requirements

  12. How to use the MASVS? During early stages of development: Basis for (future) design decisions and enhancements • Helps building internal baselines for Mobile Security and Coding Guidelines • To determine security requirements early on. For example: • While Implementing: Track the security requirements during development • Redefine security requirements when business requirements are changing • During Penetration Test: Share the status of your security requirements with the tester •

  13. Current status MASVS • Current release: 1.1.3 • Translations: Spanish, Russian, French, German, Japanese, Chinese (ZHTW) – Started: Persian

  14. Current status MASVS • Current release: 1.1.3 • Translations • Lab-project status!

  15. Current status MASVS • Current release: 1.1.3 • Translations • Lab-project status! • NIST 800-163, revision 1

  16. Current status MASVS Project Lead Lead Author Contributors and Reviewers Alexander Antukh, Mesheryakov Aleksey, Bachevsky Artem, Jeroen Beckers, Vladislav Chelnokov, Ben Cheney, Peter Chi, Lex Chien, Stephen Corbiaux, Manuel Delgado, Ratchenko Denis, Ryan Dewhurst, Tereshin Dmitry, Christian Dong, Oprya Egor, Ben Gardiner, Rocco Gränitz, Sven Schleier & Henry Hu, Sjoerd Langkemper, Vinícius Henrique Jeroen Willemsen Bernhard Mueller Marangoni, Martin Marsicano, Roberto Martelloni, Gall Maxim, Riotaro Okada, Abhinav Sejpal, Stefaan Seys, Yogesh Shamrma, Prabhant Singh, Nikhil Soni, Anant Shrivastava, Francesco Stillavato, Romuald SZKUDLAREK, Abdessamad Temmar, Koki Takeyama, Chelnokov Vladislav, Leo Wang

  17. Future plans for the MASVS • Ongoing: Integration with SKF • Ongoing conversations with the Cloud Security Alliance. • Revisit Location & Connectivity requirements • Re-evaluate the need for payload encryption • Add more translations

  18. Your turn! • https://github.com/OWASP/owasp-masvs • https://mobile-security.gitbook.io/masvs/ ü Download it ü Read it ü Use it ü Give Feedback! Create an issue or a PR ü Tweet about it (@OWASP_MSTG)

  19. Agenda • Introduction into the MASVS • Introduction into the MSTG • Some examples

  20. OWASP Mobile Security Testing Guide (MSTG) • Manual for testing security maturity of iOS and Android (mostly) native apps. • Maps on MASVS requirements. • Why? Educate developers and penetration testers. • Provide a baseline for automated checks •

  21. OWASP Mobile Security Testing Guide (MSTG) • General testing guide • Android Testing guide • iOS Testing guide

  22. OWASP Mobile Security Testing Guide (MSTG) • General testing guide • Android Testing guide • iOS Testing guide • Crackme’s & Challenges Kudos to Bernhard Mueller @bernhardm for his hard work!

  23. OWASP Mobile Security Testing Guide (MSTG) • General testing guide • Android Testing guide • iOS Testing guide • Crackme’s & Challenges • Mobile Appsec Checklist

  24. OWASP Mobile Security Testing Guide (MSTG) • General testing guide • Android Testing guide • iOS Testing guide • Crackme’s & Challenges • Mobile Appsec Checklist • MSTG playground (External)

  25. Current status MSTG • Version 1.1.0 • Lab-project & Mentioned in NIST 800-163, revision 1, 3K+ stars • Automation: Simplified Crackme maintenance & document generation

  26. Current status MSTG Authors Co-Authors Top Contributors Reviewers Editors Bernhard Mueller Romuald Szkudlarek Pawel Rzepa Sjoerd Langkemper Heaven Hodges Francesco Stillavato Anant Shrivastava Caitlin Andrews Jeroen Willemsen Andreas Happe Nick Epson (@jeroenwillemsen) Alexander Anthuk Anita Diamond Henry Hoggard Anna Szkudlarek Sven Schleier Wen Bin Kong (@sushi2k) Abdessamad Temmar Bolot Kerimbaev Slawomir Kosowski The full list of contributors is available on GitHub: https://github.com/OWASP/owasp-mstg/graphs/contributors

  28. Ongoing work for MSTG • Adding code samples in Swift and Kotlin • Adding Android 8/9 & iOS 12 updates (ongoing for 1.2) • Translation to Japanese & Russian (ongoing) • Getting hardcopies available

  29. Future plans MSTG • Migrate crackmes and MSTG playground to one repository and develop more bad/good examples • Restructure the MSTG to align with the MASVS • Consider MDM write-ups (version 1.3)? • Add more crackme exercises for iOS • Seek collaboration with Apple / Google to speed up ? • Collaborate with standardization bodies

  30. Your turn! • https://github.com/OWASP/owasp-mstg https://mobile-security.gitbook.io/mstg/ ü Download it ü Read it ü Use it ü Give Feedback (file an issue) ü Fix issues: send in your Pull Requests! ü Tweet about it (@OWASP_MSTG)

  31. Agenda • Introduction into the MASVS • Introduction into the MSTG • Some examples

  32. Version Root SSL pinning Certificate Serial Number CA Certificate Algorithm Identifier for Certificate Issuer’s Signature Intermediate Issuer Validity Period Subject Leaf cert Subject Algorithm Identifier Public-Key Public-key Value Information Issuer Unique Identifier TLS Subject Unique Identifier Extensions Certification Authority’s Digital Signature

  33. SSL pinning – SSL killswitch V2 Two easy ways to break most pinners: 1. Jailbreak à use Cydia & SSL Killswitch V2 2. Do dynamic instrumentation on a non- jailbroken device See https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04f- Testing-Network-Communication.md and https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06g- Testing-Network-Communication.md

  35. SSL pinning – SSL killswitch V2 Patch underlying SSL Mobile app @ iOS 9 SSL killswitch Mobile app @ iOS 9 Mobile app @ iOS 9 handshake implementation SSLHandshake, Used by NSURLConnection SSLHandshake, MSHookFunction SSLHandshake, SSLSetSessionOption, For all apps… SSLSetSessionOption, SSLSetSessionOption, SSLCreateContext SSLCreateContext SSLCreateContext Mobile substrate Mobile app @ iOS 10 / 11 Mobile app @ iOS 10 / 11 Mobile app @ iOS 10 / 11 tls_helper_create_peer_trust tls_helper_create_peer tls_helper_create_peer_trust _trust

  36. What if you don’t want to jailbreak? • Jailbroken devices require maintenance • Jailbreaks are getting harder to find • What about jailbreak protection of the app? • Let’s patch the app itself!

  37. SSL pinning – non-jailbroken device

  38. SSL pinning – Objection Patch underlying SSL Mobile app handshake implementation Used by NSURLConnection For one app. 1. Frida server in Gadget waits 2. Objection connects to server with explore REPL 3. Objection calls script that patches underlying SSL handshake implementation

  39. SSL Pinning in Android Let’s do similar runtime patching in Android…

  41. TouchID the wrong way: using LAContext There are 2 ways to use TouchID: 1. Protect an entry in the keychain and unlock it via TouchID 2. Use the LocalAuthenticationContext : LocalAuthenticationContext.evaluatePolicy(.deviceOwnerAut henticationWithBiometrics, localizedReason: reasonString) { success, evaluateError in { If success { What if we call the successmethods() successmethods() directly? } else { …. }

  42. Bypassing Touch-ID • With • With • Both cases: use Frida to hook onto `evaluatePolicy:localizedReason:reply` – Ensures that when evaluatePolicy is calls that the reply its success is set to true (E.g.: call success methods) See https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f- Testing-Local- Authentication.md

  45. There is much more! • Reverse Engineering ü Root / Jailbreak Detection ü Anti-Debugging ü Detecting Reverse Engineering Tools ü Emulator Detection / Anti-Emulation ü File and Memory Integrity Checks ü Device Binding ü Obfuscation

Recommend

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

791 views • 56 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
A Concise Forwarding Information Base for Scalable and Fast Name Switching Chen Qian University

A Concise Forwarding Information Base for Scalable and Fast Name Switching Chen Qian University

A Concise Forwarding Information Base for Scalable and Fast Name Switching Chen Qian University of Kentucky University of California Santa Cruz with Ye Yu, Djamal Belazzougui, Qin Zhang Forwarding Information Base (FIB) A data structure

380 views • 24 slides
Architectures Enabled by Intra-Unit Fast Forwarding Jihee Seo and Dae Hyun Kim School of

Architectures Enabled by Intra-Unit Fast Forwarding Jihee Seo and Dae Hyun Kim School of

High-Throughput Multiplier Architectures Enabled by Intra-Unit Fast Forwarding Jihee Seo and Dae Hyun Kim School of Electrical Engineering and Computer Science Washington State University ARITH19, Kyoto, Japan (June 10 - 12) Outline

466 views • 24 slides
Fast-forwarding to Desired Visualizations with Aditya Parameswaran Assistant Professor

Fast-forwarding to Desired Visualizations with Aditya Parameswaran Assistant Professor

Fast-forwarding to Desired Visualizations with Aditya Parameswaran Assistant Professor University of Illinois http://data-people.cs.illinois.edu With: Tarique Siddiqui , John Lee, Albert Kim, Ed Xue , Chao Wang, Sean Zou, Changfeng Liu, Lijin

1k views • 25 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and Cooperation in Wireless Networks Georg-August University Gttingen Part I: Selfishness in packet forwarding the operation of multi-hop wireless networks

860 views • 36 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security & Privacy

1.03k views • 57 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

818 views • 20 slides
CS244 Advanced Topics in Networking Lecture 7: Programmable Forwarding Nick McKeown Processing

CS244 Advanced Topics in Networking Lecture 7: Programmable Forwarding Nick McKeown Processing

CS244 Advanced Topics in Networking Lecture 7: Programmable Forwarding Nick McKeown Processing in Hardware for SDN Forwarding Metamorphosis: Fast Programmable Match-Action [Pat Bosshart et al. 2013] Spring 2020 Context + Others from TI

907 views • 38 slides
Mobile IP FEUP Manuel P. Ricardo Faculdade de Engenharia da Universidade do Porto Mobile IP 2

Mobile IP FEUP Manuel P. Ricardo Faculdade de Engenharia da Universidade do Porto Mobile IP 2

Mobile IP 1 Mobile IP FEUP Manuel P. Ricardo Faculdade de Engenharia da Universidade do Porto Mobile IP 2 Mobile IP, v4 Mobile IP 3 Motivation Forwarding of IP datagrams Based on IP destination address IP network address

1.03k views • 26 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Announcement Course Evaluations Now online Will be available from Friday, Dec 7 Will also allow students to do

864 views • 50 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Improving Web Performance on Mobile Browsers bengr@google.com Desktop browsing is fast,

Improving Web Performance on Mobile Browsers bengr@google.com Desktop browsing is fast,

Improving Web Performance on Mobile Browsers bengr@google.com Desktop browsing is fast, relatively speaking. Desktops and laptops are over-provisioned to display web pages The have GBs of RAM, fast processors, fast networks

316 views • 19 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Mobile Communications Mobile Communications Confidentiality Security No access to information

Mobile Communications Mobile Communications Confidentiality Security No access to information

Security Requirements Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity . Mobile Communications Mobile Communications Confidentiality Security No access to information for

577 views • 11 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g.

506 views • 34 slides
CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

780 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

827 views • 54 slides
Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords

520 views • 38 slides
ENGAGING CONSUMERS THROUGH MOBILE GAMING Mobile is fast becoming the consumers 1 st screen Brands

ENGAGING CONSUMERS THROUGH MOBILE GAMING Mobile is fast becoming the consumers 1 st screen Brands

ENGAGING CONSUMERS THROUGH MOBILE GAMING Mobile is fast becoming the consumers 1 st screen Brands want an app presence on mobile which engages and connects with consumers Consumers want engaging and rewarding app experiences which they value and

426 views • 15 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami R&D Team Member @ viaForensics I work mainly on Android/iOS The Problem We want to trace the code in mobile applications that we

632 views • 48 slides

More recommend