ExploitMe Mobile Defective Mobile Application for your hacking pleasures! An ExploitMe Series Production Version 0.93 Page | 1 The ExploitMe Series This document is for informational purposes only. Security Compass MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided ―as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Copyright © 2012 Security Compass Inc. All rights reserved. Page | 2 ExploitMe Mobile (EMM) is a Security Compass open source project demonstrating common mobile application vulnerabilities in the iOS and Android platforms. ExploitMe Mobile is a training platform built based on the common mobile application security pitfalls. The entire source of the project can be found on github - github.com/SecurityCompass T ECHNICAL D ETAILS ExploitMe Mobile training platform is built on client-server model. The server component is shared between the iOS and Android client and can be used simultaneously. The diagram below outlines the architecture of the ExploitMe Mobile platform. The objectives of the ExploitMe Mobile training platform are: Capture the common security related mobile application development pitfalls within a mobile application for iOS and Android platforms. Build in intentionally vulnerable client and server side code to illustrate business level impact of technical mobile application vulnerabilities. Develop a learning platform that can educate developers on secure coding practices. Create an openly available platform that encourages community collaboration. All the vulnerabilities featured in the ExploitMe Mobile training platform are inspired by the results of mobile application security assessments performed by Security Compass consultants across various industry verticals. The iPhone and Android versions of ExploitMe Mobile feature the top 80% of all Medium, High and Critical risk mobile application vulnerabilities in the following broad categories: Parameter manipulation Protocol encryption Password lock screens File system access permissions Insecure storage of files Insecure logging EMM Android Client EMM iOS Client Lab Server EMM LAB SERVER The ExploitMe Mobile Lab Server component is the heart of the platform. The server contains the backend business logic that the mobile client applications are designed to communicate with. In order to maintain simplicity, the Lab Server component is designed as a simple HTTP REST server that returns JSON arrays. The Lab Server is built using Python Flask micor-framework and is easily extensible to add functionality to the application. For further details on the Lab Server component, please visit Security Compass’s Github page https://github.com/SecurityCompass Page | 1 EMM ANDROID & IOS CLIENTS ExploitMe Mobile is primarily a Mobile Banking application designed in native code for the iOS and Android platform. The functionality of the application is identical across both platforms. This client application communicates with the lab Server component to authenticate, retrieve data, perform transactions etc. All the ExploitMe Mobile hands-on labs are designed to hack the client applications and train developers to code securely on both the platforms. 1. iOS Lab Launch the lab server: python app.py 2. Launch the application in the simulator. 3. Launch your favorite proxy and ensure that MacOSX is set up to use the proxy server. The iPhone simulator obeys the OSX settings for a proxy. You can configure it in Preferences -> Network & Sharing -> Proxies. E XPLOIT M E M OBILE L ABS ExploitMe Mobile features hands-on lab exercises to guide users to hunt for vulnerabilities within the application. In order to set your environment up to execute the labs, please refer to the following documentation pages hosted on GitHub: iOS Labs Setup http://securitycompass.github.com/iPhoneL abs/setup.html Android Labs Setup http://securitycompass.github.com/Androi dLabs/setup.html IOS LAB 1 - SECURE CONNECTIONS In the first lab, we will use a proxy server such as Charles to proxy the ExploitMe Mobile clientserver communication channel. This guide assumes you have configured your environment by following the steps outlined in the above links. 4. Ensure that your proxy is correctly accepting network traffic and then run the iPhone ExploitMe Mobile lab in the simulator. Once the simulator is running, login using the standard login and password jdoe/password for the user, or if you’ve already logged in before, enter your local password you configured on first run. Page | 2 5. It is clear that the application is using clear-text at this point and that HTTP traffic can be trapped and modified. This is often the first step to attacking any mobile application and if you’ve made it this far, you now are able to fully act as a man in the middle against any iPhone application. IOS LAB 1 SECURE CONNECTIONS - SOLUTION 1. We want to encrypt the communication between the client and server so that we can’t so easily man-in-the-middle it. Since we are using HTTP for communication, all we have to do is change the protocol to HTTPS and thus enable SSL/TLS. 6. In the following screenshot, we can see that EMM sends user credentials upon first entry to the application in cleartext. The username and password is clearly shown. 2. We re-launch the server in ssl mode and run it on port 8443: python 8443 7. You can achieve the same effect by using wireshark. Since both the simulator and the server are running on the same server, we need to monitor the loopback interface (lo0) to view communication between your computer and itself. app.pyt --ssl --port 3. In the iPhone simulator, under Settings -> Base we change the URL to http://localhost:8443: 4. Now, we can see in Wireshark that the communication is encrypted: Page | 3 7. Above, Charles can decrypt the SSLencrypted traffic for us since we accepted the Charles certificate as valid in the simulator. ANDROID LAB 1 The android apk that we’ll use for most labs is the base.apk 5. We can still use Charles (or another proxy) to intercept SSL traffic as long as we accept the Charles SSL certificate in the iOS simulator. More information on how to do that here. 6. When using a proxy that intercepts SSL, we can see the decrypted traffic: This is a simple lab, but it demonstrates a key point that sometimes is forgotten, which is that mobile device traffic can still be sniffed. The Android emulator has a built in setting to capture network traffic which makes it much easier for us to sniff data from android applications. 1. To run, we perform: emulator.exe -avd emu -tcpdump test.cap 2. Now, we have to run the Lab Server: python app.py 3. Now, launch the Lab APK file and install it to the emulator through any IDE of your choice, in our case, we’ll use Eclipse. 4. Upon first launch, the lab will ask for a username and password to your banking account. This, like in a real application could either be done securely (encrypted) or insecurely. Page | 4 6. Let’s analyze how the application performed the login procedure. Open up the cap file in Wireshark. Find the HTTP stream where the application logs in within the packet history. You’ll see it highlighted by HTTP and green. ANDROID LAB 1 - SOLUTION We want to enable HTTPS so that the connection can’t be snooped. We do this by first running the server in SSL mode: python app.py --ssl --port 8443 Then, we enable HTTPS in the preferences of the client application: 5. The first lab is about network encryption, so clearly we’ll have to look at the network TCP dump to see how the application is performing authentication. Page | 5 LAB 2 PARAMETER MANIPULATION The parameter manipulation lab is contained within the bank transfer section. The purpose of this lab is to demonstrate that many common iPhone applications still rely on traditional web architectures or REST interfaces in the back end to perform their tasks. Often, if you’re able to trap the request, you can make the application or server act in ways it may not have felt possible. 1. First, enter the bank money transfer screen within the ExploitMe Mobile application. 2. There are a number of accounts preconfigured in EMM’s default Lab server configuration. We’ve logged in before using the jdoe account. The two usernames we have preconfigured and their bank account numbers are: jdoe / password o Debit: 123456789 o Credit: 987654321 bsmith / password o Debit: 111111111 o Credit: 22222222 3. In this lab, we’ll try to transfer money between accounts on the server by intercepting the EMM app request. Again, this traditionally isn’t any different from web exploits, but most apps work in the same manner so it’ll be good to see how it works on the mobile app space. Page | 6 4. Fill in the transfer screen and ensure your proxy is trapping the request. LAB 2 - SOLUTION The solution here is the same as it would be in a regular web app, we have to perform some validation on the server. #validate that accounts belong to user: if to_account.user != session.user or from_account.user != session.user: return error("E6") #validate that amount positive if total_cents < 0: return error("E5") is O THER L ABS In addition to the above labs, ExploitMe Mobile features more hands-on exercises to walk through the various mobile application security vulnerabilities designed into the application. Please refer to the following GitHub pages for detailed documentation on all the iOS and Android labs. iOS Labs http://securitycompass.github.com/iPhoneL abs/index.html Android Labs http://securitycompass.github.com/Androi dLabs/index.html More on mobile security course is available from http://labs.securitycompass.com/mobile/ne w-mobile-security-course-and-exploitmemobile/ O THER R ESOURCES Security Compass’s Blog – http://labs.securitycompass.com Security Compass’s Mobile Case Study – http://securitycompass.com/company/case -studies.html#!/mobile-security-assessment Security Compass’s Mobile Assessment – http://securitycompass.com/services/mobil e-security-assessment.html Page | 7 What can we do for you? We understand application security and strive to provide you with the best consulting & training experience for you and your organization. Our consultants are helping our clients manage real world security risks. Our experience in managing these same risks enables us to deliver training material with the latest threats and vulnerabilities seen in every day engagements. What does that mean? It means that we are here to help you and your staff to respond with forward thinking concepts to securing your business. Here to help. Reach out to Security Compass’ advisors who can help by emailing us at [email protected]. Page | 8