Is Your Mobile App Secure?

Powerpoints · Projects · Links · Home Page

Hall of Fame
Real Vulnerabilities Found by Students





Preparing Your Computer

What Computer to Use

A computer with one of these operating systems
(running on the bare metal--NOT a virtual machine)
  • Best: Mac OS X or Ubuntu Linux
  • Difficult to use: Windows
  • Very difficult to use: Kali Linux

Software to Install (Instructions Below)

  • Android Studio
  • Burp Proxy
  • Genymotion Android Emulator (including VirtualBox)

Instructions for Ubuntu Linux Machines

Installing Android Studio, Genymotion, and Burp on Ubuntu

Adding Google Play to Genymotion

Instructions for Mac OS X or Windows Machines

Installing Android Studio on a Mac or Windows Computer

Installing Genymotion and Burp on a Mac or Windows Computer


Projects

There won't be enough time to do all the projects below. I'll demonstrate several of them, and each student should do a few they find the most interesting.

This page will stay up after the con, so you can do more of them later. It's possible that some of these companies will actually patch the apps someday, so some of these may stop working.

Simple Insecurities

1. Observing the TD Ameritrade Log
2. Mayo Clinic Medical Transport App Hardcoded Password Exposure

Using a Proxy to Audit SSL Traffic

3. GenieMD Broken SSL
4. Garland & Associates App Broken SSL
5. Stitcher Caesar Cipher Obfuscation (top portion)

Code Modification and Smali

6. Making a Signed App with Android Studio
7. Trojaning the Charles Schwab App -- (Normal Trojan)
8. Trojaning the Citibank App -- (HTTP Parameters Trojan)
9. Trojaning the Capital One App -- (Apache Cordova Trojan)
10. Trojaning the BanCorp App -- (String Builder Trojan)

11. Auto-Trojaning the Walmart App

Auditing Local File Storage

12. Auditing Local File Storage for the Safeway App
13. Auditing Local File Storage for the Lumosity App
14. Stitcher Local Password Storage (lower portion)

Defenses & Countermeasures

15: Obfuscating an Android App with ProGuard (10 points)
16: Obfuscating Android Source Code with DashO (15 pts. extra credit)
17: MaaS360 (15 points)

iOS Apps: SSL Auditing Proxy

18. Making an SSL Auditing Proxy with a Mac, Burp, and pf
19. Comparing Secure and Insecure iOS Apps (not public yet)

Forensics

Project 14: Acquiring a Forensic Image of an Android Phone (25 pts.)
Project X4: Acquiring an iPad image with iTunes (15 pts.) (rev. 5-6-15)
Project X6: Analyzing an iTunes Backup with Magnet Forensics' Internet Evidence Finder (15 pts.) (new 5-6-15)

Old Projects

Project 1: Preparing an Android Virtual Machine (25 pts.)
Project 2: Rooting Your Android Virtual Machine (10 pts.)
Project 3: Android Studio (20 pts.)

Troubleshooting Android Emulator Problems

Project 4: ExploitMe Mobile Lab 1: Sniffing Insecure Connections with Burp (15 points)
Project 5: ExploitMe Mobile Lab 2: Parameter Manipulation (15 points)
Project 6: ExploitMe Mobile Lab 3: Insecure File Storage (20 points)
Project 7: ExploitMe Mobile Lab 4: Secure Logging (10 points)
Project 8: ExploitMe Mobile Lab 7: Scraping Data from RAM (15 points)
Project 9: Decompiling and Trojaning an Android App with Smali Code (15 points)

Extra Credit Projects

Project 1x: Android Security Auditing with Genymotion and Burp (20 pts. extra credit)
Project 2x: Security Audit of the NFL Android App (15 pts. extra credit)
Project 3x: Security Audit of Another Android App (20 pts. extra credit)
Project 4x: BlueStacks Android Emulator on Windows (15 pts. extra credit)
Project 5x: Trojaning an Android App and Posting Credentials on the Web (15 pts. extra credit)
Project 7x: Making an iPhone App with Xcode (15 pts. extra credit)
Project 8x: Security Audit of ExploitMe Mobile in Xcode (25 pts. extra credit)
Project 9x: Making a Data-Stealing Android Trojan (15 pts. extra credit)
Project 10x: Find an Android Vulnerability and Report it Correctly (40 pts. extra credit)
Project 11x: Stealing Credentials from an Android App with a SSL MITM Attack (15 pts.)

References for Projects

ExploitMe Mobile Android Labs from Security Compass
Android Assessments with GenyMotion + Burp
Back to Top


Powerpoints

Android Security Auditing
Android Trojans
Android and iOS Vulnerabilities Research

1: The mobile risk ecosystem
2: Hacking the cellular network
3: iOS
4: Android
5: Mobile malware
6: Mobile services and mobile Web (part 1)
6: Mobile services and mobile Web (part 2)
7: Mobile Device Management
8: Mobile development security
9: Mobile payments

If you do not have PowerPoint you can use Open Office.


Back to Top


Links

Apple Platform Security
Apple Platform Security PDF
DVIA (Damn Vulnerable iOS App) | A vulnerable iOS app for pentesting
OWASP/owasp-masvs: The Mobile Application Security Verification Standard (MASVS) is a standard for mobile app security.
2019-12-29: Hybrid App Developers: Don't Store Your User's Passwords
Passwords are the biggest threat to GDPR compliance (Mar. 2019)
Chat app Knuddels fined 20 k Eurosunder GDPR regulation (Nov 24, 2018)
Remote logging for mobile apps (April, 2019)
From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13 -- spaceraccoon.dev
Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 (Jan. 2019)
Project Zero: Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass (Jan. 2019)
Project Zero: Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution (Jan. 2019)
Reverse-Engineering-and-Tampering iOS Apps OWASP
GDB to LLDB command map -- The LLDB Debugger
Google Maps Platform--Protecting API Keys
We reverse engineered 16k apps, here's what we found
Hands On Mobile API Security: Get Rid of Client Secrets
Why OAuth API Keys and Secrets Aren't Safe in Mobile Apps
Hey Developer, Give me your API keys.!!
HOW TO EXTRACT AN API KEY FROM A MOBILE APP BY STATIC BINARY ANALYSIS

          
Back to Top
Last Updated: 8-8-15