Mobile notes

• Android
• iOS

Mostly from OWASP testing guide.

Good resources

Android

* Setup / commands:
    ```
    adb root
    adb shell
    # if error: insufficient permissions for device: udev requires plugdev group membership.
    # change Advanced setup -> USB configuration -> MTP

    # install cert in device
    adb push cacert.der /sdcard/Downloads

    # change certs etc.
    apktool d app.apk
    apktool b app
    java -jar sign.jar app/dist/app.apk
    adb install -r app/dist/app.s.apk

    # remove
    adb uninstall package

    # drozer
    adb forward tcp:31415 tcp:31415
    drozer console connect

    list
    run app.package.list -f app
    run app.package.attacksurface app.name


    # debugging
    adb jdwp  # list pids
    adb forward tcp:7777 jdwp:$pid
    {echo "suspend"; cat;} | jdb -attach localhost:7777
    am start -D -n "package/package.acrivity"  # start from adb shell to debug startup
    ```

• Data storage:
  • Testing for Sensitive Data in Local Storage
    • Prior to API 16, all apps can read logs (check android:minSdkVersion)
    • sensitive and private data needs to be protected or even better not get stored on the device in the first place
    • keys should be derived from user input / external servers / keyStore
    • shared preferences: /data/data/appname/shared_prefs, encrypted or “Secure-preferences”, avoid MODE_WORLD_READABLE
    • SQL/Realm: encrypted
    • internal storage: avoid MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE
    • external storage: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    • KeyChain: system wide keys
    • KeyStore: .store() with user specified password
    • resources: e.g. res/values/strings.xml
    • build configs, such as in local.properties or gradle.properties
    • file permissions in /data/data/appname
  • Testing for Sensitive Data in Logs
    • Prior to API 16, all apps can read logs (check android:minSdkVersion)
    • android.util.Log
    • Log.d | Log.e | Log.i | Log.v | Log.w | Log.wtf
    • Logger
    • System.out.print | System.err.print
    • logfile | logging | logs

    • unused strings (failed to remove by automatic stripper):

      Log.v("Private key [byte format]: " + key); -> new StringBuilder("Private key [byte format]: ").append(key.toString()

  • Testing Whether Sensitive Data is Sent to Third Parties

  • Testing Whether the Keyboard Cache Is Disabled for Text Input Fields

    • for sensitive fields:

      <EditText android:id="@+id/KeyBoardCache" android:inputType="textNoSuggestions"/>

  • Testing for Sensitive Data in the Clipboard
    • copy/past should be disabled: etxt.setCustomSelectionActionModeCallback
    • android:longClickable=”false”
  • Testing Whether Stored Sensitive Data Is Exposed via IPC Mechanisms
    • activities/broadcast/intents
      • check android:exported="true" or <intent-filter>
      • Avoid intent filters on Activities if they are private, instead use explicit intent.
      • Use permissions to protect Intents in your application.
      • intent sniffnig: Do not pass sensitive data between apps using broadcast intents. Instead, use explicit intents.
    • services:
      • use permissions
    • content providers:
      • use permissions
      • android.content.ContentProvider | android.database.Cursor | android.database.sqlite | .query(
      • sql injections
      • path traversals
  • Testing for Sensitive Data Disclosure Through the User Interface
    • android:inputType=”textPassword”
  • Testing for Sensitive Data in Backups
    • android:allowBackup=”true”
    • shouldn't store sensitive data | encryption
  • Testing for Sensitive Information in Auto-Generated Screenshots
    • LayoutParams.FLAG_SECURE should be set
  • Testing for Sensitive Data in Memory
    • no immutable structures should be used to carry secrets (e.g. String, BigInteger)
    • use AndroidKeyStore
    • Keys should be handled by the AndroidKeyStore or the SecretKey class needs to be adjusted
  • Testing the Device-Access-Security Policy
    • check if detection of rooted/encrypted device, debugging, min OS version can be bypassed
    • Settings.Secure
    • The Device Administration API
  • Verifying User Education Controls
    • pointing out weak passwords/rooted devices/old OS
• Cryptography
  • Testing for Custom Implementations of Cryptography
  • Testing for Insecure and/or Deprecated Cryptographic Algorithms
  • Testing for Insecure Cryptographic Algorithm Configuration and Misuse
    • Cryptographic salt, which should be at least the same length as hash function output
    • iteration counts KDF
    • IV, nonces, encryption modes
    • key management
  • Testing for Hardcoded Cryptographic Keys
    • two-way SSL: cert is not hardcoded, passphrase should be in KeyChain
  • Testing Key Generation Techniques
  • Testing for Stored Passwords
    • KDFs, not hashes
  • Testing Random Number Generation
    • shouldn’t use java.util.Random / JSA secureRandom bug
• Local Authentication
  • Testing Biometric Authentication
    • fingerprintManager.authenticate() with first arg be CryptoObject (not null)
    • KeyGenerator with .setUserAuthenticationRequired(true)
    • remote endpoint must require the client to present the secret retrieved from the Keystore, or some value derived from the secret.
• Network communication
  • Testing Endpoint Identify Verification
    • TLS cert: signed by CA, not self-signed, not expired
    • TrustManager
    • HostnameVerifier
  • Testing Custom Certificate Stores and SSL Pinning
  • Testing the Security Provider
  • use usesCleartextTraffic in manifest
• Testing Platform Interaction on Android
  • App permissions
  • Testing Custom URL Schemes
    • dz> run scanner.activity.browsable + a com.google.android.apps.messaging
    • dz> run app.activity.start + -action android.intent.action.VIEW + -data-uri “sms://0123456789”
  • Testing For Sensitive Functionality Exposure Through IPC
    • Binders
    • Services
    • Bound Services
    • AIDL
    • Intents
    • Content Providers
    • dz> run app.package.attacksurface com.mwr.example.appname
  • Testing JavaScript Execution in WebViews
    • best practices call for explicitly setting them as disabled
    • Disable local file access
  • Testing WebView Protocol Handlers
  • Testing Whether Java Objects Are Exposed Through WebViews
    • addJavascriptInterface()
  • Testing Object Persistence
  • Testing Root Detection
  • External links (from attacker) with intent:// protocol (may crash app)
• Code Quality and Build Settings
  • Verifying That the App is Properly Signed
  • Testing If the App is Debuggable
  • Testing for Debugging Symbols
  • Testing for Debugging Code and Verbose Error Logging
    • StrictMode tool
  • Testing for Injection Flaws
  • Testing Exception Handling
  • Verify That Free Security Features Are Activated
    • ProGuard tool
• Authentication recommendations (in order more or less):
  • generate (after login) and store (possibly encrypted) session id; server should handle expiration
  • generate (after login) and store (possibly encrypted) token (jwt/oauth) that expire after some time
  • AccountManager
  • encrypted credentials stored inside shared_preferences
  • plaintext credentials inside shared_preferences
  • refs:
    • https://android-developers.googleblog.com/2013/02/using-cryptography-to-store-credentials.html
    • https://developer.android.com/training/articles/security-tips.html
    • https://developer.pidgin.im/wiki/PlainTextPasswords
• Tools
  • RE
    • apktool - getting smali from .dex / .apk
    • http://www.javadecompilers.com/apk - decompile apk to .java files
    • apkx - one-step APK Decompilation With Multiple Backends (dex2jar,enjarify / cfr,procyon)
    • jdax - GUI Dex to Java decompiler
    • jd-gui - A standalone Java Decompiler GUI
  • Automated tools
    • androBugs - console vulnerability scanner
    • MobSF - automated pen-testing framework, web interface, both apk and ipa files
    • super - command-line Android Analyzer
  • Others
    • Genymotion - emulator
    • drozer - Security Assessment Framework, performs tests from local, malicious app perspective
    • android-backup-extractor
    • nogotofail - tests related to SSL/TLS
    • APK sign
    • Xposed - framework, modyfing Android system
    • Xposed Module: Just Trust Me - bypass SSL certificate pinning

iOS

• Insecure Data Storage
  • NSUserDefaults / .plist files / CoreData / WebCache
    • path: appDataPath/Library/Preferences/, appDataPath/Documents
    • view with: plutil
    • persists after app close
    • not encrypted
  • Keychain
    • can dump on jailbroken devices
• Side Channel Data Leakage
  • Logs
    • path: /var/log/syslog
  • Screenshots
    • path: appDataPath/Library/Caches/Snapshots/
  • Clipboard
    • cycript [UIPasteboard generalPasteboard].string
  • Keystroke logging
    • path: /var/mobile/Library/Keyboard/dynamic-text.dat
• URL schemes
  • path: appBundle/Info.plist -> CFBundleURLTypes
  • method handler: – (BOOL)application:(UIApplication )application openURL:(NSURL )url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation
• Client Side Injection
  • with UIWebView
  • example payload: <script>document.location='tel://1123456789'</script>
• Tools
  • Automated tools
    • MobSF - automated pen-testing framework, web interface, both apk and ipa files
    • Needle - framework, static code analysis, runtime manipulation, syslogs etc.
  • Others
    • Clutch - decryption tool (from memory)
    • dumpdecrypted
    • classdump
    • Keychain-Dumper - dumping keychain tool
    • libimobiledevice - library to communicate with iOS devices
    • Cydia Impactor - installing IPA on iOS devices tool
    • BinaryCookieReader - tool to read the binarycookie format from iOS applications
    • Ipainstaller - info about installed applications like directories, application uuid etc.