HackMiami 2017 Chemerkin Yury


THE RISE OF SECURITY ASSISTANTS

OVER SECURITY AUDIT SERVICES


YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
Yury Chemerkin has ten years of experience in information security. I'm a multi-skilled security expert on security & compliance, mainly focused on privacy and leakage showdown. Key activity fields are EMM, Mobile & Cloud Computing, IAM, Forensics & Compliance.
I have published many papers on mobile and cloud security and regularly appear at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc.

LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN

TWITTER: @YURYCHEMERKIN

EMAIL: [email protected]
MY RESEARCH RELATED TO THE TOPIC
2014
Results for ~200 cross-OS apps: protection concepts, OS specifics per concept, outlines & remediation, EMM specifics
“We know Twitter & Dropbox are better secured than bank apps!”
http://www.slideshare.net/EC-Council/hh-yury-chemerkin
http://defcamp.ro/dc14/Yury_Chemerkin.pdf
2015
Current Research ~700 apps (iOS, Android, BlackBerry, Windows, Mac OS apps)
+ Bonus: Security & Privacy Project (demo)
http://def.camp/wp-content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
2016
Refined to iOS and Android only
+ Bonus: Report + Security Project (alpha)
https://def.camp/wp-content/uploads/dc2016/Day%202/Yury_Chemerkin.pdf
2017 (Work in progress)
An app's security level is useful, but the ability to find the MIN data protection level is more valuable
+ Bonus: Report + Security Project (beta)
https://www.privacymeter.online/our-apps
MOBILE APPS BIG BANG – Y2011 - Y2014 - Y2017
Y2011 – viaForensics, which runs the appWatchdog web page, checked whether an app encrypted passwords, user names, or actual email content before storing it on the phone. A full pass meant that all three were stored in encrypted form. An app received a warning if the user name was left in plain text but password and content were encrypted. If either the password or content was stored in plain text, the app failed.
http://www.cbsnews.com/news/want-to-protect-your-emails-dont-use-these-11-android-and-iphone-email-apps/

Y2014 – Researchers find data leaks in Instagram, Grindr, OoVoo and more. By sniffing out the details of network communications, University of New Haven researchers have uncovered a host of data-leakage problems in Instagram, Vine, Nimbuzz, OoVoo, Voxer and several other Android apps. The problems include storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext on the device, sending passwords in plaintext, and in the case of TextPlus, storing screenshots of app usage that the user didn't take.

All in all, the researchers estimate 968 million people total use the apps.
https://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more/

Y2017 – 76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data. According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.

For 33 of the iOS applications, this vulnerability was deemed to be low risk (All data confirmed vulnerable to intercept is only
partially sensitive analytics data about the device, partially sensitive personal data such as e-mail address, and/or login
credentials which would only be entered on a non-hostile network).

For 24 of the iOS applications, this vulnerability was deemed to be medium risk (Confirmed ability to intercept service login
credentials and/or session authentication tokens for logged in users).

For 19 of the iOS applications, this vulnerability was deemed to be high risk (Confirmed ability to intercept financial or medical
service login credentials and/or session authentication tokens for logged in users).
https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1#.ea21dxqmw
PUBLIC RESEARCH
“AN ANALYSIS OF THE PRIVACY AND SECURITY RISKS
OF ANDROID VPN PERMISSION-ENABLED APPS”
The BIND_VPN_SERVICE permission is a powerful Android feature that allows the requesting app to intercept, manipulate and forward all of the user's traffic to a remote proxy or VPN server of their choice, or to implement proxies on localhost [93].
Android generates two warnings to notify users whenever an app creates a virtual interface using the VPN permission:
(i) a system dialog seeking the user's approval to create a virtual interface, and
(ii) a system-generated notification that informs users as long as the VPN interface remains active [60].
Third-party user tracking and access to sensitive Android permissions: 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages.
(Lack of) Encryption and traffic leaks: 18% of the VPN apps implement tunneling protocols without. 84% and 66% of the analyzed VPN apps do not tunnel IPv6 and DNS traffic due to lack of IPv6 support, misconfigurations or developer-induced errors.
TLS interception: Four of the analyzed VPN apps compromise users' root-store and actively perform TLS interception in flight. Three of these apps claim to provide traffic acceleration services and selectively intercept traffic to specific online services like social networks, banking, e-commerce sites, email and IM services and analytics services.
https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf
CHECK BOOKLETS AT THE
REGISTRATION TABLE
PENTESTER vs. DEVELOPERS

https://youtu.be/Nh11A41klL4?t=50s
HACKING PEOPLE USING PUBLIC WI-FI

http://www.downvids.net/using-public-wifi-is-not-as-safe-as-you-think-you-never-know-who-is-watching-1110506.html
NO WEAKNESS IN NORMAL ACTIVITY

Data leakage is data that becomes available when you perform typical activities. A vulnerability, by contrast, is a weakness of a program. Thus, vulnerability ≠ data leakage, because there is no weakness in normal activities…

So, shut up and install our application :)


COMMON WEAKNESSES OR VULNERABILITIES IN DATA PROTECTION. EXCERPTS
Sensitive data leakage [CWE-200]
- Sensitive data leakage can be either inadvertent or via a side channel
- Protection can be poorly implemented, exposing: Location; Owner ID info: name, number, device ID; Authentication credentials & tokens
- Target app information is also sensitive (out of scope of CWE-200)
Unsafe sensitive data storage [CWE-312]
- Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off the file system, especially on removable storage like a micro SD card or public folders (out of scope of CWE-312), e.g. banking and payment system PIN numbers, credit card numbers, or online service passwords
- There's no excuse for sandboxing without encryption here
Unsafe sensitive data transmission [CWE-319]
- Data must be encrypted in transmission lest it be eavesdropped by attackers, e.g. on public Wi-Fi
- If an app implements SSL, it could fall victim to a downgrade attack degrading HTTPS to HTTP
- Another way SSL could be compromised is if the app does not fail on invalid certificates
- There's no excuse for partial SSL validation here
OWASP MOBILE: PAST vs. NOW
Code Protection / Code Protection & Dev fails / Data Protection & Dev fails

Top 10 Mobile Risks 2012-2013
- M1: Insecure Data Storage
- M2: Weak Server Side Controls
- M3: Insufficient Transport Layer Protection
- M4: Client Side Injection
- M5: Poor Authorization and Authentication
- M6: Improper Session Handling
- M7: Security Decisions Via Untrusted Inputs
- M8: Side Channel Data Leakage
- M9: Broken Cryptography
- M10: Sensitive Information Disclosure

Top 10 Mobile Risks 2014-2015
- M1: Weak Server Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization and Authentication
- M6: Broken Cryptography
- M7: Client Side Injection
- M8: Security Decisions Via Untrusted Inputs
- M9: Improper Session Handling
- M10: Lack of Binary Protections

Top 10 Mobile Risks 2016-2017
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Y2017's Top 10 is upcoming
THE BEST ‘WORST’ APPs. Everything in plaintext
AlterGeo
No updates since Spring Y2014. Everything in plaintext including Credentials
Weather Street Style
Sends Credentials & Geo to the server every 30 seconds
WeChat
Own protection over http, except Location data – plaintext
Location 'n' Maps Information: Contact Media
Message Information: GEO & Address Data, GEO Snapshots, Place Details
Maxim Taxi (RU) (iOS & Android)
No Credit card is supported (?)
Meridian (RO) (iOS & Android)
Geolocation, Credentials, Account Info, Social Info
Cris Taxi Bucuresti (RO) (iOS & Android)
Geolocation, Credentials, Account Info, Social Info, Travel Info, Orders Info
Taxi 777 (RU) (iOS & Android)
Geolocation, Credentials, Account Info, Orders Info, Financial Info
Fix Taxi (RU) (Android)
Geolocation, Credentials, Account Info, Orders Info, Financial Info
WEIRD PROJECTS: FACEBOOK APPS
FACEBOOK, MESSENGER, PAGE MANAGER

~60 data items per each application


Application Information – MITMed, crafted cert is needed
Transaction History & Contact Short Profile
Credentials (IDs), Credentials (Passwords) and Credentials (Tokens)
Browser Information
Preview
Message Information
GEO Data
GEO Snapshots
The rest of the Data-in-Transit data is SSL pinned & the Data-at-Rest data is in the backup
Account Information, Address Book 'n' Contact Information, Analytics 'n' Ads Information,
Application Information, Credentials Information, Device Information, Events Information,
Location 'n' Maps Information, Media Information, Social Information
Media Data are in plaintext (Facebook Messenger)
Cached profile images
AEROEXPRESS. PCI DSS PASSED BUT FAILS
WITH ANTIMITM
The apps had no SSL validation for years, until Apr 16th, 2017. Now a cert is needed to MITM
~20-25 data items per each application

Data-in-Transit Data Items
'Credentials Info' Group: Credentials (IDs, Activation IDs, Password)
'Loyalty Info' Group: Account Details
'Payment Info' Group: Card Full Information, Shorted Passport Data
'Orders Info' Group: Orders Details & History, Media Data (QR Ticket, URL for Ticket, Address Data - Railways Station), Shorted Passport Data
'Account Info' Group: Tracked Data & Favourites
Data-at-Rest Data Items (same data items)

According to PCI DSS docs, the app is required to:
prevent MITM, do SSL validation
not store payment details
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

February Y2015
Aeroexpress has passed its PCI DSS certification. Now it is even safer for passengers to pay for online services provided by this express carrier.
In early February, Aeroexpress passed its PCI DSS certification, which is aimed at ensuring the secure processing, storage and transfer of data about Visa and MasterCard holders. Given the PCI DSS certified security level, Aeroexpress passengers can pay for tickets via the website or the company's mobile app using bank cards and can be confident that their personal data and funds are safely secured.
Press Release: https://aeroexpress.tickets.ru/en/content/safety_payments.html
Press Release: https://aeroexpress.ru/en/press_releases/news20090589.html
COMPANIES’ QUOTES
WHAT THEY THINK ABOUT INSECURITY

"Message data is stored in an unencrypted format because the operating systems (both
iOS and Android) provide data isolation that prevents apps from having their storage
read by other apps. This is considered standard in the industry, and is completely safe,"
Kik said in 2014. Now they have moved to secure storage (Y'17)
https://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more/

Oxygen Forensics releases a maintenance version of Oxygen Forensic® Detective.

Version 9.0.1 offers functionality and interface improvements of Oxygen Forensic® Cloud Extractor, Oxygen Forensic® Maps and Export Engine. It also adds data parsing from Video Locker and KeepSafe applications and updates support for popular messengers: Kik Messenger, Facebook Messenger, Viber, WhatsApp, etc. The total number of supported app versions exceeds 2400!
Applications. Messengers. Updated support for Kik Messenger (10.16.1.9927) for Android OS devices.
https://www.oxygen-forensic.com/en/events/news/739-oxygen-forensic-detective-adds-support-for-new-applications-and-devices
EXTRACTING LOCAL DATA. EXAMPLES

Common OS techniques
Public tools incl. rooting scripts
Forensics solutions:
Cellebrite
Oxygen Forensics
Elcomsoft
And more…
FORENSICS CLOUD FEATURES
Cellebrite
UFED Cloud Analyzer provides access to more than 25 private cloud data sources to help you attain the critical case evidence that
often hides in cloud application data. See the full list below: Facebook, WhatsApp, Twitter, Gmail, Google Location History, Google
My Activity, Google Photos, Google Chrome, Google Calendar, Google Contacts, Google Drive, Google Bookmarks, Google Tasks,
Mail (IMAP), Dropbox, iCloud App, iCloud Calendar, iCloud Contacts, iCloud Drive, iCloud Photos, OneDrive, Instagram, KIK, VK,
Telegram, iCloud Notes, iCloud Reminder, iCloud Location http://www.cellebrite.com/Pages/ufed-cloud-analyzer
Oxygen Forensic® Detective
Oxygen Forensic® Detective acquires data from more than 30 cloud storages: iCloud contacts and calendar, Google Drive, Google
Location History, Live contacts and calendar, OneDrive, Dropbox and Box as well as from a wide range of social media including
Twitter and Instagram https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/cloud-data-extraction
Elcomsoft Cloud eXplorer
Acquire information from users’ Google Account with a simple all-in-one tool! Elcomsoft Cloud Explorer makes it easier to download,
view and analyze information collected by the search giant, providing convenient access to users’ search and browsing history, page
transitions, contacts, Google Keep notes, Hangouts messages, as well as images stored in the user’s Google Photos account.
https://www.elcomsoft.com/ecx.html
Elcomsoft Phone Breaker
Cloud acquisition is an alternative way of retrieving information stored in mobile backups produced by Apple iOS, and the only
method to explore Windows Phone 8 and Windows 10 Mobile devices. Elcomsoft Phone Breaker can retrieve information from Apple
iCloud and Windows Live! services provided that original user credentials for that account are known.
The Forensic edition of Elcomsoft Phone Breaker enables over-the-air acquisition of iCloud data without having the original Apple ID
and password. Password-free access to iCloud data is made possible via the use of a binary authentication token extracted from the
user’s computer.
Elcomsoft Phone Breaker supports accounts with Apple's two-step verification as well as the new two-factor authentication. Access to
the second authentication factor such as a trusted device or recovery key is required. You will only need to use it once as Elcomsoft
Phone Breaker can save authentication credentials for future sessions. https://www.elcomsoft.com/eppb.html
CELLEBRITE UNLOCKING CAPABILITIES

Cellebrite Advanced Investigative Services (CAIS) experts provide law enforcement


agencies with forensically sound, early access to sensitive mobile digital intelligence.

Advanced Technical Services provide:


Unlocking and extraction of Apple iPhone 4S, 5, 5C, 5S, 6, 6 Plus, iPad 2, 3, 4,
iPad Air, iPad mini 1, 2, 3, 4, iPod touch 5G, 6G
Unlocking and decrypted physical extraction of Samsung Galaxy S6, S6 edge,
S6 edge+, S6 active, A5, A7, A8, J1, J7, Note 5, S7, S7 edge, S7 edge, S7
active
Decrypted Physical extractions available for most models
Limitations may apply based on iOS/Android version and Security patch level

http://go.cellebrite.com/cais_unlock
OXYGEN FORENSIC DETECTIVE
Oxygen Forensic® software retrieves all vital application data from mobile devices running iOS, Android OS, BlackBerry 10, Windows Phone 8. The program is able to decrypt app databases even if they are securely encrypted.
Currently 370 unique applications and 2760+ app versions are supported.
Social Networks, Dating, Messengers, Web Browsers, Navigation, Travel, Finance, Productivity, Health, Games
Android Rooting add-on grants access to: Full file system, Applications data, Geo-location information, Deleted data
No 100% successful rooting is guaranteed. The procedure is available for most Android devices with versions 1.6 - 2.3.4 and 3.0 - 5.1
The Jet-Imager module allows creating full physical dumps from Android devices on average up to 25% faster. The extraction speed depends on how much data the device has. For example, 16GB can be extracted in 5-7 minutes, 32GB in 8-10 minutes.
Currently there are two extraction methods in the Jet-Imager module:
physical extraction via custom forensic recovery (Samsung)
physical extraction of pre-rooted devices
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/jet-imager
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/analyst/android-rooting-addon
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/analyst/applications
ELCOMSOFT iOS FORENSIC TOOLKIT
Support for 32-bit and 64-bit iOS Devices
All devices: Logical acquisition is available for all devices regardless of jailbreak status / iOS version. Supports lockdown files for accessing passcode-protected devices.
Legacy: Unconditional physical acquisition support for legacy devices (iPhone 4 and older) regardless of iOS version and lock status
32-bit: Full physical acquisition support of jailbroken 32-bit devices running all versions of iOS up to and including iOS 9.3.3 (iPhone 4S through 5C, iPad mini)
64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS for which a jailbreak is available (iPhone 5S, 6, 6S and their Plus versions, iPad mini 2
through 4, iPad Air, Air 2)
iOS 9.3.4, 9.3.5, iOS 10.x: Logical acquisition only for iPhone 7, 7 Plus and all other devices running iOS 10 or versions of iOS 9 without jailbreak. Device must be
unlocked with passcode, Touch ID or lockdown record
Locked: Limited acquisition support for jailbroken 32-bit and 64-bit iOS devices that are locked with an unknown passcode and cannot be unlocked
Compatible Devices and Platforms
The Toolkit fully supports the following iOS devices, running all iOS versions up to iOS 7; no jailbreaking required, passcode can be bypassed or quickly recovered:
iPhone (original), iPhone 3G, iPhone 3GS, iPhone 4 (GSM and CDMA models), iPad (1st generation), iPod Touch (1st - 4th generations)
Physical acquisition is available for the following models (requires jailbreak with OpenSSH installed)
iPhone 4S, iPhone 5, iPhone 5C, iPod Touch (5th gen), iPad 2, iPad with Retina display (3rd and 4th generations), iPad Mini
The following (64-bit) models are supported via physical acquisition for 64-bit devices, regardless of iOS version (up to 9.3.3):
iPhone 5S, iPhone 6, iPhone 6 Plus, iPhone 6S, iPhone 6S Plus, iPad Air, iPad Air 2, iPad Mini 2/3/4, iPad Pro
All other devices including iPhone 7/7 Plus as well as devices running iOS 10.x, 9.3.4 and 9.3.5 are supported via logical acquisition (must be unlocked with passcode,
Touch ID or lockdown record).
Supported operating systems:
iOS 1-5
iOS 6.0-6.1.2 (with evasi0n jailbreak)
iOS 6.1.3-6.1.6 (with p0sixspwn jailbreak)
iOS 7.0 (with evasi0n jailbreak)
iOS 7.1 (with Pangu 1.2+ jailbreak)
iOS 8.0-8.1.2 (with TaiG, PanGu or PP jailbreak)
iOS 8.1.3-8.4 (with TaiG 2.0 jailbreak)
iOS 9.0-9.1-9.2-9.3.3 (with PanGu jailbreak)
iOS 9.3.4-10.x (via logical acquisition only)

Decrypt keychain items, extract device keys (32-bit devices only)
Keychain is extracted but cannot be decrypted with 64-bit devices except with a known / empty backup passcode; passcode must be removed in iOS settings
Passcode is not required
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including the following: Email messages; Most keychain records (stored login/password information); Certain third-party application data, if the application requested strong encryption.
iOS 8.x through 10.x: most information is protected. Without the passcode, only a very limited amount of data: Call log that includes all incoming and outgoing calls (including FaceTime), Voicemail, All settings and options, List of installed apps, Many log files including download and update histories, service launch logs and many other system and application logs, Various temporary files
Simple 4-digit passcodes recovered in 10-40 minutes
https://www.elcomsoft.com/eift.html
UNSECURED WI-FI.
FREE WI-FI IN A CITY (UNDERGROUND/SUBWAY, PARKS,
BUS & BUS STOP, … EVERYWHERE)
SSL ISSUES: Apps, Mozilla, WoSign,
Apple, Google
Applications handle SSL connections in different ways:
- Some don't validate the SSL certificate during the connection, or are affected by SSL strip attacks
- Many trust the root SSL certificates installed on the device when validating SSL
- Some have a pinned SSL certificate and trust only it

Trusting root certificates might not be a good idea

Mozilla reports that WoSign & StartCom roots are cross-signed by other trusted or previously-trusted roots (expired but still unrevoked):
WoSign issued ~1,500 invalid certificates. Apple removes these from iOS & Mac https://support.apple.com/en-us/HT204132
Despite the revoked CAs, StartCom and WoSign continue to sell certificates. So, Apple (Safari), Mozilla (Firefox) and Google (Chrome) are about to stop trusting them
Symantec API flaws reportedly let attackers steal private SSL keys & certificates. Symantec knew of the API flaws since 2015
The flaw, discovered by Chris Byrne, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates.
Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attacks over secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted. http://thehackernews.com/2017/03/symantec-ssl-certificates.html
GOVERNMENT AND NETWORK SECURITY
Online surveillance. Microsoft may be accidentally helping Thailand’s government spy on its citizens

A new report from Privacy International entitled “Who’s That Knocking at My Door? Understanding Surveillance in
Thailand” says a Microsoft policy involving root certificates enables the state to monitor encrypted communications
sent via email or posted on social media sites. Microsoft says that the certificate meets the company’s standards.

While Apple’s macOS does not include the Thai root certificate by default, Microsoft Windows does, and Privacy
International says this leaves users of that operating system open to attack or surveillance. Windows accounts for
over 85 percent of the desktop computing market in Thailand, according to StatCounter.
https://news.vice.com/story/microsoft-may-be-accidentally-helping-thailands-government-spy-on-its-citizens

Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016
The law was accepted in December, but now one of the providers announced
information for small and medium business how to install
government-provided root SSL certificate: https://goo.gl/yzGzPp
Update, Contribution with Mozilla:
Mozilla bug report – Add Root Cert of Republic of Kazakhstan
Mozilla CA Program (in pdf)
Gov Cert of Kazakhstan

https://www.reddit.com/r/sysadmin/comments/3v5zpz/kazakhstan_is_going_to_start_intercepting_https/
BYPASSING NETWORK SECURITY FOR $0
How To: Use mitmproxy to read and modify HTTPS traffic
https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
Use SSLsplit to transparently sniff TLS/SSL connections – including non-HTTP(S) protocols
https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
How To: DNS spoofing with a simple DNS server using Dnsmasq
https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/
Rogue AP Setup
https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-invisible-rogue-access-point-siphon-off-data-undetected-0148031/
Kali Linux Evil Wireless Access Point
https://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
Bettercap – mixed features
https://www.bettercap.org/docs/proxying/http.html
https://www.bettercap.org/docs/servers/dns.html
https://www.bettercap.org/docs/proxying/custom.html
… and so on :)
MOBOMARKET
MOBOMARKET (ANDROID APP STORE), BEST ONE IN CHINA & INDIA
App v2
- SSL worked but MITM was possible (preinstalled cert?)
- Privacy Policy: "We encrypt our services and data transmission using SSL"
- "You're responsible for privacy". Just do it yourself
On March, 2016: Slide #48, http://goo.gl/wPfmgM

App v3
- Everything is in plaintext by HTTP, even app installers (APK)
- Privacy Policy: "We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information & data stored on Site"
Official Website http://goo.gl/FYOXjE
GOOGLE MAPS, TRELLO, SWARM, FOURSQUARE, PLAZIUS
Google Maps: SSL Pinned to Not Pinned (MITM is available by crafted certificate)
~24-31 data items per each iOS & Android app
Address Data (what you’re typing in search field) – was pinned
Other items are still MITMed with crafted certificate
Trello: SSL Pinned to Not Pinned (MITM is available by crafted certificate)
~25 data items per each application iOS & Android app – was pinned
'Credentials Info' Group: Credentials (IDs, Password)
‘Account Info' Group: Account Data, Media Data (Profile Images)
‘Tasks Info' Group: Tasks, Sync Docs, Doc List, URLs
Foursquare & Swarm: Non-protected Media, iOS fixed – can be MITMed via crafted cert
~30-40 data items per each application
‘Account Info’ Group: Media Data (Profile Images) – iOS & Android not fixed
‘Media Info’ Group: Place Details (Place & Building photos) – iOS fixed
‘Geo Info’ Group: Place Details (textual), Media Data (City photos) - iOS fixed
Plazius: Random fixes
~20-25 data items per each application
Apps written for iOS < 10 DO NOT HAVE a SSL validation
Apps written for iOS 10+ only got fixes (MITM with crafted certificate still works)
Android Apps HAVE a SSL Pinning
EVERNOTE AND EFAX

eFax – weird SSL Pinning
Evernote – downgraded from Pinning
Evernote for Android (March, 2017) – Pinned everything

Before Summer/Autumn 2016
- eFax: Media faxes are PINNED, but Media URL of faxes, Credentials & rest data are MITMed (Cert)
- Evernote: Everything is PINNED, except Social credentials of LinkedIn; Location data is not protected
- Locally stored data: Accessible via iTunes incl. all DBs

Since Autumn 2016
- eFax: MITM with preinstalled/crafted/stolen CERT. Applies to all data items
- Evernote: Everything is MITMed with preinstalled/crafted/stolen CERT
- Documents & Location Info: GEO Data & Address Data

Since March 2017
- eFax: MITM with preinstalled/crafted/stolen CERT. Applies to all data items
- Evernote: Everything Pinned (Android only); Location data is Pinned (Android)
- Documents & Location Info: GEO Data & Address Data
INSTAGRAM: "LONG ROAD TO SECURITY"
FROM INSECURITY TO SECURITY THROUGH SECURITY & INSECURITY
- Media Data = Advertisement, Profile images, your photos and so on…
- Y2014: Media data transferred as is without protection; hosted on AWS S3
- Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet.
- Y2015: Media data transferred over HTTPS and hosted on Amazon Storage Service (AWS S3); Crafted cert to MITM needed
- Y2016: Media data transferred as is without protection and hosted on own Instagram storages
- Y2017 - iOS: Media data transferred over HTTPS; Crafted cert to MITM needed
- Y2017 - Android: Media data transferred as is without protection; the rest of the data is SSL PINNED
IOS. ENABLE A USER ROOT CERT TO BYPASS A SYSTEM-WIDE ANTI-MITM TECHNOLOGY

Apple introduced a new network security enhancement on iOS 10+. That enhancement prevents third parties from listening to network requests coming out of the app, through the enabling and disabling of root user certificates.
ANDROID 7. REPACK APK TO BYPASS A
SYSTEM-WIDE ANTI-MITM TECHNOLOGY
Google introduced new network security enhancements on Android 7.0. Those new enhancements prevent third parties from listening to network requests coming out of the app. More info:
1) https://developer.android.com/training/articles/security-config.html
2) http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html
This script injects into the APK network security exceptions that allow third-party software, like Charles Proxy / Fiddler, to listen to the network requests and responses of the app.
Download the script and the xml file and place them in the same directory.
You will need apktool and android sdk installed. I recommend using brew on Mac to install apktool (brew install apktool)
The script takes 2 arguments: 1) Apk file path. 2) keystore file path (optional - Default is: ~/.android/debug.keystore)
Examples
./addSecurityExceptions.sh myApp.apk or ./addSecurityExceptions.sh myApp.apk ~/.android/debug.keystore

Network security config structure (from the Android documentation linked above):
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain>android.com</domain>
        ...
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
        <pin-set>
            <pin digest="...">...</pin>
            ...
        </pin-set>
    </domain-config>
    ...
    <debug-overrides>
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
    </debug-overrides>
</network-security-config>

https://github.com/levyitay/AddSecurityExceptionAndroid
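The CWE-319 excerpt earlier (downgrade to HTTP, not failing on invalid certificates) and the repacked-APK bypass above both come down to what the network security config permits. As an added example, not code from the talk or from the AddSecurityExceptionAndroid project, the Python script below audits such a config for exactly those settings; it assumes only the element names from the Android documentation linked above, and both embedded configs are constructed samples with a placeholder host and placeholder pins.

```python
"""Audit an Android Network Security Config for the settings that reopen the
pre-Android-7 interception surface: cleartext HTTP, trust in user-installed CA
roots outside debug builds, and pin-sets without a backup pin. Added example,
not from the talk or the AddSecurityExceptionAndroid project; it assumes the
element names documented for network_security_config.xml (Android 7.0)."""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of "security exception" a repacking script
# injects so a proxy's root is trusted app-wide; plain HTTP is allowed too.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: system roots only, no cleartext, the API host pinned with
# a backup pin, user roots honoured only in debuggable builds. The host and the
# pin values are placeholders, not real pins.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

SCOPES = ("base-config", "domain-config", "debug-overrides")


def _label(scope):
    """Name a config scope; for domain-config, list the domains it covers."""
    if scope.tag != "domain-config":
        return scope.tag
    domains = [d.text.strip() for d in scope.findall("domain") if d.text]
    return "domain-config(%s)" % ", ".join(domains)


def audit_config(xml_text):
    """Return (scope, finding) tuples in document order; [] means clean."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "network-security-config":
        raise ValueError("not a network-security-config document")
    findings = []
    for scope in root:
        if scope.tag not in SCOPES:
            continue
        label = _label(scope)
        # 1. Cleartext HTTP: the HTTPS-to-HTTP downgrade case (CWE-319). On
        #    Android 7 and 8 the attribute defaults to true, so a base-config
        #    that leaves it unset is reported as well.
        cleartext = scope.get("cleartextTrafficPermitted")
        if cleartext is not None and cleartext.lower() == "true":
            findings.append((label, "cleartext traffic permitted"))
        elif cleartext is None and scope.tag == "base-config":
            findings.append((label, "cleartext not explicitly disabled"))
        # 2. User-installed CA roots in a release scope: any root a proxy puts
        #    on the device becomes valid for the app. Inside debug-overrides
        #    the setting only applies to debuggable builds, so it is skipped.
        if scope.tag != "debug-overrides":
            for cert in scope.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append((label, "user-installed CA roots trusted"))
        # 3. Pin-set hygiene: without a backup pin a key rotation locks users
        #    out, and Android evaluates SHA-256 pins only.
        for pin_set in scope.findall("pin-set"):
            pins = pin_set.findall("pin")
            if len(pins) < 2:
                findings.append((label, "pin-set has no backup pin"))
            for pin in pins:
                if pin.get("digest") != "SHA-256":
                    findings.append((label, "pin digest is not SHA-256"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Running it on an APK's res/xml/network_security_config.xml after decoding with apktool shows whether a build still carries a proxy exception or allows plain HTTP.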
iOS MASQUE ATTACK WEAPONIZED:
A REAL WORLD LOOK
FireEye has recently uncovered 11 iOS apps within the Hacking Team’s arsenals that
utilize Masque Attacks, marking the first instance of targeted iOS malware being
used against non-jailbroken iOS devices.
These apps are reverse engineered and weaponized versions of popular social
networking and messaging apps, including: WhatsApp, Twitter, Facebook, Facebook
Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype,
Telegram, and VK.
Unlike the normal versions of these apps, they come with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. Because all the bundle identifiers are the same as the genuine apps on the App Store, they can directly replace the genuine apps on iOS devices prior to 8.1.3.
https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html
AN EXAMPLE OF THE RUNTIME BEHAVIOR
OF THE REPACKAGED FACEBOOK APP

https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html
APPS FINDINGS. OVERALL RESULTS

250 apps = 135 iOS apps + 115 Android apps
8124 data items = 4287 (iOS) + 3837 (Android)
20+ application groups (17 unique groups)
30 data groups & 105 data items over 8K data items
462 unique pairs of data group & data item

Application groups: Business, News & Magazines, Communication, Productivity, Entertainment, Shopping, Finance, Social Networking, Food & Drink, Tools & Utilities, Lifestyle, Transportation, Photo & Video, Travel & Local, Music, Navigation, Weather
COMPARING UP-TO-DATE OS AND OUTDATED OS OVER
250 APPS
[Bar chart: average protection level (scale 0 to 9) for Av. OS Protection Level, Av. DIT Protection Level and Av. DAR Protection Level, with four series: Android 7+, iOS 10+, Android < 7, iOS < 10. Plotted values lie between 3,60 and 4,97; the assignment of values to bars is not recoverable from the extracted text.]
QUANTITY OF APPLICATIONS PER THE
PROTECTION GROUP
              Worst applications   Bad applications   Good applications   Best applications
iOS           27,41%               100,00%            97,04%              30,37%
Android       24,35%               100,00%            93,04%              24,35%
iOS old       27,41%               100,00%            97,04%              30,37%
Android old   24,35%               100,00%            30,43%              20,87%


QUANTITY OF APPLICATIONS
WITHOUT ENCRYPTION ← → WITH ENCRYPTION
[Two bar charts, each with columns iOS, Android and iOS & Android for DIT and for DAR: left panel, applications without encryption (values from 17,60% to 100,00%); right panel, applications with encryption (values from 12,40% to 28,89%). The assignment of values to bars is not recoverable from the extracted text.]

THE QUANTITY OF
PROTECTED DATA ITEMS VS. OS IMPACT.
[Bar chart with columns Worst All, Worst iOS, Worst Android, Best All, Best iOS, Best Android and two series, Env. and Raw; the three largest values are 46,30%, 36,54% and 27,81%, the remaining nine lie between 1,38% and 4,41%. The assignment of values to bars is not recoverable from the extracted text.]
APPS WITH WORST PROTECTED DATA
ITEMS AND ITS PROTECTION LEVEL
[Bar chart: one group of bars per app, protection level on a 0 to 6 scale, series Env (iOS), Raw (iOS), Env (Android), Raw (Android). The rotated app names on the x-axis are only partly readable in the extracted text; among them are Booking.com, British Airways, Facebook, Flipboard, Fly Delta, Foursquare, Instagram, Marriott, Skyscanner, Swarm, VK and WeChat.]
ISSUE:
SAME DATA ITEMS, DIFFERENT PROTECTION LEVEL
Same data items (one password, card data, passport, etc. shared over several apps)
Different protection levels across these apps mean that the worst one burns your security down
'Account Info' Group: Account Data, Account Details
'Application Info' Group: URLs (URL to binary installer files)
'Browser Info' Group: Card Full Info (with CVC/CVV)
'Credentials Info' Group: Credentials (Tokens, IDs, Password, Activation IDs)
'Financial Info' Group: Card Short Info (no CVC/CVV), Favourite Cards
'Geolocation Info' Group: Geo, Address Data, Place Details, Favourite Addresses, Media
'Orders Info' Group: Orders Details & History
'Travel Info' Group: Geo, Address Data, Trips Info
'Social Info' Group: Account Data, Credentials (Tokens, IDs, Password), Device Environment
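An added illustration of this point, not PrivacyMeter's own code: over constructed records it finds, per data item, the weakest protection level across apps and the app responsible for it, and the level a user effectively gets from the apps actually installed. App names and levels are assumptions; the 0..6 scale and the group/item names follow the deck.

```python
"""Worst-case protection per data item across apps. Added example, not PrivacyMeter's code."""
from collections import defaultdict

# Constructed sample: (app, data group, data item, protection level 0..6).
# Apps and levels are made up for illustration, not measured results.
RECORDS = [
    ("AppA", "Credentials Info", "Password", 5),
    ("AppB", "Credentials Info", "Password", 1),
    ("AppC", "Credentials Info", "Password", 4),
    ("AppA", "Financial Info", "Card Short Info", 4),
    ("AppB", "Financial Info", "Card Short Info", 4),
    ("AppC", "Browser Info", "Card Full Info", 0),
    ("AppA", "Geolocation Info", "Address Data", 3),
    ("AppB", "Travel Info", "Address Data", 2),
]

def worst_per_item(records):
    """Per data item: the lowest level seen and the app causing it (the 'betrayer'),
    plus the best level, so the spread between apps holding the same item is visible."""
    by_item = defaultdict(list)
    for app, _group, item, level in records:
        by_item[item].append((level, app))
    result = {}
    for item, entries in by_item.items():
        worst, best = min(entries), max(entries)
        result[item] = {"min": worst[0], "betrayer": worst[1],
                        "max": best[0], "best_app": best[1],
                        "gap": best[0] - worst[0]}
    return result

def effective_level(records, installed):
    """Level a user actually has per item for a given set of installed apps: an item
    shared by several apps is only as protected as the weakest app holding it."""
    levels = {}  # item -> (level, app)
    for app, _group, item, level in records:
        if app in installed and level < levels.get(item, (7, None))[0]:
            levels[item] = (level, app)
    return levels
```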
CONCLUSIONS
• An app designed in compliance with the Apple and Google security guidelines gets the minimal level of protection, if it is done the right way
• There is nothing like data leakage besides vulnerabilities. OWASP strongly disagrees
• I believe my app has good protection. Okay, don't forget to check it on the forensics web-site :)
• A privacy policy and other statements about security don't guarantee anything
• It works only with root/jailbreak. There are backup copies that keep plenty of awesome data inside them
• Tell that to forensics teams and check it on the forensics web-site again :)
• A crafted SSL certificate to perform MITM is not a global issue. What about stolen, revoked and government root certificates then?
• Android 7 prevents MITM attacks. Yes, but only in combination with other requirements (no alternative app market, no repackaged apps, no root, no apps from unknown sources)
• iOS 10 prevents MITM attacks via root user certificates. Users can enable or disable installed certificates
• Is the next update going to bring fixes? No, the next release may even be worse protected
• But we keep an eye on new releases
• Many apps are not well protected, should I ignore it? No, keep an eye on security update news
SOLUTIONS: FOR DEVELOPERS
• Secure Mobile Development Guide by NowSecure
  • Coding Practices
  • Handling Sensitive Data
  • iOS & Android Tips
  • etc.
https://books.nowsecure.com/secure-mobile-development/en/index.html
SOLUTIONS: DATA PROTECTION DBs
• We [as security experts] know what data is protected and what is not,
  regardless of whether it is stored locally, transferred or hardcoded
• Also, we know two simple things
  • not only users publish their data
  • developers can't protect data
• At the same time we're customers, right?
• As a customer I prefer, and have the right, to know when my devices shouldn't
  be connected to a network or plugged into a PC/Mac.
• Developers aren't going to tell me if they fail. Instead they're telling me
  'everything is OK, but they're not responsible for anything'
SOLUTIONS: DATA PROTECTION DBs
• The goal is to provide a solution that helps to keep 'everyone'
  informed about app security fails.
• Everyone means
  • app users as well as app developers
  • you don't need to be an expert to understand how it affects you;
    you just know whether it has the required level of protection or not
  • but you have to get used to the fact that your application handles a lot of
    data, visible and not visible to you, beyond the blueberry
    muffins over the weekend
Vulnerabilities matter, but they have existed for over 40 years
A vulnerability is a defect/flaw in the design, in the developer's code or in third-party libraries
Lack of data protection is usually insecurity by design plus implementation fails
By now even OWASP considers data protection a more important thing than vulnerabilities
Lack of data protection is described by 3 vulnerabilities in data protection:
sensitive data leakage (CWE-200), storage (CWE-312), transmission (CWE-319)
PrivacyMeter gives answers about (at the moment):
• list of apps and average values (Raw value, Environment value depending on OS)
• list of app data items grouped by 'protection levels/categories'
• data item protection level and explanation
• examination of the privacy policy in regard to the gained app results
Results are available on the web-site http://www.privacymeter.online/ see booklets (!)
Download the Autumn Report http://www.privacymeter.online/reports see booklets (!)
PRIVACYMETER. PROJECT
App Section (Goal): Find averagely bad app
• Overall results
• List of apps
• Filtering by app level
• Local & Network Data
PRIVACYMETER. PROJECT
App's Data Section (Goal): Find bad data item; Check if the new OS is better
• App's Level
• List of Data Items
• App Data's Level filters
• All app levels by OS ver.
• Data's Level Explanation
PRIVACYMETER. PROJECT
Data Section (Goal): Find Betrayer App per Data
• List of Data Items
• Data's Level filters
• App related to Data
• Data App's Level filters
• Data's Level Explanation
PRIVACYMETER. PROJECT.
UPCOMING FEATURES
• Custom App List (already done)
• Android Apps Synchronize (already done)
• Forensics affected devices (which are in a forensics list and crackable)
• Custom Data List (important data tracking)
• New simple data naming
• Profiles & Alerting
• Simple explanations and advice for users
• Sorting by name, level and so on
• More cool features…
THE RISE OF SECURITY ASSISTANTS OVER
SECURITY AUDIT SERVICES

https://goo.gl/eR8MWh
THE RISE OF SECURITY ASSISTANTS
OVER SECURITY AUDIT SERVICES

YURY CHEMERKIN
SEND A MAIL TO: [email protected]

HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN