
OWASP Mobile Security Project

Experiences from pentesting banking applications using OWASP MASVS

OWASP Spain, Luis A. Solís
23-Nov-17
Contents
● About me
● Motivation
● Introduction
● OWASP Mobile Security Project
– OWASP MSTG
– OWASP MASVS
● OWASP MASVS
– Security Verification Level
– Verification Requirements
● Tools
● Bonus track

Motivation

[1] https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Mobile Security Project

Top 10 Mobile Risks - Final List 2014
OWASP Mobile Security Project

The Mobile Top Ten 2016
OWASP Mobile Security Project

OWASP Mobile Security Project: MASVS, MSTG, Checklist
OWASP MSTG
The OWASP Mobile Security Testing Guide
(MSTG) is a comprehensive manual for testing
the security of mobile apps. It describes
processes and techniques for verifying the
requirements listed in the [Mobile Application
Security Verification Standard (MASVS)] and
provides a baseline for complete and consistent
security tests.

– 0x04b Mobile App Security Testing
– 0x04c Tampering and Reverse Engineering
– 0x04e Testing-Authentication-and-Session-Management
– 0x04f Testing-Network-Communication
– 0x04g Testing-Cryptography
– 0x04h Testing-Code-Quality

[2] https://github.com/OWASP/owasp-masvs
OWASP MASVS
Is a standard for mobile app security. It can be
used by mobile software architects and
developers seeking to develop secure mobile
applications, as well as security testers to
ensure completeness and consistency of test
results.
The MASVS defines two strict security verification levels (L1 and L2), as well as a set of reverse engineering resiliency requirements (MASVS-R) that is flexible, i.e. adaptable to an app-specific threat model. MASVS-L1 and MASVS-L2 contain generic security requirements and are recommended for all mobile apps (L1) and apps that handle highly sensitive data (L2). MASVS-R covers additional protective controls that can be applied if preventing client-side threats is a design goal.
Source: Mobile AppSec Verification v0.9
[Latest release: version 0.9.4]

Security Verification Level
Security Verification Levels. MASVS-L1 provides a solid security baseline that is appropriate for most mobile apps. MASVS-L2 adds defense-in-depth controls. MASVS-R represents an optional protective layer for impeding reverse engineering and tampering.

OWASP MASVS Requirements

Detailed verification requirements


– V1 Architecture, design and threat modeling
– V2 Data storage and privacy
– V3 Cryptography verification
– V4 Authentication and session management
– V5 Network communication
– V6 Interaction with the environment
– V7 Code quality and build setting
– V8 Resiliency against reverse engineering

OWASP MASVS – Verification Requirements

[Bar chart: number of controls per MASVS category (V1 Architecture, V2 Storage, V3 Cryptography, V4 Authentication, V5 Network, V6 Platform, V7 Code Quality, V8 Reverse Engineering); y-axis "Num. Controls". 74 controls in total.]
OWASP MASVS Checklist

Mobile Security & Tools

FRIDA
Dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. Frida is:
– Scriptable
– Portable
– Free
– Battle tested
Frida “lets you inject snippets of JavaScript or your own library
into native apps on Windows, macOS, Linux, iOS, Android, and
QNX.” [3]

[3] https://github.com/frida/frida

Using FRIDA
Requirements:
– Frida version 10.6.21
– Frida-server-10.6.21-android-x86.xz (tested in Android 7)
– Android emulator with Android 7.0 x86
– The app for Android [frida.re]

V01 demo

[4] https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

drozer
[1] Install drozer: sdk-linux/platform-tools $ ./adb install 'drozer-agent-2.3.4.apk'
[2] Port forwarding: sdk-linux/platform-tools$ ./adb forward tcp:31415 tcp:31415
[3] Connect to the device: $ drozer console connect

dz> run app.package.manifest com.ap..


dz> module install mwrlabs.develop
dz> module install post.capture.clipboard
dz> run post.capture.clipboard
dz> run app.package.list -f appBanco
dz> run app.package.attacksurface com.b..
dz> run app.activity.info -a com.b..

Zap proxy

[1] CREATING THE CERTIFICATE
1. Generate the certificate from ZAP Proxy
2. Save it on the computer
3. Use adb from Android Studio to push the .cer file to the emulator
> adb.exe push owasp_zap_ca.cer /storage/carpetaEmulador/owasp.cer

[2] INSTALLING THE CERTIFICATE
1. Settings
2. Security
3. Install from SD Card
4. Select the certificate pushed with adb
5. Install

[3] PROXY CONFIGURATION
1. Settings
2. Cellular networks
3. Access Point Names
4. Select the network
5. Proxy: the PC's IP address
6. Port: the ZAP Proxy port (8080)
7. Save

[4] TESTING THE BROWSER THROUGH THE PROXY
1. Open ZAP Proxy on the PC
3. From the phone: open the browser, go to a web page, choose ADVANCED, then "Proceed to … (unsafe)"
4. Check ZAP Proxy
V1 Architecture, design and threat modeling
Security must be considered throughout all phases of development, covering the architecture of the mobile app and the functional and security roles of all its components.
Requirements pertaining to architecture and
design of the app.
Threat modeling, secure SDLC, Key
management.

V2 Data storage and privacy
● Testing Local Storage for Sensitive Data
● Shared Preferences
● SQLite Database (Unencrypted)
● Manifest.XML

dz> run app.package.manifest com.banco..
$ apktool d appBanca.apk ./banca


V03 demo

V04 demo
V2 Data storage and privacy

Inspect the source code to determine whether native Android mechanisms identify sensitive information. Sensitive information should be encrypted, not stored in clear text. For sensitive information that must be stored on the device, several API calls are available to protect the data via the KeyChain class.

V3 Cryptography verification
The goal of cryptography is to provide constant confidentiality, data integrity, and authenticity,
even in the face of an attack. The purpose of the controls is to ensure that the verified
application uses cryptography according to industry best practices, including:
– Using proven cryptographic libraries;
– Properly choosing and configuring cryptographic primitives;
– Using a suitable random number generator wherever randomness is required.

Identifying Insecure and/or Deprecated Cryptographic Algorithms


– DES, 3DES
– RC2
– RC3
– BLOWFISH
– MD4, MD5
– SHA1

V3 Cryptography verification

script

V4 Authentication and session management
● Problems with Authentication and Authorization

● Check the OWASP Top 10 2017


– A2:2017 - Broken Authentication
– A3:2017 - Sensitive Data Exposure
– A4:2017 - XML External Entities (XXE)
– A6:2017 - Security Misconfiguration
– A7:2017 - Cross-Site Scripting (XSS)

V5 Network communication

Encrypted communication between the mobile application and the backend API is not a trivial task:
– verify that a certificate comes from a trusted source, and
– check whether the endpoint server presents the right certificate.

V5 Network communication

Android Specific Best Practices
– Remove all code after the development cycle that may allow the application to accept all certificates, such as org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER. These are equivalent to trusting all certificates.
– If using a class which extends SSLSocketFactory, make sure the checkServerTrusted method is properly implemented so that the server certificate is correctly checked.

com/loopj/android/http/MySSLSocketFactory.java
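The following scanner, added here as an example and not part of the talk or the MSTG, covers both lists at once: the deprecated algorithms from the V3 slide (plus RC4) and the trust-all TLS patterns named above. It assumes decompiled sources from apktool or jadx; the MySSLSocketFactory.java sample it scans is constructed.

```python
"""MASVS V3/V5 static check over decompiled Android sources (added example,
not from the talk). Scans .java/.smali files from apktool or jadx for the
deprecated algorithms listed above (plus RC4) and for the trust-all TLS
patterns from the MSTG notes. The Java sample below is constructed."""
import re
import tempfile
from pathlib import Path

CHECKS = {
    # V3: algorithm names as they appear in Cipher/MessageDigest strings
    "DES": r'"DES(?:/|")', "3DES": r'"DESede', "RC2": r'"RC2',
    "RC4": r'"(?:RC4|ARCFOUR)', "Blowfish": r'"Blowfish',
    "MD4": r'"MD4"', "MD5": r'"MD5"', "SHA1": r'"SHA-?1"',
    # V5: trust-all identifiers, and a checkServerTrusted with an empty body
    "AllowAllHostnameVerifier": r"AllowAllHostnameVerifier",
    "ALLOW_ALL_HOSTNAME_VERIFIER": r"ALLOW_ALL_HOSTNAME_VERIFIER",
    "empty checkServerTrusted": r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}",
}

SAMPLE_JAVA = """public class MySSLSocketFactory extends SSLSocketFactory {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { }
    MessageDigest md = MessageDigest.getInstance("MD5");
    Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
}
"""

def scan_source(text: str) -> list[str]:
    """Return the labels of the checks that match one source file."""
    return [label for label, pat in CHECKS.items() if re.search(pat, text)]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each source file (POSIX path relative to root) to its findings."""
    report = {}
    for path in root.rglob("*"):
        if path.suffix in (".java", ".smali"):
            hits = scan_source(path.read_text(errors="ignore"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Write the constructed sample into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "com/loopj/android/http"
        src.mkdir(parents=True)
        (src / "MySSLSocketFactory.java").write_text(SAMPLE_JAVA)
        return scan_tree(Path(tmp))
```

A checkServerTrusted body that only contains a comment or a logging call is not caught by the empty-body pattern, so review every override by hand as well.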

V6 Interaction with the environment
The controls in this group ensure that the app uses platform
APIs and standard components in a secure manner.
– The app only requests the minimum set of permissions
– JavaScript is disabled in WebViews
– The app detects whether it is being executed on a rooted or jailbroken device
– The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.
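An added example (not from the talk) that does offline what the drozer app.package.manifest and app.activity.info commands show interactively: it audits the apktool-decoded manifest for the V2 and V6 points above (permissions, debuggable flag, exported components, custom URL schemes). The package name, components and permissions in the sample manifest are constructed.

```python
"""Audit an apktool-decoded AndroidManifest.xml for MASVS V2/V6 points
(added example, not from the talk): requested permissions, debuggable flag,
components exported without a permission, and custom URL schemes reachable
through intent filters. The manifest below is constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.banco">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="banco" android:host="transfer"/>
      </intent-filter>
    </activity>
    <provider android:name=".AccountProvider" android:exported="true"
              android:permission="com.example.banco.READ"/>
  </application>
</manifest>"""

def is_exported(comp) -> bool:
    """Explicit android:exported wins; else an intent-filter implies exported."""
    flag = comp.get(A + "exported")
    return flag == "true" if flag is not None else comp.find("intent-filter") is not None

def audit_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    report = {
        "permissions": [p.get(A + "name") for p in root.iter("uses-permission")],
        "debuggable": app.get(A + "debuggable") == "true",
        "exported_unprotected": [],   # reachable by any app on the device
        "url_schemes": [],            # custom schemes, e.g. banco://transfer
    }
    for tag in COMPONENTS:
        for comp in app.iter(tag):
            name = comp.get(A + "name")
            if is_exported(comp) and comp.get(A + "permission") is None:
                report["exported_unprotected"].append(name)
            for data in comp.iter("data"):
                scheme = data.get(A + "scheme")
                if scheme and scheme not in ("http", "https"):
                    report["url_schemes"].append((name, scheme))
    return report
```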

V7 Code quality and build setting
The goal of this control is to ensure that basic security coding
practices are followed in developing the app, and that "free"
security features offered by the compiler are activated.
– The app is signed and provisioned with a valid certificate.
– Debugging symbols have been removed from native binaries.
– Debugging code has been removed, and the app does not
log verbose errors or debugging messages.
– The app catches and handles possible exceptions.
– Error handling logic in security controls denies access by
default.

V6 demo

V8 Resiliency against reverse engineering
Covers software protection measures that are recommended for apps that process,
or give access to, sensitive data or functionality. The app detects, and responds to:
– the presence of a rooted or jailbroken device
– a debugger being attached.
– tampering with executable files and critical data
– the presence of reverse engineering tools
– tampering with the code and data
● All executable files and libraries belonging to the app are either encrypted on the file level
● Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.
● The app implements a 'device binding' functionality

V8 Resiliency against reverse engineering

Cordova plugin device, https://www.npmjs.com/package/cordova-plugin-device


M9 - Reverse Engineering, http://bit.ly/2tw9Zjc

Protections ?

: Efficient tools for secure mobile banking

https://media.kaspersky.com/en/business-security/KFP%20SDK%20Data%20Sheet%20March%202015.pdf
Protections

https://data.eventworld.cz/file/cybersecurity2014_II_temp/prezentace/12_30_Kaspersky_Fraud_Prevention_SOLUTION_Cyber_Security2014.pdf
Protections

https://data.eventworld.cz/file/cybersecurity2014_II_temp/prezentace/12_30_Kaspersky_Fraud_Prevention_SOLUTION_Cyber_Security2014.pdf
ELK as a forensic tool
● Elasticsearch, Logstash, Kibana
– A set of tools for analysing large volumes of event data such as logs, CSV files, etc.
– Makes network forensic analysis easier
– Version 6 is currently available
– Introduced the concept of machine learning to detect anomalies.
– Machine learning can be applied to the investigation of mobile applications, using as inputs the reversed classes, the logs generated by logcat, and the data generated by the applications in real time.
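As an added example (not from the talk), the script below turns logcat output into documents for the ELK stack described above, tagging lines that leak credentials or card numbers, which is the kind of verbose logging V7 forbids. The index name, leak heuristics and log lines are assumptions.

```python
"""Turn `adb logcat -v threadtime` output into Elasticsearch _bulk documents
(added example, not from the talk). Each line becomes a JSON document and is
tagged when it looks like a sensitive-data leak, which V7 says an app must
not log. Index name, leak heuristics and log lines are constructed."""
import json
import re

LOGCAT = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)
LEAK_PATTERNS = {
    "credential": re.compile(r"(?i)\b(password|pwd|pin|token)\s*[=:]\s*\S+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

SAMPLE_LOGCAT = """\
11-23 10:15:01.123  4521  4521 D LoginActivity: user=jdoe password=Secr3t!
11-23 10:15:02.456  4521  4540 I OkHttp  : --> POST https://api.banco.example/login
11-23 10:15:03.789  4521  4521 D CardView: rendering 4111 1111 1111 1111
this line is not logcat output and is skipped
"""

def parse_line(line: str):
    """Dict for one threadtime line, or None if it does not parse."""
    m = LOGCAT.match(line)
    if not m:
        return None
    doc = m.groupdict()
    doc["pid"], doc["tid"] = int(doc["pid"]), int(doc["tid"])
    doc["leaks"] = [k for k, p in LEAK_PATTERNS.items() if p.search(doc["msg"])]
    return doc

def to_bulk(text: str, index: str = "logcat-banco") -> str:
    """NDJSON body for POST /_bulk: an action line then the document, per entry."""
    out = []
    for line in text.splitlines():
        doc = parse_line(line)
        if doc:
            out.append(json.dumps({"index": {"_index": index}}))
            out.append(json.dumps(doc))
    return "\n".join(out) + "\n"
```

In Kibana, filtering on a non-empty leaks field then gives the list of log statements to report under V7.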

ELK Stack

New projects
● Spanish translation
– 80% of version 0.9 of the OWASP MASVS completed
– Translation of the manual
● Using ELK to review events
– Log analysis in apps

References
● [1] Drozer Guide, https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf
● [2] Android InsecureBankV2, Vulnerable Android application for developers and security enthusiasts to learn
about Android insecurities, https://github.com/dineshshetty/Android-InsecureBankv2
● [3] OWASP MSTG, https://github.com/OWASP/owasp-mstg
● [4] FRIDA, Dynamic instrumentation toolkit, https://www.frida.re/
● [5] OWASP Zed Attack Proxy, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
● [6] OWASP Mobile Security Project,
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.dropbox.com/sh/d143o6tbkdx4w4l/AAAQlpmnCpHCgiBqZkgXPSTKa?dl=0
● [7] Vijay Kumar Velu, Mobile Application Penetration Testing
● [8] Prashant Verma, Akshay Dixit, Mobile Device Exploitation Cookbook
● [9] Nikolay Elenkov, Android Security Internals

