By Guillaume Lopes | December 2, 2019
During the DeepSec event, we gave our Mobile Hacking training (this training was also provided at Hack In Paris).
This training presented the toolset needed when assessing mobile applications (such as adb, Apktool, Jadx, Androguard, Cycript, Frida, Needle and MobSF) as well as the techniques that help you work faster and more efficiently in the mobile ecosystem. This two-day training focused on Android and iOS applications. The main topics of the training were:
- Introduce the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
- Learn Android and iOS security basics
- Know how to build an Android and iOS pentest toolset
- Learn how to review the codebase of a mobile application (aka static analysis)
- Run the mobile application on a rooted device (to check data security issues)
- Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
- Man in The Middle all the network communications (aka inspect the traffic)
We received really good feedback, especially regarding the hands-on exercises and the content of the training.
In the case of the DeepSec event, the only criticism concerned the duration of the training: students wanted a longer training to have time to go deeper into the topics presented.
That is why we are going to provide a three-day training at Hack in the Box. Don't hesitate to register right now if you want to take advantage of the early-bird rate (2599 euros) before 31 January!
Just after the trainings, the conference took place at the Imperial Riding School hotel for two days. Guillaume Lopes had the opportunity to present his research on the Google Play Billing API. If you want to know how to bypass the payment process in Android apps, you can download the slides
Regarding the other presentations, we really enjoyed the following ones:
Chinese Police and CloudPets
Abraham Aranguren presented the results of three different audits performed against Android applications.
The first target was CloudPets, a connected toy that lets parents send messages to their kids through the toy. An Android app is used to interact with the toy. Abraham found many critical issues: no HTTPS for the app's communications, publicly readable S3 buckets containing all the customer data, an unauthenticated MongoDB instance, etc. The security was so bad that major resellers like Walmart and Amazon decided to remove CloudPets from their catalogs!
Then, two other apps used by the Chinese police were assessed: IJOP and BXAQ. For those apps, the objective was to identify the information collected by the police. The IJOP app is used to collect information about the Muslim population, and the type of data collected is really alarming (blood type, electricity usage at home, phone usage and in particular whether the phone goes inactive, etc.). The BXAQ app is a trojan installed on tourists' phones in order to collect a great deal of personal information (contacts, calendar, phone calls, SMS, etc.). All the collected data is saved in a ZIP file on the SD card, and the ZIP file is not always removed afterwards :).
Mastering AWS Pentesting and Methodology
Ankit Giri reviewed the security best practices to set up in AWS environments, such as:
- performing an inventory of your AWS account (the aws-inventory tool can be used for this purpose)
- blocking public access to S3 buckets
- enabling CloudWatch
- enabling CloudTrail
- setting billing alerts
Finally, he demonstrated Prowler, a tool that automates many of these checks.
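To make the checklist concrete, here is an added example (not code from the talk, nor from Prowler) of Prowler-style checks for three of the items above: S3 Block Public Access, CloudTrail coverage and a billing alarm. The functions are hypothetical helpers of mine; their input dicts mirror the response shapes of boto3's `s3.get_public_access_block()`, `cloudtrail.describe_trails()` and `cloudwatch.describe_alarms()`, so a real audit would call those APIs and pass the responses in unchanged. The account snapshot at the bottom is constructed sample data, not a real account.

```python
"""Offline, Prowler-style checks for S3 Block Public Access, CloudTrail
and billing alarms (added example; input shapes follow boto3 responses)."""

S3_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def check_s3_public_access_block(bucket, pab_response):
    """One finding per bucket. pab_response is None when the API raised
    NoSuchPublicAccessBlockConfiguration, i.e. nothing is blocked at all."""
    cfg = (pab_response or {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in S3_PAB_FLAGS if not cfg.get(f, False)]
    if missing:
        return ("FAIL", f"s3:{bucket}",
                "public access not fully blocked: " + ", ".join(missing))
    return ("PASS", f"s3:{bucket}", "all four Block Public Access flags set")


def check_cloudtrail(describe_trails_response):
    """PASS if at least one trail is multi-region, records global service
    events (IAM, STS) and has log file validation enabled."""
    trails = describe_trails_response.get("trailList", [])
    good = [t["Name"] for t in trails
            if t.get("IsMultiRegionTrail")
            and t.get("IncludeGlobalServiceEvents")
            and t.get("LogFileValidationEnabled")]
    if good:
        return ("PASS", "cloudtrail",
                "multi-region validated trail(s): " + ", ".join(good))
    if trails:
        return ("FAIL", "cloudtrail",
                "trails exist but none is multi-region with global events "
                "and log validation: " + ", ".join(t["Name"] for t in trails))
    return ("FAIL", "cloudtrail", "no trail configured")


def check_billing_alarm(describe_alarms_response):
    """PASS if an enabled alarm on AWS/Billing EstimatedCharges has at
    least one action (typically an SNS topic) wired to it."""
    alarms = describe_alarms_response.get("MetricAlarms", [])
    hits = [a["AlarmName"] for a in alarms
            if a.get("Namespace") == "AWS/Billing"
            and a.get("MetricName") == "EstimatedCharges"
            and a.get("ActionsEnabled", False)
            and a.get("AlarmActions")]
    if hits:
        return ("PASS", "billing", "billing alarm(s): " + ", ".join(hits))
    return ("FAIL", "billing",
            "no enabled EstimatedCharges alarm with an action")


def run_checks(snapshot):
    """snapshot = {"buckets": {name: pab_response_or_None},
                   "trails": describe_trails_response,
                   "alarms": describe_alarms_response}
    Returns a list of (status, resource, detail) tuples."""
    findings = [check_s3_public_access_block(b, r)
                for b, r in sorted(snapshot["buckets"].items())]
    findings.append(check_cloudtrail(snapshot["trails"]))
    findings.append(check_billing_alarm(snapshot["alarms"]))
    return findings


# Constructed sample account: one hardened bucket, one that never had a
# public-access block, a single-region trail and no billing alarm.
SAMPLE_SNAPSHOT = {
    "buckets": {
        "corp-logs": {"PublicAccessBlockConfiguration":
                      {f: True for f in S3_PAB_FLAGS}},
        "marketing-assets": None,
    },
    "trails": {"trailList": [{
        "Name": "eu-west-1-only", "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True}]},
    "alarms": {"MetricAlarms": []},
}

if __name__ == "__main__":
    for status, resource, detail in run_checks(SAMPLE_SNAPSHOT):
        print(f"{status:4} {resource:22} {detail}")
```

Two caveats when wiring this to a live account: `get_public_access_block` is per bucket, so the account-wide setting must be read separately through `s3control.get_public_access_block(AccountId=...)`, and `AWS/Billing` metrics are only published in us-east-1, so the billing alarm check must query CloudWatch in that region regardless of where the workloads run.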
Saving Private Brian
Michael Burke presented various techniques for performing forensic analysis on iOS devices in order to identify whether malware or spyware is installed. The idea is not to use expensive tools but to manually perform a quick-and-dirty, basic-level forensic triage by checking:
- the settings for modified configuration (VPN, profiles)
- the installed apps (network / battery consumption, permissions)
- your iCloud account (syncing, look me up, find my …)
- suspicious Safari "website data" statistics
He also explained a nice trick to obtain a lot of verbose logs: the sysdiagnose tool, which is triggered by pressing the power button and both volume buttons at the same time.
If you want a more complete overview of the presentations, Xavier Mertens already provided a complete wrap-up of the conference in his blog: