Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: mobile

[BSidesLV] It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications

It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications – Zach Lanier

Mobile Application Themes

Broad Observations

The web pushed content to the browser

  • Centralization of apps and data
  • Always a push for MORE (ActiveX, applets, …)

Now, everyone gets their own app!

  • Code (not HTML) gets pushed to the endpoint
  • App for things like XKCD


Carriers only authenticate the device to the network. Once you’re on the carrier network, it’s free access with almost no further checks.

Third-party applications are sometimes better than the carrier apps, with support for better auth.

Some stupid client-side auth issues (e.g. an admin=1 parameter that the server trusts).

Many apps are syncing data between the device and the cloud over plain HTTP.

At that point it’s just like pentesting a webapp.

Platform Security

Quick Overview of the common platforms

Many disparate platforms

  • Android, iPhone OS, RIM, WinMo, BREW, ….

Different platforms handle security differently


  • Shared user accounts
  • Native Code
    • Obj-C, JNI
  • Certificate Validation
    • SSL, Code Signing
  • Support for Emerging Technologies
    • Flash, WebKit, HTML5

Testing Techniques

  • Whitebox
    • Sometimes it’s trivial to get app source-code
  • Blackbox
    • Acquiring application binaries
    • Reverse Engineering
      • Disassembly
    • Network Analysis
      • Protocol Analysis
      • Fuzzing
      • MITM

Protocol analysis is often the easiest method: a lot of applications tunnel over HTTP, which makes life easier for testers.

Tools commonly used:

  • undx, coddec, JAD
    • decompilation
  • smali / baksmali
    • (dis)assembly, patching
  • Native code?
    • IDA with ARM support
    • strings

adb –> Android Debug Bridge

Not everybody can be an RE ninja.. sometimes the easiest way is to listen to its traffic.

Become the MITM using tools like WAPT, WebScarab/Paros/Burp.

Issues include things like the requirement to be on the carrier connection, and strict SSL certificate checks.

Solutions include the use of mobile broadband cards and emulators, so you sit on the carrier network and can still run the app.

Wifi isn’t always an option, as not all phones support it and some applications won’t connect over Wifi.

Intrepidus have released a tool called Mallory for MITM of TCP and UDP connections. This is useful for MITM testing of mobile devices.

Case Studies


Foursquare application

Usage of Basic Auth instead of OAuth

  • Cleartext transmission of username/password

Foursquare are starting to enforce OAuth and SSL.

Why is this a problem –> Most applications prefer Wifi over the carrier connection. Easy to sniff at your local Starbucks.
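A small triage script for the two observations above (credentials sent as cleartext Basic Auth, and an admin=1 parameter that the client is trusted to set), added here as an example; it is not from the talk or from any of the apps discussed. The two captured requests are constructed, and the host names, credentials and the list of parameter names treated as suspicious are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed capture (not real traffic): two plaintext HTTP requests of the kind
# a checkin/sync client sends, as anyone on the same Wi-Fi hotspot would see them.
CAPTURED = [
    "GET /v1/checkins?venue=4242 HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Authorization: Basic am9lQGV4YW1wbGUuY29tOmh1bnRlcjI=\r\n"
    "User-Agent: ExampleMobile/1.2\r\n"
    "\r\n",
    "POST /sync?admin=1&user=joe HTTP/1.1\r\n"
    "Host: storage.example.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
]

# Query parameters that, if the server honours them, put authorization on the client.
AUTHZ_PARAMS = {"admin", "is_admin", "role", "debug"}


def parse_request(raw):
    """Split one HTTP/1.1 request into method, path, query dict, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers, "body": body}


def basic_credentials(headers):
    """Recover (user, password) from an 'Authorization: Basic' header, or None.
    Basic Auth is only base64, so on plain HTTP this is the whole 'attack'."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def client_side_authz(query):
    """Parameter names in the request that look like client-asserted privilege."""
    return sorted(k for k in query if k.lower() in AUTHZ_PARAMS)


def triage(captured):
    """Run both checks over every captured request and return the findings."""
    findings = []
    for raw in captured:
        req = parse_request(raw)
        host = req["headers"].get("host", "?")
        creds = basic_credentials(req["headers"])
        if creds:
            findings.append(("cleartext-credentials", host, creds))
        for param in client_side_authz(req["query"]):
            findings.append(("client-side-authz", host, param))
    return findings


if __name__ == "__main__":
    for finding in triage(CAPTURED):
        print(*finding)
```

Neither finding depends on breaking anything: the first is read straight off the wire, the second is a parameter the tester simply sets to 1 in a proxy. Moving to OAuth tokens over SSL removes the first; moving the privilege decision to the server (look up the authenticated user's role, ignore what the client claims) removes the second.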

A Storage Application

Multi-platform application

Developed by a third-party, branded for major carriers

Problem –> Simple crash in the storage quota viewer

Attacker needs to MITM and alter the server response –> Client crashes

Application has DRM, but allows sharing between friends.

Enforcement occurs on the client side when viewing (an XML response from the server details the DRM info, and the client obeys it) –> FAIL

Embedded Device #1

Mix of HTTP and HTTPS content

MITM on HTTP traffic to enable hidden Admin content

Strict SSL Validation prevents SSL MITM

The big problem was command injection via the SSID –> SSID; <insert your command here>
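An added example (mine, not the device’s code) of the SSID injection pattern above and its fix. The device’s real wireless configuration command is not on the page, so echo stands in for it; the command strings and the validation limits are assumptions of this example. The payload shows that whatever follows the first “;” runs as a second command.

```python
import shlex
import subprocess

SSID_MAX_BYTES = 32  # 802.11 limit on SSID length


def configure_wifi_vulnerable(ssid: str) -> str:
    """The flawed pattern: glue the user-supplied SSID into a shell command line.
    echo stands in for the real wireless tool; the shell still sees
    'home; echo INJECTED' as two commands."""
    cmd = "echo Joining network: " + ssid
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ssid(ssid: str) -> str:
    """Reject what an SSID can never legitimately be (empty, over 32 bytes, or
    containing control characters). This is hygiene, not the fix: ';' is a
    perfectly legal SSID byte, so filtering it would break real networks."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= SSID_MAX_BYTES:
        raise ValueError("SSID must be 1-32 bytes")
    if any(ord(c) < 0x20 or c == "\x7f" for c in ssid):
        raise ValueError("SSID contains control characters")
    return ssid


def ssid_is_valid(ssid: str) -> bool:
    try:
        validate_ssid(ssid)
        return True
    except ValueError:
        return False


def configure_wifi_hardened(ssid: str) -> str:
    """The fix: no shell at all. With an argv list, ';' is just a byte inside
    one argument and there is nothing to inject into."""
    ssid = validate_ssid(ssid)
    return subprocess.run(["echo", "Joining network:", ssid],
                          capture_output=True, text=True).stdout


def configure_wifi_quoted(ssid: str) -> str:
    """When a shell is unavoidable (e.g. the call is in an init script), quote
    the argument so the shell treats it as one word."""
    ssid = validate_ssid(ssid)
    cmd = "echo Joining network: " + shlex.quote(ssid)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "home; echo INJECTED"
    print("vulnerable:", repr(configure_wifi_vulnerable(payload)))
    print("hardened:  ", repr(configure_wifi_hardened(payload)))
```

On an embedded device the injected command would typically be a reverse shell or a telnetd start rather than echo, but the mechanism is identical: the attacker controls the SSID string (their own access point’s name, or a rewritten HTTP response on the way to the admin interface) and the firmware hands it to /bin/sh.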

Embedded Device #2

Typical XSS flaws in the interface

Also a command injection flaw allowing access

BREW Picture Upload

Designed to upload data from the phone to the cloud

BREW != Smart Phone

  • No Wifi

Application Directed SMS

  • SMS Client can parse messages and identify specific control messages for distinct applications
  • Debug code: SMS instruction to change remote upload destination
  • Traffic was plaintext HTTP/SOAP

Authentication uses a static token for the lifetime of the app on that device.

Authentication token was an MD5 hash created server-side –> Able to recreate the data used to create the MD5 hash

Able to hijack other users’ accounts by using this information to create valid MD5 tokens for them


  • No SSL
  • No real auth scheme
    • Why would you lie about your phone number?
    • If they’re on our network, they’re trusted
  • No authorization controls on the server
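An added example of the token weakness in the BREW upload case (the static MD5 token the client can recreate, and the account hijack that follows) beside two hardened alternatives. This is illustrative code, not the app’s: the talk did not publish the exact inputs to the hash, so the recipe here (MD5 over an app identifier and the phone number) and the identifiers and phone numbers are constructed.

```python
import hashlib
import hmac
import secrets
import time

APP_ID = "picupload/1.0"  # constructed stand-in for a fixed per-app identifier


# --- the weak scheme the talk describes ----------------------------------------
def weak_token(msisdn, app_id=APP_ID):
    """A server-issued 'auth token' that is only MD5 over values the client already
    knows. Constructed recipe; the real one was not published."""
    return hashlib.md5(f"{app_id}:{msisdn}".encode()).hexdigest()


def weak_server_accepts(msisdn, token):
    return token == weak_token(msisdn)


# Candidate recipes an attacker would try against their own token.
RECIPES = {
    "msisdn": "{msisdn}",
    "app:msisdn": "{app}:{msisdn}",
    "msisdn:app": "{msisdn}:{app}",
    "msisdn+app": "{msisdn}{app}",
}


def recover_recipe(my_msisdn, observed_token, app_id=APP_ID):
    """Holding one valid token for a number you control, try recipes until one
    reproduces it: the 'recreate the data behind the MD5' step."""
    for name, template in RECIPES.items():
        guess = template.format(msisdn=my_msisdn, app=app_id)
        if hashlib.md5(guess.encode()).hexdigest() == observed_token:
            return name, template
    return None


def forge_token(victim_msisdn, template, app_id=APP_ID):
    """With the recipe known, any other user's token is one hash away."""
    data = template.format(msisdn=victim_msisdn, app=app_id)
    return hashlib.md5(data.encode()).hexdigest()


# --- hardened: something the client cannot reproduce ------------------------------
SERVER_SECRET = secrets.token_bytes(32)  # lives only on the server


def keyed_token(msisdn, secret=SERVER_SECRET):
    """An HMAC with a server secret cannot be recomputed from the phone number alone."""
    return hmac.new(secret, msisdn.encode(), hashlib.sha256).hexdigest()


def keyed_server_accepts(msisdn, token, secret=SERVER_SECRET):
    return hmac.compare_digest(token, keyed_token(msisdn, secret))


class SessionStore:
    """Better still: a random, expiring session token issued after a real login
    and looked up server-side. Nothing about it derives from the phone number,
    and it stops being 'static for the lifetime of the app'."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def issue(self, msisdn, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (msisdn, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        msisdn, expires = entry
        if now >= expires:
            del self._sessions[token]
            return None
        return msisdn
```

The keyed variant fixes the forgery but keeps one property the talk criticised: the token is still static per device. The session store addresses that too, and pairs naturally with the missing server-side authorization check (the server decides what an account may see from the session it issued, not from what the client claims).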

RIM Picture Upload

Similar to the BREW upload

Extract the binary using JavaLoader.exe and run it in an emulator

Main app is in a COD file.. a simple ZIP format that unpacks to files which can be decompiled

Decompilation didn’t give a clean output.

What was visible was a hard-coded 3DES key in the Java bytecode. All devices use the same key!

Every encrypted image sent out on the wire was prefixed with an auth header

The web app on the server side was vulnerable to a number of flaws, including injection and information disclosure

LAX permissions: the app was allowed to do whatever it wanted on the device itself –> Whatever happened to least privilege?


  • Broken, Hard-coded crypto
  • Lack of input validation
  • LAX permissions and no defense in-depth


  • Quine Twitter –> @quine
  • Mallory –> LINK
  • Mallory BH Talk –> LINK

[Plumbercon/Ninjacon] How to stay invisible (still using cellphones)

How to stay invisible (still using cellphones)



It is a well known fact that cell phones are the most common way of pinpointing identity, to position and set up a social diagram of an individual under investigation. In this talk, we will learn how to position cell phones using SMS-submit messages from an SMSC and how to position cell-IDs using a phone. These are known methods of positioning. Also, the audience will gain knowledge on how to stay anonymous and avoid getting your MSISDN (cell phone number) identified in the first place. ETSI standards of lawful interception tell half the story on how IMEI, IMSI and MSISDN are logged and tracked together with a position to find out your location. You will learn how to change an IMEI number on your phone as you change IMSI by switching between different low-cost prepaid SIM cards to be able to fly under the radar.

GSM Phone Privacy

7 attacks that anybody could perform against GSM

ETSI Lawful Interception

The standard itself is not public, but a working draft can be found at http://eu.sabotage.org

Establishes a form for Lawful Interception requests. The 4 main pieces of information that can be requested are:

  • IMSI (Unique SIM identifier)
  • IMEI (Mobile Phone manufacturer, model, and unique identifier)
  • Time

ICCID is made up of 5 parts: System code, MCC, MNC, Subscriber number, check digit

In some cases (such as the recent AT&T hack) it’s possible to transform the ICCID information into an IMSI number.
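The ICCID and IMEI described above both end in a Luhn check digit, which matters in two places on this page: an ICCID read off a SIM (or harvested, as in the AT&T case) can be sanity-checked before anyone tries to map it to an IMSI, and a tool that “changes the IMEI” has to recompute the digit or produce a malformed value. The following is an added example, not code from the talk; the sample ICCID and IMEI are constructed, and the TAC/serial split of the IMEI is the standard 8+6+1 layout.

```python
def _luhn_sum(number: str) -> int:
    """Luhn sum: from the right, double every second digit (check digit excluded),
    subtract 9 from doubled values above 9, add everything up."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and _luhn_sum(number) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit Luhn-valid."""
    if not payload.isdigit():
        raise ValueError("payload must be digits")
    return (10 - _luhn_sum(payload + "0") % 10) % 10


def parse_imei(imei: str) -> dict:
    """IMEI = 8-digit TAC (type allocation code: manufacturer and model) +
    6-digit serial + Luhn check digit."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be 15 digits")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14],
            "valid": luhn_valid(imei)}


def build_imei(tac: str, serial: str) -> str:
    """Assemble a 15-digit IMEI with a correct check digit, which is what any
    IMEI-changing tool must do for the result to pass the checksum."""
    payload = tac + serial
    if not (payload.isdigit() and len(payload) == 14):
        raise ValueError("TAC + serial must be 14 digits")
    return payload + str(luhn_check_digit(payload))


def parse_iccid(iccid: str) -> dict:
    """ICCID (printed on the SIM) = '89' telecom prefix + country code + issuer
    identifier + account number + Luhn check digit. Country code and issuer
    identifier are variable length, so only the fixed parts are split out here."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20):
        raise ValueError("ICCID must be 19 or 20 digits")
    return {"system_code": iccid[:2], "body": iccid[2:-1], "check": iccid[-1],
            "telecom": iccid.startswith("89"), "valid": luhn_valid(iccid)}


if __name__ == "__main__":
    # Constructed sample values, not real subscribers or handsets.
    print(parse_imei("352099001761481"))
    print(parse_iccid("8901260123456789011"))
    print(build_imei("35209900", "176148"))
```

The check digit is an integrity check, not a secret: it catches typos and transmission errors, and it is trivially recomputed by anyone rewriting the identifier. Nothing here stops the IMSI/IMEI association described below; it only tells you whether an identifier you are looking at is well-formed.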

ETSI LI SMS Interception

Normally the agency performing the interception will receive copies of all SMS sent and received. This isn’t always possible when the phone is roaming, however, as arrangements to share this kind of LI information are not in place between countries.

HLR (Home Location Register) Lookups

As presented at CCC in recent years, it’s possible to track a user using a number of online HLR lookup services. These services cost less than €10.

One possible service is http://routomessaging.com/

IMSI and IMEI Database

IMSI and IMEI information is associated and stored in a database. Switching SIMs isn’t enough: once an IMSI and IMEI are linked, the phone can be tracked even when a new SIM is put into it. Changing both the SIM and the phone is one method of defeating this, unless you can change the IMEI on the phone.

Nokia had a tool to change the IMEI and other settings on older phones (3310). This isn’t always legal, however. Check your local laws.

SIM card scanning/cloning

Older attack (used by Mitnick, way back).

SIM card cracking/scanning is used to create a SIM card clone

SIM card clones can be used in regular handsets

Operator settings are exposed (and can be modified in the clone)

Older SIM cards are prone to this attack using tools like SIMeasy

You can crack the encryption and write the cloned SIM card information to a wafer card (Phoenix or Smartmouse).

If you clone a SIM, the last handset to register on the network gets the incoming calls; the other is ignored.

Prepaid SIM cards

Some operators need to see ID (and photocopy it) before selling a SIM. This ID can then be provided to any agency on request.

50% of all SIM cards are pre-paid

Hacked Firmware

Nokia 3310 hacked firmware (Nokia 3310 spyphone).

When activated, the phone will accept any inbound call without notifying the user. This could be used to spy on people and record conversations. As the firmware is available on Rapidshare, it can be modified for other uses.

UAE LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm

The UAE also rolled out a hacked Blackberry firmware that caused issues on people’s Blackberry phones.

Hijacking Mobile Data Connections

Changing the HTTP proxy settings of a user. See http://www.mseclab.com/?p=146

Use the IMSI to figure out the operator and the correct settings

Possible methods of deployment

  • OTA – Over The Air provisioning
  • iPhone .mobileconfig
  • Possible on Android also

Protecting yourself – Solutions

Make your own rules

  • Who are you giving your number to?
    • They can track you
  • When do you change your IMSI/IMEI?
    • You need to change them at the same time to avoid a trail
  • What number do you give to your mother?
    • Easy to find a link between your family and you using simple checks

Giving out your number is giving out your location
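An added example of the IMSI/IMEI association described in the “IMSI and IMEI Database” section and of the rule above about changing both at the same time. It is analysis code written for this page, not something from the talk: it takes constructed network registration records (IMSI, IMEI, cell, time; none are real subscribers) and links identities the way an operator’s association table or an LI analyst would, so you can see which SIM/handset changes leave a trail and which do not.

```python
from collections import defaultdict

# Constructed registration records (not real data): what the network logs every
# time a handset attaches. Subject A swaps SIM in the same handset, then swaps
# handset while keeping the SIM. Subject B changes SIM and handset at once.
RECORDS = [
    {"t": "2010-07-01T08:00", "imsi": "232011000000001", "imei": "352099001761481", "cell": "1001"},
    {"t": "2010-07-02T09:30", "imsi": "232011000000002", "imei": "352099001761481", "cell": "1001"},
    {"t": "2010-07-03T19:15", "imsi": "232011000000002", "imei": "352099009999990", "cell": "2043"},
    {"t": "2010-07-01T08:05", "imsi": "232011000000003", "imei": "352099005555553", "cell": "1001"},
    {"t": "2010-07-04T11:00", "imsi": "232011000000004", "imei": "352099007777776", "cell": "3090"},
]


def link_identities(records):
    """Union-find over 'imsi:<digits>' and 'imei:<digits>' nodes. Every record
    joins its IMSI to its IMEI; the connected components are the identity
    clusters an analyst ends up with. Returns a list of sets."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for r in records:
        union("imsi:" + r["imsi"], "imei:" + r["imei"])

    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted(groups.values(), key=min)


def cluster_of(records, identifier):
    """All IMSI/IMEI identities reachable from one identifier."""
    for group in link_identities(records):
        if identifier in group:
            return group
    return set()


def trail(records, identifier):
    """Every registration attributable to the cluster containing identifier:
    the positions an analyst can put on a map despite the SIM changes."""
    group = cluster_of(records, identifier)
    return [r for r in records if "imsi:" + r["imsi"] in group]


if __name__ == "__main__":
    for group in link_identities(RECORDS):
        print(sorted(group))
    for r in trail(RECORDS, "imsi:232011000000001"):
        print(r["t"], "cell", r["cell"])
```

Subject A’s first SIM, second SIM and both handsets collapse into one cluster, and all three positions attach to it. Subject B’s two records stay in separate clusters because no record ever ties the new IMSI to the old IMEI or the old IMSI to the new IMEI, which is the point of “change them at the same time”. Any record that does bridge the two (one attach with the old SIM in the new phone) is enough to merge the clusters again.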

Acceptance of updates may lead to data eavesdropping

Pre-paid cards from abroad make things more complex for lawful interception

Links:

  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/50
  • UAE LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm
  • ETSI Lawful Interception –> http://eu.sabotage.org
  • Hijacking Mobile Data Connections –> http://www.mseclab.com/?p=146
  • HLR Lookups –> http://routomessaging.com/
  • http://routomessaging.com/SMS-services/sms-hlrlookup.pmx