Summit: June 16 & 17


white paper


Abusing Android Apps and Gaining Remote Code Execution

This is a technical presentation which details a new exploit pattern for Android applications. A network based attacker can gain code execution on many Android devices by abusing the behavior of certain APIs. A walk though of the vulnerability and a demo of the exploit on a popular application will be shown. The issue is largely platform and architecture independent.

The vulnerability exists in many applications and can be used to gain code execution in many cases. This vulnerability also affects one major OEM allowing remote code execution as System user with no user interaction. The attack is highly reliable, completely silent, and affects all devices by said OEM.

presented by

Ryan Welton

Android Security State of the Union

The world of security is riddled with assumptions and guesses. Using data collected from hundreds of millions of Android devices, we'll establish a baseline for the major factors driving security in the Android ecosystem. This will help provide direction for the issues that we think will benefit the most from security community attention and research contributions.

presented by

Adrian Ludwig

Blackbox iOS Application Assessments Using idb

More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this talk, we review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications. To assist the community in assessing security risks of mobile apps, we introduce a recent tool called 'idb' and show how it can be used to efficiently test for a range of iOS app flaws indicated above.

During our presentation, we will explore a number of vulnerability classes. Each class will first be introduced and discussed before demonstrating how idb can enhance the testing for instances of it. With this we illustrate how apps commonly fail at safeguarding sensitive data and demonstrate how idb can arm security professionals and developers with the means necessary to uncover these flaws from a black-box perspective. Furthermore, we will provide illustration of how to mitigate each flaw. idb is open source and available to the public.

presented by

Daniel Mayer

CopperDroid: Automatic Reconstruction of Android Malware Behaviors

Mobile devices and their application marketplaces drive the entire economy of today's mobile landscape. Android platforms alone have produced staggering revenues, exceeding five billion USD, which has attracted cybercriminals and increased malware in Android markets at an alarming rate. To better understand this slew of threats, in this talk I present CopperDroid, an automatic VMI-based dynamic analysis system to reconstruct the behaviors of Android malware. The novelty of CopperDroid lies in its agnostic approach to identify interesting OS-and high-level Android-specific behaviors. It reconstructs these behaviors by observing and dissecting system calls and, therefore, is resistant to the multitude of alterations the Android runtime is subjected to over its life-cycle. CopperDroid automatically and accurately reconstructs events of interest that describe, not only well-known process-OS interactions (e.g., file and process creation), but also complex intra- and inter-process communications (e.g., SMS reception), whose semantics are typically contextualized through complex Android objects. Because CopperDroid's reconstruction mechanisms are agnostic to the underlying action invocation methods, it is able to capture actions initiated both from Java and native code execution. CopperDroid's analysis generates detailed behavioral profiles that abstract a large stream of low-level---often uninteresting---events into concise, high-level semantics, which are well-suited to provide insightful behavioral traits and open the possibility to further research directions. We carried out an extensive evaluation to assess the capabilities and performance of CopperDroid on more than 2,900 Android malware samples. Our experiments show that CopperDroid faithfully reconstructs OS- and Android-specific behaviors. Additionally, we demonstrate how CopperDroid can be leveraged to disclose additional behaviors through the use of a simple, yet effective, app stimulation technique. Using this technique, we successfully triggered and disclosed additional behaviors on more than 60% of the analyzed malware samples. This qualitatively demonstrates the versatility of CopperDroid's ability to improve dynamic based code coverage.

presented by

Lorenzo Cavallaro

Data Extraction on Resold and Stolen Android Smartphones: A Security Analysis of Consumer Grade Protections

We study the protection mechanisms available to consumers to thwart unauthorised access to personal data on resold and stolen Android smartphones. With hundreds of millions of devices expected to be traded by 2018 and millions of devices stolen in the USA in 2013 alone, such attacks are a serious and growing problem.

The main protection against data extraction from resold devices is using the built-in "Factory Reset" function on device disposal. Trade press reports2 have already raised doubts about the effectiveness of Android "Factory Reset", but this paper presents the first comprehensive study of the issue. We study the implementation of Factory Reset on 21 Android smartphones from 5 vendors running Android versions v2.3.x to v4.3. We estimate that more than 340 million devices do not properly sanitise their data partition where credentials and other sensitive data are stored, and still more fail to properly sanitise the internal SD card where multi- media files are generally saved. We found we could recover Google credentials on all device presenting a flawed Factory Reset. Full-disk encryption has the potential to mitigate the problem, but we found that a flawed Factory Reset leaves behind enough data for the encryption key to be recovered.

The main mitigation against unauthorised data access on stolen devices is provided by apps with "remote wipe" and "remote lock" functions. We study the top 10 Mobile Anti- Virus (MAV) apps downloaded by hundreds of millions of users. We uncover flaws that undermine MAV security claims and highlight the fragility of third-party security apps. MAV remote locks are unreliable due to poor implementation practices, Android API limitations and vendor customisations. Mobile OS architectures leave third-party security apps little leeway to improve built-in Factory Resets, therefore MAV remote wipe functions are not an alternative to a flawed built-in Factory Reset. We conclude the only viable solutions are those driven by vendors themselves.

presented by

Laurent Simon

Deconstructing Kony Android Apps

KonyLabs implements a "write once deploy many" IDE to simplify mobile application development and expand developer platform reach. While making developers lives easier, this makes security engineers' lives much more difficult. By embedding a Lua Byte code VM with the application and serializing the application code in a proprietary format, the KonyLabs IDE does an effective job of obfuscating application analysis. This talk focuses on ways to overcome the obstacles presented by the KonyLabs IDE by leveraging the Jolla phone, Alien Dalvik implementation, and out-of-the-box thinking.

This technique was briefly talked about at Ekoparty (2014) in Buenos Aires as a part of a talk on Exploring the Jolla Phone attack surface. After much discussion with attendees, I decided that there was sufficient content and it is relevant enough to warrant its own talk.

presented by

Chris Weedon

Inspecting Data from the Safety of Your Trusted Execution Environment

In this presentation, we demonstrate a method for performing real-time volatile memory analysis of a normal world system from within a trusted world on a machine running ARM TrustZone. This technique differs from existing solutions by allowing inspection of memory without using a normal world agent. Agent-less inspection provides the groundwork for the development of trusted world anti-malware techniques that have minimal interaction with the untrusted system. This talk will demonstrate a PoC of this capability and show how existing analysis tools can be leveraged for automated analysis of key system security indicators.

presented by

John Williams

Mobile Malware - A Network View

Mobile devices are becoming the target of choice for cybercriminals. This presentation will provide an in-depth view of the mobile malware that is currently active on the Internet. It will describe the infection rates, what the malware does, how it is monetized and the impact it has on network resources and the user experience. The presentation will draw on network based malware detection results from deployments that monitor the network traffic from close to 100M mobile devices in major carriers around the world.

presented by

Kevin McNamee

SAP Mobile: Attack & Defense

Mobile devices are becoming ubiquitous in the infrastructure of any modern organization. As part of this industry's push towards remotely accessible business functions, business critical applications vendors (such as SAP) are also getting on board. In the last few years, SAP has been developing a series of solutions which covers different aspects of the mobile landscape from managing devices, to integrating custom mobile applications to the business logic of the SAP systems.

The SAP Mobile Platform is composed of a group of complex third-party technologies, both open source and in-house developments. Moreover, bridging naturally isolated ecosystems like SAP to a mobile device infrastructure, poses challenging tasks from a security perspective. Such challenges include securing communications, choosing an adequate authentication mechanism, defining the proper data encryption requirements and taking care of an adequate device provisioning. An organization has to have in mind all of these concepts and increasingly complex attack scenarios while building a secure mobile infrastructure.

If an attacker is able to exploit vulnerabilities exposing any of the previously mentioned attack vectors, he would be able to perform sabotage, espionage or fraud attacks to the company. This could lead to a full compromise of the backend system, which manage not only critical business data, but also confidential and sensitive information with the liability implications of this.

During this presentation, we will provide a technical overview of the most relevant security features that the SAP mobile ecosystem brings into play, and how organizations can leverage these mechanisms to mitigate the wide attack surface. When relevant, a deeper technical analysis of the strengths and weaknesses of each technology will be shared with the audience including critical vulnerabilities recently reported to SAP by Onapsis that could be used by attackers to compromise the SAP infrastructure going through its Mobile components.

presented by

Julian Rapisardi &  Fernando Russ

SCADA and Mobile: Security Assessment of the Applications That Turns Your Smartphone Into a Factory Control Room

The days when mobile technologies were just a rising trend have passed, and now mobile devices are an integral part of our life. As a result, you may find them in places where they probably shouldn't be. But convenience often wins over security. Nowadays, you can monitor (or even control!) your ICS (Industrial Control System) from a brand-new Android or iOS smartphone. Just type the words 'HMI', 'SCADA', or 'PLC' into Google Play Store or ITunes App Store, and a surprisingly large bunch of results will appear. Moreover, many of these applications are developed by serious vendors, like Siemens, GE, Omron, etc., and allow accessing, monitoring, or controlling the HMI, PLC, DCS, or SCADA systems in your ICS infrastructure. Are they secure? Could an attacker do something bad if they get access to an industrial engineer's tablet? What kind of vulnerabilities can exist in these applications? What attack vectors are possible?

To answer all these questions, we took a sample of "mobile apps for your SCADA, PLC, HMI" and assessed them. In this talk, found vulnerabilities, attack methods, and other potential risks will be shown. We will discuss whether it is SAFE to allow mobile applications to interact with your ICS infrastructure. Two attack scenarios will be shown: attacking ICS infrastructure via a compromised smartphone and penetrating mobile devices out of a compromised ICS environment (bottom-to-top attacks). Also, the detailed statistics of found flaws and security mechanisms usage will be shown.

The Machines That Betrayed Their Masters

The devices we carry betray us to those who want to invade our privacy by emitting uniquely identifiable signals. The most common example is the wireless signals emitted by your mobile phone (even whilst tucked safely into your pocket). Such signals may be used to track you, or be used toward more malicious intent.

This talk will discuss the process the author has gone through to build a resilient, modular, reliable, distributed, tracking framework - originally spawned as a PoC tool in 2012 by the name 'Snoopy'. The dog is back, and with more bite - looking beyond just Wi-Fi. Also, he's now airborne via a quadcopter.

presented by

Glenn Wilkinson

The Savage Curtain: Mobile SSL Failures

Organizations are all so anxious to reach their "mobile moment", but are failing miserably at securing the mobile application traffic, in a variety of ways. We will review some of the common pitfalls with mobile application traffic encryption, how to test for vulnerabilities and a fool-proof method on how to prevent your organization from falling victim to these all too common errors. We will also be presenting a novel SSL/TLS attack, which could be used for a semi-permanent, nearly undetectable MitM attacks.

presented by

Tony Trummer &  Tushar Dalvi

What Can You Do to an apk Without its Private Key Except Repacking?

In Android, each apk should be signed with its developer's certificate before it is installed, while those without valid signature cannot be installed. Only those with valid signatures can be installed and run as expected. Generally speaking, without the private key, an attacker cannot forge a valid signature with the developer's certificate, then the the original apk can be prevented from modifying.

But is it absolutely true? Except repacking and resigning, what can we do to an apk without its private key? How to turn it into a "brick"? How to turn it into a "bomb"? Here we will bring some ideas to modify and attack a real downloaded apk, increasingly by its harm from light attack to medium attack, to heavy attack, and finally to serious attack, which are Certificate Cheater, Upgrade DoS, Hide and Ignite, and Shadows Everywhere detailed in this presentation.

presented by

Peng Xiao

Witchcraft for Windows Phone Breakers

Microsoft Windows Phone holds the third place in the smartphone market share, powering nearly 3% of the overall mobile devices. Despite having a modest degree of diffusion, the platform is experiencing a slow but continuous spreading in the business context and is becoming the "new BlackBerry", thanks to enterprise features included with Windows Phone 8.1 and the natively integration with the Microsoft products ecosystem. In addition, more and more banking institutes are extending their mobile banking apps offering, with the introduction of a Windows version (Silverlight or Universal App).

The "new role" of the platform, together with the criticality of security in the field of its employment, introduces a pressing need to research threats, exploiting techniques and secure coding strategies. The talk will detail a series of exploiting techniques, which could be leveraged to target vulnerable apps or perform local and network attacks against Windows Phone devices. The talk will also detail how an attacker could easily compromise application code integrity in order to backdoor pre-installed apps and spy on targeted victims, violating the confidentiality of sandboxed files.

presented by

Luca De Fulgentis