HackMiami_2017_Chemerkin_Yury_for_website.pdf

Yury Chemerkin, 52 slides, Jul 19, 2024

About This Presentation

Presentation by Yury Chemerkin on mobile device management, security features, and compliance issues. Analyzes security capabilities across different mobile operating systems and discusses common vulnerabilities.


Slide Content

THE RISE OF SECURITY ASSISTANTS
OVER SECURITY AUDIT SERVICES
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT

YURY CHEMERKIN
Yury Chemerkin has ten years of experience in information security. I'm a multi-skilled security expert on security & compliance, mainly focused on privacy and leakage showdown. Key activity fields are EMM, Mobile & Cloud Computing, IAM, Forensics & Compliance.
I have published many papers on mobile and cloud security and regularly appear at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc.
LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: [email protected]

MY RESEARCH TO READ, RELATED TO THE TOPIC
2014
Included results for ~200 apps; for cross-OS apps it provides protection concepts, OS specifics per concept, outlines & remediation, EMM specifics
“We know Twitter & Dropbox are better secured than bank apps!”
http://www.slideshare.net/EC-Council/hh-yury-chemerkin
http://defcamp.ro/dc14/Yury_Chemerkin.pdf
2015
Current Research ~700 apps (iOS, Android, BlackBerry, Windows, Mac OS apps)
+ Bonus: Security & Privacy Project (demo)
http://def.camp/wp-content/uploads/dc2015/Chemerkin_Yury_DefCamp_2015.pdf
2016
Refined to iOS and Android only
+ Bonus: Report + Security Project (alpha)
https://def.camp/wp-content/uploads/dc2016/Day%202/Yury_Chemerkin.pdf
2017 (Work in progress)
App security level is useful, but the ability to find the MIN data protection level is more valuable
+ Bonus: Report + Security Project (beta)
https://www.privacymeter.online/our-apps

MOBILE APPS BIG BANG: Y2011 - Y2014 - Y2017
Y2011 – viaForensics, which runs the appWatchdog web page, checked whether an app encrypted passwords, usernames, or actual email content before storing it on the phone. A full pass meant that all three were stored in encrypted form. An app received a warning if the username was left in plain text but password and content were encrypted. If either the password or content was stored in plain text, the app failed.
Y2014 – Researchers find data leaks in Instagram, Grindr, OoVoo and more. By sniffing out the details of network communications, University of New Haven researchers have uncovered a host of data-leakage problems in Instagram, Vine, Nimbuzz, OoVoo, Voxer and several other Android apps. The problems include storing images and videos in unencrypted form on Web sites, storing chat logs in plain text on the device, sending passwords in plain text, and in the case of TextPlus, storing screenshots of app usage that the user didn't take.
All in all, the researchers estimate 968 million people total use the apps.
Y2017 – 76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data. According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.
For 33 of the iOS applications, this vulnerability was deemed to be low risk (All data confirmed vulnerable to intercept is only partially sensitive analytics data about the device, partially sensitive personal data such as e-mail address, and/or login credentials which would only be entered on a non-hostile network).
For 24 of the iOS applications, this vulnerability was deemed to be medium risk (Confirmed ability to intercept service login credentials and/or session authentication tokens for logged in users).
For 19 of the iOS applications, this vulnerability was deemed to be high risk (Confirmed ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users).
https://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more/
https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1#.ea21dxqmw
http://www.cbsnews.com/news/want-to-protect-your-emails-dont-use-these-11-android-and-iphone-email-apps/

PUBLIC RESEARCH
“AN ANALYSIS OF THE PRIVACY AND SECURITY RISKS
OF ANDROID VPN PERMISSION-ENABLED APPS”
The BIND_VPN_SERVICE permission is a powerful Android feature that allows the requesting app to intercept, manipulate and forward all user's traffic to a remote proxy or VPN server of their choice or to implement proxies in localhost [93].
Android generates two warnings to notify users whenever an app creates a virtual interface using the VPN permission:
(i) a system dialog seeking users approval to create a virtual interface, and
(ii) a system-generated notification that informs users as long as the VPN interface remains active [60].
Third-party user tracking and access to sensitive Android permissions: 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages.
(Lack of) Encryption and traffic leaks: 18% of the VPN apps implement tunneling protocols without encryption. 84% and 66% of the analyzed VPN apps do not tunnel IPv6 and DNS traffic due to lack of IPv6 support, misconfigurations or developer-induced errors.
TLS interception: Four of the analyzed VPN apps compromise users' root-store and actively perform TLS interception in the flight. Three of these apps claim providing traffic acceleration services and selectively intercept traffic to specific online services like social networks, banking, e-commerce sites, email and IM services and analytics services.
https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf

CHECK BOOKLETS AT THE
REGISTRATION TABLE

PENTESTER vs. DEVELOPERS
https://youtu.be/Nh11A41klL4?t=50s

HACKING PEOPLE USING PUBLIC WI-FI
http://www.downvids.net/using-public-wifi-is-not-as-safe-as-you-think-you-never-know-who-is-watching-1110506.html

NO WEAKNESS IN NORMAL ACTIVITY
Data Leakage is data that becomes available when you perform typical activities. Instead, Vulnerability is a weakness of a program. Thus, Vulnerability ≠ Data Leakage, because there is no weakness in normal activities…
So, shut up and install our application :)

COMMON WEAKNESS OR VULNERABILITIES IN
DATA PROTECTION. EXCERPTS
Sensitive data leakage [CWE-200]
- Sensitive data leakage can be either inadvertent or side channel
- Protection can be poorly implemented, exposing it: Location; Owner ID info: name, number, device ID; Authentication credentials & tokens
- Target App Information is also sensitive (out of scope of CWE-200)
Unsafe sensitive data storage [CWE-312]
- Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off the file system, especially on removable disk like a microSD card or public folders (out of scope of CWE-312), such as banking and payment system PIN numbers, credit card numbers, or online service passwords
- There's no excuse for sandboxing without encryption here
Unsafe sensitive data transmission [CWE-319]
- Data must be encrypted in transmission lest it be eavesdropped by attackers, e.g. on public Wi-Fi
- If an app implements SSL, it could fall victim to a downgrade attack degrading HTTPS to HTTP.
- Another way SSL could be compromised is if the app does not fail on invalid certificates.
- There's no excuse for partial SSL validation here

OWASP MOBILE: PAST vs.NOW
Top 10 Mobile Risks 2012-2013
- M1: Insecure Data Storage
- M2: Weak Server Side Controls
- M3: Insufficient Transport Layer Protection
- M4: Client Side Injection
- M5: Poor Authorization and Authentication
- M6: Improper Session Handling
- M7: Security Decisions Via Untrusted Inputs
- M8: Side Channel Data Leakage
- M9: Broken Cryptography
- M10: Sensitive Information Disclosure
Top 10 Mobile Risks 2014-2015
- M1: Weak Server Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization and Authentication
- M6: Broken Cryptography
- M7: Client Side Injection
- M8: Security Decisions Via Untrusted Inputs
- M9: Improper Session Handling
- M10: Lack of Binary Protections
Top 10 Mobile Risks 2016-2017
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Y2017's Top 10 is upcoming
Slide annotations: Code Protection | Code Protection & Dev fails | Data Protection & Dev fails

THE BEST ‘WORST’ APPs. Everything in plaintext
AlterGeo
No updates since Spring Y2014. Everything in plaintext including Credentials
Weather Street Style
Sending Credentials & Geo to the server every 30 seconds
WeChat
Own protection over HTTP, except Location data - plaintext
Location 'n' Maps Information: Contact Media
Message Information: GEO & Address Data, GEO Snapshots, Place Details
Maxim Taxi (RU) (iOS & Android)
No Credit card is supported (?)
Meridian (RO) (iOS & Android)
Geolocation, Credentials, Account Info, Social Info
Cris Taxi Bucuresti (RO) (iOS & Android)
Geolocation, Credentials, Account Info, Social Info, Travel Info, Orders Info
Taxi 777 (RU) (iOS & Android)
Geolocation, Credentials, Account Info, Orders Info, Financial Info
Fix Taxi (RU) (Android)
Geolocation, Credentials, Account Info, Orders Info, Financial Info

WEIRD PROJECTS: FACEBOOK APPS
FACEBOOK, MESSENGER, PAGE MANAGER
~60 data items per each application
Application Information – MITMed, crafted cert is needed
Transaction History & Contact Short Profile
Credentials (IDs), Credentials (Passwords) and Credentials (Tokens)
Browser Information
Preview
Message Information
GEO Data
GEO Snapshots
The rest of the Data-in-Transit data is SSL pinned & Data-at-Rest data is in backup
Account Information, Address Book 'n' Contact Information, Analytics 'n' Ads Information,
Application Information, Credentials Information, Device Information, Events Information,
Location 'n' Maps Information, Media Information, Social Information
Media Data are in plaintext (Facebook Messenger)
Cached profile images

AEROEXPRESS. PCI DSS PASSED BUT FAILS
WITH ANTI-MITM
~20-25 data items per each application
Data-in-Transit Data Items
'Credentials Info' Group: Credentials (IDs, Activation IDs, Password)
'Loyalty Info' Group: Account Details
'Payment Info' Group: Card Full Information, Shorted Passport Data
'Orders Info' Group: Orders Details & History, Media Data (QR Ticket, URL for Ticket, Address Data - Railways Station), Shorted Passport Data
'Account Info' Group: Tracked Data & Favourites
Data-at-Rest Data Items (same data items)
According to PCI DSS docs, the app is required to:
prevent MITM, do SSL validation
not store payment details
Apps didn't have SSL validation for years until Apr 16th, 2017. Now a cert is needed to MITM
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
February Y2015
Aeroexpress has passed its PCI DSS certification. Now it is even safer for passengers to pay for online services provided by this express carrier. In early February, Aeroexpress passed its PCI DSS certification, which is aimed at ensuring the secure processing, storage and transfer of data about Visa and MasterCard holders. Given the PCI DSS certified security level, Aeroexpress passengers can pay for tickets via the website or the company's mobile app using bank cards and can be confident that their personal data and funds are safely secured.
Press Release: https://aeroexpress.tickets.ru/en/content/safety_payments.html
Press Release: https://aeroexpress.ru/en/press_releases/news20090589.html

COMPANIES' QUOTES
WHAT THEY THINK ABOUT INSECURITY
"Message data is stored in an unencrypted format because the operating systems (both iOS and Android) provide data isolation that prevents apps from having their storage read by other apps. This is considered standard in the industry, and is completely safe," Kik said in 2014. Now they went to the secure storage (Y'17)
Oxygen Forensics releases a maintenance version of Oxygen Forensic® Detective. Version 9.0.1 offers functionality and interface improvements of Oxygen Forensic® Cloud Extractor, Oxygen Forensic® Maps and Export Engine. It also adds data parsing from VideoLocker and KeepSafe applications and updates support for popular messengers: Kik Messenger, Facebook Messenger, Viber, WhatsApp, etc. The total number of supported app versions exceeds 2400!
Applications. Messengers. Updated support for Kik Messenger (10.16.1.9927) for Android OS devices.
https://www.cnet.com/news/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more/
https://www.oxygen-forensic.com/en/events/news/739-oxygen-forensic-detective-adds-support-for-new-applications-and-devices

EXTRACTING LOCAL DATA. EXAMPLES
Common OS techniques
Public tools incl. rooting scripts
Forensics solutions
Cellebrite
Oxygen Forensics
Elcomsoft
And more…

FORENSICS CLOUD FEATURES
Cellebrite
UFED Cloud Analyzer provides access to more than 25 private cloud data sources to help you attain the critical case evidence that often hides in cloud application data. See the full list below: Facebook, WhatsApp, Twitter, Gmail, Google Location History, Google My Activity, Google Photos, Google Chrome, Google Calendar, Google Contacts, Google Drive, Google Bookmarks, Google Tasks, Mail (IMAP), Dropbox, iCloud App, iCloud Calendar, iCloud Contacts, iCloud Drive, iCloud Photos, OneDrive, Instagram, KIK, VK, Telegram, iCloud Notes, iCloud Reminder, iCloud Location
Oxygen Forensic® Detective
Oxygen Forensic® Detective acquires data from more than 30 cloud storages: iCloud contacts and calendar, Google Drive, Google Location History, Live contacts and calendar, OneDrive, Dropbox and Box as well as from a wide range of social media including Twitter and Instagram
Elcomsoft Cloud eXplorer
Acquire information from users' Google Account with a simple all-in-one tool! Elcomsoft Cloud Explorer makes it easier to download, view and analyze information collected by the search giant, providing convenient access to users' search and browsing history, page transitions, contacts, Google Keep notes, Hangouts messages, as well as images stored in the user's Google Photos account.
Elcomsoft Phone Breaker
Cloud acquisition is an alternative way of retrieving information stored in mobile backups produced by Apple iOS, and the only method to explore Windows Phone 8 and Windows 10 Mobile devices. Elcomsoft Phone Breaker can retrieve information from Apple iCloud and Windows Live! services provided that original user credentials for that account are known.
The Forensic edition of Elcomsoft Phone Breaker enables over-the-air acquisition of iCloud data without having the original Apple ID and password. Password-free access to iCloud data is made possible via the use of a binary authentication token extracted from the user's computer.
Elcomsoft Phone Breaker supports accounts with Apple's two-step verification as well as the new two-factor authentication. Access to the second authentication factor such as a trusted device or recovery key is required. You will only need to use it once as Elcomsoft Phone Breaker can save authentication credentials for future sessions.
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/cloud-data-extraction
http://www.cellebrite.com/Pages/ufed-cloud-analyzer
https://www.elcomsoft.com/ecx.html
https://www.elcomsoft.com/eppb.html

CELLEBRITE UNLOCKING CAPABILITIES
Cellebrite Advanced Investigative Services (CAIS) experts provide law enforcement
agencies with forensically sound, early access to sensitive mobile digital intelligence.
Advanced Technical Services provide:
Unlocking and extraction of Apple iPhone 4S, 5, 5C, 5S, 6, 6 Plus, iPad 2, 3, 4,
iPad Air, iPad mini 1, 2, 3, 4, iPod touch 5G, 6G
Unlocking and decrypted physical extraction of Samsung Galaxy S6, S6 edge,
S6 edge+, S6 active, A5, A7, A8, J1, J7, Note 5, S7, S7 edge, S7 edge, S7
active
Decrypted Physical extractions available for most models
Limitations may apply based on iOS/Android version and Security patch level
http://go.cellebrite.com/cais_unlock

OXYGEN FORENSIC DETECTIVE
Oxygen Forensic® software retrieves all vital application data from mobile devices running iOS, Android OS, BlackBerry 10, Windows Phone 8. The program is able to decrypt apps databases even if they are securely encrypted.
Currently 370 unique applications and 2760+ app versions are supported.
Social Networks, Dating, Messengers, Web Browsers, Navigation, Travel, Finance, Productivity, Health, Games
Android Rooting add-on grants access to: Full file system, Applications data, Geo-location information, Deleted data
No 100% successful rooting is guaranteed. The procedure is available for most Android devices with versions 1.6-2.3.4 and 3.0-5.1
The Jet-Imager module allows creating full physical dumps from Android devices on average up to 25% faster. The extraction speed depends on how much data the device has. For example, 16GB can be extracted in 5-7 minutes, 32Gb – in 8-10 minutes.
Currently there are two extraction methods in the Jet-Imager module:
physical extraction via custom forensic recovery (Samsung)
physical extraction of pre-rooted devices
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/jet-imager
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/analyst/android-rooting-addon
https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/analyst/applications

ELCOMSOFT iOS FORENSIC TOOLKIT
Support for 32-bit and 64-bit iOS Devices
All devices: Logical acquisition is available for all devices regardless of jailbreak status / iOS version. Supports lockdown files for accessing passcode-protected devices.
Legacy: Unconditional physical acquisition support for legacy devices (iPhone 4 and older) regardless of iOS version and lock status
32-bit: Full physical acquisition support of jailbroken 32-bit devices running all versions of iOS up to and including iOS 9.3.3 (iPhone 4S through 5C, iPad mini)
64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS for which a jailbreak is available (iPhone 5S, 6, 6S and their Plus versions, iPad mini 2 through 4, iPad Air, Air 2)
iOS 9.3.4, 9.3.5, iOS 10.x: Logical acquisition only for iPhone 7, 7 Plus and all other devices running iOS 10 or versions of iOS 9 without jailbreak. Device must be unlocked with passcode, Touch ID or lockdown record
Locked: Limited acquisition support for jailbroken 32-bit and 64-bit iOS devices that are locked with an unknown passcode and cannot be unlocked
Compatible Devices and Platforms
The Toolkit fully supports the following iOS devices, running all iOS versions up to iOS 7; no jailbreaking required, passcode can be bypassed or quickly recovered:
iPhone (original), iPhone 3G, iPhone 3GS, iPhone 4 (GSM and CDMA models), iPad (1st generation), iPod Touch (1st-4th generations)
Physical acquisition is available for the following models (requires jailbreak with OpenSSH installed)
iPhone 4S, iPhone 5, iPhone 5C, iPod Touch (5th gen), iPad 2, iPad with Retina display (3rd and 4th generations), iPad Mini
The following (64-bit) models are supported via physical acquisition for 64-bit devices, regardless of iOS version (up to 9.3.3):
iPhone 5S, iPhone 6, iPhone 6 Plus, iPhone 6S, iPhone 6S Plus, iPad Air, iPad Air 2, iPad Mini 2/3/4, iPad Pro
All other devices including iPhone 7/7 Plus as well as devices running iOS 10.x, 9.3.4 and 9.3.5 are supported via logical acquisition (must be unlocked with passcode, Touch ID or lockdown record).
Supported operating systems:
iOS 1-5
iOS 6.0-6.1.2 (with evasi0n jailbreak)
iOS 6.1.3-6.1.6 (with p0sixspwn jailbreak)
iOS 7.0 (with evasi0n jailbreak)
iOS 7.1 (with Pangu 1.2+ jailbreak)
iOS 8.0-8.1.2 (with TaiG, PanGu or PP jailbreak)
iOS 8.1.3-8.4 (with TaiG 2.0 jailbreak)
iOS 9.0-9.1-9.2-9.3.3 (with PanGu jailbreak)
iOS 9.3.4-10.x (via logical acquisition only)
https://www.elcomsoft.com/eift.html
Decrypt keychain items, extract device keys (32-bit devices only)
Keychain is extracted but cannot be decrypted with 64-bit device except the known/empty backup passcode; passcode must be removed in iOS settings
Passcode is not required
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including the following: Email messages; Most keychain records (stored login/password information); Certain third-party application data, if the application requested strong encryption.
iOS 8.x through 10.x: most information is protected. Without the passcode, only a very limited amount of data: Call log that includes all incoming and outgoing calls (including FaceTime), Voicemail, All settings and options, List of installed apps, Many log files including download and update histories, service launch logs and many other system and application logs, Various temporary files
Simple 4-digit passcodes recovered in 10-40 minutes
https://www.elcomsoft.com/eift.html

UNSECURED WI-FI.
FREE WI-FI IN A CITY (UNDERGROUND/SUBWAY, PARKS,
BUS & BUS STOP, … EVERYWHERE)

SSL ISSUES: Apps, Mozilla, WoSign,
Apple, Google
Applications handle SSL connections in different ways:
- Some don't validate the SSL certificate during the connection or are affected by SSLStrip attacks
- Many trust the root SSL certificates installed on the device when validating SSL
- Some have a pinned SSL certificate and trust it only
Trusting root certificates might not be a good idea
Mozilla reports that WoSign & StartCom roots are cross-signed by other trusted or previously-trusted roots (expired but still unrevoked):
WoSign issued ~1,500 invalid certificates. Apple removes these from iOS & Mac
Despite revoked CAs, StartCom and WoSign continue to sell certificates. So, Apple (Safari), Mozilla (Firefox) and Google (Chrome) are about to stop trusting them
Symantec API Flaws reportedly let attackers steal Private SSL Keys & Certificates. Symantec knew of API Flaws Since 2015
The flaw, discovered by Chris Byrne, an information security professional, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates.
Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attacks over the secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted.
https://support.apple.com/en-us/HT204132
http://thehackernews.com/2017/03/symantec-ssl-certificates.html

GOVERNMENT AND NETWORK SECURITY
Online surveillance. Microsoft may be accidentally helping Thailand's government spy on its citizens
A new report from Privacy International entitled "Who's That Knocking at My Door? Understanding Surveillance in Thailand" says a Microsoft policy involving root certificates enables the state to monitor encrypted communications sent via email or posted on social media sites. Microsoft says that the certificate meets the company's standards.
While Apple's macOS does not include the Thai root certificate by default, Microsoft Windows does, and Privacy International says this leaves users of that operating system open to attack or surveillance. Windows accounts for over 85 percent of the desktop computing market in Thailand, according to StatCounter.
Kazakhstan is going to start intercepting HTTPS traffic via "man-in-the-middle attack" starting Jan 1, 2016
The law was accepted in December, but now one of the providers announced information for small and medium business on how to install the government-provided root SSL certificate: https://goo.gl/yzGzPp
Update, Contribution with Mozilla:
Mozilla bug report – Add Root Cert of Republic of Kazakhstan
Mozilla CA Program (in pdf)
Gov Cert of Kazakhstan
https://news.vice.com/story/microsoft-may-be-accidentally-helping-thailands-government-spy-on-its-citizens
https://www.reddit.com/r/sysadmin/comments/3v5zpz/kazakhstan_is_going_to_start_intercepting_https/

BYPASSING NETWORK SECURITY FOR $0
How To: Use mitmproxy to read and modify HTTPS traffic
https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
Use SSLsplit to transparently sniff TLS/SSL connections – including non-HTTP(S) protocols
https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
How To: DNS spoofing with a simple DNS server using Dnsmasq
https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/
Rogue AP Setup
https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-invisible-rogue-access-point-siphon-off-data-undetected-0148031/
Kali Linux Evil Wireless Access Point
https://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
Bettercap – mixed features
https://www.bettercap.org/docs/proxying/http.html
https://www.bettercap.org/docs/servers/dns.html
https://www.bettercap.org/docs/proxying/custom.html
… and so on :)

MOBOMARKET
- App v2
- SSL worked but MITM was possible (preinstalled cert?)
- Privacy Policy
“We encrypt our services and data transmission using SSL”
“You're responsible for privacy”. Just do it yourself
In March 2016
Slide #48, http://goo.gl/wPfmgM
- App v3
- Everything is in plaintext by HTTP, even app installers (APK)
- Privacy Policy
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information & data stored on Site
Official Website http://goo.gl/FYOXjE
MOBOMARKET (ANDROID APP STORE), BEST ONE IN CHINA & INDIA

GOOGLE MAPS, TRELLO, SWARM, FOURSQUARE, PLAZIUS
Google Maps: SSL Pinned to Not Pinned (MITM is available by crafted certificate)
~24-31 data items per each iOS & Android app
Address Data (what you're typing in the search field) – was pinned
Other items are still MITMed with crafted certificate
Trello: SSL Pinned to Not Pinned (MITM is available by crafted certificate)
~25 data items per each iOS & Android app – was pinned
'Credentials Info' Group: Credentials (IDs, Password)
'Account Info' Group: Account Data, Media Data (Profile Images)
'Tasks Info' Group: Tasks, Sync Docs, Doc List, URLs
Foursquare & Swarm: Non-protected Media, iOS fixed – can be MITMed via crafted cert
~30-40 data items per each application
'Account Info' Group: Media Data (Profile Images) – iOS & Android not fixed
'Media Info' Group: Place Details (Place & Building photos) – iOS fixed
'Geo Info' Group: Place Details (textual), Media Data (City photos) - iOS fixed
Plazius: Random fixes
~20-25 data items per each application
Apps written for iOS < 10 DO NOT HAVE SSL validation
Apps written for iOS 10+ only got fixes (MITM with crafted certificate still works)
Android Apps HAVE SSL Pinning

- Before Summer/Autumn 2016
eFax
Media faxes are PINNED, but Media URL of faxes, Credentials & rest data are MITMed (Cert)
Evernote
Everything is PINNED, except Social credentials of LinkedIn
Locally stored data
Accessible via iTunes incl. all DBs
- Since Autumn 2016
eFax
MITM with preinstalled/crafted/stolen CERT
Applies to all data items
Evernote
Everything is MITMed with preinstalled/crafted/stolen CERT
Location data is not protected
Documents & Location Info: GEO Data & Address Data
- Since March 2017
eFax
MITM with preinstalled/crafted/stolen CERT
Applies to all data items
Evernote
Everything Pinned (Android only)
Location data is Pinned (Android)
Documents & Location Info: GEO Data & Address Data
EVERNOTE AND EFAX
eFax – weird SSL Pinning
Evernote – downgraded from Pinning
Evernote for Android (March, 2017) – Pinned everything

INSTAGRAM: “LONG ROAD TO SECURITY”
FROM INSECURITY TO SECURITY
THROUGH THE SECURITY & INSECURITY
- Media Data = Advertisement, Profile images, your photos and so on…
- Y2014: Media data transferred as is without protection; hosted on AWS S3
- Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet.
- Y2015: Media data transferred over HTTPS and hosted on Amazon Storage Service (AWS S3); Crafted cert to MITM needed
- Y2016: Media data transferred as is without protection and hosted on own Instagram storages
- Y2017 - iOS: Media data transferred over HTTPS; Crafted cert to MITM needed
- Y2017 - Android: Media data transferred as is without protection; the rest data is SSL PINNED

IOS. ENABLE A USER ROOT CERT TO BYPASS
A SYSTEM-WIDE ANTI-MITM TECHNOLOGY
Apple introduced on iOS 10+ a new network security enhancement. That enhancement prevents 3rd parties from listening to network requests coming out of the app; it is controlled by enabling or disabling trust for user-installed root certificates.

ANDROID 7. REPACK APK TO BYPASS A
SYSTEM-WIDE ANTI-MITM TECHNOLOGY
Google introduced on Android 7.0 new network security enhancements. Those new enhancements prevent 3rd parties from listening to network requests coming out of the app. More info:
1) https://developer.android.com/training/articles/security-config.html
2) http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html
This script injects into the APK network security exceptions that allow 3rd party software, like Charles Proxy / Fiddler, to listen to the network requests and responses of the app.
Download the script and the xml file and place them in the same directory.
You will need apktool and android sdk installed. I recommend using brew on Mac to install apktool (brew install apktool)
The script takes 2 arguments:
1) Apk file path. 2) keystore file path (optional - Default is: ~/.android/debug.keystore)
Examples
./addSecurityExceptions.sh myApp.apk or ./addSecurityExceptions.sh myApp.apk ~/.android/debug.keystore
https://github.com/levyitay/AddSecurityExceptionAndroid
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain>android.com</domain>
        ...
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
        <pin-set>
            <pin digest="...">...</pin>
            ...
        </pin-set>
    </domain-config>
    ...
    <debug-overrides>
        <trust-anchors>
            <certificates src="..."/>
            ...
        </trust-anchors>
    </debug-overrides>
</network-security-config>

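As an added example (not code from the slides or from the AddSecurityExceptionAndroid project), a Python linter that reads a network_security_config.xml and flags the exceptions described above: user-installed CAs as trust anchors, debug overrides left in a release build, cleartext traffic, and weak pin-sets. The sample configs, domain names and pin values are constructed for this example.

```python
"""Lint an Android network_security_config.xml for settings that weaken TLS.

Added example (not code from the slides or from the AddSecurityExceptionAndroid
project); every config below is a constructed sample."""
import base64
import xml.etree.ElementTree as ET
from typing import List

# Constructed: the shape a config takes once user CAs are trusted for every
# domain, so a proxy's root certificate is accepted app-wide.
WEAKENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors><certificates src="user"/></trust-anchors>
    </debug-overrides>
</network-security-config>"""

# Constructed: pinning done badly (single pin, no expiration, malformed digest).
WEAK_PIN_CONFIG = """<network-security-config>
    <domain-config>
        <domain>pinned.example.com</domain>
        <trust-anchors><certificates src="user"/></trust-anchors>
        <pin-set><pin digest="SHA-256">not-a-valid-digest</pin></pin-set>
    </domain-config>
</network-security-config>"""

# Constructed dummy 32-byte digests, not pins of any real certificate.
PIN_A = base64.b64encode(b"\x01" * 32).decode()
PIN_B = base64.b64encode(b"\x02" * 32).decode()

# Constructed: system CAs only, no cleartext, primary + backup pin with expiry.
HARDENED_CONFIG = f"""<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-12-31">
            <pin digest="SHA-256">{PIN_A}</pin>
            <pin digest="SHA-256">{PIN_B}</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


def _check_pin_set(label: str, pin_set: ET.Element) -> List[str]:
    """Pin-set checks: expiry present, backup pin present, well-formed SHA-256 pins."""
    out: List[str] = []
    if pin_set.get("expiration") is None:
        out.append(f"{label}: pin-set has no expiration date")
    pins = pin_set.findall("pin")
    if len(pins) < 2:
        out.append(f"{label}: pin-set has {len(pins)} pin(s), no backup pin")
    for pin in pins:
        if pin.get("digest") != "SHA-256":
            out.append(f"{label}: unsupported pin digest {pin.get('digest')!r}")
            continue
        try:
            raw = base64.b64decode((pin.text or "").strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:
            out.append(f"{label}: pin is not a base64 32-byte SHA-256 digest")
    return out


def lint_network_security_config(xml_text: str, release_build: bool = True) -> List[str]:
    """Return findings for one config; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    # base-config and every (possibly nested) domain-config is a trust scope.
    for scope in root.iter():
        if scope.tag not in ("base-config", "domain-config"):
            continue
        label = scope.tag
        if scope.tag == "domain-config":
            domains = [d.text.strip() for d in scope.findall("domain") if d.text]
            label = f"domain-config({', '.join(domains)})"
        if scope.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f'{label}: cleartextTrafficPermitted="true"')
        # Android 7+ stops trusting user-added CAs by default; src="user" turns them
        # back on for this scope, which is the exception the slide's script injects.
        for cert in scope.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f'{label}: trusts user-installed CAs (src="user")')
        for pin_set in scope.findall("pin-set"):
            findings.extend(_check_pin_set(label, pin_set))
    # Android honours debug-overrides only when android:debuggable is set, but a
    # release config that still carries them deserves a look.
    if release_build and root.find("debug-overrides") is not None:
        findings.append("debug-overrides present in a release configuration")
    return findings
```

Running the linter over the config pulled from a decoded APK (apktool output, res/xml/) shows whether the trust anchors have been widened the way the slide describes.
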
iOS MASQUE ATTACK WEAPONIZED:
A REAL WORLD LOOK
FireEye has recently uncovered 11 iOS apps within the Hacking Team’s arsenals that
utilize Masque Attacks, marking the first instance of targeted iOS malware being
used against non-jailbroken iOS devices.
These apps are reverse engineered and weaponized versions of popular social
networking and messaging apps, including: WhatsApp, Twitter, Facebook, Facebook
Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype,
Telegram, and VK.
Unlike the normal versions of these apps, they come with an extra binary designed
to exfiltrate sensitive data and communicate with a remote server. Because all the
bundle identifiers are the same as the genuine apps on App Store, they can directly
replace the genuine apps on iOS devices prior to 8.1.3.
https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html

AN EXAMPLE OF THE RUNTIME BEHAVIOR
OF THE REPACKAGED FACEBOOK APP
https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html

APPS FINDINGS. OVERALL RESULTS
250 apps = 135 iOS apps + 115 Android apps
8124 data items = 4287 (iOS) + 3837 (Android)
20+ application groups (17 unique groups)
30 data groups & 105 data items over 8K data items
462 unique pairs of data group & data item
News & Magazines
Productivity
Shopping
Social Networking
Tools & Utilities
Transportation
Travel & Local
Weather
Business
Communication
Entertainment
Finance
Food & Drink
Lifestyle
Photo & Video
Music
Navigation

COMPARING UP-TO-DATE OS AND OUTDATED OS OVER 250 APPS
[Bar chart, scale 0-9. Categories: Av. OS Protection Level, Av. DIT Protection Level, Av. DAR Protection Level. Series: Android 7+, iOS 10+, Android < 7, iOS < 10. Data labels as extracted, in chart order: 4.25, 4.72, 3.60, 4.61, 4.33, 4.97, 4.02, 4.29, 3.64, 4.37, 3.91, 4.97]

QUANTITY OF APPLICATIONS PER THE PROTECTION GROUP
Platform | Worst applications | Bad applications | Good applications | Best applications
iOS | 27.41% | 100.00% | 97.04% | 30.37%
Android | 24.35% | 100.00% | 93.04% | 24.35%
iOS old | 27.41% | 100.00% | 97.04% | 30.37%
Android old | 24.35% | 100.00% | 30.43% | 20.87%

QUANTITY OF APPLICATIONS WITHOUT ENCRYPTION <-> WITH ENCRYPTION
[Two bar charts, series DIT and DAR, categories iOS, Android, iOS & Android. Left chart (scale 0-100%), data labels as extracted: 27.41%, 30.43%, 17.60%, 97.78%, 100.00%, 58.80%. Right chart (scale 0-30%), data labels as extracted: 20.74%, 20.87%, 12.40%, 28.89%, 19.13%, 19.60%]

THE QUANTITY OF PROTECTED DATA ITEMS VS. OS IMPACT.
[Bar chart, scale 0-50%. Categories: Worst All, Worst iOS, Worst Android, Best All, Best iOS, Best Android. Series: Env., Raw. Data labels as extracted: 4.17%, 3.97%, 4.41%, 1.38%, 1.70%, 1.51%, 36.54%, 27.81%, 46.30%, 4.20%, 4.25%, 4.14%]

APPS WITH WORST PROTECTED DATA ITEMS AND THEIR PROTECTION LEVEL
[Bar chart, 0..6 axis, series Env (iOS), Raw (iOS), Env (Android), Raw (Android); bar values not recoverable from the extraction. Apps shown: AlterGeo, Anywayanyday, AppCompass, Aviasales, Booking.com, British Airways, British Airways for iPad, Cinemagia, Cris Taxi Bucuresti, DayCost, eFax, Evernote, Facebook Messenger, Fixtaxi (Aerotaxi), Flight Safe Today, Flipboard, Fly Delta, Fly Delta for iPad, Foursquare, IHG, Instagram, KliChat, Marriott, Meridian Taxi, momondo, NS Wallet PRO, OK Messages, ParkSeason, Pinterest, Skyscanner, Skyscanner - Hotel Search, Swarm, Taxi 777, Velobike, VK, Weather Street Style, WeChat]

ISSUE:
SAME DATA ITEMS, DIFFERENT PROTECTION LEVEL
The same data items (one password, card data, passport, etc.) are handled by several apps
Different protection levels across these apps mean the worst-protected one burns your security down
'Account Info' Group: Account Data, Account Details
'Application Info' Group: URLs (URL to binary installer files)
'Browser Info' Group: Card Full Info (with CVC/CVV)
'Credentials Info' Group: Credentials (Tokens, IDs, Password, Activation IDs)
'Financial Info' Group: Card Short Info (no CVC/CVV), Favourites Cards
'Geolocation Info' Group: Geo, Address Data, Place Details, Favourites Addresses, Media
'Orders Info' Group: Orders Details & History
'Travel Info' Group: Geo, Address Data, Trips Info
'Social Info' Group: Account Data, Credentials (Tokens, IDs, Password), Device Environment

CONCLUSIONS
• An app designed in compliance with the Apple and Google security guidelines gets the minimal level of protection, and only if it is done in the right way
• "There is nothing like data leakage besides vulnerabilities." OWASP strongly disagrees
• "I believe my app has good protection." Okay, don't forget to check it on the forensics web-site :)
• Privacy Policy and other statements about security don't guarantee anything
• "It works only with root/jailbreak." There are backup copies that keep plenty of awesome data inside
• Tell that to the forensics teams and check it on the forensics web-site again :)
• "A crafted SSL certificate to perform MITM is not a global issue." What about stolen, revoked and government root certificates then?
• "Android 7 prevents MITM attacks." Yes, but only together with other requirements (no alternative app market, no repackaged apps, no root, no apps from unknown sources)
• "iOS 10 prevents MITM attacks via root user certificates." Users can enable or disable installed certificates
• "The next update is going to bring fixes?" No, it is even possible to get a worse protected release
• But we keep an eye on new releases
• "Many apps are not well protected, should I ignore it?" No, keep an eye on security update news

SOLUTIONS: FOR DEVELOPERS
• Secure Mobile Development Guide by NowSecure
  - Coding Practices
  - Handling Sensitive Data
  - iOS & Android Tips
  - etc.
https://books.nowsecure.com/secure-mobile-development/en/index.html

SOLUTIONS: DATA PROTECTION DBs
• We [as security experts] know what data is protected and not protected, regardless of whether it is locally stored, transferred or hardcoded
• Also, we know two simple things
  • not only users publish their data
  • developers can't protect data
• At the same time we're customers, right?
  • As a customer I prefer, and have a right, to know where devices shouldn't be connected to a network or plugged into a PC/Mac.
  • Developers aren't going to tell me if they fail. Instead they're telling me 'everything is OK, but they're not responsible for anything'

SOLUTIONS: DATA PROTECTION DBs
• The goal is to provide a solution that helps to keep 'everyone' informed about app security fails.
• Everyone means
  • app users as well as app developers
  • you don't need to be an expert to understand how it affects you; you just know whether it has the required level of protection or not
  • but you have to get used to the fact that your application operates on a lot of data, visible and not visible to you, beyond the blueberry muffins over the weekend

Vulnerabilities matter, but they have existed for over 40 years
A vulnerability is a defect/flaw in the design of the dev's code or of third-party libraries
Lack of data protection is usually insecurity by design plus implementation fails
Even OWASP by now considers data protection a more important thing than vulnerabilities
Lack of data protection is described by 3 vulnerabilities in data protection:
sensitive data leakage (CWE-200), storage (CWE-312), transmission (CWE-319)
PrivacyMeter gives answers about (at the moment)
  list of apps and average values (Raw value, Environment value depending on OS)
  list of app data items grouped by 'protection levels/categories'
  data item protection level and explanation
  examination of the privacy policy in regard to the gained app results
Results are available on the web-site http://www.privacymeter.online/ (see booklets!)
Download the Autumn Report at http://www.privacymeter.online/reports (see booklets!)
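The two points above, that a data item shared by several apps is only as protected as its weakest holder (the 'ISSUE' slide) and that missing data protection maps onto CWE-312, CWE-319 and CWE-200 (this slide), as an added worked example. This is not code from the presentation or from the PrivacyMeter project; the app names, data items, the storage/transit states and the 0..3 scores are constructed sample input and an assumed scale, not PrivacyMeter's own levels.

```python
"""Weakest-link scoring of shared data items across apps.

Added example, not code from the presentation or from PrivacyMeter:
one data item handled by several apps is only as protected as its weakest
holder, and cleartext findings map onto CWE-312 (cleartext storage),
CWE-319 (cleartext transmission) and CWE-200 (information exposure).
Apps, data items, states and the 0..3 scores are constructed/assumed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed protection states for data at rest (DAR) and data in transit (DIT);
# higher is better. "os_protected" means only the platform's default file
# protection applies (roughly what the slides call the Environment level).
DAR_SCORE = {"plaintext": 0, "os_protected": 1, "app_encrypted": 2, "not_stored": 3}
DIT_SCORE = {"plaintext": 0, "tls": 2, "tls_pinned": 3, "not_sent": 3}


@dataclass(frozen=True)
class Finding:
    app: str        # hypothetical app name (constructed)
    data_item: str  # e.g. "Password", "Card Full Info"
    group: str      # data group as on the 'ISSUE' slide
    dar: str        # key into DAR_SCORE
    dit: str        # key into DIT_SCORE


def cwes_for(f: Finding) -> list[str]:
    """CWE ids describing a finding; empty when nothing is handled in cleartext."""
    cwes: list[str] = []
    if f.dar == "plaintext":
        cwes.append("CWE-312")  # cleartext storage of sensitive information
    if f.dit == "plaintext":
        cwes.append("CWE-319")  # cleartext transmission of sensitive information
    if cwes:
        cwes.append("CWE-200")  # exposure of sensitive information to an unauthorized actor
    return cwes


def item_score(f: Finding) -> int:
    """A data item is as weak as the weaker of its storage and transit handling."""
    return min(DAR_SCORE[f.dar], DIT_SCORE[f.dit])


def app_levels(findings: list[Finding]) -> dict[str, float]:
    """Average item score per app: a rough per-app protection level."""
    per_app: dict[str, list[int]] = defaultdict(list)
    for f in findings:
        per_app[f.app].append(item_score(f))
    return {app: round(sum(s) / len(s), 2) for app, s in per_app.items()}


def betrayers(findings: list[Finding]) -> dict[str, tuple[str, int, list[str]]]:
    """Per data item, the app with the lowest score (the 'betrayer' app).

    Because the same password or card is reused across apps, the effective
    protection of that item everywhere is bounded by this app; on ties the
    first app seen is kept.
    """
    worst: dict[str, tuple[str, int, list[str]]] = {}
    for f in findings:
        s = item_score(f)
        if f.data_item not in worst or s < worst[f.data_item][1]:
            worst[f.data_item] = (f.app, s, cwes_for(f))
    return worst


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines: per-app levels, then the weakest holder per item."""
    lines = [f"{app}: level {lvl}" for app, lvl in sorted(app_levels(findings).items())]
    for item, (app, score, cwes) in sorted(betrayers(findings).items()):
        tag = ", ".join(cwes) if cwes else "no cleartext finding"
        lines.append(f"{item}: weakest in {app} (score {score}; {tag})")
    return lines


# Constructed sample findings: three hypothetical apps sharing three data items.
SAMPLE = [
    Finding("BankApp", "Password", "Credentials Info", "app_encrypted", "tls_pinned"),
    Finding("BankApp", "Card Full Info", "Financial Info", "not_stored", "tls_pinned"),
    Finding("TravelApp", "Password", "Credentials Info", "plaintext", "tls"),
    Finding("TravelApp", "Card Full Info", "Financial Info", "plaintext", "plaintext"),
    Finding("TravelApp", "Address Data", "Geolocation Info", "os_protected", "tls"),
    Finding("ChatApp", "Password", "Credentials Info", "os_protected", "tls"),
    Finding("ChatApp", "Address Data", "Geolocation Info", "plaintext", "tls"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running it on the constructed sample shows why the per-app average is not enough on its own: BankApp scores well, but the password it protects is also stored in cleartext by TravelApp, so the report names TravelApp as the betrayer app for "Password" and "Card Full Info", and ChatApp for "Address Data". That per-item view is what the 'Find Betrayer App per Data' section of the project is about.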

PRIVACYMETER. PROJECT
App Section (Goal):
Find averagely bad app
Overall results
List of apps
Filtering by app level
Local & Network Data

PRIVACYMETER. PROJECT
App’s Data Section (Goal):
Find bad data item
Check if the new OS is better
App’s Level
List of Data Items
App Data’s Level filters
All app levels by OS ver.
Data’s Level Explanation

PRIVACYMETER. PROJECT
Data Section (Goal):
Find Betrayer App per Data
List of Data Items
Data’s Level filters
App related to Data
Data App’s Level filters
Data’s Level Explanation

PRIVACYMETER. PROJECT.
UPCOMING FEATURES
Custom App List (already done)
Android Apps Synchronize (already done)
Forensics affected devices (which is in a forensics list and crackable)
Custom Data List (important data tracking)
New simple data naming
Profiles & Alerting
Simple explanations and advices for users
Sorting by name, level and so on
More cool features…

https://goo.gl/eR8MWh
THE RISE OF SECURITY ASSISTANTS OVER
SECURITY AUDIT SERVICES

THE RISE OF SECURITY ASSISTANTS
OVER SECURITY AUDIT SERVICES
HOW TO CONTACT ME ?
ADD ME IN LINKEDIN:
HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN
SEND A MAIL TO: [email protected]