Blog

  •

    How to carry out mobile app risk assessments

    5.00 of 27 votes

    If you work for a large organisation, the chances are that a requirement may occasionally surface for a new mobile app to be deployed on company-issued mobile devices for staff usage. This post is to help guide security analysts and engineers on how they can use MobSF to carry out basic internal security reviews of any mobile applications that their respective organisation may intend to deploy for their end users. Please note that this blog post is high-level, intended for moderately technical audiences, and is limited in scope to only static analysis of Android apps. I may cover more involved assessment methodologies via dynamic analysis in a future post. Requirements A Linux OS (in this guide I'll be using Kali) Some basic CLI experience A dedicated Android device which is rooted (optional)   Installing and deploying MobSF To get started we can leverage the open-source Mobile Security Framework, more commonly known as MobSF, to automate static analysis and generate a report. Install MobSF using: git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.gitcd Mobile-Security-Framework-MobSF./setup.sh Update MobSF using: git pull origin master. venv/bin/activatepip install --no-cache-dir --use-deprecated=legacy-resolver -r requirements.txtpython manage.py makemigrationspython manage.py makemigrations StaticAnalyzerpython manage.py migratedeactivate Deploy MobSF using: ./run.sh 127.0.0.1:8000 Obtain an APK file for analysis: To interrogate the compiled binaries and functionality for analysis, MobSF requires the raw APK file of the desired app. APK files can be obtained a number of ways, and the process can differ between free and paid-for apps. I plan to create a separate blog post in the future which helps guide through the process I've standardised for myself involving a rooted Android device. For now I might recommend trying third-party services such as APK Pure. Upload an APK file for analysis: From here you can upload any .apk binary for static analysis. Note, any uploaded file should be a raw .apk and not the compressed .zip container or .xapk package in which the .apk files usually reside.If an .xapk package is sourced, you can extract the raw .apk files from this by renaming the filename to a .zip extension. For example, if the filename is com.riggsmobileapp.xapk, rename this to com.riggsmobileapp.zip, open the .zip, then pull out the .apk file(s) you wish to analyse and submit them into MobSF for analysis. Third-party app providers also reserve the ability to supply these files and may do so upon request. Review the generated report: Once static analysis is complete, MobSF will produce a report detailing its findings. These can be interactively navigated using the categories listed within the left sidebar, or exported into a PDF file using the PDF Report button. What should your assessment of the MobSF report aim to cover? This will largely depend on the mobile app and on your organisational risk appetite for introducing new mobile apps into their environment. Below I will expand on some key areas I think are worth reviewing, but please note that these should not be considered exhaustive. Application permissions The functionality and access of an app are determined by its permissions. These permissions vary, spanning from the ability to retrieve data stored on the mobile device, such as contacts and media files, to operating certain hardware components like the device's camera or microphone.This information can be found in the following location of the report: Permissions The Permissions tab provides detailed information about permissions extracted from the AndroidManifest.xml file. This file in an Android application is responsible for declaring the permissions the app needs, along with many other settings. Within this tab you should see a list of permissions the app has requested and brief descriptions of what those permissions allow the app to do. You should pay particular attention to any permissions which do not align with the app's described purpose and that can potentially compromise user privacy or the device security. Network traffic In static analysis, it's useful to assess specific destinations, or servers, to which an app dispatches data and the sources from where it extracts data. This means it's useful to consider the server's credibility, the integrity of the connections (whether they're all secured or only a fraction of them), and the nature of information returning via these links (for example, whether malware or phishing attacks are originating from a previously considered safe URL).This information can be found in the following locations of the report: Reconnaissance > Hardcoded Secrets Check for any URLs which might be hardcoded as destination servers. Assess if any shown are unexpected (in the context of the application purpose) and consider manual review of their IP reputation and conduct reverse-lookups to identify any anomolies. Malware Analysis > Domain Malware Check Check for any URL domains within the report which indicate a suspicious status. This may indicate that the app communicates with a server domain that is known to have been associated with malicious activities in the past. While the report can offer some information about the usage of secure data transfer protocols, it may not provide a complete picture. The application could make decisions at runtime about which protocols to use, or it could use different protocols in different circumstances. For a more thorough analysis, you might need to intercept and inspect the application's network traffic using a tool like Burp Suite. Secure data transmission Android platforms by default employ TLS to protect all data transmitted to or from an Android device. However, developers have the discretion to modify their app's network security settings to permit unencrypted connections. For this reason it's useful to validate that any network configurations observed are optimised to leverage secure protocols.This information can be found in the following locations of the report: Scan Options > View AndroidManifext.xml The report will provide a detailed analysis of the AndroidManifest.xml file, which could include usage of insecure protocols, if they are declared. Security Analysis > Code Analysis Here, you can find the analysis of the .java or .kt files. Look for usage of HTTP/HTTPS calls in this section. It might show insecure HTTP calls (http://) if the application is using them, which would indicate that it is not using secure SSL/TLS protocols for those calls. Application components It's useful to inspect the fundamental components of the application, including the programming language, techniques, libraries, frameworks etc, to ensure that the application employs safe elements devoid of known vulnerabilities.This information can be found in the following locations of the report: Components > Services This displays a list of all the services used by the Android application. A service is an application component that can perform long-running operations in the background, and it does not provide a user interface. It can continue running even if the application's main process is not active, or the application is in the background. These services can be important from a security perspective because they can perform actions without direct user interaction. For example, a service could be used to periodically sync data with a server, or to run some computation in the background. Components > Libraries This section offers a detailed view of the native libraries that the app includes, which can be helpful in the security analysis of the application, as by knowing which third-party libraries are used, you can check if these libraries have known vulnerabilities. If the version of the library used by the application is known to have security vulnerabilities, then the application might be vulnerable as well. App store records It may be useful to conduct a thorough analysis of the data available on the app store. This includes information like the identity of the developer, the number of app installations, the frequency of updates, the presence of a process for reporting bugs, and any negative or fraudulent app reviews. Additionally, it's worth examining the developer's credibility for indications of fraudulent activities. Warning signs may include nonfunctional 'contact us' links, irrelevant information on FAQ pages, or a collection of unrelated or suspicious apps within their portfolio. Third-party intelligence It can also be useful to consider looking for assessments or reports shared by other researchers to gain additional insight. For example, you could try submitting search queries to Google such as "[INSERT APP NAME HERE] vulnerability" or "[INSERT DEVELOPER NAME HERE] data breach" to identify if any evidence exists within the public domain to suggest that your organisation's adoption of the app could introduce risk. My risk report template Below I have included a copy of a Microsoft Word document template I drafted to help with documenting the appropriate risk report findings. My recommendation is to consider using a document like this to evidence your analysis and archive it, along with the full MobSF output, within your organisation's filesystem for auditable reference. This should help the business understand any associated point-in-time risk a particular mobile app may carry, and can be relied upon as evidence when required to demonstrate that you have exercised a reasonable degree of due diligence. Mobile App Risk Report Template (.DOCM) Mobile App Risk Report Template (.PDF)   Please note that the Microsoft Word .docm file made available above includes a small VBA macro script I added which basically allows for the risk level ratings to be easily selected from within an interactive drop-down menu in the document. The script then auto-populates the corresponding cell with an appropriate background colour. This was added purely for convenience. If you have any concerns, you can still use the file as a template without permitting the macro functionality, which in most cases should be blocked by default anyway. The key is to present your report findings in a clear, concise manner, offering a complete picture of the potential risks, while also giving actionable recommendations for mitigating these risks. Remember to adjust and customise the template as necessary to best suit the requirements of your organisation and the specific nature of the app that you're assessing.

  •

    I got a cat

    5.00 of 25 votes

    Please welcome my new feline companion, Mr Slevin. Slevin is a domestic semi-long hair tabby, born 3rd June 2021 alongside his brother and sister. He was always a bit slower than his siblings. Prone to bumping into things, falling over, and spectacularly failed escape attempts. I adopted Slevin at age 1, after he had seemingly grown enough to produce an abundance of fur that somehow sticks to all upholstery. It took him a while to adjust to the new environment, but I think he’s settled in well, and I’ve fortunately got the assistance of my Roomba to help keep his fluffy deposits under control.Just like most cats, he’s rather nocturnal, and prefers the cover of darkness to explore in all his feline curiosity. This works well for my insomnia, as I’m often awake in the early hours of the morning, incidentally curious about hacking all the things. It’s comforting to share his company. Whilst my exposure to cats has been somewhat limited, I’ve always enjoyed their company. Just like hackers, they seem to exhibit natural information seeking behaviours, a daring curiosity of their environment, and share an innate desire to understand and test boundaries. I have no doubt we'll enjoy each other's company for many years to come.

  •

    Discord saves deleted images to your filesystem

    • General
    • by Jacob Riggs
    • 08-05-2023
    4.87 of 38 votes

    This post outlines a security issue with Discord due to how it handles deletion records and localised caching for media posted in shared channels. The issue Media posted in Discord channels is written to the filesystem of every channel participant, even if that media is deleted from the channel immediately after being posted. It's important to note that this form of caching is a common practice and typically employed to facilitate quicker loading of content. However, the fact that Discord allows for the deletion of channel posts without any clear evidence of the deletion may present a potential vector for attack that I think all Discord users should be mindful of. In an extreme hypothetical scenario, consider if a malicious party was to post indencent images of children or bomb-making plans to a wide-audience Discord channel, then immediately delete the posted images and proceed to file an anonymous report to law enforcement agencies alleging the participants in the channel have copies of that data stored on their filesystems. Whilst some might consider this attack unlikely, the possibility remains, particularly if your threat-model includes state actors with a desire to get their hands on your devices. Finding your Discord cache Open File Explorer and navigate to %AppData%/discord/Cache/Cache_Data Right-click in the window and navigate to Open in Terminal Rename all files in the folder to use the .png extension by running the command:Get-ChildItem -Path "$env:APPDATA/discord/Cache/Cache_Data" -File | ForEach-Object {Rename-Item $_.FullName -NewName "$($_.BaseName).png"} Unfortunately, Discord's lack of configuration options adds to this issue. At the time of this blog post, there are no settings present within the application that allows for cache control. My recommendation is simply to be careful what Discord channels you choose to participate in.Alternatively, you can also opt to employ the use of a Windows Task Scheduler to automatically run a PowerShell script that deletes the folder every 24 hours. Whilst this doesn't solve the problem, it may offer some assurance that cached media won't persist forever. This approach of course also doesn't prevent forensic recovery. Set up a task scheduler to auto-delete your Discord cache Open a notepad file and paste this command into it Remove-Item -Path "$env:APPDATA/discord/Cache/Cache_Data" -Recurse -Force Save the file somewhere you won't lose it, such as to your Documents folder, and rename it to use the .ps1 file extension (such as discord-cache-deletion.ps1). Open the Windows Task Scheduler by searching for Task Scheduler in the start menu. Navigate to Task Scheduler in the start menu. Click on Create Basic Task in the pane on the right side of the window and then add a name and description for the task. Configure the Trigger conditions to run Daily In the Action step, select Start a program In the Program/script field enter powershell.exe and in the Add arguments field, enter the file path -ExecutionPolicy Bypass -File "C:/[YOUR_ACCOUNT_NAME]/Documents/discord-cache-deletion.ps1" Click Finish to save the task.

  • Configuring Burp to proxy traffic from mobile apps

    4.86 of 43 votes

    In this blog post, I'll explore how to configure Burp to proxy traffic from mobile apps to assist with the security testing of mobile applications. Getting started To get started, there are a few pre-requisites needed: Windows OS An up-to-date Windows OS with Android Debug Bridge (adb) installed. Kali VM An up-to-date Kali VM with Android Debug Bridge (adb) installed (run sudo apt-get install adb) Burp Suite An up-to-date Burp Suite. Mobile Device A rooted Android device (in this example I'm using a rooted Nexus 5X running LineageOS). Configuring the Burp listener Open up Burp Setup listener Navigate to Proxy > Proxy settings > Proxy listeners then Add a new proxy listener and bind it to port 8081 across All interfaces Connecting the mobile device Connect mobile device via USB Connect the Android mobile device (in this example I'm using a rooted Nexus 5X running LineageOS) via a USB data cable. Configure the USB connection On the device, navigate to Settings > Connected devices > USB and select Transfer files Mirroring the mobile device to desktop Download and install Vysor You can download Vysor from here. Run Vysor Open Vysor and select the View Device button with a play icon. Your Android mobile device should not be mirrored to your computer screen. If Vysor cannot find your device, follow the steps below: (a) Restart your mobile device and restart your computer. (b) Make sure you are using a USB data cable. Charge cables will not always allow data transfer over USB. (c) On Windows, download the Universal ADB Drivers. If that doesn't work, try installing your manufacturer's drivers. (d) Enable ADB debugging on the mobile device. (e) Set your mobile device USB mode to PTP (it is usually MTP or Charge Only).   Configuring the mobile device proxy Configure the mobile device network On your Android mobile device, navigate to Settings > Network & Internet > Wi-Fi > and select the access point you wish to connect to. Then select Advanced options and set the Proxy to ManualIf you're already connected to the access point before starting this step, ensure you first select Forget network Configure the mobile device proxy The proxy settings should be set as follows: (a) Proxy hostname = The IP address of the device using Burp which you wish to proxy traffic through (b) Proxy port = The port we set earlier which is 8081 Example: (c) Now click CONNECT Exporting the CA Certificate Now Burp is configured to intercept the Android mobile device traffic, but without a valid CA Certificate in place will be unable to decrypt HTTPS traffic. Export the CA certificate Open Burp and navigate to Proxy > Proxy settings > Proxy listeners then select the Import / export CA certificate button Select the CA certificate format Export the CA Certificate in DER format. In this example we will name it cacert.der Converting the CA certificate format Convert the DER file into PEM Now we need to convert the DER file into PEM format for Android and have the filename equal to the subject_hash_old value appended with a .0. To achieve this, we can move the cacert.der file over to a Kali VM and execute the following commands: openssl x509 -inform DER -in cacert.der -out cacert.pemopenssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1mv cacert.pem [hash].0 Example: Move the PEM file to the mobile device Now we need to move the newly created PEM file over to the Android mobile device /system filesystem. To achieve this we can leverage the following adb commands: adb rootadb remountadb push [cert].0 /sdcard/ adb shellmv /sdcard/[cert].0 /system/etc/security/cacerts/chmod 644 /system/etc/security/cacerts/[cert].0exit adb reboot Example: Verifying the CA certificate is installed Verify the certificate installation Once restarted, the CA Certificate should be installed on the Android mobile device. This can be verified by navigating to Settings > Security & privacy > Encryption & credentials > Trusted credentials and searching in the System directory to validate the CA Certificate from PortSwigger is present.

  • Setting up an API pentesting environment

    4.89 of 44 votes

    This is my go-to reference documentation for setting up a fresh dedicated API pentesting environment within Kali. Setting up Burp Download Jython Head over to https://www.jython.org/download.html and download the latest Jython standalone installer. Set the Python Environment path Set the downloaded Jython installer as the Python Environment path. Install the Autorize extension Within Burp, navigate to Extender > BApp Store > search for Autorize and install the extension. Install FoxyProxy With Firefox open, press Ctrl + Shift + A to open the add-ons menu. Search for FoxyProxy Standard Add FoxyProxy to Firefox Navigate to FoxyProxy options Add Burp to FoxyProxy Add Postman to FoxyProxy Configure Burp Suite Certificate Start Burp With Burp Suite enabled in FoxyProxy, navigate to http://burpsuite and click the CA Certificate to download the certificate. In Firefox, open Preferences and use the search bar to look for certificates. Import the downloaded certificate. In Chrome, open Settings > Privacy and security > Certificates managed by Chrome and import the downloaded certificate (may need to change the file type options to 'All Files'). Postman Download Postman sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz Extract and install Postman sudo tar -xvzf postman-linux-x64.tar.gz Link the postman command sudo ln -s ~/Postman/Postman /usr/bin/postman mitmproxy2swagger Install mitmproxy2swagger sudo pip3 install mitmproxy2swagger Git Install Git sudo apt install git Docker Install Docker sudo apt install docker-composesudo apt install docker.io Golang Install Golang sudo apt install golang-go At this point a restart may be required. JWT Tool Pull down the JWT Tool repo sudo git clone https://github.com/ticarpi/jwt_tool.git Install JWT Tool cd jwt_toolpython3 -m pip install termcolor cprint pycryptodomex requestssudo chmod +x jwt_tool.pysudo ln -s ~/jwt_tool/jwt_tool.py /usr/bin/jwt_tool Kiterunner Pull down the Kiterunner repo sudo git clone https://github.com/assetnote/kiterunner.git Install Kiterunner cd kiterunnersudo make buildcd distsudo ln -s ~/kiterunner/dist/kr /usr/bin/kr Arjun Pull down the Arjun repo sudo git clone https://github.com/s0md3v/Arjun.git Install Arjun cd Arjunsudo python3 setup.py install ZAProxy Install ZAProxy sudo apt install zaproxy Update OpenAPI add-on

  • The mystery 50p coin I found

    • General
    • by Jacob Riggs
    • 13-09-2022
    4.90 of 49 votes

    Over 50 years ago a coin entered circulation. A coin that once belonged to a man named Sean Creamer. Engraved on the faces of this coin are the wordsThis once belonged to Sean Creamer 58 Henry St Limerick — worth £5 to me if returned Today this mystery coin resides with me, after what I suspect has been a very long journey.I'm not sure who Sean Creamer is or what motivated him to inscribe his message, though the words do make me think there's a certain desperation in the creative fight to declare our existence. Much like the reason many of us post online, we're participants of the past speaking our own timeless messages like a familiar chapter in a tattered book — messages that we hope might survive the test of time and someday outlive us. "See me. Remember me. I was here." Perhaps this small relic of the past is intended to function as more than a memento, a keepsake, or a souvenir. Maybe it's an artifact of history that truly belongs to nobody, only temporary caretakers during its journey, and serves to teach an important lesson about value.Maybe a value worth more than we ever realise at the time.