Yury Chemerkin Hackmiami 2014
YURY CHEMERKIN
HackMiami 2014
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.s@chemerkin.com
MULTISKILLED SECURITY RESEARCHER
EXPERIENCED IN :
  REVERSE ENGINEERING & AV, DEVELOPMENT (IN THE PAST)
  MOBILE SECURITY, INCL. IAM, MDM, MAM, ETC.
  CYBER SECURITY & CLOUD SECURITY (INCL. IAM)
  IAM & COMPLIANCE & FORENSICS ON MOBILE & CLOUD SECURITY
  WRITING (STO BLOG; HAKIN9, PENTEST, eFORENSICS MAGAZINES)
PARTICIPATION AT CONFERENCES:
  INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, HACKERHALTED, DEFCON MOSCOW, HACKTIVITY, HACKFEST, NOTACON, HACKMIAMI;
  CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE / INTELLIGENCE-SEC, DEEPINTEL;
  ICITST, CTICON, ITA, I-SOCIETY
Forensics Capabilities on Application Data Access
  App Disablement (similar to data-in-use / data-at-rest controls) :: rule-based policies, outside of development activity
  Location Masking (similar to data-in-transit / data-in-motion controls) :: policies and DIM/DIT characteristics
Storing Information on device :: iOS data-at-rest specifics
  SQLite storage    :: any type of data
  File cache        :: attachments, files from clouds, etc.
  Binary cookies    :: depends; usually credentials, tokens
  Error logs        :: any data, even credentials
  Keyboard cache    :: auto-correction word list (counts around 600 entries)
  iCloud            :: all data backed up to the cloud, even credentials
  Snapshot storage  :: any preview info, like e-mail from banks
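The "binary cookies" row above is the one a forensic examiner can turn into replayable credentials fastest: Safari and any app using NSHTTPCookieStorage keep session cookies in Cookies.binarycookies, which is a plain, unencrypted container. The script below (an added example for this page, not code from the slides) parses that container and lists cookies whose names look like session or credential material, least protected first. The record layout used is the documented binarycookies format (big-endian file header, little-endian page and cookie records, timestamps as seconds since 2001-01-01); the name hints in TOKEN_HINTS and the sample file are assumptions constructed here so the script runs offline.

```python
"""iOS Cookies.binarycookies triage.

Added example for this section; it is not code from the slides. The record
layout is the documented binarycookies format (big-endian file header,
little-endian page/cookie records, timestamps as doubles since 2001-01-01).
The sample file is constructed in memory so the script runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
FLAG_SECURE, FLAG_HTTPONLY = 0x1, 0x4
TOKEN_HINTS = ("sess", "token", "auth", "sid", "login", "pass")  # assumed name hints


def _cstr(buf, off):
    """NUL-terminated string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def parse_binarycookies(data):
    """Return one dict per cookie found in raw binarycookies bytes."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file")
    (num_pages,) = struct.unpack(">I", data[4:8])
    sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page = data[pos:pos + size]
        pos += size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header")
        (count,) = struct.unpack("<I", page[4:8])
        for off in struct.unpack("<%dI" % count, page[8:8 + 4 * count]):
            # cookie header: size, ?, flags, ?, url_off, name_off, path_off, value_off
            csize, _, flags, _, u, n, p, v = struct.unpack("<8I", page[off:off + 32])
            expiry, created = struct.unpack("<2d", page[off + 40:off + 56])
            rec = page[off:off + csize]
            cookies.append({
                "url": _cstr(rec, u), "name": _cstr(rec, n),
                "path": _cstr(rec, p), "value": _cstr(rec, v),
                "secure": bool(flags & FLAG_SECURE),
                "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": MAC_EPOCH + timedelta(seconds=expiry),
                "created": MAC_EPOCH + timedelta(seconds=created),
            })
    return cookies


def find_token_cookies(cookies):
    """Cookies whose name looks like a session/credential; the ones missing
    Secure+HttpOnly are listed first, as those are the easiest to replay."""
    hits = [c for c in cookies if any(h in c["name"].lower() for h in TOKEN_HINTS)]
    return sorted(hits, key=lambda c: (c["secure"] and c["httponly"], c["name"]))


def build_binarycookies(cookies):
    """Serialise cookies into the same single-page layout; used only to
    construct the sample below."""
    records, strings_base = [], 56
    for c in cookies:
        offs, blob = {}, b""
        for key in ("url", "name", "path", "value"):
            offs[key] = strings_base + len(blob)
            blob += c[key].encode() + b"\x00"
        rec = struct.pack("<8I", strings_base + len(blob), 0, c["flags"], 0,
                          offs["url"], offs["name"], offs["path"], offs["value"])
        rec += b"\x00" * 8  # end-of-header marker
        rec += struct.pack("<2d", (c["expires"] - MAC_EPOCH).total_seconds(),
                           (c["created"] - MAC_EPOCH).total_seconds())
        records.append(rec + blob)
    offsets, cur = [], 8 + 4 * len(records) + 4
    for r in records:
        offsets.append(cur)
        cur += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(records))
            + struct.pack("<%dI" % len(records), *offsets) + b"\x00" * 4
            + b"".join(records))
    return b"cook" + struct.pack(">2I", 1, len(page)) + page + b"\x00" * 8


# Constructed sample data, not from a real device.
T0 = datetime(2014, 5, 1, tzinfo=timezone.utc)
T1 = datetime(2015, 5, 1, tzinfo=timezone.utc)
SAMPLE = build_binarycookies([
    {"url": ".bank.example", "name": "JSESSIONID", "path": "/", "value": "A1B2C3",
     "flags": FLAG_SECURE | FLAG_HTTPONLY, "expires": T1, "created": T0},
    {"url": ".shop.example", "name": "auth_token", "path": "/",
     "value": "eyJhbGciOiJIUzI1NiJ9", "flags": 0, "expires": T1, "created": T0},
    {"url": ".news.example", "name": "lang", "path": "/", "value": "en",
     "flags": 0, "expires": T1, "created": T0},
])

if __name__ == "__main__":
    for c in find_token_cookies(parse_binarycookies(SAMPLE)):
        print(f'{c["url"]:16} {c["name"]:12} secure={c["secure"]} '
              f'httponly={c["httponly"]} expires={c["expires"]:%Y-%m-%d} value={c["value"]}')
```

On a real extraction, read Library/Cookies/Cookies.binarycookies from the app sandbox (or the Safari container) into `data` instead of SAMPLE. The Secure and HttpOnly flags only matter against a browser; anyone holding the file replays the value directly, which is why a long-lived session cookie is as good as a password for this threat model.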
Storing Information on device :: Android data-at-rest specifics
Where & what is stored :: /data/data/<package>/…
  app           :: analytics, dumps, misc
  cache         :: uploaded/downloaded files
  databases     :: history, chat, bank info
  files         :: attachments, crypto keys
  shared_prefs  :: credentials, tokens, history
How it is stored ::
  Shared preferences (lightweight XML format)
  Internal storage (/data/data/ plus shared docs & media)
  External storage (cache, debug, db, maps)
  SQLite (DB, discussed earlier)
  Network (logs/events, timestamps, credentials)
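The table above is, in practice, a checklist to run over a pulled /data/data/<package>/ tree (from a rooted device or an ADB backup). The script below is an added example for this page, not code from the slides: it walks such a tree, pulls sensitive-looking keys out of shared_prefs XML, inventories every SQLite table and its credential-looking columns without writing to the evidence, types cache files by magic bytes rather than extension (the JFIF signature FF D8 FF E0 .. 4A 46 49 46 is one such check), and lists files left world-readable. The key/column name hints and the sample tree (built in a temp directory) are assumptions constructed here so it runs offline.

```python
"""Triage of an extracted Android app data directory (/data/data/<package>/).

Added example for this section; not code from the slides. It assumes the
directory has already been pulled from a rooted device or an ADB backup and
builds a constructed sample tree (tempdir) so it runs offline. Key/column
name hints are assumptions chosen for illustration.
"""
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SENSITIVE = re.compile(r"pass|pwd|secret|token|auth|session|pin|card", re.I)
MAGIC = {  # file signatures, checked regardless of extension
    b"\xff\xd8\xff": "JPEG/JFIF",
    b"\x89PNG": "PNG",
    b"SQLite format 3\x00": "SQLite",
    b"PK\x03\x04": "ZIP/APK",
}


def scan_shared_prefs(app_dir):
    """(file, key, value) for shared_prefs entries whose key looks sensitive."""
    hits = []
    for xml in sorted(Path(app_dir, "shared_prefs").glob("*.xml")):
        for el in ET.parse(xml).getroot():
            key = el.get("name", "")
            if SENSITIVE.search(key):
                value = el.get("value") if el.get("value") is not None else (el.text or "")
                hits.append((xml.name, key, value))
    return hits


def scan_databases(app_dir):
    """(db, table, row count, sensitive-looking columns) for every table."""
    hits = []
    for db in sorted(Path(app_dir, "databases").glob("*.db")):
        con = sqlite3.connect(f"file:{db}?mode=ro", uri=True)  # never write to evidence
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            for t in tables:
                cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
                rows = con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                hits.append((db.name, t, rows, [c for c in cols if SENSITIVE.search(c)]))
        finally:
            con.close()
    return hits


def identify_cache(app_dir):
    """(name, type) for cache files, typed by magic bytes, not extension."""
    out = []
    for f in sorted(Path(app_dir, "cache").rglob("*")):
        if f.is_file():
            head = f.read_bytes()[:16]
            kind = next((k for m, k in MAGIC.items() if head.startswith(m)), "unknown")
            out.append((f.name, kind))
    return out


def world_readable(app_dir):
    """Files any other app on the device could read (o+r), e.g. MODE_WORLD_READABLE leftovers."""
    return sorted(f.relative_to(app_dir).as_posix() for f in Path(app_dir).rglob("*")
                  if f.is_file() and f.stat().st_mode & stat.S_IROTH)


def build_sample_app_dir():
    """Constructed sample /data/data/com.example.chat tree; not real evidence."""
    root = Path(tempfile.mkdtemp(prefix="com.example.chat-"))
    (root / "shared_prefs").mkdir()
    (root / "shared_prefs" / "com.example.chat_preferences.xml").write_text(
        "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
        '  <string name="username">yury</string>\n'
        '  <string name="auth_token">tok_8f3a2c</string>\n'
        '  <boolean name="analytics" value="true" />\n'
        '  <string name="password">hunter2</string>\n</map>\n')
    (root / "databases").mkdir()
    con = sqlite3.connect(str(root / "databases" / "chat.db"))
    con.executescript(
        "CREATE TABLE messages(id INTEGER PRIMARY KEY, ts INTEGER, body TEXT);"
        "CREATE TABLE accounts(id INTEGER, phone TEXT, pin TEXT);"
        "INSERT INTO messages VALUES(1,1383060689,'Gde'),(2,1383060700,'Park pobedy');"
        "INSERT INTO accounts VALUES(1,'+79000000000','1234');")
    con.commit()
    con.close()
    (root / "cache").mkdir()
    (root / "cache" / "photo_1383731771908.jpg").write_bytes(
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
    (root / "cache" / "blob.tmp").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (root / "files").mkdir()
    (root / "files" / "session.json").write_text('{"sid": "abc123"}')
    (root / "files" / "session.json").chmod(0o644)  # world-readable
    (root / "files" / "secret.key").write_bytes(b"\x01" * 16)
    (root / "files" / "secret.key").chmod(0o600)
    return root


if __name__ == "__main__":
    d = build_sample_app_dir()
    print("shared_prefs:", scan_shared_prefs(d))
    print("databases:", scan_databases(d))
    print("cache:", identify_cache(d))
    print("world-readable:", world_readable(d))
```

Point the four scan functions at a real pulled directory instead of `build_sample_app_dir()`. The read-only URI on the SQLite connection matters for evidence handling: opening a database normally can create or replay a journal and change hashes. Note that file modes only survive if the tree was pulled with permissions preserved (e.g. tar on the device); an ADB backup loses them.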
Storing Information on device :: BlackBerry data-at-rest specifics
BlackBerry backup
  What :: app, app data, app config, all documents, etc.
  How :: ElcomSoft or any other tool that works with BB backups
Shared folders
  What :: docs, media; backups with credentials may happen
  How :: live access, spyware; rarely encrypted
Remotely accessed data
  What :: the device entirely plus the SD card
  How :: BB Link should authorise the PC before access is granted
Android application data files
  What :: cached files, anything else an Android app keeps
  Where :: Device/misc/android/Android/data
  How :: like shared folders or remote access
Misc tracks
  Device/Misc
    What :: misc files, backups like WhatsApp's
    How :: like shared folders or remote access
  Device/Android (except Android data)
    What :: any data that Android and Android apps usually store on the SD card
    How :: like shared folders or remote access
The rest of the data is protected unless you get access to a backup or find a way to root/jailbreak the OS
EMM FEATURES :: Vendors
MOBILE PLATFORMS SUPPORTED :: ALMOST ALL
  iOS
  BlackBerry OS
  Windows OS, Windows Mobile, Windows Phone, Windows RT
  Android OS
Android zoo (not yet?) :: KNOX, SAFE, LG Gate, Kindle Fire HD and Kindle Fire HDX, Nook HD and Nook HD+, smart watches / devices, tablets
[ EMM FRAMEWORK ]
EMM (Enterprise Mobile Management) :: 3rd-party solutions to EMM
Chart values as given on the slide :: Contacts 95%, Notes 89%, Messages 85%, Calendar 76%
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: IM APP
Chart values as given on the slide :: Kik Messenger and Lync 61% / 79% (which value belongs to which is not recoverable from the chart), Facebook Messenger 87%, Viber 87%, BBM 86%, WhatsApp 85%, WeChat 78%, Hangouts 80%
[ APPLICATION EXAMINATION ] (BBM, per the bbm: QR payload and PIN fields)
Account information :: PIN, names, status
  "74afbe19", "Yury Chemerkin", "*fly*", "@ Holiday Inn (MOSCOW)"
Barcode / QR history (when, what)
  "QR_CODE", "bbm:2343678095c7649723436780", "1382891450014"
Transferred files :: "RemotePin", "Path", "ContentType", "image/jpeg", "23436780",
  "/storage/sdcard0/Android/data/com.skype.raider/cache/photo_1383731771908.jpg"
  Transferred as a JFIF file :: FFD8FFE000104A464946 ......JFIF
Invitations :: "Pin", "Greeting", "Timestamp", "LocalPublicKey/PrivateKey", "EncryptionKey"
Messages (date, text, …) :: "1383060689", "Gde" (Where?), "Edu k metro esche, probka tut" (Still heading to the metro, traffic jam here), "Park pobedy" (a metro station), "Aha" (Yep), "А щас" (And now?), "Belorusskaja" (a metro station), "Долго" (A long time)
Logs :: reveal PINs, e-mail, device information, and application actions associated with application modules (*.c files, *.so, etc.); this helps when analysing the .apk later
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION (Viber)
Account
  country code, phone number
  device hardware key
  login / tokens of Twitter & Facebook
Call history
  name + internal ID
  duration + date and time
Address book
  quantity of contacts / Viber contacts
  full name / e-mail / phone numbers
Conversations
  quantity of messages & participants
  key per conversation
  additional participant info (full name, phone)
Messages
  date & time
  ID
  content of message
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: SOCIAL APP
Chart values as given on the slide :: SlideShare 67%, Vkontakte 78%, Scribd 63%, Facebook 83%, So.Cl 42%, Instagram 67%, Groupon 68%, Banjo 62%, FourSquare 85%, 2GIS 61%, Yandex Maps 76%, GeoBucket 54%, Office Mobile 51%, Yandex.Disk 65%, QuickOffice 71%, Mail.Ru 65%, Adobe Reader 51%, Amazon Cloud Drive 67%, DocsToGo 71%
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: TRAVEL APP
Chart values as given on the slide :: Taxi (any) 31%, Yelp 57%, AnywayAnyday 74%, Hotels.com 64%, BlackBerry Travel 73%, S7 62%, KLM 64%, Lufthansa 26%, Hilton 78%, Miles & More 27%, HotelByMe 23%, IHG 81%, JetBlue 43%, American Airlines 56%, Hilton 73% (second Hilton entry as on the chart), United Airlines 61%, SPG 79%, Aeroflot 73%, British Airways 23%, Booking.com 54%, Delta 67%, Marriott 56%
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION (airline / ticketing app)
Account
  ID, bonus card number; password not revealed
  other IDs & tokens
Information
  date of birth
  passport details
  history (airline, city, flight number only)
  flight tickets, login credentials :: repack the app and grab them
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION (loyalty app)
Account
  ID, password
  loyalty (bonus) card number
Information
  not revealed (tickets, history or anything else)
  repack the app
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION (Delta, per the DL flight number and SkyMiles program)
Account
  ID; however, the password is encrypted
Information
  loyalty (bonus) membership, program name :: 901***** \\ Skymiles
Flight
  confirmation, departure time, flight # :: GCXXXX || 0467 || 2013-11-07T12:40:00+04:00 || DL90
  "checkedIn": "false", "seatNumber": "09B"
  issue date, ticket # :: "2013-10-26T15:37:00-04:00", 006xxxxxxxxxxx
Airports ::
  SVO / "Sheremetyevo Arpt", JFK / "John F Kennedy International", NYC / "New York-Kennedy" …
[ KNOW YOUR APPLICATIONS ]
FEATURES VS PRIVACY :: BANK APP
Chart values as given on the slide :: Mail.Ru Money 15%, AlfaBank 4%, Raiffeisen 4%, RSB 4%, Sberbank 6%, Citibank 3%, Tinkoff 3%, RBK Money 22%, PayPal 16%, Yandex Money 17%, Qiwi 14%, Megafon Money 17%
[ APPLICATION EXAMINATION ]
ONLY THOSE I HAVE TO USE EVERY DAY :: FORENSICS EXAMINATION
Where data was found exposed (chart values as given on the slide) :: at rest 57%, in memory 95%, in transit 71%
[ KNOW YOUR APPLICATIONS ]
FORENSICS APPLICATION EXAMINATION :: EXCITING FAILS
(columns read as at rest / in memory / in transit, the split used on the previous slide)
  Social apps :: plain text, rarely store anything | plain text | best case SSL/HTTPS
  Bank apps   :: rarely store anything, good encryption | plain text | encrypted
EMM FAILS :: MAM
  PACKAGED / WRAPPED APPLICATIONS
  THE SHEER NUMBER OF APPLICATIONS TO COVER (OBVIOUSLY > 100)
  COOPERATION WITH THE APPLICATION VENDOR
  SEPARATION OF PERSONAL, WORK AND SUSPICIOUS APPS
  SERIOUS DIFFERENCES IN THE INTERFACES OF THE SAME APP ON EACH OS
  VPN
  ENCRYPTION
  ACCESS RESTRICTION (GEO, CREDENTIALS)
EMM FAILS :: MIM
  App47, which offers a platform that lets enterprises deploy their own app stores (hot opportunity alert)
  AppBlade, which supports application deployment and management across iPhone, iPad, BlackBerry and Android
  AppCentral, which also helps enterprises develop app stores
  BlackBerry (BES / Fusion), good for MDM, partially MIM & MAM; supports all mobile OS
  MaaS360, works well together with BlackBerry
  Kony, which has a platform that lets partners build enterprise app stores for customers
  MobileIron, focused heavily on MDM
  Nukona, another provider of enterprise app store technology
  Partnerpedia, the former builder of channel partner communities, now focused on private-labelled app stores
  Worklight, now owned by IBM; focused on mobile development tools, middleware and management
  Terria Mobile, which offers a platform for app management
  Good Technology, supports application deployment and management across modern OS
GENERAL REMEDIATION / ISSUES
  In general, iOS, Android and BlackBerry apps have the same behaviour and logic issues
  Log leakage
ANDROID SPECIFIC REMEDIATION
  Call the 'setStorageEncryption' API (DevicePolicyManager, device-admin apps only, available since Android 3.0 / API 11). Caveat: it requests whole-device storage encryption, not per-file encryption, so sensitive files still need app-level encryption
  Encrypt externally stored files on the SD card or in the cloud (any OS)
  Avoid 'MODE_WORLD_READABLE' unless it is really needed (deprecated in API 17 and throws SecurityException from API 24; share data through a ContentProvider or FileProvider instead)
  Avoid hard-coded secrets and debug traces as much as possible (the APK is easy to decompile)
  Add extra protection beyond the OS (encryption, wiping, etc.)
iOS SPECIFIC REMEDIATION
  Never store credentials on the phone file system; use the Keychain API or a web scheme (server-side session) instead
  Use the platform APIs and protection mechanisms (e.g. Data Protection classes) properly, and never rely on default settings