Thu 27 May 2021
June 2021 Issue #5
How would you like your nuggets for lunch? Secure? Crispy?
On the menu this month: readings on the health and tech challenges, a dive into WebView security measures for dev/sec, SSL pinning, and a glimpse at several tools for security and productivity. We end with a selection of international dishes for you to enjoy!
- In the wild: Active compromises and attacks, from the supply chain and mobile banking to WordPress.
- In our Blog: New Attacks, Instrumentation, and Webviews for devs/sec.
- Events: Black Hat and SSTIC announced, videos online.
- Cloud: eBPF on Windows and driving acquisitions.
- Web Security: security headers and more security headers.
- Tools: we tested them and we like them.
- Productivity: new-gen parallelization and some handy tools.
- Zoom in: Health, Tech, and Security through our reads this month.
- Privacy and Politics: Laws and no order, thanks to Ponzi schemes and Bitcoin.
- Bonus - We love it!
In the wild
WordPress, Supply Chain, Health, Mobile ... compromised
- Another live supply chain attack, reported by SecurityWeek. It is scary; take a look at the list of compromised apps.
- A cyber attack on Irish health service computer systems is possibly the most significant cybercrime attack on the Irish state (BBC).
- WordPress in the news again: a WordPress XXE injection vulnerability could allow attackers to remotely steal host files (The Daily Swig). And Zerodium wants more exploits: it triples its payout to $300k (WordPress Tavern).
- Multiple Critical Vulnerabilities in Exim Mail Server (Qualys Community).
- Task hijacking, fake notifications, overlay hijacking, URL scheme hijacking: malware has a wide range of attack patterns that apps need active protection against (NVISO blog).
Dive in our blog
Debugger-based Instrumentation and universal SSL pinning bypass
This article is about bypassing SSL pinning without needing to. Sounds confusing? We will go over the theory, build a full PoC using LLDB in Python and finally extend it to other cool tasks. Read it
5 things you should know about WebViews
This article is about WebViews and the security notions we need to keep in mind when using these components on both Android and iOS. The article goes over some lesser-known attack vectors, from debugging and abstract socket permissions to file access and the same-origin policy. Read it
Black hat (US) and SSTIC (Fr), save the date
- Black Hat USA 2021 (Jul 31 - Aug 5) will take place at Mandalay Bay, Las Vegas, and virtually. Registration and briefings are available here.
- For our dear French-speaking security enthusiasts: SSTIC will be held in Rennes (FR) on June 2-4, 2021. Check out the program!
- And while waiting for that, all 40 videos from Black Hat Asia 2020 are now live (Black Hat YouTube channel).
eBPF: Security, Monitoring, Profiling ...
It is quite impressive to see how eBPF has revolutionized observability, opening the door to many applications, from programmable networking and system call filtering to tracing and monitoring.
Adoption has now extended to Microsoft, which announced a new open-source project to bring eBPF to Windows 10 and Windows Server.
New Relic, in the same fashion, has acquired the Pixie project and made it open source, enabling wider application of eBPF to Kubernetes monitoring.
Other similar projects include Cilium and Hubble.
Headers, Headers... Headaches
Have you heard of the Timing-Allow-Origin header, Referrer-Policy, or Sec-Fetch-Mode? Header security has seen quite a few additions in the last few years, and some forgotten ones seem to be making a comeback. If you are lost with the changes, we compiled a list to dust off or discover the different HTTP headers and understand when to use them.
- More on web headers: the web is evolving, not always in the right direction.
- We started seeing Timing-Allow-Origin used by real production websites. Do you know what it is and what it prevents?
- For a recap of some of the most common headers, check out this article. It is unfortunately not complete, as CORS has quite a few other esoteric headers like Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy.
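To make the header list above concrete, here is a small audit script: an added example written for this issue, not code from the newsletter or from the articles it links. It checks a dictionary of response headers for the headers discussed (Referrer-Policy, Timing-Allow-Origin, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, plus the usual HSTS, CSP and X-Content-Type-Options), and it applies the common Fetch Metadata resource-isolation rule to the Sec-Fetch-* request headers. The function names, the `EXPECTED` table and the sample responses are my own constructions; the expectations encode defensive defaults, not a universal policy.

```python
"""Audit HTTP security headers (added example; sample data is constructed)."""

# Response headers a hardened site is expected to send, with what each controls.
EXPECTED = {
    "strict-transport-security": "force HTTPS on later requests",
    "content-security-policy": "restrict where scripts and resources may load from",
    "x-content-type-options": "disable MIME sniffing",
    "referrer-policy": "limit Referer leakage to other origins",
    "cross-origin-opener-policy": "isolate the browsing context group",
    "cross-origin-embedder-policy": "require opt-in for cross-origin embeds",
}

# Referrer-Policy values that send the full URL to cross-origin destinations.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def normalize(headers):
    """Lower-case header names so lookups are case-insensitive (HTTP headers are)."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def audit_response_headers(headers):
    """Return a list of human-readable findings for one response's headers."""
    h = normalize(headers)
    findings = []
    for name, purpose in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name} ({purpose})")
    # Timing-Allow-Origin widens Resource Timing data to the listed origins;
    # '*' hands detailed load timings of this resource to every origin.
    if h.get("timing-allow-origin") == "*":
        findings.append("timing-allow-origin is '*': resource timing exposed to all origins")
    rp = h.get("referrer-policy", "").lower()
    if rp in LEAKY_REFERRER_POLICIES:
        findings.append(f"referrer-policy '{rp}' leaks full URLs cross-origin")
    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"x-content-type-options '{xcto}' is not 'nosniff'")
    if h.get("cross-origin-opener-policy", "").lower() == "unsafe-none":
        findings.append("cross-origin-opener-policy 'unsafe-none' gives no isolation")
    return findings


def fetch_metadata_allows(request_headers, method="GET"):
    """Server-side resource isolation based on Sec-Fetch-* request headers.

    Rule: accept same-origin / same-site / user-initiated requests, accept
    simple top-level GET navigations, and reject other cross-site requests.
    Browsers that do not send Fetch Metadata are let through (no signal).
    """
    h = normalize(request_headers)
    site = h.get("sec-fetch-site")
    if site is None:
        return True
    if site in ("same-origin", "same-site", "none"):
        return True
    is_top_level_get = (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() in ("GET", "HEAD")
        and h.get("sec-fetch-dest") not in ("object", "embed")
    )
    return is_top_level_get


# Constructed sample responses for demonstration.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Timing-Allow-Origin": "https://metrics.example",
}
SAMPLE_WEAK = {
    "Content-Type": "text/html",
    "Timing-Allow-Origin": "*",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(f"[{label}]")
        for finding in audit_response_headers(sample) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the two reports, or import `audit_response_headers` and feed it the headers returned by your own HTTP client; `fetch_metadata_allows` is the check you would place in a middleware before any state-changing handler.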
ATT&CK v9, Chaos Testing and LLDB Scripting
- MITRE has published a new version (v9) of its ATT&CK knowledge base. If you are looking for a tool to help test the attacks, check out this one by Red Canary. In the same category, guardicore/monkey by Guardicore is an interesting tool that tries to bring chaos engineering to security.
- Tools that we tested and found very useful are the set of LLDB scripts by Derek Selander, to be used in conjunction with Facebook's Chisel. These are very helpful for dynamically testing iOS applications, and not just for security.
- Finally, for French speakers, check out the latest podcast by the excellent NoLimitSecu. This one we know particularly well and enjoy ;).
New Generation Parallelisation, Dashboard and Readmes
Dask distributed is an amazing piece of engineering that takes parallelization to a whole new level with little effort. Dask is very popular in the data science community, as is Streamlit, an easy-to-use library for creating dynamic dashboards.
And if you decide to share your code and create an app, consider using readme.so, a fun way to create README files.
Health, Tech, Security... All that matters - by Anne
Health is everything. I know it; we all know it. But since we entered this pandemic, it has come to shake up the world. The digitization of systems plays a key role in the fluidity of the care process, the provision of diagnostics, and the quality of treatments: health tech is booming. And when it comes to health tech, the first thing I have in mind is security. "Don't mess with my health security."
The reminder was quite painful for the Irish HSE last week: it encountered an attack described as the biggest the country has ever known. While the worst was avoided by ensuring continuity of care, the service for making medical appointments went down, particularly for the COVID-19 vaccination.
Take a look at this interesting Big Data Analytics in Health Care study. This paper presents an overview of big data content, sources, technologies, tools, and healthcare challenges. Guess what is reported as the first challenge, ahead of storage and processing issues or skills requirements? Privacy and security. Knowing who is accessing such confidential information is critical but not easy at all. In the field, IT departments have to set up a strong IAM solution, as explained by Aaron Miri, CIO of UT Health Austin and the University of Texas at Austin, in this interview for Info Risk Today. But their other challenge is a step higher on the risk criticality scale: how to secure biomedical devices? No Limit Secu devoted its episode 316 to it. How scary it is to discover that vital devices are connected to flat networks in our hospitals, running unmaintained operating systems. How do we manage this? Are we expecting a new wake-up call?
Hard to tell. I take a deep breath and come back to what I can do: how do I stay healthy? I am sure my mobile can assist me. That's the question of the Harvard Business Review: "Do health applications make us healthier?" It presents scientific evidence that consumer adoption and usage of mHealth actually leads to a tangible change in their behavior, which, in turn, can show up in concrete health care outcomes. Right after, the review opens the question of how insurance companies could treat these data as a very good opportunity...
Play Store: "health" search. Faced with a list of more than a thousand results, I cannot pick one. What mHealth app are you using? Tell me please, and it might help me. In the meantime, let me wish you only one thing: the best for your health.
Privacy and Politics
Governments vs Cybercrime, regulators have a lot to do
President Biden has signed a Cybersecurity Executive Order that has implications and deadlines for IT service providers that work with the federal government. Consequently, John Katko (R-NY), the ranking member on the House Homeland Security Committee, has reportedly submitted a budget proposal that would see the Homeland Security Department's cyber wing's funding bump up by 25 percent to some $2.5 billion for FY 2022.
Across the Atlantic, the UK Government is planning a new law to ensure smart device shoppers know how long products will be supported with vital security updates before they buy. Smartphones are the latest product to be put in scope of the planned Secure By Design legislation. And talking about law, another example of international bitcoin transactions: a lawsuit reveals that OneCoin scammer "Cryptoqueen" holds 230k BTC worth $13 billion. A Ponzi scheme and offshore companies; this could be a smart idea for a Hollywood movie... So Sherlock, who benefits from the crime? (Finance Feeds)
We love it!
On the TV: The new season is out on Netflix: Love, Death & Robots. If you are a sci-fi fan, the series is a set of short stories, some particularly touching.
On the Sofa (or wherever you like): We like the idea that anyone could learn to quickly memorize huge quantities of information, but is it really true? In Moonwalking with Einstein, Joshua Foer, a science writer, got interested in how memory works, and why some people seem to have an amazing ability to recall facts.
On the Radio: Back to basics with the Black Keys: Delta Kream is a sweet journey through the Blues, where the famous American band brings its youthful idols to life.
Get in touch
Any question, comment or feedback, please email me; I would love to hear from you! And if you find this newsletter useful, don't hesitate to share and subscribe.
Take care, Anne