iPhone Security - ISSA Baltimore

Peter Coddington
CEO
240-258-2100 :: pcoddington@parabal.com
About PaRaBaL
• PaRaBaL was founded in 2009 and is located in the Research Park of
University of Maryland, Baltimore County. UMBC has a strong
computer curriculum.
• Full Apple – iPhone – iPad Exploitation Training Lab.
• PaRaBaL offers a one-of-a-kind one-week training.
• PaRaBaL is driven to create and build iPhone and iPad security and
applications for the Intelligence and DOD agencies in the US.
• PaRaBaL is an SBA-certified HUBzone company.
• PaRaBaL is the first company to be awarded an iPhone security training
contract – see press release on our web site.
• PaRaBaL is facility cleared with cleared personnel to assist the
government with mobile security and applications to deliver information
to mobile platforms.
iOS Security and Exploitation Training
• PaRaBaL started in the iPhone space teaching iPhone security to the Intelligence
Community.
• Understanding the Architecture & File System
• Reverse Engineering
• Understanding/Attacking iPhone/iPad Apps & Secure Coding Practices
• Using the iPhone/iPad as an attack platform & iPhone/iPad forensics
• The PaRaBaL training lab is 100% Apple products including iPhone, iPads &
iMacs along with emulators for the respective devices.
• Only full Apple lab with supporting software for ethical hacking on the East Coast.
• Assembled a cadre of experts in the area of iPhone/iPad security and iOS
understanding.
PaRaBaL Security Lab Example:
File System – SQLite Databases
We show how to alter databases on the iPhone to retain deleted and altered texts,
address book entries and other database contents, and how to apply the alterations to
non-jailbroken iPhones.
PaRaBaL Security Lab Example:
File System – Plist files
Plist files are XML files that house app settings, session information and keychain data.
Plist files can be altered to increase performance and to alter app functionality.
PaRaBaL Security Lab Example:
Address Book Exploitation
This app is designed to show how content from the address book can be sent to a
designated server when a user taps “Upload Score” (i.e., if they’re playing a game
and record a high score).
We show how to check what apps are transmitting using a proxy and Wireshark.
We have been showing this exploit for almost a year; apps submitting this
functionality have still been receiving approval. This year, apps offering this
“functionality” are being exposed.
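As an added example of the proxy-side check described above (not PaRaBaL's own lab code), the following Python script runs over request bodies of the kind an intercepting proxy would record while an app is exercised, and flags requests whose body carries several contact records. The captured requests, host names and field names are constructed for the example, and the thresholds are assumptions to tune against real traffic.

```python
import json
import re

# Constructed sample: request bodies as an intercepting proxy might log them
# while a game is played and "Upload Score" is tapped. Not real traffic.
CAPTURED_REQUESTS = [
    {"app": "PuzzleGame", "host": "scores.example.test", "path": "/upload",
     "body": '{"player":"alice","score":9800}'},
    {"app": "PuzzleGame", "host": "collect.example.test", "path": "/upload",
     "body": '{"player":"alice","score":9800,"contacts":['
             '{"name":"Bob","phone":"+1 410-555-0101","email":"bob@example.test"},'
             '{"name":"Carol","phone":"+1 443-555-0102","email":"carol@example.test"},'
             '{"name":"Dave","phone":"+1 301-555-0103"}]}'},
    {"app": "Weather", "host": "api.example.test", "path": "/forecast",
     "body": "lat=39.25&lon=-76.71"},
]

# Assumed indicator patterns: a phone number and an e-mail address.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def contact_indicators(body):
    """Count distinct phone numbers and distinct e-mail addresses in a body."""
    phones = {m.group().strip() for m in PHONE_RE.finditer(body)}
    emails = set(EMAIL_RE.findall(body))
    return len(phones), len(emails)


def looks_like_contact_upload(body, threshold=2):
    """True when the body carries a contacts array or at least `threshold`
    distinct contact indicators; a single user's own e-mail stays below it."""
    phones, emails = contact_indicators(body)
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    has_contacts_key = isinstance(doc, dict) and any(
        k.lower() in ("contacts", "addressbook", "address_book") for k in doc)
    return has_contacts_key or phones + emails >= threshold


def flag_requests(captures, threshold=2):
    """Return (app, host, path) for every captured request that looks like an
    address book upload, so the destination can be reviewed."""
    return [(c["app"], c["host"], c["path"]) for c in captures
            if looks_like_contact_upload(c["body"], threshold)]


if __name__ == "__main__":
    for app, host, path in flag_requests(CAPTURED_REQUESTS):
        print(f"possible address book upload: {app} -> {host}{path}")
```

In practice the proxy's export (or a Wireshark decode of plaintext HTTP) is loaded into `CAPTURED_REQUESTS`; a match against a host that has nothing to do with the app's advertised purpose is the signal the lab teaches trainees to look for.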
PaRaBaL Security Lab Example:
Geo-location Spoof App
This Xcode-based app is designed to spoof the user’s location. It is able to
constantly change the location of the device to a different area.
PaRaBaL Security Lab Example:
Reverse Engineering and Binary Code Injection
We examine an app using IDA Pro for unused sections of binary code where we
inject a payload to exploit the traffic of the iPhone.
This includes an intro to ARM assembly and the conversion of assembly instructions to binary.
PaRaBaL Security Lab Example:
iPhone as a Mobile Attack Device
With the increased processing power of an iPhone, we use Ruby, mobile terminal,
and Metasploit to execute network exploitation on the road.
PaRaBaL Secure App Development for DoD
• Companies & organizations are moving to a broad range of mobile devices in the
workforce.
• As iOS devices become more prominent in the workforce, so do security
concerns for iOS-based applications.
• PaRaBaL’s extensive background in exploitation and security makes our
development team the ideal choice for secure development of internal apps.
PaRaBaL iPad & iPhone Security Consulting
• Offer consulting services that entail designing a holistic mobile security
solution and plan for your organization:
• Four-step process to get the organization completely secure in regards
to iOS devices that are in use within the workplace.
• Teach how to protect mobile iOS devices from vulnerabilities that have
been exploited by people with malicious intent.
• Teach in-depth secure coding practices as well as ethical hacking
exercises within the iOS platform.
• Create and develop new and customized apps for iOS devices catered
specifically towards the customer’s needs.
• Offer training to employees on how to use their iOS devices without
compromising company data and interests.
PaRaBaL
Peter Coddington
240-258-2100
pcoddington@parabal.com
www.parabal.com
5523 Research Park Dr.
Suite 325
Catonsville, MD 21228