[Editor's Note: Josh Wright provides some really useful insight into how penetration testers and vulnerability assessors can use tools traditionally associated with digital forensics to look for information leakage flaws from mobile applications. The techniques he describes below are powerful yet pretty easy to implement. That's awesome. Check out the interesting issue Josh discovered in Dropbox using the technique! -Ed.]
By Joshua Wright
As a penetration tester and author of the SANS Mobile Device Security and Ethical Hacking (SEC575) course, I get this kind of question a lot:
"My organization is looking at deploying the XYZ app company-wide. Is the app secure? Any significant flaws I should know about?"
With the Apple and Google Play stores each adding nearly 1,000 new apps per day, it's hard to keep up. Analyzing the security of mobile device applications can be time-consuming and cumbersome, but there are some easy tools that we can use to get quick results.
In this short series of articles, I'll present tips and techniques for evaluating the security of mobile device applications for both Apple iOS and Android. First, we'll start with network traffic analysis with NetworkMiner.
NetworkMiner is described as a Network Forensics Analysis Tool (NFAT). This is both an unfortunate acronym and a shortcoming since NetworkMiner is useful for many tasks beyond the scope of forensic analysis.
NetworkMiner evaluates live or stored network traffic, summarizing the data in a useful and easy-to-browse manner. Unlike Wireshark (a tool I love dearly), NetworkMiner doesn't try to give you all the information. Rather, NetworkMiner summarizes the network traffic into several tabs of information that can be quickly assessed without digging into the minutiae of network protocols. Personally, I love the minutiae of network protocols, but there are only so many hours in the day.
Dropbox for Android
For this article, we'll look at the security of the Dropbox application (version 2.1.10) since it is a popular application used by many mobile device users for transferring and synchronizing potentially sensitive documents. I installed the Dropbox application from the Google Play store on my Samsung Galaxy S3 running Android 4.1.1 (Jelly Bean).
After installing Dropbox, I created a new Dropbox account, and uploaded some images, a PDF file and an MPEG movie file to my account through the web interface. Next, I started a packet capture using tcpdump on a hub connected to the WiFi AP my Android device is connected to (you could use a network tap, or a span port, as appropriate). My Android device is using a local IP address of 172.16.0.134.
With my packet capture running, I performed several actions using Dropbox:
- Logged in to the Dropbox application
- Downloaded three different image files
- Opened a PDF file, invoking the default Galaxy PDF viewer (Polaris Office)
- Streamed a video file
Next, I ran the packet capture through NetworkMiner to assess the results.
Network Activity Analysis
After opening the packet capture with NetworkMiner, I have a populated list of 25 unique hosts. Of these identified hosts, only the bold lines represent hosts where network traffic was sent or received (the remainder are extracted from HREF links or other host references). In the Hosts tab, we can quickly change the sort order to rank hosts by packets sent or received, by number of listening TCP ports, or even by Time To Live (TTL) distance. For me, the best summary data is available on the Sessions tab.
The Sessions tab summarizes the unique session traffic, sorted by the frame number that initiated the session. For TCP-based protocols, this view gives us a mostly-chronological list of hosts and protocols that were used.
In the previous figure, we see two TCP/443 (SSL) sessions from my Galaxy S3 (starting with frames 2 and 28). This likely corresponds to the authentication exchange from the Android Dropbox software to the Dropbox servers.
Immediately afterward, we see three more SSL sessions, pointing to dl-balancer.blah.dropbox.com (with an alias indicating that Dropbox uses Amazon AWS services). This likely corresponds to my three image open operations, each one retrieving the selected image from the Dropbox server. So far so good; authentication appears to happen over SSL, and file transfers happen over SSL as well.
At the TCP session starting with frame 996 there is another request, corresponding to my selecting and opening a PDF file from Dropbox. This leads to some different host activity, including HTTP requests to www.google.com and usermgr1.polarisoffice.com. The www.google.com request is inconsequential here (further inspection in Wireshark indicates that the Android client opens the TCP connection and then closes it without sending any data), but the second request corresponds to the startup of the Polaris Office PDF Viewer on my Galaxy S3 device.
After closing Polaris Office and returning to Dropbox, I opened a movie file. This causes Dropbox to stream the content to my Android device within the Dropbox application. In the NetworkMiner view, we can see that the initial connection establishment process starts over SSL, but then reverts later to HTTP.
From this analysis, we can determine that the Dropbox for Android application encrypts file transfer activity for image and PDF files. Invoking Polaris Office and seeing the HTTP request that was sent may indicate to an attacker that the document opened is one that is not natively supported by Dropbox (such as a PDF, MS Office file, or other formats supported by Polaris Office), but otherwise does not disclose the content of the files themselves. However, the use of SSL does not extend to the streaming video content.
Extracting Files from Network Data
Perhaps the most significant feature of NetworkMiner is the ability to extract file content from network traffic, recreating the files on the filesystem in the NetworkMiner "AssembledFiles" directory. Clicking on the "Files" tab lists the extracted file content along with the associated protocol and server IP addresses. Where possible, NetworkMiner will also identify the file type and filename.
Many of the files listed here are ".cer" files, corresponding to certificate data exchanged in the SSL connection setup process. Right-clicking and selecting "open file" on any of these lines will open the associated file handler as shown below.
Navigating to the filename associated with the Polaris Office HTTP traffic reveals an XML file that was transferred at application startup as shown below. These URLs are used in the Polaris Office application as part of application screen content, potentially creating an opportunity for a man-in-the-middle attacker to exploit cross-site request forgery or client-side injection vulnerabilities. I'm sure one of our faithful readers will investigate this issue in more depth at some point in the future.
Scrolling further down in the NetworkMiner files tab indicates that several "MP2T" files were also extracted from the packet capture, corresponding to 8-10 second clips of the movie file I transferred in Dropbox. Opening these files in a media playback tool such as Windows Media Player displays the content of the video (with audio) as shown below.
Not only is Dropbox streaming video content in an unencrypted fashion, but NetworkMiner is ready and able to extract and recreate that content for us. Although the content is stored in shorter segments than the original video, it is easy to put the entire video back together with an M3U playlist file that identifies each filename to play in sequence. Additional analysis is needed to determine if this is the only file type that Dropbox for Android delivers in an unencrypted format, or if other file content is similarly disclosed.
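The two findings above (which of the handset's sessions are SSL and which fall back to HTTP, and that the HTTP responses carry MPEG transport stream data) can also be checked with a short script when a report needs a repeatable test. This is an added example, not code from the original article or from NetworkMiner; it assumes a classic little-endian pcap of Ethernet/IPv4 frames, does no TCP reassembly, and the 192.0.2.x servers and sample packets are constructed.

```python
import socket
import struct

DEVICE_IP = "172.16.0.134"  # handset address given in the article
RANK = ["other", "tls", "cleartext-http", "cleartext-mpegts"]  # least to most exposed

def classify(payload):
    """Label one TCP payload by what it looks like on the wire."""
    if payload[:2] == b"\x16\x03":  # TLS/SSL handshake record
        return "tls"
    head, _, body = payload.partition(b"\r\n\r\n")
    if head.startswith(b"HTTP/1."):  # response; MPEG-TS is 188-byte packets led by 0x47
        ts = body[:1] == b"\x47" and body[188:189] == b"\x47"
        return "cleartext-mpegts" if ts else "cleartext-http"
    is_request = head.split(b" ")[0] in (b"GET", b"POST", b"PUT", b"HEAD")
    return "cleartext-http" if is_request else "other"

def audit_pcap(data, device_ip=DEVICE_IP):
    """Map (server_ip, server_port) to the most exposed label seen for device_ip."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap file")
    flows, pos = {}, 24  # records follow the 24-byte global header
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<I", data, pos + 8)[0]
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4 if ip else 0
        if len(ip) < ihl + 20 or frame[12:14] != b"\x08\x00" or ip[9] != 6:
            continue  # not a complete Ethernet/IPv4/TCP frame
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        payload = ip[ihl + (ip[ihl + 12] >> 4) * 4:int.from_bytes(ip[2:4], "big")]
        if payload and device_ip in (src, dst):
            server = (dst, dport) if src == device_ip else (src, sport)
            flows[server] = max(flows.get(server, "other"), classify(payload), key=RANK.index)
    return flows

def _rec(src, dst, sport, dport, payload):  # one pcap record of constructed traffic
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = b"\0" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: one TLS flow and one HTTP flow returning MPEG-TS (TEST-NET-1 servers)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _rec(DEVICE_IP, "192.0.2.10", 40001, 443, b"\x16\x03\x01\x00\x05hello"),
    _rec(DEVICE_IP, "192.0.2.20", 40002, 80, b"GET /seg0.ts HTTP/1.1\r\n\r\n"),
    _rec("192.0.2.20", DEVICE_IP, 80, 40002,
         b"HTTP/1.1 200 OK\r\n\r\n" + (b"\x47" + b"\0" * 187) * 2)])
```

Calling `audit_pcap` on the bytes of a real capture returns one label per server endpoint; any `cleartext-mpegts` entry is a flow where media left the TLS channel.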
NetworkMiner is not trying to take the place of Wireshark, but it is an easy tool to use to quickly assess the hosts and protocols in a packet capture, and to extract and recreate file content. I've given it a special place of honor in my C:\TOOLS directory on my Windows boxes, and will certainly return to it on future mobile application security assessments.
- Joshua Wright