15 Apr, 2020

Digital Medical Device Security Assessments

Lately I’ve been heavily involved in assessments on a couple of different medical devices. I can’t lay down specifics on the types of device or the companies at the moment, but you can use your imagination. The devices are of the ‘smart’ genre and the end-user is a patient with health concerns.

These assessments have been really interesting. When we get down to the nitty-gritty, studying the docs with a fine-toothed comb, applying the knowledge we’ve gained from years of mobile app development and hardware curiosity, it’s really satisfying. We’ve done threat modelling exercises and full risk assessments of these devices, discovering issues with things like the proprietary software design approaches and with lack of tamper detection.

One of the most important parts of my work on the initial assessments has been the literature review, especially when FDA regulations are involved. I’ve found the details of exactly what is required to get the products through the FDA approval process.

Of course the initial assessments are succeeded by the BEST part, the penetration test! Pentesting smart medical devices in my experience involves attempts at dumping firmware – usually from Android hardware, sniffing traffic, dumping memory, and lots more exciting stuff. In the future I hope I can do a write-up and a conference talk on something juicy.

If you are developing an IoT device (it doesn’t have to be a medical device), you need a cybersecurity assessment: threat modelling, full risk assessment, regulatory compliance, and a pentest. Drop me an e-mail and let’s talk!

Stay safe during this pandemic. James xx

9 Mar, 2020

[Wire Security] How to Pentest Mobile Apps in 2020 – A Sensible Approach

This is a cross-post from https://www.wire-security.com

Introduction

I’m James and I’m a consultant here at Wire Security. I’ve been an app developer since 2012 and I’m just getting started in my career in security. I’ve always felt like a hacker and these days I’m over the moon to actually be one! I’m going to be writing more articles here regularly so please remember to check back and keep an eye on our company Twitter feed: @Wire_Sec

Old News

Over the years other people in the industry have developed guides and tools to forensically analyse mobile apps, which made pentesting easier. Unfortunately many of those tools were dependent on specific Android/iOS releases or other factors, which makes them no longer usable.

On a recent engagement with Wire Security I took the lead on an Android and iOS app report where the items in scope were:

1) The app sandbox on rooted/jailbroken devices and on non-compromised devices too,

2) External network communication, and

3) Device memory

We were interested in sensitive user data, any credentials being leaked, etc. The client gave us the source code. After stumbling through many outdated mobile pentesting guides and lists of tools, I took a step back to consider my requirements carefully. The approach I used in the end was very simple.

Simple New Approach

With most guides and toolsets published on GitHub being out of date, or not working on the latest iOS and Android versions, I had to manually do most of the work where my goal was to analyse memory, the app sandbox, and key storage. These targets are going to be very similar in most mobile app penetration tests in 2020 and beyond so if I can help you lay down a simple, standard attack process then you can take that forward and own it, and play with it as you like. Alongside my no-frills methodology I had two important devices, which were a jailbroken iPad Mini 4 and a rooted Huawei P20 Pro. You don’t need physical devices when services like Corellium exist (for now), but they are nice. Note: the Android Emulator (AVD) has support for root.

MEMORY ANALYSIS

On Android you can use adb shell am dumpheap <pid> <file>. This command writes a dump of the memory heap of the chosen app or process to the given file on the device, which you can then copy off with adb pull. Use ps -aux <package name> to find the PID. Very handy with breakpoints in the source code. Once the dump is in a file you can open it with vim or your favourite text editor to search for interesting nuggets like apiKeys. In vim you can use :%!xxd to view the hex output. You can also use strings to filter interesting human-readable text from the file. Android Studio has awesome built-in functionality for memory profiling. DZone did a write-up on the usage of Android Studio.

On iOS, Xcode also has a fantastic collection of memory tools including heap analysis. ZenDesk Engineering wrote a great piece on this.
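Searching a heap dump by hand with vim and strings gets tedious, and strings on its own misses text a Java heap may hold as 16-bit chars. The script below is an added example, not code from the original post or from Wire Security: it pulls printable runs out of a dump (ASCII plus UTF-16 in both byte orders), runs a few loose secret patterns over them (an apiKey-style assignment, a Bearer token, an AWS access key ID), de-duplicates the hits and prints them redacted so the report itself doesn’t leak anything. The dump it runs on when given no argument is constructed inline and is not a real hprof file; every pattern is a heuristic and each hit still needs a human to confirm it is a live credential.

```python
import re
import sys
from typing import Dict, List, Tuple

MIN_LEN = 6  # shortest printable run worth reporting, like strings(1) -n

# Byte-level regexes for printable runs: plain ASCII, and UTF-16 in both byte
# orders (Java heap dumps may hold char[] data as 16-bit code units).
_RUN_PATTERNS = (
    ("ascii", rb"[\x20-\x7e]{%d,}"),
    ("utf-16le", rb"(?:[\x20-\x7e]\x00){%d,}"),
    ("utf-16be", rb"(?:\x00[\x20-\x7e]){%d,}"),
)

# Things we would flag in a report. The value patterns are deliberately loose;
# every hit still needs a human to confirm it is a live credential.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "api_key_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{8,})"
    ),
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9_\-.]{16,})"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the dump,
    ordered by offset. A UTF-16 string is also matched by the opposite-endian
    pattern one byte later; scan_dump() de-duplicates on the decoded value."""
    runs = []
    for enc, pattern in _RUN_PATTERNS:
        for m in re.finditer(pattern % min_len, blob):
            runs.append((m.start(), enc, m.group().decode(enc)))
    runs.sort()
    return runs


def scan_dump(blob: bytes) -> List[Dict[str, object]]:
    """Run the secret patterns over every extracted string and return unique
    findings with the offset and encoding they were first seen at."""
    findings = []
    seen = set()
    for offset, enc, text in extract_strings(blob):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1)
                if (kind, value) in seen:
                    continue
                seen.add((kind, value))
                findings.append({"kind": kind, "value": value, "offset": offset, "encoding": enc})
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Show only a short prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * (len(value) - keep) if len(value) > keep else "*" * len(value)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a heap dump (NOT a real hprof file): binary
    filler with three strings embedded the way a leaky app might keep them."""
    filler = bytes([0x00, 0x01, 0x10, 0x7F, 0xFF]) * 32
    return b"".join([
        filler,
        b"apiKey=demo_key_0123456789abcdef",  # constructed ASCII config string
        filler,
        # constructed token as a Java char[] would lay it out (big-endian UTF-16)
        "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.demo.signature".encode("utf-16be"),
        filler,
        "user_preference=dark_mode".encode("utf-16le"),  # benign, must not be flagged
        filler,
    ])


if __name__ == "__main__":
    # Usage: python scan_dump.py heap.hprof   (no argument: scans the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for f in scan_dump(data):
        print(f"{f['offset']:#010x} {f['encoding']:9} {f['kind']:20} {redact(f['value'])}")
```

Run it against the file you pulled with adb pull and treat the output as a list of leads, not a verdict: the offset tells you where to jump in xxd, and the same scan works on an iOS process dump, since the UTF-16 handling is about how strings sit in memory rather than about Android specifically.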

APP SANDBOX

On rooted Android you can use a file manager like File Explorer Root Browser to browse the app sandbox storage.

With a jailbroken iOS device you can install Terminal from Cydia or SSH into your device and explore the app sandbox storage.

KEY STORAGE

With Elcomsoft tools, on Android you can browse Google Drive backups (which can contain app data), and on iOS you can browse the KeyChain backed up by iTunes.

Outro

Thanks for taking the time to read! If you have any comments you can reach me on Twitter: @Jabo_SCO