This blog post series describes flaws identified in Smart Sheriff, a mandated app; see the Intro for background. Please note that this work was coordinated with human rights activists, the vulnerabilities were reported to the vendor, etc. Previous blog posts you might have missed and may want to read first for background:
- Part 1: Intro
- Part 2: Translating APKs
- Part 3: What is SSL? [ MSTG‑NETWORK‑1 ]
- Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ]
The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V6: Platform Interaction Requirements, as follows:
Detailed information and steps to test for this kind of issue can be found in the OWASP Mobile Security Testing Guide:
This finding corresponds to the second round of testing we did on Smart Sheriff:
SMS-01-001 Possible Remote Code Execution via MitM in WebView (Critical)
So, now we have a mobile app supposed to protect children that:
In both cases, network communications could be intercepted via MitM without the app showing any errors to the user.
In mobile apps this is interesting because it puts attack vectors based on malicious or tampered HTTP responses from the server within reach of average attackers (i.e. no government or CA-signed SSL certificate is needed to MitM).
Therefore, since the app supported vulnerable Android versions and was also vulnerable to MitM attacks, a malicious attacker could gain RCE on the phone of a parent or child using the app over public Wi-Fi, for example.
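The combination that makes this finding critical is visible statically: a low minSdkVersion, a WebView that exposes a JavaScript bridge, and an SSL error handler that silently proceeds. The following added audit script (ours, not part of the original post or the Smart Sheriff sources) runs these three checks over a manifest and a decompiled WebView source file; the inputs are constructed samples, and the API 17 threshold is the level at which addJavascriptInterface stopped exposing all public methods via reflection.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Before API 17, addJavascriptInterface exposed every public method of the
# bridge object to page JavaScript via reflection; from 17 on only
# @JavascriptInterface-annotated methods are reachable.
JS_INTERFACE_SAFE_API = 17

# Constructed sample inputs modelled on the pattern described in the finding
# (not Smart Sheriff's real manifest or code).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="22"/>
</manifest>"""

SAMPLE_SOURCE = """
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "bridge");
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.proceed();
    }
});
webView.loadUrl("http://example.invalid/page");
"""


def min_sdk(manifest_xml):
    """Return minSdkVersion from AndroidManifest.xml (defaults to 1 if absent)."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(uses_sdk.get("{%s}minSdkVersion" % ANDROID_NS, "1"))


def audit_webview(manifest_xml, source):
    """Return a list of findings describing the MitM-to-RCE preconditions present."""
    findings = []
    sdk = min_sdk(manifest_xml)
    if "addJavascriptInterface(" in source and sdk < JS_INTERFACE_SAFE_API:
        findings.append("addJavascriptInterface with minSdkVersion=%d (< %d)" % (sdk, JS_INTERFACE_SAFE_API))
    # An SSL error callback whose body proceeds means certificate errors never reach the user.
    if re.search(r"onReceivedSslError[^}]*handler\.proceed\(\)", source, re.S):
        findings.append("onReceivedSslError calls handler.proceed(): TLS errors are ignored")
    if re.search(r'loadUrl\(\s*"http://', source):
        findings.append("WebView loads a cleartext http:// URL")
    return findings
```

Run it over each WebView-bearing class from the decompiled APK; an empty list means none of the three preconditions was found in that file, not that the WebView is safe.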
Hack Smart Sheriff to pieces with us!
NOTE: Attendees will get lifetime access to our training portal with:
- Unlimited course updates & step-by-step lab video recordings
- Lots of real-world apps to practice with, such as:
  - Government-mandated and police apps in various countries
  - Many other excitingly vulnerable real-world apps!
  - IoT apps controlling toys, drones, etc.
- Global AppSec Amsterdam, EU: 23-25 September 2019
- c0c0n, Kochi, India: 25-26 September 2019
- LASCON, Austin, TX, USA: 22-23 October 2019
Cannot make it? Ping firstname.lastname@example.org for training portal access.
Next blog post: