Mobile Device Security: Interview with a Positive Technologies Expert
Recently, the head of the advanced technologies department at Positive Technologies, Nikolay Anisenya, visited the AUTHORITY channel.
We talked with the expert about the security of mobile devices, the latest trends and threats in the field of mobile security. In addition, Nikolay shared tips for beginners.
Tell us a few words about yourself, about your path. How did you come to information security and choose the field of mobile security?
My name is Nikolay Anisenya, I head the advanced technologies department at Positive Technologies, and I am engaged in the security of mobile applications. I write about this and more on the Telegram channel @xyuriti.
I became interested in programming as a teenager: a friend and I modified various game files, re-voicing them and changing the text (that was basically all we had the skills for at the age of 12). Later I learned that there is a specialty called "computer security," and I decided that I definitely wanted to go there: the romantic image of the hacker attracted me. As a student, I met the guys from the student CTF team SiBears, who held lectures and practical security training every week. I started attending their classes and even spent nights at the university during competitions (most of them were held during the day in the USA, which was deep night in Siberia, and we could take part online).
Two years later, I joined the main team and went to my first on-site competition RuCTF in Yekaterinburg. There I met the Russian-speaking information security community, learned about the profession of a pentester, and my future goals were adjusted: I decided to become a specialist in offensive security.
A couple of years later, with the help of my teammates from SiBears, I received invitations to my first freelance projects in pentesting and web application security analysis. By the time I graduated from university, I already had some experience in pentesting, internal audits, web, and even mobile security.
When Positive Technologies decided to open a branch in Tomsk in 2014, I was offered the chance to interview for a hacker position. There were no web vacancies at the company, but there were vacancies for mobile applications. I decided to try, prepared in a couple of weeks, and passed. That is how I ended up at Positive Technologies, where I still work in the mobile field.
The path turned out to be thorny. Let's talk about mobile security. What are the main security threats to mobile devices, in your opinion? Which ones are most often encountered in research?
Based on personal experience, and not on any statistical data, I can name the main weak points of mobile applications:
as a rule, the APIs of mobile applications are less protected than the APIs of web applications;
in my opinion, developers of 90% of mobile applications do not protect their code from analysis at all, and this is a necessary stage in finding vulnerabilities, creating clones, or simply studying the intricacies of implementing certain application functions;
deeplink processing is the most common entry point for attacking applications.
What is most often encountered in research is usually not the most dangerous vulnerabilities. Let's consider here only the vulnerabilities of the client part of the mobile application:
various configuration flaws: backup allowed, hardcoded keys, tokens, addresses, passwords;
lack of protection against code analysis: running on devices with jailbreak (root), the possibility of repackaging;
storage of sensitive data, which can only be extracted if there is a jailbreak (root) or additional vulnerabilities.
All these are low or informational risk vulnerabilities. Everything related to more interesting bugs is almost always something unique, consisting of several flaws and requiring several techniques for exploitation. Usually these are vulnerabilities related to interprocess communication.
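The configuration flaws listed above (backup allowed, debuggable builds, exported deeplink entry points) are the kind of thing a static check over a decoded AndroidManifest.xml catches before a pentester ever sees the app. The following is an added example written for this page, not code from Positive Technologies or the interviewee; the manifest it audits is constructed inline, and the severity labels are the author's assumptions.

```python
# Added example: static audit of a decoded AndroidManifest.xml for the
# client-side configuration flaws mentioned above (backup allowed, debuggable
# build, exported deeplink entry points). Not code from Positive Technologies;
# the manifest below is constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


# Constructed sample manifest with one clean and two weak activities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="demo.example"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return (severity, component, message) tuples for each weak setting found."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings

    # allowBackup defaults to true, so an absent attribute is also a finding.
    if attr(app, "allowBackup", "true") == "true":
        findings.append(("LOW", "application",
                         "allowBackup not disabled: private app data can be "
                         "exported via adb backup on API levels that still honour it"))
    if attr(app, "debuggable") == "true":
        findings.append(("LOW", "application",
                         "debuggable build: a debugger can attach and run-as can read app data"))

    for activity in app.iter("activity"):
        name = attr(activity, "name")
        # A component with an intent-filter is reachable from other apps
        # unless it is explicitly marked exported="false".
        if attr(activity, "exported") == "false":
            continue
        for filt in activity.findall("intent-filter"):
            actions = {attr(a, "name") for a in filt.findall("action")}
            if "android.intent.action.VIEW" not in actions:
                continue
            schemes = {attr(d, "scheme") for d in filt.findall("data")} - {None}
            if schemes - {"http", "https"}:
                findings.append(("INFO", name,
                                 "custom-scheme deeplink %s: any app can invoke it, "
                                 "so every parameter must be validated" % sorted(schemes)))
            elif attr(filt, "autoVerify") != "true":
                findings.append(("INFO", name,
                                 "http(s) deeplink without autoVerify: other apps can "
                                 "register the same URLs and intercept the link"))
    return findings


if __name__ == "__main__":
    for severity, component, message in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % (severity, component, message))
```

On the constructed manifest the audit reports the backup and debuggable settings plus the custom-scheme deeplink activity, and leaves the verified https link alone; in practice you would run it over the manifest that Apktool decodes from the APK.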
What challenges and tasks in the field of mobile security do you find most interesting and would like to explore in the future?
From the attacker's point of view, I am most interested in exploring hidden API / private API — these are the OS functions that an application can use, but they are poorly documented and intended for use by system applications. They exist in both Android and iOS. All this can greatly expand the arsenal of techniques with which various shortcomings can be turned into full-fledged exploitation chains. This is what can push this area far ahead.
From the point of view of application security, I understand that a major omission is the lack of even elementary code protection techniques in practice. From the experience of bug hunters (vulnerability search specialists), I can say that a wall of more or less tolerable code protection greatly reduces the attacker's interest in a particular application, and he is more likely to switch to some other application. Only the most motivated storm these walls, which cannot but affect the cost of the attack. Therefore, in my opinion, the huge unrealized potential of mobile protection lies precisely in the application of mobile application protectors.
Let's touch a little on the corporate environment. In your opinion, what are the most relevant risks associated with the use of mobile devices to access corporate resources at present?
Mobile devices have several properties that make them an ideal target for attacking a company through its employees:
this device travels with the owner and connects to various networks. A network attack vector can be applied to any of them, not to mention the physical one. This is true for cases of using gadgets for both work and personal purposes;
people rarely separate work and personal devices, in most cases it is the same device. Corporate messengers and pirated games, mail and social networks coexist on it. If there are vulnerabilities, some applications can attack others within the same device;
a mobile phone is often a router and can route malware traffic to the corporate network if you have a work VPN installed. Simple scanning no longer seems difficult in this case;
there is almost no monitoring on mobile phones that signals the company about malicious activity, especially if this activity is carried out inside the device and is not directly related to the network.
As far as I know, the law does not allow personal devices of employees to be included in the scope for pentesting. However, this law certainly does not stop attackers, and who knows how often they use such properties of mobile devices to carry out attacks on companies?
Currently, two types of malware cause the most damage to businesses around the world: ransomware and stealers (in the context of stealing data that is a trade secret). Are these attacks relevant for mobile devices?
I do not specialize in mobile malware, however, I can assume that it is much more difficult to gain uncontrolled access to stored files on a mobile device than on desktops. This is due to the fact that rights to public storage (files, photos) are issued separately from each other. In addition, there is isolation of the internal storage of application files (containerization).
For a desktop-like impact, privileged access is most likely needed: root or jailbreak. There are few such devices in the world (according to various estimates in different years, from a fraction of a percent to 7% of all devices). Such attacks work because of scale: the more devices are infected, the more victims will eventually pay the ransom. As we can see, scale may be a problem here.
How realistic is the scenario of gaining initial access to a company's infrastructure through the exploitation of a mobile device?
Such cases are not known to me, although they surely have occurred, albeit not on a massive scale. Nowadays, no one is surprised by remote work, as well as working from a phone. VPN, email, messengers, video calls, other internal services - all or part of such applications are available to every employee of even a small company with its own infrastructure. As I mentioned earlier, in the event of a device or even a single application compromise, the phone turns into a router capable of reaching the corporate network through an enabled VPN - this is at least network scanning.
The applications themselves for working with documents, chats, email, and other corporate information can also contain vulnerabilities through which an attacker can gain access to data or even take over a corporate account. I repeat once again: although such attacks seem plausible to me, detecting them is much more difficult due to the exploitation of vulnerabilities on the mobile phone side in the client part of applications - this is simply not detected now.
Tell us about the tools and technologies you use for testing the security of mobile devices.
The same as everyone else, I think. Decompilers: jadx, Hopper Disassembler, IDA Pro, Apktool, androguard. Dynamic instrumentation tools: frida, LSPosed. To find vulnerabilities in application APIs, most people use Burp Suite. And on top of all this there are custom tools, or situational plugins and projects on GitHub, strictly for the task at hand.
Let's talk a little about AI. What attack methods using AI have you encountered? Can you tell us about your experience with AI technologies in the context of mobile security?
I believe that AI, particularly large language models (LLM), has enormous potential in code analysis. They can already find simple vulnerabilities. They also help a lot in reverse engineering. Here's a case from personal experience. Once in a mobile application, I found an embedded token from a service that I had not encountered before. I spent a couple of hours reading the documentation and reverse engineering, but I still couldn't figure out how to use this token to get anything. ChatGPT came to the rescue, which wrote me a curl command from the code in jadx, and through it, I was able to exploit the vulnerability.
Have you encountered backdoors, intentionally weakened encryption, or something similar?
A couple of times I came across a non-obvious entry into the debug menu, where you could reconfigure the application. The most dangerous thing in such reconfiguration is to specify your server instead of the original one. Whether this is considered a backdoor, I don't know. We also regularly found money manipulation in banking applications. Sometimes the exploitation was so simple that you involuntarily wonder: did they leave such an opportunity on purpose? But this is also unproven.
How realistic is it now to gain full control on a non-rooted device? Does this happen as a result of exploiting binary or logical vulnerabilities?
I think such vulnerabilities exist, but such exploits do not roam the internet en masse. And it seems that the whole point is that zero-click code execution for Android and iOS now costs 2 and 1.5 million dollars, respectively. Probably, this encourages exploit creators not to make their developments public sometimes, but to sell them for good money to vulnerability brokers.
In the world of malware development, there is a term "fileless attacks". Is it really possible to carry out something like this and gain a foothold in the mobile system without installing an additional application? If so, and if the company's policy allows, tell us about the experience of discovering vulnerabilities leading to such attacks.
As far as I understand, we are talking about malware that exists only in RAM. I have not encountered such attacks myself, but I can suggest several scenarios:
dynamic code loading. The application loads part of the code over the network, and the attacker can influence this through a vulnerability: conduct an insecure data transfer (MitM) or send a URL to download malicious code using a deeplink;
lightweight apps such as App Clips (iOS) and Instant Apps (Android) that run without installation. In this case, only the part of the application needed to perform a certain action, such as paying for parking, is downloaded and launched. This application then behaves like one installed on the device, albeit with reduced rights.
Although I can't give real examples, of course.
How useful are antivirus programs on mobile devices now?
Forgive me, colleagues who are engaged in antivirus programs. I believe that they are practically useless on mobile devices. Signature analysis can still work poorly on Android, but it is almost impossible to track the behavior of applications dynamically. The fact is that mobile operating systems do not give as many privileges to applications as desktop OSs do.
We couldn't pass by this question. Which is safer: iOS or Android?
There are critical risk vulnerabilities in both. Safe code can be written in both. But more vulnerabilities are found in Android itself and in applications for it simply due to the openness of the platform and the simplicity of analyzing such applications.
A few words about bug bounty. Have you participated and if not, why? Tell us about your experience. Or tell us about your first detected bug.
I used to participate. Not very successfully, but not too sadly either. The biggest payout was from Reddit: $3,750 for a vulnerability in the Android application that allowed account hijacking by modifying files in the public directory.
The very first vulnerability was in the Instagram* app and was not really a vulnerability at all. In the Terms and Conditions section, the agreement was opened in a WebView via HTTP (without encryption), from which one could navigate to any website. Opening an arbitrary site inside a WebView is a low-risk vulnerability, and here the attacker had to be on the same network as the victim to replace the page with their own for phishing purposes (in a WebView, the victim does not see the page address and thinks they are interacting with the app, not with a site inside it). But since the minimum bounty for Instagram was $500, that is how much I was paid even for such a weak bug.
* Instagram is owned by Meta Inc., which is recognized as extremist and banned in the Russian Federation
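The WebView bug above comes down to a missing navigation policy: the agreement was fetched over plain HTTP and the WebView would follow any link, with no address bar to warn the user. The function below is an added example of such a policy, written for this page and not code from Instagram, Meta or the interviewee; the allowlisted hosts are hypothetical. It is a pure function so the edge cases (scheme case, userinfo tricks, look-alike subdomains) can be tested offline; in an Android app the same decision would be made in the WebViewClient callback that intercepts navigation.

```python
# Added example: the navigation policy the WebView bug described above lacked.
# Only https URLs on an allowlist of hosts are rendered inside the WebView;
# anything else is refused so the app can hand it to the system browser,
# where the user sees the real address. Constructed example, not Instagram's
# or Meta's code; the hosts are hypothetical.
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"legal.example.com", "help.example.com"})  # hypothetical


def is_allowed_webview_url(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for https URLs whose host is exactly one of the allowed hosts."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed input such as bad IPv6 brackets
        return False
    # Plain http (the original bug) can be rewritten by anyone on the same network.
    if parts.scheme.lower() != "https":
        return False
    # Reject userinfo tricks such as https://legal.example.com@evil.test/
    if parts.username is not None or parts.password is not None:
        return False
    # urlsplit lowercases hostname and strips the port; drop a trailing dot too.
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: legal.example.com.evil.test must not pass.
    return host in allowed_hosts


def route_navigation(url):
    """Decision a shouldOverrideUrlLoading-style callback would make for a URL."""
    return "webview" if is_allowed_webview_url(url) else "external_browser"


if __name__ == "__main__":
    for candidate in ("https://legal.example.com/terms",
                      "http://legal.example.com/terms",
                      "https://legal.example.com@evil.test/",
                      "https://legal.example.com.evil.test/terms"):
        print(candidate, "->", route_navigation(candidate))
```

Sending refused URLs to the external browser rather than silently dropping them keeps legitimate outbound links working while guaranteeing that whatever renders inside the app is served over TLS from a host the app owns.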
What future do you think awaits mobile devices?
Mobile devices are gaining new features year by year, which inevitably expand the attack surface. I am sure that researchers and bug hunters will have a lot to study and find vulnerabilities or errors for a long time. And thanks to such enthusiasts, the security of these technologies will "keep up" with their rapid development.
And traditionally, five tips for beginners. How to become a mobile device security researcher?
Start with OWASP Top 10 Mobile. If you have an understanding of the basics of web security, it will be much easier to get into mobile, starting with server-side. It is easier to master iOS after Android, as many things are done by analogy.
Read mobile application vulnerability disclosures, find old versions where the vulnerability was present, and reproduce them with your own hands — this will help you improve the fastest.
Read specialized blogs, such as PT SWARM and the blog of my former colleague Sergey Toshin, who is a top hacker of Android applications and founded his own company Oversecured — I learned a lot from him myself.