Mobile App forensics

4 Posts
4 Users
0 Likes
388 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

A friend of mine claimed that someone stole her personal data via hacking a certain App. She installed that App several months ago and registered an account. The user information included name, phone number, birth date, address, e-mail address, etc. Recently she got lots of spam e-mails, and guess what??? She saw her personal data in those e-mails. What a coincidence~

She asked me to conduct a forensic on that App to see if it is secure or not. I took a look at that App "X". You guys could take a look at my blog at the link below to see what's going on.
http://www.cnblogs.com/pieces0310/p/6683445.html

 
Posted : 08/04/2017 8:22 pm
 LC6
(@grigollo)
Posts: 25
Eminent Member
 

interesting

 
Posted : 17/04/2017 4:46 am
(@athulin)
Posts: 1156
Noble Member
 

She asked me to conduct a forensic on that App to see if it is secure or not.

There seems to be a tendency to use the term 'forensic' to mean whatever you like. In this case, it appears to be used to mean something like 'security assessment'. While a security assessment can be an important part in a forensic examination, it doesn't say anything about what actually happened, only what might have happened.

For example, in the present case, there's a suggestion that a man-in-the-middle attack would be used to collect the user_access_token. Technically possible, of course.

From a forensic point of view, the question if the information was collected in transit, or if it was collected from the application back-end servers seems more relevant. App security doesn't seem to be too good, admittedly, but if the information leaked due to a server security weakness – say, a SQL injection attack against a (presumed) "X" customer portal or database API, or the Web_API that can be seen in the article – it puts a slightly different spin on things.

From a practical point of view, going after single users of a particular app seems a rather ineffective way to collect – not information useful for spam, but session tokens that could be used to gain access to an app database in which the information lives and extract the information that is useful.

But could it? How long does a session token live? Forever? Or is it renewed on regular basis, based on user activity? In the latter case, collecting user tokens is useless, unless you exploit it within the session token timeout period. And we have no evidence either way. For this question – deciding the restrictions a session hijacking attack would be subject to (can it be done any time, or need it be done within a minute?) – the security assessment does not provide an answer.

Let's not conflate app security assessments with app forensics or other digital forensics. The one deals with possibilities and probabilities, which is something the other should avoid.

 
Posted : 17/04/2017 10:34 am
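The two lifetime policies athulin's question turns on (an idle timeout that user activity renews, and an absolute lifetime that nothing renews) can be made concrete. The following is an added illustration, not code from this thread or from the app "X" under discussion; the timeout values, user names and timestamps are constructed for the demo. It also stores only a hash of each token server-side, so a dump of the back-end session table (athulin's other scenario) does not yield replayable tokens.

```python
"""Session-token lifetime model (added example; values are constructed).

A token captured in transit is only useful to a hijacker while the server
still accepts it. This models two independent limits on that window:
  - IDLE_TIMEOUT: renewed every time the legitimate user is active
  - ABSOLUTE_LIFETIME: a hard cap counted from issue time, never renewed
"""
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # constructed: 15 minutes without activity
ABSOLUTE_LIFETIME = 8 * 3600    # constructed: 8 hours regardless of activity


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


def _digest(token: str) -> str:
    """Tokens are stored hashed so a leaked session table is not replayable."""
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._by_digest: dict[str, Session] = {}

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_digest[_digest(token)] = Session(user, now, now)
        return token  # the raw token goes only to the client

    def validate(self, token: str, now: float):
        """Return the user if the token is live, else None.

        A successful check renews the idle clock (sliding expiry) but never
        the absolute one. Expired sessions are dropped on first sight.
        """
        key = _digest(token)
        s = self._by_digest.get(key)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._by_digest[key]
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token: str) -> None:
        self._by_digest.pop(_digest(token), None)


def hijack_window_demo():
    """Replay of a token captured at issue time, against the idle timeout."""
    store = SessionStore()
    t0 = 1_000_000.0                        # constructed epoch seconds
    tok = store.issue("alice", t0)          # assume tok was observed in transit here
    # Alice is active 10 min later: token live, idle clock renewed.
    alive_during_use = store.validate(tok, t0 + 10 * 60) == "alice"
    # 5 min after that, a replay is accepted: this is the hijack window.
    replay_in_window = store.validate(tok, t0 + 15 * 60) == "alice"
    # Alice then stops; a replay 15 min + 1 s after her last request fails.
    replay_after_idle = store.validate(tok, t0 + 30 * 60 + 1)
    return alive_during_use, replay_in_window, replay_after_idle


def first_rejection_offset() -> int:
    """Seconds after issue at which steady activity (every 10 min) stops
    renewing the token, i.e. the absolute lifetime kicks in."""
    store = SessionStore()
    t0 = 0.0
    tok = store.issue("bob", t0)
    k = 1
    while store.validate(tok, t0 + 600 * k) == "bob":
        k += 1
    return 600 * k
```

The point for the thread: with a sliding idle timeout, an intercepted token is only worth something if replayed inside the idle window after the victim's last request; with an absolute cap, even a victim who never stops is cut off at the cap. Which of these the app "X" enforces is exactly what the security assessment in the blog post does not establish.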
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Discussing around possibilities without a clear goal is worthless. To find out if an app (do not forget to log what version exactly was installed) you best google to find out if other users faced the same problem. This is not about forensics, it's just check-it-out.

If the app ApacerCloud was a compromised version at the time of downloading, it is not possible to find out without fully examining the device. If it's an Android device without the most up-to-date patching (which does not work in this 3-player constellation Google - PhoneManufacturer - User), any discussion about MITM or other malware spying or keylogging is worthless too.

Just stop to examine. Credentials could be stolen at another incident, and don't make the mistake of falsely connecting the dots just because they occur at the same time or the time expected. Multiple problems follow multiple reasons. No chance, and false expectation against forensics to find out.

Good idea - but false interpretation of the situation.

 
Posted : 17/04/2017 1:33 pm