I'm going to introduce myself. I am speaking for the XR Village. My name is Whitney Phillips. I'm going to be presenting on augmented reality and the implications on mobile security.

A little bit about myself. So I've been in infosec and IT for about 12 years. I started off at help desk. I was a system administrator after that. Shortly after doing system administration, I became a security operations, I guess, analyst. That was, I would do anything between running antivirus or putting encryption on PCs, anything that could break my way into security. After that, I switched over to a purple team where I did code review. And I know zero coding. So that was quite an interesting one year. And I quickly got out of it. And that's where I turned to mobile application pentesting. I started that about five years ago and have enjoyed it ever since. And that's what kind of broke me into my job here at TrustedSec right now. So I primarily do mobile app pentesting. And then I go and do gray box when they need help for that. So that's a little bit about me. I had no plan on coming to DEF CON today. About three weeks ago, the XR Village needed an extra person to fill in. So I created my talk. And here I am. And we'll give this a go. Yay.

All right. So why are we here? I am going to talk to you about augmented reality and the security and privacy issues it has around mobile security. So a little bit about augmented reality. And I'm not going to lie, I'm more of a mobile expert. Augmented reality is a little bit outside of my realm. So I felt like Big Bird trying to research something completely new. And I'm like, I don't know what I'm doing. Why am I researching something that's out of my realm? But it's not. Because we live in augmented reality every single day. So augmented reality, it's technology that is digital, and it integrates into a user's physical environment in real time.
So anything from QR codes, the Snapchat, to even those fun little things that you can put out in your house like little 3D images, that's all augmented reality. But what we don't really think about is it collects a wealth of our information in our everyday life. So that's my break slide.

So when I was doing research for augmented reality, it was kind of hard. There was a lot of different information out there. So this is kind of the information that I've gathered. There are two different main types of augmented reality. There's marker-based. And that's like your Snapchat, your face filtering, logos, posters, QR codes, augmented reality. I wouldn't even have thought of that. It's so crazy. Then there is without markers. So location-based, that's GPS; projection-based, that's your 3D images that maybe you get an app from Target, and you're like, this dresser looks really cute in my house. That's the 3D image, your Pokemon Go. And then the overlay of screen for the superimposition. It's like, the best I can explain it is like flying a drone app. That's how I take that specific augmented reality. So with all those, I kind of broke them down a little bit more into not-so-marker, markerless, projection. I wanted to talk about it and how I understood it.

So a lot of augmented reality, there's a lot of biometrics that are involved, especially with face-changing ones or makeup apps. You've got facial recognition software. They're tracking your eyes. Heart rate monitors are considered augmented reality. Those fun makeup apps where you want to put eyeshadow on your face to see if it looks really cute. And not that everybody does that here. Yeah, face filtering and even those clothing apps. There are clothing apps right now where you can take a picture of yourself and see how that fits on you. But in the meantime, you're still scanning your whole body and you're scanning everything about you and you're placing it in this app. And then location-based and projection.
So I keep going on about apps that you can see how products will fit in your house. Architecture uses augmented reality. Navigation is augmented reality. Manufacturing, games like Pokemon Go. And even our military uses augmented reality for this, Lawnmower Man. I don't know if anybody... I have to have those break slides.

All right, so here's some examples of what I found when I was doing research of what is considered augmented reality. Shopify has an integration into apps that will basically do the same thing as the Target or IKEA app. I want to see how this fits in my home. OK, well now you're taking your GPS location. You're taking everything in your home and you're now giving it to that app. YouCam Makeup. Is it GIF or GIF? World. Roar. You're putting dinosaurs in your house. Like, you're giving your information up for dinosaurs. So other app examples. Pokemon Go. I know we have some Pokemon Go people in here, for sure. I didn't take that soldier's location out. It's supposed to go into a separate part, but ignore that. That's later on. QR codes. And again, Snapchat. We all know we like our Snapchat filters, right? Again, I'm a sucker for it. Don't I look really pretty as an elf? And I have no friends. So yeah, we have friends right here.

All right, so with apps, there's also devices, too. So Apple's coming out with a new device. Google Glass has had devices out. Bose, didn't even know they have frames. Ray-Bans have frames. Did not know that. Amazon and even our US Army, they have a tactical augmented reality. That's my... it looks like this. So I know the Army gets picked on a lot. And I just, I see something like that, and it makes me a little uncomfortable because I hope that maybe they're the ones sitting behind the scenes and not doing the actual military work, like shooting and stuff. But this might be our future right here. And especially with these devices. So where am I going with this?
You have these devices. You have these apps. Let's talk about the physical, like, let's talk about security concerns and privacy concerns around these. So with the physical devices, imagine you're wearing your Google Glasses and you're trying to go into somewhere where you're not supposed to take pictures. How are we supposed to know if you're recording or not? I'm pretty sure plenty of people in here don't want their picture taken. If I had glasses on right now, would you want to be in my Google thing and have your information being sent out? There were also earlier reports of people being assaulted for wearing Google, those types of virtual augmented reality glasses, just because you're kind of drawing a fine line in people's privacy. So that's kind of where I'm going with the physical devices.

And with the apps, there's also just general app security concerns. So attackers can gain access to your device. I know when you're building out an app and there's such a rush to get things out, you have developers creating apps that are maybe not as up to par, and then like where your data is stored and then what third parties get it. And I'm going to kind of go over those now. So attackers gaining access, basically, they could potentially capture your images if it's not stored properly on your device. That's another way: if they can get a secure backup from your phone, they can pull that information off depending on how the app is storing it. Ransomware on your device is another security issue. So I don't see it as much on my end because I'm doing more of the red teaming and mobile pen testing, but higher-profile people could be susceptible to ransomware because they have more information that's needed or is desired. And then this is a little bit more in my realm, man-in-the-middle attacks, trying to intercept traffic.
We don't know, and this is more where I'm coming in from the mobile perspective, I see a lot of applications that they rush through and get the app done just to get it out there. And then they have no concern over how their app is done or if it's done securely. They want to be the front runner of being in the augmented reality space, especially because it's newer, but if you look back, there still is research that is going back several years. I will say the information out on augmented reality reminds me of how mobile security was five years ago when I started doing this. So proper app development, I don't know, a mobile app development lifecycle is something needed and I don't see that happening very quickly.

Data storage on your device, that's another privacy and security concern. I do get a lot of apps, not augmented reality, but for example, a chat app that I had stores every photo that you take into the cache of the phone, and if you have backups enabled on that app, well, now you have all your phone's pictures that you took in that app. So data storage on the device, if you don't have a lock screen on your device, is an issue. Lost and damaged, I mean, it's still a privacy concern.

And then these apps also store stuff up in the cloud and we have, a lot of times we do not know. I know going and doing my gray box testing and my mobile testing, when I first started working there, I was like, wait a minute, why is all this information heading to all these different companies? Like, why is that a thing? Because I was so focused on data leaving the device and you just, you don't realize how much goes to third parties. But it's a huge risk because if the third-party vendor potentially gets breached, then your data is out there, and I know that's a general concern of everybody in security. So that's a little bit like my take on augmented reality on the app portion of it. So we have these apps.
How are we going to maybe look at them from a technical perspective? So I actually did these, a couple of these slides just a couple of days ago. So I'm kind of gonna go over something you can do as a user, and you don't even have to have a jailbroken phone, just these two pieces of information. So there's a site called APKPure. This is where you can pull down Android installation files. And from there, let me go over my IPA. iPhone, same idea. I did that, I pulled my APK file down. APK, if you're not familiar, it's the Android installation file. IPA is the iOS installation file.

So I took those and I stuck it in a static analysis tool called MobSF. This is so great, like if you're just wanting a high-level overview of what's going on in your app. So I took Snapchat, for instance. Look at all these security issues with "danger" all over here: read your phone number, your phone state, external storage. I mean, I guess maybe it stores something there. Read your call logs, isn't that a little scary? So, and this is something I do as a mobile pen tester. This is my first step, I'm looking at how this app is functioning. So we've got vulnerabilities, the Janus vulnerability, and you can install it on a really old version of Android. So is your data gonna be secured? No. It also allows cleartext traffic. So, yeah, and I was a little bit surprised. So I thought maybe Snapchat would have had a lot of trackers to it. It doesn't, just Mapbox and, you know, your general Firebase analytics. So that was really impressive. I was kind of hoping to see a list of trackers, but I did not.

Back to that Roar app. I just, I like it for some reason. I kind of want to install it after I'm done with this talk and give them all my data. They actually have fewer permission settings than I would have expected. Still to read external storage, find location, but they need that.
And that's kind of as a mobile tester, you have to look and see and look at the app. Like, why, what does the app do? Does it absolutely need to do this? All right, and what else have they got? Oh, minimum version again and cleartext. So, cleartext is allowed on this app. But look at all these trackers. So, that's the dinosaur app. So you're purchasing this app to put 3D images in your house of dinosaurs and it's tracking all your information. And I know, I hate to pick on the military, but I like picking on them a little bit just because our guys are using these apps, and this is a civilian version so I shouldn't get in trouble for this. But our boots on the ground are using these apps and it's just as, we want to make sure that they're secure. But then it still needs a lot of permissions to have that app run. And still cleartext and another vulnerability. But why do we have servers over in different countries if it's a US app? So, I know, all this, I just wanted to kind of show from a mobile pen tester's perspective how I would securely look at these devices.

I'm gonna go in just a little bit more on my mobile. Say you want to take it a step further. You need a jailbroken or rooted device. I use Magisk personally for my Android. I use unc0ver for my iOS. And then these are my steps that I would take to look at the local data storage. I would have my rooted or jailbroken phone. And then if I was wanting to not get the app from the actual app store, I would just create a fake account and do it that way. But if you're just doing static analysis and you don't need a phone, APKPure and MobSF is like the best way to go. So, this is my little bit more technical part of my talk. I use ADB for Android, and that is my toolkit that I use a lot to do more internal investigation of the device and the application.
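The MobSF summary the talk reads off (dangerous permissions, "minimum version", cleartext traffic) comes from the app's manifest. As an added example, not code from the talk or from MobSF, here is a small Python triage script that pulls those same signals out of a decoded AndroidManifest.xml so you can ask the speaker's question for each one: does this app actually need that? It assumes the manifest has already been decoded to plain XML (for example by apktool), uses a constructed manifest for a fictional app (the package and component names are made up), and treats anything below API 24 as "really old", which is this example's own cutoff.

```python
# Added example: manifest triage in the spirit of the MobSF summary in the talk (not MobSF code).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Build the namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Subset of permissions Android classifies as "dangerous" (they trigger a runtime prompt),
# mapped to what they expose. The real list is longer; this is enough for the demo.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "phone state / phone number",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.BODY_SENSORS": "body sensors such as heart rate",
}

# Assumption for this example: anything below API 24 (Android 7.0) counts as "really old".
MIN_SDK_FLOOR = 24


def _is_launcher(component):
    """True if the component declares the MAIN action, i.e. it is exported by design."""
    return any(a.get(android_attr("name")) == "android.intent.action.MAIN"
               for a in component.iter("action"))


def triage_manifest(xml_text):
    """Return the permission, SDK, cleartext and export findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = {"dangerous_permissions": [], "min_sdk": None, "low_min_sdk": False,
                "cleartext_allowed": False, "exported_unprotected": []}

    for perm in root.iter("uses-permission"):
        name = perm.get(android_attr("name"), "")
        if name in DANGEROUS:
            findings["dangerous_permissions"].append((name, DANGEROUS[name]))

    # uses-sdk: minSdkVersion defaults to 1 and targetSdkVersion defaults to minSdkVersion.
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(android_attr("minSdkVersion"), "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(android_attr("targetSdkVersion"), str(min_sdk))) if sdk is not None else min_sdk
    findings["min_sdk"] = min_sdk
    findings["low_min_sdk"] = min_sdk < MIN_SDK_FLOOR

    app = root.find("application")
    if app is not None:
        # usesCleartextTraffic defaults to true below target API 28 and to false from 28 on.
        flag = app.get(android_attr("usesCleartextTraffic"))
        findings["cleartext_allowed"] = (flag.lower() == "true") if flag is not None else target_sdk < 28

        for comp in app:
            if comp.tag not in ("activity", "service", "receiver", "provider"):
                continue
            exported = comp.get(android_attr("exported"))
            # Before Android 12 a component with an intent-filter is exported unless told otherwise.
            is_exported = (exported.lower() == "true") if exported is not None \
                else comp.find("intent-filter") is not None
            if is_exported and not comp.get(android_attr("permission")) and not _is_launcher(comp):
                findings["exported_unprotected"].append(comp.get(android_attr("name")))
    return findings


# Constructed sample manifest for a fictional AR app; package and component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dinoar">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for name, why in result["dangerous_permissions"]:
        print("dangerous permission: %s (%s)" % (name, why))
    print("minSdkVersion=%d (too old: %s)" % (result["min_sdk"], result["low_min_sdk"]))
    print("cleartext traffic allowed:", result["cleartext_allowed"])
    print("exported without a permission:", result["exported_unprotected"])
```

A camera permission on a 3D-placement app is expected; call-log access on the same app is the kind of line item worth a question, and an exported debug activity with no permission guarding it is the sort of thing the speaker later pokes at with Objection.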
Burp Suite I use to do that traffic, to see what the application, how it functions, which, you know, what information is being sent. Frida is another app that I use. This app, you have to, like, be in a wrong state of mind to learn how this app functions. So, I use Fridump a lot to dump the memory of a device. So, sometimes applications will dump information in runtime. This is a great tool. So, if they don't reboot their phone and you're looking for maybe potential security flaws or application issues, I would use this tool right here. This one I have just left over. You pull, like, your unencrypted IPA file and that's another way you can statically analyze an IPA for iOS, and that's frida-ios-dump.

Tied to Frida, let me take a break here. Tied to Frida is Objection and that's another tool that I use in and out. And if I were to be taking these augmented reality apps, I would go through and kind of inspect them a little bit deeper. So, Objection, you can do file system exploration, you can bypass certificate pinning, dump keychains, so if they're not storing things, or if they're storing stuff in the keychain properly or maybe they're not storing it properly, you can get that information. Memory leak issues, you can manipulate objects. This is a starting command for Objection. You didn't think this was gonna be a mobile talk now, did you? It is. So these are the kind of commands that you can run with Objection. Basically, these are my go-to when I'm searching through an app. If it's got SSL, like cert pinning, so I can't use Burp Suite, I'll use the bypass. If it has root detection, I will bypass that with the root disable; keystore; looking for classes. I like to take the classes and try to launch them in the app without being logged in to see if I can get some sort of different information. And that's not so much with these apps that I was talking about before, but a lot of times, like maybe a banking app, can I launch that activity?
Will it drop me into the banking software? So, iOS, and NSUserDefaults, sometimes a lot of information gets stored in that and you'd be surprised. Yeah, you'd be surprised. I've seen passwords in there. So it's definitely a good thing to look at. Credentials, I have the defaults twice and never fixed that. Whoops. Keychain dump and then cookies. Again, we need to see if the app is storing things properly in the keychain.

So, I know I kind of touched on, oopsie, a little crazy on the slides. I know I kind of touched on iOS a little bit, but I use JADX too for decompiling my Android apps. That's a good app to have, a nice, if you're a GUI person like I am, you can take that APK, you don't even have to do anything with it. You just stick it in the app and it shows you all your classes, and it's an easier way to be able to look at that information and see what the app has. So you have your mobile apps. What am I looking for? Secrets, keys, credentials, URLs, IP addresses, email addresses. And then again, with the augmented reality, if I was given that as an assignment, I would probably look to see what kind of URLs there are that aren't tied to that company. Why are they going to that? Is it necessary? Because there is a lot of information that gets stored in apps that you don't normally think you would wanna see.

So, after all this, circling back around with our augmented reality and our mobile apps, what should we do as humans to keep ourselves secure? So, avoiding giving out too much information. A lot of times, it's easy to just put your name down and just let it auto-fill in the app and then hope for the best. So, give half information if it's an app that does not need your information. You do not need to give that app your information. So, have a Jane Doe or whatever name and then Paul won't be able to use her to enumerate you. So, do you wanna come finish the rest of your talk? No. Anyways, VPN, that's another one. I've been told I should use it.
I probably will eventually. And then, going back to the physical devices. So, firmware. Firmware is huge when you have your physical devices, like your glasses, keeping those up to date. I know when I worked in my previous job, I did a lot of drone stuff. And keeping firmware up to date on your drones is a necessary evil. So, it can be a pain in the butt and it probably sometimes might make your drone act funny. I may or may not have had that happen in my life before. Maybe it'll just fly up in your house for no reason. But firmware updates are needed. And then locking your device. I know it's something really simple to say, but I feel like people still don't do that. And two-factor authentication is, I feel like, the best way to make sure that your information doesn't get put out there. And like I said, to push that first bullet point, don't put your information out there if it doesn't need to be. That's like the best information that I could give for keeping yourself secure in these kinds of apps, because they are gonna start pushing more tracking information and they are gonna start getting more of our data and sending it out so then they can use it for other things. Like when you think about buying a pair of shoes and it shows up in your ads, right?

So I might have gone too fast, but some training material that I often like to suggest, shameless plug for my job, the blog, or you can hear me on a podcast. But when I first started doing mobile security, like this was my bread and butter, the OWASP Mobile Security Testing Guide. It's my thing. Like, I liked it, it has good information. And there's also a website, HackTricks, that I've referenced quite often now, but I did not have that on that slide. So with that, I think I have 30 minutes. That's a solid 30 minutes. If anybody has any questions, we can answer them down. There's a royal we, can answer them down there. And here's my information. If you wanna just message me, that's fine too.
But yeah, that's my first DEF CON talk. Woo!
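Earlier in the talk the speaker lists what she looks for once an app is decompiled (secrets, keys, credentials, URLs, IP addresses, email addresses, and URLs that aren't tied to the app's own company) and separately warns that passwords turn up in NSUserDefaults. As an added example, not from the talk and not from JADX, Objection or any other tool named here, the Python below does a first pass over both: it pulls those items out of decompiled source text, flags hosts outside an allowlist of the app's own domains, and lists NSUserDefaults keys whose names suggest credentials or session material. The sample source, the domains `dinoar.example` and `tracker-example.net`, the IP address and the plist contents are all constructed for the demo.

```python
# Added example (not from the talk): triage decompiled app text and an NSUserDefaults plist.
import plistlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# key = "value" / key: "value" where the key smells like a credential and the value is 8+ chars
SECRET_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']")
# NSUserDefaults keys that should not be there at all; that data belongs in the keychain
CREDENTIAL_KEY_RE = re.compile(r"(?i)password|passwd|token|secret|session|auth")


def _dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def scan_source(text, first_party_domains):
    """Return endpoints, contact data and hard-coded secrets found in decompiled source text.

    first_party_domains: domains the app's own company owns; any other host is reported
    as third party so you can ask why the app talks to it.
    """
    urls = _dedupe(URL_RE.findall(text))
    third_party = []
    for url in urls:
        host = urlparse(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in first_party_domains):
            third_party.append(host)
    return {
        "urls": urls,
        "cleartext_urls": [u for u in urls if u.startswith("http://")],
        "third_party_hosts": _dedupe(third_party),
        "ips": _dedupe(IPV4_RE.findall(text)),
        "emails": _dedupe(EMAIL_RE.findall(text)),
        "secrets": _dedupe(SECRET_RE.findall(text)),
    }


def credential_keys_in_user_defaults(plist_bytes):
    """Keys in an NSUserDefaults plist whose names suggest credentials or session material."""
    data = plistlib.loads(plist_bytes)
    return sorted(k for k in data if CREDENTIAL_KEY_RE.search(k))


# Constructed: what a decompiled config class of a fictional AR app might look like.
# "dinoar.example" is the app's own made-up domain; the tracker host and IP are made up too.
SAMPLE_SOURCE = '''
public final class ApiConfig {
    static final String BASE_URL = "https://api.dinoar.example/v1/";
    static final String ANALYTICS = "https://collect.tracker-example.net/ingest";
    static final String MODELS = "http://assets.dinoar.example/models/";
    static final String API_KEY = "AKIAEXAMPLE0123456789";
    static final String SUPPORT = "support@dinoar.example";
    static final String FALLBACK = "http://203.0.113.10:8080/ping";
}
'''

# Constructed: an NSUserDefaults plist holding values that should have gone in the keychain.
SAMPLE_DEFAULTS = plistlib.dumps({
    "lastScene": "dino_park",
    "userEmail": "jane@dinoar.example",
    "authToken": "CONSTRUCTED-TOKEN-VALUE",
    "password": "hunter2",
})


if __name__ == "__main__":
    report = scan_source(SAMPLE_SOURCE, ["dinoar.example"])
    for key, values in report.items():
        print("%-18s %s" % (key + ":", values))
    print("credential-looking NSUserDefaults keys:",
          credential_keys_in_user_defaults(SAMPLE_DEFAULTS))
```

The output is a starting list, not a verdict: every third-party host and every cleartext URL still gets the speaker's "is it necessary?" question, and a key hit in NSUserDefaults is confirmed by checking what the app actually stores there on a jailbroken device.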