We are here with an old friend, who is at the University of Erlangen-Nürnberg. He is doing a PhD in Information Science and Computer Science. And he is going to present to us the fabulous world of mobile banking. Please welcome to the stage Vincent Haupert.

Yes, thank you very much for the introduction. Fabulous is a very many-layered word. First of all I would like to acknowledge the fabulous cooperation with my colleague. Thank you very much. Online banking: I assume most of you are using it. The first factor is always logging into the online banking portal with the username and password. After that you start a transaction with an IBAN and an amount. And then you have to enter a transaction number (TAN) to authorise the transaction; that's been around for ages. And the way of generating or receiving that TAN can differ quite a bit. The first three methods in this list were motivated by the fact that there was quite a lot of fraud. And chipTAN was the zenith of what can be achieved technically, at least as far as security is concerned, and therefore photoTAN and appTAN try to optimise a bit more for usability, which is not a bad idea. And I don't have anything against these as long as you use two devices, because whenever you use two devices you have the protection of knowing that if one of your devices is compromised the transaction is still secure. Two years ago I was asked about photoTAN and said that it's a fairly reliable method because it implicitly assumes that you use two devices, because you have to scan with a second device and then generate a TAN. And then there's pushTAN, or methods that are implemented in two apps. This has been around for ages, and the paradoxical thing is that these days you can even use photoTAN on the same device. There's nothing to scan anymore. The apps just communicate amongst themselves, which shows how absurd all this is. Nobody is really talking about two-app methods anymore.
Most try to implement a one-app method. This is remarkable because the SMS TAN method has undergone a transformation from a single-purpose device to a multi-purpose device, which means now it's more or less another app. But this meant that people were using the same device to initiate and authorise a transaction. This turned out to be a bad idea fairly quickly and was excluded from many banks' terms and conditions quite quickly. But this makes me wonder what the difference is with the other one-app methods. So, this didn't really impress the Sparkasse, a German bank. They already said, yeah, there are a lot of prerequisites and this won't really work. There's a lot of work involved in rolling out a new version of the software, and that's what they want to address. So, earlier I said, yeah, SMS TAN, we don't do that, that's not safe. So, what's really the difference with these apps? Yeah, there are a lot of properties, but the important part is the verification by a third party. There's quite a big market for third-party vendors that sell you verification and safety for these kinds of things. From the small selection here on the slide, the one I'm going to look at is Promon. Promon has a product called Shield. All of these pieces of information on the slide are from their web page. And it's supposed to shield your app from unsafe environments. It's platform independent, it works on iOS, on Windows, on Android, and it should be usable within minutes. The next quote is from a video. It recognises every danger or threat in real time, and it becomes highly secure even on infested and compromised systems. So, let's look at this some more. So, what kind of properties or features would cope with this? There are two categories: there's app hardening, which does verification analysis, and there's the new area called best practices, like certificate pinning, their own keyboard and so on, stuff that the developer usually did. So, they're all trying to do this right now.
And in the space of mobile banking, they're pretty important. So, how do you use this Shield now? How do I use this for my Android or iOS app? Do I as a user still have to make some changes in my settings? Do I need to turn off features like root detection, or does this Promon tool, this Shield, just show up and then magically make my app safe? How does it work? This is the list of the apps, 31 of them, that all use Promon Shield. The two that I just greyed out are not banking apps. They're coming from the finance space, but they're not banking apps, which is what I want to focus on. Now, I want to look at the German ones, so we can exclude a few more. So, we can see already that a large number of their customers are German. All of those are German banks that a lot of you may know. Also, they're quite important. Let's look at one specifically. It's called Yomo. Maybe not a lot of you know it, but why is it special? Yomo is a one-app verification system. As I already said, this is not special anymore, everybody does it. Also, I keep hearing the rumour, even internally, that it was app 27. It was an app that was 26. That was an inspiration for it. It uses the latest version of Promon Shield, because it's a new app. I remember that it uses the newest version. If you say, we're also going to build such a one-app authentication system, how does that work internally? How does it work with the integration tool from Promon Shield? The integration tool comes in and it affects the main activity, that is, the entry point of the app, and calls a native library libshield function. They also have Java classes, because they need their own library classes. That is obfuscated, but that's not very important right now. But in addition to the actual app, all the strings and constants are taken out of the app and moved into their library.
And this includes certificates; these are no longer handled by the actual app, they're handled by the Shield library. So, if we want to get rid of this, the first thing I might try to do is to get rid of that library, and this is a control flow graph, this is not a Windows crash, this is an actual graph and you don't really want to look at it. There are some approaches to hacking this, it uses a fairly common obfuscator, but it's economically not feasible. We want something simple. The next approach would be, if we can't modify it, then we just have to strip the library out of the app, but it's not quite as simple as that, because all the strings and the constants and the client certificates are in this libshield function, so we have to first strip those out. Let's start with the strings. On the left side you see Yomo and on the right side you see the libshield function by Promon. It's a before-and-after setup, essentially. So, if you want to output a string like "Yomo", then they replace it with a call to their native library, and it's got some mappings internally and returns a string. It's not difficult, it makes sense. So, if you want to circumvent this, what can you do? Let's find out what the highest index in this thing is, and then we iterate from 0 to n and create our own mapping, and then we can reverse what they've done in their library. But it turned out we didn't even have to do that work, because you can just keep iterating until it returns null. Constants are a similar problem. At the top we have a constant that turns out to be minus 1, and after Promon ran over it, it's just some random garbage that doesn't really make sense. What Promon does is that it implements something on top of that, it uses reflection, that then converts this back into the correct constant before it's accessed for the first time. The solution to this is fairly similar. We'll just enter all the classes that call this function, and you call it yourself and you've got your own mapping.
The client certificate: this is getting more tricky, because you can't use the same approach as previously, because Yomo turns its own Java code into a request but doesn't pass it to Android's library. Instead it passes it to Promon, and they do some work on that and then they add their own certificate, and of course you can't just ask Promon to give you their client certificate. But it has to be somewhere in memory; you have to be able to find it somehow. We assumed that we'd only be able to find the certificate, but what we actually found was a far more interesting data structure. This looks a bit confusing, but these are configuration files. Here we have what we were looking for, it's the client certificate in Base64. So we can start. So, over to Nomorp: download the app from the Play Store, then we need to analyse the app that was run through Promon Shield. People extract all the mappings for us. This means we need to install it on the device, and as soon as the app starts all these mappings fall out, and the configuration file along with the client certificate as well. We feed this into our tool and out comes the unprotected app. So the whole process from the start, downloading the app, installing it, getting the final result takes 10-15 minutes, depending on how big the app is. If it's 10 megabytes, then it's fast. If it's 100 MB, then it'll take a bit longer because we have to do a lot of transformation on the basis of desktop 2. But after a little time you get your result. So let's look at those mappings some more. The configuration file that we just looked at before. All those strings and constants, all of them are in that Shield data. But we saw the configuration file, so why would they already be in the SO file? It turns out that this Shield SO is already compiled by the vendor, and they actually deliver it like that to the app provider.
So it's already pre-compiled, and this IDE, this integration tool that they sell, already has that libshield, which is all pre-compiled within it, and they're responsible for encrypting those files, and the certificate is already contained within the SO file. They're just being loaded and then used. So, that makes it even more interesting, because now we have a completely new attack vector. So, if you look at this, on the left you see a couple of URLs, a debugger URL. So, it checks the app; if it crashes then it tries to use this URL and just opens it in the browser. So, now if we can modify it before it's being parsed, then let's see what we can achieve. I was already being annoyed by this, because I was already pretty bad. So, all of this was pretty Android-specific. So, let's have a look at Promon Shield on iOS. The virus is pretty much the same. There's also a config file. It's a lot less comprehensive. I already have the feeling that there's a lot less work being done on it. But overall, it's reasonably similar. Small rewrite. Okay, so let's summarise the attack vectors. We just saw a couple. The first one, that is a little bit more complicated, where you basically try to remove Promon Shield, and the one that I just showed, where you just rewrite the config and you don't have any trouble at all, because there are no compatibility issues and so on. So, after that, the app is completely unsecured. There's no repackaging protection being done by the app providers. So, we can just start automating it some more. So, let's extend Nomorp so that we can do it completely automated. Okay, so, this is an example that I want to show. It's the VR Banking app; VR is a German bank. You want to manipulate a couple of text views. Those are the interesting ones. It's the name of the recipient, but this is wrong. I actually want to change the IBAN. And the other one is the amount that is being transferred. And for those you have to manually find out how to automate it. You can inject everything.
All you need to do is what you need to read out first. So, let's do a demo. Oh, we're not going to use Yomo for this. They can relax. We are going to use the VR Banking app of the German bank. We took this video this afternoon, and it was cobbled together a bit hastily. So, here's what's about to happen. We have a Nexus device with a patch level that lags behind by about one year. We were looking for something that would let us write files that we would not usually be allowed to write. And it's not that simple to actually achieve full root on this device. But we can write files that we wouldn't normally be able to write. So, we are going to download an app from the actual Play Store. And our app just replaces it with an app run through Nomorp, and it's going to try to manipulate the amount that is being transferred, and it's completely automated. All we had to do was determine the IDs. This is just to show you the version of the app; the first was the VR Banking app, and the screen is black because it has got the secure flag set, so that we can't record the screen. So, now we're downloading it from the Play Store, and yes, this is real. And this appears to be a great app, but in the background my phone has been exploited. So, let's restart the banking app. So, right, now you have to log in. Now let's start the transaction. This time it's going to me. Just have to enter my IBAN. So, the 15 euros that I just mentioned. That's not so important in this case. The subject is 34C3. So, the transfer has been sent. So, the next step is authorising the transaction in the TAN app, and some things happen to this as well. I have to enter my password again. So, of course the IBAN here is correct. That goes so quickly, I assure you that it's correct. It still says 15 euros.
I can assure you that the IBAN is the same and it still says 15 euros, and all seems correct. So, I'll authorise the transaction. So, right, down there it also says 15 euros. What's important here is that all of this was completely automated. Basically, one only had to determine the IDs after Promon was out. So, yeah, let's have a look at the reactions of the parties involved. We've been in touch with Promon since the end of November. They've been very nice and professional. And they've developed a new version of Promon Shield. They've sent it to me, but I haven't been able to look at it more closely. But Nomorp doesn't work on it. That is... I don't know how much work it would be to get it to work again. The point I'm trying to make is that we need more individualisation from the apps, because Promon Shield works the same on all these 31 apps. Because it's such a universal approach, I can just extract the config files each time. As far as the banks are concerned, I've been hearing the same thing from them for years. They haven't been told about any attacks. And these apps have just a market share of 5-8%, so they are simply not very relevant, but this may change in the future. I really like this quote. It's by Dennis Kügler and Jens Bender. In the area of the transaction space there's a special creativity being developed in the interpretation of the property two-factor authentication. Yes, you'd think that after mobile banking, that is, after 2... Yes, I can only agree. So, after mobile banking with one app, it doesn't get any worse, but then even on Windows there is a one-app authentication system now. So, two questions. Is hardening even sensible at all? Is there any point? Yes, of course. My answer is yes, of course. It's sensible to have an additional layer of protection, but it needs to be on top.
Is it a replacement for sensible two-factor authentication? The answer, of course, is no. So, as I said, there are only software measures that can exploit this. Thanks.

Thank you very much, Vincent, for your talk and your further excursion into the world of mobile banking. We have time for a few questions. Line up at the microphones. Then we can take a few more questions, or rather Vincent can answer a few questions for you. Wave if you're standing at one. Okay, at microphone 3 we have a question.

Yes, exactly. Thank you very much for the talk, really great. Now, for DRM systems there are already the things that are used directly in the chips. Did you see that in your research?

That's an important point. I believe that the events can be done on one device. Yes, in Perl there's the Bootsdom talk, where people say that I'm wrong. But that's an approach that you didn't actually answer. I haven't seen it, but the problem is that there are no units. The problem is that there is no unified solution. There are a few proprietary solutions, and there are no standards. It's a big problem. The app that you see adheres to the latest guidelines, because these have exclusively adopted two-factor authentication. Yes, strong two-factor authentication. The standards have simply adopted it. There's a lot of time to adopt the app. Yes, all the ads for factor authentication have already adopted factor authentication. It's a bit difficult to say, because the last factor authentication in which I read that is more like in the notice. It's like in the notice, in which I the Promon, where the factor authentications adopt the factor authentications, is more so than in the notice, to adopt the notice.
It's part of the notice to adopt the factor authentications. It's part of the notice. There are a few more that are very popular in the German space, e.g. Arxan. There's also something like Kobil. I can't say anything about what I haven't seen yet. I have no problem with Promon. It's more the fun of it, because they're very big in the German space. That's why it was important for me to look at it. Everyone had a different space. That would have been a lot more effort. You'd have had to look at everything. Here you can deactivate the activity. It works everywhere.

Microphone 1, last question.

Thank you very much for the talk. A question about the attack vector in this case. I was wondering about the attack vectors. In the UK they simply adopted the app. It's easy to adopt. Would you adopt the app in order to adopt the app, simply to adopt it on the fly?

That's what we do. We adopt the app in order to adopt the attack vectors, in order to adopt the app. If it weren't rooted, then it would probably be possible. If it weren't adopted, then you probably wouldn't adopt another app from another app. You have to adopt another app. There's always some fuzziness. That's a certain decision for me. That's my own determination. I can try Dirty Cow, but that's not persistent. That's hard to adopt, to adopt the attack vectors. You can adopt the attack vectors from the solutions and the app. You can adopt the app.

Once more, thank you very much, Vincent Haupert.