Thursday 19 September 2013

[Solved] "Your device has been modified. Software updates are not available" error on non rooted Android device

Yesterday when I was updating my new Galaxy S4 I faced a really weird issue. I started getting an error "Your device has been modified. Software updates are not available" whenever I tried updating the device.



I know that I have this bad habit of tinkering with all the devices I get my hands on, which made me wonder if I had rooted the wrong Android device yesterday night during my random research :-o. I then checked my other device, which was an Android S3, and noticed that it was rooted, which kind of assured me that I did nothing that could cause this error on the S4. Googling this error showed me "N" number of pages mentioning that this error means I had goofed up the kernel and I can no longer update my phone and its warranty stands VOID. (yea.. a serious WTF moment). Not that I care about the stupid warranty, but I had resisted messing around with the device for 4 days already just to be sure that I had used it properly before it dies :D

Then, after reading 100+ random posts and spending some hours trying to figure out what could have possibly gone wrong, I came across this post. The reply on the thread by "vferrari" solved the problem for me with a little tweak.
Below are the steps I had to do to get the phone back to a condition where OTA updates are again functional:
  1. Unmount the inserted SD card.
  2. Restart the device.
  3. Go to Android recovery mode by pressing the Power + Volume down button.
  4. Select "Wipe cache partition".
  5. Restart the device after a successful wipe.
  6. Continue the normal steps for the OTA Android update.
After the above steps, I was able to successfully solve the problem and update my device. I re-inserted the SDcard, but did not face the error again.


Sunday 15 September 2013

QuickStart iOS Security Assessment

Introduction:

So, I am gearing up to take up yet another Mobile Application security training for a customer. This one is different from the ones that I normally take because it's totally up to me to decide the duration of the course. Additionally, it is planned to be a completely practical one, with 80% demo and hands-on for the team.

Since I had taken a break from the actual Mobile PenTest scene for some time now, I had to literally start from scratch so as to make sure I included anything that has come up in the last few months (which has been a lot :-o). During the prep-work, I created a short list of topics I would be covering for the course and turns out, this looks like a pretty neat iOS Security Assessment QuickStart guide. Hence the share.

The Guide:

This diagram covers all the focus points when testing an iOS application. Considering I am jam-packed at the moment with multiple projects, I am not sure when I would be able to make a detailed post for each of the components, but just one line: "Google is your friend". :)


Friday 19 July 2013

[Solved] sbt.ResolveException: download failed: org.slf4j#slf4j-api;1.6.6!slf4j-api.jar

So, I have been working on Scala with Play Framework for some time now. I have to compile the source code provided by the client from time to time, and I have faced this issue nearly every time I use a new developer machine.

When I run the "play clean", "play update", "play compile" or "play run" command on the provided project, I get the error sbt.ResolveException: download failed: org.slf4j#slf4j-api;1.6.6!slf4j-api.jar.

Below is a screenshot of this error message:



I tried a bunch of ways to solve this issue, but only one method seems to work.

The first thing you need to do is edit the /project/plugins.sbt file and add the latest version of sbt-plugin in the addSbtPlugin section.

Now, delete the ivy directory present at ~/.ivy2.
Then, go ahead and delete the files and directories mentioned below:

  • <path to Play Framework home directory>/.sbt.ivy.lock
  • <path to Play Framework home directory>/cache/org.slf4j
  • <path to Play Framework home directory>/local/org.slf4j
Then, run the same play command which you ran earlier.
As shown in the below screenshots, this time the command ran successfully without any sort of error.







Tuesday 23 April 2013

Installing latest nodejs on Linux


Introduction:

According to its site, Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Basically, it is a server-side software system that can be used to design and write scalable Internet applications. It can be used to create a web server on its own, thus removing the need for web server software like Apache. Due to the asynchronous I/O model, there is minimum overhead (computation time).

I have a machine running Ubuntu 12.10, so I normally use my package manager (apt-get) to install applications which are present in the repository. However, even though I ran apt-get multiple times, the installed version seemed to be an outdated v0.6.*, whereas the latest version as per their site was v0.10.4 (Huhhh!!!)

Detailed Steps:

Below are the steps which I had to perform, to get the latest nodejs up and running:

Step 1: We will start off, by installing the "software-properties-common" package for the "apt-get" repository. This can be done using the command:
"sudo apt-get install software-properties-common"

Step 2: Chris Lea's repository includes the latest npm and nodejs-dev that are required to install nodejs v0.10.4.
The below command helps you add those to your local repository list:
"sudo add-apt-repository ppa:chris-lea/node.js"

Step 3: Update the local package index with the changes made in the repository using the command:
"sudo apt-get update"

Step 4: Now, install nodejs as you normally would, using apt-get command as shown below:
"sudo apt-get install nodejs"

You can run "nodejs --version" on the terminal to see the version of the currently installed nodejs.




Above screenshot shows that we have updated nodejs to the latest available version: v0.10.4




Saturday 2 February 2013

Mobile Client Side Certificate Pinning


I just completed giving a training on Secure Mobile application development and Code reviews, and one of the attendees asked me whether we can limit a Mobile application to trust only the server's certificate rather than relying on the Mobile's own Trusted Certificate Store.

Well... there is a way actually. It's called "Certificate Pinning". Rather than relying on the device trusted store, set the application to trust only the server's SSL certificate. This way, when you are connecting to your specific SSL server, you don’t need anyone else to tell you the server’s identity. A compromise of any of the CAs in the device trusted store does not matter either, as the connection does not rely on it any more.

There are ways to implement it on both Android and iOS. Twitter, for example, implements certificate pinning, and I was not able to intercept traffic even after forcing my certificate onto the OS-level trusted certificate list.
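
A minimal sketch of the check described above, added here as an example (it is not code from the original post or from the linked pages): the client ignores the trust store and keeps the connection only if the SHA-256 fingerprint of the server's certificate is in a pin set shipped with the app. It is written in Python rather than as Android or iOS code, and the function names and sample byte strings are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

class PinMismatch(Exception):
    """The server presented a certificate that is not in the pin set."""

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def is_pinned(der_cert, pins) -> bool:
    """True only if the presented certificate matches one pinned fingerprint."""
    if not der_cert or not pins:
        return False  # fail closed: no certificate or an empty pin set never matches
    presented = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin.lower()) for pin in pins)

def open_pinned(host, port, pins, timeout=10.0):
    """Open a TLS connection and keep it only if the server certificate is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation is switched off on purpose: the pin check below is the
    # only identity check, so the trust store plays no part in the decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()  # drop the connection before any application data is sent
        raise PinMismatch(f"{host}:{port} presented an unpinned certificate")
    return tls

# Constructed stand-ins for DER bytes (not real certificates), so this runs offline.
CURRENT_CERT = b"constructed: certificate the server uses today"
NEXT_CERT = b"constructed: certificate staged for the next rotation"
OTHER_CERT = b"constructed: CA-issued certificate of an interception proxy"

# Ship the current pin plus a backup, so rotating the server certificate
# does not lock out app versions that are already installed.
PINS = frozenset({cert_fingerprint(CURRENT_CERT), cert_fingerprint(NEXT_CERT)})
```

A certificate that chains to a CA in the trust store but is not in `PINS` is rejected, which is the property pinning adds over the trust store alone.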

Good Reads:

Certificate Pinning on iOS:

Certificate Pinning in Android:

A way to achieve this can be seen here, which is an OWASP page explaining the various details of Certificate Pinning.

However, like all other good things, this too can be bypassed :D .. This link will tell you how you can bypass it on iOS using Mobile Substrate and on Android using JDWP.

Understandably this would not be of much use against remote attacks, but at least it would help in cases where an attacker tries to fuzz for local vulnerabilities in the application, right?

I wonder why the other applications are not using it and whether there would be any drawback of suggesting it to the client.
Open for discussion :)

Monday 28 January 2013

[Solved] W: GPG error: http://coredev.nl iphone Release


Many times when I was installing "Theos" on my iOS device, everything went well till the last step, which is "apt-get update". When I ran the command, it would always give me an error "W: GPG error: http://coredev.nl iphone Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY" as shown in the below screenshot.










After much googling, I found this link which explains the solution to this issue. Though the scenario in the link is different from mine, it seemed to work well for me :)
The solution was to navigate to the sources.list.d folder and add the "public key" to that folder. This can be done either by using "lynx" or by using "wget".



As shown in the above screenshot, apt-get works well after the above steps were followed.


iOS SSH over USB


Introduction:

Many times, at the client side we are not provided with Wi-Fi access, and connecting to our iOS device to read local data can be a real pain. At such times, we can use a tool called “usbmuxd” to connect over USB to the jailbroken iOS device running OpenSSH.

Detailed Steps:

Step 1: Make sure you have Python installed on your machine. Download the latest copy of “usbmuxd” using the command “git clone http://git.sukimashita.com/usbmuxd.git”.


Step 2: Navigate to the “python-client” folder, run the command “chmod +x tcprelay.py”, and then run the tool using the command “./tcprelay.py -t 22:2222”.


The “-t” option basically allows multiple threads to run, so that multiple simultaneous SSH connections can be established.

Step 3: Now, once tcprelay starts its work, local port 2222 is forwarded to port 22 on the device, so we use the command “ssh root@localhost -p 2222” to connect. Use the credentials “root/alpine” to log in to the OpenSSH server running on the device.


Now, all the commands which can be used over SSH can be run on the prompt provided. 
