Keeping pace with ever-increasing mobile security threats is a team sport that requires the support and performance of many key players. Here at NowSecure, our security research team spends countless hours helping our customers find and fix vulnerabilities to secure their mobile apps.
The research group at NowSecure holds multiple responsibilities. Part of its mission is to find and document system and application vulnerabilities. Another key function focuses on building tools to reverse engineer and automate testing of mobile apps and devices to detect and ultimately help our customers close these security gaps.
As a whole, the team keeps up with security research and conducts its own to discover critical vulnerabilities. The researchers have made vulnerability findings such as Corrupdate and many other remote code execution flaws. Realizing it would be far more effective to detect vulnerabilities at scale, NowSecure created a database of hundreds of thousands of mobile application vulnerabilities that are incorporated into the findings of our mobile appsec testing solutions. The team also invented “jailed” testing of iOS applications.
The following is the first installment of an occasional Q&A interview series to highlight key roles and responsibilities of our team members who advance mobile security. In this first discussion, we shine the spotlight on Francesco Tamagni, senior security research engineer for NowSecure.
Photo: Francesco presenting at r2con in Barcelona, Spain.
Q: How long have you been with NowSecure?
A: A little more than two years
Q: Where are you based?
A: Novara, Italy
Q: What do you do as a mobile security engineer?
A: My job is at the intersection of reverse engineering, vulnerability research and software engineering. I mainly work on the defensive side, building internal mobile app security testing tools that become part of the NowSecure automated analysis solutions.
Sometimes my job is to find novel ways of interacting with systems that were not built with automation in mind, and other times to build tools that expose security-relevant information to the rest of our infrastructure. For example, low-level function tracing can be used to understand the underlying flow of a system application and replicate it for offline use or to incorporate into an automated workflow. In some instances, a workflow that would normally require a physical device, and was only designed for human interaction, can instead be automated once the network protocol is fully understood and documented for internal use. Something previously impossible becomes possible once all the details of the system are uncovered and the puzzle is solved.
My passion with security tools is also centered around Frida and Radare2, two open-source tools that our employees pioneered and that are embedded in our products, along with unique capabilities that enable us to go deeper and automate aspects of security testing.
My day-to-day job is a mix of maintaining and enhancing our current dynamic analysis tools, adding new tests based on internal or external vulnerability research, and occasionally examining apps and operating systems manually to find or confirm bugs.
Q: What is your schedule typically like?
A: I work mainly from 9 a.m. to midnight with a few pauses in between, such as when I pick up my daughter from school. If I need to interact with people in the United States, that happens mainly in the afternoon or evening.
Q: How do you start your day?
A: I usually know what to do because we have two weekly meetings with the entire security research team where we define the priorities as guided by our Chief Technology Officer David Weinstein. In addition, there can be escalations when a customer needs support in understanding what’s going on and solving the problem. That’s part of my job.
It varies on a day-to-day basis. The things I do are pretty hard to estimate in terms of difficulty and how much time they require. We may need to adjust the priorities based on what’s actually doable and can be accomplished in a reasonable amount of time.
Q: What are you working on today?
A: One of my recent projects involved finding novel ways of defeating anti-debugging and anti-jailbreak approaches. This is a cat and mouse game, but it’s fun to see what developers believe will protect their apps from analysis. Ultimately they can all be defeated given sufficient time spent understanding the low-level details of the application or library.
Q: So how do you attack the problem?
A: Many times there’s not a tool to solve the specific problem I’m working on, and many of the components I’m working with are undocumented. To that end, I have to develop custom tools just to be able to observe how stuff works, to help build a mental model, and finally recreate specific workflows. I frequently find myself using Frida and Radare2 and building custom tools on top of that, then methodically applying the tool.
Some of the fundamental challenges of program analysis are quite interesting. Many of the techniques we employ to inject code into an application are OS-specific, requiring extremely detailed understanding of how a program is mapped into memory, how it launches, and how it interacts with other services. In order for an analysis to succeed everything must be perfectly aligned otherwise an application may crash as a result of our analysis instrumentation. Spending countless hours in a debugger or in a Radare2 session is pretty common.
Q: What are your favorite tools of the trade?
- iOS kernelcache plugin for radare2
Q: How do you collaborate with your teammates?
A: We are pretty much grouped into iOS and Android. I’m focusing on iOS right now. When a problem is hard, we consult each other to brainstorm solutions.
Q: What skills make a security researcher successful?
A: You need to be passionate because there are many times when something seems impossible but is not. Instead, it just requires some focus, experience and the right tools. During the past year, Frida and Radare2 have improved a lot and continue to improve. Maybe something you tried to do a year ago and gave up, now is possible. And that’s true of many, many tasks.
Q: And what personality traits lend themselves to the role?
A: It helps to have an attitude to write tools in a way that other people can understand them. But it’s not strictly required to use given code patterns or specific programming languages and we are free to explore what’s best for the task. That’s good.
You can’t give up on problems and should be self-directed. It’s not like when I was a mobile developer and I had a problem, I could just Google it.
Q: Can you give me an example of a recent challenge?
A: There was a bug in Frida where it couldn’t spawn apps on iOS 11.3. It turns out it was a bug in the iOS kernel. I had to discover it myself by reversing the binary. You have to find a solution and figure it out.
Q: What do you like best about your job?
A: I’m learning a lot from my teammates in the two years I’ve been here; in fact more than at university. I was a late adopter of mobile phones, I didn’t get my first one until 2009 when my wife forced me to have one. And now it’s cool that part of my job is understanding what’s going on in these black boxes and being able to contribute to open-source tools.
I was a mobile developer but was always interested in security and reverse engineering. I started to contribute to Radare and used Frida before joining NowSecure and that’s how I met the team.
Q: What do you like the least about your job or find most challenging?
A: Maybe I work too much but I love it. I guess the time difference can be challenging. For example, say I’ve already worked 12 hours on a problem and for me it’s 8:00 p.m. but for the U.S. it’s like 2:00 p.m. People are pinging me for escalations to solve by tomorrow and I’m in the supermarket with my daughter so I have to manage a little bit, but it’s cool.
In terms of technology, jailbreaks are getting more and more complex because Apple is creating a lot of mitigations. With every iOS release there are new challenges. It’s very hard and time consuming. We test mobile apps with or without jailbreaks depending on the use case.
Q: How can others get into the field of mobile app security research?
A: Basically security research requires being an engineer; there’s no magic about it and it’s mostly based on open-source tools. If you want to do that, just go and contribute to tools like Frida and Radare to learn how they work. There are beautiful communities that are able to help you.
Q: One last question – what personal mobile device do you carry?
A: It’s a OnePlus phone for which we helped in discovering a vulnerability – we discovered a hard-coded password that provides you root access. I didn’t change it because it’s fun to have root.