Mobile Security Framework


Automated Mobile Application Security Testing with Mobile Security Framework Ajin Abraham

About Me
- Security Consultant @ Yodlee
- Security Engineering @ IMMUNIO: Next Gen Runtime Application Self Protection (RASP)
- Author of OWASP Xenotix XSS Exploit Framework and Mobile Security Framework
- Teach Security via https://opsecx.com
- Blog about Security: http://opensecurity.in

The Takeaways
- A FREE and Open Source security tool for mobile app security assessment.
- Mobile app pentesters / mobile malware analysts: how to make your job easier with MobSF.
- Developers: build secure mobile apps by identifying vulnerabilities at all stages of development (SDLC integration).
- Web pentesters: a REST API fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.

Agenda
- What is MobSF?
- MobSF Architecture: Static Analyzer, Dynamic Analyzer, Web API Fuzzer
- Static Analysis: Static Analysis & some Statistics, Top Indian Bank Mobile Apps, Top Indian Wallet Mobile Apps, Observations
- Dynamic Analysis: Dynamic SSL Testing, Exported Activity Tester, Challenges in Dynamic Analysis, Dynamic Analysis on Custom VM / Rooted Android Device
- Web API Fuzzer: Vulnerabilities the API Fuzzer detects, the API Fuzzer logic
- Conclusion

What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end-to-end security testing of mobile apps.

Hosted in your environment: your application and data are never sent to the cloud.

MobSF Architecture

Static Analyzer (diagram): INPUT (the app) -> Mobile Security Framework -> OUTPUT (REPORT)

Demo Static Analysis & Report Generation (Diva)

Static Analysis & Some Statistics
- Static analysis on top financial apps. Criteria:
  - SSL bypass in native code
  - SSL bypass in WebView
  - Remote WebView debugging
  - Hardcoded secrets

Top Indian Bank Apps Analyzed

Face palm

Top Indian Wallet Apps Analyzed

Observations
- State of mobile app security: not as evolved as web security.
- The most common issue is SSL bypass (in both native code and WebView).
- SSL errors bypassed in WebViews are really, really bad.

Real-world Exploitation

Dynamic Analyzer (diagram): INPUT (the app) -> Android VM or Android device -> Mobile Security Framework -> OUTPUT (REPORT)

Dynamic Analyzer - Architecture (diagram): the Dynamic Analyzer installs and runs the APK and invokes agents in the Android VM/device; the agents collect information and application data, which flow back as Dynamic Analyzer results; an HTTP(S) web proxy is started so the app's HTTP(S) traffic passes through the HTTP(S) proxy.

DEMO (LOCX)

Dynamic SSL Testing
- Dynamically verify whether SSL connections are securely implemented.
- Disable JustTrustMe and remove the MobSF Root CA.
- If you can still access the decrypted HTTPS web traffic, the app is bypassing SSL errors.

Exported Activity Tester
- Android exported activities. DEMO

Challenges in Dynamic Analysis
- Some Android apps are built with security in mind:
  - Anti VM detection
  - Anti root detection
  - Anti MITM with certificate pinning
- Some apps / malware have sophisticated methods to detect virtual machines.

How to deal with these Challenges
- API overriding with the Xposed Framework:
  - Anti VM detection bypass -> Android Blue Pill
  - Anti root detection bypass -> RootCloak
  - Anti MITM certificate pinning bypass -> JustTrustMe
- APK smali patching.
- For sophisticated apps and malware, use a real device for dynamic analysis.

Dynamic Analysis on Device
- MobSFy script: convert your VM / device to support MobSF dynamic analysis.
- Documentation here: https://github.com/ajinabraham/mobile-security-framework-MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis-Environment-in-your-Android-Device-or-VM

DEMO: Weak Crypto
- Java String hashCode() method
- s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
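An added example, not from the talk's slides or the MobSF code base, that shows why the hashCode() formula above is weak when an app uses it as a hash for secrets: it is a 32-bit polynomial, and a colliding input can be written down directly rather than searched for.

```python
# Added example: Java's String.hashCode() reimplemented in Python, with a
# constructive collision. Not MobSF code; the function names are ours.

def java_string_hashcode(s: str) -> int:
    """s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1], wrapped to a signed 32-bit
    int exactly as the JVM does (Horner's form of the same polynomial)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def collide(s: str) -> str:
    """Return a different string with the same hashCode as s.

    Raising s[0] by one adds 31^(n-1) to the polynomial; lowering s[1] by 31
    subtracts 31 * 31^(n-2), which is the same amount, so the hash is unchanged.
    The identity holds over the integers, hence also after the 32-bit wrap.
    Requires at least two characters and a printable s[1] - 31."""
    if len(s) < 2 or ord(s[1]) - 31 < 32:
        raise ValueError("need >= 2 chars and s[1] - 31 still printable")
    return chr(ord(s[0]) + 1) + chr(ord(s[1]) - 31) + s[2:]


def same_hash(a: str, b: str) -> bool:
    """True when two distinct strings hash identically, i.e. a hashCode-based
    check (password compare, token lookup) cannot tell them apart."""
    return a != b and java_string_hashcode(a) == java_string_hashcode(b)


if __name__ == "__main__":
    secret = "hello"                       # constructed sample input
    twin = collide(secret)
    print(secret, java_string_hashcode(secret))
    print(twin, java_string_hashcode(twin), same_hash(secret, twin))
```

Because the output space is only 32 bits, a birthday search over a few tens of thousands of random inputs also finds collisions without any algebra; the constructive route above just makes the point without the search.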

Web API Fuzzer (diagram): web request DB -> select scope URLs of the scan -> select scope vulnerabilities -> select the Login API, Pin API, Register API and Logout API -> Web API fuzzing logic -> OUTPUT (REPORT)

Fuzzing REST APIs
- Why do most web scanners suck at API testing?
- We have knowledge about the application and its generic API routes (Login, Logout, Register).
- So we use more of a whitebox approach than a blackbox approach.
- Detects vulnerabilities like IDOR, SSRF and XXE.

What We Detect
- XXE
- SSRF
- IDOR
- Directory traversal or path traversal
- Logical and session related issues
- API rate limiting

How we Detect

SSRF & XXE (diagram): Web API Fuzzer -> API Server -> MobSF Cloud Server. The API server reaching out to the MobSF cloud server is what reveals the out-of-band request. Cloud Server: APITester/cloud/cloud_server.py

Insecure Direct Object Reference (IDOR)
- Without credentials: the Web API Fuzzer sends the request with the Auth header / cookie, then repeats it without the Auth header / cookie, and compares the API server's responses.
- With multiple user credentials (needs two login attempts): the Web API Fuzzer sends the request with User1's Auth header / cookie, then repeats the same request with User2's Auth header / cookie.

Session Related Checks: the Web API Fuzzer accesses a resource with the Auth header / cookie, calls the Logout API, then accesses the resource again with the now-expired Auth header / cookie.

Rate Limiter: the Web API Fuzzer brute forces the Login API and the Register API against the API server.

Other Checks
- Security headers and information gathering
- Directory / path traversal
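The comparison logic behind the IDOR and session checks described above, as an added example that is not MobSF's own code: each check replays one request under changed credentials and flags a finding when the server answers the same way. The in-memory API server is constructed for the example; one of its two endpoints deliberately skips the ownership check.

```python
# Added example (not from MobSF). FakeApiServer is a constructed stand-in for
# the API under test; the three check functions mirror the fuzzer's replays.
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


class FakeApiServer:
    """/profile/<owner> enforces ownership; /invoice/<owner> trusts the id in
    the URL and never looks at the caller (the IDOR bug under test)."""

    def __init__(self):
        self.sessions = {"tok-user1": "user1", "tok-user2": "user2"}
        self.data = {"profile": {"user1": "u1 profile", "user2": "u2 profile"},
                     "invoice": {"user1": "u1 invoice", "user2": "u2 invoice"}}

    def logout(self, token):          # the Logout API
        self.sessions.pop(token, None)

    def get(self, path, token=None):
        kind, owner = path.strip("/").split("/")
        if kind == "profile":
            user = self.sessions.get(token)
            if user is None:
                return Response(401, "auth required")
            if user != owner:
                return Response(403, "forbidden")
        return Response(200, self.data[kind][owner])   # invoice: no check


def idor_without_credentials(api, path, token):
    """Replay an authenticated request with the Auth header/cookie removed."""
    with_auth = api.get(path, token)
    return with_auth.status == 200 and api.get(path, None) == with_auth


def idor_cross_user(api, path, token_a, token_b):
    """Replay User1's request with User2's Auth header/cookie (two logins)."""
    as_a = api.get(path, token_a)
    return as_a.status == 200 and api.get(path, token_b) == as_a


def session_not_invalidated(api, path, token):
    """Access, call Logout, then reuse the old token; 200 again is a finding."""
    before = api.get(path, token)
    api.logout(token)
    return before.status == 200 and api.get(path, token).status == 200
```

Comparing the whole response rather than only the status code matters: an endpoint that returns 200 with an error page to an unauthenticated caller is not the same as one that returns the other user's data.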

DEMO

What's Coming Soon?
- Windows App Security Analyzer.
- iOS app dynamic analysis.
- API Fuzzer support for detecting SQLi and RCE.
- Export proxy logs to Burp Suite / IronWASP / ZAP.

Stakeholders: looks like people are interested! (chart of bugs opened and closed)

Useful Links
- Source: https://github.com/ajinabraham/mobile-security-framework
- Issues: https://github.com/ajinabraham/mobile-security-framework/issues
- Documentation: https://github.com/ajinabraham/mobile-security-framework-MobSF/wiki
- Video Course: https://opsecx.com/index.php/product/automated-mobileapplication-security-assessment-with-mobsf/

Q&A

Thanks & Credits: Sachinraj Shetty, Kamaiah Nadavala, Bharadwaj Machiraju, Yashin Mehboobe, Anto Joseph, Tim Brown, Thomas Abraham, Graphics/Image Owners

@ajinabraham, ajin25@gmail.com