Mobile Application Security Testing

•

4 likes•911 views

Presented by Spv Reddy from National Cyber Safety and Security Standards on Mobile Application Security Testing in OWSAP Hyderabad in February. AGENDA: 1.Why Mobile Applications are more Vulnerable? 2.Types of Mobile Applications 3.Android Architecture 4.Introduction to Mobile Application Security Testing Information Gathering Static Code Analysis Introduction and Process in Static Analysis Setting Up Lab and Tools Used Mobile Security Framework (Demo) Analyzing App1 Analyzing App2 Comparison of issues in 10 Mobile Apps Working with jadx,dex2jar , jd-gui, Decompiler( (Demo) Dynamic Code Analysis Setting Up Lab and Tools Used Introduction to adb and commands used in it Comparison of issues in 10 Mobile Apps Diva Challenges(7 Demonstration and 6 POC) Dynamic Analysis App1(WhatsApp) Dynamic Analysis App2(Mobile Wallet) Dynamic Analysis App3(Woo App) Dynamic Analysis App4(Hacking Game Manually) Dynamic Analysis App5(Hacking Game with Tools) Mobile Forensics

Technology

What's hot

Frans Rosén Keynote at BSides Ahmedabad

Security BSides Ahmedabad

OWASP Top 10 2021 What's New

Michael Furman

Dynamic Security Analysis & Static Security Analysis for Android Apps.

VodqaBLR

Android Security & Penetration Testing

Subho Halder

Simplified Security Code Review Process

Sherif Koussa

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole. OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year. In this session we’ll discuss: · What makes API Security different from web application security · The top 10 common API security vulnerabilities · Examples and mitigation strategies for each of the risks

OWASP API Security Top 10 - API World

42Crunch

Web Application Penetration Testing

Priyanka Aash

Secure Code Review 101

Narudom Roongsiriwong, CISSP

Presented at the DEFCON27 Red Team Offensive Village on 8/10/19. From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors. In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.

Red Team Framework

👀 Joe Gray

Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications. In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application. In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.

A Hacker's perspective on AEM applications security

Mikhail Egorov

iOS Application Static Analysis - Deepika Kumari.pptx

deepikakumari643428

Thick client pentesting_the-hackers_meetup_version1.0pptx

Anurag Srivastava

Assessment process of Android application vulnerability such as methods, check-lists, tools and runtime manipulation. Agenda: 1. Methodic's - OWASP TOP 10 2016, MSTG, MASVS 2. Static testing - MobSF, AndroBug Framework, QARG, VCG scanner 3. Dynamic testing - BurpSuite, Inspekage, LogCat, MobSF, Drozer, Frida framework #cybersecurity #mobilepentesting #applicationsecurity #UP2IT #accesssoftek #bytecode

Android pentesting

Mykhailo Antonishyn

Hackfest presentation.pptx

Peter Yaworski

Presented at Black Hat 2019 https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540 Casey Smith (Red Canary) Ross Wolf (Endgame) bit.ly/fantastic19 Abstract: Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible. This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events. Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.

Fantastic Red Team Attacks and How to Find Them

Ross Wolf

This is my talk from OWASP Appsec EU and also Security Fest 2017. A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remains and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.

DNS hijacking using cloud providers – No verification needed

Frans Rosén

View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/ Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints. At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing. There is much to learn about API security, regardless of whether you are a novice or expert and it’s extremely important that you do because security is an integral part of any development project, including API ecosystems. This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem. DURING THE WEBINAR, WE WILL COVER: Managed APIs OAuth 2.0 and API security patterns Introduction to WSO2 Identity Server How we align with OWASP API security guidelines

API Security Best Practices and Guidelines

WSO2

Introduction To OWASP

Marco Morana

Api security-testing

n|u - The Open Security Community

APISecurity_OWASP_MitigationGuide

Isabelle Mauny

What's hot (20)

Frans Rosén Keynote at BSides Ahmedabad

OWASP Top 10 2021 What's New

Dynamic Security Analysis & Static Security Analysis for Android Apps.

Android Security & Penetration Testing

Simplified Security Code Review Process

OWASP API Security Top 10 - API World

Web Application Penetration Testing

Secure Code Review 101

Red Team Framework

A Hacker's perspective on AEM applications security

iOS Application Static Analysis - Deepika Kumari.pptx

Thick client pentesting_the-hackers_meetup_version1.0pptx

Android pentesting

Hackfest presentation.pptx

Fantastic Red Team Attacks and How to Find Them

DNS hijacking using cloud providers – No verification needed

API Security Best Practices and Guidelines

Introduction To OWASP

Api security-testing

APISecurity_OWASP_MitigationGuide

Recently uploaded

How to Check CNIC Information Online with Pakdata cf

danishmna97

In the dynamic field of DevOps, the quest for efficiency and productivity is endless. This talk introduces a revolutionary toolkit: Large Language Models (LLMs), including ChatGPT, Gemini, and Claude, extending far beyond traditional coding assistance. We'll explore how LLMs can automate not just code generation, but also transform day-to-day operations such as crafting compelling cover letters for TPS reports, streamlining client communications, and architecting innovative DevOps solutions. Attendees will learn effective prompting strategies and examine real-life use cases, demonstrating LLMs' potential to redefine productivity in the DevOps landscape. Join us to discover how to harness the power of LLMs for a comprehensive productivity boost across your DevOps activities.

ChatGPT and Beyond - Elevating DevOps Productivity

VictorSzoltysek

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Stronger Together: Developing an Organizational Strategy for Accessible Desig...

caitlingebhard1

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Key topics covered: - Understanding the basics of IAM and its significance in the modern enterprise. IAM in a platformless environment - Tackling real-world issues like prioritizing frictionless yet secure user access, securing high-value APIs, integrating to business, compliance, and adapting to cloud native environments with scalable solutions - Practical demonstrations of how WSO2 products can be instrumental in deploying efficient IAM solutions - Preparing for upcoming trends and innovations in identity management

Navigating Identity and Access Management in the Modern Enterprise

WSO2

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

In the ever-evolving landscape of data management, Zero-ETL is an approach that is reshaping how businesses handle and integrate their data. This webinar explores Zero-ETL, a paradigm shift from the traditional Extract, Transform, Load (ETL) process, offering a more streamlined, efficient, and real-time data integration method. We will begin with an introduction to the concept of Zero-ETL, including how it allows direct access to data in its native environment and real-time data transformation, providing up-to-date information with significantly reduced data redundancy. Next, we'll take you through several demonstrations showing how Zero-ETL can deliver real-time data and enable the free movement of data between systems. We will also discuss the various tools that support all aspects of Zero-ETL, providing attendees with an understanding of how they can adopt this innovative approach in their organizations. Lastly, the session will conclude with an interactive Q&A segment, allowing participants to gain deeper insights into how Zero-ETL can be tailored to their specific business needs and how they can get started today. Join us to discover how Zero-ETL can elevate your organization's data strategy.

The Zero-ETL Approach: Enhancing Data Agility and Insight

Safe Software

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Quantum Leap in Next-Generation Computing

WSO2

Recently uploaded (20)

How to Check CNIC Information Online with Pakdata cf

ChatGPT and Beyond - Elevating DevOps Productivity

Introduction to Multilingual Retrieval Augmented Generation (RAG)

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Understanding the FAA Part 107 License ..

Stronger Together: Developing an Organizational Strategy for Accessible Desig...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Vector Search -An Introduction in Oracle Database 23ai.pptx

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Navigating Identity and Access Management in the Modern Enterprise

AWS Community Day CPH - Three problems of Terraform

Platformless Horizons for Digital Adaptability

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Design and Development of a Provenance Capture Platform for Data Science

The Zero-ETL Approach: Enhancing Data Agility and Insight

Corporate and higher education May webinar.pptx

Quantum Leap in Next-Generation Computing

Mobile Application Security Testing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Recently uploaded

Recently uploaded (20)