SlideShare a Scribd company logo

Android pentesting

Download as PPTX, PDF
M
Mykhailo Antonishyn

Assessment process of Android application vulnerability such as methods, check-lists, tools and runtime manipulation. Agenda: 1. Methodic's - OWASP TOP 10 2016, MSTG, MASVS 2. Static testing - MobSF, AndroBug Framework, QARG, VCG scanner 3. Dynamic testing - BurpSuite, Inspekage, LogCat, MobSF, Drozer, Frida framework #cybersecurity #mobilepentesting #applicationsecurity #UP2IT #accesssoftek #bytecode

Mobile
1 of 33
Android application security assessment
Introductions Agenda: 1. Methodology 2. Static testing 3. Dynamic testing
P.1. Methodology 1. OWASP Mobile Top-10 2. MSTG - Mobile Security Testing Guide 3. MASVS - Mobile Application Security Verification Standard
P.1. Methodology P.1.1. OWASP Mobile TOP-10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 M1-Improper Platform Usage M6-Insecure Authorization M2-Insecure Data Storage M7-Poor Code Quality M3-Insecure Communication M8-Code Tampering M4-Insecure Authentication M9-Reverse Engineering M5-Insufficient Cryptography M10-Extraneous Functionality
P.1. Methodology P.1.2. MSTG General parts Mobile App Authentication Architectures Testing Network Communication Cryptography in Mobile Apps Testing Code Quality Tampering and Reverse Engineering Testing User Education https://github.com/OWASP/owasp-mstg
P.1. Methodology P.1.2. MSTG Android specific parts Platform Overview Android Basic Security Testing Data Storage on Android Android Cryptographic APIs Local Authentication on Android Android Network APIs Android Platform APIs Code Quality and Build Settings for Android Apps Tampering and Reverse Engineering on Android Android Anti-Reversing Defenses
P.1. Methodology P.1.3. MASVS v1 Architecture, Design and Threat Modeling Requirements v2 Data Storage and Privacy Requirements v3 Cryptography Requirements v4 Authentication and Session Management Requirements v5 Network Communication Requirements v6 Environmental Interaction Requirements v7 Code Quality and Build Setting Requirements v8 Resiliency Against Reverse Engineering Requirements https://github.com/OWASP/owasp-masvs
P.2. Static testing Android-app 1. MobSF 2. Androbugs framework 3. QARK 4. VCG scanner
P.2. Static testing Android-app P.2.1. MobSF Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. https://github.com/MobSF/Mobile-Security-Framework-MobSF
P.2. Static testing Android-app P.2.1. MobSF
P.2. Static testing Android-app P.2.2. Androbugs framework AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers to find the potential security vulnerabilities in Android applications. No splendid GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate. https://github.com/AndroBugs/AndroBugs_Framework
P.2. Static testing Android-app P.2.2. Androbug framework
P.2. Static testing Android-app P.2.3. QARK QARK is an easy to use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs. Finally, the major advantage QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working "POC" exploits. https://github.com/linkedin/qark
P.2. Static testing Android-app P.2.3. QARK
P.2. Static testing Android-app P.2.4. VCG scanner VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code. https://sourceforge.net/projects/visualcodegrepp/
P.2. Static testing Android-app P.2.4. VCG scanner
P.3. Dynamic testing Android-app 1. BurpSuite 2. Inspeckage 3. LogCat 4. MobSF 5. Drozer 6. Frida
P.3. Dynamic testing Android-app P.3.1. BurpSuite https://habr.com/ru/post/432820/
P.3. Dynamic testing Android-app P.3.1. BurpSuite
P.3. Dynamic testing Android-app P.3.2. Inspeckage Inspeckage - Android Package Inspector Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. ● Shared Preferences ● Serialization ● Crypto ● Hash ● SQLite ● HTTP ● FileSystems ● IPC https://github.com/ac-pm/Inspeckage https://habr.com/ru/post/432820/
P.3. Dynamic testing Android-app P.3.2. Inspeckage
P.3. Dynamic testing Android-app P.3.3. LogCat https://developer.android.com/studio/command-line/logcat https://habr.com/ru/post/432820/ Logcat is a command-line tool that dumps a log of system messages, including stack traces when the device throws an error and messages that you have written from your app with the Log class.
P.3. Dynamic testing Android-app P.3.3. LogCat
P.3. Dynamic testing Android-app P.3.3. LogCat
P.3. Dynamic testing Android-app P.3.4. MobSF Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above. HTTPS Proxy ● For Android versions 4.4 - 9.0, global proxy settings are automatically applied at runtime. ● For Android version 4.1 - 4.3, set Android VM proxy as displayed in Dynamic Analysis page.
P.3. Dynamic testing Android-app P.3.4. MobSF
P.3. Dynamic testing Android-app P.3.5. Drozer Drozer (formerly Mercury) is the leading security testing framework for Android. Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS. Drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR's advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT). https://github.com/mwrlabs/drozer https://habr.com/ru/post/352252/
P.3. Dynamic testing Android-app P.3.5. Drozer
P.3. Dynamic testing Android-app P.3.5. Drozer
P.3. Dynamic testing Android-app P.3.6. Frida Frida, as described by its creators as – “ a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX” https://frida.re https://www.notsosecure.com/pentesting-android-apps-using-frida/ https://codeshare.frida.re/browse?page=1
P.3. Dynamic testing Android-app P.3.6. Frida
P.3. Dynamic testing Android-app P.3.6. Frida
Any questions???

Recommended

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 

Recommended

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourPriyanka Aash
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite StarterFadi Abdulwahab
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DivePrathan Phongthiproek
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGRomuald SZKUDLAREK
 
MobSF: Mobile Security Testing (Android/IoS)
MobSF: Mobile Security Testing (Android/IoS)MobSF: Mobile Security Testing (Android/IoS)
MobSF: Mobile Security Testing (Android/IoS)Agile Testing Alliance
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 

More Related Content

What's hot

Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourPriyanka Aash
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGRomuald SZKUDLAREK
 
MobSF: Mobile Security Testing (Android/IoS)
MobSF: Mobile Security Testing (Android/IoS)MobSF: Mobile Security Testing (Android/IoS)
MobSF: Mobile Security Testing (Android/IoS)Agile Testing Alliance
 

What's hot (20)

Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Android security
Android securityAndroid security
Android security
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
Android Security
Android SecurityAndroid Security
Android Security
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
Mobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTGMobile Security at OWASP - MASVS and MSTG
Mobile Security at OWASP - MASVS and MSTG
 
MobSF: Mobile Security Testing (Android/IoS)
MobSF: Mobile Security Testing (Android/IoS)MobSF: Mobile Security Testing (Android/IoS)
MobSF: Mobile Security Testing (Android/IoS)
 

Similar to Android pentesting

Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Mobile application security tools
Mobile application security toolsMobile application security tools
Mobile application security toolsQTMContent
 
Top Mobile Application Penetration Testing Tools for Android and iOS.pdf
Top Mobile Application Penetration Testing Tools for Android and iOS.pdfTop Mobile Application Penetration Testing Tools for Android and iOS.pdf
Top Mobile Application Penetration Testing Tools for Android and iOS.pdfElanusTechnologies
 
100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your TestingBugRaptors
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdf2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdfBelayet Hossain
 
COVERT app
COVERT appCOVERT app
COVERT appitba9
 
Droidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind GeneratorDroidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind GeneratorCláudio André
 
Android automation tools
Android automation toolsAndroid automation tools
Android automation toolsSSGMCE SHEGAON
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Avtest Kasım 2011 Bedava Android Antivirüs Araştırması
Avtest Kasım 2011 Bedava Android Antivirüs AraştırmasıAvtest Kasım 2011 Bedava Android Antivirüs Araştırması
Avtest Kasım 2011 Bedava Android Antivirüs AraştırmasıErol Dizdar
 
Anjali_lahariy2 yearnExperience.docx ()
Anjali_lahariy2 yearnExperience.docx ()Anjali_lahariy2 yearnExperience.docx ()
Anjali_lahariy2 yearnExperience.docx ()Anjali Lahariya
 
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSIJNSA Journal
 
Androinspector a system for
Androinspector a system forAndroinspector a system for
Androinspector a system forIJNSA Journal
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 

Similar to Android pentesting (20)

Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Mobile application security tools
Mobile application security toolsMobile application security tools
Mobile application security tools
 
Top Mobile Application Penetration Testing Tools for Android and iOS.pdf
Top Mobile Application Penetration Testing Tools for Android and iOS.pdfTop Mobile Application Penetration Testing Tools for Android and iOS.pdf
Top Mobile Application Penetration Testing Tools for Android and iOS.pdf
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
 
2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdf2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdf
 
COVERT app
COVERT appCOVERT app
COVERT app
 
Appium overview
Appium overviewAppium overview
Appium overview
 
Droidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind GeneratorDroidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind Generator
 
Android automation tools
Android automation toolsAndroid automation tools
Android automation tools
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Avtest Kasım 2011 Bedava Android Antivirüs Araştırması
Avtest Kasım 2011 Bedava Android Antivirüs AraştırmasıAvtest Kasım 2011 Bedava Android Antivirüs Araştırması
Avtest Kasım 2011 Bedava Android Antivirüs Araştırması
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
 
Anjali_lahariy2 yearnExperience.docx ()
Anjali_lahariy2 yearnExperience.docx ()Anjali_lahariy2 yearnExperience.docx ()
Anjali_lahariy2 yearnExperience.docx ()
 
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONS
 
Androinspector a system for
Androinspector a system forAndroinspector a system for
Androinspector a system for
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 

More from Mykhailo Antonishyn

Arcantos - web applications pentest tools
Arcantos - web applications pentest toolsArcantos - web applications pentest tools
Arcantos - web applications pentest toolsMykhailo Antonishyn
 
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdfПравила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdfMykhailo Antonishyn
 
Правила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdfПравила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdfMykhailo Antonishyn
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
Masters of transformation part 2
Masters of transformation part 2Masters of transformation part 2
Masters of transformation part 2Mykhailo Antonishyn
 
Android application security assessment
Android application security assessmentAndroid application security assessment
Android application security assessmentMykhailo Antonishyn
 

More from Mykhailo Antonishyn (9)

Arcantos - web applications pentest tools
Arcantos - web applications pentest toolsArcantos - web applications pentest tools
Arcantos - web applications pentest tools
 
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdfПравила_кибер_гигиены_при_работе_с_криптовалютами.pdf
Правила_кибер_гигиены_при_работе_с_криптовалютами.pdf
 
Правила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdfПравила_кибер_гигиены.pdf
Правила_кибер_гигиены.pdf
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
Masters of transformation part 2
Masters of transformation part 2Masters of transformation part 2
Masters of transformation part 2
 
Masterstvo transformacii part 1
Masterstvo transformacii part 1Masterstvo transformacii part 1
Masterstvo transformacii part 1
 
Android application security assessment
Android application security assessmentAndroid application security assessment
Android application security assessment
 

Recently uploaded

Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfCWS Technology
 
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Servicenishacall1
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 

Recently uploaded (6)

Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdf
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 

Android pentesting

  • 3. P.1. Methodology 1. OWASP Mobile Top-10 2. MSTG - Mobile Security Testing Guide 3. MASVS - Mobile Application Security Verification Standard
  • 4. P.1. Methodology P.1.1. OWASP Mobile TOP-10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 M1-Improper Platform Usage M6-Insecure Authorization M2-Insecure Data Storage M7-Poor Code Quality M3-Insecure Communication M8-Code Tampering M4-Insecure Authentication M9-Reverse Engineering M5-Insufficient Cryptography M10-Extraneous Functionality
  • 5. P.1. Methodology P.1.2. MSTG General parts Mobile App Authentication Architectures Testing Network Communication Cryptography in Mobile Apps Testing Code Quality Tampering and Reverse Engineering Testing User Education https://github.com/OWASP/owasp-mstg
  • 6. P.1. Methodology P.1.2. MSTG Android specific parts Platform Overview Android Basic Security Testing Data Storage on Android Android Cryptographic APIs Local Authentication on Android Android Network APIs Android Platform APIs Code Quality and Build Settings for Android Apps Tampering and Reverse Engineering on Android Android Anti-Reversing Defenses
  • 7. P.1. Methodology P.1.3. MASVS v1 Architecture, Design and Threat Modeling Requirements v2 Data Storage and Privacy Requirements v3 Cryptography Requirements v4 Authentication and Session Management Requirements v5 Network Communication Requirements v6 Environmental Interaction Requirements v7 Code Quality and Build Setting Requirements v8 Resiliency Against Reverse Engineering Requirements https://github.com/OWASP/owasp-masvs
  • 8. P.2. Static testing Android-app 1. MobSF 2. Androbugs framework 3. QARK 4. VCG scanner
  • 9. P.2. Static testing Android-app P.2.1. MobSF Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. https://github.com/MobSF/Mobile-Security-Framework-MobSF
  • 10. P.2. Static testing Android-app P.2.1. MobSF
  • 11. P.2. Static testing Android-app P.2.2. Androbugs framework AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers to find the potential security vulnerabilities in Android applications. No splendid GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate. https://github.com/AndroBugs/AndroBugs_Framework
  • 12. P.2. Static testing Android-app P.2.2. Androbug framework
  • 13. P.2. Static testing Android-app P.2.3. QARK QARK is an easy to use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs. Finally, the major advantage QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working "POC" exploits. https://github.com/linkedin/qark
  • 14. P.2. Static testing Android-app P.2.3. QARK
  • 15. P.2. Static testing Android-app P.2.4. VCG scanner VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code. https://sourceforge.net/projects/visualcodegrepp/
  • 16. P.2. Static testing Android-app P.2.4. VCG scanner
  • 17. P.3. Dynamic testing Android-app 1. BurpSuite 2. Inspeckage 3. LogCat 4. MobSF 5. Drozer 6. Frida
  • 18. P.3. Dynamic testing Android-app P.3.1. BurpSuite https://habr.com/ru/post/432820/
  • 19. P.3. Dynamic testing Android-app P.3.1. BurpSuite
  • 20. P.3. Dynamic testing Android-app P.3.2. Inspeckage Inspeckage - Android Package Inspector Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. ● Shared Preferences ● Serialization ● Crypto ● Hash ● SQLite ● HTTP ● FileSystems ● IPC https://github.com/ac-pm/Inspeckage https://habr.com/ru/post/432820/
  • 21. P.3. Dynamic testing Android-app P.3.2. Inspeckage
  • 22. P.3. Dynamic testing Android-app P.3.3. LogCat https://developer.android.com/studio/command-line/logcat https://habr.com/ru/post/432820/ Logcat is a command-line tool that dumps a log of system messages, including stack traces when the device throws an error and messages that you have written from your app with the Log class.
  • 23. P.3. Dynamic testing Android-app P.3.3. LogCat
  • 24. P.3. Dynamic testing Android-app P.3.3. LogCat
  • 25. P.3. Dynamic testing Android-app P.3.4. MobSF Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above. HTTPS Proxy ● For Android versions 4.4 - 9.0, global proxy settings are automatically applied at runtime. ● For Android version 4.1 - 4.3, set Android VM proxy as displayed in Dynamic Analysis page.
  • 26. P.3. Dynamic testing Android-app P.3.4. MobSF
  • 27. P.3. Dynamic testing Android-app P.3.5. Drozer Drozer (formerly Mercury) is the leading security testing framework for Android. Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS. Drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR's advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT). https://github.com/mwrlabs/drozer https://habr.com/ru/post/352252/
  • 28. P.3. Dynamic testing Android-app P.3.5. Drozer
  • 29. P.3. Dynamic testing Android-app P.3.5. Drozer
  • 30. P.3. Dynamic testing Android-app P.3.6. Frida Frida, as described by its creators as – “ a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX” https://frida.re https://www.notsosecure.com/pentesting-android-apps-using-frida/ https://codeshare.frida.re/browse?page=1
  • 31. P.3. Dynamic testing Android-app P.3.6. Frida
  • 32. P.3. Dynamic testing Android-app P.3.6. Frida