Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015

  1. Ajin Abraham: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework
  2. About Me: Application Security Engineer, Yodlee. Author of OWASP Xenotix XSS Exploit Framework and Mobile Security Framework. Co-Organizer of X0RC0NF. Blog about security: http://opensecurity.in
  3. The Takeaways: A free and open source tool. Mobile app pentesters/malware analysts: how to make your life easier. Developers: build secure mobile apps by detecting vulnerabilities at earlier stages of development. For the rest: some new information.
  4. WTF is it? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing static and dynamic security analysis*. (Android, iOS)
  5. Hosted in your environment. Your application and data are never sent to the cloud.
  6. Basic Requirements
     iOS: • Python 2.7 • Django 1.8 • Oracle Java JDK 1.7+ • Oracle VirtualBox • Mac
     Android: • Python 2.7 • Django 1.8 • Oracle Java JDK 1.7+ • Oracle VirtualBox
  7. Static Analyzer (diagram): INPUT (app) → Mobile Security Framework → OUTPUT (report)
  8. Static Analysis, Android Binary: information gathering → decompile to Java & Smali → permission analysis → manifest analysis → Java code analysis → Android API info → file analysis (URLs, email, files, strings, Android components) → report generation
  9. Static Analysis, Android Source: information gathering → decompile to Java & Smali → permission analysis → manifest analysis → Java code analysis → Android API info → file analysis (URLs, email, files, strings, Android components) → report generation
  10. DEMO: Static analysis of APK. Static analysis of zipped source code.
  11. Static Analysis, iOS
     iOS Binary: basic information → binary analysis → file analysis → libraries → report generation
     iOS Source: basic information → code analysis → iOS API information → file analysis (URL, email, files, libraries) → report generation
  12. DEMO: Static analysis of IPA binary. Static analysis of zipped source code.
  13. Dynamic Analyzer (diagram): INPUT (app) → Mobile Security Framework + Android VM → OUTPUT (report)
  14. Dynamic Analyzer, Architecture (diagram): the Dynamic Analyzer installs and runs the APK in the Android VM, starts the HTTP(S) web proxy and invokes the agents in the VM. The agents collect application data and other information; the results returned to the Dynamic Analyzer are the HTTP(S) traffic and the agent-collected information.
  15. Dynamic Analysis: screenshot capture • HTTP(S) traffic • logcat and dumpsys • dynamic API monitor • dynamic URLs and emails monitor • application data dumper • file analysis on application data • report generation. Under development.
  16. DEMO: Dynamic analysis of Android application
  17. Some Real World Results: Mobile Security Framework, Bypassing PIN in Whisper Android Application: http://opensecurity.in/mobile-security-framework-bypassing-pin-in-whisper-android-application/ ; AppLock MITM Password Reset Vulnerability: http://opensecurity.in/applock-mitm-password-reset-vulnerability/
  18. AppLock MITM Password Reset Vulnerability: DEMO
  19. Android Malware Analysis: DEMO
  20. Future Plans: Looks like people are interested!
  21. In Alpha Dev: Web service testing/REST API testing for hybrid applications. Dynamic analysis support for real Android and iOS devices. Anti VM/sandbox detection bypass. IDOR and cross talk detection support in proxy. Better front end. DB support. Scheduled scans.
  22. What can you do? Download, test, contribute. Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues
  23. Q&A: @ajinabraham ajin25@gmail.com http://opensecurity.in Thanks • Bharadwaj Machiraju • Anto Joseph • Tim Brown • Thomas Abraham • Graphics/Image Owners
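The "permission analysis" and "manifest analysis" steps of the Android static pipeline (slides 8 and 9) boil down to reading the decoded AndroidManifest.xml and flagging risky settings. The following is an added illustration written for this page, not code from Mobile Security Framework: a small Python 3 analyzer that reports dangerous permissions (an illustrative subset of Android's "dangerous" protection level, not the full list), a debuggable build, backup left enabled, and components reachable by other apps without a protecting permission. The manifest it scans is a constructed sample, and the component-export rule is a simplification (it does not model the pre-API-17 default for content providers).

```python
"""Toy manifest analyzer in the spirit of MobSF's manifest analysis step.

Added example; not MobSF code. The sample manifest below is constructed.
Input is a *decoded* AndroidManifest.xml (as produced by apktool or similar),
not the binary XML packed inside an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of permissions Android classifies as "dangerous".
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """True if the component declares the MAIN action (expected to be exported)."""
    for action in comp.iter("action"):
        if _attr(action, "name") == "android.intent.action.MAIN":
            return True
    return False


def analyze_manifest(xml_text):
    """Return a list of (severity, message) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    # Permission analysis: which requested permissions are dangerous?
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("info", "requests dangerous permission %s" % name))

    app = root.find("application")
    if app is None:
        return findings

    # Application-level flags.
    if _attr(app, "debuggable") == "true":
        findings.append(("high", "application is debuggable; a debugger can attach on any device"))
    if _attr(app, "allowBackup") != "false":
        findings.append(("medium", "allowBackup is not disabled; app data is included in adb backup"))

    # Component analysis: exported components without a protecting permission.
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _attr(comp, "name")
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Simplified rule: exported="true", or exported unset with an
            # intent-filter, makes the component reachable by other apps.
            is_exported = exported == "true" or (exported is None and has_filter)
            if not is_exported or _is_launcher(comp):
                continue
            if _attr(comp, "permission") is None:
                findings.append(("medium", "%s %s is exported without a permission" % (tag, name)))
    return findings


# Constructed sample manifest exercising each check above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for severity, message in analyze_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (severity.upper(), message))
```

On the sample, the launcher activity and the permission-protected service produce no finding, while the deep-link activity (implicitly exported through its intent-filter) and the receiver do; this is the same distinction a reviewer makes when deciding which components deserve a closer look in the decompiled code.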
