Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015
Slide 1: Ajin Abraham. Automated Security Analysis of Android & iOS Applications with Mobile Security Framework.

Slide 2: About Me. Application Security Engineer, Yodlee. Author of OWASP Xenotix XSS Exploit Framework and Mobile Security Framework. Co-Organizer of X0RC0NF. Blog about security: http://opensecurity.in

Slide 3: The Takeaways. A free and open source tool. Mobile app pentesters/malware analysts: how to make your life easier. Developers: build secure mobile apps by detecting vulnerabilities at earlier stages of development. For the rest: some new information.

Slide 4: WTF is it? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing static and dynamic security analysis*. Android, iOS.

Slide 5: Hosted in your environment. Your application and data are never sent to the cloud.

Slide 6: Basic Requirements.
iOS: • Python 2.7 • Django 1.8 • Oracle Java JDK 1.7+ • Oracle VirtualBox • Mac
Android: • Python 2.7 • Django 1.8 • Oracle Java JDK 1.7+ • Oracle VirtualBox

Slide 7: Static Analyzer. INPUT, Mobile Security Framework, OUTPUT: REPORT.

Slide 8: Static Analysis, Android Binary. INFORMATION GATHERING, DECOMPILE TO JAVA & SMALI, PERMISSION ANALYSIS, MANIFEST ANALYSIS, JAVA CODE ANALYSIS, ANDROID API INFO, FILE ANALYSIS, URLS/EMAIL/FILES/STRINGS/ANDROID COMPONENTS, REPORT GENERATION.

Slide 9: Static Analysis, Android Source. INFORMATION GATHERING, DECOMPILE TO JAVA & SMALI, PERMISSION ANALYSIS, MANIFEST ANALYSIS, JAVA CODE ANALYSIS, ANDROID API INFO, FILE ANALYSIS, URLS/EMAIL/FILES/STRINGS/ANDROID COMPONENTS, REPORT GENERATION.
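To show what the PERMISSION ANALYSIS and MANIFEST ANALYSIS steps of the static pipeline boil down to, here is a small added example (not MobSF's own code) that flags risky permissions and components reachable from other apps in a constructed AndroidManifest.xml; the permission table and its descriptions are assumptions, not the framework's rule set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of permissions worth reporting; descriptions are assumptions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS": "reads all SMS messages",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "can record audio",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def analyse_manifest(xml_text):
    """Return (dangerous_permissions, exported_components) for a manifest string."""
    root = ET.fromstring(xml_text)
    perms = [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]
    dangerous = {p: DANGEROUS_PERMISSIONS[p] for p in perms if p in DANGEROUS_PERMISSIONS}
    exported = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        flag = comp.get(ANDROID_NS + "exported")
        has_filter = comp.find("intent-filter") is not None
        # exported="true", or an intent-filter with no exported attribute (the
        # pre-Android-12 default), makes the component reachable by other apps;
        # a permission attribute restricts who may reach it.
        if flag == "true" or (flag is None and has_filter):
            exported.append({"type": comp.tag, "name": comp.get(ANDROID_NS + "name"),
                             "protected": comp.get(ANDROID_NS + "permission") is not None})
    return dangerous, exported

# Constructed sample manifest for the demonstration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    dangerous, exported = analyse_manifest(SAMPLE_MANIFEST)
    for perm, why in dangerous.items():
        print("[PERMISSION] %s: %s" % (perm, why))
    for c in exported:
        print("[EXPORTED] %s %s (permission-protected: %s)" % (c["type"], c["name"], c["protected"]))
```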
Slide 10: DEMO. Static Analysis of APK. Static Analysis of Zipped Source Code.

Slide 11: Static Analysis, iOS Binary. BASIC INFORMATION, BINARY ANALYSIS, FILE ANALYSIS, LIBRARIES, REPORT GENERATION. iOS Source: BASIC INFORMATION, CODE ANALYSIS, iOS API INFORMATION, FILE ANALYSIS, URL/EMAIL/FILES/LIBRARIES, REPORT GENERATION.

Slide 12: DEMO. Static Analysis of IPA Binary. Static Analysis of Zipped Source Code.

Slide 13: Dynamic Analyzer. INPUT, Mobile Security Framework, Android VM, OUTPUT: REPORT.

Slide 14: Dynamic Analyzer Architecture. The Dynamic Analyzer starts an HTTP(S) web proxy, installs and runs the APK in the Android VM, and invokes agents in the VM; the results are the HTTP(S) traffic, the application data and the information collected by the agents.

Slide 15: Dynamic Analysis. SCREENSHOT, CAPTURE HTTP(S) TRAFFIC, LOGCAT and DUMPSYS, DYNAMIC API MONITOR, DYNAMIC URLS and EMAILS MONITOR, APPLICATION DATA DUMPER, FILE ANALYSIS ON APPLICATION DATA, REPORT GENERATION (UNDER DEVELOPMENT).

Slide 16: DEMO. Dynamic Analysis of Android Application.

Slide 17: Some Real World Results. Mobile Security Framework: Bypassing PIN in Whisper Android Application: http://opensecurity.in/mobile-security-framework-bypassing-pin-in-whisper-android-application/ AppLock MITM Password Reset Vulnerability: http://opensecurity.in/applock-mitm-password-reset-vulnerability/

Slide 18: AppLock MITM Password Reset Vulnerability DEMO.

Slide 19: ANDROID MALWARE ANALYSIS DEMO.

Slide 20: Future Plans. Looks like people are interested!

Slide 21: In Alpha Dev. Web service testing/REST API testing for hybrid applications. Dynamic analysis support for real Android and iOS devices. Anti VM/sandbox detection bypass. IDOR and cross talk detection support in proxy. Better front end. DB support. Scheduled scans.

Slide 22: What can you do? Download, test, contribute. Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues

Slide 23: QA. @ajinabraham, ajin25@gmail.com, http://opensecurity.in
Thanks: • Bharadwaj Machiraju • Anto Joseph • Tim Brown • Thomas Abraham • Graphics/Image Owners