Ajin Abraham, profile picture
Uploaded byAjin Abraham
PPTX, PDF10,079 views

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework

Mobile Security Framework is an open source automated mobile application testing framework capable of static and dynamic analysis of Android and iOS apps. It performs various analyses including permission analysis, API monitoring, and HTTP traffic analysis. The framework supports analyzing APK, IPA, and source code. It is available on GitHub and includes demos of static analysis on sample APK and IPA files. The presentation also describes a mobile security CTF challenge involving two Android apps, GETSECRET and SENDSECRET, that can be solved by analyzing the apps with Mobile Security Framework or other reversing techniques.

Embed presentation

Downloaded 79 times
G4H Webcast Ajin Abraham Automated Security Analysis of Mobile Applications with Mobile Security Framework.
Mobile Security Framework Mobile Security Framework is an intelligent, all- in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
Inputs • Android, iOS binaries (APK, IPA) • Android Zipped Source Code (eclipse, Android Studio) • iOS Zipped Source Code • Android Binary - Static and Dynamic Analysis • Android Source – Static Analysis • iOS Binary and Source – Static Analysis (TIZEN support, on it’s way)
Open Source Project • Feel free to contribute: • Source: https://github.com/ajinabraham/YSO- Mobile-Security-Framework • Issues: https://github.com/ajinabraham/YSO- Mobile-Security-Framework/issues
Setting it Up Android • Python 2.7 • Django 1.8 • Oracle Java - JDK 1.7+ iOS • Python 2.7 • Django 1.8 • Oracle Java - JDK 1.7+ • Mac
Static Analysis • Android – INFORMATION GATHERING – DECOMPILE TO JAVA & SMALI – PERMISSION ANALYSIS – MANIFEST ANALYSIS – JAVA CODE ANALYSIS – ANDROID API INFO – FILE ANALYSIS – URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS – REPORT GENERATION
DEMO • Static Analysis of APK • Static Analysis of Zipped Source Code
Static Analysis • iOS - Binary – BASIC INFORMATION – BINARY ANALYSIS – FILE ANALYSIS – LIBRARIES – FILES – REPORT GENERATION • iOS - Source – BASIC INFORMATION – CODE ANALYSIS – iOS API INFORMATION – FILE ANALYSIS – URL, EMAIL, FILES, LIBRARIES – REPORT GENERATION
DEMO • Static Analysis of IPA Binary • Static Analysis of Zipped Source Code
Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM Application Data Agent Collected Information Start HTTP(S) Web Proxy
Dynamic Analysis • SCREENSHOT • HTTP(S) TRAFFIC • LOGCAT and DUMPSYS • DROIDMON API MONITOR • DYNAMIC URLS and EMAILS • DUMPED APPLICATION DATA • FILE ANALYSIS ON APPLICATION DATA • REPORT GENERATION • UNDER DEVELOPMENT
DEMO • Under Dev + • Lot’s • Hoping that things will work ! 
Interesting Facts • Free and Open Source • Support VM, and Rooted Phones with our agents installed. • Complete Mobile Application Security Testing (Android, iOS and Tizen*). • Reporting Future Plans - Pentesting Server Side components of Hybrid Applications. -Exploitation Module.
G4H Mobile Security CTF GETSECRET.apk SENDSECRET.apk
G4H Mobile Security CTF • CTF Entry point is GETSECRET, you need to capture the secret send from SENDSECRET to GET Secret. • Vulnerabilities. SENDSECRET Exported Activity .ValidateAccess Logical Vulnerability Send secret to any application with package name as opensecurity.getsecret and Activity name as GetFlag GETSECRET Hardcoded Password LoginActivity Exported Activities AskSecret GetFlag Logging Sensitive Information Logging the Secret
G4H - CTF- How to Solve 1. Reversing DexGuard, find the logic, reverse the hardcoded secret to decrypt the AES encrypted flag 2. Bypass Login of GETSECRET - Wait till the Random no matches. -> SendSecret sends the Secret. Collect the Secret form Log and Enter it in GetFlag activity to get the Flag. 3. Easiest - Patch the APK and recompile it
Sorry • Can’t cover Reversing DexGuard. • Blog post removed! • The license I have, deny reversing DexGuard technology.
Thanks • G4H Team • Bharadwaj Machiraju Contact: @ajinabraham ajin25@gmail.com http://opensecurity.in

More Related Content

PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
byAnant Shrivastava
 
PPTX
Penetrating Android Aapplications
byRoshan Thomas
 
PPTX
Dynamic Security Analysis & Static Security Analysis for Android Apps.
byVodqaBLR
 
PDF
Qark DefCon 23
by☠Tony Trummer☠
 
PPTX
Abusing Google Apps and Data API: Google is My Command and Control Center
byAjin Abraham
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
byAnant Shrivastava
 
Penetrating Android Aapplications
byRoshan Thomas
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
byVodqaBLR
 
Qark DefCon 23
by☠Tony Trummer☠
 
Abusing Google Apps and Data API: Google is My Command and Control Center
byAjin Abraham
 

What's hot

PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
byAjin Abraham
 
PPTX
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
byAjin Abraham
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
byOWASP
 
PDF
Security testing in mobile applications
byJose Manuel Ortega Candel
 
ODP
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
PDF
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
PDF
Mobile_app_security
byHassan El Hadary
 
PDF
Why you need API Security Automation
by42Crunch
 
PDF
Hacking Tizen: The OS of everything - Whitepaper
byAjin Abraham
 
PDF
API Security: the full story
by42Crunch
 
PDF
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
PDF
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
PPTX
Android pen test basics
byOWASPKerala
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PPTX
The curious case of mobile app security.pptx
byAnkit Giri
 
PDF
OWASP API Security TOP 10 - 2019
byMiguel Angel Falcón Muñoz
 
PDF
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
PPTX
Abusing Exploiting and Pwning with Firefox Addons
byAjin Abraham
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons
byAjin Abraham
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
byAjin Abraham
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
byAjin Abraham
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
byOWASP
 
Security testing in mobile applications
byJose Manuel Ortega Candel
 
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
Mobile_app_security
byHassan El Hadary
 
Why you need API Security Automation
by42Crunch
 
Hacking Tizen: The OS of everything - Whitepaper
byAjin Abraham
 
API Security: the full story
by42Crunch
 
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
byAnant Shrivastava
 
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
Android pen test basics
byOWASPKerala
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
The curious case of mobile app security.pptx
byAnkit Giri
 
OWASP API Security TOP 10 - 2019
byMiguel Angel Falcón Muñoz
 
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
byAjin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons
byAjin Abraham
 

Similar to G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework

PPTX
Android Penetration testing - Day 2
byMohammed Adam
 
PPTX
Mobile App Penetration Testing Bsides312
bywphillips114
 
PPTX
Hacking mobile apps
bykunwaratul hax0r
 
PPTX
Android Penetration Testing - Day 3
byMohammed Adam
 
PPTX
Security testing of mobile applications
byGTestClub
 
PDF
PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdf
byShadowman Kung
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
PPTX
Pentesting Android Apps
byAbdelhamid Limami
 
PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
PDF
Pentesting iOS Apps
byHerman Duarte
 
PDF
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
byAndy Davies
 
PPTX
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PPTX
Untitled 1
bySergey Kochergan
 
PPTX
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
PDF
Denis Zhuchinski Ways of enhancing application security
byАліна Шепшелей
 
PDF
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
byInhacking
 
PDF
Increasing Android app security for free - Roberto Gassirà, Roberto Piccirill...
byCodemotion
 
PDF
Increasing Android app security for free - Roberto Gassirà, Roberto Piccirill...
byConsulthinkspa
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
Android Penetration testing - Day 2
byMohammed Adam
 
Mobile App Penetration Testing Bsides312
bywphillips114
 
Hacking mobile apps
bykunwaratul hax0r
 
Android Penetration Testing - Day 3
byMohammed Adam
 
Security testing of mobile applications
byGTestClub
 
PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdf
byShadowman Kung
 
Android Pentesting
byn|u - The Open Security Community
 
Pentesting Android Apps
byAbdelhamid Limami
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
Pentesting iOS Apps
byHerman Duarte
 
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
byAndy Davies
 
Virtue Security - The Art of Mobile Security 2013
byVirtue Security
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Untitled 1
bySergey Kochergan
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
byTestDevLab
 
Denis Zhuchinski Ways of enhancing application security
byАліна Шепшелей
 
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
byInhacking
 
Increasing Android app security for free - Roberto Gassirà, Roberto Piccirill...
byCodemotion
 
Increasing Android app security for free - Roberto Gassirà, Roberto Piccirill...
byConsulthinkspa
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 

More from Ajin Abraham

PDF
AppSec PNW: Android and iOS Application Security with MobSF
byAjin Abraham
 
PPTX
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
byAjin Abraham
 
PPTX
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
byAjin Abraham
 
PDF
Shellcoding in linux
byAjin Abraham
 
PDF
Wi-Fi Security with Wi-Fi P+
byAjin Abraham
 
PPTX
Phishing With Data URI
byAjin Abraham
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
byAjin Abraham
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
byAjin Abraham
 
PDF
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
byAjin Abraham
 
PPTX
Exploit Research and Development Megaprimer: Buffer overflow for beginners
byAjin Abraham
 
PPTX
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
byAjin Abraham
 
PPTX
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
byAjin Abraham
 
PPTX
Buffer overflow for Beginners
byAjin Abraham
 
PDF
Xenotix XSS Exploit Framework: Clubhack 2012
byAjin Abraham
 
AppSec PNW: Android and iOS Application Security with MobSF
byAjin Abraham
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
byAjin Abraham
 
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
byAjin Abraham
 
Shellcoding in linux
byAjin Abraham
 
Wi-Fi Security with Wi-Fi P+
byAjin Abraham
 
Phishing With Data URI
byAjin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
byAjin Abraham
 
Exploit Research and Development Megaprimer: Win32 Egghunter
byAjin Abraham
 
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
byAjin Abraham
 
Exploit Research and Development Megaprimer: Buffer overflow for beginners
byAjin Abraham
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
byAjin Abraham
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
byAjin Abraham
 
Buffer overflow for Beginners
byAjin Abraham
 
Xenotix XSS Exploit Framework: Clubhack 2012
byAjin Abraham
 

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework

  • 1.
    G4H Webcast Ajin Abraham AutomatedSecurity Analysis of Mobile Applications with Mobile Security Framework.
  • 2.
    Mobile Security Framework MobileSecurity Framework is an intelligent, all- in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
  • 3.
    Inputs • Android, iOSbinaries (APK, IPA) • Android Zipped Source Code (eclipse, Android Studio) • iOS Zipped Source Code • Android Binary - Static and Dynamic Analysis • Android Source – Static Analysis • iOS Binary and Source – Static Analysis (TIZEN support, on it’s way)
  • 4.
    Open Source Project •Feel free to contribute: • Source: https://github.com/ajinabraham/YSO- Mobile-Security-Framework • Issues: https://github.com/ajinabraham/YSO- Mobile-Security-Framework/issues
  • 5.
    Setting it Up Android •Python 2.7 • Django 1.8 • Oracle Java - JDK 1.7+ iOS • Python 2.7 • Django 1.8 • Oracle Java - JDK 1.7+ • Mac
  • 6.
    Static Analysis • Android –INFORMATION GATHERING – DECOMPILE TO JAVA & SMALI – PERMISSION ANALYSIS – MANIFEST ANALYSIS – JAVA CODE ANALYSIS – ANDROID API INFO – FILE ANALYSIS – URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS – REPORT GENERATION
  • 7.
    DEMO • Static Analysisof APK • Static Analysis of Zipped Source Code
  • 8.
    Static Analysis • iOS- Binary – BASIC INFORMATION – BINARY ANALYSIS – FILE ANALYSIS – LIBRARIES – FILES – REPORT GENERATION • iOS - Source – BASIC INFORMATION – CODE ANALYSIS – iOS API INFORMATION – FILE ANALYSIS – URL, EMAIL, FILES, LIBRARIES – REPORT GENERATION
  • 9.
    DEMO • Static Analysisof IPA Binary • Static Analysis of Zipped Source Code
  • 10.
    Dynamic Analyzer -Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM Application Data Agent Collected Information Start HTTP(S) Web Proxy
  • 11.
    Dynamic Analysis • SCREENSHOT •HTTP(S) TRAFFIC • LOGCAT and DUMPSYS • DROIDMON API MONITOR • DYNAMIC URLS and EMAILS • DUMPED APPLICATION DATA • FILE ANALYSIS ON APPLICATION DATA • REPORT GENERATION • UNDER DEVELOPMENT
  • 12.
    DEMO • Under Dev+ • Lot’s • Hoping that things will work ! 
  • 13.
    Interesting Facts • Freeand Open Source • Support VM, and Rooted Phones with our agents installed. • Complete Mobile Application Security Testing (Android, iOS and Tizen*). • Reporting Future Plans - Pentesting Server Side components of Hybrid Applications. -Exploitation Module.
  • 14.
    G4H Mobile SecurityCTF GETSECRET.apk SENDSECRET.apk
  • 15.
    G4H Mobile SecurityCTF • CTF Entry point is GETSECRET, you need to capture the secret send from SENDSECRET to GET Secret. • Vulnerabilities. SENDSECRET Exported Activity .ValidateAccess Logical Vulnerability Send secret to any application with package name as opensecurity.getsecret and Activity name as GetFlag GETSECRET Hardcoded Password LoginActivity Exported Activities AskSecret GetFlag Logging Sensitive Information Logging the Secret
  • 16.
    G4H - CTF-How to Solve 1. Reversing DexGuard, find the logic, reverse the hardcoded secret to decrypt the AES encrypted flag 2. Bypass Login of GETSECRET - Wait till the Random no matches. -> SendSecret sends the Secret. Collect the Secret form Log and Enter it in GetFlag activity to get the Flag. 3. Easiest - Patch the APK and recompile it
  • 17.
    Sorry • Can’t coverReversing DexGuard. • Blog post removed! • The license I have, deny reversing DexGuard technology.
  • 18.
    Thanks • G4H Team •Bharadwaj Machiraju Contact: @ajinabraham ajin25@gmail.com http://opensecurity.in