G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework


Published in: Mobile

1. G4H Webcast. Ajin Abraham: Automated Security Analysis of Mobile Applications with Mobile Security Framework.
2. Mobile Security Framework. Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
3. Inputs
   • Android and iOS binaries (APK, IPA)
   • Android zipped source code (Eclipse, Android Studio)
   • iOS zipped source code
   • Android binary: static and dynamic analysis
   • Android source: static analysis
   • iOS binary and source: static analysis
   • Tizen support is on its way
4. Open Source Project. Feel free to contribute:
   • Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework
   • Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues
5. Setting it Up
   • Android: Python 2.7, Django 1.8, Oracle Java JDK 1.7+
   • iOS: Python 2.7, Django 1.8, Oracle Java JDK 1.7+, and a Mac
6. Static Analysis: Android
   • Information gathering
   • Decompile to Java and Smali
   • Permission analysis
   • Manifest analysis
   • Java code analysis
   • Android API info
   • File analysis
   • URLs, e-mails, files, strings, Android components
   • Report generation
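The permission and manifest analysis steps above are the ones a reviewer usually wants to see in code. The following is an added example, not MobSF's own implementation: it parses an AndroidManifest.xml, marks the requested permissions that belong to a (hand-picked, incomplete) set of dangerous ones, and flags every component another app can reach, whether exported explicitly with android:exported="true", implicitly through an intent-filter (the default before API 31), or, for content providers, through the pre-API-17 default. The manifest embedded in the block is constructed for the demonstration and is not taken from any real app.

```python
"""Added example (not MobSF code): manifest and permission analysis for an APK's
AndroidManifest.xml. Flags dangerous permissions and components that other
apps can invoke: explicitly exported, implicitly exported via an
<intent-filter>, or a content provider left at the pre-API-17 default.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: a hand-picked subset of Android's dangerous-protection-level
# permissions. A real scanner carries the full table for the target API level.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.CALL_PHONE",
}

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app) exercising every rule.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ctf">
    <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <application android:label="CTF">
        <activity android:name=".LoginActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".GetFlag" android:exported="true" />
        <activity android:name=".SettingsActivity" android:exported="false" />
        <receiver android:name=".SecretReceiver" android:exported="true"
                  android:permission="com.example.ctf.permission.SECRET" />
        <provider android:name=".DataProvider"
                  android:authorities="com.example.ctf.provider" />
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return permissions, dangerous permissions and exported components."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1

    permissions = [_attr(p, "name") for p in root.findall("uses-permission")]
    exported = []
    for tag in COMPONENT_TAGS:
        for comp in root.find("application").findall(tag):
            name = _attr(comp, "name") or ""
            if name.startswith("."):          # relative name: prefix the package
                name = package + name
            flag = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if flag == "true":
                reason = 'android:exported="true"'
            elif flag is None and has_filter:
                reason = "intent-filter without android:exported (exported by default before API 31)"
            elif flag is None and tag == "provider" and min_sdk < 17:
                reason = "provider without android:exported (exported by default before API 17)"
            else:
                continue                      # exported="false", or no filter
            exported.append({"type": tag, "name": name, "reason": reason,
                             "permission": _attr(comp, "permission")})
    return {
        "package": package,
        "min_sdk": min_sdk,
        "permissions": permissions,
        "dangerous": [p for p in permissions if p in DANGEROUS_PERMISSIONS],
        "exported": exported,
        # reachable by any app: no android:permission guarding the component
        "unprotected_exported": [c["name"] for c in exported if not c["permission"]],
    }


if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"], "minSdk:", result["min_sdk"])
    print("dangerous permissions:", result["dangerous"])
    for comp in result["exported"]:
        guard = comp["permission"] or "NO permission guard"
        print("%-8s %-40s %s [%s]" % (comp["type"], comp["name"], comp["reason"], guard))
```

The launcher activity is expected to show up as implicitly exported; the findings worth acting on are the other unprotected entries (here `GetFlag` and the provider), which is exactly the class of weakness the CTF app later in this deck is built around.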
7. Demo
   • Static analysis of an APK
   • Static analysis of zipped source code
8. Static Analysis: iOS
   • iOS binary: basic information, binary analysis, file analysis, libraries, files, report generation
   • iOS source: basic information, code analysis, iOS API information, file analysis, URLs, e-mails, files, libraries, report generation
9. Demo
   • Static analysis of an IPA binary
   • Static analysis of zipped source code
10. Dynamic Analyzer: Architecture. The Dynamic Analyzer starts an HTTP(S) web proxy, installs and runs the APK in the Android VM, and invokes the agents inside the VM. The agents collect application data and other information; the app's HTTP(S) traffic passes through the proxy; the collected information and traffic are returned to the Dynamic Analyzer as results.
11. Dynamic Analysis (under development)
   • Screenshot
   • HTTP(S) traffic
   • Logcat and dumpsys
   • Droidmon API monitor
   • Dynamic URLs and e-mails
   • Dumped application data
   • File analysis on application data
   • Report generation
12. Demo
   • Under development, plus lots more
   • Hoping that things will work!
13. Interesting Facts
   • Free and open source
   • Supports VMs and rooted phones with our agents installed
   • Complete mobile application security testing (Android, iOS and Tizen*)
   • Reporting
   • Future plans: pentesting server-side components of hybrid applications; an exploitation module
14. G4H Mobile Security CTF: GETSECRET.apk and SENDSECRET.apk
15. G4H Mobile Security CTF
   • The CTF entry point is GETSECRET; you need to capture the secret sent from SENDSECRET to GETSECRET.
   • Vulnerabilities:
     SENDSECRET
       – Exported activity: .ValidateAccess
       – Logical vulnerability: sends the secret to any application with package name opensecurity.getsecret and activity name GetFlag
     GETSECRET
       – Hardcoded password: LoginActivity
       – Exported activities: AskSecret, GetFlag
       – Logging sensitive information: the secret is logged
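The "logging sensitive information" bug above is found with the logcat step of the dynamic analysis (slide 11), and that step is small enough to show in full. The following is an added example, not MobSF's own code: it reads a logcat dump in `threadtime` format, restricts the scan to the PIDs that ActivityManager reports as started for the target package (so other apps' chatter is ignored), and flags credential-like key/value pairs, long hex tokens, URLs and e-mail addresses. The log lines embedded in the block are constructed for the demonstration; the package, tags and values in them are not from the real CTF APKs. `capture_logcat` shells out to the real `adb logcat -d -v threadtime` and is only needed on a live device.

```python
"""Added example (not MobSF code): scan a logcat dump for secrets leaked by an
app, restricted to the app's own PIDs. Works offline on the constructed
sample below; capture_logcat() pulls a real dump from a device via adb.
"""
import re
import subprocess

# threadtime format: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)
# ActivityManager announces every process it starts for a package.
START_PROC_RE = re.compile(r"Start proc (\d+):([\w.]+)/")

DETECTORS = [
    ("credential", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+")),
    ("hex_token", re.compile(r"\b[0-9a-f]{32,}\b")),
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
]

# Constructed sample dump (assumption: not captured from the real CTF apps).
SAMPLE_LOGCAT = """\
05-12 10:21:33.101  2210  2210 I ActivityManager: Start proc 2291:com.example.ctf/u0a57 for activity com.example.ctf/.LoginActivity
05-12 10:21:34.220  2291  2291 D LoginActivity: user entered password=Sup3rS3cret!
05-12 10:21:35.004  2291  2291 D AskSecret: waiting for secret from sender
05-12 10:21:36.417  2291  2291 I GetFlag: received secret: 3f9a1c77b2e04d5e9a6b1c2d3e4f5a6b
05-12 10:21:36.420  2291  2291 I GetFlag: posting to http://192.0.2.10/flag?user=analyst@example.com
05-12 10:21:37.000  1188  1188 V WifiService: scan results updated
05-12 10:21:37.500  1188  1188 D OtherApp: password=hunter2
"""


def parse_line(line):
    """Split one threadtime line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_app_pids(logcat_text, package):
    """PIDs ActivityManager started for `package` (a process may restart)."""
    pids = set()
    for line in logcat_text.splitlines():
        m = START_PROC_RE.search(line)
        if m and m.group(2) == package:
            pids.add(int(m.group(1)))
    return pids


def scan_logcat(logcat_text, package=None):
    """Return findings; with `package` set, only that app's PIDs are scanned."""
    pids = find_app_pids(logcat_text, package) if package else None
    findings = []
    for lineno, line in enumerate(logcat_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if pids is not None and int(rec["pid"]) not in pids:
            continue
        for category, pattern in DETECTORS:
            for m in pattern.finditer(rec["msg"]):
                findings.append({"line": lineno, "pid": int(rec["pid"]),
                                 "tag": rec["tag"], "category": category,
                                 "match": m.group(0)})
    return findings


def capture_logcat(adb="adb"):
    """Dump and exit (-d) the device log in threadtime format via adb."""
    proc = subprocess.run([adb, "logcat", "-d", "-v", "threadtime"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT, package="com.example.ctf"):
        print("line %d pid %d %-14s %-10s %s" % (
            f["line"], f["pid"], f["tag"], f["category"], f["match"]))
```

If no "Start proc" line for the package is in the buffer (the app was already running when the dump began), the PID filter matches nothing; clear the buffer with `adb logcat -c` before launching the app, or call `scan_logcat` without `package` and filter on tags instead.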
16. G4H CTF: How to Solve
   1. Reverse DexGuard, find the logic, and reverse the hardcoded secret to decrypt the AES-encrypted flag.
   2. Bypass the login of GETSECRET, wait till the random number matches, and SENDSECRET sends the secret. Collect the secret from the log and enter it in the GetFlag activity to get the flag.
   3. Easiest: patch the APK and recompile it.
17. Sorry
   • Can't cover reversing DexGuard.
   • Blog post removed!
   • The license I have denies reversing DexGuard technology.
18. Thanks
   • G4H Team
   • Bharadwaj Machiraju
   Contact: @ajinabraham, ajin25@gmail.com, http://opensecurity.in
