Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Ajin Abraham
Automated Mobile Application
Security Testing with
Mobile Security Framework
About Me
!   Security Consultant @ Yodlee
!   Security Engineering @ IMMUNIO
!   Next Gen Runtime Application Self Protect...
The Takeaways
!   A FREE and Open Source Security Tool for Mobile
App Security Assessment.
!   Mobile App Pentesters/Mobil...
Agenda
!   What is MobSF?
!   MobSF Architecture
!   Static Analyzer
!   Dynamic Analyzer
!   Web API Fuzzer
!   Static An...
What is MobSF?
Mobile Security Framework is an open source mobile
application (Android/iOS) automated pentesting framework...
Hosted in your environment. Your application and data
is never send to the cloud.
MobSF Architecture
Static Analyzer
Mobile Security Framework
INPUT OUTPUT
REPORT
Demo
Static Analysis & Report Generation
(Diva)
Static Analysis & Some Statistics
!   Static Analysis on Top Financial Apps - Criteria
!   SSL bypass in Native Code
!   S...
Top Indian Bank Apps Analyzed
Face palm
Top Indian Wallet Apps Analyzed
Observations
!   State of Mobile App Security, Not evolved as Web
Security.
!   Most common issue is SSL Bypass in (Both
N...
Real-world Exploitation
Dynamic Analyzer
Mobile Security Framework
INPUT
Android VM
Or
Android Device
REPORT
OUTPUT
Dynamic Analyzer - Architecture
Dynamic Analyzer
AGENTS
Install and Run APK
HTTP(S) Proxy
Invoke Agents in VM
Results
HTTP...
DEMO
(LOCX)
Dynamic SSL Testing
!   Dynamically verify if SSL connections are securely
implemented.
!   Disable JustTrustMe and Remove...
Exported Activity Tester
!   Android Exported Activities.
DEMO
Challenges in Dynamic Analysis
!   Some Android Apps are built with security in
mind.
!  Anti VM Detection
!  Anti Root De...
How to deal with these Challenges
!   API overriding with Xposed Framework
!  Anti VM Detection Bypass –> Android Blue Pil...
Dynamic Analysis on Device
! MobSFy Script – Convert your VM/ Device to support MobSF
Dynamic Analysis
!   Documentation h...
Web API Fuzzer
•  Login API
•  Pin API
•  Register API
•  Logout API
Select
•  Select Scope URLs of Scan
•  Select Scope V...
Fuzzing REST APIs
!   Why most web scanners suck at API Testing?
!   We have knowledge about the application and
generic A...
What We Detect
!   XXE
!   SSRF
!   IDOR
!   Directory Traversal or Path Traversal
!   Logical and Session Related
!   API...
How we Detect
SSRF & XXE
API Server
Web API Fuzzer
MobSF Cloud Server
Cloud Server: APITester/cloud/cloud_server.py
Insecure Direct Object Reference (IDOR)
!   Without Credentials.
!   With multiple user credentials (needs two login attem...
Session Related Checks
Web API
Fuzzer API Server
Calls Logout API
Access Resource with expired Auth Header/Cookie
Access R...
Rate Limiter
Web API
Fuzzer
API Server
Brute force Login API and Register API
Other Checks
!   Security Headers and Info Gathering
!   Directory/ Path Traversal
DEMO
What's Coming Soon?
!   Windows App Security Analyzer.
!   iOS App Dynamic Analysis.
!   API Fuzzer to support detection o...
Stakeholders
!   Looks like people are interested!
!   Bugs opened and Closed
Useful Links
!   Source:
https://github.com/ajinabraham/Mobile-Security-Framework
!   Issues:
https://github.com/ajinabrah...
QA
@ajinabraham
ajin25@gmail.com
Thanks & Credits
•  Sachinraj Shetty
•  Kamaiah Nadavala
•  Bharadwaj Machiraju
•  Yashin...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)
Upcoming SlideShare
Loading in …5
×

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

19,189 views

Published on

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Published in: Mobile

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

  1. 1. Ajin Abraham Automated Mobile Application Security Testing with Mobile Security Framework
  2. 2. About Me !   Security Consultant @ Yodlee !   Security Engineering @ IMMUNIO !   Next Gen Runtime Application Self Protection (RASP) !   Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. !   Teach Security via https://opsecx.com !   Blog about Security: http://opensecurity.in
  3. 3. The Takeaways !   A FREE and Open Source Security Tool for Mobile App Security Assessment. !   Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. !   Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) !   Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
  4. 4. Agenda !   What is MobSF? !   MobSF Architecture !   Static Analyzer !   Dynamic Analyzer !   Web API Fuzzer !   Static Analysis !   Static Analysis & some Statistics !   Top Indian Bank Mobile Apps !   Top Indian Wallet Mobile Apps !   Observations !   Dynamic Analysis !   Dynamic SSL Testing !   Exported Activity Tester !   Challenges in Dynamic Analysis !   Dynamic Analysis on Custom VM/ Rooted Android Device. !   Web API Fuzzer !   Vulnerabilities API Fuzzer detects. !   Explains the API Fuzzer Logic. !   Conclusion
  5. 5. What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
  6. 6. Hosted in your environment. Your application and data is never send to the cloud.
  7. 7. MobSF Architecture
  8. 8. Static Analyzer Mobile Security Framework INPUT OUTPUT REPORT
  9. 9. Demo Static Analysis & Report Generation (Diva)
  10. 10. Static Analysis & Some Statistics !   Static Analysis on Top Financial Apps - Criteria !   SSL bypass in Native Code !   SSL bypass in WebView !   Remote Web View Debugging !   Hardcoded Secrets
  11. 11. Top Indian Bank Apps Analyzed
  12. 12. Face palm
  13. 13. Top Indian Wallet Apps Analyzed
  14. 14. Observations !   State of Mobile App Security, Not evolved as Web Security. !   Most common issue is SSL Bypass in (Both Native Code and WebView) !   SSL Error bypassed in WebViews are really really bad.
  15. 15. Real-world Exploitation
  16. 16. Dynamic Analyzer Mobile Security Framework INPUT Android VM Or Android Device REPORT OUTPUT
  17. 17. Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
  18. 18. DEMO (LOCX)
  19. 19. Dynamic SSL Testing !   Dynamically verify if SSL connections are securely implemented. !   Disable JustTrustMe and Remove MobSF Root CA. !   If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
  20. 20. Exported Activity Tester !   Android Exported Activities. DEMO
  21. 21. Challenges in Dynamic Analysis !   Some Android Apps are built with security in mind. !  Anti VM Detection !  Anti Root Detection !  Anti MITM with Certificate Pinning. !  Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
  22. 22. How to deal with these Challenges !   API overriding with Xposed Framework !  Anti VM Detection Bypass –> Android Blue Pill !  Anti Root Detection Bypass -> RootCloak !  Anti MITM Certificate Pinning Bypass -> JustTrustMe !   APK smali Patching. !   For sophisticated apps and malware, Use a real device for dynamic analysis.
  23. 23. Dynamic Analysis on Device ! MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis !   Documentation here: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis- Environment-in-your-Android-Device-or-VM !   DEMO : Weak Crypto !   Java - String hashCode() Method !   s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
  24. 24. Web API Fuzzer •  Login API •  Pin API •  Register API •  Logout API Select •  Select Scope URLs of Scan •  Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
  25. 25. Fuzzing REST APIs !   Why most web scanners suck at API Testing? !   We have knowledge about the application and generic API routes (Login, Logout, Register). !   So we use more of Whitebox approach than Blackbox approach. !   Detects vulnerabilities like IDOR, SSRF and XXE.
  26. 26. What We Detect !   XXE !   SSRF !   IDOR !   Directory Traversal or Path Traversal !   Logical and Session Related !   API Rate Limiting
  27. 27. How we Detect
  28. 28. SSRF & XXE API Server Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
  29. 29. Insecure Direct Object Reference (IDOR) !   Without Credentials. !   With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
  30. 30. Session Related Checks Web API Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
  31. 31. Rate Limiter Web API Fuzzer API Server Brute force Login API and Register API
  32. 32. Other Checks !   Security Headers and Info Gathering !   Directory/ Path Traversal
  33. 33. DEMO
  34. 34. What's Coming Soon? !   Windows App Security Analyzer. !   iOS App Dynamic Analysis. !   API Fuzzer to support detection of SQLi and RCE. !   Export Proxy logs to BurpSuite/IronWASP/ZAP
  35. 35. Stakeholders !   Looks like people are interested! !   Bugs opened and Closed
  36. 36. Useful Links !   Source: https://github.com/ajinabraham/Mobile-Security-Framework !   Issues: https://github.com/ajinabraham/Mobile-Security-Framework/ issues !   Documentation: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki !   Video Course: https://opsecx.com/index.php/product/automated-mobile- application-security-assessment-with-mobsf/
  37. 37. QA @ajinabraham ajin25@gmail.com Thanks & Credits •  Sachinraj Shetty •  Kamaiah Nadavala •  Bharadwaj Machiraju •  Yashin Mehboobe •  Anto Joseph •  Tim Brown •  Thomas Abraham •  Graphics/Image Owners

×