Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

Ajin Abraham
Ajin AbrahamSecurity Engineer | Freelance Security Consultant | Speaker at IMMUNIO
Ajin Abraham Automated Mobile Application Security Testing with Mobile Security Framework
About Me !   Security Consultant @ Yodlee !   Security Engineering @ IMMUNIO !   Next Gen Runtime Application Self Protection (RASP) !   Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. !   Teach Security via https://opsecx.com !   Blog about Security: http://opensecurity.in
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)
The Takeaways !   A FREE and Open Source Security Tool for Mobile App Security Assessment. !   Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. !   Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) !   Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
Agenda !   What is MobSF? !   MobSF Architecture !   Static Analyzer !   Dynamic Analyzer !   Web API Fuzzer !   Static Analysis !   Static Analysis & some Statistics !   Top Indian Bank Mobile Apps !   Top Indian Wallet Mobile Apps !   Observations !   Dynamic Analysis !   Dynamic SSL Testing !   Exported Activity Tester !   Challenges in Dynamic Analysis !   Dynamic Analysis on Custom VM/ Rooted Android Device. !   Web API Fuzzer !   Vulnerabilities API Fuzzer detects. !   Explains the API Fuzzer Logic. !   Conclusion
What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
Hosted in your environment. Your application and data is never send to the cloud.
MobSF Architecture
Static Analyzer Mobile Security Framework INPUT OUTPUT REPORT
Demo Static Analysis & Report Generation (Diva)
Static Analysis & Some Statistics !   Static Analysis on Top Financial Apps - Criteria !   SSL bypass in Native Code !   SSL bypass in WebView !   Remote Web View Debugging !   Hardcoded Secrets
Top Indian Bank Apps Analyzed
Face palm
Top Indian Wallet Apps Analyzed
Observations !   State of Mobile App Security, Not evolved as Web Security. !   Most common issue is SSL Bypass in (Both Native Code and WebView) !   SSL Error bypassed in WebViews are really really bad.
Real-world Exploitation
Dynamic Analyzer Mobile Security Framework INPUT Android VM Or Android Device REPORT OUTPUT
Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
DEMO (LOCX)
Dynamic SSL Testing !   Dynamically verify if SSL connections are securely implemented. !   Disable JustTrustMe and Remove MobSF Root CA. !   If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
Exported Activity Tester !   Android Exported Activities. DEMO
Challenges in Dynamic Analysis !   Some Android Apps are built with security in mind. !  Anti VM Detection !  Anti Root Detection !  Anti MITM with Certificate Pinning. !  Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
How to deal with these Challenges !   API overriding with Xposed Framework !  Anti VM Detection Bypass –> Android Blue Pill !  Anti Root Detection Bypass -> RootCloak !  Anti MITM Certificate Pinning Bypass -> JustTrustMe !   APK smali Patching. !   For sophisticated apps and malware, Use a real device for dynamic analysis.
Dynamic Analysis on Device ! MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis !   Documentation here: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis- Environment-in-your-Android-Device-or-VM !   DEMO : Weak Crypto !   Java - String hashCode() Method !   s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
Web API Fuzzer •  Login API •  Pin API •  Register API •  Logout API Select •  Select Scope URLs of Scan •  Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
Fuzzing REST APIs !   Why most web scanners suck at API Testing? !   We have knowledge about the application and generic API routes (Login, Logout, Register). !   So we use more of Whitebox approach than Blackbox approach. !   Detects vulnerabilities like IDOR, SSRF and XXE.
What We Detect !   XXE !   SSRF !   IDOR !   Directory Traversal or Path Traversal !   Logical and Session Related !   API Rate Limiting
How we Detect
SSRF & XXE API Server Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
Insecure Direct Object Reference (IDOR) !   Without Credentials. !   With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
Session Related Checks Web API Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
Rate Limiter Web API Fuzzer API Server Brute force Login API and Register API
Other Checks !   Security Headers and Info Gathering !   Directory/ Path Traversal
DEMO
What's Coming Soon? !   Windows App Security Analyzer. !   iOS App Dynamic Analysis. !   API Fuzzer to support detection of SQLi and RCE. !   Export Proxy logs to BurpSuite/IronWASP/ZAP
Stakeholders !   Looks like people are interested! !   Bugs opened and Closed
Useful Links !   Source: https://github.com/ajinabraham/Mobile-Security-Framework !   Issues: https://github.com/ajinabraham/Mobile-Security-Framework/ issues !   Documentation: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki !   Video Course: https://opsecx.com/index.php/product/automated-mobile- application-security-assessment-with-mobsf/
QA @ajinabraham ajin25@gmail.com Thanks & Credits •  Sachinraj Shetty •  Kamaiah Nadavala •  Bharadwaj Machiraju •  Yashin Mehboobe •  Anto Joseph •  Tim Brown •  Thomas Abraham •  Graphics/Image Owners
1 of 38

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

Download to read offline
Mobile

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Ajin Abraham
Ajin AbrahamSecurity Engineer | Freelance Security Consultant | Speaker at IMMUNIO

Recommended

Automated Security Analysis of Android & iOS Applications with Mobile Securit... by
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
26.1K views24 slides
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF by
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
23K views38 slides
Android Application Penetration Testing - Mohammed Adam by
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
3.3K views53 slides
Mobile Application Security Testing (Static Code Analysis) of Android App by
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
825 views39 slides
Pentesting Android Applications by
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
8.2K views36 slides
Security testing in mobile applications by
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applicationsJose Manuel Ortega Candel
1.4K views55 slides

More Related Content

What's hot

Pentesting Android Apps by
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
923 views30 slides
Android pentesting by
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
472 views30 slides
Android pentesting by
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
459 views33 slides
OWASP Top 10 for Mobile by
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
1.8K views30 slides
Mobil Pentest Eğitim Dökümanı by
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
2.8K views130 slides
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol by
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
93 views42 slides

What's hot(20)

Pentesting Android Apps by Abdelhamid Limami
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
Abdelhamid Limami923 views
Android pentesting by Mykhailo Antonishyn
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn472 views
Android pentesting by Mykhailo Antonishyn
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn459 views
OWASP Top 10 for Mobile by Appvigil - Mobile App Security Scanner
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner1.8K views
Mobil Pentest Eğitim Dökümanı by Ahmet Gürel
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim Dökümanı
Ahmet Gürel2.8K views
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol by apidays
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays93 views
Android Security & Penetration Testing by Subho Halder
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder8.1K views
Dynamic Security Analysis & Static Security Analysis for Android Apps. by VodqaBLR
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
VodqaBLR2.5K views
Android Pentesting by n|u - The Open Security Community
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community237 views
Directory Traversal & File Inclusion Attacks by Raghav Bisht
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht1.2K views
Android security by Midhun P Gopi
Android securityAndroid security
Android security
Midhun P Gopi4.8K views
Mobile Application Security by Ishan Girdhar
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar8.2K views
Android Security by Lars Jacobs
Android SecurityAndroid Security
Android Security
Lars Jacobs4K views
Android security by Mobile Rtpl
Android securityAndroid security
Android security
Mobile Rtpl1.9K views
A Guide to AWS Penetration Testing.pptx by saurabhpandey251355
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptx
saurabhpandey251355196 views
Mobile App Security Testing -2 by Krisshhna Daasaarii
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
Krisshhna Daasaarii1.4K views
Security Testing Mobile Applications by Denim Group
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group11.1K views
Android security and penetration testing | DIVA | Yogesh Ojha by Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha394 views
Api security-testing by n|u - The Open Security Community
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community777 views
Injecting Security into vulnerable web apps at Runtime by Ajin Abraham
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham3K views

Similar to Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

mobsf.pdf by
mobsf.pdfmobsf.pdf
mobsf.pdfTaseen Ali
21 views38 slides
Protecting Your APIs Against Attack & Hijack by
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
18.4K views43 slides
Starwest 2008 by
Starwest 2008Starwest 2008
Starwest 2008Caleb Sima
798 views40 slides
API SECURITY by
API SECURITYAPI SECURITY
API SECURITYTubagus Rizky Dharmawan
307 views57 slides
Owasp advanced mobile-application-code-review-techniques-v0.2 by
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
2.5K views65 slides
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront by
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontOry Segal
123 views40 slides

Similar to Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)(20)

mobsf.pdf by Taseen Ali
mobsf.pdfmobsf.pdf
mobsf.pdf
Taseen Ali21 views
Protecting Your APIs Against Attack & Hijack by CA API Management
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
CA API Management18.4K views
Starwest 2008 by Caleb Sima
Starwest 2008Starwest 2008
Starwest 2008
Caleb Sima798 views
API SECURITY by Tubagus Rizky Dharmawan
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan307 views
Owasp advanced mobile-application-code-review-techniques-v0.2 by drewz lin
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin2.5K views
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront by Ory Segal
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Ory Segal123 views
Outpost24 webinar - Api security by Outpost24
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
Outpost24125 views
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S... by Ajin Abraham
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham10K views
Hackers versus Developers and Secure Web Programming by Akash Mahajan
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan2K views
42Crunch Security Audit for WSO2 API Manager 3.1 by WSO2
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2205 views
Web API Security by Stefaan
Web API SecurityWeb API Security
Web API Security
Stefaan 1.3K views
Web Application Penetration Testing Introduction by gbud7
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
gbud78.5K views
Better API Security With A SecDevOps Approach by Nordic APIs
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps Approach
Nordic APIs151 views
Better API Security with Automation by 42Crunch
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
42Crunch635 views
Triangle Node Meetup : APIs in Minutes with Node.js by Shubhra Kar
Triangle Node Meetup : APIs in Minutes with Node.jsTriangle Node Meetup : APIs in Minutes with Node.js
Triangle Node Meetup : APIs in Minutes with Node.js
Shubhra Kar1.7K views
IBM AppScan Standard - The Web Application Security Solution by hearme limited company
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
hearme limited company3.5K views
Acunetix - Web Vulnerability Scanner by Comguard India
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability Scanner
Comguard India831 views
Hybrid vs Native vs Web Apps by Poluru S
Hybrid vs Native vs Web AppsHybrid vs Native vs Web Apps
Hybrid vs Native vs Web Apps
Poluru S1.8K views
Cyber security by Sakib Sami
Cyber securityCyber security
Cyber security
Sakib Sami401 views
Top 10 Web Vulnerability Scanners by wensheng wei
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
wensheng wei361 views

More from Ajin Abraham

Injecting Security into Web apps at Runtime Whitepaper by
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
3.1K views9 slides
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015 by
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
8K views53 slides
Hacking Tizen: The OS of everything - Whitepaper by
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperAjin Abraham
3.8K views11 slides
Hacking Tizen : The OS of Everything - Nullcon Goa 2015 by
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
7K views50 slides
Abusing Exploiting and Pwning with Firefox Addons by
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
5.7K views20 slides
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains by
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
4.6K views16 slides

More from Ajin Abraham(20)

Injecting Security into Web apps at Runtime Whitepaper by Ajin Abraham
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham3.1K views
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015 by Ajin Abraham
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham8K views
Hacking Tizen: The OS of everything - Whitepaper by Ajin Abraham
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
Ajin Abraham3.8K views
Hacking Tizen : The OS of Everything - Nullcon Goa 2015 by Ajin Abraham
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham7K views
Abusing Exploiting and Pwning with Firefox Addons by Ajin Abraham
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham5.7K views
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains by Ajin Abraham
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham4.6K views
Abusing Google Apps and Data API: Google is My Command and Control Center by Ajin Abraham
Abusing Google Apps and Data API: Google is My Command and Control CenterAbusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham8.7K views
Exploit Research and Development Megaprimer: Win32 Egghunter by Ajin Abraham
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham3.1K views
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ... by Ajin Abraham
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Ajin Abraham5K views
Exploit Research and Development Megaprimer: Unicode Based Exploit Development by Ajin Abraham
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham1.9K views
Exploit Research and Development Megaprimer: Buffer overflow for beginners by Ajin Abraham
Exploit Research and Development Megaprimer: Buffer overflow for beginnersExploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Ajin Abraham1.4K views
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013 by Ajin Abraham
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
Ajin Abraham4.7K views
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013 by Ajin Abraham
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Ajin Abraham10.3K views
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen... by Ajin Abraham
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Ajin Abraham3.6K views
Abusing, Exploiting and Pwning with Firefox Add-ons by Ajin Abraham
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham8.5K views
Xenotix XSS Exploit Framework: Clubhack 2012 by Ajin Abraham
Xenotix XSS Exploit Framework: Clubhack 2012 Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012
Ajin Abraham3.9K views
Wi-Fi Security with Wi-Fi P+ by Ajin Abraham
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
Ajin Abraham2.4K views
Shellcoding in linux by Ajin Abraham
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham3.4K views
Phishing With Data URI by Ajin Abraham
Phishing With Data URIPhishing With Data URI
Phishing With Data URI
Ajin Abraham2.3K views
Buffer overflow for Beginners by Ajin Abraham
Buffer overflow for BeginnersBuffer overflow for Beginners
Buffer overflow for Beginners
Ajin Abraham948 views

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

  • 1. Ajin Abraham Automated Mobile Application Security Testing with Mobile Security Framework
  • 2. About Me !   Security Consultant @ Yodlee !   Security Engineering @ IMMUNIO !   Next Gen Runtime Application Self Protection (RASP) !   Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. !   Teach Security via https://opsecx.com !   Blog about Security: http://opensecurity.in
  • 4. The Takeaways !   A FREE and Open Source Security Tool for Mobile App Security Assessment. !   Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. !   Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) !   Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
  • 5. Agenda !   What is MobSF? !   MobSF Architecture !   Static Analyzer !   Dynamic Analyzer !   Web API Fuzzer !   Static Analysis !   Static Analysis & some Statistics !   Top Indian Bank Mobile Apps !   Top Indian Wallet Mobile Apps !   Observations !   Dynamic Analysis !   Dynamic SSL Testing !   Exported Activity Tester !   Challenges in Dynamic Analysis !   Dynamic Analysis on Custom VM/ Rooted Android Device. !   Web API Fuzzer !   Vulnerabilities API Fuzzer detects. !   Explains the API Fuzzer Logic. !   Conclusion
  • 6. What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
  • 7. Hosted in your environment. Your application and data is never send to the cloud.
  • 9. Static Analyzer Mobile Security Framework INPUT OUTPUT REPORT
  • 10. Demo Static Analysis & Report Generation (Diva)
  • 11. Static Analysis & Some Statistics !   Static Analysis on Top Financial Apps - Criteria !   SSL bypass in Native Code !   SSL bypass in WebView !   Remote Web View Debugging !   Hardcoded Secrets
  • 12. Top Indian Bank Apps Analyzed
  • 14. Top Indian Wallet Apps Analyzed
  • 15. Observations !   State of Mobile App Security, Not evolved as Web Security. !   Most common issue is SSL Bypass in (Both Native Code and WebView) !   SSL Error bypassed in WebViews are really really bad.
  • 17. Dynamic Analyzer Mobile Security Framework INPUT Android VM Or Android Device REPORT OUTPUT
  • 18. Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
  • 20. Dynamic SSL Testing !   Dynamically verify if SSL connections are securely implemented. !   Disable JustTrustMe and Remove MobSF Root CA. !   If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
  • 21. Exported Activity Tester !   Android Exported Activities. DEMO
  • 22. Challenges in Dynamic Analysis !   Some Android Apps are built with security in mind. !  Anti VM Detection !  Anti Root Detection !  Anti MITM with Certificate Pinning. !  Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
  • 23. How to deal with these Challenges !   API overriding with Xposed Framework !  Anti VM Detection Bypass –> Android Blue Pill !  Anti Root Detection Bypass -> RootCloak !  Anti MITM Certificate Pinning Bypass -> JustTrustMe !   APK smali Patching. !   For sophisticated apps and malware, Use a real device for dynamic analysis.
  • 24. Dynamic Analysis on Device ! MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis !   Documentation here: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis- Environment-in-your-Android-Device-or-VM !   DEMO : Weak Crypto !   Java - String hashCode() Method !   s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
  • 25. Web API Fuzzer •  Login API •  Pin API •  Register API •  Logout API Select •  Select Scope URLs of Scan •  Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
  • 26. Fuzzing REST APIs !   Why most web scanners suck at API Testing? !   We have knowledge about the application and generic API routes (Login, Logout, Register). !   So we use more of Whitebox approach than Blackbox approach. !   Detects vulnerabilities like IDOR, SSRF and XXE.
  • 27. What We Detect !   XXE !   SSRF !   IDOR !   Directory Traversal or Path Traversal !   Logical and Session Related !   API Rate Limiting
  • 29. SSRF & XXE API Server Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
  • 30. Insecure Direct Object Reference (IDOR) !   Without Credentials. !   With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
  • 31. Session Related Checks Web API Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
  • 32. Rate Limiter Web API Fuzzer API Server Brute force Login API and Register API
  • 33. Other Checks !   Security Headers and Info Gathering !   Directory/ Path Traversal
  • 34. DEMO
  • 35. What's Coming Soon? !   Windows App Security Analyzer. !   iOS App Dynamic Analysis. !   API Fuzzer to support detection of SQLi and RCE. !   Export Proxy logs to BurpSuite/IronWASP/ZAP
  • 36. Stakeholders !   Looks like people are interested! !   Bugs opened and Closed
  • 37. Useful Links !   Source: https://github.com/ajinabraham/Mobile-Security-Framework !   Issues: https://github.com/ajinabraham/Mobile-Security-Framework/ issues !   Documentation: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki !   Video Course: https://opsecx.com/index.php/product/automated-mobile- application-security-assessment-with-mobsf/
  • 38. QA @ajinabraham ajin25@gmail.com Thanks & Credits •  Sachinraj Shetty •  Kamaiah Nadavala •  Bharadwaj Machiraju •  Yashin Mehboobe •  Anto Joseph •  Tim Brown •  Thomas Abraham •  Graphics/Image Owners