
Mobile Application Security


Presentation on Mobile Application Security at Null Delhi Meet on 25th Dec. 2011.

By Ishan Girdhar

Published in: Technology

  1. // …. and That’s all.
  2. Part 1: Mobile Application Security
     Part 2: Pentesting Mobile Application
     Part 3: OWASP Top Ten Mobile Application Risks
     Part 4: Case Study & Demonstrations
  3. - Introduction to Mobile Application Security
     - Mobile Security Stack
     - Mobile Threat Model
     - Modus Operandi for Mobile Application Audit
     - Roadblocks
     - Future of Mobile Application Security
  4. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general-purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. Mobile devices, however, are designed around personal and communication functionality, which makes mobile application and mobile security risks different from the top traditional computing risks.
  5. - Infrastructure Layer (lowest layer): protocols such as CDMA, GSM; GPS; SMS, MMS
     - Hardware Layer: smartphone/tablet; firmware
     - Operating System Layer: Symbian S40/S60; Froyo, Gingerbread
     - Application Layer
  6. 1. Dynamic Analysis
        1. Debug the running app (on device or in emulator)
        2. Analyze network traffic
        3. Analyze remote services (HTTP/SOAP/etc.)
     2. Static Analysis
        1. Get the application
           1. Extract the application from the device
           2. Receive the application package from the developers
        2. Source code review
        3. Reverse engineering
        4. Disassembly
        5. Patching
  7. - OWASP guidelines and procedures for testing are not yet available as they are for web applications.
     - A mobile application also includes vulnerabilities in the underlying architecture (OS and vendor specific), unlike a web application, where only application vulnerabilities are concerned.
     - Applications can use various modes of communication such as SMS, MMS, EDGE, GPRS, 3G and WiFi, which makes security testing difficult.
     - Simulators have their own limitations:
       - They cannot simulate SMS communication (in the case of communicating with an SMS gateway), though they provide a mechanism to send and receive SMS between simulators.
       - Simulators don’t allow intercepting the traffic of installed applications (it has to be done forcefully, by injecting into an application running in the simulator to intercept the network communication of that process).
  8. Pen testing Mobile Applications – Android
     - Background
     - Setting up the test environment
     - Setting up a proxy
     - Android application penetration testing toolkit
     - Reverse engineering Android applications
     - File permissions in Android
  9. Android is a Linux-based platform developed by Google and the Open Handset Alliance. Application programming for it is done exclusively in Java. The Android operating system software stack consists of Java applications running on a Dalvik virtual machine (DVK). The current version as of August 2010 is 2.2. There are over 90,00 applications available in the Android Market.
  10. There are several ways to test a mobile application, e.g.:
      - Using Burp with a proxy.
      - Using a phone emulator with a proxy.
      - Using a phone to test and proxying outgoing phone data to a PC.
      Requirements:
      - Computer running a Windows OS
      - Java 6
      - Eclipse SDK – Helios/Indigo
      - Android 3.5 SDK
      - Burp! Proxy
  11. If the application under test uses HTTP(S), or it is a website that you are testing in the Android browser, the next step is to set up a proxy tool such as Burp! There are 4 main ways of setting up such a proxy:
  12. Specify the proxy details when starting the emulator using the command below. This command starts the AVD with a proxy listening on port 8080:
      emulator -avd testavd -http-proxy http://localhost:8080
  13. The second option is to specify the proxy details in the emulator APN settings as shown below: Home -> Menu -> Wireless & networks -> Mobile Network -> Access Point Names. Update the following:
      NAME: Internet
      APN: Internet
      Proxy: IP address of your computer
      USERNAME: <N/A>
      PASSWORD: <N/A>
  14. The third option is to specify it from the adb shell, using the export command to set an environment variable, for example:
      export HTTP_PROXY=http://localhost:8080
  15. The final alternative is to change the proxy setting in the settings database from which the Android web browser reads. The settings database uses SQLite. Familiarity with basic SQL commands is recommended if you plan to use this method. Change the hostname and port information appropriately using the below command:
  16. Dynamic Analysis Tools:
      - ADB
      - Manifest Explorer
      - Intent Sniffer
      - Busybox
      - Strace
      - Procrank
      Static Analysis:
      - Disassembly: Dex2jar, Baksmali
      - Reverse Engineering: JD-GUI
  17. 1. ADB
      2. Manifest Explorer
      3. Intent Sniffer
      4. Busybox
      5. Strace
      6. Procrank
  18. Android Debug Bridge: it is part of the Android SDK. It has its own shell, which allows you to execute Linux commands such as ls -l. The Android developer’s guide lists the full range of ADB commands, but we highlight a few below. ADB can be used to locate all the emulators and Android devices connected to the computer using the command below:
      adb devices
  19. In our case the command found one instance of the emulator running. If multiple instances are running you can use the -s option in order to run commands against a specific device or emulator:
      adb -s emulator-5554 install Foobar.apk
      Another important function provided by adb is to push or pull files to and from the device/emulator.
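When more than one target is attached, picking the serial for the -s option by hand is error-prone. The script below is an added example (not from the slides): it parses the output of adb devices, keeps only targets whose state is "device" (an "offline" emulator would make every adb command fail), selects the first ready emulator, and builds the install command line. The adb output is constructed inline so the script runs without an emulator; the serial 0123456789ABCDEF is a made-up placeholder.

```shell
#!/bin/sh
# Added example: select one adb target from `adb devices` output.
# ADB_DEVICES_OUTPUT is CONSTRUCTED sample text (real adb separates
# the columns with a tab; awk treats tabs and spaces alike).
ADB_DEVICES_OUTPUT='List of devices attached
emulator-5554    device
0123456789ABCDEF device
emulator-5556    offline'

# device_serials OUTPUT -> serials whose state is "device" (ready to accept commands).
# The header line ("List of devices attached") is skipped with NR>1.
device_serials() {
    printf '%s\n' "$1" | awk 'NR>1 && $2=="device" {print $1}'
}

# emulator_serial OUTPUT -> first ready emulator serial; exit status 1 if none.
emulator_serial() {
    device_serials "$1" | grep '^emulator-' | head -n 1 | grep .
}

# install_cmd SERIAL APK -> the adb command line that targets exactly one device,
# i.e. the "adb -s <serial> install <apk>" form shown on the slide.
install_cmd() {
    printf 'adb -s %s install %s\n' "$1" "$2"
}

# Stand-alone demo: report what was found and which command would be run.
echo "Ready targets:"
device_serials "$ADB_DEVICES_OUTPUT"
if serial=$(emulator_serial "$ADB_DEVICES_OUTPUT"); then
    echo "Would run: $(install_cmd "$serial" Foobar.apk)"
else
    echo "No emulator in 'device' state; start one or check 'adb devices'"
fi
```

To use it against a real machine, replace the constructed string with `ADB_DEVICES_OUTPUT=$(adb devices)`; the functions are unchanged.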
  20. Every application running on Android has an AndroidManifest.xml file. This file is very important from a security perspective, as it defines the permissions an application requests. The Manifest Explorer tool is a utility that allows you to review this XML file with ease. When testing, it is important to verify that the application follows the principle of “least privilege” and does not use permissions that are not required for it to function.
  21. An Intent is a mechanism in Android to move data between processes. It forms the core of Android’s Inter-Process Communication (IPC). Intents can indicate a number of actions such as startService, sendBroadcast, etc. The Intent Sniffer tool performs monitoring of Intents.
  22. Busybox provides some Linux commands that can be useful during the penetration testing process. It extends the capability of Android’s toolbox. In order to install Busybox you can go through the following steps: Download the busybox
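The least-privilege check described above can be scripted so that every <uses-permission> in the manifest is compared against the list of permissions the application is documented to need. The script below is an added example, not part of the slides or of the Manifest Explorer tool: the manifest is constructed inline for a hypothetical notes application, and EXPECTED is that application's assumed allowlist. Anything outside the allowlist is reported for review, and the android:debuggable flag is flagged because a debuggable release build exposes the process to any local debugger.

```shell
#!/bin/sh
# Added example: least-privilege review of an AndroidManifest.xml.
# MANIFEST is CONSTRUCTED for this demo; in practice read it from the
# decoded APK (e.g. the output of apktool or Manifest Explorer).
MANIFEST=$(cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application android:debuggable="true" android:label="Notes" />
</manifest>
EOF
)

# Hypothetical allowlist: the permissions a notes app is documented to need.
EXPECTED="android.permission.INTERNET android.permission.WRITE_EXTERNAL_STORAGE"

# list_permissions MANIFEST_TEXT -> one requested android.permission.* name per line
list_permissions() {
    printf '%s\n' "$1" \
        | grep -o 'android:name="android\.permission\.[A-Z_]*"' \
        | sed 's/^android:name="//; s/"$//'
}

# unexpected_permissions MANIFEST_TEXT -> requested permissions not in EXPECTED.
# The case pattern wraps both sides in spaces so INTERNET does not match
# a longer name that merely contains it.
unexpected_permissions() {
    for p in $(list_permissions "$1"); do
        case " $EXPECTED " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# is_debuggable MANIFEST_TEXT -> exit 0 when android:debuggable="true" is set
is_debuggable() {
    printf '%s\n' "$1" | grep -q 'android:debuggable="true"'
}

# Stand-alone demo: print the review findings.
echo "Declared permissions:"
list_permissions "$MANIFEST"
echo "Not in the documented allowlist (justify or remove):"
unexpected_permissions "$MANIFEST"
if is_debuggable "$MANIFEST"; then
    echo "WARNING: android:debuggable is true; must be false in a release build"
fi
```

With the constructed manifest the script reports READ_CONTACTS and SEND_SMS as unjustified for a notes application and warns about the debuggable flag; the allowlist is the part a tester adjusts per application.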
  23. 1. Disassembly
         1. Dex2jar
         2. Baksmali
      2. Reverse Engineering
         1. Java Application Decompiler (JAD-Gui)
  24. Disassembler: a computer program that translates machine language into assembly language (the inverse operation of an assembler). A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Reverse Engineering: reverse engineering involves reversing a program’s machine code (the string of 0s and 1s that are sent to the logic processor) back into the source code that it was written in, using programming language statements.
  25. Android file permissions use the same model as Linux; to check the permissions of a file, go to the ADB shell and type ls -l. Every .apk file installed on the emulator has its own unique user ID. This prevents one application from accessing another application’s data: any file created by the application will be assigned that application’s user ID and will not normally be accessible to other applications.
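The per-application user ID only protects data whose mode bits keep the "other" class out, so a file review on a device comes down to reading the ls -l listing of the app's data directory. The script below is an added example (not from the slides): it runs over a constructed ls -l listing in the Android toolbox format (mode, owner, group, size, date, time, name) and flags entries that are world-readable, world-writable, or owned by a different application UID. The uid names app_42 and app_43 and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example: flag files in an app's data directory that other apps can reach.
# LISTING is CONSTRUCTED; on a device it would come from
#   adb shell ls -l /data/data/<package>/
# Mode string layout: [type][owner rwx][group rwx][other rwx], so the
# "other" read and write bits are characters 8 and 9 of the first field.
LISTING='-rw------- app_42   app_42     1024 2011-12-20 10:01 prefs.xml
-rw-rw-rw- app_42   app_42     8192 2011-12-20 10:02 cache.db
drwxrwxrwx app_42   app_42     4096 2011-12-20 10:03 shared_prefs
-rw-r--r-- app_42   app_42      512 2011-12-20 10:04 token.txt
-rw-r----- app_43   app_43      256 2011-12-20 10:05 other_app.db'

# world_readable LISTING -> names of entries any uid on the device can read
world_readable() {
    printf '%s\n' "$1" | awk 'substr($1,8,1)=="r" {print $NF}'
}

# world_writable LISTING -> names of entries any uid on the device can modify
world_writable() {
    printf '%s\n' "$1" | awk 'substr($1,9,1)=="w" {print $NF}'
}

# foreign_owner LISTING UID -> entries not owned by the app's own uid,
# i.e. data that ended up in this directory under another identity
foreign_owner() {
    printf '%s\n' "$1" | awk -v uid="$2" '$2 != uid {print $NF}'
}

# Stand-alone demo for the hypothetical app running as app_42.
echo "World-readable (sensitive data here leaks to every app):"
world_readable "$LISTING"
echo "World-writable (another app can tamper with these):"
world_writable "$LISTING"
echo "Not owned by app_42:"
foreign_owner "$LISTING" app_42
```

A clean result for an app that keeps secrets (tokens, session cookies, local databases) is an empty world-readable and world-writable list; mode 0600 files and 0700 directories, as prefs.xml shows, are what the platform's per-UID sandbox is built to protect.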
  26. OWASP Top Ten Mobile Application Risks:
      - M1: Insecure Data Storage
      - M2: Weak Server Side Controls
      - M3: Insufficient Transport Layer Protection
      - M4: Client Side Injection
      - M5: Poor Authorization & Authentication
      - M6: Improper Session Handling
      - M7: Security Decisions Via Untrusted Inputs
      - M8: Side Channel Data Leakage
      - M9: Broken Cryptography
      - M10: Sensitive Information Disclosure
  27. Case Study: Facebook.apk – pentesting a real-world application.
      Demonstrations: reverse engineering a first Trojan for Android malware.
  28. 1. Anant Srivastav Blog
      2. Ankur Bhargava Http://