Ajin Abraham
AppSec PNW: Android and iOS Application Security with MobSF
Mobile Application Security simplified
#whoami
• Senior Application Security Engineer @ Chime Financial
• Application Security & Security Engineering ~10 years
• Authored a couple of open source security projects
• MobSF, nodejsscan, OWASP Xenotix etc.
• Published research at Hack In Paris, Hack In the Box, PHDays, OWASP
AppSec, Blackhat Arsenal, Nullcon etc.
• Security Blog: ajinabraham.com
Consultancy: opensecurity.ca
Disclaimer: All images used in this presentation belong to their respective owners.
What is MobSF?
Free & Open Source Mobile Application Security tool
• Shipped as a dockerized Python Django web application.
• Supports all the popular binary and source code formats.
• Supports Dynamic Analysis & Instrumented Security testing with popular
emulators and virtual machines.
History & Stats
MobSF Timeline
• Open Source, licensed under GPL v3.
• Started out in Dec 2014 as an automation for repetitive tasks at work.
• Today we have contributors (90+) from all over the world.
• Actively developed and maintained.
• Free Slack Community Support Channel.
• 1450+ closed issues, 870+ pull requests, 44 releases.
Before MobSF
How do I analyze Mobile applications in-house?
• Static Analysis:
• Different tools for decompiling, disassembling, SAST, converting, reporting
• Convert binary files to readable formats (ex: Binary XML/PLIST -> Text XML/PLIST)
• Disassemble & Decompile (ex: APK (DEX) -> JAR -> SMALI/JAVA)
• Binary Analysis of MachO/ELF/DEX/.so/.dylib
• Specialized tools for parsing and data extraction
• SAST, SCA, Secret Scanning etc. on code and configuration files
• Dynamic Analysis:
• Configuring a rooted and jailbroken device/virtual machine
• Configure HTTPS proxy and install certificates
• Bypass TLS/cert pinning, root detection, anti-debug checks
• Install and setup instrumentation tools
• Log analysis, memory analysis, file system analysis.
After MobSF
Tada 🎉!
Target Audience
How can MobSF help you?
• Developers: Identify security issues as and when applications are being
developed.
• Security Engineers/Pentesters: Perform interactive security assessment of
Mobile apps.
• DevSecOps Engineers: Integrate MobSF in your CI/CD pipeline for shift left
coverage.
• Malware Analysts: Identify malicious behaviour, patterns in code and at runtime.
• Layman: Anyone who is concerned about the privacy and security of the mobile
applications they are using.
How does it work?
Static Analysis
[INFO] 14/Jun/2024 20:21:05 - MIME Type: application/vnd.android.package-archive FILE: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Performing Static Analysis of Android APK
[INFO] 14/Jun/2024 20:21:05 - Scan Hash: 6ea61e5468c39ef4b9650661849a843e
[INFO] 14/Jun/2024 20:21:05 - Starting Analysis on: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Generating Hashes
[INFO] 14/Jun/2024 20:21:05 - Unzipping
[INFO] 14/Jun/2024 20:21:05 - APK Extracted
[INFO] 14/Jun/2024 20:21:05 - Getting Hardcoded Certificates/Keystores
[INFO] 14/Jun/2024 20:21:05 - Getting AndroidManifest.xml from APK
[INFO] 14/Jun/2024 20:21:05 - Converting AXML to XML
[INFO] 14/Jun/2024 20:21:07 - Parsing AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Parsing APK with androguard
[INFO] 14/Jun/2024 20:21:07 - Starting analysis on AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Extracting Manifest Data
[INFO] 14/Jun/2024 20:21:07 - Performing Static Analysis on: Beetlebug (app.beetlebug)
[INFO] 14/Jun/2024 20:21:07 - Fetching Details from Play Store: app.beetlebug
[INFO] 14/Jun/2024 20:21:07 - Manifest Analysis Started
[INFO] 14/Jun/2024 20:21:08 - App Link Assetlinks Check - [app.beetlebug.ctf.DeeplinkAccountActivity] https://beetlebug.com
[INFO] 14/Jun/2024 20:21:08 - Checking for Malware Permissions
[INFO] 14/Jun/2024 20:21:08 - Fetching icon path
[INFO] 14/Jun/2024 20:21:08 - Library Binary Analysis Started
[INFO] 14/Jun/2024 20:21:08 - Reading Code Signing Certificate
[INFO] 14/Jun/2024 20:21:08 - Getting Signature Versions
[INFO] 14/Jun/2024 20:21:08 - Running APKiD 2.1.5
[INFO] 14/Jun/2024 20:21:10 - Trackers Database is up-to-date
[INFO] 14/Jun/2024 20:21:10 - Detecting Trackers
[INFO] 14/Jun/2024 20:21:12 - APK -> JAVA
[INFO] 14/Jun/2024 20:21:12 - Decompiling to Java with jadx
[INFO] 14/Jun/2024 20:21:20 - DEX -> SMALI
[INFO] 14/Jun/2024 20:21:20 - Converting classes9.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes8.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes11.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes10.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes3.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes2.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes6.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes7.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes5.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes4.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Code Analysis Started on - java_source
[INFO] 14/Jun/2024 20:22:03 - Android SAST Completed
[INFO] 14/Jun/2024 20:22:03 - Android API Analysis Started
[INFO] 14/Jun/2024 20:22:47 - Android Permission Mapping Started
[INFO] 14/Jun/2024 20:22:53 - Android Permission Mapping Completed
[INFO] 14/Jun/2024 20:22:53 - Finished Code Analysis, Email and URL Extraction
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from APK
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from Source Code
[INFO] 14/Jun/2024 20:22:54 - Detecting Firebase URL(s)
[INFO] 14/Jun/2024 20:22:55 - Performing Malware Check on extracted Domains
[INFO] 14/Jun/2024 20:22:55 - Maltrail Database is up-to-date
[INFO] 14/Jun/2024 20:22:56 - Saving to Database
Pipeline stages (annotated against the log above):
• Extract app binary, generate hashes
• Convert Plist/Manifest files; analyze Plist/Manifest files for vulnerabilities and misconfigurations; analyze Application Permissions, Network configurations, IPC configurations
• Perform Binary Analysis on Shared/Dynamic libs; run specialized binary analysis tools against the application; identify privacy concerns such as trackers
• Convert binaries to human readable code formats; decompile the code to SAST friendly languages
• SAST, API Analysis and Permission Mapping
• Information Gathering, Secrets and other sensitive data extraction; Geolocation, malicious domain check
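The App Link check that appears in the log above (`App Link Assetlinks Check - [...] https://beetlebug.com`) can be reproduced outside MobSF. The script below is an added example, not MobSF's own code: it fetches a host's Digital Asset Links file and decides whether the APK's package name and signing-certificate fingerprint (the certificate MobSF reads in the "Reading Code Signing Certificate" step) are authorised for `handle_all_urls`. A host that publishes no matching statement means Android will not auto-verify the link, so an `autoVerify` intent-filter silently degrades to an ordinary deep link that is not exclusively bound to this app. The host, package name, fingerprint and statement list used in `demo()` are constructed sample data, not fetched from beetlebug.com.

```python
"""Android App Link (Digital Asset Links) verification check.

Added example, not MobSF's code. Reproduces the core of MobSF's
"App Link Assetlinks Check" so it can be run offline against constructed
data; the fetch callback is swapped for a real HTTPS fetch in practice.
"""
import hashlib
import json
from urllib.request import urlopen

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def assetlinks_url(host: str) -> str:
    # Android only honours the statement list at this fixed path, over HTTPS.
    return f"https://{host}/.well-known/assetlinks.json"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER signing certificate in the colon-separated form assetlinks uses."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def grants_handle_all_urls(statements: list, package_name: str, fingerprint: str) -> bool:
    """True if any statement authorises package_name signed by fingerprint."""
    for st in statements:
        target = st.get("target", {})
        if HANDLE_ALL_URLS not in st.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        published = {f.upper() for f in target.get("sha256_cert_fingerprints", [])}
        if fingerprint.upper() in published:
            return True
    return False


def check_app_link(host: str, package_name: str, fingerprint: str, fetch=None) -> dict:
    """Classify one autoVerify host as verified / not_verified / missing."""
    fetch = fetch or (lambda url: urlopen(url, timeout=10).read())
    url = assetlinks_url(host)
    try:
        statements = json.loads(fetch(url))
    except Exception as exc:  # DNS/TLS/HTTP failure or invalid JSON: not verifiable
        return {"host": host, "status": "missing", "detail": f"{url}: {exc}"}
    if not isinstance(statements, list):
        return {"host": host, "status": "missing", "detail": f"{url}: top level is not a JSON array"}
    if grants_handle_all_urls(statements, package_name, fingerprint):
        return {"host": host, "status": "verified", "detail": url}
    return {"host": host, "status": "not_verified",
            "detail": f"{url}: no handle_all_urls statement for {package_name} / {fingerprint}"}


# Constructed sample (not real certificate material): a correctly published statement list.
SAMPLE_FINGERPRINT = cert_fingerprint(b"constructed-not-a-real-certificate")
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {
        "namespace": "android_app",
        "package_name": "app.beetlebug",
        "sha256_cert_fingerprints": [SAMPLE_FINGERPRINT],
    },
}]).encode()


def demo() -> list:
    """Run the check against the constructed sample and against an unreachable host."""
    served = {assetlinks_url("beetlebug.com"): SAMPLE_ASSETLINKS}

    def offline_fetch(url):
        if url not in served:
            raise OSError("connection refused")
        return served[url]

    return [
        check_app_link("beetlebug.com", "app.beetlebug", SAMPLE_FINGERPRINT, offline_fetch),
        check_app_link("beetlebug.com", "app.beetlebug", "AA:" * 31 + "AA", offline_fetch),
        check_app_link("attacker.example", "app.beetlebug", SAMPLE_FINGERPRINT, offline_fetch),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r["status"], r["detail"])
```

Run it with the package name from `AndroidManifest.xml` and the fingerprint of the certificate the APK is actually signed with (a debug-signed build will never match the production statement, which is a common false negative). Treat `missing` and `not_verified` the same way in a report: in both cases the platform will not bind the host to the app.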
DEMO: Static Analysis
Android SAST
AppSec Scorecard
iOS SAST
How does it work?
Dynamic Analysis
[Architecture diagram] Inputs: Android APK / iOS IPA. Targets: Rooted Android VM / Jailbroken iOS VM (via the Corellium API). MobSF Agents on the target (scripts, helpers) plus an HTTPS proxy. Outputs: report, logs, raw data.
DEMO: Dynamic Analysis
Dynamic Analyzer
Report Generation
DEMO: Deeplink Exploitation
Static Analysis
Dynamic Verification
DEMO: Solve CTF Challenges
Android CTF Challenge
iOS CTF Challenge
DEMO: Defeat Malware
Static Analysis Hints
Dynamic Analysis
DevSecOps
MobSF in CI/CD: REST APIs
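One way to wire the REST API into a pipeline, as an added example rather than code from the MobSF project: upload the build artefact, trigger the static analyzer, pull the AppSec scorecard and fail the job on policy. The endpoints (`/api/v1/upload`, `/api/v1/scan`, `/api/v1/scorecard`) and the `Authorization: <api key>` header follow MobSF's REST API; the scorecard field names (`security_score`, `high`, `warning`, `info`, `hotspot`) and the `MOBSF_URL` / `MOBSF_API_KEY` environment variables are assumptions to check against your server's `/api_docs` page.

```python
"""CI gate for MobSF static scans via the REST API.

Added example, not code from the MobSF project. Endpoint paths and the
Authorization header follow MobSF's REST API docs; the scorecard field names
are assumed from MobSF's JSON output (verify on your server's /api_docs page).
MOBSF_URL and MOBSF_API_KEY are assumed environment variables.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid


def multipart_body(field: str, filename: str, data: bytes, boundary: str) -> bytes:
    """Hand-rolled multipart/form-data so the script needs only the stdlib."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def form(fields: dict) -> tuple:
    """Body and content type for a plain form POST."""
    return urllib.parse.urlencode(fields).encode(), "application/x-www-form-urlencoded"


def api_post(base: str, api_key: str, path: str, body: bytes, content_type: str) -> dict:
    """POST to MobSF; the API key goes in the Authorization header as-is (no 'Bearer')."""
    req = urllib.request.Request(base.rstrip("/") + path, data=body, method="POST")
    req.add_header("Authorization", api_key)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:  # static scans can take minutes
        return json.loads(resp.read())


def upload_scan_score(base: str, api_key: str, binary_path: str) -> dict:
    """Upload the APK/IPA, run the static analyzer, return the scorecard JSON."""
    boundary = uuid.uuid4().hex
    with open(binary_path, "rb") as fh:
        body = multipart_body("file", os.path.basename(binary_path), fh.read(), boundary)
    up = api_post(base, api_key, "/api/v1/upload", body,
                  f"multipart/form-data; boundary={boundary}")
    # Newer servers only need "hash"; older ones also wanted scan_type/file_name,
    # which the upload response supplies, so pass through whatever is present.
    api_post(base, api_key, "/api/v1/scan",
             *form({k: up[k] for k in ("hash", "scan_type", "file_name") if k in up}))
    return api_post(base, api_key, "/api/v1/scorecard", *form({"hash": up["hash"]}))


def _count(value) -> int:
    # Assumed: severity buckets are lists of findings; tolerate a bare count too.
    return value if isinstance(value, int) else len(value or [])


def evaluate_gate(scorecard: dict, min_score: int = 60, max_high: int = 0) -> tuple:
    """Decide pass/fail from the scorecard; returns (passed, reasons)."""
    reasons = []
    score = int(scorecard.get("security_score", 0))
    if score < min_score:
        reasons.append(f"security_score {score} < {min_score}")
    high = _count(scorecard.get("high"))
    if high > max_high:
        reasons.append(f"{high} high-severity finding(s) (max {max_high})")
    # Warnings and hotspots are reported but do not break the build on their own.
    return (not reasons), reasons


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: mobsf_gate.py <app.apk|app.ipa>", file=sys.stderr)
        return 2
    base = os.environ["MOBSF_URL"]          # e.g. http://mobsf.internal:8000 (assumed)
    api_key = os.environ["MOBSF_API_KEY"]   # shown on the MobSF console / /api_docs page
    card = upload_scan_score(base, api_key, argv[1])
    passed, reasons = evaluate_gate(card)
    print(f"security_score={card.get('security_score')} high={_count(card.get('high'))} "
          f"warning={_count(card.get('warning'))} hotspot={_count(card.get('hotspot'))}")
    for reason in reasons:
        print("FAIL:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is what the pipeline keys on, so keep the policy in `evaluate_gate` and version it with the repo; a score threshold alone is too coarse once an app has many informational findings, which is why high-severity findings are counted separately. Store the API key as a CI secret rather than in the job definition.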
DevSecOps
MobSF SAST in CI/CD
• pip install mobsfscan
mobsfscan <source_code_path>
• CLI and Library
mobsfscan GitHub action
Enterprise Ready
Enterprise support services
• Multi user authentication and access control
• SAML 2.0 SSO support
• SLA bound priority feature requests, bug fixes & consultancy (paid)
• Everything goes back to the community
Questions?
Thanks for listening
• Kudos 🎉 to core contributors Magaofei, Matan, &
Vincent
• Github: https://github.com/MobSF/Mobile-
Security-Framework-MobSF
• Documentation: https://mobsf.github.io/docs/
• Support Slack Channel: https://mobsf.slack.com
• Contact: ajin<AT>opensecurity.in | @ajinabraham

Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024
Michael Price
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024
Stephanie Beckett
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
AimanAthambawa1
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 

Recently uploaded (20)

Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 

AppSec PNW: Android and iOS Application Security with MobSF

Target Audience
How can MobSF help you?
• Developers: Identify security issues as and when applications are being developed.
• Security Engineers/Pentesters: Perform interactive security assessment of Mobile apps.
• DevSecOps Engineers: Integrate MobSF in your CI/CD pipeline for shift left coverage.
• Malware Analysts: Identify malicious behaviour, patterns in code and at runtime.
• Layman: Anyone who is concerned about the privacy and security of the mobile applications they are using.
How does it work? Static Analysis
[INFO] 14/Jun/2024 20:21:05 - MIME Type: application/vnd.android.package-archive FILE: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Performing Static Analysis of Android APK
[INFO] 14/Jun/2024 20:21:05 - Scan Hash: 6ea61e5468c39ef4b9650661849a843e
[INFO] 14/Jun/2024 20:21:05 - Starting Analysis on: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Generating Hashes
[INFO] 14/Jun/2024 20:21:05 - Unzipping
[INFO] 14/Jun/2024 20:21:05 - APK Extracted
[INFO] 14/Jun/2024 20:21:05 - Getting Hardcoded Certificates/Keystores
[INFO] 14/Jun/2024 20:21:05 - Getting AndroidManifest.xml from APK
[INFO] 14/Jun/2024 20:21:05 - Converting AXML to XML
[INFO] 14/Jun/2024 20:21:07 - Parsing AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Parsing APK with androguard
[INFO] 14/Jun/2024 20:21:07 - Starting analysis on AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Extracting Manifest Data
[INFO] 14/Jun/2024 20:21:07 - Performing Static Analysis on: Beetlebug (app.beetlebug)
[INFO] 14/Jun/2024 20:21:07 - Fetching Details from Play Store: app.beetlebug
[INFO] 14/Jun/2024 20:21:07 - Manifest Analysis Started
[INFO] 14/Jun/2024 20:21:08 - App Link Assetlinks Check - [app.beetlebug.ctf.DeeplinkAccountActivity] https://beetlebug.com
[INFO] 14/Jun/2024 20:21:08 - Checking for Malware Permissions
[INFO] 14/Jun/2024 20:21:08 - Fetching icon path
[INFO] 14/Jun/2024 20:21:08 - Library Binary Analysis Started
[INFO] 14/Jun/2024 20:21:08 - Reading Code Signing Certificate
[INFO] 14/Jun/2024 20:21:08 - Getting Signature Versions
[INFO] 14/Jun/2024 20:21:08 - Running APKiD 2.1.5
[INFO] 14/Jun/2024 20:21:10 - Trackers Database is up-to-date
[INFO] 14/Jun/2024 20:21:10 - Detecting Trackers
[INFO] 14/Jun/2024 20:21:12 - APK -> JAVA
[INFO] 14/Jun/2024 20:21:12 - Decompiling to Java with jadx
[INFO] 14/Jun/2024 20:21:20 - DEX -> SMALI
[INFO] 14/Jun/2024 20:21:20 - Converting classes9.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes8.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes11.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes10.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes3.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes2.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes6.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes7.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes5.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes4.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Code Analysis Started on - java_source
[INFO] 14/Jun/2024 20:22:03 - Android SAST Completed
[INFO] 14/Jun/2024 20:22:03 - Android API Analysis Started
[INFO] 14/Jun/2024 20:22:47 - Android Permission Mapping Started
[INFO] 14/Jun/2024 20:22:53 - Android Permission Mapping Completed
[INFO] 14/Jun/2024 20:22:53 - Finished Code Analysis, Email and URL Extraction
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from APK
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from Source Code
[INFO] 14/Jun/2024 20:22:54 - Detecting Firebase URL(s)
[INFO] 14/Jun/2024 20:22:55 - Performing Malware Check on extracted Domains
[INFO] 14/Jun/2024 20:22:55 - Maltrail Database is up-to-date
[INFO] 14/Jun/2024 20:22:56 - Saving to Database
Pipeline phases annotated on the slide (top to bottom):
• Extract app binary, generate hashes
• Convert Plist/Manifest files; analyze Plist/Manifest files for vulnerabilities and misconfigurations; analyze application permissions, network configurations, IPC configurations
• Perform binary analysis on shared/dynamic libs; run specialized binary analysis tools against the application; identify privacy concerns such as trackers
• Convert binaries to human readable code formats; decompile the code to SAST friendly languages
• SAST, API Analysis and Permission Mapping
• Information gathering, secrets and other sensitive data extraction; geolocation, malicious domain check
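The "Manifest Analysis" and "App Link Assetlinks Check" stages in the log above operate on the text AndroidManifest.xml produced by the AXML -> XML step. The following is an added illustration of what such a stage checks; it is not MobSF's own code or rule set, the sample manifest and the package name com.example.demo are constructed, and the checks are a deliberately small subset (debuggable, allowBackup, cleartext traffic, exported components without a permission guard, browsable deep-link entry points). It goes slightly beyond the slide in one respect: it applies the pre-API-31 rule that a component with an intent-filter is exported by default when android:exported is not declared.

```python
"""Small AndroidManifest.xml misconfiguration checks, in the spirit of the
"Manifest Analysis" stage above.  Added example, not MobSF code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"
BROWSABLE = "android.intent.category.BROWSABLE"


def _attr(elem, name, default=None):
    """Read an attribute from the android: XML namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def _full_name(pkg, name):
    """Expand the shorthand '.Foo' component name to 'pkg.Foo'."""
    return pkg + name if name.startswith(".") else name


def _categories(intent_filter):
    return {_attr(c, "name") for c in intent_filter.findall("category")}


def analyze_manifest(xml_text):
    """Return findings as (rule_id, severity, detail) tuples, in document order."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append(("debuggable", "high",
                         'android:debuggable="true": a debugger can attach to the shipped build'))
    # allowBackup defaults to true when absent, so test the effective value.
    if _attr(app, "allowBackup", "true") == "true":
        findings.append(("allow_backup", "medium",
                         "app data can be extracted with adb backup (allowBackup unset or true)"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("cleartext_traffic", "medium",
                         'usesCleartextTraffic="true" permits plain HTTP'))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _full_name(pkg, _attr(comp, "name", "?"))
            filters = comp.findall("intent-filter")
            if any(LAUNCHER in _categories(f) for f in filters):
                continue  # the launcher activity has to be exported; not a finding
            exported = _attr(comp, "exported")
            # Pre-API-31 rule: an intent-filter implies exported=true when unset.
            is_exported = exported == "true" or (exported is None and bool(filters))
            if is_exported and _attr(comp, "permission") is None:
                findings.append(("exported_" + tag, "medium",
                                 "%s is exported without a permission guard" % name))
    return findings


def app_links(xml_text):
    """List browsable deep-link entry points as (component, url, auto_verify).
    An https entry with auto_verify=True is what an assetlinks.json check
    (the 'App Link Assetlinks Check' log line) would need to resolve."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    links = []
    if app is None:
        return links
    for tag in ("activity", "activity-alias"):
        for comp in app.findall(tag):
            name = _full_name(pkg, _attr(comp, "name", "?"))
            for f in comp.findall("intent-filter"):
                if BROWSABLE not in _categories(f):
                    continue
                auto_verify = _attr(f, "autoVerify") == "true"
                for d in f.findall("data"):
                    scheme, host = _attr(d, "scheme"), _attr(d, "host")
                    if scheme:
                        links.append((name, "%s://%s" % (scheme, host or ""), auto_verify))
    return links


# Constructed sample manifest (placeholder package name), not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"
              android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for rule, sev, detail in analyze_manifest(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % (sev.upper(), rule, detail))
    for comp, url, verified in app_links(SAMPLE_MANIFEST):
        print("deep link: %s -> %s (autoVerify=%s)" % (url, comp, verified))
```

On the sample, the guarded SyncService and the launcher activity produce no finding, while the implicitly exported AccountActivity and the exported provider do; the https link on AccountActivity is the kind of entry that the assetlinks check in the log would go on to verify against the host.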
DEMO: Static Analysis
• Android SAST
• AppSec Scorecard
• iOS SAST
How does it work? Dynamic Analysis
(Architecture diagram; labels: Android APK, iOS IPA, Jailbroken iOS VM / Rooted Android VM, Corellium API, MobSF Agents, Scripts, Helpers, HTTPs Proxy, Report, Logs, Raw data)
DEMO: Dynamic Analysis
• Dynamic Analyzer
• Report Generation
DEMO: Deeplink Exploitation
• Static Analysis
• Dynamic Verification
DEMO: Solve CTF Challenges
• Android CTF Challenge
• iOS CTF Challenge
DEMO: Defeat a Malware
• Static Analysis Hints
• Dynamic Analysis
DevSecOps
MobSF SAST in CI/CD
• pip install mobsfscan
• mobsfscan <source_code_path>
• CLI and Library
• mobsfscan GitHub action
Enterprise Ready
Enterprise support services
• Multi user authentication and access control
• SAML 2.0 SSO support
• SLA bound priority feature requests, bug fixes & consultancy (paid)
• Everything goes back to the community
Questions?
Thanks for listening
• Kudos 🎉 to core contributors Magaofei, Matan, & Vincent
• Github: https://github.com/MobSF/Mobile-Security-Framework-MobSF
• Documentation: https://mobsf.github.io/docs/
• Support Slack Channel: https://mobsf.slack.com
• Contact: ajin<AT>opensecurity.in | @ajinabraham