The document provides an overview of BGA Bilgi Güvenliği A.Ş, a Turkish cybersecurity company that offers strategic security consulting and training. It then outlines BGA's mobile application penetration testing methodology, which involves information gathering, static analysis, dynamic analysis, and examining authentication, authorization, and session management. The methodology describes steps to analyze the mobile app's permissions, network usage, data storage, APIs, libraries, and more to identify potential vulnerabilities.
6. @BGASecurity
BGA | MobilePentest – Information Gathering – Cont.
• Identify the networking interfaces used by the application
• Determine what the application supports for access: 3G, 4G, Wi-Fi and/or others
• What networking protocols are in use?
  - Are secure protocols used where needed?
  - Can they be switched with insecure protocols?
• Does the application perform commerce transactions?
  - Credit card transactions and/or stored payment information (certain industry regulations may be required, e.g. PCI DSS)
  - In-app purchasing of goods or features
• Make a note for future phases: does the application store payment information? How is payment information secured?
9. Information Gathering – Cont.
• Can you determine anything about the server-side application environment?
  - Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)
  - Development environment (Rails, Java, Django, ASP.NET, etc.)
  - Does the application leverage Single Sign-On or authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)?
  - Any other APIs in use:
    - Payment gateways
    - SMS messaging
    - Social networks
    - Cloud file storage
    - Ad networks
• Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior:
  - Leaking sensitive information (e.g. credentials) in the response
  - Resources not exposed through the UI
  - Error messages
  - Cacheable information
11. Getting Started
• If the source is not directly available, decompile or disassemble the application's binary:
  - extract the application from the device
  - follow the appropriate steps for your platform's application reverse engineering
  - some applications may also require decryption prior to reverse engineering (note: decryption and code obfuscation are not the same thing)
• Review the permissions the application requests as well as the resources that it is authorized to access (i.e. AndroidManifest.xml, iOS Entitlements or Windows Phone's WMAppManifest.xml)
• Are there any easy-to-identify misconfigurations in the application's configuration files? Debugging flags set, world-readable/writable permissions, etc.
• What frameworks are in use? Is the application built using a cross-platform framework?
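The manifest review on this slide (requested permissions, debugging flags) and the question on slide 6 of whether the app can be switched to insecure protocols can both be scripted against a decoded AndroidManifest.xml. The checker below is an added example, not BGA's tooling: the manifest it parses is constructed for illustration (a hypothetical `com.example.wallet` app), and the set of permissions it treats as dangerous is a short illustrative subset of Android's dangerous-protection-level list, not the full list.

```python
"""Static audit of a decoded AndroidManifest.xml for the misconfigurations the
"Getting Started" slide asks about (added example; sample manifest is constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Return the Clark-notation name of an android:* attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest for a hypothetical app, as decoded with apktool.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <provider android:name=".HistoryProvider"
              android:authorities="com.example.wallet.history"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.wallet.SYNC"/>
  </application>
</manifest>
"""

# Illustrative subset of Android's dangerous-protection-level permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.WRITE_EXTERNAL_STORAGE",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def audit_manifest(xml_text: str) -> list[str]:
    """Return one finding string per misconfiguration found in the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    # Application-level flags ("debugging flags set", backup exposure, cleartext).
    if app.get(a("debuggable")) == "true":
        findings.append("android:debuggable=true (debug build must not ship)")
    if app.get(a("allowBackup")) != "false":
        findings.append("android:allowBackup not false (app data retrievable via adb backup)")
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append("android:usesCleartextTraffic=true (plaintext HTTP permitted)")
    # Requested permissions: surface the dangerous-group ones for review.
    for perm in root.iter("uses-permission"):
        name = perm.get(a("name"), "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(f"dangerous permission requested: {name}")
    # Exported components with no protecting permission are reachable by any app on the device.
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exp = comp.get(a("exported"))
        # Pre-Android 12 default: a component with an intent-filter is exported unless told otherwise.
        exported = exp == "true" or (exp is None and comp.find("intent-filter") is not None)
        is_launcher = any(c.get(a("name")) == "android.intent.category.LAUNCHER"
                          for c in comp.iter("category"))
        if exported and not is_launcher and comp.get(a("permission")) is None:
            findings.append(f"exported {comp.tag} without permission: {comp.get(a('name'))}")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against the manifest apktool writes out; every hit is a starting point for the dynamic phase (an exported provider without a permission is where the content-provider tests on later slides begin).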
12. Getting Started
• Identify the libraries in use, including both platform-provided and third-party ones. Perform a quick review on the web to determine whether these libraries:
  - are up to date
  - are free of vulnerabilities
  - expose functionality that requires elevated privileges (access to location or contact data)
  - contain native code
• Does the application check for rooted/jailbroken devices? How is this done? How can this be circumvented? Is it as easy as changing the case of a file name or the name of an executable or path?
• Determine what types of objects are implemented to create the various views within the application. This may significantly alter your test cases, as some views implement web browser functionality while others are native UI controls only.
• Is all code expected to run within the platform's standard runtime environment, or are some files/libraries dynamically loaded or called outside of that environment at runtime?
16. Authentication
• Single Sign-On, e.g.
  - OAuth
  - Facebook
  - Google Apps
• SMS
  - How is the sender authenticated?
    - password
    - header information
    - other mechanism?
  - Are one-time passwords (OTP) used, or is other sensitive account data transmitted via SMS?
    - Can other applications access this data?
  - What if an attacker tampers with the OTP using a GPRS modem?
  - Can the application validate the tampered OTP?
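The last two questions on this slide, whether a tampered OTP is caught, are really a backend concern: the app cannot trust what arrives over SMS, so the server must bind each code to the session and phone number that requested it, expire it, cap guesses and consume it on first success. The service below is an added example, not code from the deck; the in-memory store, the injectable clock and the phone numbers are constructed for illustration (a real deployment would back this with a shared store and rate-limit `issue` as well).

```python
"""Server-side OTP issue/verify that rejects tampered, replayed, expired and
brute-forced codes (added example; store and phone numbers are constructed)."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # one-shot code lifetime
MAX_ATTEMPTS = 3        # guesses allowed per issued code


@dataclass
class PendingOtp:
    code: str          # 6-digit code handed to the SMS gateway
    phone: str         # phone number the code is bound to
    issued_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, now=time.time):
        self._now = now                               # injectable clock (constructed for tests)
        self._pending: dict[str, PendingOtp] = {}     # keyed by login session id

    def issue(self, session_id: str, phone: str) -> str:
        """Generate a code with a CSPRNG and bind it to session + phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = PendingOtp(code, phone, self._now())
        return code   # caller passes this to the SMS gateway, never back to the client

    def verify(self, session_id: str, phone: str, submitted: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False                              # nothing pending, or already consumed
        if self._now() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[session_id]             # expired: discard, do not extend
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]             # lock out guessing of the 6 digits
            return False
        # Bound to the requesting phone and compared in constant time: a code altered
        # in transit, or replayed against another session, fails here.
        ok = entry.phone == phone and hmac.compare_digest(entry.code, submitted)
        if ok:
            del self._pending[session_id]             # consume on success: no replay
        return ok
```

The client app only ever submits the code; it never sees the expected value, so tampering on the SMS path (the GPRS-modem scenario on the slide) can only produce a wrong code that is rejected and counted as an attempt.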
21. @BGASecurity
BGA | MobilePentestBGA | MobilePentestData Storage
• Encryption
Ø Are the algorithms used “best of breed” or do they contain known issues?
Ø How are keys derived from i.e. a password?
Ø Based on the algorithms and approaches used to encrypt data, do implementation issues exist that
degrade the effectiveness of encryption?
Ø How are keys managed and stored on the device? Can this reduce the complexity in breaking the
encryption?
• Identify if the application utilizes storage areas external to the “sandboxed” locations to store
unencrypted data such as:
Ø Places with limited access control granularity (SD card, tmp directories, etc.)
Ø Directories that may end up in backups or other undesired locations (iTunes backup, external storage,
etc.)
Ø Cloud storage services such as Dropbox, Google Drive, or S3
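The key-derivation questions above are easiest to answer by comparing the two shapes a reviewer actually meets. The following is an added example written for this page, not code from the deck or from any app it tested: an unsalted MD5-of-password key beside a PBKDF2-HMAC-SHA256 derivation, with an offline guessing loop that shows why the first one is cheap to break. The wordlist is constructed for the demo, and the iteration count passed to demo() is lowered only to keep it fast.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a real password list (an assumption; not from the deck).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2015", "hunter2"]


def weak_key(password: str) -> bytes:
    """Anti-pattern: key = MD5(password).

    No salt, no work factor: every user with this password gets the same key,
    and an attacker needs one MD5 per wordlist entry to recover it.
    """
    return hashlib.md5(password.encode("utf-8")).digest()


def strong_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a high iteration count
    (600,000 is the figure the OWASP Password Storage Cheat Sheet gives for this PRF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def crack_weak_key(target: bytes) -> Optional[str]:
    """Offline guess against the unsalted derivation: one hash per candidate."""
    for candidate in WORDLIST:
        if hmac.compare_digest(weak_key(candidate), target):
            return candidate
    return None


def demo(iterations: int = 10_000) -> dict:
    """Iteration count lowered here only to keep the demo fast."""
    salt1, salt2 = os.urandom(16), os.urandom(16)
    k1 = strong_key("hunter2", salt1, iterations)
    k2 = strong_key("hunter2", salt2, iterations)
    return {
        "weak_key_cracked_as": crack_weak_key(weak_key("hunter2")),
        "same_password_different_keys": k1 != k2,       # salt makes the key per-user
        "reproducible_with_salt": strong_key("hunter2", salt1, iterations) == k1,
    }


if __name__ == "__main__":
    print(demo())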

23. Information Disclosure
• Logs
Ø Does the application log data? Is sensitive information accessible?
Ø How are the logs accessed, if so, and by which mechanism/functionality? Is log access protected?
Ø Can any of the logged information be considered a privacy violation?
Ø Is a device identifier sent that could be used to identify the user (e.g. the UDID on Apple devices)?
Ø Does the application upload any log file to the server?
ü Is the log file extension validated before upload?
ü Is the content of the log file validated before upload? What if malicious content is embedded in the log file, e.g. to attack the server-side log viewer or parser?
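In practice the log questions above are answered by pulling `adb logcat` output during a test session and grepping it for secrets. Below is an added example for this page (not the deck's own tooling) that parses threadtime-format logcat lines and flags passwords, bearer tokens, JWTs, card numbers (Luhn-checked) and IMEIs. The five log lines are constructed for the demo; the regexes are a starting set to extend per app.

```python
import re
from typing import Dict, List

# Constructed logcat lines in `adb logcat -v threadtime` format (not from any real app).
SAMPLE_LOGCAT = """\
03-14 10:22:01.123  4321  4321 D LoginActivity: POST /api/login user=alice password=S3cret!
03-14 10:22:01.456  4321  4321 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123
03-14 10:22:02.001  4321  4321 V PaymentFragment: card=4111111111111111 exp=12/26
03-14 10:22:02.500  4321  4321 D DeviceInfo: imei=490154203237518
03-14 10:22:03.000  4321  4321 I ActivityManager: Displayed com.example.app/.MainActivity
"""

# date time  pid  tid level tag: message
LINE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+):\s*(.*)$")
PATTERNS = {
    "password_in_log": re.compile(r"\b(?:pass(?:word|wd)?|pwd)=\S+", re.I),
    "bearer_token": re.compile(r"Authorization:\s*Bearer\s+\S+", re.I),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
}
IMEI = re.compile(r"\bimei=(\d{15})\b", re.I)
NUMBER = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (and by IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(logcat: str) -> List[Dict[str, object]]:
    findings = []
    for raw in logcat.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _ts, _pid, _tid, level, tag, msg = m.groups()
        hits = [name for name, rx in PATTERNS.items() if rx.search(msg)]
        imeis = set(IMEI.findall(msg))
        if imeis:
            hits.append("imei")
        # IMEIs are Luhn-valid too, so exclude them before treating a number as a PAN.
        if any(luhn_ok(n) for n in NUMBER.findall(msg) if n not in imeis):
            hits.append("card_number")
        if hits:
            findings.append({"tag": tag.strip(), "level": level, "hits": sorted(hits)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGCAT):
        print(f)
```

Feed it the text of `adb logcat -v threadtime -d` captured while exercising login, payment and error paths; a hit in a release build is a finding regardless of log level, since any app with READ_LOGS on older Android versions, or anyone with a USB connection, can read the buffer.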
24. Information Disclosure
• Caches
Ø Predictive text
Ø Location information
Ø Copy and paste
Ø Application snapshot
Ø Browser cache
Ø Non-standard cache locations (e.g. the various SQLite databases that apps create if they use HTML UI components)
Ø Are HTTPS responses being cached?
• Exceptions
Ø Does sensitive data leak in crash logs?
Ø How does application handle data/logs outside its container?
• Third Party Libraries and APIs
Ø What permissions do they require?
Ø Do they access or transmit sensitive information?
Ø Can their runtime behavior expose users to privacy issues and unauthorized tracking?
• Review licensing requirements for any potential violations.
58. General Best Practices:
• Assume that the network layer is not secure and is susceptible to eavesdropping.
• Apply SSL/TLS to every transport channel the mobile app uses to transmit sensitive information, session tokens, or other sensitive data to a backend API or web service.
• Account for outside entities such as third-party analytics companies and social networks: when the app reaches them through a browser/WebKit view, make sure those requests use TLS as well. Avoid mixed TLS/cleartext sessions, as they may expose the user's session ID.
• Use strong, industry-standard cipher suites with appropriate key lengths.
• Use certificates signed by a trusted CA.
• Never allow self-signed certificates, and consider certificate pinning for security-conscious applications.
• Always require certificate chain verification.
• Only establish a secure connection after verifying the identity of the endpoint server against trusted certificates in the key chain.
• Alert users through the UI if the mobile app detects an invalid certificate.
• Do not send sensitive data over alternate channels (e.g. SMS, MMS, or push notifications).
• If possible, apply a separate layer of encryption to sensitive data before it is handed to the TLS channel. If vulnerabilities are later discovered in the TLS implementation, the encrypted payload provides a secondary defense against confidentiality violation.
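The verification and pinning items above map onto a handful of client settings. The following is an added example for this page (Python's standard `ssl` module, not code from the deck or any app it discusses) showing the disabled-verification context that testers find in the wild next to the strict one, plus a leaf-certificate pin check. The host name and the all-zero pin in PINS are placeholders, and pinned_connect() needs a network, so only the pure functions are exercised offline.

```python
import hashlib
import socket
import ssl
from typing import Iterable

# Hypothetical pin set keyed by host: SHA-256 over the server's DER-encoded leaf
# certificate. The host and the all-zero value are placeholders, not real pins.
PINS = {"api.example.com": {"00" * 32}}


def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    return cert_fingerprint(der) in {p.lower() for p in pins}


def insecure_context() -> ssl.SSLContext:
    """The setting pentesters find all the time: verification switched off so a
    self-signed or intercepting-proxy certificate is accepted. Anti-pattern only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """Corrected form: CA chain validation, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pinned_connect(host: str, port: int = 443) -> ssl.SSLSocket:
    """Chain validation first (during the handshake), then the pin on the presented leaf."""
    ctx = strict_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10), server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if not pin_matches(der, PINS.get(host, ())):
        sock.close()
        raise ssl.SSLCertVerificationError(f"pin mismatch for {host}: {cert_fingerprint(der)}")
    return sock
```

Pinning the whole leaf certificate is the simplest form and is what this example does; production apps usually pin the SubjectPublicKeyInfo instead and ship a backup pin, because a leaf pin breaks the app on every certificate renewal.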
90. Am I Vulnerable To Improper Session Handling?
• Failure to Properly Rotate Cookies / Session Tokens
Ø Tokens must be re-issued, and the old ones invalidated server-side, on authentication state changes, which include events like:
ü Switching from an anonymous user to a logged-in user
ü Switching from one logged-in user to another logged-in user
ü Switching from a regular user to a privileged user
Ø Timeouts: sessions that never expire, or that survive inactivity and app restarts
• Insecure Token Creation
Ø In addition to properly invalidating tokens (on the server side) during key application events, it is also crucial that the tokens themselves are generated properly. Just as with encryption algorithms, developers should use well-established, industry-standard methods of creating tokens. They should be sufficiently long, complex, and unpredictable (drawn from a cryptographically secure random source) so as to be resistant to guessing/anticipation attacks.
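To make the "guessing/anticipation" point concrete, here is an added example written for this page (not code from the deck or any product it names): a token generator seeded from the login timestamp, the attacker's replay of nearby seeds that recovers it, and the corrected generator built on the OS CSPRNG. The seeding scheme is a constructed anti-pattern chosen for illustration.

```python
import random
import secrets
import string
import time
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def weak_token(seed: int, length: int = 32) -> str:
    """Anti-pattern: Mersenne Twister seeded with a known value. The output looks
    random, is 32 characters long, and is still fully determined by the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def issue_weak_token(login_time: int) -> str:
    """Server side of the anti-pattern: seed = Unix timestamp of the login (constructed)."""
    return weak_token(login_time)


def guess_weak_token(observed: str, approx_login_time: int, window: int = 300) -> Optional[int]:
    """Attacker side: knowing roughly when the victim logged in (to within `window`
    seconds), replay the candidate seeds until one reproduces the observed token."""
    for seed in range(approx_login_time - window, approx_login_time + window + 1):
        if weak_token(seed) == observed:
            return seed
    return None


def issue_strong_token() -> str:
    """Corrected form: 256 bits from the OS CSPRNG, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    now = int(time.time())
    victim = issue_weak_token(now)
    print("recovered seed:", guess_weak_token(victim, now + 120))   # attacker's clock is 2 min off
    print("strong token:", issue_strong_token())
```

The search space in the weak case is the size of the attacker's time uncertainty (a few hundred seeds), not the 32-character alphabet space the token length suggests; the strong token has no seed to recover, and its entropy is the 32 random bytes.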
95. Android Root Detection
• Check for test-keys
Ø Check whether build.prop contains ro.build.tags=test-keys, indicating a developer build or unofficial ROM
• Check for OTA certificates
Ø Check whether /etc/security/otacerts.zip exists; official builds ship it, so its absence suggests a custom ROM
• Check for well-known root-management packages
Ø com.noshufou.android.su
Ø com.thirdparty.superuser
Ø eu.chainfire.supersu
Ø com.koushikdutta.superuser
• Check for su binaries
Ø /system/bin/su
Ø /system/xbin/su
Ø /sbin/su
Ø /system/su
Ø /system/bin/.ext/.su
• Attempt the su command directly
Ø Run su and check the id of the resulting user; if it reports uid 0, su succeeded and the device is rooted
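During a test these indicators are collected from the device over adb rather than from inside the app. Below is an added example for this page (not the deck's own code) that parses the raw output of `adb shell getprop` and `adb shell pm list packages`, takes the results of `ls` on each su path and of `su -c id`, and reports every indicator from the list above. The device outputs are constructed, and the ro.debuggable check is one extra indicator the deck does not list.

```python
import re
from typing import Dict, List, Set

# Indicators listed on the slide above.
ROOT_PACKAGES = {
    "com.noshufou.android.su",
    "com.thirdparty.superuser",
    "eu.chainfire.supersu",
    "com.koushikdutta.superuser",
}
SU_PATHS = ["/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su", "/system/bin/.ext/.su"]

# Constructed device outputs (not captured from a real device) in the formats
# printed by `adb shell getprop` and `adb shell pm list packages`.
GETPROP_OUT = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.product.model]: [Nexus 5]
"""
PM_LIST_OUT = """\
package:com.android.settings
package:eu.chainfire.supersu
package:com.example.app
"""
SU_PATH_EXISTS = {p: (p == "/system/xbin/su") for p in SU_PATHS}   # result of `ls <path>` per path
OTACERTS_EXISTS = False                                              # result of `ls /etc/security/otacerts.zip`
SU_ID_OUT = "uid=0(root) gid=0(root) groups=0(root)"                 # output of `su -c id`

PROP_LINE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_pm_list(text: str) -> Set[str]:
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}


def root_indicators(props: Dict[str, str], packages: Set[str], su_path_exists: Dict[str, bool],
                    otacerts_exists: bool, su_id_output: str) -> List[str]:
    hits = []
    if props.get("ro.build.tags") == "test-keys":
        hits.append("build tagged test-keys")
    if props.get("ro.debuggable") == "1":          # extra indicator, not on the slide
        hits.append("ro.debuggable=1")
    if not otacerts_exists:
        hits.append("/etc/security/otacerts.zip missing")
    for pkg in sorted(packages & ROOT_PACKAGES):
        hits.append(f"root manager installed: {pkg}")
    for path in SU_PATHS:
        if su_path_exists.get(path):
            hits.append(f"su binary at {path}")
    if re.search(r"\buid=0\b", su_id_output or ""):
        hits.append("su granted uid 0")
    return hits


if __name__ == "__main__":
    for hit in root_indicators(parse_getprop(GETPROP_OUT), parse_pm_list(PM_LIST_OUT),
                               SU_PATH_EXISTS, OTACERTS_EXISTS, SU_ID_OUT):
        print(hit)
```

The same code also shows the weakness the methodology asks about: a binary moved to a path outside SU_PATHS, or renamed with different case, produces no hit at all, which is why an app's in-process checks should be treated as a speed bump rather than a control.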
97. Android Security
• AndroidManifest.xml - Probably the most important source of information. From a security point of view, it declares the components used in the application and the conditions under which they can be launched, and it lists the permissions the application uses. It is highly recommended to go through Google's documentation on the manifest file.
• assets - Used to store raw asset files. The files stored here are packed into the APK as-is.
• res - Used to store resources such as images, layout files, and string values.
• META-INF - Contains the signature files and the signing certificate of the party who signed the application.
• classes.dex - This is where the compiled application code lies. To decompile an app, convert the dex file to a jar file (e.g. with dex2jar), which can then be read by a Java decompiler.
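Once the manifest is decoded (apktool writes a readable AndroidManifest.xml; the binary AXML inside the APK must be decoded first), the review described above can be scripted. The following is an added example for this page, not the deck's tooling: it flags debuggable/backup/cleartext settings, dangerous permissions, and components that are exported without a protecting permission, applying the pre-API-31 rule that an intent-filter makes a component exported by default. The manifest is constructed for the demo and the dangerous-permission list is a subset.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Qualified name for an android: attribute as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest (not from any real app) seeded with the kinds of mistakes a review should flag.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.app.notes" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

# Subset of Android's "dangerous" protection-level permissions.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
}
COMPONENTS = ("activity", "service", "receiver", "provider")


def is_exported(component: ET.Element, target_sdk: int) -> bool:
    explicit = component.get(a("exported"))
    if explicit is not None:
        return explicit == "true"
    # Before targetSdk 31, a component that declares an intent-filter is exported by default.
    return target_sdk < 31 and component.find("intent-filter") is not None


def is_launcher(component: ET.Element) -> bool:
    return any(c.get(a("name")) == "android.intent.category.LAUNCHER" for c in component.iter("category"))


def review_manifest(xml_text: str) -> List[str]:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(a("targetSdkVersion"), "1")) if sdk is not None else 1
    findings = []
    if app.get(a("debuggable")) == "true":
        findings.append("android:debuggable=true (run-as/ptrace possible on a release build)")
    if app.get(a("allowBackup"), "true") == "true":      # default is true when the attribute is absent
        findings.append("android:allowBackup not disabled (app data extractable via adb backup)")
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append("cleartext HTTP permitted")
    for perm in root.findall("uses-permission"):
        name = perm.get(a("name"))
        if name in DANGEROUS:
            findings.append(f"dangerous permission: {name}")
    for comp in app:
        if comp.tag in COMPONENTS and is_exported(comp, target_sdk) and comp.get(a("permission")) is None:
            if comp.tag == "activity" and is_launcher(comp):
                continue  # the launcher activity has to be exported
            findings.append(f"exported {comp.tag} without permission: {comp.get(a('name'))}")
    return findings


if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Each exported component it reports is a candidate for the dynamic phase: the activity via `am start`, the provider via `content query --uri content://com.example.app.notes/...` from an adb shell, with no permission required because none is declared.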
118. iOS Application Security - Understanding the Objective-C Runtime
• Objective-C runtime
Ø Objective-C is a runtime oriented language.
Ø A runtime language is a language that decides what to implement in a function and other decisions
during the runtime of the applications.
Ø Is Objective-C a runtime language ? NO.
Ø It is a runtime oriented language, which means that whenever it is possible, it defers decisions from
compile and link time to the time when the code in the application is actually being executed.
119. iOS Application Security – Runtime Analysis Using Cycript
• Cycript is a JavaScript interpreter that also understands Objective-C syntax, so a single command can mix Objective-C and JavaScript. It can attach to a running process and modify much of the application's state at runtime. Applied to iOS applications, its main uses are:
Ø Attach to a running process and enumerate the classes in use, e.g. the view controllers, the internal and third-party libraries, and the application delegate.
Ø For a particular class (a view controller, the app delegate, or any other class), list the names of all of its methods.
Ø We can also find the names of all the instance variable and their values at any particular time during
the runtime of an application.
Ø We can modify the values of the instance variable during runtime.
Ø We can perform Method Swizzling, i.e replace the code of a particular method with some other
implementation.
Ø We can call any method in the application during runtime without it being in the actual code of the
application .
140. iOS Application Security – Booting a Custom Ramdisk Using Sogeti Data Protection Tools
• A bootrom exploit allows us to bypass the bootrom's signature check on the low-level bootloader (LLB) and hence boot the device with a custom ramdisk.
• Such an exploit also allows the user to run unsigned code and hence create an untethered jailbreak.
• Because the bootrom is read-only hardware, a bootrom exploit cannot be fixed by Apple with a new iOS release; only a new hardware revision can close it.
• At the time of this deck no bootrom exploit was known for A5 or later devices, and the exploit used here only works on A4 devices. (The checkm8 bootrom exploit published in 2019 later covered A5 through A11 devices.)
142. iOS Application Security – Jailbreak Detection and Evasion
Not all jailbroken devices have Cydia installed, and a jailbreak tweak can simply move or rename Cydia.app, so a path check alone is easy to evade. Typical detection code therefore looks for several jailbreak artifacts at once (Cydia, the MobileSubstrate hooking library, a shell, an SSH daemon, the APT configuration), as in this commonly seen method:
+(BOOL)isJailbroken{
    if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]){
        return YES;
    }else if([[NSFileManager defaultManager] fileExistsAtPath:@"/Library/MobileSubstrate/MobileSubstrate.dylib"]){
        return YES;
    }else if([[NSFileManager defaultManager] fileExistsAtPath:@"/bin/bash"]){
        return YES;
    }else if([[NSFileManager defaultManager] fileExistsAtPath:@"/usr/sbin/sshd"]){
        return YES;
    }else if([[NSFileManager defaultManager] fileExistsAtPath:@"/etc/apt"]){
        return YES;
    }
    return NO;
}
Even this is only a speed bump: on a jailbroken device the tester can attach Cycript to the process and replace isJailbroken with an implementation that always returns NO, so the check should never be the only control protecting sensitive functionality.
144. iOS Application Security – Secure Coding Practices for iOS Development
• Local Data Storage
• Important data like passwords, session IDs, etc. should never be stored locally on the device.
• NSUserDefaults should never be used to store confidential information like passwords, authentication tokens, etc.; it is a plain plist in the app's container.
• Plist files should likewise never be used to store confidential information like passwords, because they can be fetched very easily from the application container or bundle, even on a non-jailbroken device.
• Core Data files are also stored as unencrypted database files in the app's sandbox (typically the Documents directory). Core Data uses SQLite underneath, so the store is an ordinary .sqlite database. One can easily copy these files to a computer and use a tool like sqlite3 to examine all of their content.
146. iOS Application Security – Secure Coding Practices for iOS Development
• Text fields that accept passwords should have the Secure Text Entry option enabled (secureTextEntry = YES), so the input is masked and excluded from the keyboard's autocorrection cache.
• Clear the pasteboard once the application enters the background:
- (void)applicationDidEnterBackground:(UIApplication *)application
{
    [UIPasteboard generalPasteboard].items = nil;
}
• Input arriving through a custom URL scheme should also be validated, since any other app on the device can invoke it:
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
    //Validate input from the url before acting on it
    return YES;
}
• A developer should make sure that the content loaded into a UIWebView is not malicious (no untrusted HTML or JavaScript, no access to local files in the container).
165. Data Storage and Protection
• Do not store sensitive data on external storage like SD cards if it can be avoided.
• Consider restricting access to sensitive data based on contextual information such as location (e.g. a wallet app that is not usable if GPS data shows the phone is outside Europe, a car key that is not usable unless within 100 m of the car, etc.).
• Use non-persistent identifiers that are not shared with other apps wherever possible: e.g. do not use the device ID as an identifier; use a randomly generated number instead.
• Make use of remote wipe and kill-switch APIs to remove sensitive information from the device in the event of theft or loss.
• Use a time-based (expiry) control that wipes sensitive data from the device once the application has not communicated with its servers for a given period of time.
• Automatic application shutdown and/or lockout after X minutes of inactivity (e.g. 5 minutes).
• Avoid cached application snapshots on iOS: iOS captures the screen and stores it as an image when an application suspends. To prevent sensitive data from being captured, use one or both of the following: 1. hide or blank all sensitive views in the applicationWillResignActive: / applicationDidEnterBackground: delegate callbacks; 2. set UIApplicationExitsOnSuspend in Info.plist so the app terminates when sent to the background (only if the app does not need multitasking).
• Prevent applications from being moved to and/or run from external storage such as SD cards.
• When handling sensitive data that does not need to be presented to users (e.g. account numbers), use a token that maps to the actual value on the server side instead of the value itself. This prevents exposure of the sensitive information.