Kunwar Atul presented techniques for pentesting Android applications without root access. This included bypassing SSL pinning by modifying the app's manifest to allow user certificates, extracting sensitive data from backup files without root using ADB, and exploiting insecure Firebase databases and deep links. Deep links could be triggered via ADB to load attacker URLs within an app's webview. References were provided on SSL pinning bypass with Burp Suite, Frida, and modifying apps; reading data without root; and exploiting Firebase and deep links. The presentation did not cover Android architecture, tools like Drozer and Apktool, or lab setups.
Mobile Application Security Testing (Static Code Analysis) of Android App - Abhilash Venkata
This document discusses three angles for performing mobile application security testing: client side checks, dynamic/runtime checks of local storage, databases and more, and static code analysis. It focuses on static code analysis, explaining that it covers over 50% of the OWASP Mobile Top 10 risks. It provides details on fetching APKs, converting them to source code, manual and automated static code analysis tools like MobSF and QARK, and common issues like improper use of Android intents that can be discovered through static analysis.
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol - apidays
APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Android Applications and API Hacking
Gabrielle Botbol, Ethical Hacker |Award-winning Pentester | Artemis Red Team | Board Member | Speaker | Mentor
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
These slides were presented at the GDG MeetUp in Bangalore, which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide deck.
Android application pentesting with DIVA. This course is divided into three main sections:
1) Prepare your environment (set up Kali Linux and an Android emulator)
2) Information gathering (attack surface)
3) Exploitation
Tools used:
1. Adb
2. Apktool
3. unzip
4. Dex2jar
5. JD-GUI
6. sqlitebrowser
7. Drozer
8. Cutter
I hope you find this session interesting. Thanks for joining!
This document discusses pentesting Android apps. It provides an overview of Android architecture and common attack surfaces, including the client software, communications channels, and server-side infrastructure. It describes setting up an environment for app analysis, exploiting vulnerabilities like insecure storage and logical flaws. The document demonstrates capturing network requests, reverse engineering apps, and provides developer tips to improve security like encrypting sensitive data and input sanitization.
Android Application Penetration Testing - Mohammed Adam
Android penetration testing is the process of testing an Android application and finding its security issues. It involves decompiling the application, analyzing it at runtime, and testing it from a security point of view. These slides cover real-time testing of Android applications and security issues such as insecure logging, leaking content providers, insecure data storage and access control issues.
The OWASP Top 10 for Mobile Apps is highly focused on security checks for your mobile apps.
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
Automated Security Analysis of Android & iOS Applications with Mobile Securit... - Ajin Abraham
Ajin Abraham presents the Mobile Security Framework, an open source tool for automating security analysis of Android and iOS mobile applications. It performs static analysis on application binaries and source code to detect vulnerabilities. It also includes dynamic analysis capabilities like monitoring network traffic, system calls and application data during runtime. The tool is hosted locally and does not send any data to the cloud. The talk demonstrates the tool's static and dynamic analysis features and provides examples of vulnerabilities it has discovered in real world applications. Future plans are discussed to add additional testing capabilities and improve the tool. Users are encouraged to download, test and contribute to the open source project.
The document discusses security testing of mobile applications. It outlines common threats like accessing sensitive stored data, intercepting data in transit, and exploiting tainted inputs. The document demonstrates analyzing an example Android app to identify potential issues, including looking at application binaries, network traffic, and content handlers. It also briefly discusses SQL injection risks for mobile apps.
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ... - Ajin Abraham
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to session handling and API rate limiting.
This talk is going to give an overview of the Android operating system and its app ecosystem from the security point of view of a penetration tester.
So let's dive into topics like pentest environment setup, tools of the trade, app analysis and some security hints for Android developers.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF - Ajin Abraham
The mobile application market is growing rapidly, and so is the mobile security industry. With frequent application releases and updates, conducting a complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for security analysis of mobile applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrate some of the issues identified by the tool in real-world Android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec.
Attendee benefits:
* An open source framework for automated mobile security assessment.
* One-click report generation and security assessment.
* The framework can be deployed in your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud.
* Supports both Android and iOS applications.
* Semi-automatic Dynamic Analyzer for intelligent, application-logic-based (whitebox) security assessment.
This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.
With the long delays before an iOS jailbreak becomes public and stable, it is often not possible to test mobile apps on the latest iOS version. Occasionally customers might also provide builds that only work on iOS versions for which no jailbreak is available. On Android the situation is better, but rooting certain phone models can also be a problem. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
This document provides an overview of methodology and tools for testing the security of Android applications. It discusses static testing tools like MobSF, AndroBugs, QARK and VCG scanner that can analyze Android app code without executing the app. It also covers dynamic testing tools like BurpSuite, Inspeckage, LogCat, MobSF and Drozer that allow analyzing an app's behavior while it is executing. The document provides descriptions and links for each tool to help understand their capabilities and how they can be used for Android pentesting.
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services - Abraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against web services, followed by XXE and XEE attacks and their mitigation. Heavily inspired by the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP project.
It lists the ten most critical web application security flaws.
Read the presentation and you will learn about each OWASP Top 10 category and the recommendations on how to prevent it.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
Getting started with Android pentesting - Minali Arora
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.
The document provides an overview of BGA Bilgi Güvenliği A.Ş, a Turkish cybersecurity company that offers strategic security consulting and training. It then outlines BGA's mobile application penetration testing methodology, which involves information gathering, static analysis, dynamic analysis, and examining authentication, authorization, and session management. The methodology describes steps to analyze the mobile app's permissions, network usage, data storage, APIs, libraries, and more to identify potential vulnerabilities.
This document discusses hacking and securing iOS applications. It begins by covering iOS security concepts and loopholes, then discusses how those loopholes can affect apps and allow easy theft of app data. The remainder of the document provides guidance on how to protect apps by securing local storage locations, runtime analysis, and transport security. Key recommendations include encrypting sensitive data, using data protection APIs, restricting access to private data, and properly validating SSL certificates.
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration, an attacker can quickly compromise an affected system.
This presentation will discuss types, how to discover, exploit, and how to mitigate file upload vulnerabilities.
José Manuel Ortega Candel presented on security testing in mobile applications. The presentation covered static and dynamic application security testing, vulnerabilities, security risks, and best practices for mobile security testing. It discussed analyzing application source code, network traffic, and runtime behavior to identify issues. The document also provided examples of common mobile vulnerabilities and tools that can be used to conduct security testing on both Android and iOS applications.
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injection attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
This document provides an overview of Android security. It discusses Android's architecture including activities, services, content providers and broadcast receivers. It then covers Android security features like application sandboxing, application signing, and Android's permission model. It provides examples of how these components and security features work together in a sample Android application for tracking friends' locations. It also discusses how applications can programmatically enforce permissions and how application components interact through intents.
The document discusses mobile application security testing and penetration testing of iOS apps. It covers static and dynamic testing of iOS apps, common vulnerabilities like insecure data storage, jailbreak detection, runtime manipulation and side channel leaks. Tools discussed include Burp Suite, Cycript, Class-dump and Plutil for analyzing iOS app security. The goal is to identify vulnerabilities to help developers better secure their mobile apps.
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter... - Agile Testing Alliance
The presentation on Cost-effective Security Testing Approaches for Web, Mobile & Enterprise Application was given during #ATAGTR2017, one of the largest global testing conferences. All copyright belongs to the author.
Author and presenter : Varadarajan V. G.
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel... - Denim Group
A web application's attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application's attack surface is critical to being able to provide sufficient security test coverage, and by watching an application's attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
A DevOps Approach for Building 100 iOS Apps - TechWell
The document summarizes a presentation by Leigh Williamson of IBM on building 100 iOS apps using a DevOps approach. Key points include:
- IBM partnered with Apple to build over 150 cross-industry iOS apps leveraging IBM's design thinking process, mobile platform services, and DevOps tools.
- The apps were built by investing in design, leveraging a mobile platform for services/APIs, and employing DevOps practices like continuous integration, delivery, monitoring and feedback.
- IBM's mobile platform, Bluemix, provides services, SDKs and tools to help develop, integrate, secure and scale mobile apps using tools like Xcode, UrbanCode Deploy, and MaaS360.
Introduction to android - SpringPeople
With the increase in use of Android, and with Lollipop becoming viral, this content is meant for all those who are interested in Android and Android development.
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014 - IBM France Lab
Bluemix is an open-standard, cloud-based platform for building, managing, and running applications of all types (web, mobile, big data, new smart devices, and so on).
How to Integrate AppSec Testing into your DevOps Program - Denim Group
During this live webinar, IBM & Denim Group join forces to demonstrate how Application Security Testing can be integrated with DevOps methodologies to identify and remediate high-risk vulnerabilities quickly, with minimal overhead.
Specifically, we’ll discuss how you can integrate Dynamic Application Security Testing (DAST) using IBM AppScan Enterprise REST API into a DevOps CI/CD pipeline, which helps you to automatically identify high-risk vulnerabilities within web applications and web services. We’ll also show how using Denim Group’s ThreadFix offering with AppScan Enterprise allows for seamless integration with typical DevOps tool-sets, in order to further reduce the overhead associated with AppSec testing within the SDLC.
This document provides information about Neev, an IT company that offers services including Android app development. It discusses Neev's expertise in areas like enterprise mobility, gaming, video streaming and their work developing over 50 Android apps. The document outlines Neev's capabilities such as their development facilities, handling device fragmentation, and key challenges in Android development. It also provides case studies of Android apps and SDKs developed for clients in various industries.
This document discusses DevOps for mobile apps. It begins with an introduction to DevOps, including key concepts like continuous integration, continuous delivery, and infrastructure as code. It then covers challenges of DevOps for mobile, such as fragmented platforms and coordination across backend systems. Best practices are presented, such as end-to-end traceability, continuous integration, and automated builds. The document concludes with discussions of implementing continuous integration and delivery, service virtualization for testing, and mobile UI testing.
Demystifying the Mobile Container - PART IRelayware
Mobile app developers have been engaged in a philosophical debate about "HTML5 vs. Native" for a couple of years now. But more and more in-the-know mobile strategists are deciding the answer is "Neither." Rather than choose between rich and interactive native experiences or portable and cost-effective web development, more apps are being deployed using web technologies and "native containers" to deliver the best of both worlds.
Highlights:
- What is a "container?"
- What are the different types of containers?
- For which types of apps is each appropriate?
- What are the advantages of a container deployment strategy?
- Are there good examples of successfully deployed containerized mobile apps?
Nader Dabit - Introduction to Mobile Development with AWS.pdfAmazon Web Services
In this session we'll introduce AWS Mobile Hub & AWS Amplify, discussing how these tools work and the type of features & services we'll be able to enable when using them.
Speaker: Nader Dabit
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
This Presentation contains the First session materials of the Android Humla Session that was conducted by us on 1st April 2017 at Null Bangalore Chapter.
This talk focussed on the challenges facing the DevOps community from the “developers culture perspective” and the consequences of the perceived disinterest in inculcating a complete 360 degrees’ risk mitigation framework in DevOps practices.
The talk touched on the legal +Security+Operational Risk of using Open Source in their SDLC, the need for internal customized Open Source policy and a two-step approach to resolve these risks
Popular App Development Frameworks used by App Developers.Techugo
Mobile apps have proven to be the best way for companies to increase their customer base. There have been many innovative app ideas, and app development businesses were vital to ensuring that everything worked.
You can be proficient in simple computer languages to create an app. There are many platforms that allow you to develop apps for iOS and Android; you only need to grasp web-based programming languages such as HTML, CSS, or JavaScript.
Swiftic has been voted one of the top mobile app development companies for best tools on the iOS platform.
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you’ll learn about some of the weaknesses in the Android's model (including rooting, tap-jacking, malware, social-engineering) as well as what can be done to mitigate those threats, such as SE-Linux, memory protection, anti-malware, firewall, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
Whether you’re considering migrating to PHP 7 or are already there, you need to know the specifics of how to keep your application running smoothly, efficiently, and with minimum downtime. Take these techniques proven by our customers to make your PHP 7 application shine.
AppSphere 15 - How AppDynamics is Shaking up the Synthetic Monitoring Product...AppDynamics
Synthetic monitoring has been around for nearly two decades, but the innovation in this area has crawled to a trickle. Users are coping with complex and disjointed products driven by proprietary technology. This is about to change: AppDynamics Synthetic monitoring technology is driven by the leading-edge front end optimization open source technology WebPageTest and W3C standards like Webdriver. AppDynamics has embraced and combined them with changes in Cloud Computing to deliver a new generation of synthetic monitoring. These technologies allow not only for availability monitoring today, but hold a vast array of use cases and capabilities for the future which will create new innovation.
Key Takeaways:
- Learn about WebPageTest, and why it's the leading tool for front end optimization
- How AppDynamics leverages WebPageTest and Webdriver technologies
- How AppDynamics is leveraging changes in Cloud computing to deliver a new generation of synthetic monitoring
- What future capabilities AppDynamics will leverage from these projects to create new use cases
This deck was originally presented at AppSphere 2015.
The document discusses the development of the Android operating system. It describes how the Open Handset Alliance was formed in 2007 by Google and other companies to develop Android. Android is an open source software stack that includes an operating system, middleware and key apps. It uses the Java programming language and a custom virtual machine called Dalvik. The Android architecture includes frameworks for applications, libraries, the Android runtime and the Linux kernel. It also discusses the lifecycles of Android services and applications.
Angle Bread Software Pvt. Ltd. is an Android development company that develops apps across various platforms from Android 2.2 to 4.0.3. They use Eclipse for development, SQLite for local storage, and MySQL for server-based apps. They have a team that handles requirements gathering, UI design, coding, testing, and delivery by deadlines. Their focus is on quality and they have received appreciation from clients. They work on Agile and Waterfall methodologies and have over 115 resources working on Android, iOS, PHP, Java, and .NET.
Similar to Mobile security part 1 (Android Apps Pentesting) - Romansh Yadav (20)
2. Content
Copyright 2017 | Romansh Yadav | All right reserved.
• What is mobile security
• Types of mobile security
• What is Android
• Android architecture
• Process of app development
• Android apps file structure
• Tools for the app pen testing
• Setup a lab
• OWASP top 10
• Power of Drozer
• MobSF
3. The power of smart phone
• Smartphones have changed our lives. As IoT is coming, the number of smartphone users will increase.
• A smartphone is like a new part of our body.
• Companies know the next market for business will be IoT devices.
• Here mobile apps play a great role.
• You need to make sure your customers can use your mobile apps with confidence.
4. What is mobile security
• Mobile application security testing can help ensure there aren't any loopholes in the software that may cause data loss.
• The sets of tests are meant to attack the app to identify possible threats and vulnerabilities that would allow external persons or systems to access private information stored on the mobile device.
5. Types of mobile apps security testing
• Static mobile apps security testing.
• Dynamic mobile apps security testing.
6. Static mobile apps security testing
• In static mobile apps security testing, we test while the code is at rest.
• We review the source code and check the hashing algorithms used in the code.
• We analyse the AndroidManifest.xml file.
7. Dynamic mobile apps security testing
• In dynamic testing we test while the app is running, that is, at run time.
• We analyse the flow, try to call activities, and more.
9. What is Android
• Android is an operating system bought by Google in 2005.
• Originally developed by Andy Rubin, Rich Miner, Nick Sears, and Chris White at Android Inc.
• It is based on the Linux kernel.
• Oreo: upcoming Android version 8.1.
10. Android architecture
• Application
• Application framework
• Libraries
• Android Runtime
• Hardware abstraction Layer
• Linux Kernel
11. Application Layer
• Android apps are written in the Java programming language.
• The Java compiler converts Java code into .class files (bytecode).
• The dex tool converts the .class files to Dalvik bytecode. Any 3rd-party libraries and .class files that you have included in your project are also converted into .dex files so that they can be packaged into the final .apk file.
12.
• All non-compiled resources (such as images), compiled resources, and the .dex files are sent to the apkbuilder tool to be packaged into an .apk file.
• Once the .apk is built, it must be signed with either a debug or release key before it can be installed on a device.
13. Application Framework
• The Application Framework layer provides many higher-level services to applications in the form of Java classes. Application developers are allowed to make use of these services in their applications.
14. Libraries
• The libraries shown in the image are essential; without them the application will not run. For example, the WebKit library is used for browsing the web, the SQLite library is used for maintaining SQL databases, and so on.
15. Dalvik Virtual Machine
• The Dalvik Virtual Machine executes applications written for Android. Each app running on an Android device has its own Dalvik Virtual Machine.
16. Android runtime
• Android Runtime (ART) is an alternative to the Dalvik Virtual Machine. What is new in ART is Ahead-of-Time (AOT) compilation and improved garbage collection. With AOT compilation, Android apps are compiled when the user installs them on the device, whereas Dalvik used Just-in-Time (JIT) compilation, in which bytecode is compiled when the user runs the app.
17. Hardware abstraction Layer
• The Hardware Abstraction Layer just gives applications direct access to the hardware resources.
18. Linux Kernel
• Android is built on the Linux kernel.
• The Linux kernel provides basic system functionality like process management, memory management, and device management (camera, keypad, display, etc.).
• As a multiuser operating system, a fundamental security objective of the Linux kernel is to isolate user resources from one another:
• Prevents user A from reading user B's files.
• Ensures that user A does not exhaust user B's memory.
• Ensures that user A does not exhaust user B's CPU resources.
19. Development tools
• An Integrated Development Environment (IDE) is a software application that provides comprehensive facilities to computer programmers for software development.
• A software development kit (SDK or devkit) is typically a set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform. (Wikipedia)
20. Developing an Android app
Demo with Android Studio
22. AndroidManifest.xml File
• AndroidManifest.xml is the control file of every app.
• Every Service, ContentProvider, Activity and BroadcastReceiver needs to be declared in the AndroidManifest.xml file.
• We will explore this file in detail in our testing module.
23. Component of android apps
• Activity
• Content Provider
• Services
• Broadcast Receiver
24. Basic tools for Android apps pen testing
• Drozer (best for dynamic)
• MobSF (Mobile Security Framework; best for static)
• dex2jar
• JD-GUI
• A proxy tool like Burp Suite or ZAP
• Appie (a set of many tools for Windows)
• Santoku (an operating system for mobile apps pen testing, like Kali)
25. Setup small Lab
• Download Genymotion with its virtual machine and install it.
• Download the Appie toolkit (Windows only) and install it.
• Drozer
• MobSF
• Alternative emulator: Nox
26. Vulnerable apps
• Sieve
• Diva
• FourGoats
• Herd-Financial
27. OWASP Top 10 - 2014 for Mobile security
29. • A test web server was set up to provide a web service for mobile websites to access. It demonstrated how weak server-side controls result in unintended access to the web services.
• In order for this vulnerability to be exploited, the organization must expose a web service or API call that is consumed by the mobile app.
30. • The exposed service or API call is implemented using insecure coding techniques that produce an OWASP Top Ten vulnerability within the server. Through the mobile interface, an attacker is able to feed malicious inputs or unexpected sequences of events to the vulnerable endpoint.
32. • In this vulnerability the developer stores data locally.
• By default, files that you create on internal storage are accessible only to your app. This protection is implemented by Android and is sufficient for most applications.
33. • But developers often use MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE to share those files with some application, and this does not stop other (malicious) apps from accessing them.
• Path for local storage: /data/data/app-package-name/
• Many times it is stored on external storage.
34. Demo
• Let's check the /data/data/app-package-name/ directory.
• Let's check whether the application is using any content provider with exported permission.
• Let's also check the external storage (sdcard).
36. • Transferring data from client to server in plain text.
• Nowadays most applications prefer to send data over a secure channel to prevent interception and leaking to a malicious user.
• We can check for this kind of vulnerability with any proxy tool.
• We will use Burp Suite.
37. • Now we are going to set a proxy on our Android device/emulator to intercept the traffic between the application and the server. If you are using Genymotion or Nox, go to Wi-Fi under Settings, long-press WiredSSID and then tap Modify Network.
• In proxy settings, choose Manual, then enter the IP address and port on which Burp Suite is listening.
• Now the device's HTTP traffic can be intercepted by Burp Suite.
38. For HTTPS traffic
• For HTTPS traffic we have to install the Burp self-signed certificate.
• Just browse to https://burp or https://<ip>:<listener port>.
• Download the certificate, go to Security > Install from SD card, and give it a name with the .cert extension.
• Go to Trusted credentials and look at the User tab; you will find a PortSwigger CA.
39. SSL Certificate Pinning
• It means hard-coding the certificate known to be used by the server into the mobile application. The app can then ignore the device's trust store and rely on its own, allowing SSL connections only to hosts whose certificates are signed by the certificates stored inside the application.
40. Bypassing SSL certificate pinning
• There are two ways to bypass SSL certificate pinning: first by changing the source code, and second by using Android-SSL-TrustKiller. Changing the source code is always a tedious job, because every application has its own implementation of encryption.
41. • We would instead take a simpler path for now: install the Android-SSL-TrustKiller application on the Android device, which bypasses SSL certificate pinning for nearly all applications.
• Let's do this.
43. • It is also called a logging-based vulnerability.
• When the application accidentally leaks data.
• If an application crashes at runtime and saves logs somewhere.
44. • Often developers leave debugging information publicly accessible, so any application with the READ_LOGS permission can access those logs and gain sensitive information from them.
• We can use logcat or pidcat to check for this kind of vulnerability.
• Let's do this.
• adb logcat --pid=<pid>, or pidcat <package name>
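Slides 43 and 44 describe checking logcat for data the app leaks. The block below is an added example, not part of the original deck: it does offline what pidcat does on a device, discovering the package's pids from ActivityManager's "Start proc" lines, keeping only that process's output, and flagging credential-looking values (redacted in the finding) and uncaught-exception traces. The package name, tags and log lines are constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line pid tag category text")

# "brief" logcat format: PRIORITY/TAG(  PID): MESSAGE
LINE_RE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s?(.*)$")
# ActivityManager announces new processes; pidcat uses this line to map a package to its pid.
START_PROC_RE = re.compile(r"Start proc (\d+):([^/\s]+)/")
# Values that should never reach the log; a keyword heuristic, so expect some noise.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|token|otp|cvv|pin)\s*[=:]\s*(\S+)")

# Constructed sample output for this example (not a capture from a real device).
SAMPLE_LOGCAT = """\
I/ActivityManager(  871): Start proc 2314:com.example.bank/u0a77 for activity com.example.bank/.LoginActivity
D/BankApp( 2314): login request user=alice password=Winter2017!
W/OtherApp( 2400): password=notours
D/BankApp( 2314): auth token=eyJhbGciOiJIUzI1NiJ9.constructed.example
D/BankApp( 2314): statement card ending 4242 loaded
E/AndroidRuntime( 2314): FATAL EXCEPTION: main
E/AndroidRuntime( 2314): java.lang.NullPointerException at com.example.bank.StatementDBHelper.open
"""


def parse(logcat):
    """Yield (line_no, priority, tag, pid, message) for each well-formed line."""
    for number, raw in enumerate(logcat.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if m:
            prio, tag, pid, msg = m.groups()
            yield number, prio, tag.strip(), int(pid), msg


def find_pids(logcat, package):
    """Pids that ActivityManager started for the given package."""
    pids = set()
    for _, _, tag, _, msg in parse(logcat):
        m = START_PROC_RE.search(msg)
        if tag == "ActivityManager" and m and m.group(2) == package:
            pids.add(int(m.group(1)))
    return pids


def review_logcat(logcat, package):
    """Findings for the package's own processes only: leaked secrets
    (value replaced by <redacted> so the report itself does not leak) and
    uncaught-exception traces that show what a crash writes to the log."""
    pids = find_pids(logcat, package)
    findings = []
    for number, prio, tag, pid, msg in parse(logcat):
        if pid not in pids:
            continue  # other apps' lines are out of scope for this app's review
        if SECRET_RE.search(msg):
            redacted = SECRET_RE.sub(lambda m: m.group(1) + "=<redacted>", msg)
            findings.append(Finding(number, pid, tag, "secret", redacted))
        elif prio == "E" and tag == "AndroidRuntime":
            findings.append(Finding(number, pid, tag, "crash", msg))
    return findings


if __name__ == "__main__":
    for f in review_logcat(SAMPLE_LOGCAT, "com.example.bank"):
        print("line %d pid %d [%s] %s: %s" % (f.line, f.pid, f.tag, f.category, f.text))
```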
46. • After authentication in an Android application, it moves to a new activity, which users are basically aware of. But developers keep those activities exported, even without custom permissions.
• Example: directly start a post-login activity without logging in.
• Directly open the OTP activity without card number and PIN or CVV.
• Username enumeration via reset password.
• Let's do this.
47. • run app.activity.start --component org.owasp.goatdroid.herdfinancial org.owasp.goatdroid.herdfinancial.activities.Main
48. • In the authorization vulnerability we simply bypass the privilege; we can also call it privilege escalation.
• Horizontal: normal user to normal user.
• Vertical: normal user to root user.
• Let's do this.
50. • This kind of vulnerability occurs when sensitive information like usernames and passwords is hardcoded.
• Managing the private key of any encryption algorithm.
• Using poor algorithms (RC4, MD4, SHA1).
• Let's do this.
51.
• Open JD-GUI and open the StatmentDBHelper class.
• You can also open the UserInfoDBHelper class.
• You can see above that the passwords for encrypting the DB files are stored in the HerdFinancial application. The passwords are hammer and havey0us33nb@seball. So anyone with the HerdFinancial application can get the passwords by reverse engineering and then decrypt the content using those keys.
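Slides 33 and 50/51 point at three things to look for in decompiled source: world-readable file modes, weak algorithms and hardcoded passwords. The block below is an added example, not part of the original deck or of MobSF: a small rule-based scanner over decompiled Java that reports each candidate line with advice. The rules are heuristics that pick review candidates, and the class, field names and sample source are constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line category text advice")

# Rules: (category, pattern, advice). Heuristics for decompiled Java; a hit is
# a line to review, not a confirmed vulnerability.
RULES = [
    ("insecure-storage",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "file is readable/writable by every app on the device; use MODE_PRIVATE"),
    ("weak-crypto",
     re.compile(r"(?:Cipher|MessageDigest)\.getInstance\(\s*\"(?:RC4|ARCFOUR|MD4|MD5|SHA-?1|DES)\b"),
     "broken or weak algorithm; use AES-GCM / SHA-256 or stronger"),
    ("hardcoded-secret",
     re.compile(r"(?i)(?:password|passwd|secret|api_?key|private_?key)\w*\s*=\s*\"[^\"]{4,}\""),
     "credential embedded in the APK; anyone with the app can recover it by reverse engineering"),
]

# Constructed sample of decompiled source for this example (not from any real app).
SAMPLE_SOURCE = """\
package com.example.bank;

public class StatementDBHelper {
    private static final String DB_PASSWORD = "example-db-passw0rd";
    private static final String API_KEY = "example-api-key-1234";

    void save(Context ctx) throws Exception {
        FileOutputStream out = ctx.openFileOutput("statements.db", Context.MODE_WORLD_READABLE);
        FileOutputStream ok = ctx.openFileOutput("prefs.xml", Context.MODE_PRIVATE);
        MessageDigest md = MessageDigest.getInstance("SHA1");
        MessageDigest strong = MessageDigest.getInstance("SHA-256");
        Cipher c = Cipher.getInstance("RC4");
    }
}
"""


def scan_source(source):
    """Return one Finding per (line, rule) match, in file order."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if stripped.startswith("//"):
            continue  # commented-out code is noise for this check
        for category, pattern, advice in RULES:
            if pattern.search(text):
                findings.append(Finding(number, category, stripped, advice))
    return findings


def summarize(findings):
    """Count findings per category, handy for a quick triage table."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print("line %d [%s] %s\n    -> %s" % (f.line, f.category, f.text, f.advice))
    print(summarize(results))
```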
53. • SQL injection: simple, as used in web applications (Boolean based).
• JavaScript injection: if you have your Google account attached to the device, then you can use your Google account in the Android browser without authentication.
• Let's see the DIVA input validation 1 example.
54. • Mobile malware or other malicious apps may perform a binary attack against the presentation layer (HTML, JavaScript, Cascading Style Sheets) or the actual binary of the mobile app's executable. These code injections are executed either by the mobile app's framework or by the binary itself at run time.
56. • Your mobile application can accept data from all kinds of sources. In most cases this will be an Inter Process Communication (IPC) mechanism.
• Inter Process Communication happens with the help of intents.
• An intent is basically a message that is passed between components (such as Activities, Services, Broadcast Receivers, and Content Providers).
57. To keep it simple, an Intent can be used:
• To start an Activity, typically opening a user interface for an app
• As a broadcast to inform the system and apps of changes
• To start, stop, and communicate with a background Service
• To access data via ContentProviders
• As a callback to handle events
58. • run app.package.attacksurface com.mwr.example.sieve
• We can see there are two exported Content Providers.
• run app.provider.finduri com.mwr.example.sieve
• So by using the app.provider.finduri module we have found some of the exported content provider URIs, which can be accessed by other apps installed on the same device.
• We can see that there are two similar URIs.
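Slides 22/23 introduce the manifest and its components, slides 46/47 show an exported post-login activity, and slide 58 runs drozer's app.package.attacksurface. The block below is an added example, not part of the original deck or of drozer: it computes the same exported-component list from AndroidManifest.xml alone, applying the platform's defaults when android:exported is absent (an intent filter exports an activity, service or receiver; a provider is exported by default only up to targetSdkVersion 16), and singles out exported components that no permission guards. The package and component names in the sample manifest are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for this example (not from any real app): one
# post-login activity and one service are reachable by any app on the device,
# one provider is exported but guarded by a read permission.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="25"/>
  <application>
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <provider android:name=".StatementProvider"
        android:authorities="com.example.bank.statements"
        android:exported="true"
        android:readPermission="com.example.bank.READ_STATEMENTS"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Apply the platform's default rules when android:exported is not set."""
    explicit = android_attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return target_sdk <= 16  # providers defaulted to exported up to API 16
    # Activities, services and receivers are exported implicitly by an intent filter.
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """True for the launcher activity, which is expected to be exported."""
    for filt in elem.findall("intent-filter"):
        for cat in filt.findall("category"):
            if android_attr(cat, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def is_protected(elem):
    """True if reaching the component requires a permission."""
    return any(android_attr(elem, a) is not None
               for a in ("permission", "readPermission", "writePermission"))


def attack_surface(manifest_xml):
    """Exported components, in manifest order, with their protection status."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(android_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    surface = []
    for elem in root.find("application"):
        if elem.tag in COMPONENT_TAGS and is_exported(elem, target_sdk):
            surface.append({"kind": elem.tag, "name": android_attr(elem, "name"),
                            "protected": is_protected(elem),
                            "launcher": elem.tag == "activity" and is_launcher(elem)})
    return surface


def unprotected(manifest_xml):
    """Exported, non-launcher components with no permission: review these first."""
    return [c["name"] for c in attack_surface(manifest_xml)
            if not c["protected"] and not c["launcher"]]


if __name__ == "__main__":
    for c in attack_surface(SAMPLE_MANIFEST):
        print("%-8s %-20s protected=%s" % (c["kind"], c["name"], c["protected"]))
    print("review first:", unprotected(SAMPLE_MANIFEST))
```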
61. • Session handling is a very important part after authentication has been done.
• No session destruction on the server side: when the user opts to log out, the application just sends a null cookie; the session cookie is still valid on the server side and is not destroyed after the user uses the logout feature.
• Cookie not set as Secure: the Secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response.
63. • Android applications are delivered in the .apk file format, which an adversary can reverse engineer to see all the code contained in it.
• d2j-dex2jar
• Then open the jar file with JD-GUI.
• An attacker can also insert malicious code, recompile the app and deliver it to normal users.
• Let's do a reverse shell demo.
64. The power of drozer
• Drozer is a framework for Android security assessments developed by MWR Labs.
• It is one of the best tools available for Android security assessments.
• https://www.mwrinfosecurity.com/products/drozer/community-edition/
65. • To start working with Drozer for your assessments, we need to connect the Drozer console on the workstation to the agent sitting on the emulator.
• To do this, start the agent on your emulator and run the following command to forward the port. Make sure you are running the embedded server when launching the agent.
• adb forward tcp:31415 tcp:31415
• drozer console connect
67. • https://github.com/MobSF/Mobile-Security-Framework-MobSF
• Python 2.7: download and install
• Oracle JDK 1.7 or above
• c:\python27\python.exe -m pip install -r "path\requirements.txt"
• c:\python27\python.exe "path\manage.py" runserver
68. • You can navigate to http://localhost:8000/ to access the MobSF web interface.
• The pip command is a tool for installing and managing Python packages.