TA
Uploaded byTaseen Ali
133 views

mobsf.pdf

Ajin Abraham presented Mobile Security Framework (MobSF), an open source tool for mobile application security testing. MobSF includes static and dynamic analysis as well as a web API fuzzer. Static analysis scans the app code and binaries to detect vulnerabilities. Dynamic analysis monitors the app's network traffic and behavior through an agent. The web API fuzzer tests APIs for issues like IDOR, SSRF, and XXE. MobSF provides automated security testing to help mobile app developers and penetration testers.

Embed presentation

Download to read offline
Ajin Abraham
About Me Security Engineering @ Next Gen Runtime Application Self Protection (RASP) Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. Teach Security via https://opsecx.com Blog about Security: http://opensecurity.in
The Takeaways A FREE and Open Source Security Tool for Mobile App Security Assessment. Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
Agenda What is MobSF? MobSF Architecture Static Analyzer Dynamic Analyzer Web API Fuzzer Static Analysis Static Analysis & some Statistics Top Indian and European Bank Mobile Apps Top Indian and European Wallet Mobile Apps Observations Dynamic Analysis Dynamic SSL Testing Exported Activity Tester Challenges in Dynamic Analysis Dynamic Analysis on Custom VM/ Rooted Android Device. Web API Fuzzer Vulnerabilities API Fuzzer detects. Explains the API Fuzzer Logic. Conclusion
What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
Hosted in your environment. Your application and data is never send to the cloud.
MobSF Architecture
Static Analyzer Mobile Security Framework INPUT OUTPUT REPORT
Demo Static Analysis & Report Generation
Static Analysis & Some Statistics Static Analysis on Top Financial Apps - Criteria SSL bypass in Native Code SSL bypass in WebView Weak Crypto Remote Web View Debugging Hardcoded Secrets
Top Indian Bank Apps Analyzed
Face palm
Top Indian Wallet Apps Analyzed
Top EU Bank Apps Analyzed
Top EU Wallet Apps Analyzed
Observations State of Mobile App Security, Not evolved as Web Security. Most common issue are: Indian Apps: SSL Bypass in (Both Native Code and WebView) European Apps : Weak Crypto and Hardcoded Secrets SSL Error bypassed in WebViews are really really bad.
Real-world Exploitation
Dynamic Analyzer Mobile Security Framework INPUT Android VM Or Android Device REPORT OUTPUT
Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
DEMO (LockX)
Dynamic SSL Testing Dynamically verify if SSL connections are securely implemented. Disable JustTrustMe and Remove MobSF Root CA. If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
Exported Activity Tester Android Exported Activities. DEMO
Challenges in Dynamic Analysis Some Android Apps are built with security in mind. Anti VM Detection Anti Root Detection Anti MITM with Certificate Pinning. Missing Libraries/Dependencies Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
How to deal with these Challenges API overriding with Xposed Framework Anti VM Detection Bypass –> Android Blue Pill Anti Root Detection Bypass -> RootCloak Anti MITM Certificate Pinning Bypass -> JustTrustMe APK smali Patching, Custom Xposed Module For sophisticated apps and malware, Use a real device for dynamic analysis.
Dynamic Analysis on Device MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis Documentation here: https://github.com/ajinabraham/Mobile-Security- Framework-MobSF/wiki/2.-Configure-MobSF-Dynamic- Analysis-Environment-in-your-Android-Device-or-VM
Web API Fuzzer • Login API • Pin API • Register API • Logout API Select • Select Scope URLs of Scan • Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
Fuzzing REST APIs Why most web scanners suck at API Testing? We have knowledge about the application and generic API routes (Login, Logout, Register). So we use more of Whitebox approach than Blackbox approach. Detects vulnerabilities like IDOR, SSRF and XXE.
What We Detect XXE SSRF IDOR Directory Traversal or Path Traversal Logical and Session Related API Rate Limiting
How we Detect
SSRF & XXE API Server Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
Insecure Direct Object Reference (IDOR) Without Credentials. With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
Session Related Checks Web API Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
Rate Limiter Web API Fuzzer API Server Brute force Login API and Register API
Other Checks Security Headers and Info Gathering Directory/ Path Traversal
DEMO
What's Coming Soon? Windows App Security Analyzer. iOS App Dynamic Analysis with Device. API Fuzzer to support detection of SQLi and RCE. Export Proxy logs to BurpSuite/IronWASP/ZAP
Useful Links Source: https://github.com/ajinabraham/Mobile-Security-Framework Issues: https://github.com/ajinabraham/Mobile-Security- Framework/issues Documentation: https://github.com/ajinabraham/Mobile-Security- Framework-MobSF/wiki Video Course: https://opsecx.com/index.php/product/automated- mobile-application-security-assessment-with-mobsf/
QA @ajinabraham ajin25@gmail.com Thanks & Credits • Sachinraj Shetty • Kamaiah Nadavala • Bharadwaj Machiraju • Yashin Mehboobe • Anto Joseph • Tim Brown • Thomas Abraham • Graphics/Image Owners

More Related Content

PDF
Android pentesting
byMykhailo Antonishyn
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
PPTX
Android Penetration testing - Day 2
byMohammed Adam
 
PDF
PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdf
byShadowman Kung
 
PPTX
Android pentesting
byMykhailo Antonishyn
 
PPTX
Droidcon mobile security
byJudy Ngure
 
PDF
Security testing in mobile applications
byJose Manuel Ortega Candel
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
Android pentesting
byMykhailo Antonishyn
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
Android Penetration testing - Day 2
byMohammed Adam
 
PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdf
byShadowman Kung
 
Android pentesting
byMykhailo Antonishyn
 
Droidcon mobile security
byJudy Ngure
 
Security testing in mobile applications
byJose Manuel Ortega Candel
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 

Similar to mobsf.pdf

PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PDF
Getting started with hacking android & i os apps tools, techniques and re...
byn|u - The Open Security Community
 
PPTX
Mobile SF
byyarden hanan
 
PDF
Mobile App Security Testing: Tools, Techniques & Insights
bydigitaljignect
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PDF
AppSec PNW: Android and iOS Application Security with MobSF
byAjin Abraham
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
PPTX
Pentesting Android Apps
byAbdelhamid Limami
 
PDF
apidays New York 2023 - Android Applications and APIs Hacking, Gabrielle Botb...
byapidays
 
PPTX
Mobile security and drozer tool demo
byGowthamraj Palani
 
ODP
Mobile Apps Security Testing -1
byKrisshhna Daasaarii
 
PPTX
18-mobile-malware.pptx
bysundar110567
 
PPTX
Getting Started with API Security Testing
bySmartBear
 
PDF
Top 15 Mobile Hacking Tools for Android and iOS Testing.pdf
bymanisha06650
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PDF
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
byTEST Huddle
 
PDF
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
bykalichargn70th171
 
PPTX
Windows Phone 8 Security and Testing WP8 Apps
byJorge Orchilles
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
PPTX
Building a Mobile Security Program
byDenim Group
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
Getting started with hacking android & i os apps tools, techniques and re...
byn|u - The Open Security Community
 
Mobile SF
byyarden hanan
 
Mobile App Security Testing: Tools, Techniques & Insights
bydigitaljignect
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
AppSec PNW: Android and iOS Application Security with MobSF
byAjin Abraham
 
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
Pentesting Android Apps
byAbdelhamid Limami
 
apidays New York 2023 - Android Applications and APIs Hacking, Gabrielle Botb...
byapidays
 
Mobile security and drozer tool demo
byGowthamraj Palani
 
Mobile Apps Security Testing -1
byKrisshhna Daasaarii
 
18-mobile-malware.pptx
bysundar110567
 
Getting Started with API Security Testing
bySmartBear
 
Top 15 Mobile Hacking Tools for Android and iOS Testing.pdf
bymanisha06650
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
byTEST Huddle
 
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
bykalichargn70th171
 
Windows Phone 8 Security and Testing WP8 Apps
byJorge Orchilles
 
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
Building a Mobile Security Program
byDenim Group
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 

mobsf.pdf

  • 1.
  • 2.
    About Me Security Engineering@ Next Gen Runtime Application Self Protection (RASP) Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. Teach Security via https://opsecx.com Blog about Security: http://opensecurity.in
  • 3.
    The Takeaways A FREEand Open Source Security Tool for Mobile App Security Assessment. Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
  • 4.
    Agenda What is MobSF? MobSFArchitecture Static Analyzer Dynamic Analyzer Web API Fuzzer Static Analysis Static Analysis & some Statistics Top Indian and European Bank Mobile Apps Top Indian and European Wallet Mobile Apps Observations Dynamic Analysis Dynamic SSL Testing Exported Activity Tester Challenges in Dynamic Analysis Dynamic Analysis on Custom VM/ Rooted Android Device. Web API Fuzzer Vulnerabilities API Fuzzer detects. Explains the API Fuzzer Logic. Conclusion
  • 5.
    What is MobSF? MobileSecurity Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
  • 6.
    Hosted in yourenvironment. Your application and data is never send to the cloud.
  • 7.
  • 8.
    Static Analyzer Mobile SecurityFramework INPUT OUTPUT REPORT
  • 9.
    Demo Static Analysis &Report Generation
  • 10.
    Static Analysis &Some Statistics Static Analysis on Top Financial Apps - Criteria SSL bypass in Native Code SSL bypass in WebView Weak Crypto Remote Web View Debugging Hardcoded Secrets
  • 11.
    Top Indian BankApps Analyzed
  • 12.
  • 13.
    Top Indian WalletApps Analyzed
  • 14.
    Top EU BankApps Analyzed
  • 15.
    Top EU WalletApps Analyzed
  • 16.
    Observations State of MobileApp Security, Not evolved as Web Security. Most common issue are: Indian Apps: SSL Bypass in (Both Native Code and WebView) European Apps : Weak Crypto and Hardcoded Secrets SSL Error bypassed in WebViews are really really bad.
  • 17.
  • 18.
    Dynamic Analyzer Mobile SecurityFramework INPUT Android VM Or Android Device REPORT OUTPUT
  • 19.
    Dynamic Analyzer - Architecture DynamicAnalyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
  • 20.
  • 21.
    Dynamic SSL Testing Dynamicallyverify if SSL connections are securely implemented. Disable JustTrustMe and Remove MobSF Root CA. If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
  • 22.
    Exported Activity Tester AndroidExported Activities. DEMO
  • 23.
    Challenges in Dynamic Analysis SomeAndroid Apps are built with security in mind. Anti VM Detection Anti Root Detection Anti MITM with Certificate Pinning. Missing Libraries/Dependencies Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
  • 24.
    How to dealwith these Challenges API overriding with Xposed Framework Anti VM Detection Bypass –> Android Blue Pill Anti Root Detection Bypass -> RootCloak Anti MITM Certificate Pinning Bypass -> JustTrustMe APK smali Patching, Custom Xposed Module For sophisticated apps and malware, Use a real device for dynamic analysis.
  • 25.
    Dynamic Analysis onDevice MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis Documentation here: https://github.com/ajinabraham/Mobile-Security- Framework-MobSF/wiki/2.-Configure-MobSF-Dynamic- Analysis-Environment-in-your-Android-Device-or-VM
  • 26.
    Web API Fuzzer •Login API • Pin API • Register API • Logout API Select • Select Scope URLs of Scan • Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
  • 27.
    Fuzzing REST APIs Whymost web scanners suck at API Testing? We have knowledge about the application and generic API routes (Login, Logout, Register). So we use more of Whitebox approach than Blackbox approach. Detects vulnerabilities like IDOR, SSRF and XXE.
  • 28.
    What We Detect XXE SSRF IDOR DirectoryTraversal or Path Traversal Logical and Session Related API Rate Limiting
  • 29.
  • 30.
    SSRF & XXE APIServer Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
  • 31.
    Insecure Direct ObjectReference (IDOR) Without Credentials. With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
  • 32.
    Session Related Checks WebAPI Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
  • 33.
    Rate Limiter Web API Fuzzer APIServer Brute force Login API and Register API
  • 34.
    Other Checks Security Headersand Info Gathering Directory/ Path Traversal
  • 35.
  • 36.
    What's Coming Soon? WindowsApp Security Analyzer. iOS App Dynamic Analysis with Device. API Fuzzer to support detection of SQLi and RCE. Export Proxy logs to BurpSuite/IronWASP/ZAP
  • 37.
    Useful Links Source: https://github.com/ajinabraham/Mobile-Security-Framework Issues:https://github.com/ajinabraham/Mobile-Security- Framework/issues Documentation: https://github.com/ajinabraham/Mobile-Security- Framework-MobSF/wiki Video Course: https://opsecx.com/index.php/product/automated- mobile-application-security-assessment-with-mobsf/
  • 38.
    QA @ajinabraham ajin25@gmail.com Thanks & Credits •Sachinraj Shetty • Kamaiah Nadavala • Bharadwaj Machiraju • Yashin Mehboobe • Anto Joseph • Tim Brown • Thomas Abraham • Graphics/Image Owners