This document summarizes a presentation on mobile security testing given by Sven Schleier and Ryan Teoh. It discusses the OWASP Mobile Security Project, including the Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG). The MASVS defines security best practices for mobile apps, while the MSTG provides a manual for testing mobile app security. The presentation demonstrates techniques for bypassing SSL pinning and extracting Android keys using Frida during dynamic analysis. It highlights challenges around assessing anti-reversing defenses and the need for practical reverse engineering skills in mobile security testing.
2. Agenda
• OWASP Mobile Security Project
• Mobile AppSec Verification Standard (MASVS)
• Automation of the MASVS
• Mobile Security Testing Guide (MSTG)
• Reverse Engineering of Mobile Apps
3. # /usr/bin/whoami
• Hi everyone, my name is Sven
• Managing Principal Consultant at Vantage Point Security
• Professional Penetration tester since 2010
• Security Architect for Web and Mobile Apps during SDLC
• One of the project leaders for:
• OWASP Mobile Security Testing Guide (MSTG) and
• Mobile AppSec Verification Standard (MASVS)
4. Why Mobile Application Security?
Attack Surface (diagram with the layers Physical, Network, HTTP(s) and Application)
• It all started with Network & Physical Security
• Protecting the perimeter
• Ensuring endpoints are secure
• Application Security plays an important part
• But, different skills are required to support Mobile Application Security
5. Why Mobile Application Security?
Mobile Applications are different compared to Web Apps:
Different Attack Surface (examples)
• Interaction with the OS through APIs or with other apps through IPC
• Local Storage
• Local Authentication (scanning fingerprint/face/iris)
• Reverse Engineering
7. Why Mobile Application Security?
Mobile Applications are different compared to Web Apps:
Different Vulnerabilities (examples)
Disclosure of sensitive data on the mobile device, through
• Storing data in cleartext
• Logging
• Exposing in memory
Build settings and code quality
What about CSRF?
What about XSS?
Don't blindly trust your scanning tool's output!
8. Why Mobile Application Security?
Mobile Applications are different compared to Web Apps:
https://twitter.com/natashenka/status/941737682803159040
9. OWASP Mobile Security Project – Our “Products”
Mobile Security Testing Guide
• Around 550+ pages
• Free Ebook: https://leanpub.com/mobile-security-testing-guide
• Hardcopy, Printed Book (soon)!
Mobile AppSec Verification Standard
• PDF Download: https://github.com/OWASP/owasp-masvs/releases
Mobile AppSec Checklist
• Excel :(
• https://github.com/OWASP/owasp-mstg/tree/master/Checklists
11. OWASP Mobile Application Security Verification Standard (MASVS)
• Started as a fork of the OWASP ASVS
• Formalizes best practices
• Mobile-specific, high-level, OS-agnostic
12. OWASP Mobile Application Security Verification Standard (MASVS)
V2: Data Storage and Privacy Requirements
15. OWASP Mobile Application Security Verification Standard (MASVS)
https://github.com/OWASP/owasp-masvs/issues/117
Opinions, opinions, opinions…
16. OWASP Mobile Application Security Verification Standard (MASVS)
Our Philosophy
44 Security Requirements (Level 1)
18 Defense-in-Depth Measures (Level 2)
12 Anti-Reversing Controls
Covered in 8 domains
17. OWASP Mobile Application Security Verification Standard (MASVS)
Keeping Things Flexible: Requirement “Levels”
18. OWASP Mobile Application Security Verification Standard (MASVS)
MASVS-Level 1 (L1): Security best practices applicable to all mobile apps. Example:
19. OWASP Mobile Application Security Verification Standard (MASVS)
MASVS-Level 2 (L2): Defense-in-depth controls for sensitive apps (e.g. financial transactions). Example:
20. OWASP Mobile Application Security Verification Standard (MASVS)
MASVS-R: Resiliency Against Reverse Engineering and Tampering:
The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks such as tampering, modding, or reverse engineering to extract sensitive code or data.
21. OWASP Mobile Application Security Verification Standard (MASVS)
Ok, so why are security requirements so important?
To avoid this: Pentesters after turning a report in...
22. OWASP Mobile Application Security Verification Standard (MASVS)
How to use the MASVS (or how to shift left and build security in)
During early stages of development:
• Basis for (future) design decisions and enhancements
• Helps build internal baselines for Mobile Security and Coding Guidelines
• To determine security requirements early on. For example:
While Implementing:
• Track the security requirements during development
• Redefine security requirements when business requirements change
During Penetration Test:
• Share the status of your security requirements with the tester
23. OWASP MASVS – Automation with BDD
• MASVS is becoming the de facto standard for mobile security testing
• All the checks are currently performed manually by pentesters, security engineers, developers etc.
• The test cases are well described and detailed in a simple descriptive language
• We can automate some of them
• Testing needs to adapt to the Agile way of working (WoW)
• Having these tests integrated in the CI/CD pipeline would benefit development
Disclaimer: Research by Davide Cioccia
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
24. OWASP MASVS – Automation with BDD
Pipeline stages (diagram): Requirements → Design → Code → Build → Test → Release
Activities placed along the pipeline:
• Security Requirements
• Threat modeling (abuse case generation)
• Threat based security controls & test specification
• Implement BDD standardized security tests
• Implement BDD application specific security tests
• Test against acceptance environment
• MSTG Test cases, MASVS Checklist, Manual PT
• Identify the flaw, Patch the flaw
27. OWASP MASVS – Automation with BDD
Feature files (.feature)
• A feature file is the entry point to the Cucumber tests. In it you describe your tests in a descriptive language (like English).
• It’s written in Gherkin syntax*
• Contains:
– Feature: describes the feature we are going to test
– Scenario(s): describe the behavior of the test
* https://github.com/cucumber/cucumber/wiki/Gherkin
28. OWASP MASVS – Automation
Steps
• Implement the Gherkin steps
• Each step is a Ruby function that takes the step's parameters as input
• We use the Android tools to perform the analysis on the device
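As an added example of how a feature (slide 27) maps onto a Ruby step (slide 28), not taken from the slides or from Davide Cioccia's framework: a check for the MASVS data-storage area that parses an `ls -l` listing of the app's private `shared_prefs` directory and flags files other apps could read or write. The Gherkin scenario, the package name and the directory listing are constructed for illustration; on a device the listing would come from `adb shell run-as <package> ls -l shared_prefs` (which only works for debuggable builds), and `private_storage_ok?` would be called from the step definition.

```ruby
# Added example (not from the slides or the ING BDD framework): a step-style
# check for MASVS V2 (data storage). It parses `ls -l` output from an Android
# device and flags files in the app's private directory that other apps on the
# device could read or write. Package name and listing below are constructed.

# Gherkin scenario such a step would implement (constructed, for context).
FEATURE = <<~GHERKIN
  Feature: MASVS V2 - Data Storage and Privacy
    Scenario: App data is not readable by other apps
      Given the app "org.owasp.mstg.playground" is installed
      When I list the files in its shared_prefs directory
      Then no file is readable or writable by other apps
GHERKIN

# Constructed `adb shell run-as <pkg> ls -l shared_prefs` output (toybox format).
SAMPLE_LS_OUTPUT = <<~LS
  total 16
  -rw-rw---- 1 u0_a123 u0_a123  412 2018-06-01 10:00 user_prefs.xml
  -rw-rw-rw- 1 u0_a123 u0_a123 1024 2018-06-01 10:01 session_cache.xml
  -rw-rw-r-- 1 u0_a123 u0_a123  230 2018-06-01 10:02 analytics.xml
  drwxrwx--x 2 u0_a123 u0_a123 4096 2018-06-01 10:03 backup
LS

# Parse one `ls -l` line into {name:, mode:}; returns nil for "total" and blanks.
def parse_ls_line(line)
  fields = line.strip.split(/\s+/, 8)
  return nil unless fields.size == 8 && fields[0] =~ /\A[-dl][rwxsStT-]{9}\z/
  { name: fields[7], mode: fields[0] }
end

# Characters 8-10 of the mode string are the "other" permission bits. Each
# Android app runs as its own Linux user, so anything set here is reachable by
# every other app on the device.
def other_access(mode)
  issues = []
  issues << "world-readable" if mode[7] == "r"
  issues << "world-writable" if mode[8] == "w"
  issues
end

# Findings as [{name:, mode:, issues: [...]}, ...] for offending entries only.
def insecure_entries(ls_output)
  ls_output.each_line.filter_map do |line|
    entry = parse_ls_line(line)
    next nil if entry.nil?
    issues = other_access(entry[:mode])
    issues.empty? ? nil : entry.merge(issues: issues)
  end
end

# The "Then" step: passes only when nothing in the listing is exposed.
def private_storage_ok?(ls_output)
  insecure_entries(ls_output).empty?
end

# Live variant for a device run (not executed here): needs a debuggable build.
def list_shared_prefs(package)
  `adb shell run-as #{package} ls -l shared_prefs`
end

if __FILE__ == $PROGRAM_NAME
  insecure_entries(SAMPLE_LS_OUTPUT).each do |e|
    puts "#{e[:mode]} #{e[:name]}: #{e[:issues].join(', ')}"
  end
  puts(private_storage_ok?(SAMPLE_LS_OUTPUT) ? "PASS" : "FAIL")
end
```

On the constructed listing the step fails: `session_cache.xml` is world-readable and world-writable and `analytics.xml` is world-readable, while `user_prefs.xml` (mode `-rw-rw----`) passes. Keeping the parsing and the verdict in plain Ruby functions, with the `adb` call isolated in `list_shared_prefs`, is what makes the check testable offline in the CI pipeline the slides describe.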
30. OWASP MASVS – Automation
BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash
by Davide Cioccia
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
Github Repo:
https://github.com/ing-bank/bdd-mobile-security-automation-framework/
31. OWASP Mobile Application Security Verification Standard (MASVS)
We are getting mainstream :)
https://t.co/a6XztoKHz8
32. OWASP Mobile Application Security Verification Standard (MASVS)
Version 1.1 was released last week!
✓ Download it
✓ Read it
✓ Use it
✓ Give Feedback! Create an issue:
https://github.com/OWASP/owasp-masvs/issues
MASVS
Github - https://goo.gl/YMCC8B
Gitbook - https://goo.gl/cLqTQE
ePub - https://goo.gl/P7b9Lm
Export as Doc - https://goo.gl/ySSbLJ
We also have translations into Spanish and Russian!
Interested in doing a Chinese version? Ping me :)
34. OWASP Mobile Security Testing Guide Standard (MSTG)
What is the Mobile Security Testing Guide (MSTG)?
• Manual for testing the security maturity of mobile apps
• Maps directly to the MASVS requirements
• Focusing on iOS and Android native applications
• Goal is to ensure completeness of mobile app security testing through a consistent testing methodology
• For security checks of the (server-side) endpoint, the OWASP Web Application Testing Guide should be used
35. OWASP Mobile Security Testing Guide Standard (MSTG)
Structure
• General Testing Guide
• Android Testing Guide
• iOS Testing Guide
Gitbook: https://mobile-security.gitbook.io/mobile-security-testing-guide/
ePub Download: https://leanpub.com/mobile-security-testing-guide
36. OWASP Mobile Security Testing Guide Standard (MSTG)
How does a penetration tester usually test iOS Apps?
Jailbroken device:
• Cydia
• Full Root Access
Dynamic instrumentation on a non-jailbroken device:
• Repackage the app with a dynamic library called Frida
• No full root access (marked X on the slide)
See also: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/tampering-and-reverse-engineering-on-ios#dynamic-analysis-on-non-jailbroken-devices
37. OWASP Mobile Security Testing Guide Standard (MSTG)
What is SSL Pinning again?
Diagram: the Server presents a certificate chain, CA (Certificate Authority) or Root CA, then Intermediate Certificate, then TLS (Leaf) Certificate, which the client validates against its Truststore.
X.509 v3 Digital Certificate: (certificate fields shown on the slide)
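As an added example, not from the slides or the MSTG: Ruby code that computes the value an app actually pins, the SHA-256 hash of the certificate's SubjectPublicKeyInfo, and goes one step beyond the slide by showing why pinning the public key rather than the whole certificate lets the server renew its leaf certificate (same key pair) without breaking the app, while a key rotation changes the pin. The key pairs and certificates are generated inside the script, the hostname `api.example.test` is a placeholder, and the Network Security Config emitted at the end follows Android's documented `<pin-set>` format.

```ruby
# Added example (not from the slides): computing SPKI pins for certificate
# pinning and emitting an Android Network Security Config that uses them.
# Keys, certificates and the host name api.example.test are constructed here.
require "openssl"

# Self-signed test certificate for a given key pair (stand-in for the server's
# leaf certificate; in practice you would load the real certificate).
def make_cert(key, serial:, cn: "api.example.test", days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). This is the value
# accepted by Android's Network Security Config and by OkHttp's CertificatePinner
# (there prefixed with "sha256/"), and what the usual command line produces:
#   openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
#     | openssl dgst -sha256 -binary | base64
def spki_pin(cert)
  spki_der = cert.public_key.to_der # SubjectPublicKeyInfo for a public key
  [OpenSSL::Digest.new("SHA256").digest(spki_der)].pack("m0") # strict base64
end

# Android Network Security Config <pin-set>: ship a backup pin so a planned key
# rotation does not lock users out, and set an expiration so a forgotten pin
# set degrades to normal trust-store validation instead of a hard outage.
def network_security_config(domain, pins, expiration:)
  pin_lines = pins.map { |p| %(      <pin digest="SHA-256">#{p}</pin>) }.join("\n")
  <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
      <domain-config>
        <domain includeSubdomains="true">#{domain}</domain>
        <pin-set expiration="#{expiration}">
    #{pin_lines}
        </pin-set>
      </domain-config>
    </network-security-config>
  XML
end

# Same key pair with a renewed certificate (new serial and validity) keeps the
# pin; a new key pair changes it, so the new pin must reach the app first.
def demo_pins
  key_a = OpenSSL::PKey::RSA.new(2048)
  key_b = OpenSSL::PKey::RSA.new(2048)
  current = make_cert(key_a, serial: 1)
  renewed = make_cert(key_a, serial: 2, days: 730)
  rotated = make_cert(key_b, serial: 3)
  { current: spki_pin(current), renewed: spki_pin(renewed), rotated: spki_pin(rotated) }
end

if __FILE__ == $PROGRAM_NAME
  pins = demo_pins
  puts "current: #{pins[:current]}"
  puts "renewed: #{pins[:renewed]} (same key, pin unchanged: #{pins[:current] == pins[:renewed]})"
  puts "rotated: #{pins[:rotated]} (new key, new pin)"
  puts network_security_config("api.example.test", [pins[:current], pins[:rotated]],
                               expiration: "2019-12-31")
end
```

The pin is 44 characters of base64 (32 hash bytes). Pinning the SPKI hash rather than the leaf certificate's fingerprint is why the renewed certificate above produces an identical pin; bypass tooling such as the Frida demo on the next slides works by replacing the app-side check entirely, so the pin format itself does not need to be secret, only correct and kept current.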
38. OWASP Mobile Security Testing Guide Standard (MSTG)
Dynamic Instrumentation - Bypassing SSL Pinning
Snapchat
DEMO
39. OWASP Mobile Security Testing Guide Standard (MSTG)
Where can I get it?
MSTG
Github - https://goo.gl/k5z9Fs
Gitbook - https://goo.gl/SH6bK3
ePub - https://goo.gl/oNCFCJ
Export as Doc - https://goo.gl/FvTftn
✓ Download it
✓ Read it
✓ Use it
✓ Give Feedback! Create an issue
https://github.com/OWASP/owasp-mstg/issues
40. OWASP Mobile Security Testing Guide Standard (MSTG)
What’s next?
• Q3/2018 publish the book as hard copy
• Training at OWASP AppSec USA 2018 (https://goo.gl/yf61nG)
So then it’s done, right? No…
• Updates for iOS 11/12
• Updates for Android O/P
• Mobile Application Frameworks are missing (Apache Cordova, PhoneGap, …)
• Code samples for Kotlin, Swift
• Check our project page - https://github.com/OWASP/owasp-mstg/projects/2
41. 82 Contributors to the MSTG according to GitHub!
Thanks for all the hard and great work to make this project a success!
Authors Co-Authors Top Contributors Reviewers Editors
Bernhard Mueller
Sven Schleier
Romuald Szkudlarek
Jeroen Willemsen
Pawel Rzepa
Francesco Stillavato
Andreas Happe
Alexander Anthuk
Henry Hoggard
Wen Bin Kong
Abdessamad Temmar
Bolot Kerimbaev
Slawomir Kosowski
Sjoerd Langkemper
Anant Shrivastava
Heaven Hodges
Caitlin Andrews
Nick Epson
Anita Diamond
Anna Szkudlarek
Be part of an awesome journey and contribute to the MSTG!
We are searching for additional authors, reviewers and editors.
https://github.com/OWASP/owasp-mstg#contributions-feature-requests-and-feedback
The full list of contributors is available on GitHub:
https://github.com/OWASP/owasp-mstg/graphs/contributors
44. OWASP Mobile Security Testing Guide Standard (MSTG)
Reverse Engineering in the MSTG
Security Testers have no good way of dealing with mobile software protections
45. OWASP Mobile Security Testing Guide Standard (MSTG)
Pentesters and Developers are confused
Report with security issue: « Lack of Obfuscation »
What are the developers supposed to do?
• minifyEnabled = true?
• Maybe encrypt strings?
• Apply complex control flow obfuscation?
• Maybe use some whitebox crypto?
The MSTG offers a proper assessment methodology.
46. OWASP Mobile Security Testing Guide Standard (MSTG)
Skills Needed For Assessing Anti-Reversing Schemes
Determine whether software protections are used appropriately
• Every software protection scheme can be defeated
• Never to be used as a replacement for security controls
• Viable uses: IP protection, DRM, preventing modding / cheating,
hardening against code injection / instrumentation
48. OWASP Mobile Security Testing Guide Standard (MSTG)
Reverse Engineering Content
• Building a reverse engineering environment for free
• Static and dynamic analysis
49. OWASP Mobile Security Testing Guide Standard (MSTG)
Reverse Engineering Content
• Tampering, patching and runtime instrumentation
50. Demo
Target: MSTG Hacking Playground - Android
Case #1: SSL Pinning
Objective: Demonstrate bypassing SSL Pinning using Frida
Case #2: Android keys extraction
Objective: Key extraction using Frida
51. SSL Pinning
• Understand the decompiled code
• Identify Class
• Identify Methods
• Identify argument and retval
• Instrument the methods
52. SSL Pinning
• Understand the decompiled code
• bytecode-viewer
• Identify Class
• “OMTG_NETW_004_SSL_Pinning_Certificate.class”
• Identify Methods
• HTTPSssLPinning()
• Identify argument and retval
• “java.io.InputStream”
• Instrument the methods
• Replacing multiple methods
53. Android Keys
• “Key material never enters the application process. If the app's
process is compromised, the attacker may be able to use the app's
keys but will not be able to extract their key material.”
• Depending on the device, key material may be bound to secure hardware (e.g. a Trusted Execution Environment (TEE) or Secure Element (SE))
• Let’s check whether we are able to extract the key material using Frida.
54. Key Extraction
• Hook decryptString() function
• Hook Cipher.init() function
• Print a different message based on the opcode (Cipher opmode)
• Print Public key
• Print Private key
• Bypass isEngineBased checks
• Cast it to OpenSSLPrivateKe
55. Conclusion
• The private key can be extracted when we cast it to OpenSSLRSAPrivateKey
• After inspection, we still cannot find methods to get the privateExponent, as there is no method we can hook to even try to get it :(
Frida Scripts used in Demos:
https://github.com/ryantzj/null-frida-script/tree/master
56. OWASP Mobile Security Testing Guide Standard (MSTG)
Practical Challenges!
« UnCrackable Mobile Apps »
https://github.com/OWASP/owasp-mstg/tree/master/Crackmes
Kudos to Bernhard Mueller (@bernhardm) who mainly did the Reverse Engineering Chapters and Crackmes