Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
•
2 likes•1,032 views
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Similar to Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA (20)
More from NowSecure
More from NowSecure (10)
Recently uploaded
Recently uploaded (20)
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
- 1. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information.
- 2. 85% 3rd Party AppStore Apps Violate OWASP MOBILE TOP 10 26% Custom Apps have at least 1 high risk flaw 82% of all digital time now spent on Mobile- only & Multi-platform more likely to leak account credentials Biz Apps 3X Source: NowSecure Software and Research Data 2016-2017 50% Android Apps dynamically load code missed by static analysis 2 35% Have un-encrypted data transmission
- 4. ● ● ● ●
- 8. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ 8 ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪Cross origin resource sharing ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
- 9. iOS APPS Dynamic code and assets MITM attacks Take the the attacker POV to test across app, compiler, data at rest, data in transit, OS, HW & SW during and after running the mobile app iOS FRAMEWORKS iOS NATIVE LIBRARIES iOS Mach/XNU KERNEL iOS HAL HARDWARE Buffer overflows Race conditions Forensic artifacts Malware Contact hijacking TARGET APP
- 10. .java files compiler .class files dx tool .dex filesAPK builder.apk files Jar signer .so files resources
- 11. STATIC SOURCE TESTING STATIC BINARY TESTING DYNAMIC BINARY TESTING BEHAVIORAL BINARY TESTING Observe the behavior of the app during runtime using insight from static and dynamic test results to identify actions that could be exploited by an attacker and compare to known patterns Uses dynamic binary instrumentation to trace functions and API calls Analyze the binary to identify vulnerabilities post compile, including 3rd party libraries Analyze the source strings to identify vulnerable code
- 14. ● ● ● ● ○ ● ○
- 18. ● ● ● ●
- 19. ● ● ● ○ ○ ● ○
- 20. ● ● ● ●
- 22. ● ○ ● ○ ● ○ ●
- 32. ● ● ● ● ●
- 33. ● ● ● ● ● ●
- 34. ● ○ ● ●
- 35. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Recommendations & Next Steps
- 36. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. BEST PRACTICE RECOMMENDATION 1. Get involved with OSS security tools a. Exploring tools like mitmproxy, androguard, apkid b. Start by visiting communities/blogs/website such as Caleb Fenton’s blog, follow @oleavr, @trufae, @mrmacete, @insitusec, @pof, @Morpheus______, @MobileSecurity_ 2. Level up with great tools like frida (@fridadotre), radare (@radareorg) and r2frida a. Leverage the links provided in this webinar for more information b. Grab a bug report/feature request and submit a pull request! 3. Investigate commercial software mobile AppSec testing tools that leverage OSS tools a. Explore automation to eliminate manual redundant work b. Explore integration into Dev/CI/CD tools for security shift left towards development
- 38. 38