• No results found

Mobile Security Framework

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Mobile Security Framework"

Copied!
38
0
0

Loading.... (view fulltext now)

Download now ( 38 Page )

Full text

(1)

Ajin Abraham

Automated Mobile Application

Security Testing with

(2)

About Me

!   Security Consultant @ Yodlee

!   Security Engineering @ IMMUNIO

!   Next Gen Runtime Application Self Protection

(RASP)

!   Author of OWASP Xenotix XSS Exploit

Framework, Mobile Security Framework.

!   Teach Security via https://opsecx.com

(3)
(4)

The Takeaways

!   A FREE and Open Source Security Tool for Mobile

App Security Assessment.

!   Mobile App Pentesters/Mobile Malware Analysts -

How to make your job easier with MobSF.

!   Developers – Build secure mobile Apps identifying

vulnerabilities at all stages of development. (SDLC Integration)

!   Web Pentesters – REST API Fuzzer capable of

(5)

Agenda

!   What is MobSF?

!   MobSF Architecture

!   Static Analyzer !   Dynamic Analyzer !   Web API Fuzzer

!   Static Analysis

!   Static Analysis & some

Statistics

!   Top Indian Bank Mobile Apps !   Top Indian Wallet Mobile Apps !   Observations

!   Dynamic Analysis

!   Dynamic SSL Testing !   Exported Activity Tester

!   Challenges in Dynamic Analysis !   Dynamic Analysis on Custom VM/

Rooted Android Device.

!   Web API Fuzzer

!   Vulnerabilities API Fuzzer detects. !   Explains the API Fuzzer Logic.

(6)

What is MobSF?

Mobile Security Framework

is an open source mobile application (Android/iOS) automated pentesting framework

capable of performing end to end security testing of mobile Apps.

(7)

Hosted in your environment. Your application and data is never send to the cloud.

(8)
(9)

Static Analyzer

Mobile Security Framework

INPUT OUTPUT

(10)

Demo

Static Analysis & Report Generation (Diva)

(11)

Static Analysis & Some Statistics

!   Static Analysis on Top Financial Apps - Criteria

!   SSL bypass in Native Code !   SSL bypass in WebView

!   Remote Web View Debugging !   Hardcoded Secrets

(12)
(13)
(14)
(15)

Observations

!   State of Mobile App Security, Not evolved as Web

Security.

!   Most common issue is SSL Bypass in (Both

Native Code and WebView)

!   SSL Error bypassed in WebViews are really

(16)
(17)

Dynamic Analyzer

Mobile Security Framework

INPUT Android VM

Or

Android Device

REPORT OUTPUT

(18)

Dynamic Analyzer - Architecture

Dynamic Analyzer AGENTS

Install and Run APK

HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data

Agent Collected Information

(19)

DEMO

(20)

Dynamic SSL Testing

!   Dynamically verify if SSL connections are securely

implemented.

!   Disable JustTrustMe and Remove MobSF Root CA.

!   If you can still access the decrypted HTTPS Web Traffic

(21)

Exported Activity Tester

!   Android Exported Activities.

(22)

Challenges in Dynamic Analysis

!   Some Android Apps are built with security in

mind.

!   Anti VM Detection !   Anti Root Detection

!   Anti MITM with Certificate Pinning.

!   Some Apps / Malwares have sophisticated

(23)

How to deal with these Challenges

!   API overriding with Xposed Framework

!  Anti VM Detection Bypass –> Android Blue Pill !  Anti Root Detection Bypass -> RootCloak

!  Anti MITM Certificate Pinning Bypass -> JustTrustMe !   APK smali Patching.

!   For sophisticated apps and malware, Use a real device

(24)

Dynamic Analysis on Device

! MobSFy Script – Convert your VM/ Device to support MobSF

Dynamic Analysis

!   Documentation here:

https://github.com/ajinabraham/Mobile-Security-Framework-

MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis-Environment-in-your-Android-Device-or-VM

!   DEMO : Weak Crypto

!   Java - String hashCode() Method

(25)

Web API Fuzzer

•  Login API •  Pin API •  Register API •  Logout API Select

•  Select Scope URLs of Scan

•  Select Scope Vulnerabilities

Web API Fuzzing Logic

REPORT OUTPUT

Web Request DB

(26)

Fuzzing REST APIs

!   Why most web scanners suck at API Testing? !   We have knowledge about the application and

generic API routes (Login, Logout, Register).

!   So we use more of Whitebox approach than

Blackbox approach.

(27)

What We Detect

!   XXE !   SSRF !   IDOR

!   Directory Traversal or Path Traversal !   Logical and Session Related

(28)
(29)

SSRF & XXE

API Server

Web API Fuzzer

MobSF Cloud Server

(30)

Insecure Direct Object Reference (IDOR)

!   Without Credentials.

!   With multiple user credentials (needs two login attempts)

Web API

Fuzzer API Server

Request with Auth Header/ Cookie

Request without Auth Header/ Cookie

API Server Web API

Fuzzer

Request with User1’s Auth Header/Cookie

Repeat the Request with a User2’s Auth Header/Cookie

(31)

Session Related Checks

Web API

Fuzzer API Server

Calls Logout API

Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie

(32)

Rate Limiter

Web API

Fuzzer API Server

(33)

Other Checks

!   Security Headers and Info Gathering !   Directory/ Path Traversal

(34)
(35)

What's Coming Soon?

!   Windows App Security Analyzer. !   iOS App Dynamic Analysis.

!   API Fuzzer to support detection of SQLi and

RCE.

(36)

Stakeholders

!   Looks like people are interested!

(37)

Useful Links

!   Source: https://github.com/ajinabraham/Mobile-Security-Framework !   Issues: https://github.com/ajinabraham/Mobile-Security-Framework/ issues !   Documentation: https://github.com/ajinabraham/Mobile-Security-Framework-MobSF/wiki !   Video Course: https://opsecx.com/index.php/product/automated-mobile-application-security-assessment-with-mobsf/

(38)

QA

@ajinabraham

ajin25@gmail.com

Thanks & Credits

•  Sachinraj Shetty •  Kamaiah Nadavala •  Bharadwaj Machiraju •  Yashin Mehboobe •  Anto Joseph •  Tim Brown •  Thomas Abraham •  Graphics/Image Owners

References

Download now ( PDF - 38 Page - 2.89 MB )

Related documents

Do revised giant panda population estimates aid in their conservation?

Giant panda population estimates for Wanglang Nature Reserve derived by differentiating individuals from bite sizes of bamboo fragments in feces.. Data were collected during each of

How To Treat Shima Lipolaser

I hereby authorize Orlando Spinal Aid Center to perform the Shima LipoLaser procedure for the purpose of aesthetic body contouring and girth ( initials )..

Religious Openness to Secularism (ROSE): Effect of Cognitive Style on Defensiveness and Religiosity

experiment, religious individuals who are experimentally induced to favor an analytical cognitive style through a writing task will report reduced belief in God and defensiveness

For a history of my professional and ministerial life, please see below:

From serving as youth pastor at two churches early in my ministry to being appointed over small groups in one of the top 20 fastest growing churches in the nation (First

SmartStruxure Solution. Powered by StruxureWare Building Operation v1.3

IT IP Technology Servers Computers Wiring Closet Routers Switches Phones White Space Management IT Applications Network Management Systems IT / Server Room management

Prime Enrollees Consumer Watch

Prime enrollees FY2018 51 Value is not significantly different than benchmark Prime enrollees FY2019 41 Significantly lower than benchmark (p < .05) Prime enrollees FY2020

[ ] ASTRONOMY AN EASY GUIDE TO EXPLORING THE UNIVERSE GETTING STARTED NORTHERN HEMISPHERE VERSION INCLUDES A MOON MAP AND STAR CHARTS

Turn the chart around so the edge marked with the direction you’re facing is right-reading.. The stars above this horizon on the map now match the stars in front

Evaluation of resistance to Spodoptera frugiperda in sweet and field corn genotypes

The results showed that the sweet corn genotypes, Teea Dulce, MG 161, Doce Flor da Serra, Doce Cubano and Tropical Plus, tend to have antibiosis as resistance mechanism to