Alexander Subbotin OWASP Bucharest AppSec 2018
May 8 2018 Tales of Practical Android Penetration Testing ... 95 % of time we are using the same (few) tools ... Drozer (android app analysis).
Tales of Practical Android Penetration Testing
(Mobile Pentest Toolkit)
Alexander Subbotin
OWASP Bucharest AppSec 2018

About Me
IT Security Consultant (https://subbotin.de)
Penetration Tester/Ethical Hacker with 5 years experience
Working for enterprise (banking industry, telecommunication companies, wholesale, etc.)
Trainer for Android and Web Pentesting
Author and Maintainer of Awesome Pentest Cheatsheets project
Bug Hunter
Yahoo on HackerOne https://hackerone.com/coreb1t

Setup Pentest Environment
Requirements:
Kali-like distribution for mobile penetration testing
Updates for most used tools
Extensibility

Setup Pentest Environment - Current status

Distribution     Notes                                             Last Update
MobiSec          Last update 3 years ago                           3 years ago
Santoku          Based on Ubuntu 14.04
Vezir Project    Based on Ubuntu 15.04                             2,5 years ago
Appie            For Windows only                                  2018-05-08
Android Tamer    Manually updated to last versions of
                 platform-tools, Android SDK, Android Studio
                 and much more

Do we really need to use a separate environment/VM?
95 % of time we are using the same (few) tools:
adb
Java Decompiler
Tools for static analysis
Tools for dynamic analysis
Debugger
Tools allowing runtime modification

That is how the idea for Mobile-Pentest-Toolkit (MPT) was born.
For each category of tools use just one tool.

apktool, signapk, pidcat, abe
Can you remember all the command line parameters for the mentioned tools?
Example:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore
You have to specify what to do and not how.
MPT provides a simple interface to your tooling related to android security testing.

Setup Pentest Environment - Tools
MPT implements a simple package manager
Currently supported: git, http, and zip installation

Setup Pentest Environment - Device
Install Pentest tools:
Xposed Framework
Drozer
JustTrustMe (Xposed plugin)
Inspeckage (Xposed plugin)

Setup Pentest Environment - Pentest
Install the app
Create configuration
Allows using MPT from everywhere

Starting your favorite tools
jd-gui (source code review)
Drozer (android app analysis)
MobSF (static analysis)
frida

OWASP testing methodology - Insecure Data Storage
adb logcat
Is the output really readable?
Solution: use pidcat
colored output for only one process

Backup Option
Compare two states of application
Using the --backup option, create 2 backups for different states
after login the /data/data/

Other challenges
Dynamic analysis
Dynamic instrumentation and runtime hooking (Frida)
Root Detection Bypass
SSL Pinning Bypass
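
The two-backup comparison from the Insecure Data Storage slides above, as an added example (not code from MPT or the talk): it hashes every file in two already-unpacked backup directories and lists what was added, removed or changed between the two states. The function names, directory names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_states(before_dir, after_dir):
    """Return files added, removed and changed between two unpacked backups."""
    before, after = snapshot(before_dir), snapshot(after_dir)
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def write_tree(root, files):
    """Demo helper: create files (relative path -> bytes) under root."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Constructed sample data standing in for two unpacked app backups."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp) / "before_login", Path(tmp) / "after_login"
        write_tree(before, {
            "shared_prefs/settings.xml": b"<map><boolean name='first_run' value='true'/></map>",
            "databases/app.db": b"empty-db",
            "cache/splash.tmp": b"x",
        })
        write_tree(after, {
            "shared_prefs/settings.xml": b"<map><boolean name='first_run' value='false'/></map>",
            "shared_prefs/session.xml": b"<map><string name='token'>CONSTRUCTED</string></map>",
            "databases/app.db": b"empty-db",
        })
        return diff_states(before, after)


if __name__ == "__main__":
    print(demo())
```

Files that appear or change only after login are the ones to open first when checking what the app persists about the session.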

Dynamic analysis - Inspeckage

Dynamic instrumentation and runtime hooking (Frida)
Download a proper Frida version and execute Frida on the device (--frida option)
Use frida to hook cryptographic functions

Root Detection Bypass
Disable root detection at runtime using frida

SSL Pinning Bypass

Other helpful tools
Objection - a runtime mobile exploration toolkit, powered by Frida, working on non-rooted and non-jailbroken devices. https://github.com/sensepost/objection
AppMon - automated framework for monitoring and tampering system API calls of native iOS and android apps. https://github.com/dpnishant/appmon
House - runtime mobile application analysis toolkit with a Web GUI, powered by Frida. https://github.com/nccgroup/house

MPT - Overview
Setup Pentest Environment
Tools
Device
Config
Simple Interface to interact with pentest tools
Allows performing static and dynamic analysis
Support to bypass SSL certificate pinning and root detection
Supports zsh autocompletion

Further Ideas
Automatically rebuild apk with backup and debug flags enabled (in progress)
Automatically generate PoCs for sending broadcast messages and start activities and services (in progress)
Integrate file explorer for files on the devices
Generate Frida hooks for selected code (method) on the fly
Implement anti-debugging bypass (in progress)

Thank you for your attention!
Alexander Subbotin
@coreb1t