Mobile Application Security Testing

Related documents indexed on this page:

Mobile Application Security Testing: It is imperative that user data and company data ...
QBurst: Due to its popularity, Android is more prone to attacks. Objective: this white paper elucidates the necessity of security testing mobile applications.
Mobile Application Security Testing: ... security testing approach will cover all the possible threats and attack vectors that affect the mobile app landscape. OUR UNDERSTANDING: Mobile devices ...
OWASP Mobile Application Security Verification Standard: The MASVS is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android.
Android Mobile Application Pentesting (29 Apr 2018): OWASP Mobile Top 10 vulnerabilities. The first step in Android mobile application penetration testing is to try to reverse engineer the application ...
MOBILE APPLICATION SECURITY WITH OPEN-SOURCE TOOLS: Instances of web-application security issues which lead to breaches. Setting up a mobile testing lab ... SecureCodingGuide.pdf. Static analysis.
Mobile Application Security Testing: Why mobile security? Purpose of decompiling mobile applications? Methodology of decompilation. Live demos: Windows Phone app, Android app.
Mobile Application Security Testing: ... property is secured and handled properly on all mobile apps. Hence mobile app security testing is critical to meeting today's security threats.
Mobile Application Security (EECS 710, Fall 2012): Himanshu Dwivedi, Chris Clark, David Thiel. Presented by Bharath Padmanabhan.
[PDF] Mobile Application Security Testing: What are the tools which can be used to decompile? Can decompilation be done on all platforms? 1. Windows Phone / Windows Mobile? 2. Android? 3. ...
[PDF] Mobile Application Security Testing (Mphasis): These facts and figures clearly state that mobile applications should be subjected to periodic scans to identify vulnerabilities and subsequent fixing methods ...
[PDF] Mobile Application Security Testing (Deloitte): Our comprehensive mobile security testing approach will cover all the possible threats and attack vectors that affect the mobile app landscape. Typical ...
[PDF] Automated Security Testing of Android Applications for Secure ...: ... Guide [8], which is a comprehensive manual for mobile application security testing and reverse engineering devoted to the iOS and Android mobile platforms.
[PDF] The Challenges of Testing Mobile Applications (Bright Security): Mobile application security testing helps pinpoint weaknesses in an application's code, logic and behavior to minimize the likelihood of breaches, theft and abuse.
[PDF] MOBILE APPLICATION PENETRATION TESTING: Native mobile apps are apk (Android), ipa (iOS) or app (Windows) files that contain all the ...
[PDF] Fortify on Demand Mobile Application Security Testing (Micro Focus): Protect mobile applications throughout the software development lifecycle. Organizations are faced with rapidly expanding application portfolios both in ...
Mobile Application Security Penetration Testing Based on OWASP: Testing of unsafe data storage is done in many ways, namely by testing the security of internal storage, external storage, content service providers, log files ...
[PDF] MOBILE APPLICATION SECURITY WITH OPEN-SOURCE TOOLS: Decentralized security ownership in application development. Setting up a mobile testing lab. To find storage of credentials in PList files or ...
What is mobile application security testing?
Mobile application security testing involves testing a mobile app in ways that a malicious user would try to attack it. Effective security testing begins with an understanding of the application's business purpose and the types of data it handles.

How is security testing done in a mobile application?
Use SAST, DAST and IAST techniques. Tools such as Klocwork and Checkmarx are useful for achieving SAST. Dynamic application security testing (DAST) focuses on a running app: DAST scans apps to check for any loopholes that may lead to security risks.

Which are the 11 effective mobile application testing strategies?
Top mobile app testing strategies: QA involvement with business and product teams earlier in development; OS testing and support; device testing; network connectivity testing; battery testing; security testing; automated testing; progressive rollout strategies.

Step-by-step mobile application testing process:
1. Preparation and strategy formulation
2. Identification of essential testing types
3. Design of test scripts and test cases
4. Setup of the testing environment
5. Manual testing and automated testing
6. Usability and user interface testing
7. Compatibility testing
Cracking the Code of Mobile Application
Sreenarayan A, Paladion Mobile Security Team
Take Away for the day
Why Mobile Security?
Purpose of Decompiling Mobile Applications?!
Methodology of Decompilation
Windows Phone App
Android App
iOS (iPhone / iPad) App
Blackberry Apps / Nokia App [Jar Files]
Blackberry Apps [COD Files]
Why is security relevant for the Mobile Platform?
400% increase in the number of organizations developing mobile-platform-based applications.
300% increase in the number of mobile banking applications.
500% increase in the number of people using mobile phones for their day-to-day transactions.
82% chance of end users not using their mobile phones with proper caution.
79% chance of mobile phone users jailbreaking their phones.
65% chance of mobile phone users not installing anti-virus on their mobile phones.
71% chance of any application getting misused.
57% chance of a user losing his sensitive credentials to a hacker.
Market Statistics of Mobile Users
Mobile Market Trends
Different Types of Mobile Applications
Mobile Browser based Mobile Applications
Native Mobile Applications
Hybrid Mobile Applications
Different Types of Mobile Architecture
Browser App
Hybrid App
Why did we learn the above types?
Which applications can be Decompiled?
Browser based Mobile Applications ?
Native Mobile Applications ?
Hybrid Mobile Applications ?
We have to get to know of the basics!
Cracking the Mobile Application Code
What do you mean by Decompilation? -> What is Compilation?
What do you mean by Reverse Engineering?
Questions to be answered ahead:
What are the goals/purpose of Cracking the code?
What is the methodology of Decompilation?
What are the tools which can be used to Decompile?
Can Decompilation be done on all platforms?
1. WINDOWS PHONE / WINDOWS MOBILE?
2. ANDROID?
3. iPHONE / iPAD?
4. BLACKBERRY?
5. NOKIA?
Goal of Cracking the Mobile Application Code
Goals of Cracking the Source Code
"Understand the working of the application and figure out the loopholes!"
To find treasure keywords like: password, keys, sql, algo, AES, DES, Base64, etc.
Figure out the algorithms used and their keys.
Bypassing the client-side checks by rebuilding the app.
E.g. Password in a banking application (sensitive information)
E.g. Angry Birds malware (stealing data)
E.g. Zitmo malware (sending SMS)
We have understood the goals; how to achieve them? Methodology.
Methodology of Cracking
Methodology / Study
Step 1: Gaining access to the executable (.apk / .xap / .jar / .cod / .jad ...)
Step 2: Understanding the technology used to code the application.
Step 3: Finding out ways to derive the object code from the executable.
Step 4: Figuring out a way to derive the class files from the object code.
Step 5: Figuring out a way to derive the function definitions from the object code.
Let us understand the methodology on all platforms.
Demo - Reverse Engineer the Windows Phone Application
Tools used:
- De-compressor (WinRAR / WinZip / 7-Zip)
- .NET decompiler (ILSpy)
- Visual Studio / Notepad
Steps:
1. .xap -> .dll
2. .dll -> .csproject
Demo Mitigation
1. Free obfuscator (difficult to read): http://confuser.codeplex.com/
2. Dotfuscator (program flow): Link
Demo - Reverse Engineer the Android Application
Tools used:
- De-compressor (WinRAR / WinZip / 7-Zip)
- Dex2jar tool (command line)
- Java decompiler / jar decompiler (JD-GUI, etc.)
Steps:
1. .apk -> .dex
2. .dex -> .jar
3. .jar -> .java
Demo Mitigation
1. Obfuscation free tool: http://proguard.sourceforge.net/
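Once an APK has been taken through the .apk -> .dex -> .jar -> .java steps above, the "treasure keywords" listed on the goals slide can be searched for mechanically, and a developer can run that same search against their own release build before shipping it. The script below is an added example, not code from the slides or from Paladion: it walks a tree of decompiled sources, reports every line that hits one of the slide's keywords, and separately flags string literals assigned to credential-named variables as probable hard-coded secrets. The keyword list is the slide's; the credential-name patterns, the package name `com.example.bank` and the two sample source files are constructed for the demo.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Keywords taken from the "treasure keywords" slide; "algo" is treated as a
# prefix so that "algorithm" also matches. Look-arounds instead of \b so that
# "ADMIN_PASSWORD" and "AES_KEY" are hit while "description" is not.
TREASURE_KEYWORDS = ["password", "keys?", "sql", r"algo\w*", "AES", "DES", "Base64"]
KEYWORD_RE = re.compile(
    r"(?<![A-Za-z])(?:" + "|".join(TREASURE_KEYWORDS) + r")(?![A-Za-z])",
    re.IGNORECASE,
)

# Assumption (not from the slides): a string literal assigned to a variable
# whose name contains a credential word is the strongest sign of a hard-coded
# secret, so it is reported at a higher severity than a bare keyword hit.
HARDCODED_RE = re.compile(
    r'\b\w*(?:password|passwd|secret|key|token)\w*\s*=\s*"([^"]{4,})"',
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    line: int
    severity: str  # "high" = probable hard-coded secret, "review" = keyword hit
    text: str


def scan_source(path: str, text: str) -> list:
    """Return one Finding per line of decompiled source that deserves a look."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if HARDCODED_RE.search(line):
            findings.append(Finding(path, number, "high", line.strip()))
        elif KEYWORD_RE.search(line):
            findings.append(Finding(path, number, "review", line.strip()))
    return findings


def scan_tree(root: str, exts=(".java", ".smali", ".cs", ".xml")) -> list:
    """Walk a decompiled tree (e.g. JD-GUI or dex2jar output) and scan each file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(os.path.relpath(path, root), fh.read()))
    return findings


# Constructed sample of what a decompiler emits for a release build; the files,
# the package name and the secrets in them are made up for this demo.
SAMPLE_FILES = {
    "com/example/bank/LoginActivity.java": (
        "package com.example.bank;\n"
        "public class LoginActivity {\n"
        "    // constructed: a hard-coded credential left in a release build\n"
        "    private static final String ADMIN_PASSWORD = \"letmein123\";\n"
        "    private static final String AES_KEY = \"0123456789abcdef\";\n"
        "    public boolean check(String input) {\n"
        "        return input.equals(ADMIN_PASSWORD);\n"
        "    }\n"
        "}\n"
    ),
    "com/example/bank/Crypto.java": (
        "package com.example.bank;\n"
        "import android.util.Base64;\n"
        "public class Crypto {\n"
        "    // constructed: cipher mode worth a look, but no credential embedded\n"
        "    static final String ALGO = \"AES/CBC/PKCS5Padding\";\n"
        "    public String describe() { return \"the description\"; }\n"
        "}\n"
    ),
}


def scan_samples() -> list:
    """Write the constructed sample tree to a temp dir and scan it with scan_tree."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    # High-severity hits first, then by file and line.
    for f in sorted(scan_samples(), key=lambda f: (f.severity != "high", f.path, f.line)):
        print(f"[{f.severity:6}] {f.path}:{f.line}: {f.text}")
```

Against the sample tree this reports the two hard-coded literals in `LoginActivity.java` as high and three keyword lines (the `Base64` import, the `ALGO` constant and the `ADMIN_PASSWORD` comparison) for review, while leaving `describe()` alone. A keyword hit is only a pointer for manual review; the ProGuard mitigation on the slide renames identifiers but does not remove string literals, so a hard-coded secret survives obfuscation and has to be moved out of the build.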
Demo - Reverse Engineer the Blackberry Application
Tools used:
- JD-GUI (Java decompiler)
- Notepad
There are two types of application files found in Blackberry:
1. .jar (.jad -> .jar)
2. .cod (.jad -> .cod, Blackberry code files)
Steps:
1. .jar -> .java (JD-GUI) -> Notepad
Or:
1. .cod -> codec tool -> Notepad
Demo Mitigation
1. Obfuscation free tool: http://proguard.sourceforge.net/
Demo - Reverse Engineer the iOS Application
Tools used:
- iExplorer
- Windows Explorer
- otool
- class-dump-z
Steps:
1. .app -> Garbage (object code) (DVM)
2. Object code -> class definitions
Demo limitations: Apple changes the IDE every release, leading to challenges.
Mitigation
1. Obfuscation free tool: http://proguard.sourceforge.net/
Palisade Articles
iOS vs Android Testing
Mobile Data Encryption
Mobile Application Security Testing
Demystifying the Android Malware