Introduction to Mobile Security Testing
Approaches and Examples using OWASP MSTG
OWASP German Day 20.11.2018
Carlos Holguera
$ whoami
Security Engineer working at ESCRYPT GmbH since 2012
Area of expertise:
Mobile & Automotive Security Testing
Security Testing Automation
Carlos Holguera
@grepharder

Index
1 Why?
2 From the Standard to the Guide
3 Vulnerability Analysis
4 Information Gathering
6 Penetration Testing
7 Final Demos
1 Why?
Trustworthy sources?
Right Methodology?
Latest Techniques?
✓ MASVS is the WHAT
✓ MSTG is the HOW
Online videos, articles, trainings ??
2 From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
Read it on GitBook / Open on GitHub
From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
How? MSTG
OS agnostic
From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
Get from GitHub, fork & customize
dep. on target
From the Standard to the Guide
OWASP Mobile Security Testing Guide
Read it on GitBook / Open on GitHub
From the Standard to the Guide
OWASP Mobile Security Testing Guide
MASVS Refs. on each chapter
GitHub Search or clone & grep
3 Vulnerability Analysis
Static Analysis (SAST)
Manual Code Review
grep & line-by-line examination
expert code reviewer proficient in both language and frameworks
Automatic Code Analysis
Speed up the review
Predefined set of rules or industry best practices
False positives! A security professional must always review the results.
Dynamic Analysis (DAST)
Testing and evaluation of apps
Real-time execution
Manual
Automatic
Examples of checks
disclosure of data in transit
authentication and authorization issues
server configuration errors.
Recommendation: SAST + DAST + security professional
Vulnerability Analysis
What to verify & how.
Incl. References to MASVS Requirements
Based on MASVS
*OWASP, Mobile Security Testing Guide, 2018 (0x05d-Testing-Data-Storage.html)
The MSTG Hacking Playground App
Vulnerability Analysis
Demo App
Open on GitHub
Example: Android original source code
Vulnerability Analysis
Manual Code Review
Example: Android decompiled source code
Vulnerability Analysis
Manual Code Review
Example: iOS original source code
*OWASP iGoat, A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)
Vulnerability Analysis
Manual Code Review
Example: iOS disassembled "source code"
Vulnerability Analysis
Automatic Code Analysis
Example: Static Analyzer
must always be evaluated by a professional
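As an added example (not from the slides, the MSTG or the Hacking Playground project), a small rule-based scanner of the kind the Automatic Code Analysis slide describes, run over a constructed snippet shaped like decompiled Android source: it flags hardcoded key material, mode-less or ECB AES, and decrypted data reaching logcat, and tags low-confidence hits for the professional review the slide insists on. The rule names, the sample class and the key-literal heuristic are all assumptions.

```python
import re

# Constructed sample of decompiled Android source for this demo; it is NOT the
# real MSTG Hacking Playground code, only shaped like what a decompiler shows.
SAMPLE_JAVA = """\
package org.example.app;
public class Crypto {
    private static final byte[] KEY = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
    private static final String IV = "0000000000000000";
    static String decryptString(byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        String plain = new String(c.doFinal(ct));
        Log.d("Crypto", "plain=" + plain);
        return plain;
    }
    private static final String KEYBOARD_HINT = "press any key";
}
"""

# Predefined rules: a field whose name contains KEY/SECRET/IV assigned a
# literal, AES without a mode (ECB by default on Android) or with ECB, and
# Log calls that carry decrypted data into logcat.
KEY_FIELD = re.compile(r'(?:byte\[\]|String)\s+\w*(?:KEY|SECRET|IV)\w*\s*=\s*(\{|"[^"]*")')
RULES = [
    ("WEAK_CIPHER_MODE", re.compile(r'Cipher\.getInstance\("AES(?:/ECB/[^"]*)?"\)')),
    ("PLAINTEXT_TO_LOGCAT", re.compile(r"Log\.[vdiwe]\(.*\b(?:plain|decrypt)\w*")),
]
# A byte array or a hex/base64-looking string of >= 16 chars counts as key-like.
KEYLIKE_LITERAL = re.compile(r'^"[A-Za-z0-9+/=]{16,}"$')

def scan(source):
    """Return findings as (line, rule, confidence, text). Confidence 'review'
    marks hits a security professional must confirm or dismiss by hand."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = KEY_FIELD.search(line)
        if m:
            literal = m.group(1)
            conf = "high" if literal == "{" or KEYLIKE_LITERAL.match(literal) else "review"
            findings.append((lineno, "HARDCODED_KEY_MATERIAL", conf, line.strip()))
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, "high", line.strip()))
    return findings

def needs_review(findings):
    """Subset of findings the tool cannot decide on its own (false-positive candidates)."""
    return [f for f in findings if f[2] == "review"]

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print("line %d: %s [%s]: %s" % f)
```

Note that KEYBOARD_HINT matches the key-name rule but is plain UI text: the tool cannot tell, which is exactly why the results still go to a reviewer.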
4 Information Gathering
Information Gathering
Identifies
General Information
Sensitive Information about the OS and its APIs
Evaluates the risk by understanding
Existing Vulnerabilities
Existing Exploits
Information Gathering
*OWASP, Mobile Security Testing Guide, 2018 (0x05a-Platform-Overview.html)
Information Gathering
Example: Open OMTG_DATAST_011_Memory.java and observe the decryptString implementation.
Information Gathering
Let me google … for you
Information Gathering
Got all original crypto code, including crypto params.
5 Penetration Testing
Penetration Testing
Preparation
Coordination with the client
Define scope / focus
Request source code
Release and debug apps
Understand customer worries
Identifying Sensitive Data
at rest: file
in use: address space
in transit: tx to endpoint, IPC
Intelligence Gathering
Environmental info
Goals and intended use (e.g. Flashlight)
What if compromised?
Architectural Info
Runtime protections (jailbreak, emulator..?)
Which OS (old versions?)
Network Security
Secure Storage (what, why, how?)
Penetration Testing
Mapping
Based on all previous information
UNDERSTAND the target
LIST potential vulnerabilities
DRAW sensitive data flow
DESIGN a test plan, use MASVS
Complement with automated scanning and manually exploring the app
Exploitation
Exploit the vulnerabilities identified during the previous phase
Use the MSTG
Find the true positives
Reporting
Essential to the client
Not so fun?
It makes you the bad guy
Security not integrated early enough in the SDLC?
*OWASP, Mobile Security Testing Guide, 2018 (0x04b-Mobile-App-Security-Testing.html)
Penetration Testing
Penetration Testing is conducted in four phases*
*NIST, Technical Guide to Information Security Testing and Assessment, 2008
Penetration Testing
However:
Multiple attack vectors
Multiple steps
Different combinations give different full attack vectors
Penetration Testing
[Flowchart of Android testing paths; nodes:] Download the app; Read the logs; Dex to jar; What do you want?; Inspect the code; The plain text?; get smali; Replicate crypto operations in java; debug; unpack it; Patch smali; hooking; decompile; It's android, be happy!; The plain text ✓; Re-package; Re-sign; Re-install; javac; run; Find stuff: keys, cipherText, classes; Make the app debuggable; google; logcat
Penetration Testing
Demo Spoiler
Penetration Testing
Techniques
decompilation, disassembly, code injection, binary patching, debugging, dynamic binary instrumentation, fuzzing, traffic dump, traffic interception, man-in-the-middle, method tracing, tampering, hooking, root detection
Penetration Testing
One for Android, one for iOS. All happy
*OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)
Penetration Testing
*OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)
Penetration Testing
Example Scenario: Automotive-Mobile Testing
[Diagram: Bluetooth, Mobile Apps, CAN; frames marked ✗ / ✓]
04 FX XX XX XX XF FF
03 2X XX XX XX X5 55
03 2X XX XX XX X5 55
04 FX XX XX XX XF FF
6 Demo 1: Mobile Penetration Testing
Demo 1
App: MSTG-Hacking-Playground (011_MEMORY)
Demo 1
[Flowchart, path taken:] Download the app; Dex to jar; What do you want?; Inspect the code; The plain text?; unpack it; hooking; decompile; It's android, be happy!; The plain text ✓; Find stuff: keys, cipherText, classes; google
6 Demo 2: Mobile Penetration Testing
Demo 2
App: MSTG-Hacking-Playground (001_KEYSTORE)
[Flowchart nodes:] Download the app; Dex to jar; What do you want?; Inspect the code; The crypto keys; get smali; debug; unpack it; Patch smali; hooking; decompile; It's android, be happy!; The crypto keys ✓; Re-package; Re-sign; Re-install; Find stuff: keys, classes; Make the app debuggable; google
Demo 2
[Flowchart, path taken:] Download the app; Dex to jar; What do you want?; Inspect the code; The crypto keys; unpack it; hooking; decompile; It's android, be happy!; The crypto keys ✓; Find stuff: keys, classes; google
Takeaways
✓ Read the MSTG
✓ Use the MASVS
✓ Play with Crackmes
✓ grepharder
✓ Learn
✓ Learn
✓ Contribute!
✓ Have fun :)
References
RTFMSTG
OWASP Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
OWASP iGoat, A Learning Tool for iOS App Pentesting and Security: https://github.com/OWASP/igoat
OWASP MSTG-Hacking-Playground Android App
OWASP MSTG Crackmes
Thank you, any questions?