
Introduction to Mobile Security Testing
Approaches and Examples using OWASP MSTG

OWASP German Day, 20.11.2018
Carlos Holguera

$ whoami

• Security Engineer working at ESCRYPT GmbH since 2012
• Area of expertise: Mobile & Automotive Security Testing, Security Testing Automation

Carlos Holguera, @grepharder

Index

1 Why?
2 From the Standard to the Guide
3 Vulnerability Analysis
4 Information Gathering
5 Penetration Testing
6 Final Demos

1 Why?

• Trustworthy sources?
• Right Methodology?
• Latest Techniques?

Online videos, articles, trainings ??

✓ MASVS is the WHAT
✓ MSTG is the HOW

2 From the Standard to the Guide

OWASP Mobile Application Security Verification Standard (MASVS)
• Read it on GitBook, or open it on GitHub
• The WHAT: OS agnostic security requirements
• Get it from GitHub, fork & customize depending on the target

How? The MSTG.

OWASP Mobile Security Testing Guide (MSTG)
• Read it on GitBook, or open it on GitHub
• The HOW: MASVS references on each chapter
• To find the tests for a requirement: GitHub search, or clone & grep

3 Vulnerability Analysis

Static Analysis (SAST)

Manual Code Review
• grep & line-by-line examination
• expert code reviewer proficient in both language and frameworks

Automatic Code Analysis
• Speed up the review
• Predefined set of rules or industry best practices
• False positives! A security professional must always review the results.

Dynamic Analysis (DAST)

Testing and evaluation of apps
• Real-time execution
• Manual
• Automatic

Examples of checks
• disclosure of data in transit
• authentication and authorization issues
• server configuration errors

Recommendation: SAST + DAST + security professional

Vulnerability Analysis: what to verify & how

The MSTG test cases are based on the MASVS and include references to the MASVS requirements.
*OWASP, Mobile Security Testing Guide, 2018 (0x05d-Testing-Data-Storage.html)

Demo App: the MSTG Hacking Playground App (open on GitHub)

Manual Code Review, examples:
• Android original source code
• Android decompiled source code
• iOS original source code
  *OWASP iGoat, A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)
• iOS disassembled "source code"

Automatic Code Analysis, example: Static Analyzer. Its results must always be evaluated by a professional.
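The "false positives, a professional must review the results" point of the SAST slides, and the Static Analyzer example above, illustrated by an added example that is not part of the talk or of the MSTG: a minimal rule-based scanner in JavaScript run over a constructed snippet of decompiled Android Java. The rules, the class name DemoCrypto and the sample source are assumptions made up for this illustration; the scanner deliberately flags one harmless log line ("keyboard visible") to show why every hit still needs a reviewer's verdict.

```javascript
// Added example (not from the talk or the MSTG): a minimal rule-based static
// scanner of the kind an "Automatic Code Analysis" step runs over decompiled
// Android sources. Rules and sample source are constructed for illustration.

const RULES = [
  { id: "ECB_MODE", severity: "high",
    re: /Cipher\.getInstance\(\s*"[^"]*\/ECB\/[^"]*"\s*\)/,
    why: "ECB mode leaks plaintext structure" },
  { id: "HARDCODED_KEY", severity: "high",
    re: /new\s+SecretKeySpec\(\s*(?:"[^"]+"\.getBytes\(|new\s+byte\[\]\s*\{)/,
    why: "key material embedded in the APK; anyone with the APK has the key" },
  { id: "SENSITIVE_LOG", severity: "medium",
    re: /Log\.[vdiwe]\([^;]*(?:password|passwd|token|secret|key)[^;]*\)/i,
    why: "possible sensitive data written to logcat" },
  { id: "WORLD_READABLE", severity: "medium",
    re: /MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE/,
    why: "file shared with every app on the device" },
];

// Scans one source file line by line; every hit starts out as "unreviewed".
function scanSource(fileName, source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ file: fileName, line: idx + 1, rule: rule.id,
                        severity: rule.severity, why: rule.why,
                        snippet: text.trim(), verdict: "unreviewed" });
      }
    }
  });
  return findings;
}

// The professional's step: a reviewer marks each hit as true or false positive.
function review(findings, verdicts) {
  return findings.map(f => ({ ...f, verdict: verdicts[`${f.rule}@${f.line}`] || "unreviewed" }));
}

function summarize(findings) {
  const out = { total: findings.length, truePositives: 0, falsePositives: 0, unreviewed: 0 };
  for (const f of findings) {
    if (f.verdict === "true-positive") out.truePositives++;
    else if (f.verdict === "false-positive") out.falsePositives++;
    else out.unreviewed++;
  }
  return out;
}

// Constructed stand-in for a decompiled class (not the Hacking Playground's code).
const SAMPLE_DECOMPILED_JAVA = `public class DemoCrypto {
    public static String decryptString(String b64) throws Exception {
        SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k);
        String plain = new String(c.doFinal(Base64.decode(b64, 0)), "UTF-8");
        Log.d("DemoCrypto", "decrypted secret: " + plain);
        return plain;
    }
    public void onResume(boolean visible) {
        Log.d("DemoUI", "keyboard visible: " + visible);
    }
}`;

function runDemo() {
  const raw = scanSource("DemoCrypto.java", SAMPLE_DECOMPILED_JAVA);
  // Line 11 matches SENSITIVE_LOG only because "keyboard" contains "key":
  // the rule cannot tell the difference, the reviewer can.
  const reviewed = review(raw, {
    "HARDCODED_KEY@3": "true-positive",
    "ECB_MODE@4": "true-positive",
    "SENSITIVE_LOG@7": "true-positive",
    "SENSITIVE_LOG@11": "false-positive",
  });
  return { findings: reviewed, summary: summarize(reviewed) };
}
```

runDemo() returns four raw hits; three survive review and one is dismissed. The rules are pattern matches on single lines, so they miss anything split across lines or built at runtime, which is the other half of the argument for keeping the manual, line-by-line review in the loop.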

4 Information Gathering

Identifies
• General Information
• Sensitive Information
about the OS and its APIs

Evaluates the risk by understanding
• Existing Vulnerabilities
• Existing Exploits

*OWASP, Mobile Security Testing Guide, 2018 (0x05a-Platform-Overview.html)

Example: open OMTG_DATAST_011_Memory.java and observe the decryptString implementation.

Let me google that for you…

Got all the original crypto code, including the crypto parameters.

5 Penetration Testing

Preparation

Coordination with the client
• Define scope / focus
• Request source code
• Release and debug apps
• Understand customer worries

Identifying Sensitive Data
• at rest: file
• in use: address space
• in transit: tx to endpoint, IPC

Intelligence Gathering

Environmental info
• Goals and intended use (e.g. Flashlight)
• What if compromised?

Architectural info
• Runtime protections (jailbreak, emulator..?)
• Which OS (old versions?)
• Network Security
• Secure Storage (what, why, how?)

Mapping

Based on all previous information
• UNDERSTAND the target
• LIST potential vulnerabilities
• DRAW sensitive data flow
• DESIGN a test plan, use MASVS
Complement with automated scanning and manually exploring the app

Exploitation
• Exploit the vulnerabilities identified during the previous phase
• Use the MSTG
• Find the true positives

Reporting
• Essential to the client
• Not so fun?
• It makes you the bad guy
• Security not integrated early enough in the SDLC?

*OWASP, Mobile Security Testing Guide, 2018 (0x04b-Mobile-App-Security-Testing.html)

Penetration Testing is conducted in four phases*
*NIST, Technical Guide to Information Security Testing and Assessment, 2008

However:
→ Multiple attack vectors
→ Multiple steps
→ Different combinations give different full attack vectors

Attack paths for an Android app (flowchart). Start: Download the app. What do you want? The plain text?

• Static route: unpack it → Dex to jar → decompile (or get smali) → Inspect the code → Find stuff: keys, cipherText, classes → google → Replicate crypto operations in Java (javac, run) → The plain text ✓
• Tampering route: Patch smali, Make the app debuggable → Re-package → Re-sign → Re-install → debug
• Runtime route: hooking; Read the logs (logcat)

It's Android, be happy!

Demo Spoiler

Techniques
decompilation, disassembly, code injection, binary patching, debugging, dynamic binary instrumentation, fuzzing, traffic dump, traffic interception, man-in-the-middle, method tracing, tampering, hooking, root detection

One chapter for Android, one for iOS. All happy.
*OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

Example Scenario: Automotive-Mobile Testing

[Diagram: Mobile Apps ↔ Bluetooth ↔ CAN bus, with sample CAN frames (bytes redacted as X):]
04 FX XX XX XX XF FF
03 2X XX XX XX X5 55
03 2X XX XX XX X5 55
04 FX XX XX XX XF FF

6 Demo 1: Mobile Penetration Testing

App: MSTG-Hacking-Playground (011_MEMORY)

What do you want? The plain text.

Path taken in the demo (out of the flowchart above): Download the app → unpack it → Dex to jar → decompile → Inspect the code → Find stuff: keys, cipherText, classes → google → hooking → The plain text ✓

It's Android, be happy!

6 Demo 2: Mobile Penetration Testing

App: MSTG-Hacking-Playground (001_KEYSTORE)

What do you want? The crypto keys.

Path taken in the demo: Download the app → unpack it → Dex to jar → decompile → Inspect the code → Find stuff: keys, classes → google → hooking → The crypto keys ✓

Alternative branch in the flowchart: get smali → Patch smali, Make the app debuggable → Re-package → Re-sign → Re-install → debug.

It's Android, be happy!
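The "hooking" step that closes Demo 2, as an added example: a Frida script (JavaScript, the language Frida hooks are written in) that intercepts key material at runtime whenever the app constructs a javax.crypto.spec.SecretKeySpec or calls Cipher.init, instead of reading the key out of the decompiled code. This is not the talk's demo script and not from the MSTG; the class and method names are the standard Android/javax.crypto ones, while the target package name in the usage comment and the log line format are assumptions of this example. The two helper functions run anywhere; the hooks only install when the script runs inside Frida's Java bridge.

```javascript
// Added example (not the talk's demo script, not from the MSTG): Frida hooks
// that dump key material as the app uses it. Usage on a device running
// frida-server, with an assumed package name:
//   frida -U -f org.example.keystoredemo -l dump_keys.js
// (older Frida versions pause the spawned app; resume it with %resume)

function bytesToHex(bytes) {
  // Works for a Java byte[] (signed, -128..127) as well as plain JS arrays.
  let out = "";
  for (let i = 0; i < bytes.length; i++) {
    out += ((bytes[i] & 0xff) | 0x100).toString(16).slice(1);
  }
  return out;
}

function describeCipherInit(mode, algorithm) {
  // javax.crypto.Cipher: ENCRYPT_MODE == 1, DECRYPT_MODE == 2
  const m = mode === 1 ? "ENCRYPT" : mode === 2 ? "DECRYPT" : "mode " + mode;
  return "[Cipher.init] " + m + " " + algorithm;
}

function installKeyHooks() {
  Java.perform(function () {
    const SecretKeySpec = Java.use("javax.crypto.spec.SecretKeySpec");
    const Cipher = Java.use("javax.crypto.Cipher");

    // Both constructors take the raw key bytes as first and the algorithm
    // name as last argument, so one implementation covers every overload.
    SecretKeySpec.$init.overloads.forEach(function (ctor) {
      ctor.implementation = function () {
        const keyBytes = arguments[0];                 // Java byte[]
        const algo = arguments[arguments.length - 1];  // e.g. "AES"
        console.log("[SecretKeySpec] " + algo + " key=" + bytesToHex(keyBytes));
        return ctor.apply(this, arguments);
      };
    });

    // Cipher.init(opmode, key, ...) sees every key the app actually uses,
    // including ones that never pass through SecretKeySpec.
    Cipher.init.overloads.forEach(function (init) {
      init.implementation = function () {
        console.log(describeCipherInit(arguments[0], this.getAlgorithm()));
        const key = arguments[1];   // java.security.Key (or a Certificate)
        if (key && key.getEncoded) {
          // AndroidKeyStore-backed keys are not exportable: getEncoded()
          // returns null, and the hook has to move to the data instead
          // (e.g. the arguments of Cipher.doFinal).
          const enc = key.getEncoded();
          console.log("  getEncoded() = " + (enc === null ? "null (keystore-backed)" : bytesToHex(enc)));
        }
        return init.apply(this, arguments);
      };
    });
  });
}

// Only install the hooks when running under Frida with a Java VM attached;
// outside Frida (e.g. plain Node) the helpers above are still usable.
if (typeof Java !== "undefined" && Java.available) {
  installKeyHooks();
}
```

Hooking the constructor catches keys built from bytes found in the code or derived at runtime; hooking Cipher.init additionally reveals which mode and transformation the app uses and whether the key is exportable at all, which is the difference between a hard-coded key and one kept in the Android KeyStore.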

Takeaways

✓ Read the MSTG
✓ Use the MASVS
✓ Play with Crackmes
✓ grepharder
✓ Learn
✓ Learn
✓ Contribute!
✓ Have fun :)

References (RTFMSTG)

• OWASP Mobile Security Testing Guide: https://github.com/OWASP/owasp-mstg
• OWASP Mobile Application Security Verification Standard: https://github.com/OWASP/owasp-masvs
• OWASP iGoat, A Learning Tool for iOS App Pentesting and Security: https://github.com/OWASP/igoat
• OWASP MSTG-Hacking-Playground Android App
• OWASP MSTG Crackmes

Thank you, any questions?