automated security analysis of android & ios applications with mobile security framework - c0c0n...
TRANSCRIPT
![Page 1: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/1.jpg)
Ajin Abraham
Automated Security Analysis of Android & iOS Applications with Mobile Security Framework
![Page 2: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/2.jpg)
About MeApplication Security Engineer, YodleeAuthor of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework.Co-Organizer of X0RC0NF.Blog about Security: http://opensecurity.in
![Page 3: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/3.jpg)
![Page 4: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/4.jpg)
The Takeaways
A Free and Open Source ToolMobile App Pentesters/Malware Analysts - How to make your life easier.Developers – Build secure mobile Apps by detecting vulnerabilities at earlier stages of development.For the Rest – Some new Information.
![Page 5: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/5.jpg)
WTF is it?Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing static and dynamic security analysis*.
Android iOS
![Page 6: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/6.jpg)
Hosted in your environment. Your application and data is never send to the cloud.
![Page 7: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/7.jpg)
Basic Requirements
iOS
• Python 2.7• Django 1.8• Oracle Java - JDK 1.7+• Oracle VirtualBox• Mac
Android
• Python 2.7• Django 1.8• Oracle Java - JDK
1.7+• Oracle VirtualBox
![Page 8: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/8.jpg)
Static Analyzer
Mobile Security Framework
INPUT OUTPUT
REPORT
![Page 9: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/9.jpg)
Static AnalysisAndroid Binary
INFORMATION GATHERINGDECOMPILE TO JAVA & SMALIPERMISSION ANALYSISMANIFEST ANALYSISJAVA CODE ANALYSISANDROID API INFOFILE ANALYSISURLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTSREPORT GENERATION
![Page 10: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/10.jpg)
Static AnalysisAndroid Source
INFORMATION GATHERINGDECOMPILE TO JAVA & SMALIPERMISSION ANALYSISMANIFEST ANALYSISJAVA CODE ANALYSISANDROID API INFOFILE ANALYSISURLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTSREPORT GENERATION
![Page 11: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/11.jpg)
DEMOStatic Analysis of APKStatic Analysis of Zipped Source Code
![Page 12: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/12.jpg)
Static AnalysisiOS - Binary
BASIC INFORMATIONBINARY ANALYSISFILE ANALYSISLIBRARIESREPORT GENERATION
iOS - SourceBASIC INFORMATIONCODE ANALYSISiOS API INFORMATIONFILE ANALYSISURL, EMAIL, FILES, LIBRARIESREPORT GENERATION
![Page 13: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/13.jpg)
DEMOStatic Analysis of IPA BinaryStatic Analysis of Zipped Source Code
![Page 14: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/14.jpg)
Dynamic Analyzer
Mobile Security Framework
INPUT
Android VMREPORT
OUTPUT
![Page 15: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/15.jpg)
Dynamic Analyzer - Architecture
Dynamic Analyzer
AGENTS
Install and Run APK
HTTP(S) Proxy
Invoke Agents in VM
Results
HTTP(S) Traffic
Android VM
Application Data
Agent Collected Information
Start HTTP(S) Web Proxy
![Page 16: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/16.jpg)
Dynamic AnalysisSCREENSHOTCAPTURE HTTP(S) TRAFFICLOGCAT and DUMPSYSDYNAMIC API MONITORDYNAMIC URLS and EMAILS MONITORAPPLICATION DATA DUMPERFILE ANALYSIS ON APPLICATION DATAREPORT GENERATIONUNDER DEVELOPMENT
![Page 17: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/17.jpg)
DEMODynamic Analysis of Android Application
![Page 18: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/18.jpg)
Some Real World ResultsMobile Security Framework – Bypassing PIN in Whisper Android Application - http://opensecurity.in/mobile-security-framework-bypassing-pin-in-whisper-android-application/AppLock MITM Password Reset Vulnerability - http://opensecurity.in/applock-mitm-password-reset-vulnerability/
![Page 19: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/19.jpg)
AppLock MITM Password Reset Vulnerability DEMO
![Page 20: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/20.jpg)
ANDROID MALWARE ANALYSIS DEMO
![Page 21: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/21.jpg)
Future PlansLooks like people are interested!
![Page 22: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/22.jpg)
In Aplha DevWeb Service Testing/REST API testing for Hybrid Applications.Dynamic Analysis Support for Real Android and iOS Devices. Anti VM/Sandbox Detection Bypass.IDOR and Cross Talk Detection support in Proxy.Better Front End.DB Support.Scheduled Scans.
![Page 23: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/23.jpg)
What you can do?Download, Test, ContributeSource: https://github.com/ajinabraham/YSO-Mobile-Security-FrameworkIssues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues
![Page 24: Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015](https://reader030.vdocuments.site/reader030/viewer/2022021422/587058d71a28aba2118b6007/html5/thumbnails/24.jpg)
QA
@[email protected]://opensecurity.in
Thanks• Bharadwaj Machiraju• Anto Joseph• Tim Brown• Thomas Abraham• Graphics/Image Owners