SlideShare a Scribd company logo

Untitled 1

Download as PPTX, PDF
Sergey Kochergan
Sergey Kochergan
Technology
1 of 27
Security Testing of Mobile Applications (Android - BlackBerry - iOS)
Introduction to Android Security & AppUse Mobile application threat model - What makes mobile application security so different? • The Android linux OS security • The Dalvik VM • The Android security mechanisms • Application file system isolation • The permission model • Least privilege model • Database isolation • The Android emulator VS. physical device • The AppUse VM ("Android Pen-test Platform Unified Standalone Environment") • The Android Debug Bridge (ADB) • The logcat interface
Traffic Analysis and Manipulation • Intro to server side attacks - SQL injection, XSS • Insecure remote Authentication - client id, IMEI, etc. • Insecure session management • authorization • Traffic interception • Using proxies and sniffers • Importing SSL certificates & trusted CA's • Sensitive information transmission • Bypassing server certificate validations • Exposing insecure traffic
Insecure data K11storage • Exploring deployed application files at the /data/data directory • The file system security model • Insecure file system permissions • Insecure storage of sensitive data in files • The SDcard • The SQLite Database storage • Using sqlite browser • Application shared preferences storage • Storage of sensitive data at the server side • Secrets in code • Insecure log exposure • Bad cryptography
Reverse engineering the application binaries • The APK file package • APK extraction - Investigating layout, manifest, permissions and binaries • Extracting the content of the classes.dex file • Using smali/baksmali Dalvik assembler/disassembler • Using jasmin/jasper JVM assembler/disassembler • Decompilation • Using dex2jar • Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc • Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access, geo-location, address book, client xss and html injection, etc. • Finding hard coded secrets in code • Using Android Lint • Code patching and modification • Recreating and resigning the modified APK
Android application components security • Major component types - Activity, Service, Content provider, Broadcast receiver • The Intent message • Components and the manifest file • Using manifest explorer • Component permissions and visibility • Activating components • Accessing restricted screens • Attacking content providers and client side sql injection • Direct component invocation by unauthorized apps
Analyzing Runtime Analysis • Monitoring process activity • Observing file access • Monitoring network connectivity • Debugging • Setting breakpoints • Memory dumping and analysis • Analyzing logs using logcat
Android Platform Security Architecture Android seeks to be the most secure and usable operating system for mobile platforms by re-purpo  Protect user data  Protect system resources (including the network)  Provide application isolation To achieve these objectives, Android provides these key security features:  Robust security at the OS level through the Linux kernel  Mandatory application sandbox for all applications  Secure interprocess communication  Application signing  Application-defined and user-granted permissions The sections below describe these and other security features of the Android platform. Figure 1 summarizes the security components and considera
New Android's Feature will Regularly Scan Your Apps Recently Google has officially announced to increase the security of Android users by adding a new feature to android which will regularly scan all the The new feature by Google would be a part of Verify Apps feature which is already protecting android users from harmful apps installed by third party The feature will scan for spywares , malwares , sending unauthorized messages and in-app installations for changes in app activity after it is installed
The first comprehensive guide to discovering and preventing attacks on the Android OS As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written b If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you w A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulne Covers Android application building blocks and security as well as debugging and auditing Android apps Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against a Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
IT Policy: -Primary policy for all protection mechanisms Access to Network/Resources/Settings Prohibited and Mandatory installations of apps Controlling third-party Java application permissions -Per-Handset + Global Policy stored on BES -Initial Policy is signed by master key at pairing Stored in NV RAM Future updates OTA must be signed by master key
Application Controls: - All applications run in the JVM - IT Policy controls how the applications interact -Developed with the user and company in mind Most restrictive overlap - I9 application control policy categories Cross Application Control -Hardware -Network domnains -PIM data/ applications -Inter-application communication -Browser -User Autherntication and Settings -Input Simulation -MDS
Code signing - Core BB applications must be RIM Signed - Class files verified for interface compliance - No user-defined class loaders -No Java Native Interface or user extensions -System classes cannot be overridden
Data Security -Java RMS offers various forms of crypto -Keys must be explicitly shared by apps -PIM protected by Blackberry Attachment Service Renders and decrypts data on the BES Sends rasterized information to display Avoids image exploits Manages PGP on BES
The iOS Security Model Apple has incorporated four layers of security in iOS to protect the user and their data. Device Security Techniques to prevent an unauthorized individual from using the device Data Security Techniques to protect the data stored on the device, even if the device is stolen Network Security Tools to encrypt data while it is in transit across a network Application Security Mechanisms to secure the operating system and isolate applications while they are running
Information gathering Observe application behavior Determine the application’s data states (at rest, in transit or on display) and sensitivity Identify access methods Identify what frameworks are in use Identify server side APIs that are in use Identify what protocols are in use Identify other applications or services with which the application interacts Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulo Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>. Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <a List the dynamic dependencies. Use otool –L <app name> Dump the load commands for the application. Use otool –l <app name> Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instanc Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. Determine the security features in place: Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, s
iPhone Analyzer allows you to forensically examine or recover data from in iOS device. It principally works by importing backups produced from iTunes or third party software, and providing you with a rich interface to explore, analyze and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the data. IPhone Analyzer is now free for Personal use
If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS app This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect yo  Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps  Learn how attackers infect apps with malware through code injection  Discover how attackers defeat iOS keychain and data-protection encryption  Use a debugger and custom code injection to manipulate the runtime Objective-C environment  Prevent attackers from hijacking SSL sessions and stealing traffic  Securely delete files and design your apps to prevent forensic data leakage  Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace
Top 10 Mobile Risks M1 : Weak Server Side Controls M2 : Insecure Data Storage M3 : Insufficient Transport Layer Protection M4 : Unintended Data Leakage M5 : Poor Authorization and Authentication M6 : Broken Cryptography M7 : Client Side Injection M8 : Security Decisions Via Untrusted Inputs M9 : Improper Session Handling M10: Lack of Binary Protections
What is the Heartbleed bug? It’s an OpenSSL vulnerability. OpenSSL is a security protocol that encrypts communications between your computer (or device) and a Web server. A Most websites, many operating systems, and many apps use OpenSSL. It’s everywhere, and one version of it has a critical bug that lets hackers exp Which operating systems are affected: iOS devices are safe. Windows Phone OS is likely safe. BlackBerry is “investigating.” Android is vulnerable if you have version 4.1.1, according to Google.
OWASP Mobile Security Project - MobiSec The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing m
Thank you!

Recommended

Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devices
HCL Technologies
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile application
Vikrant Kansal
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 

Recommended

Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devices
HCL Technologies
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile application
Vikrant Kansal
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
GTestClub
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
NorazlinaAbdullah4
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
Ammar WK
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
Arvind Bhardwaj [AB]
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
Muhammad Shehata
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
TekRevol LLC
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
dotnetcode
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
Bill Ross
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
bdemchak
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control Design
Priyanka Aash
 
Security testing
Security testingSecurity testing
Security testing
baskar p
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
baroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
it-people
 
Firebase
FirebaseFirebase
Firebase
TriState Technology
 

More Related Content

What's hot

Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Security testing
Security testingSecurity testing
Security testing
baskar p
 

What's hot (19)

Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
 
Owasp
Owasp Owasp
Owasp
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control Design
 
Security testing
Security testingSecurity testing
Security testing
 

Viewers also liked

Android security model
Android security modelAndroid security model
Android security model
rrand1
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 

Viewers also liked (17)

Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
 
Firebase
FirebaseFirebase
Firebase
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Firebase Android
Firebase AndroidFirebase Android
Firebase Android
 
Android security model
Android security modelAndroid security model
Android security model
 
Introduction, Examples - Firebase
Introduction, Examples - Firebase Introduction, Examples - Firebase
Introduction, Examples - Firebase
 
Android system security
Android system securityAndroid system security
Android system security
 
Introduction to Firebase with Android and Beyond...
Introduction to Firebase with Android and Beyond...Introduction to Firebase with Android and Beyond...
Introduction to Firebase with Android and Beyond...
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Introduction to Firebase [Google I/O Extended Bangkok 2016]
Introduction to Firebase [Google I/O Extended Bangkok 2016]Introduction to Firebase [Google I/O Extended Bangkok 2016]
Introduction to Firebase [Google I/O Extended Bangkok 2016]
 
Android security
Android securityAndroid security
Android security
 

Similar to Untitled 1

Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security Training
Tonex
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
Ravishankar Kumar
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
Mykhailo Antonishyn
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
IBM Security
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 

Similar to Untitled 1 (20)

CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Mobile security
Mobile securityMobile security
Mobile security
 
The Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppThe Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android App
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security Training
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 
OS-Project-Report-Team-8
OS-Project-Report-Team-8OS-Project-Report-Team-8
OS-Project-Report-Team-8
 
Top 6 Android Security Best Practices for App Development
Top 6 Android Security Best Practices for App DevelopmentTop 6 Android Security Best Practices for App Development
Top 6 Android Security Best Practices for App Development
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Recently uploaded (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Untitled 1

  • 1. Security Testing of Mobile Applications (Android - BlackBerry - iOS)
  • 2. Introduction to Android Security & AppUse Mobile application threat model - What makes mobile application security so different? • The Android linux OS security • The Dalvik VM • The Android security mechanisms • Application file system isolation • The permission model • Least privilege model • Database isolation • The Android emulator VS. physical device • The AppUse VM ("Android Pen-test Platform Unified Standalone Environment") • The Android Debug Bridge (ADB) • The logcat interface
  • 3. Traffic Analysis and Manipulation • Intro to server side attacks - SQL injection, XSS • Insecure remote Authentication - client id, IMEI, etc. • Insecure session management • authorization • Traffic interception • Using proxies and sniffers • Importing SSL certificates & trusted CA's • Sensitive information transmission • Bypassing server certificate validations • Exposing insecure traffic
  • 4. Insecure data K11storage • Exploring deployed application files at the /data/data directory • The file system security model • Insecure file system permissions • Insecure storage of sensitive data in files • The SDcard • The SQLite Database storage • Using sqlite browser • Application shared preferences storage • Storage of sensitive data at the server side • Secrets in code • Insecure log exposure • Bad cryptography
  • 5. Reverse engineering the application binaries • The APK file package • APK extraction - Investigating layout, manifest, permissions and binaries • Extracting the content of the classes.dex file • Using smali/baksmali Dalvik assembler/disassembler • Using jasmin/jasper JVM assembler/disassembler • Decompilation • Using dex2jar • Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc • Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access, geo-location, address book, client xss and html injection, etc. • Finding hard coded secrets in code • Using Android Lint • Code patching and modification • Recreating and resigning the modified APK
  • 6. Android application components security • Major component types - Activity, Service, Content provider, Broadcast receiver • The Intent message • Components and the manifest file • Using manifest explorer • Component permissions and visibility • Activating components • Accessing restricted screens • Attacking content providers and client side sql injection • Direct component invocation by unauthorized apps
  • 7. Analyzing Runtime Analysis • Monitoring process activity • Observing file access • Monitoring network connectivity • Debugging • Setting breakpoints • Memory dumping and analysis • Analyzing logs using logcat
  • 8. Android Platform Security Architecture Android seeks to be the most secure and usable operating system for mobile platforms by re-purpo  Protect user data  Protect system resources (including the network)  Provide application isolation To achieve these objectives, Android provides these key security features:  Robust security at the OS level through the Linux kernel  Mandatory application sandbox for all applications  Secure interprocess communication  Application signing  Application-defined and user-granted permissions The sections below describe these and other security features of the Android platform. Figure 1 summarizes the security components and considera
  • 9.
  • 10. New Android's Feature will Regularly Scan Your Apps Recently Google has officially announced to increase the security of Android users by adding a new feature to android which will regularly scan all the The new feature by Google would be a part of Verify Apps feature which is already protecting android users from harmful apps installed by third party The feature will scan for spywares , malwares , sending unauthorized messages and in-app installations for changes in app activity after it is installed
  • 11. The first comprehensive guide to discovering and preventing attacks on the Android OS As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written b If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you w A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulne Covers Android application building blocks and security as well as debugging and auditing Android apps Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against a Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
  • 12.
  • 13. IT Policy: -Primary policy for all protection mechanisms Access to Network/Resources/Settings Prohibited and Mandatory installations of apps Controlling third-party Java application permissions -Per-Handset + Global Policy stored on BES -Initial Policy is signed by master key at pairing Stored in NV RAM Future updates OTA must be signed by master key
  • 14. Application Controls: - All applications run in the JVM - IT Policy controls how the applications interact -Developed with the user and company in mind Most restrictive overlap - I9 application control policy categories Cross Application Control -Hardware -Network domnains -PIM data/ applications -Inter-application communication -Browser -User Autherntication and Settings -Input Simulation -MDS
  • 15. Code signing - Core BB applications must be RIM Signed - Class files verified for interface compliance - No user-defined class loaders -No Java Native Interface or user extensions -System classes cannot be overridden
  • 16. Data Security -Java RMS offers various forms of crypto -Keys must be explicitly shared by apps -PIM protected by Blackberry Attachment Service Renders and decrypts data on the BES Sends rasterized information to display Avoids image exploits Manages PGP on BES
  • 17. The iOS Security Model Apple has incorporated four layers of security in iOS to protect the user and their data. Device Security Techniques to prevent an unauthorized individual from using the device Data Security Techniques to protect the data stored on the device, even if the device is stolen Network Security Tools to encrypt data while it is in transit across a network Application Security Mechanisms to secure the operating system and isolate applications while they are running
  • 18.
  • 19. Information gathering Observe application behavior Determine the application’s data states (at rest, in transit or on display) and sensitivity Identify access methods Identify what frameworks are in use Identify server side APIs that are in use Identify what protocols are in use Identify other applications or services with which the application interacts Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulo Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>. Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <a List the dynamic dependencies. Use otool –L <app name> Dump the load commands for the application. Use otool –l <app name> Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instanc Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. Determine the security features in place: Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, s
  • 20. iPhone Analyzer allows you to forensically examine or recover data from in iOS device. It principally works by importing backups produced from iTunes or third party software, and providing you with a rich interface to explore, analyze and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the data. IPhone Analyzer is now free for Personal use
  • 21. If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS app This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect yo  Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps  Learn how attackers infect apps with malware through code injection  Discover how attackers defeat iOS keychain and data-protection encryption  Use a debugger and custom code injection to manipulate the runtime Objective-C environment  Prevent attackers from hijacking SSL sessions and stealing traffic  Securely delete files and design your apps to prevent forensic data leakage  Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace
  • 22. Top 10 Mobile Risks M1 : Weak Server Side Controls M2 : Insecure Data Storage M3 : Insufficient Transport Layer Protection M4 : Unintended Data Leakage M5 : Poor Authorization and Authentication M6 : Broken Cryptography M7 : Client Side Injection M8 : Security Decisions Via Untrusted Inputs M9 : Improper Session Handling M10: Lack of Binary Protections
  • 23. What is the Heartbleed bug? It’s an OpenSSL vulnerability. OpenSSL is a security protocol that encrypts communications between your computer (or device) and a Web server. A Most websites, many operating systems, and many apps use OpenSSL. It’s everywhere, and one version of it has a critical bug that lets hackers exp Which operating systems are affected: iOS devices are safe. Windows Phone OS is likely safe. BlackBerry is “investigating.” Android is vulnerable if you have version 4.1.1, according to Google.
  • 24.
  • 25. OWASP Mobile Security Project - MobiSec The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing m
  • 26.