SlideShare une entreprise Scribd logo

Mobile application security

Télécharger en tant que PPTX, PDF
Shubhneet Goel
Shubhneet Goel
FormationTechnologie
1  sur  48
// …. and That’s all.
 Part 1: Mobile Application Security  Part 2: Pentesting Mobile Application  Part 3: Owasp Top Ten Mobile Application Risk  Part 4: Case Study & Demonstrations.
 Introduction to Mobile Application Security.  Mobile Security Stack.  Mobile Threat Model  Modus Operandi for Mobile Application Audit.  Roadblocks  Future of Mobile Application Security
 Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system.  In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps.  Mobile devices are designed around personal and communication functionality which makes the mobile application and mobile security risks different from the top traditional computing risks.
 Infrastructure Layer  Lowest Layer  Protocols ▪ CDMA,GSM ▪ GPS ▪ SMS,MMS  Hardware Layer  Smartphone/Tablet  Firmware  Operating System Layer  Symbian S40/S60  Froyo,Gingerbread  Application Layer
1. Dynamic Analysis 1. Debug the Running App (on device or in emulator) 2. Analyze Network Traffic 3. Analyze Remote Services (Http/SOAP/etc) 2. Static Anlysis 1. Get Application 1. Extract application from device 2. Receive application package from developers 2. Source code review 3. Reverse engineering 4. Disassembly 5. Patching
 OWASP guidelines, procedures for testing are not yet available like Web applications.  Mobile application also includes vulnerabilities in the underlying architecture (OS & Vendor specific) unlike web application in which only application vulnerabilities are concerned.  Applications can use various modes of communications like SMS,MMS,EDGE, GPRS,3G and WiFi due to which security testing becomes difficult.  Simulator's have their own limitations:  Can not simulate SMS communication (In case of communicating with SMS Gateway ) though, they provide mechanism to send & receive sms between simulators.  Simulator’s don’t allow intercepting installed applications traffic.  ( It has to be done, forcefully by interjecting an application into running simulator to intercept network communication from that process)
 Pen testing Mobile Application – Android  Background.  Setting up the Test Environment.  Setting up a proxy.  Android Application Penetration Testing Toolkit.  Reverse Engineering Android Applications  File Permissions in android
 Android is a Linux based platform developed by Google and the open handset alliance.  Application programming for it is done exclusively in java.  The android operating system software stack consist of java applications running on a Dalvik virtual machine (DVK).  The current version as of august 2010 is 2.2. there are over 90,00 application available in the android market.
 There are several ways to test mobile application e.g:  Using burp with a proxy.  Using a phone emulator with a proxy.  Using a phone to test and proxy outgoing phone data to a PC.  Requirements:  Computer running a Windows OS.  Java 6  Eclipse SDk – Helios/Indigo  Android 3.5 SDK  Burp! Proxy
 If Application using is using HTTP(s), or is a website that you are testing on Android browser, the next step is to setup a proxy tool such as Burp!  There are 4 main ways of setting up such a proxy:
 Specify the proxy details when starting the emulator using the command below. This command is to use a proxy listening on port 8080  Emulator -avd testavd -http-proxy http://localhost:8080
 The second option is to specify the proxy details in the emulator APN setting as shown below:  Home-> Menu-> Wireless & networks > Mobile Network -> Access Point Names  Update the following: NAME: Internet APN: Internet Proxy: IP address of your Computer USERNAME: <N/A> PASSWORD:<N/A>
 The third option is to specify it using the adb shell using the export command to set an environment variable, for example:  Export HTTP_PROXY=http://localhost:8080
 Final alternative is by changing the proxy setting in the settings database from where the android web browser reads. The settings database uses SQLite.  Familiarity with basic SQL commands is recommended if your plan to use this method. Change the hostname and port information appropriately using the below command:
 Dynamic Analysis Tools ▪ ADB ▪ Manifest Explorer ▪ Intent Sniffer ▪ Busybox ▪ Strace ▪ Procrank  Static Analysis ▪ Disassembly ▪ Dex2jar ▪ Baksmali ▪ Reverse Engineering ▪ JD-GUI
1. ADB 2. Manifest Explorer 3. Intent Sniffer 4. Busy box 5. Strace 6. Procrank
 Android Debug Bridge: It is part of the Android SDK. It has it’s own shell, which allows you to execute linux commands such as ls –l . The android developer’s guide lists the full range of ADB commands but we highlight a few below:  ADB could be used to locate all the emulators and android devices connected to the computer to the computer using the command below:  adb devices
 In our case the command found one instance of the emulator running. If multiple instances are running you can use the –s option in order to run commands against a specific device or emulator.  Adb –s emulator-5554 install Foobar.apk  Another important provided by the adb is to push or pull files to and from the device/Emulator.
 Every application running on android has an AndroidManifest.xml file. This file is very important from a security perspective as it defines the permission an application request. The Manifest Explorer tool is a utility that allows you to review this xml file with ease when testing it is important to verify that the application follows the principle of “Least privilege” and does not use permission that are ot required for it to function.
 Intent is a mechanism in android to move data process. It forms the core of android’s Inter process Communication (IPC). Inetnts could indicate a number of actions such as startservice, sendbroadcast etc. The Intent Sniffer tool performs monitoring of Intents.
 Busybox provides some linux commands that could be useful during the penetration testing process. It extends the capability of android’s toolbox. In order to install busybox you can go through the following steps:  Download the busybox
1. Disassembly 1. Dex2jar 2. Baksmali 2. Reverse Engineering 1. Java Application Decompiler (JAD-Gui)
Dissembler: is a computer program that translate machine language into assembly language ( The inverse operating of an assembler). A dissembler differs from a decompiler which targets a high level language rather than an assembly language. Reverse Engineering: Reverse engineering involves reversing a program's machine code (the string of 0s and 1s that are sent to the logic processor) back into the source code that it was written in, using program language statements.
 Android file permission uses the same model as Linux, to check the permissions of a file, go to the ADB shell and type ls –l.  Every .apk file installed on the emulator has its own unique user ID.  This prevents one application from accessing the other application’s data, any file created by the application will be assigned that application’s user ID and will not normally accessible to other applications.
 Owasp Top Ten Mobile Application Risk’s.  M1: Insecure Data Storage  M2: Weak Server Side Controls  M3: Insufficient Transport Layer Protection  M4:Client Side Injection  M5: Poor Authorization & Authentication  M6: Improper Session Handling  M7: Security Decision Via Untrusted Inputs  M8: Side channel Data Leakage  M9: Broken Cryptography  M10: Sensitive Information Disclosure.
 Case Study:  Facebook.apk : Pentesting a real world Application  Demonstrations:  Reverse Engineering a first Trojan for Android Malware.
1. Anant Srivastav Blog http://anantshri.info/ 2. Ankur Bhargava Http://www.hakers.info/site/ 3. http://www.veracode.com
Mobile application security

Recommandé

Mobile Threats and Trends Changing Mobile App Security
Mobile Threats and Trends Changing Mobile App SecurityMobile Threats and Trends Changing Mobile App Security
Mobile Threats and Trends Changing Mobile App Security
DevOps.com
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3
Krisshhna Daasaarii
 
COVERT app
COVERT appCOVERT app
COVERT app
itba9
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
Fraunhofer AISEC
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 

Recommandé

Mobile Threats and Trends Changing Mobile App Security
Mobile Threats and Trends Changing Mobile App SecurityMobile Threats and Trends Changing Mobile App Security
Mobile Threats and Trends Changing Mobile App Security
DevOps.com
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3
Krisshhna Daasaarii
 
COVERT app
COVERT appCOVERT app
COVERT app
itba9
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
Ajith Kp
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
Fraunhofer AISEC
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
IJNSA Journal
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
Krisshhna Daasaarii
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
PVS-Studio
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
Ids 008 buffer overflow
Ids 008 buffer overflowIds 008 buffer overflow
Ids 008 buffer overflow
jyoti_lakhani
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
Android security
Android securityAndroid security
Android security
Mohamed Alharbi
 
PROP - P ATRONAGE OF PHP W EB A PPLICATIONS
PROP - P ATRONAGE OF PHP W EB A PPLICATIONSPROP - P ATRONAGE OF PHP W EB A PPLICATIONS
PROP - P ATRONAGE OF PHP W EB A PPLICATIONS
ijcsit
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
sri indu 1213 it
sri indu 1213 itsri indu 1213 it
sri indu 1213 it
jignash
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
n|u - The Open Security Community
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
IJNSA Journal
 
Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sandboxing (Distributed computing)
Sandboxing (Distributed computing)
Sri Prasanna
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
Michael Rushanan
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
Vandana Verma
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
IRJET Journal
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Permission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inPermission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior in
chaitrabhat777
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
Pragati Rai
 

Contenu connexe

Tendances

SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
IJNSA Journal
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
IJNSA Journal
 
Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sandboxing (Distributed computing)
Sandboxing (Distributed computing)
Sri Prasanna
 

Tendances (19)

SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Ids 008 buffer overflow
Ids 008 buffer overflowIds 008 buffer overflow
Ids 008 buffer overflow
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Android security
Android securityAndroid security
Android security
 
PROP - P ATRONAGE OF PHP W EB A PPLICATIONS
PROP - P ATRONAGE OF PHP W EB A PPLICATIONSPROP - P ATRONAGE OF PHP W EB A PPLICATIONS
PROP - P ATRONAGE OF PHP W EB A PPLICATIONS
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
sri indu 1213 it
sri indu 1213 itsri indu 1213 it
sri indu 1213 it
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
 
Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sandboxing (Distributed computing)
Sandboxing (Distributed computing)
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
 

En vedette

Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
Pragati Rai
 
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
Giuseppe La Torre
 
Android security
Android securityAndroid security
Android security
Krazy Koder
 

En vedette (12)

Android Security
Android SecurityAndroid Security
Android Security
 
Permission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inPermission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior in
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
 
From java to android a security analysis
From java to android a security analysisFrom java to android a security analysis
From java to android a security analysis
 
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
 
[Presentation] Automated Model-Based Android GUI Testing using Multi-Level GU...
[Presentation] Automated Model-Based Android GUI Testing using Multi-Level GU...[Presentation] Automated Model-Based Android GUI Testing using Multi-Level GU...
[Presentation] Automated Model-Based Android GUI Testing using Multi-Level GU...
 
Android security
Android securityAndroid security
Android security
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android security
Android securityAndroid security
Android security
 

Similaire à Mobile application security

Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
Positive Hack Days
 
Google android white paper
Google android white paperGoogle android white paper
Google android white paper
Sravan Reddy
 
Final_Presentation_FlowDroid
Final_Presentation_FlowDroidFinal_Presentation_FlowDroid
Final_Presentation_FlowDroid
Kruti Sharma
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android System
Nizar Maan
 
Mobile testingartifacts
Mobile testingartifactsMobile testingartifacts
Mobile testingartifacts
Pragya Rastogi
 
Android security
Android securityAndroid security
Android security
Dr Amira Bibo
 
Android security
Android securityAndroid security
Android security
Dr Amira Bibo
 

Similaire à Mobile application security (20)

Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
A case study of malware detection and removal in android apps
A case study of malware detection and removal in android appsA case study of malware detection and removal in android apps
A case study of malware detection and removal in android apps
 
Android Overview
Android OverviewAndroid Overview
Android Overview
 
Android
AndroidAndroid
Android
 
Google android white paper
Google android white paperGoogle android white paper
Google android white paper
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Final_Presentation_FlowDroid
Final_Presentation_FlowDroidFinal_Presentation_FlowDroid
Final_Presentation_FlowDroid
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android System
 
Garbage Management using Android Smartphone
Garbage Management using Android SmartphoneGarbage Management using Android Smartphone
Garbage Management using Android Smartphone
 
Mobile testingartifacts
Mobile testingartifactsMobile testingartifacts
Mobile testingartifacts
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Android 101 Session @thejunction32
Android 101 Session @thejunction32Android 101 Session @thejunction32
Android 101 Session @thejunction32
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Hacking android apps by srini0x00
Hacking android apps by srini0x00Hacking android apps by srini0x00
Hacking android apps by srini0x00
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Learn mobile app testing in simple way
Learn mobile app testing in simple way Learn mobile app testing in simple way
Learn mobile app testing in simple way
 

Dernier

Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
Chris Hunter
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Dernier (20)

Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

Mobile application security

  • 1. // …. and That’s all.
  • 2.
  • 3. Part 1: Mobile Application Security  Part 2: Pentesting Mobile Application  Part 3: Owasp Top Ten Mobile Application Risk  Part 4: Case Study & Demonstrations.
  • 4.
  • 5. Introduction to Mobile Application Security.  Mobile Security Stack.  Mobile Threat Model  Modus Operandi for Mobile Application Audit.  Roadblocks  Future of Mobile Application Security
  • 6. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system.  In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps.  Mobile devices are designed around personal and communication functionality which makes the mobile application and mobile security risks different from the top traditional computing risks.
  • 7. Infrastructure Layer  Lowest Layer  Protocols ▪ CDMA,GSM ▪ GPS ▪ SMS,MMS  Hardware Layer  Smartphone/Tablet  Firmware  Operating System Layer  Symbian S40/S60  Froyo,Gingerbread  Application Layer
  • 8.
  • 9. 1. Dynamic Analysis 1. Debug the Running App (on device or in emulator) 2. Analyze Network Traffic 3. Analyze Remote Services (Http/SOAP/etc) 2. Static Anlysis 1. Get Application 1. Extract application from device 2. Receive application package from developers 2. Source code review 3. Reverse engineering 4. Disassembly 5. Patching
  • 10.
  • 11.
  • 12. OWASP guidelines, procedures for testing are not yet available like Web applications.  Mobile application also includes vulnerabilities in the underlying architecture (OS & Vendor specific) unlike web application in which only application vulnerabilities are concerned.  Applications can use various modes of communications like SMS,MMS,EDGE, GPRS,3G and WiFi due to which security testing becomes difficult.  Simulator's have their own limitations:  Can not simulate SMS communication (In case of communicating with SMS Gateway ) though, they provide mechanism to send & receive sms between simulators.  Simulator’s don’t allow intercepting installed applications traffic.  ( It has to be done, forcefully by interjecting an application into running simulator to intercept network communication from that process)
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19. Pen testing Mobile Application – Android  Background.  Setting up the Test Environment.  Setting up a proxy.  Android Application Penetration Testing Toolkit.  Reverse Engineering Android Applications  File Permissions in android
  • 20. Android is a Linux based platform developed by Google and the open handset alliance.  Application programming for it is done exclusively in java.  The android operating system software stack consist of java applications running on a Dalvik virtual machine (DVK).  The current version as of august 2010 is 2.2. there are over 90,00 application available in the android market.
  • 21.
  • 22. There are several ways to test mobile application e.g:  Using burp with a proxy.  Using a phone emulator with a proxy.  Using a phone to test and proxy outgoing phone data to a PC.  Requirements:  Computer running a Windows OS.  Java 6  Eclipse SDk – Helios/Indigo  Android 3.5 SDK  Burp! Proxy
  • 23.
  • 24. If Application using is using HTTP(s), or is a website that you are testing on Android browser, the next step is to setup a proxy tool such as Burp!  There are 4 main ways of setting up such a proxy:
  • 25. Specify the proxy details when starting the emulator using the command below. This command is to use a proxy listening on port 8080  Emulator -avd testavd -http-proxy http://localhost:8080
  • 26. The second option is to specify the proxy details in the emulator APN setting as shown below:  Home-> Menu-> Wireless & networks > Mobile Network -> Access Point Names  Update the following: NAME: Internet APN: Internet Proxy: IP address of your Computer USERNAME: <N/A> PASSWORD:<N/A>
  • 27. The third option is to specify it using the adb shell using the export command to set an environment variable, for example:  Export HTTP_PROXY=http://localhost:8080
  • 28. Final alternative is by changing the proxy setting in the settings database from where the android web browser reads. The settings database uses SQLite.  Familiarity with basic SQL commands is recommended if your plan to use this method. Change the hostname and port information appropriately using the below command:
  • 29.
  • 30.  Dynamic Analysis Tools ▪ ADB ▪ Manifest Explorer ▪ Intent Sniffer ▪ Busybox ▪ Strace ▪ Procrank  Static Analysis ▪ Disassembly ▪ Dex2jar ▪ Baksmali ▪ Reverse Engineering ▪ JD-GUI
  • 31. 1. ADB 2. Manifest Explorer 3. Intent Sniffer 4. Busy box 5. Strace 6. Procrank
  • 32. Android Debug Bridge: It is part of the Android SDK. It has it’s own shell, which allows you to execute linux commands such as ls –l . The android developer’s guide lists the full range of ADB commands but we highlight a few below:  ADB could be used to locate all the emulators and android devices connected to the computer to the computer using the command below:  adb devices
  • 33. In our case the command found one instance of the emulator running. If multiple instances are running you can use the –s option in order to run commands against a specific device or emulator.  Adb –s emulator-5554 install Foobar.apk  Another important provided by the adb is to push or pull files to and from the device/Emulator.
  • 34. Every application running on android has an AndroidManifest.xml file. This file is very important from a security perspective as it defines the permission an application request. The Manifest Explorer tool is a utility that allows you to review this xml file with ease when testing it is important to verify that the application follows the principle of “Least privilege” and does not use permission that are ot required for it to function.
  • 35.
  • 36. Intent is a mechanism in android to move data process. It forms the core of android’s Inter process Communication (IPC). Inetnts could indicate a number of actions such as startservice, sendbroadcast etc. The Intent Sniffer tool performs monitoring of Intents.
  • 37. Busybox provides some linux commands that could be useful during the penetration testing process. It extends the capability of android’s toolbox. In order to install busybox you can go through the following steps:  Download the busybox
  • 38. 1. Disassembly 1. Dex2jar 2. Baksmali 2. Reverse Engineering 1. Java Application Decompiler (JAD-Gui)
  • 39. Dissembler: is a computer program that translate machine language into assembly language ( The inverse operating of an assembler). A dissembler differs from a decompiler which targets a high level language rather than an assembly language. Reverse Engineering: Reverse engineering involves reversing a program's machine code (the string of 0s and 1s that are sent to the logic processor) back into the source code that it was written in, using program language statements.
  • 40. Android file permission uses the same model as Linux, to check the permissions of a file, go to the ADB shell and type ls –l.  Every .apk file installed on the emulator has its own unique user ID.  This prevents one application from accessing the other application’s data, any file created by the application will be assigned that application’s user ID and will not normally accessible to other applications.
  • 41.
  • 42.
  • 43.
  • 44. Owasp Top Ten Mobile Application Risk’s.  M1: Insecure Data Storage  M2: Weak Server Side Controls  M3: Insufficient Transport Layer Protection  M4:Client Side Injection  M5: Poor Authorization & Authentication  M6: Improper Session Handling  M7: Security Decision Via Untrusted Inputs  M8: Side channel Data Leakage  M9: Broken Cryptography  M10: Sensitive Information Disclosure.
  • 45.
  • 46. Case Study:  Facebook.apk : Pentesting a real world Application  Demonstrations:  Reverse Engineering a first Trojan for Android Malware.
  • 47. 1. Anant Srivastav Blog http://anantshri.info/ 2. Ankur Bhargava Http://www.hakers.info/site/ 3. http://www.veracode.com