
Introduction to Mobile Security Testing Approaches and Examples - PowerPoint PPT Presentation



  1. Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera

  2. $ whoami Carlos Holguera [olˈɣera]
   Security Engineer working at ESCRYPT GmbH since 2012
   Area of expertise: Mobile & Automotive Security Testing; Security Testing Automation
   @grepharder

  3. Index
  1 Why?
  2 From the Standard to the Guide
  3 Vulnerability Analysis
  4 Information Gathering
  6 Penetration Testing
  7 Final Demos

  4. 1 Why?

  5. Why? Online videos, articles, trainings ??
   Trustworthy sources?
   Right Methodology?
   Latest Techniques?
   MASVS is the WHAT
   MSTG is the HOW

  6. 2 From the Standard to the Guide

  7. From the Standard to the Guide

  8. From the Standard to the Guide OWASP Mobile Application Security Verification Standard Open on GitHub Read it on GitBook

  9. From the Standard to the Guide OWASP Mobile Application Security Verification Standard OS agnostic How? MSTG

  10. From the Standard to the Guide OWASP Mobile Application Security Verification Standard: get it from GitHub, fork & customize depending on the target

  11. From the Standard to the Guide OWASP Mobile Security Testing Guide Open on GitHub Read it on GitBook

  12. From the Standard to the Guide OWASP Mobile Security Testing Guide: search on GitHub, or clone & grep. MASVS references on each chapter.

  13. 3 Vulnerability Analysis

  14. Vulnerability Analysis
  Static Analysis (SAST)
   Manual Code Review: grep & line-by-line examination; requires an expert code reviewer proficient in both language and frameworks
   Automatic Code Analysis: speeds up the review; predefined set of rules or industry best practices
   False positives! A security professional must always review the results.
   False negatives! Even worse …
  Dynamic Analysis (DAST)
   Testing and evaluation of apps during real-time execution; manual or automatic
   Examples of checks: disclosure of data in transit; authentication and authorization issues; server configuration errors
  Recommendation: SAST + DAST + security professional
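The slide's point about automatic code analysis (predefined rules are fast, but produce false positives and false negatives, so a professional must review the results) is easy to see on a tiny grep-style scanner. The following Python is an added example, not code from the talk or from the OWASP projects; the Java source it scans is a constructed, hypothetical snippet that only mimics the kind of decompiled code the later demos inspect (a hardcoded AES key next to a decryptString method). The rule names, the Finding class and the scan/triage functions are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample of "decompiled" Android code. It is hypothetical and not
# the MSTG Hacking Playground's real source; it only mimics the patterns the
# demo looks for (a hardcoded AES key next to the decryptString method).
# Line 5 mentions ECB only in a comment (a false positive for a naive rule);
# lines 13-14 assemble a key at runtime from two parts (a false negative).
SAMPLE_JAVA = """\
package com.example.demo;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class Crypto {
    // legacy note: this class used "AES/ECB/PKCS5Padding" before the CBC switch
    private static final String KEY = "0123456789abcdef";
    public static String decryptString(byte[] ct, byte[] iv) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k, new javax.crypto.spec.IvParameterSpec(iv));
        return new String(c.doFinal(ct));
    }
    private static final String p1 = "secret", p2 = "key12345";
    static byte[] assembledKey() { return (p1 + p2).getBytes(); }
}
"""

# A "predefined set of rules", in the spirit of the slide. Each rule is a
# regular expression applied line by line, exactly like a grep pass.
RULES = {
    # a variable whose name suggests a secret, initialised from a string literal
    "HARDCODED_KEY": re.compile(r'\b\w*(KEY|SECRET|PASSWORD|IV)\w*\s*=\s*"[^"]+"', re.I),
    # explicit ECB transformation string
    "ECB_MODE": re.compile(r'"AES/ECB'),
    # bare "AES" leaves the mode to the provider default
    "DEFAULT_CIPHER_MODE": re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)'),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str
    in_comment: bool  # cheap triage hint: the match sits on a // comment line


def scan(src: str) -> list[Finding]:
    """Automatic pass: run every rule over every source line."""
    findings = []
    for n, line in enumerate(src.splitlines(), start=1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(rule, n, line.strip(), line.lstrip().startswith("//")))
    return findings


def triage(findings: list[Finding]) -> list[Finding]:
    """Reviewer's pass: drop matches that only hit a comment, keep the rest."""
    return [f for f in findings if not f.in_comment]


if __name__ == "__main__":
    raw = scan(SAMPLE_JAVA)
    for f in raw:
        tag = "(comment)" if f.in_comment else ""
        print(f"{f.rule:20} line {f.line:2} {tag:9} {f.text}")
    print("after triage:", [(f.rule, f.line) for f in triage(raw)])
```

Running it reports two raw hits: ECB_MODE on the comment line (a false positive that triage removes) and HARDCODED_KEY on the literal key (the true positive a reviewer would then confirm by reading decryptString). Nothing flags assembledKey, where the key is concatenated at runtime; that false negative is invisible in the tool output and is exactly why the slide recommends SAST plus DAST plus a security professional rather than any one of them.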

  15. Vulnerability Analysis Based on MASVS: what to verify & how, incl. references to MASVS requirements. * OWASP, Mobile Security Testing Guide, 2018 (0x05d-Testing-Data-Storage.html)

  16. Vulnerability Analysis Demo App The MSTG Hacking Playground App Open on GitHub

  17. Vulnerability Analysis Manual Code Review Example: Android original source code

  18. Vulnerability Analysis Manual Code Review Example: Android decompiled source code

  19. Vulnerability Analysis Manual Code Review Example: iOS original source code * OWASP iGoat, A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)

  20. Vulnerability Analysis Manual Code Review Example: iOS disassembled “source code”

  21. Vulnerability Analysis Automatic Code Analysis Example: Static Analyzer. Results must always be evaluated by a professional.

  22. 4 Information Gathering

  23. Information Gathering
  Identifies:
   General Information
   Sensitive Information
  … on the target that is publicly available, e.g. about the OS and its APIs.
  Evaluates the risk by understanding:
   Existing Vulnerabilities
   Existing Exploits
  … especially from third-party software.

  24. Information Gathering * OWASP, Mobile Security Testing Guide, 2018 (0x05a-Platform-Overview.html)

  25. Information Gathering Example: Open OMTG_DATAST_011_Memory.java and observe the decryptString implementation.

  26. Information Gathering Let me google that for you…

  27. Information Gathering Got all the original crypto code, including the crypto params.

  28. 5 Penetration Testing

  29. Penetration Testing
  Preparation
   Coordination with the client: define scope / focus; request source code; release and debug apps; understand customer worries
   Identifying Sensitive Data: at rest (file); in use (address space); in transit (tx to endpoint, IPC)
  Intelligence Gathering
   Environmental info: goals and intended use (e.g. Flashlight); what if compromised?
   Architectural info: runtime protections (jailbreak, emulator..?); which OS (old versions?); network security; secure storage (what, why, how?)

  30. Penetration Testing
  Mapping: based on all previous information
   Use the MSTG
   UNDERSTAND the target
   LIST potential vulnerabilities
   DRAW sensitive data flow
   DESIGN a test plan, use MASVS
   Complement with automated scanning and manually exploring the app
  Exploitation
   Exploit the vulnerabilities identified during the previous phase
   Find the true positives
  Reporting
   Essential to the client
   Not so fun? It makes you the bad guy. Security not integrated early enough in the SDLC?

  31. Penetration Testing * OWASP, Mobile Security Testing Guide, 2018 (0x04b-Mobile-App-Security-Testing.html)

  32. Penetration Testing Penetration Testing is conducted in four phases* * NIST, Technical Guide to Information Security Testing and Assessment, 2008

  33. Penetration Testing However
   Multiple attack vectors
   Multiple steps
   Different combinations give different full attack vectors
  So penetration testing usually looks more like this …

  34. Penetration Testing Demo Spoiler
  Download the app → unpack it (It’s android, be happy!) → Dex to jar → decompile → Inspect the code (read the classes, google) → Find stuff: keys, cipherText, logs → What do you want? The plain text.
  The plain text? Either replicate the crypto operations in java (javac, run), or use hooking, or make the app debuggable: get smali → patch smali → re-package → re-sign → re-install → debug / logcat.

  35. Penetration Testing Techniques: decompilation, fuzzing, traffic interception, method tracing, code injection, tampering, disassembly, hooking, traffic dump, root detection, man-in-the-middle, dynamic binary instrumentation, debugging, binary patching

  36. Penetration Testing One for Android, one for iOS. All happy

  37. Penetration Testing * OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

  38. Penetration Testing * OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

  39. Penetration Testing Example Scenario: Automotive-Mobile Testing. Mobile Apps ↔ Bluetooth ↔ CAN. Example CAN frames: 03 2X XX XX XX X5 55; 04 FX XX XX XX XF FF

  40. 6 Demo 1 Mobile Penetration Testing Let’s decrypt that encrypted string!

  41. Demo 1 App: MSTG-Hacking-Playground(011_MEMORY)

  42. Demo 1
  Download the app → unpack it (It’s android, be happy!) → Dex to jar → decompile → Inspect the code (read the classes, google) → Find stuff: keys, cipherText, logs → What do you want? The plain text.
  The plain text? Either replicate the crypto operations in java (javac, run), or use hooking, or make the app debuggable: get smali → patch smali → re-package → re-sign → re-install → debug / logcat.

  43. Demo 1
  Download the app → unpack it (It’s android, be happy!) → Dex to jar → decompile → Inspect the code (classes, google) → Find stuff: keys, cipherText → What do you want? The plain text.
  The plain text? hooking

  44. Demo 1

  45. Demo 1

  46. 6 Demo 2 Mobile Penetration Testing Let’s get the crypto keys!

  47. Demo 2 App: MSTG-Hacking-Playground(001_KEYSTORE)

  48. Demo 2
  Download the app → unpack it (It’s android, be happy!) → Dex to jar → decompile → Inspect the code (classes, google) → Find stuff: keys → What do you want? The crypto keys.
  The crypto keys? Either use hooking, or make the app debuggable: get smali → patch smali → re-package → re-sign → re-install → debug.

  49. Demo 2
  Download the app → unpack it (It’s android, be happy!) → Dex to jar → decompile → Inspect the code (classes, google) → Find stuff: keys → What do you want? The crypto keys.
  The crypto keys? hooking

  50. Demo 2

  51. Demo 2

  52. Demo 2

  53. Takeaways
   Read the MSTG
   Use the MASVS
   Play with Crackmes
   grep harder
   Learn
   Learn
   Contribute!
   Have fun :)

  54. References RTFM STG

  55. References
   OWASP Mobile Security Testing Guide: https://mobile-security.gitbook.io/mobile-security-testing-guide, https://github.com/OWASP/owasp-mstg
   OWASP Mobile Application Security Verification Standard: https://mobile-security.gitbook.io/masvs/, https://github.com/OWASP/owasp-masvs
   OWASP iGoat - A Learning Tool for iOS App Pentesting and Security: https://github.com/OWASP/igoat
   OWASP MSTG-Hacking-Playground Android App: https://github.com/OWASP/MSTG-Hacking-Playground
   OWASP MSTG Crackmes: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes

  56. Thank you, any questions?
