Introduction to Mobile Security Testing Approaches and Examples - - PowerPoint PPT Presentation

SLIDE 1

Introduction to Mobile Security Testing

Approaches and Examples using OWASP MSTG

OWASP German Day 20.11.2018 Carlos Holguera

SLIDE 2

$ whoami

Carlos Holguera [olˈɣera], @grepharder

  • Security Engineer working at ESCRYPT GmbH since 2012
  • Area of expertise:
    – Mobile & Automotive Security Testing
    – Security Testing Automation

SLIDE 3

Index

1 Why?
2 From the Standard to the Guide
3 Vulnerability Analysis
4 Information Gathering
6 Penetration Testing
7 Final Demos

SLIDE 4

1 Why?

SLIDE 5

Why?

  • Trustworthy sources?
  • Right Methodology?
  • Latest Techniques?

MASVS is the WHAT, MSTG is the HOW

Online videos, articles, trainings ??

SLIDE 6

2 From the Standard to the Guide

SLIDE 7

From the Standard to the Guide

SLIDE 8

From the Standard to the Guide

OWASP Mobile Application Security Verification Standard

Read it on GitBook Open on GitHub

SLIDE 9

From the Standard to the Guide

OWASP Mobile Application Security Verification Standard

How? MSTG, OS agnostic

SLIDE 10

From the Standard to the Guide

OWASP Mobile Application Security Verification Standard

Get from GitHub: fork & customize (dep. on target)

SLIDE 11

From the Standard to the Guide

OWASP Mobile Security Testing Guide

Read it on GitBook Open on GitHub

SLIDE 12

From the Standard to the Guide

OWASP Mobile Security Testing Guide

MASVS refs. on each chapter. GitHub Search, or clone & grep.

SLIDE 13

3 Vulnerability Analysis

SLIDE 14

Vulnerability Analysis

Static Analysis (SAST)

Manual Code Review

  • grep & line-by-line examination
  • expert code reviewer proficient in both language and frameworks

Automatic Code Analysis

  • Speed up the review
  • Predefined set of rules or industry best practices
  • False positives! A security professional must always review the results.
  • False negatives! Even worse …

Dynamic Analysis (DAST)

Testing and evaluation of apps

  • Real-time execution
  • Manual
  • Automatic

Examples of checks

  • disclosure of data in transit
  • authentication and authorization issues
  • server configuration errors.

Recommendation: SAST + DAST + security professional

SLIDE 15

Vulnerability Analysis

* OWASP, Mobile Security Testing Guide, 2018 (0x05d-Testing-Data-Storage.html)

What to verify & how. Based on MASVS.

  • Incl. references to MASVS requirements

SLIDE 16

Vulnerability Analysis

Demo App: The MSTG Hacking Playground App (Open on GitHub)

SLIDE 17

Vulnerability Analysis

Manual Code Review

Example: Android original source code

SLIDE 18

Vulnerability Analysis

Manual Code Review

Example: Android decompiled source code

SLIDE 19

Vulnerability Analysis

Manual Code Review

Example: iOS original source code

* OWASP iGoat A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)

SLIDE 20

Vulnerability Analysis

Manual Code Review

Example: iOS disassembled “source code”

SLIDE 21

Vulnerability Analysis

Automatic Code Analysis

Example: Static Analyzer (must always be evaluated by a professional)

SLIDE 22

4 Information Gathering

SLIDE 23

Information Gathering

Identifies

  • General Information
  • Sensitive Information

… on the target that is publicly available, e.g. about the OS and its APIs.

Evaluates the risk by understanding

  • Existing Vulnerabilities
  • Existing Exploits

… especially from third party software.

SLIDE 24

Information Gathering

* OWASP, Mobile Security Testing Guide, 2018 (0x05a-Platform-Overview.html)

SLIDE 25

Information Gathering

Example: Open OMTG_DATAST_011_Memory.java and observe the decryptString implementation.

SLIDE 26

Information Gathering

Let me google that for you…

SLIDE 27

Information Gathering

Got all the original crypto code, including the crypto params.
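As an added example (not from the slides, and not the Playground project's code): a minimal grep-style SAST pass of the kind the "grep & line-by-line examination" and "Automatic Code Analysis" bullets on slide 14 describe, run over a constructed Java fragment shaped like the decryptString exercise above. Every hit carries a review hint because, as the slides stress, a professional must still decide whether it is a true positive. The rule set, the sample code and the Finding name are assumptions; the MASVS IDs in the hints are the 1.x requirement identifiers and should be checked against the MASVS version in use.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of decompiled Android code. It is NOT the
# Playground's OMTG_DATAST_011_Memory.java, only a stand-in for the exercise.
SAMPLE_JAVA = """\
public class CryptoHelper {
    private static final String KEY = "1234567890abcdef";
    private static final byte[] IV = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
    static String decryptString(String b64) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        c.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(IV));
        String plain = new String(c.doFinal(Base64.decode(b64, 0)));
        Log.d("CryptoHelper", "plain=" + plain);
        return plain;
    }
    static byte[] legacyEncrypt(byte[] data, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES");  // JCE default mode is ECB
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }
}
"""

Finding = namedtuple("Finding", "rule_id line_no source_line review_hint")

RULES = [  # hypothetical rule set: (rule id, regex, what the reviewer must confirm)
    ("HARDCODED_CRYPTO_CONST", r'(?:String|byte\[\])\s+\w*(?i:KEY|IV|SECRET|PASS)\w*\s*=\s*(?:"|\{)',
     "MSTG-CRYPTO-1: confirm the literal really feeds a Cipher/Mac and is not a test fixture"),
    ("ECB_OR_DEFAULT_MODE", r'Cipher\.getInstance\(\s*"AES(?:"|/ECB)',
     "MSTG-CRYPTO-4: bare \"AES\" defaults to ECB; check what data it protects"),
    ("SENSITIVE_VALUE_LOGGED", r'Log\.[dviwe]\(.*(?i:plain|key|password|token|secret)',
     "MSTG-STORAGE-3: check whether the logged value is sensitive or just a misnamed variable"),
]

def scan(java_source: str) -> list:
    """Line-by-line grep of (decompiled) Java against RULES; every hit needs human review."""
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        for rule_id, pattern, hint in RULES:
            if re.search(pattern, line):
                findings.append(Finding(rule_id, line_no, line.strip(), hint))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"{f.line_no:>3} {f.rule_id:<24} {f.source_line}\n    review: {f.review_hint}")
```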

SLIDE 28

5 Penetration Testing

SLIDE 29

Penetration Testing

Preparation

Coordination with the client

  • Define scope / focus
  • Request source code
  • Release and debug apps
  • Understand customer worries

Identifying Sensitive Data

  • at rest: file
  • in use: address space
  • in transit: tx to endpoint, IPC

Intelligence Gathering

Environmental info

  • Goals and intended use (e.g. Flashlight)
  • What if compromised?

Architectural Info

  • Runtime protections (jailbreak, emulator..?)
  • Which OS (old versions?)
  • Network Security
  • Secure Storage (what, why, how?)

SLIDE 30

Penetration Testing

Mapping

Based on all previous information

  • UNDERSTAND the target
  • LIST potential vulnerabilities
  • DRAW sensitive data flow
  • DESIGN a test plan, use MASVS

Complement with automated scanning and manually exploring the app

Exploitation

  • Exploit the vulnerabilities identified during the previous phase
  • Use the MSTG
  • Find the true positives

Reporting

  • Essential to the client
  • Not so fun?
  • It makes you the bad guy
  • Security not integrated early enough in the SDLC?

SLIDE 31

* OWASP, Mobile Security Testing Guide, 2018 (0x04b-Mobile-App-Security-Testing.html)

Penetration Testing

SLIDE 32

Penetration Testing

Penetration Testing is conducted in four phases*

* NIST, Technical Guide to Information Security Testing and Assessment, 2008

SLIDE 33

Penetration Testing

However:

  • Multiple attack vectors
  • Multiple steps
  • Different combinations give different full attack vectors

So penetration testing usually looks more like this …

SLIDE 34

Penetration Testing

Demo Spoiler

Flowchart (flattened). Questions: What do you want? The plain text? It’s android, be happy! Nodes: Download the app; unpack it; Dex to jar; get smali; decompile; Inspect the code; Find stuff: keys, cipherText, classes; google; Replicate crypto operations in java; javac run; Make the app debuggable; Patch smali; Re-package, Re-sign, Re-install; debug; hooking; Read the logs; logcat; The plain text.

SLIDE 35

Penetration Testing

Techniques

decompilation, disassembly, code injection, binary patching, debugging, dynamic binary instrumentation, fuzzing, traffic dump, traffic interception, man-in-the-middle, method tracing, tampering, hooking, root detection

SLIDE 36

Penetration Testing

One for Android, one for iOS. All happy.

SLIDE 37

* OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

Penetration Testing

SLIDE 38

* OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

Penetration Testing

SLIDE 39

Penetration Testing

Example Scenario: Automotive-Mobile Testing

Bluetooth, Mobile Apps, CAN (masked CAN frames shown on the slide):

04 FX XX XX XX XF FF 03 2X XX XX XX X5 55 03 2X XX XX XX X5 55 04 FX XX XX XX XF FF

SLIDE 40

6 Demo 1 Mobile Penetration Testing

Let’s decrypt that encrypted string!

SLIDE 41

Demo 1

App: MSTG-Hacking-Playground(011_MEMORY)

SLIDE 42

Demo 1

Flowchart (flattened), same as the Demo Spoiler. Questions: What do you want? The plain text? It’s android, be happy! Nodes: Download the app; unpack it; Dex to jar; get smali; decompile; Inspect the code; Find stuff: keys, cipherText, classes; google; Replicate crypto operations in java; javac run; Make the app debuggable; Patch smali; Re-package, Re-sign, Re-install; debug; hooking; Read the logs; logcat; The plain text.

SLIDE 43

Demo 1

Flowchart (flattened), the path highlighted for Demo 1. Questions: What do you want? The plain text? It’s android, be happy! Nodes: Download the app; unpack it; Dex to jar; decompile; Inspect the code; Find stuff: keys, cipherText, classes; google; hooking; The plain text.

SLIDE 44

Demo 1

SLIDE 45

Demo 1

SLIDE 46

6 Demo 2 Mobile Penetration Testing

Let’s get the crypto keys!

SLIDE 47

Demo 2

App: MSTG-Hacking-Playground(001_KEYSTORE)

SLIDE 48

Demo 2

Flowchart (flattened). Questions: What do you want? The crypto keys? It’s android, be happy! Nodes: Download the app; unpack it; Dex to jar; get smali; decompile; Inspect the code; Find stuff: keys, classes; google; Make the app debuggable; Patch smali; Re-package, Re-sign, Re-install; debug; hooking; The crypto keys.

SLIDE 49

Demo 2

Flowchart (flattened), the path highlighted for Demo 2. Questions: What do you want? The crypto keys? It’s android, be happy! Nodes: Download the app; unpack it; Dex to jar; decompile; Inspect the code; Find stuff: keys, classes; google; hooking; The crypto keys.

SLIDE 50

Demo 2

SLIDE 51

Demo 2

SLIDE 52

Demo 2

SLIDE 53

Takeaways

  • Read the MSTG
  • Use the MASVS
  • Play with Crackmes
  • Learn
  • Contribute!
  • Have fun :)

@grepharder

SLIDE 54

References

RTFMSTG

SLIDE 55

  • OWASP Mobile Security Testing Guide

https://mobile-security.gitbook.io/mobile-security-testing-guide https://github.com/OWASP/owasp-mstg

  • OWASP Mobile Application Security Verification Standard

https://mobile-security.gitbook.io/masvs/ https://github.com/OWASP/owasp-masvs

  • OWASP iGoat - A Learning Tool for iOS App Pentesting and Security

https://github.com/OWASP/igoat

  • OWASP MSTG-Hacking-Playground Android App

https://github.com/OWASP/MSTG-Hacking-Playground

  • OWASP MSTG Crackmes

https://github.com/OWASP/owasp-mstg/tree/master/Crackmes


SLIDE 56

Thank you, any questions?