Ajin Abraham
Automated Security Analysis of Android & iOS Applications with Mobile Security Framework
About Me
• Application Security Engineer, Yodlee
• Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework.
• Co-Organizer of X0RC0NF.
• Blog about Security: http://opensecurity.in
The Takeaways
• A Free and Open Source Tool
• Mobile App Pentesters/Malware Analysts - How to make your life easier.
• Developers – Build secure mobile Apps by detecting vulnerabilities at earlier stages of development.
• For the Rest – Some new Information.
WTF is it?
Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing static and dynamic security analysis*.
Android iOS
Hosted in your environment. Your application and data are never sent to the cloud.
Basic Requirements
iOS
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
• Oracle VirtualBox
• Mac
Android
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
• Oracle VirtualBox
Static Analyzer
(Overview diagram: INPUT → Mobile Security Framework → OUTPUT / REPORT)
Static Analysis - Android Binary
• INFORMATION GATHERING
• DECOMPILE TO JAVA & SMALI
• PERMISSION ANALYSIS
• MANIFEST ANALYSIS
• JAVA CODE ANALYSIS
• ANDROID API INFO
• FILE ANALYSIS
• URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
• REPORT GENERATION
Static Analysis - Android Source
• INFORMATION GATHERING
• DECOMPILE TO JAVA & SMALI
• PERMISSION ANALYSIS
• MANIFEST ANALYSIS
• JAVA CODE ANALYSIS
• ANDROID API INFO
• FILE ANALYSIS
• URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
• REPORT GENERATION
DEMO
• Static Analysis of APK
• Static Analysis of Zipped Source Code
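The MANIFEST ANALYSIS and PERMISSION ANALYSIS steps above boil down to reading a decoded AndroidManifest.xml and flagging risky settings. The following is an added illustration written for this page, not code from the Mobile Security Framework project; it assumes a manifest already decoded to plain XML and uses a constructed sample manifest plus an illustrative subset of "dangerous" permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Illustrative subset of Android's "dangerous" protection-level permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
}

def attr(elem, name):
    # ElementTree exposes android:* attributes under the namespace URI.
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def analyze_manifest(xml_text):
    """Return (check, detail) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):
        name = attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("dangerous_permission", name))
    app = root.find("application")
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("debuggable", "android:debuggable=true permits a debugger to attach"))
    if attr(app, "allowBackup") != "false":
        findings.append(("allow_backup", "android:allowBackup not disabled; adb backup can copy app data"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = attr(comp, "exported")
        # Activities, services and receivers with an intent-filter are exported by default when
        # android:exported is absent; providers are only flagged here when explicitly exported.
        implicit = exported is None and comp.tag != "provider" and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and attr(comp, "permission") is None:
            findings.append(("exported_component", "%s %s" % (comp.tag, attr(comp, "name"))))
    return findings

# Constructed sample manifest (not from any real app) that exercises every check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".DeepLinkActivity"><intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter></activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true" android:permission="com.example.demo.BOOT"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""
```

A manifest inside an APK is stored in binary XML and must first be decoded (for example with apktool) before it can be parsed this way; the permission-protected receiver and the non-exported provider in the sample produce no finding.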
Static Analysis - iOS Binary
• BASIC INFORMATION
• BINARY ANALYSIS
• FILE ANALYSIS
• LIBRARIES
• REPORT GENERATION
Static Analysis - iOS Source
• BASIC INFORMATION
• CODE ANALYSIS
• iOS API INFORMATION
• FILE ANALYSIS
• URL, EMAIL, FILES, LIBRARIES
• REPORT GENERATION
DEMO
• Static Analysis of IPA Binary
• Static Analysis of Zipped Source Code
Dynamic Analyzer
(Overview diagram: INPUT → Mobile Security Framework with Android VM → OUTPUT / REPORT)
Dynamic Analyzer - Architecture
(Architecture diagram; recovered labels)
• Components: Dynamic Analyzer, Agents, Android VM, HTTP(S) Proxy
• Steps: Install and Run APK; Start HTTP(S) Web Proxy; Invoke Agents in VM
• Results: HTTP(S) Traffic, Application Data, Agent Collected Information
Dynamic Analysis
• SCREENSHOT
• CAPTURE HTTP(S) TRAFFIC
• LOGCAT and DUMPSYS
• DYNAMIC API MONITOR
• DYNAMIC URLS and EMAILS MONITOR
• APPLICATION DATA DUMPER
• FILE ANALYSIS ON APPLICATION DATA
• REPORT GENERATION
UNDER DEVELOPMENT
DEMO
• Dynamic Analysis of Android Application
Some Real World Results
• Mobile Security Framework – Bypassing PIN in Whisper Android Application - http://opensecurity.in/mobile-security-framework-bypassing-pin-in-whisper-android-application/
• AppLock MITM Password Reset Vulnerability - http://opensecurity.in/applock-mitm-password-reset-vulnerability/
AppLock MITM Password Reset Vulnerability DEMO
ANDROID MALWARE ANALYSIS DEMO
Future Plans
Looks like people are interested!
In Alpha Dev
• Web Service Testing/REST API testing for Hybrid Applications.
• Dynamic Analysis Support for Real Android and iOS Devices.
• Anti VM/Sandbox Detection Bypass.
• IDOR and Cross Talk Detection support in Proxy.
• Better Front End.
• DB Support.
• Scheduled Scans.
What can you do?
• Download, Test, Contribute
• Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework
• Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues
QA
@[email protected]
http://opensecurity.in
Thanks
• Bharadwaj Machiraju
• Anto Joseph
• Tim Brown
• Thomas Abraham
• Graphics/Image Owners