introduction to mobile security testing
play

Introduction to Mobile Security Testing Approaches and Examples - PowerPoint PPT Presentation

Sep 09, 2022 •212 likes •791 views

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

  1. Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera

  2. $ whoami Carlos Holguera [olˈɣera]  Security Engineer working at ESCRYPT GmbH since 2012  Area of expertise: – Mobile & Automotive Security Testing – Security Testing Automation @grepharder

  3. Index 1 Why? 2 From the Standard to the Guide 3 Vulnerability Analysis 4 Information Gathering 6 Penetration Testing 7 Final Demos

  4. 1 Why?

  5. Why? Online videos, articles, trainings ??  Trustworthy sources?  Right Methodology?  Latest Techniques?  MASVS is the WHAT  MSTG is the HOW

  6. 2 From the Standard to the Guide

  7. From the Standard to the Guide

  8. From the Standard to the Guide OWASP Mobile Application Security Verification Standard Open on GitHub Read it on GitBook

  9. From the Standard to the Guide OWASP Mobile Application Security Verification Standard OS agnostic How? MSTG

  10. From the Standard to the Guide OWASP Mobile Application Security Verification Standard fork & customize Get from GitHub dep. on target

  11. From the Standard to the Guide OWASP Mobile Security Testing Guide Open on GitHub Read it on GitBook

  12. From the Standard to the Guide OWASP Mobile Security Testing Guide GitHub Search or clone & grep MASVS Refs. on each chapter

  13. 3 Vulnerability Analysis

  14. Vulnerability Analysis Static Analysis (SAST) Dynamic Analysis (DAST) Manual Code Review Testing and evaluation of apps   grep & line-by-line examination Real-time execution  Manual  expert code reviewer proficient in both  Automatic language and frameworks Automatic Code Analysis Examples of checks  Speed up the review  disclosure of data in transit  Predefined set of rules or industry best  authentication and authorization issues practices  server configuration errors.  False positives! A security professional must always review the results.  False negatives! Even worse … Recommendation: SAST + DAST + security professional

  15. Vulnerability Analysis Based on MASVS * OWASP, Mobile Security Testing Guide, 2018 (0x05d-Testing-Data-Storage.html) What to verify & how. Incl. References to MASVS Requirements

  16. Vulnerability Analysis Demo App The MSTG Hacking Playground App Open on GitHub

  17. Vulnerability Analysis Manual Code Review Example: Android origin inal al source code

  18. Vulnerability Analysis Manual Code Review Example: Android decompile ledsource code

  19. Vulnerability Analysis Manual Code Review Example: iOS orig iginal inal source code * OWASP iGoat A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)

  20. Vulnerability Analysis Manual Code Review Example: iOS disas assemble led “source code”

  21. Vulnerability Analysis Automatic Code Analysis Exam ample le: Static ic Analy lyzer must be always evaluated by a professional

  22. 4 Information Gathering

  23. Information Gathering Information Gathering Identifies  General Information  Sensitive Information … on the target that is publically available. E.g. about the OS and its APIs Evaluates the risk by understanding  Existing Vulnerabilities  Existing Exploits … especially from third party software.

  24. Information Gathering * OWASP, Mobile Security Testing Guide, 2018 (0x05a-Platform-Overview.html)

  25. Information Gathering Exam ample le: Open OMTG_DATAST_011_Memory.j .jav ava and and observe the decryptSt String im imple lementat atio ion.

  26. Information Gathering Let me google gle that for you…

  27. Information Gathering Got all original crypto code inclusive crypto params.

  28. 5 Penetration Testing

  29. Penetration Testing Preparation Intelligence Gathering Coordination with the client Environmental info  Goals and intended use (e.g. Flashlight)  Define scope / focus  What if compromised?  Request source code  Release and debug apps  Understand customer worries Architectural Info  Runtime protections (jailbreak, Identifying Sensitive Data emulator..?)  Which OS (old versions?)  at rest: file  Network Security  in use: address space  Secure Storage (what, why, how?)  in transit: tx to endpoint, IPC

  30. Penetration Testing Mapping Exploitation  Exploit the vulnerabilities identified Based on all previous information during the previous phase  Use the MSTG  UNDERSTAND the target  Find the true positives  LIST potential vulnerabilities  DRAW sensitive data flow  DESIGN a test plan , use MASVS Reporting Complement with automated scanning and manually exploring the app  Essential to the client  Not so fun?  It makes you the bad guy  Security not integrated early enough in the SDLC?

  31. Penetration Testing * OWASP, Mobile Security Testing Guide, 2018 (0x04b-Mobile-App-Security-Testing.html)

  32. Penetration Testing Penetration Testing is conducted in four phases* * NIST, Technical Guide to Information Security Testing and Assessment, 2008

  33. Penetration Testing However  Multiple attack vectors  Multiple steps  Different combinations give different full attack vectors So penetration testing usually looks more like this …

  34. Penetration Testing Demo Spoiler Replicate crypto operations in java Download the app Patch smali unpack it Re-package javac get smali It’s android, be happy! Re-sign run Dex to jar Re-install Make the app debuggable decompile google logcat debug Find stuff: keys, cipherText, Inspect the code Read the classes logs What do you want? The plain text  The plain text? hooking

  35. Penetration Testing Techniques decompilation fuzzing traffic interception method tracing code injection tampering disassembly hooking traffic root detection dump man-in-the-middle dynamic binary instrumentation debugging binary patching

  36. Penetration Testing One for Android, one for iOS. All happy 

  37. Penetration Testing * OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

  38. Penetration Testing * OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)

  39. Penetration Testing Example Scenario Automotive-Mobile Testing  03 2X XX XX XX X5 55  04 FX XX XX XX XF FF CAN Bluetooth Mobile Apps 03 2X XX XX XX X5 55 04 FX XX XX XX XF FF

  40. 6 Demo 1 Mobile Penetration Testing Let‘s decrypt that encrypted string!

  41. Demo 1 App: MSTG-Hacking-Playground(011_MEMORY)

  42. Demo 1 Replicate crypto operations in java Download the app Patch smali unpack it Re-package javac get smali It’s android, be happy! Re-sign run Dex to jar Re-install Make the app debuggable decompile google logcat debug Find stuff: keys, cipherText, Inspect the code Read the classes logs What do you want? The plain text  The plain text? hooking

  43. Demo 1 Download the app unpack it It’s android, be happy! Dex to jar decompile google Find stuff: keys, cipherText, Inspect the code classes What do you want? The plain text  The plain text? hooking

  44. Demo 1

  45. Demo 1

  46. 6 Demo 2 Mobile Penetration Testing Let‘s get the crypto keys!

  47. Demo 2 App: MSTG-Hacking-Playground(001_KEYSTORE)

  48. Demo 2 Download the app Patch smali Re-package unpack it get smali It’s android, be happy! Re-sign Dex to jar Re-install Make the app debuggable decompile google debug Inspect the code Find stuff: keys, classes What do you want? The crypto keys  The crypto keys hooking

  49. Demo 2 Download the app unpack it It’s android, be happy! Dex to jar decompile google Inspect the code Find stuff: keys, classes What do you want? The crypto keys  The crypto keys hooking

  50. Demo 2

  51. Demo 2

  52. Demo 2

  53. Takeaways  Read the MSTG  Use the MASVS  Play with Crackmes  grep harder  Learn  Learn  Contribute!  Have fun :)

  54. References RTFM STG

  55. References  OWASP Mobile Security Testing Guide https://mobile-security.gitbook.io/mobile-security-testing-guide https://github.com/OWASP/owasp-mstg  OWASP Mobile Application Security Verification Standard https://mobile-security.gitbook.io/masvs/ https://github.com/OWASP/owasp-masvs  OWASP iGoat - A Learning Tool for iOS App Pentesting and Security https://github.com/OWASP/igoat  OWASP MSTG-Hacking-Playground Android App https://github.com/OWASP/MSTG-Hacking-Playground  OWASP MSTG Crackmes https://github.com/OWASP/owasp-mstg/tree/master/Crackmes

  56. Thank you, any questions?

Recommend

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security & Privacy

1.03k views • 57 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t. 31 31 st Presenters ITAC 2014 Bishop Fox Francis Brown Partner Joe DeMesy Security Associate 2 2 Int ntrodu roductions ctions

1.32k views • 86 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Testing Mobile Apps CS 4720 Mobile Application Development CS 4720 Testing! The most

Testing Mobile Apps CS 4720 Mobile Application Development CS 4720 Testing! The most

Testing Mobile Apps CS 4720 Mobile Application Development CS 4720 Testing! The most important thing we never teach you to do! Consider how most projects go in your undergrad career: Requirements elicitation? We give you a

178 views • 17 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied & Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Introduction Design Key Scheduling Keystream Generation Security

Introduction Design Key Scheduling Keystream Generation Security

MARC: Modified ARC4 Jianliang Zheng and Jie Li The City University of New York Contents Introduction Design Key Scheduling Keystream Generation Security Statistical Testing Performance Testing Introduction RC4

588 views • 16 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

819 views • 20 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Announcement Course Evaluations Now online Will be available from Friday, Dec 7 Will also allow students to do

864 views • 50 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Examining the Practicality of Ethernet for Mobile Backhaul Through Interoperability Testing

Examining the Practicality of Ethernet for Mobile Backhaul Through Interoperability Testing

Examining the Practicality of Ethernet for Mobile Backhaul Through Interoperability Testing Carsten Rossenhvel, Managing Director European Advanced Networking Test Center EANTC Introduction Providing independent network quality assurance

486 views • 25 slides
Security Regression Addressing Security Regression by Unit Testing Christopher Grayson

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson @_lavalamp Introduction WHOAMI ATL Web development Academic researcher Haxin all the things (but I rlllly like networks) Founder

472 views • 35 slides
Why did we Mobile Testing Process pz.tt/ict19 develop this methodology? www.accessibilityoz.com

Why did we Mobile Testing Process pz.tt/ict19 develop this methodology? www.accessibilityoz.com

29/04/2020 Why did we Mobile Testing Process pz.tt/ict19 develop this methodology? www.accessibilityoz.com gian@accessibilityoz.com @accessibilityoz accessibilityoz.com 1 2 Introduction ICT Accessibility Testing Symposium has developed a

626 views • 18 slides
Mobile App Security An introduction Marc Obrador Who am I? Marc Obrador Co-founder & Head

Mobile App Security An introduction Marc Obrador Who am I? Marc Obrador Co-founder & Head

Mobile App Security An introduction Marc Obrador Who am I? Marc Obrador Co-founder & Head of Product Architecture @ Build38 Barcelona marc@build38.com @marcobrador /in/marc-obrador Build38 | Intro to Mobile App Security February 2020

808 views • 32 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
Mobile Communications Mobile Communications Confidentiality Security No access to information

Mobile Communications Mobile Communications Confidentiality Security No access to information

Security Requirements Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity . Mobile Communications Mobile Communications Confidentiality Security No access to information for

577 views • 11 slides
Introduction to Jest testing framework Painless JavaScript Testing platform Vasyl Boroviak

Introduction to Jest testing framework Painless JavaScript Testing platform Vasyl Boroviak

Introduction to Jest testing framework Painless JavaScript Testing platform Vasyl Boroviak Transform your inspection process with smart, mobile forms. checklists into digital forms and access them on site, in the field, where Typical set of

405 views • 28 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides

More recommend