This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
Part 1: Mobile Application Security
Part 2: Pentesting Mobile Applications
Part 3: OWASP Top Ten Mobile Application Risks
Part 4: Case Study & Demonstrations
Introduction to Mobile Application Security
Mobile Security Stack
Mobile Threat Model
Modus Operandi for Mobile Application Audit
Roadblocks
Future of Mobile Application Security
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general-purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps.

Mobile devices are designed around personal and communication functionality, which makes mobile application and mobile security risks different from the top traditional computing risks.
1. Dynamic Analysis
   1. Debug the running app (on device or in emulator)
   2. Analyze network traffic
   3. Analyze remote services (HTTP/SOAP/etc.)
2. Static Analysis
   1. Get the application
      1. Extract the application from the device
      2. Receive the application package from the developers
   2. Source code review
   3. Reverse engineering
   4. Disassembly
   5. Patching
OWASP guidelines and procedures for testing mobile applications are not yet available as they are for web applications.

Mobile applications also include vulnerabilities in the underlying architecture (OS and vendor specific), unlike web applications, where only application vulnerabilities are concerned.

Applications can use various modes of communication such as SMS, MMS, EDGE, GPRS, 3G and WiFi, which makes security testing difficult.

Simulators have their own limitations:
They cannot simulate SMS communication (in the case of communicating with an SMS gateway), though they provide a mechanism to send and receive SMS between simulators.
They do not allow intercepting an installed application's traffic. (It has to be done forcefully, by injecting into the application running in the simulator to intercept network communication from that process.)
Pentesting Mobile Applications – Android
Background
Setting up the Test Environment
Setting up a Proxy
Android Application Penetration Testing Toolkit
Reverse Engineering Android Applications
File Permissions in Android
Android is a Linux-based platform developed by Google and the Open Handset Alliance. Application programming for it is done exclusively in Java.

The Android operating system software stack consists of Java applications running on a Dalvik virtual machine (DVM).

The current version as of August 2010 is 2.2. There are over 90,00 applications available in the Android Market.
There are several ways to test a mobile application, e.g.:
Using Burp with a proxy.
Using a phone emulator with a proxy.
Using a phone to test and proxying outgoing phone data to a PC.
Requirements:
Computer running a Windows OS
Java 6
Eclipse SDK – Helios/Indigo
Android 3.5 SDK
Burp! Proxy
If the application is using HTTP(S), or it is a website that you are testing in the Android browser, the next step is to set up a proxy tool such as Burp. There are four main ways of setting up such a proxy:
Specify the proxy details when starting the emulator using the command below. This command uses a proxy listening on port 8080:
emulator -avd testavd -http-proxy http://localhost:8080
The second option is to specify the proxy details in the emulator APN settings as shown below:
Home -> Menu -> Wireless & networks -> Mobile Network -> Access Point Names
Update the following:
NAME: Internet
APN: Internet
Proxy: IP address of your computer
USERNAME: <N/A>
PASSWORD: <N/A>
The third option is to specify it in the adb shell, using the export command to set an environment variable, for example:
export HTTP_PROXY=http://localhost:8080
The final alternative is to change the proxy setting in the settings database that the Android web browser reads from. The settings database uses SQLite. Familiarity with basic SQL commands is recommended if you plan to use this method. Change the hostname and port information appropriately using the below command:
Android Debug Bridge: it is part of the Android SDK. It has its own shell, which allows you to execute Linux commands such as ls -l. The Android developer's guide lists the full range of ADB commands, but we highlight a few below:
ADB can be used to locate all the emulators and Android devices connected to the computer using the command below:
adb devices
In our case the command found one instance of the emulator running. If multiple instances are running you can use the -s option in order to run commands against a specific device or emulator:
adb -s emulator-5554 install Foobar.apk
Another important feature provided by adb is to push or pull files to and from the device/emulator.
Every application running on Android has an AndroidManifest.xml file. This file is very important from a security perspective as it defines the permissions an application requests. The Manifest Explorer tool is a utility that allows you to review this XML file with ease. When testing it is important to verify that the application follows the principle of "least privilege" and does not use permissions that are not required for it to function.
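A least-privilege check over a manifest, as an added example that is not from the original slides: it parses the uses-permission entries, compares them with the permissions the app's documented features justify, and also flags a build shipped with android:debuggable="true". The manifest is a constructed sample and the expected-permission list is an assumption a tester would derive from the app's feature set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a note-taking app that should only need
# network access, yet also asks for SMS and contact permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Notes" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Permissions that reach personal or communication data; a request for one
# of these without a matching feature is the finding the slide warns about.
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

def requested_permissions(manifest_xml):
    """All android:name values of <uses-permission>, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission"))

def audit(manifest_xml, expected):
    """Permissions requested beyond `expected`, split by sensitivity, plus
    whether the build is shipped with android:debuggable="true"."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    debuggable = app is not None and app.get(f"{{{ANDROID_NS}}}debuggable") == "true"
    extra = set(requested_permissions(manifest_xml)) - set(expected)
    return {
        "sensitive_extra": sorted(extra & SENSITIVE),
        "other_extra": sorted(extra - SENSITIVE),
        "debuggable": debuggable,
    }

if __name__ == "__main__":
    # Assumed: the notes app's documented features only justify INTERNET.
    print(audit(SAMPLE_MANIFEST, ["android.permission.INTERNET"]))
```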
An Intent is the mechanism in Android for moving data between processes. It forms the core of Android's Inter-Process Communication (IPC). Intents can indicate a number of actions such as startService, sendBroadcast etc. The Intent Sniffer tool performs monitoring of Intents.
Busybox provides some Linux commands that could be useful during the penetration testing process. It extends the capability of Android's toolbox. In order to install Busybox you can go through the following steps:
Download the busybox
Disassembler: a computer program that translates machine language into assembly language (the inverse operation of an assembler). A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language.
Reverse Engineering: reverse engineering involves reversing a program's machine code (the string of 0s and 1s that are sent to the logic processor) back into the source code that it was written in, using programming language statements.
Android file permissions use the same model as Linux; to check the permissions of a file, go to the ADB shell and type ls -l.
Every .apk file installed on the emulator has its own unique user ID. This prevents one application from accessing another application's data: any file created by the application will be assigned that application's user ID and will not normally be accessible to other applications.
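An audit of the ls -l output from the ADB shell, as an added example that is not from the original slides: it flags files in an app's private directory whose mode lets other UIDs read or write them, or that are owned by a different UID, which is exactly what the per-UID isolation described above is meant to prevent. The listing is constructed to mimic the toolbox ls -l format and the app UID app_42 is an assumed value.

```python
# Constructed listing in the toolbox `ls -l` format (mode, owner, group,
# size for files only, date, time, name), as seen under /data/data/<pkg>/.
SAMPLE_LS = """\
-rw-rw-rw- app_42   app_42       1024 2010-08-10 12:00 shared_prefs/creds.xml
-rw------- app_42   app_42       2048 2010-08-10 12:01 databases/notes.db
drwxr-xr-x app_42   app_42            2010-08-10 12:00 files
-rw-r--r-- app_42   app_42        512 2010-08-10 12:02 files/session.txt
-rw-r----- app_42   app_42        256 2010-08-10 12:03 files/cache.tmp
"""

def parse_ls_line(line):
    """Split one `ls -l` line into (mode, owner, group, name), or None for
    lines that are not entries. Directories carry no size column in the
    toolbox format, so the name is always taken from the end."""
    fields = line.split()
    if len(fields) < 6 or len(fields[0]) != 10:
        return None
    return fields[0], fields[1], fields[2], fields[-1]

def entry_issues(mode, owner, app_uid):
    """Ways one entry breaks the per-UID sandbox: the 'other' bits grant
    access to every other app's UID, and a foreign owner means another
    UID placed the file there."""
    issues = []
    if mode[7] == "r" and mode[0] != "d":
        issues.append("world-readable")
    if mode[8] == "w":
        issues.append("world-writable")
    if owner != app_uid:
        issues.append(f"owned by {owner}, not {app_uid}")
    return issues

def audit_listing(listing, app_uid):
    """Map each offending entry name to its issues; clean entries are omitted."""
    report = {}
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, _group, name = parsed
        issues = entry_issues(mode, owner, app_uid)
        if issues:
            report[name] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_listing(SAMPLE_LS, "app_42").items():
        print(f"{name}: {', '.join(issues)}")
```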
OWASP Top Ten Mobile Application Risks
M1: Insecure Data Storage
M2: Weak Server Side Controls
M3: Insufficient Transport Layer Protection
M4: Client Side Injection
M5: Poor Authorization & Authentication
M6: Improper Session Handling
M7: Security Decisions Via Untrusted Inputs
M8: Side Channel Data Leakage
M9: Broken Cryptography
M10: Sensitive Information Disclosure
Case Study:
Facebook.apk: Pentesting a real-world application
Demonstrations:
Reverse engineering a first Trojan for Android malware.