Ajin Abraham
Android and iOS Application
Security with MobSF
Mobile Application Security simplified
#whoami
• Senior Application Security Engineer @ Chime Financial
• Application Security & Security Engineering ~10 years
• Authored a couple of open source security projects
  • MobSF, nodejsscan, OWASP Xenotix etc.
• Published research at Hack In Paris, Hack In the Box, PHDays, OWASP AppSec, Blackhat Arsenal, Nullcon etc.
• Security Blog: ajinabraham.com
• Consultancy: opensecurity.ca
Disclaimer: All images used in this presentation belong to their respective owners.
What is MobSF?
Free & Open Source Mobile Application Security tool
• Shipped as a dockerized Python Django web application.
• Supports all the popular binary and source code formats.
• Supports Dynamic Analysis & Instrumented Security testing with popular emulators and virtual machines.
History & Stats
MobSF Timeline
• Open Source, licensed under GPL v3.
• Started out in Dec 2014 as automation for repetitive tasks at work.
• Today we have contributors (90+) from all over the world.
• Actively developed and maintained.
• Free Slack Community Support Channel.
• 1450+ closed issues, 870+ pull requests, 44 releases.
Before MobSF
How do I analyze Mobile applications in-house?
• Static Analysis:
  • Different tools for decompiling, disassembling, SAST, converting, reporting
  • Convert binary files to readable formats (ex: Binary XML/PLIST -> Text XML/PLIST)
  • Disassemble & Decompile (ex: APK (DEX) -> JAR -> SMALI/JAVA)
  • Binary Analysis of MachO/ELF/DEX/.so/.dylib
  • Specialized tools for parsing and data extraction
  • SAST, SCA, Secret Scanning etc. on code and configuration files
• Dynamic Analysis:
  • Configuring a rooted and jailbroken device/virtual machine
  • Configure HTTPS proxy and install certificates
  • Bypass TLS/cert pinning, root detection, anti-debug checks
  • Install and set up instrumentation tools
  • Log analysis, memory analysis, file system analysis.
After MobSF
Tada 🎉!
Target Audience
How can MobSF help you?
• Developers: Identify security issues as and when applications are being developed.
• Security Engineers/Pentesters: Perform interactive security assessment of mobile apps.
• DevSecOps Engineers: Integrate MobSF in your CI/CD pipeline for shift-left coverage.
• Malware Analysts: Identify malicious behaviour and patterns in code and at runtime.
• Layman: Anyone who is concerned about the privacy and security of the mobile applications they are using.
How does it work?
Static Analysis
[INFO] 14/Jun/2024 20:21:05 - MIME Type: application/vnd.android.package-archive FILE: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Performing Static Analysis of Android APK
[INFO] 14/Jun/2024 20:21:05 - Scan Hash: 6ea61e5468c39ef4b9650661849a843e
[INFO] 14/Jun/2024 20:21:05 - Starting Analysis on: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Generating Hashes
[INFO] 14/Jun/2024 20:21:05 - Unzipping
[INFO] 14/Jun/2024 20:21:05 - APK Extracted
[INFO] 14/Jun/2024 20:21:05 - Getting Hardcoded Certificates/Keystores
[INFO] 14/Jun/2024 20:21:05 - Getting AndroidManifest.xml from APK
[INFO] 14/Jun/2024 20:21:05 - Converting AXML to XML
[INFO] 14/Jun/2024 20:21:07 - Parsing AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Parsing APK with androguard
[INFO] 14/Jun/2024 20:21:07 - Starting analysis on AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Extracting Manifest Data
[INFO] 14/Jun/2024 20:21:07 - Performing Static Analysis on: Beetlebug (app.beetlebug)
[INFO] 14/Jun/2024 20:21:07 - Fetching Details from Play Store: app.beetlebug
[INFO] 14/Jun/2024 20:21:07 - Manifest Analysis Started
[INFO] 14/Jun/2024 20:21:08 - App Link Assetlinks Check - [app.beetlebug.ctf.DeeplinkAccountActivity] https://beetlebug.com
[INFO] 14/Jun/2024 20:21:08 - Checking for Malware Permissions
[INFO] 14/Jun/2024 20:21:08 - Fetching icon path
[INFO] 14/Jun/2024 20:21:08 - Library Binary Analysis Started
[INFO] 14/Jun/2024 20:21:08 - Reading Code Signing Certificate
[INFO] 14/Jun/2024 20:21:08 - Getting Signature Versions
[INFO] 14/Jun/2024 20:21:08 - Running APKiD 2.1.5
[INFO] 14/Jun/2024 20:21:10 - Trackers Database is up-to-date
[INFO] 14/Jun/2024 20:21:10 - Detecting Trackers
[INFO] 14/Jun/2024 20:21:12 - APK -> JAVA
[INFO] 14/Jun/2024 20:21:12 - Decompiling to Java with jadx
[INFO] 14/Jun/2024 20:21:20 - DEX -> SMALI
[INFO] 14/Jun/2024 20:21:20 - Converting classes9.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes8.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes11.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes10.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes3.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes2.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes6.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes7.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes5.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes4.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Code Analysis Started on - java_source
[INFO] 14/Jun/2024 20:22:03 - Android SAST Completed
[INFO] 14/Jun/2024 20:22:03 - Android API Analysis Started
[INFO] 14/Jun/2024 20:22:47 - Android Permission Mapping Started
[INFO] 14/Jun/2024 20:22:53 - Android Permission Mapping Completed
[INFO] 14/Jun/2024 20:22:53 - Finished Code Analysis, Email and URL Extraction
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from APK
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from Source Code
[INFO] 14/Jun/2024 20:22:54 - Detecting Firebase URL(s)
[INFO] 14/Jun/2024 20:22:55 - Performing Malware Check on extracted Domains
[INFO] 14/Jun/2024 20:22:55 - Maltrail Database is up-to-date
[INFO] 14/Jun/2024 20:22:56 - Saving to Database
Pipeline stages (the brace annotations on the log above):
• Extract app binary, generate hashes
• Convert Plist/Manifest files; analyze Plist/Manifest files for vulnerabilities and misconfigurations; analyze application permissions, network configurations, IPC configurations
• Perform binary analysis on shared/dynamic libs; run specialized binary analysis tools against the application; identify privacy concerns such as trackers
• Convert binaries to human readable code formats; decompile the code to SAST friendly languages
• SAST, API analysis and permission mapping
• Information gathering, secrets and other sensitive data extraction; geolocation, malicious domain check
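As an added illustration of the manifest-analysis stage above (example code written for this page, not MobSF's own implementation), the script below takes the text XML that the AXML-to-XML step produces and reports the misconfigurations a reviewer looks for first: a debuggable application, backups left enabled, cleartext traffic permitted, IPC components exported without a protecting permission, and requests for sensitive permissions. The sample manifest, the permission list and the severity labels are assumptions made for the example; MobSF's own rule set is much broader.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (text XML, as produced after AXML -> XML
# conversion) carrying several deliberate weaknesses for the checker to find.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeeplinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo" android:host="account"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
    <service android:name=".WorkerService"/>
  </application>
</manifest>
"""

# Permissions that warrant reviewer attention (illustrative subset, not MobSF's list).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

IPC_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute from an element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(comp):
    """Effective export state: an explicit android:exported wins; otherwise a
    component that declares an intent-filter is implicitly exported (pre-API-31 rule)."""
    exported = attr(comp, "exported")
    if exported is not None:
        return exported == "true"
    return comp.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return a list of (severity, message) findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return [("high", "manifest has no <application> element")]

    # Application-wide flags.
    if attr(app, "debuggable") == "true":
        findings.append(("high", "android:debuggable=true leaves the app debuggable"))
    if attr(app, "allowBackup", "true") == "true":  # Android defaults this to true
        findings.append(("warning", "android:allowBackup is enabled; app data can be backed up via adb"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("warning", "android:usesCleartextTraffic=true permits plain HTTP"))

    # IPC surface: exported components that lack a protecting permission.
    for comp in app:
        if comp.tag not in IPC_TAGS or not is_exported(comp):
            continue
        name = attr(comp, "name", "?")
        if attr(comp, "permission") is not None:
            continue
        actions = {attr(a, "name") for a in comp.iter("action")}
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher activity is expected to be exported
        sev = "high" if comp.tag == "provider" else "warning"
        findings.append((sev, f"{comp.tag} {name} is exported without a permission"))

    # Permission requests worth calling out in review.
    for up in root.iter("uses-permission"):
        perm = attr(up, "name")
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(("info", f"requests sensitive permission {perm}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{severity.upper()}] {message}")
```

On the sample this reports six findings: two high (debuggable, the exported content provider), three warnings (backup, cleartext, the deep-link activity that is implicitly exported through its intent-filter) and one informational permission note. The implicit-export rule is the one that trips up reviewers: a component with an intent-filter and no android:exported attribute is exported on older targets, which is why Android 12 (API 31) made the attribute mandatory for such components.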
DEMO: Static Analysis
Android SAST
AppSec Scorecard
iOS SAST
How does it work?
Dynamic Analysis
Diagram components: inputs (Android APK, iOS IPA); targets (Jailbroken iOS VM / Rooted Android VM, Corellium API); MobSF Agents; Scripts and Helpers; HTTPS Proxy; outputs (Report, Logs, Raw data)
DEMO: Dynamic Analysis
Dynamic Analyzer
Report Generation
DEMO: Deeplink Exploitation
Static Analysis
Dynamic Verification
DEMO: Solve CTF Challenges
Android CTF Challenge
iOS CTF Challenge
DEMO: Defeat a Malware
Static Analysis Hints
Dynamic Analysis
DevSecOps
MobSF in CI/CD: REST APIs
DevSecOps
MobSF SAST in CI/CD
• pip install mobsfscan
  mobsfscan <source_code_path>
• CLI and Library
• mobsfscan GitHub action
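To show how the mobsfscan step slots into a pipeline, here is an added example (not part of mobsfscan or MobSF) of a build gate that reads the JSON report mobsfscan writes with `mobsfscan --json -o report.json <source_code_path>` and fails the job on findings at or above a chosen severity. The report layout assumed here (a results object keyed by rule id, each entry with metadata including a severity and, where a pattern matched source, a files list of locations) reflects mobsfscan's JSON output as I know it; the rule ids, descriptions and paths in the embedded sample are constructed, and the key names should be checked against the version you run.

```python
import argparse
import json
import sys

# Constructed sample in the layout of a `mobsfscan --json` report: "results"
# keyed by rule id, each with "metadata" (severity and references) and, where a
# pattern matched source, a "files" list of locations. Rule ids, descriptions
# and paths are illustrative, not real mobsfscan output.
SAMPLE_REPORT = json.dumps({
    "results": {
        "android_logging": {
            "files": [{"file_path": "app/src/main/java/com/example/Login.java",
                       "match_lines": [42, 42],
                       "match_string": "Log.d(\"auth\", \"token=\" + token);"}],
            "metadata": {"cwe": "CWE-532", "masvs": "MSTG-STORAGE-3", "severity": "INFO",
                         "description": "Sensitive data may be written to logcat."}},
        "android_webview_file_access": {
            "files": [{"file_path": "app/src/main/java/com/example/Help.java",
                       "match_lines": [17, 17],
                       "match_string": "settings.setAllowFileAccess(true);"}],
            "metadata": {"cwe": "CWE-73", "masvs": "MSTG-PLATFORM-5", "severity": "WARNING",
                         "description": "WebView may read local files."}},
        "android_hardcoded_key": {
            "files": [{"file_path": "app/src/main/java/com/example/Crypto.java",
                       "match_lines": [9, 9],
                       "match_string": "static final String KEY = \"<redacted>\";"}],
            "metadata": {"cwe": "CWE-321", "masvs": "MSTG-CRYPTO-1", "severity": "ERROR",
                         "description": "Hardcoded cryptographic key."}},
        "android_ssl_pinning": {
            "metadata": {"cwe": "CWE-295", "masvs": "MSTG-NETWORK-4", "severity": "INFO",
                         "description": "No certificate pinning found in the app."}},
    },
    "errors": [],
    "mobsfscan_version": "0.0.0-sample",
})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def collect_findings(report):
    """Flatten a report into (rule_id, severity, file_path, line) tuples.

    A rule present in results without "files" is still one finding (for
    example a protection that was expected but not found anywhere); it is
    recorded without a location.
    """
    findings = []
    for rule_id, entry in report.get("results", {}).items():
        sev = entry.get("metadata", {}).get("severity", "INFO").upper()
        for loc in entry.get("files") or [None]:
            if loc is None:
                findings.append((rule_id, sev, None, None))
            else:
                findings.append((rule_id, sev, loc["file_path"], loc["match_lines"][0]))
    return findings


def evaluate(report_text, fail_on="ERROR", allowlist=()):
    """Apply the gate to a JSON report string.

    Returns (exit_code, blocking, suppressed, counts); exit_code is 1 when any
    finding at or above fail_on is not covered by the allowlist of accepted
    rule ids (documented, risk-accepted findings).
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    counts = {"INFO": 0, "WARNING": 0, "ERROR": 0}
    blocking, suppressed = [], []
    for finding in collect_findings(json.loads(report_text)):
        rule_id, sev = finding[0], finding[1]
        counts[sev] = counts.get(sev, 0) + 1
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        (suppressed if rule_id in allowlist else blocking).append(finding)
    return (1 if blocking else 0), blocking, suppressed, counts


def main(argv=None):
    parser = argparse.ArgumentParser(description="Fail a CI job on mobsfscan findings.")
    parser.add_argument("report", nargs="?", help="mobsfscan JSON report (default: embedded sample)")
    parser.add_argument("--fail-on", default="ERROR", choices=["INFO", "WARNING", "ERROR"])
    parser.add_argument("--allow", action="append", default=[], help="rule id accepted as known risk")
    args = parser.parse_args(argv)
    text = open(args.report, encoding="utf-8").read() if args.report else SAMPLE_REPORT
    code, blocking, suppressed, counts = evaluate(text, args.fail_on, args.allow)
    print("findings by severity:", counts)
    for rule_id, sev, file_path, line in blocking:
        where = f"{file_path}:{line}" if file_path else "(no location)"
        print(f"BLOCKING [{sev}] {rule_id} at {where}")
    for rule_id, *_ in suppressed:
        print(f"suppressed {rule_id} (allowlisted)")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments it gates the embedded sample and exits 1 because of the ERROR-level hardcoded key; `--allow android_hardcoded_key` turns that into a suppressed, visible line and a passing job, and `--fail-on WARNING` tightens the gate so the WebView finding blocks too. Keeping the allowlist in version control next to the pipeline definition is what makes the accepted risk reviewable rather than silently lost.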
Enterprise Ready
Enterprise support services
• Multi user authentication and access control
• SAML 2.0 SSO support
• SLA bound priority feature requests, bug fixes & consultancy (paid)
• Everything goes back to the community
Questions?
Thanks for listening
• Kudos 🎉 to core contributors Magaofei, Matan, & Vincent
• Github: https://github.com/MobSF/Mobile-Security-Framework-MobSF
• Documentation: https://mobsf.github.io/docs/
• Support Slack Channel: https://mobsf.slack.com
• Contact: ajin<AT>opensecurity.in | @ajinabraham

AppSec PNW: Android and iOS Application Security with MobSF
