SlideShare a Scribd company logo

Droidcon mobile security

Download as PPTX, PDF
J
Judy Ngure

This document discusses the importance of mobile application security and penetration testing. It describes penetration testing as discovering vulnerabilities before attackers through vulnerability detection, comprehensive penetration attempts, and analysis/reporting. The document outlines static and dynamic analysis methods used for Android application security assessments. These include code review, function hooking, runtime debugging, and analyzing data at rest and in transit. It promotes understanding how applications work through reverse engineering, decompilation, and deobfuscation. The methodology uses tools like MARA, MobSF, Xposed, Frida, and BurpSuite.

Technology
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
DroidCon Mobile security Penetration testing Android Applications
Whoami Role: Senior QA engineer ScanGroup Interests: Appsec as whole( i love code) Twitter: @Judy_infosec Co-founder : @WistSecurity Kenya
Whoami Role: Security Analyst Interests: Mobile Security and Network Security Monitoring Projects: https://github.com/xtiankisutsa/swaraVM Twitter: @PurpleR0b0t Affiliate : Africa Hackon
Importance of Mobile Application Security ▪ To ensure mobile applications are developed with security in mind. Can you imagine being a developer who not only knows how to develop mobile applications but understands and knows how to secure mobile applications? ▪ To be able to spot a malicious application ▪ To ensure you comply with mobile security standards e.g. OWASP ▪ To ensure the user’s data is secured and confidentiality is maintained
Importance of Mobile Application Security ▪ To protect the application and the service from malicious attackers ▪ To be able to build well secured mobile applications.
Penetration testing...what is pentesting? What is penetration testing- A penetration test is the act of discovering security weaknesses or vulnerabilities in a system before they are discovered by an attacker . A pentest is comprehensive in ways where you conduct every bit of a security test known to man: what do i mean 1. Vulnerability detection 2. Penetration attempt (very comprehensive) 3. Analysis and reporting
Types of Analysis ● Static Analysis Static analysis is performed in a non-runtime environment. Typically a static analysis tool will inspect program code for all possible runtime behaviors and seek out coding flaws, back doors, and potentially malicious code.
Types of Analysis ● Dynamic Analysis Dynamic analysis entails executing the application, typically in an instrumented or monitored manner, to garner more concrete information on its behavior. This often entails tasks like ascertaining artifacts the application leaves on the file system, observing network traffic, monitoring process behavior...basically all things that occur during execution.
Android Application Security Assessment Methodology The methodology we use encompasses the Open Web Application Security Project (OWASP) Mobile Testing guide (including the OWASP Mobile Top 10 2016-Top 10). Our approach leverages on proprietary open source and bespoke tools using a consistent and repeatable process. Some of the tools that are used for testing android applications are; ▪ MARA Framework ▪ MobSF ▪ Xposed Framework ▪ Frida ▪ Burpsuite ▪ Alternatively you can install Swara VM or santoku that has all tools
What Next? ➔ Reverse Engineering Reverse Engineering is taking something apart to see how it works. Why Reverse Engineer Mobile Applications? • Taking something apart to understand how it works. • To understand how it works • To determine how secure it was built (security assessment) • To determine interoperability • You get paid to break into them (mobile app pentester) • To identify vulnerabilities :)
Reverse Engineering 1. De-compilation The Android APK bundle contains the application binary which is compiled in the dex file format for the Dalvik virtual machine. The purpose of de-compilation is to gain access to the pseudo source code for manual review. This can be achieved using the MARA Framework.
Reverse Engineering 2. De-obfuscation (Where appropriate) Obfuscation is a technique in which initial code of application is intentionally made to be unclear to humans. Where the source code for the mobile application binary has been obfuscated, we will attempt to de-obfuscate. This can be done using MARA Framework which makes use of a tool called apk-deguard that attempts to reverse the process of obfuscation performed by Android obfuscation tools.
Reverse Engineering ▪ Rename Obfuscation Renaming alters the name of methods and variables. It makes the decompiled source harder for a human to understand.
Static Analysis 1. Code Review Manual static code analysis is conducted on source code (if available), or on partial/pseudo source where code has been decompiled, to identify security issues. Automated Static Analysis can be performed using tools such as the Mobile Security Framework (MobSF), an all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis and Appknox, a mobile app security testing solution to detect and fix vulnerabilities in mobile apps using a combination of automated and manual tests.
Dynamic Analysis 1. Function Hooking When source code is not accessible or limited, function hooking provides another method to analyse the mobile application for security vulnerabilities. This is typically achieved using tools such as the XposedFramework which record and can be used to modify API calls made by an application, including function calls, arguments and return values
Dynamic Analysis 2. Run-time debugging Android applications that are flagged as debuggable not only pose a security concern but can also be leveraged to better analyse the mobile application. Using debug tools such as Android Debug Bridge (adb) to attach to the mobile application running process, you can be able to analyse the mobile applications behaviour, and conduct in- memory manipulation.
Data at Rest Analysis A thorough review of the device file system is conducted to identify any sensitive residual data that may be exposed following normal use of the mobile app. This includes analysing caches and persistent app stores for sensitive data. Examples of places to look are, Shared Preferences and the SQlite Databases.
Data in Transit Analysis During normal use of the mobile app, all communication methods are analysed to identify sensitive data in transit that should be encrypted, and to assess the strength of encryption, if in use. This can be achieved using proxy tools such as Burp Suite that lets you intercept, inspect and modify the raw traffic passing in both directions (communication between the client and the server).
DEMO Reverse engineering using MARA Framework. HAPPY HACKING!

More Related Content

PDF
Challenges in Testing Mobile App Security
Cygnet Infotech
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PDF
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
PDF
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
TekRevol LLC
 
ODP
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
PPTX
Web and Mobile Application Security
Prateek Jain
 
PDF
Security testing in mobile applications
Jose Manuel Ortega Candel
 
PDF
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Challenges in Testing Mobile App Security
Cygnet Infotech
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
TekRevol LLC
 
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
Web and Mobile Application Security
Prateek Jain
 
Security testing in mobile applications
Jose Manuel Ortega Candel
 
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 

What's hot (20)

PPTX
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
PPTX
Security testing of mobile applications
GTestClub
 
PPT
Application Security
Reggie Niccolo Santos
 
PDF
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
PDF
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
 
PDF
Intrusion Detection Systems By Anamoly-Based Using Neural Network
IOSR Journals
 
PPTX
Penetrating Android Aapplications
Roshan Thomas
 
PPTX
Tony Hodgson (Brainwaive LLC): Enterprise AR Cyber Security – Breaking Down B...
AugmentedWorldExpo
 
PPT
Application Security
florinc
 
PPTX
Application security
Hagar Alaa el-din
 
PDF
OWASP Thailand-Beyond the Penetration Testing
Prathan Phongthiproek
 
PDF
Security Testing Mobile Applications
Denim Group
 
PPT
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
PDF
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
PDF
Gloriolesoft Consulting Security and Privacy Offering
Debasis Chakraborty
 
PDF
Jump-Start The MASVS
Prathan Phongthiproek
 
PPT
Web Application Security Testing
Marco Morana
 
PPTX
Penetration testing reporting and methodology
Rashad Aliyev
 
PDF
Mobile Application Security
cclark_isec
 
PDF
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Security testing of mobile applications
GTestClub
 
Application Security
Reggie Niccolo Santos
 
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
 
Intrusion Detection Systems By Anamoly-Based Using Neural Network
IOSR Journals
 
Penetrating Android Aapplications
Roshan Thomas
 
Tony Hodgson (Brainwaive LLC): Enterprise AR Cyber Security – Breaking Down B...
AugmentedWorldExpo
 
Application Security
florinc
 
Application security
Hagar Alaa el-din
 
OWASP Thailand-Beyond the Penetration Testing
Prathan Phongthiproek
 
Security Testing Mobile Applications
Denim Group
 
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Gloriolesoft Consulting Security and Privacy Offering
Debasis Chakraborty
 
Jump-Start The MASVS
Prathan Phongthiproek
 
Web Application Security Testing
Marco Morana
 
Penetration testing reporting and methodology
Rashad Aliyev
 
Mobile Application Security
cclark_isec
 
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Ad

Similar to Droidcon mobile security (20)

PDF
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
PDF
Penetration Testing Services_ Comprehensive Guide 2024.pdf
qualysectechnology98
 
PPTX
Top 10 Mobile Hacking Tools – 2025 Edition
anishachhikara2122
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PDF
Top Mobile Application Penetration Testing Tools for Android and iOS.pdf
ElanusTechnologies
 
PDF
Malware Bytes – Advanced Fault Analysis
IRJET Journal
 
PPTX
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
 
PDF
Why Mobile App Penetration Testing Matters.pdf
CyberPro Magazine
 
PDF
Tips To Protect Your Mobile App from Hackers.pdf
FuGenx Technologies
 
PPTX
Untitled 1
Sergey Kochergan
 
PDF
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
flufftailshop
 
PPTX
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
Agile Testing Alliance
 
PDF
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
kalichargn70th171
 
PDF
Mobile Banking Security: Challenges, Solutions
Cognizant
 
PPTX
FALCON.pptx
AvinashRanjan80
 
PDF
MACHINE LEARNING APPROACH TO LEARN AND DETECT MALWARE IN ANDROID
IRJET Journal
 
PDF
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Tyler Shields
 
PPTX
apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps...
apidays
 
ODP
Mobile App Security Testing -2
Krisshhna Daasaarii
 
PDF
Ownux Global June 2023
Bella Nirvana Center
 
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
Penetration Testing Services_ Comprehensive Guide 2024.pdf
qualysectechnology98
 
Top 10 Mobile Hacking Tools – 2025 Edition
anishachhikara2122
 
Android pentesting
Mykhailo Antonishyn
 
Top Mobile Application Penetration Testing Tools for Android and iOS.pdf
ElanusTechnologies
 
Malware Bytes – Advanced Fault Analysis
IRJET Journal
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
 
Why Mobile App Penetration Testing Matters.pdf
CyberPro Magazine
 
Tips To Protect Your Mobile App from Hackers.pdf
FuGenx Technologies
 
Untitled 1
Sergey Kochergan
 
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
flufftailshop
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
Agile Testing Alliance
 
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
kalichargn70th171
 
Mobile Banking Security: Challenges, Solutions
Cognizant
 
FALCON.pptx
AvinashRanjan80
 
MACHINE LEARNING APPROACH TO LEARN AND DETECT MALWARE IN ANDROID
IRJET Journal
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Tyler Shields
 
apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps...
apidays
 
Mobile App Security Testing -2
Krisshhna Daasaarii
 
Ownux Global June 2023
Bella Nirvana Center
 
Ad

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Teaching material agriculture food technology
LiaRayya
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 

Droidcon mobile security

  • 2. Whoami Role: Senior QA engineer ScanGroup Interests: Appsec as whole( i love code) Twitter: @Judy_infosec Co-founder : @WistSecurity Kenya
  • 3. Whoami Role: Security Analyst Interests: Mobile Security and Network Security Monitoring Projects: https://github.com/xtiankisutsa/swaraVM Twitter: @PurpleR0b0t Affiliate : Africa Hackon
  • 4. Importance of Mobile Application Security ▪ To ensure mobile applications are developed with security in mind. Can you imagine being a developer who not only knows how to develop mobile applications but understands and knows how to secure mobile applications? ▪ To be able to spot a malicious application ▪ To ensure you comply with mobile security standards e.g. OWASP ▪ To ensure the user’s data is secured and confidentiality is maintained
  • 5. Importance of Mobile Application Security ▪ To protect the application and the service from malicious attackers ▪ To be able to build well secured mobile applications.
  • 6. Penetration testing...what is pentesting? What is penetration testing- A penetration test is the act of discovering security weaknesses or vulnerabilities in a system before they are discovered by an attacker . A pentest is comprehensive in ways where you conduct every bit of a security test known to man: what do i mean 1. Vulnerability detection 2. Penetration attempt (very comprehensive) 3. Analysis and reporting
  • 7. Types of Analysis ● Static Analysis Static analysis is performed in a non-runtime environment. Typically a static analysis tool will inspect program code for all possible runtime behaviors and seek out coding flaws, back doors, and potentially malicious code.
  • 8. Types of Analysis ● Dynamic Analysis Dynamic analysis entails executing the application, typically in an instrumented or monitored manner, to garner more concrete information on its behavior. This often entails tasks like ascertaining artifacts the application leaves on the file system, observing network traffic, monitoring process behavior...basically all things that occur during execution.
  • 9. Android Application Security Assessment Methodology The methodology we use encompasses the Open Web Application Security Project (OWASP) Mobile Testing guide (including the OWASP Mobile Top 10 2016-Top 10). Our approach leverages on proprietary open source and bespoke tools using a consistent and repeatable process. Some of the tools that are used for testing android applications are; ▪ MARA Framework ▪ MobSF ▪ Xposed Framework ▪ Frida ▪ Burpsuite ▪ Alternatively you can install Swara VM or santoku that has all tools
  • 10. What Next? ➔ Reverse Engineering Reverse Engineering is taking something apart to see how it works. Why Reverse Engineer Mobile Applications? • Taking something apart to understand how it works. • To understand how it works • To determine how secure it was built (security assessment) • To determine interoperability • You get paid to break into them (mobile app pentester) • To identify vulnerabilities :)
  • 11. Reverse Engineering 1. De-compilation The Android APK bundle contains the application binary which is compiled in the dex file format for the Dalvik virtual machine. The purpose of de-compilation is to gain access to the pseudo source code for manual review. This can be achieved using the MARA Framework.
  • 12. Reverse Engineering 2. De-obfuscation (Where appropriate) Obfuscation is a technique in which initial code of application is intentionally made to be unclear to humans. Where the source code for the mobile application binary has been obfuscated, we will attempt to de-obfuscate. This can be done using MARA Framework which makes use of a tool called apk-deguard that attempts to reverse the process of obfuscation performed by Android obfuscation tools.
  • 13. Reverse Engineering ▪ Rename Obfuscation Renaming alters the name of methods and variables. It makes the decompiled source harder for a human to understand.
  • 14. Static Analysis 1. Code Review Manual static code analysis is conducted on source code (if available), or on partial/pseudo source where code has been decompiled, to identify security issues. Automated Static Analysis can be performed using tools such as the Mobile Security Framework (MobSF), an all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis and Appknox, a mobile app security testing solution to detect and fix vulnerabilities in mobile apps using a combination of automated and manual tests.
  • 15. Dynamic Analysis 1. Function Hooking When source code is not accessible or limited, function hooking provides another method to analyse the mobile application for security vulnerabilities. This is typically achieved using tools such as the XposedFramework which record and can be used to modify API calls made by an application, including function calls, arguments and return values
  • 16. Dynamic Analysis 2. Run-time debugging Android applications that are flagged as debuggable not only pose a security concern but can also be leveraged to better analyse the mobile application. Using debug tools such as Android Debug Bridge (adb) to attach to the mobile application running process, you can be able to analyse the mobile applications behaviour, and conduct in- memory manipulation.
  • 17. Data at Rest Analysis A thorough review of the device file system is conducted to identify any sensitive residual data that may be exposed following normal use of the mobile app. This includes analysing caches and persistent app stores for sensitive data. Examples of places to look are, Shared Preferences and the SQlite Databases.
  • 18. Data in Transit Analysis During normal use of the mobile app, all communication methods are analysed to identify sensitive data in transit that should be encrypted, and to assess the strength of encryption, if in use. This can be achieved using proxy tools such as Burp Suite that lets you intercept, inspect and modify the raw traffic passing in both directions (communication between the client and the server).
  • 19. DEMO Reverse engineering using MARA Framework. HAPPY HACKING!