SlideShare a Scribd company logo

Gursev kalra _mobile_application_security_testing - ClubHack2009

ClubHack, profile picture
ClubHack

The document discusses mobile application security testing. It introduces the presenter and covers browser-based and installable mobile apps. It then describes various methods for intercepting mobile application traffic such as using proxies and importing certificates. The conclusion emphasizes that mobile apps require secure development practices due to accessing sensitive data and extending network boundaries.

Technology
Related topics:
Mobile Apps Overview
1 of 16
Downloaded 55 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Mobile Application Security Testing Gursev Kalra Dec 5, 2009
Agenda ►Introduction ►Browser Based Mobile Applications ►Installable Mobile Applications ►Intercepting Application Traffic ►Various Traffic Interception Schemes ►Mobile Traffic and SSL ►Conclusion www.foundstone.com © 2008, McAfee, Inc.
Introduction ►Who am I? ■ Senior Security Consultant – Foundstone Professional Services ■ Web Applications, Networks… www.foundstone.com © 2008, McAfee, Inc.
Introduction ►Mobile Applications ■ Tremendous growth in consumer and business mobile applications ■ Many new players ■ Security aspects might get overlooked www.foundstone.com © 2008, McAfee, Inc.
Browser Based Mobile Applications www.foundstone.com © 2008, McAfee, Inc.
Installable Mobile Applications www.foundstone.com © 2008, McAfee, Inc.
Intercepting Application Traffic for Nokia S40 Series Phones • Set up a custom web proxy and obtain its IP and port • Edit the configuration WML and change proxy IP and port to the custom web proxy • Compile WML to a provisioning (WBXML) file • Transfer the new settings to S40 mobile phone • Activate custom settings and access the Internet using new settings www.foundstone.com © 2008, McAfee, Inc.
Intercepting Application Traffic for Nokia S60 Series Phones • Set up a custom web proxy and obtain its IP and port • Create duplicate of existing Access Point settings • For the copy created, change the proxy IP and port to the custom proxy • Access Internet using custom proxy settings www.foundstone.com © 2008, McAfee, Inc.
Proxy With Public IP Address  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4 (Public IP)  Port Number: 8888 Internet  Public IP: W1.X2.Y3.Z4  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.
Proxy On WLAN  Phone with Application  WLAN Netw. Name: PenTest Internet  WLAN Mode: WPA2  Proxy Server Address: SSID: PenTest 192.168.30.102 IP: 192.168.30.100  Port Number: 8888 192.168.30.101  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 www.foundstone.com 192.168.30.102 © 2008, McAfee, Inc.
Proxy With One Phone Internet  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888  Phone with Application  Phone as a Modem  Access Point: Service provider default W1.X2.Y3.Z4 settings  Proxy Server Address: W1.X2.Y3.Z4 www.foundstone.com  Port Number: 8888 © 2008, McAfee, Inc.
Proxy With External Internet Connection Internet  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4  Port Number: 8888 USB Modem  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.
Mobile Traffic Interception and SSL • Export your web proxy’s certificated in DER format • Copy the certificate file to a web server • Set the MIME type of the directory to which the certificate is copied to application/x-x509-ca-cert • Use the mobile web browser to browse to the certificate file • Import the certificate when prompted • Delete the un-trusted certificate after testing www.foundstone.com © 2008, McAfee, Inc.
Conclusion ►Mobile applications extend traditional network boundaries and introduce new avenues of attack ►They often have access to sensitive business and personal information ►They are constantly challenging and extending their reach ►Security is critical and should be part of SDLC!! www.foundstone.com © 2008, McAfee, Inc.
Queries www.foundstone.com © 2008, McAfee, Inc.
Thank You Gursev Kalra gursev(dot)kalra(at)foundstone(dot)com www.foundstone.com © 2008, McAfee, Inc.

More Related Content

PDF
How to hack a telecom and stay alive
qqlan
 
PPTX
How to Hack a Telecom and Stay Alive
Positive Hack Days
 
PDF
10.1.1.64.2504
Dan Drumm
 
PDF
Abdullah Al Mamun 062507056
mashiur
 
PPTX
Protect your IPPBX against VOIP attacks
Rohan Fernandes
 
PPTX
Zayo presentation6 29-11
Ann Treacy
 
PDF
Introduction of ferrari 4 g mobile wi fi-english
Husham Elhag
 
PPTX
Zayo Group Overview
cbrandt69
 
How to hack a telecom and stay alive
qqlan
 
How to Hack a Telecom and Stay Alive
Positive Hack Days
 
10.1.1.64.2504
Dan Drumm
 
Abdullah Al Mamun 062507056
mashiur
 
Protect your IPPBX against VOIP attacks
Rohan Fernandes
 
Zayo presentation6 29-11
Ann Treacy
 
Introduction of ferrari 4 g mobile wi fi-english
Husham Elhag
 
Zayo Group Overview
cbrandt69
 

What's hot (8)

PDF
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PROIDEA
 
PDF
SIP, Unified Communications (UC) and Security
Dan York
 
PDF
Building a WebRTC Communication and collaboration platform - techleash barcamp
ALTANAI BISHT
 
KEY
Vibe headline benefits 0411
Robbie Graham
 
PDF
Yeastar My pbx u100_datasheet_en
Erick E. Guillén Araya
 
PDF
Product Overview: April 2015 (Si3D)
SI3D systems
 
PDF
Yeastar My pbx u200_datasheet_en
Erick E. Guillén Araya
 
PDF
WebRTC Opens the Floodgates
Christina Inge
 
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PROIDEA
 
SIP, Unified Communications (UC) and Security
Dan York
 
Building a WebRTC Communication and collaboration platform - techleash barcamp
ALTANAI BISHT
 
Vibe headline benefits 0411
Robbie Graham
 
Yeastar My pbx u100_datasheet_en
Erick E. Guillén Araya
 
Product Overview: April 2015 (Si3D)
SI3D systems
 
Yeastar My pbx u200_datasheet_en
Erick E. Guillén Araya
 
WebRTC Opens the Floodgates
Christina Inge
 

Viewers also liked (17)

PDF
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
PDF
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
PPTX
Cybersecurity Best Practices in Financial Services
John Rapa
 
PDF
How to scale mobile application security testing
NowSecure
 
ODP
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
PPT
iOS Application Pentesting
n|u - The Open Security Community
 
PPTX
Web and Mobile Application Security
Prateek Jain
 
PPTX
Basic Guide For Mobile Application Testing
Sourabh Kasliwal
 
PDF
Security Testing Mobile Applications
Denim Group
 
PPTX
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
PPTX
The curious case of mobile app security.pptx
Ankit Giri
 
PPTX
Pentesting iOS Applications
jasonhaddix
 
PDF
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
PDF
Mobile Application Security
cclark_isec
 
PPT
Security testing
baskar p
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
Cybersecurity Best Practices in Financial Services
John Rapa
 
How to scale mobile application security testing
NowSecure
 
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
iOS Application Pentesting
n|u - The Open Security Community
 
Web and Mobile Application Security
Prateek Jain
 
Basic Guide For Mobile Application Testing
Sourabh Kasliwal
 
Security Testing Mobile Applications
Denim Group
 
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
The curious case of mobile app security.pptx
Ankit Giri
 
Pentesting iOS Applications
jasonhaddix
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Mobile Application Security
cclark_isec
 
Security testing
baskar p
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 

Similar to Gursev kalra _mobile_application_security_testing - ClubHack2009 (20)

PDF
Attacking Blackberry For Phun and Profit
Ammar WK
 
PDF
Layer 7: Securing Web 2.0 - What You Need to Know
CA API Management
 
PDF
Introduction to Small Business Server 2003 Part 2
Robert Crane
 
PPTX
INFT132 093 03 Web Concepts
Michael Rees
 
PDF
Top Ten Web Attacks
Ajay Ohri
 
PPTX
Consuming Web Services in Microsoft Silverlight 3
goodfriday
 
PDF
Web 2 And Application Delivery Public
Lori MacVittie
 
PPTX
Developing and Deploying Applications on Internet Information Services (IIS)
goodfriday
 
PPTX
Developing and Deploying Applications on Internet Information Services (IIS)
goodfriday
 
PPTX
Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should ...
Lumension
 
PPTX
Implementing transparent proxy server with acl
Takahiro Arai
 
PPTX
MoMoAthens Cross-Screen_Introduction to Webinos by Webinos
Mobile Monday Athens
 
DOCX
อินเทอร์เน็ต
Pp'dan Phuengkun
 
PDF
Scalable Internet Servers and Load Balancing
Information Technology
 
PDF
Surge 2012 fred_moyer_lightning
Fred Moyer
 
PDF
Aus cert event_2010
Palo Alto Networks
 
PDF
HWIOS Websocket CMS explained
os-networks
 
PDF
Live question » 修改华为hg255 d超级密码,改用原路由
fuwotest123
 
KEY
Plone Deployment (PloneConf Edition)
Steve McMahon
 
PDF
Xfocus xcon 2008_aks_oknock
ownerkhan
 
Attacking Blackberry For Phun and Profit
Ammar WK
 
Layer 7: Securing Web 2.0 - What You Need to Know
CA API Management
 
Introduction to Small Business Server 2003 Part 2
Robert Crane
 
INFT132 093 03 Web Concepts
Michael Rees
 
Top Ten Web Attacks
Ajay Ohri
 
Consuming Web Services in Microsoft Silverlight 3
goodfriday
 
Web 2 And Application Delivery Public
Lori MacVittie
 
Developing and Deploying Applications on Internet Information Services (IIS)
goodfriday
 
Developing and Deploying Applications on Internet Information Services (IIS)
goodfriday
 
Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should ...
Lumension
 
Implementing transparent proxy server with acl
Takahiro Arai
 
MoMoAthens Cross-Screen_Introduction to Webinos by Webinos
Mobile Monday Athens
 
อินเทอร์เน็ต
Pp'dan Phuengkun
 
Scalable Internet Servers and Load Balancing
Information Technology
 
Surge 2012 fred_moyer_lightning
Fred Moyer
 
Aus cert event_2010
Palo Alto Networks
 
HWIOS Websocket CMS explained
os-networks
 
Live question » 修改华为hg255 d超级密码,改用原路由
fuwotest123
 
Plone Deployment (PloneConf Edition)
Steve McMahon
 
Xfocus xcon 2008_aks_oknock
ownerkhan
 

More from ClubHack (20)

PDF
India legal 31 october 2014
ClubHack
 
PPTX
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
 
PPT
Cyber Insurance
ClubHack
 
PPTX
Summarising Snowden and Snowden as internal threat
ClubHack
 
PPTX
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
 
PDF
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
PDF
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
PPTX
Smart Grid Security by Falgun Rathod
ClubHack
 
PPTX
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
PPT
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
PDF
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
PPTX
Critical Infrastructure Security by Subodh Belgi
ClubHack
 
PPTX
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
ClubHack
 
PDF
XSS Shell by Vandan Joshi
ClubHack
 
PDF
Clubhack Magazine Issue February 2012
ClubHack
 
PDF
ClubHack Magazine issue 26 March 2012
ClubHack
 
PDF
ClubHack Magazine issue April 2012
ClubHack
 
PDF
ClubHack Magazine Issue May 2012
ClubHack
 
PDF
ClubHack Magazine – December 2011
ClubHack
 
India legal 31 october 2014
ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
 
Cyber Insurance
ClubHack
 
Summarising Snowden and Snowden as internal threat
ClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
Smart Grid Security by Falgun Rathod
ClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Critical Infrastructure Security by Subodh Belgi
ClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
ClubHack
 
XSS Shell by Vandan Joshi
ClubHack
 
Clubhack Magazine Issue February 2012
ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack
 
ClubHack Magazine issue April 2012
ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack
 
ClubHack Magazine – December 2011
ClubHack
 

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
KodekX | Application Modernization Development
KodekX
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Cloud computing and distributed systems.
kkkkkhan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 

Gursev kalra _mobile_application_security_testing - ClubHack2009

  • 1. Mobile Application Security Testing Gursev Kalra Dec 5, 2009
  • 2. Agenda ►Introduction ►Browser Based Mobile Applications ►Installable Mobile Applications ►Intercepting Application Traffic ►Various Traffic Interception Schemes ►Mobile Traffic and SSL ►Conclusion www.foundstone.com © 2008, McAfee, Inc.
  • 3. Introduction ►Who am I? ■ Senior Security Consultant – Foundstone Professional Services ■ Web Applications, Networks… www.foundstone.com © 2008, McAfee, Inc.
  • 4. Introduction ►Mobile Applications ■ Tremendous growth in consumer and business mobile applications ■ Many new players ■ Security aspects might get overlooked www.foundstone.com © 2008, McAfee, Inc.
  • 5. Browser Based Mobile Applications www.foundstone.com © 2008, McAfee, Inc.
  • 6. Installable Mobile Applications www.foundstone.com © 2008, McAfee, Inc.
  • 7. Intercepting Application Traffic for Nokia S40 Series Phones • Set up a custom web proxy and obtain its IP and port • Edit the configuration WML and change proxy IP and port to the custom web proxy • Compile WML to a provisioning (WBXML) file • Transfer the new settings to S40 mobile phone • Activate custom settings and access the Internet using new settings www.foundstone.com © 2008, McAfee, Inc.
  • 8. Intercepting Application Traffic for Nokia S60 Series Phones • Set up a custom web proxy and obtain its IP and port • Create duplicate of existing Access Point settings • For the copy created, change the proxy IP and port to the custom proxy • Access Internet using custom proxy settings www.foundstone.com © 2008, McAfee, Inc.
  • 9. Proxy With Public IP Address  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4 (Public IP)  Port Number: 8888 Internet  Public IP: W1.X2.Y3.Z4  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.
  • 10. Proxy On WLAN  Phone with Application  WLAN Netw. Name: PenTest Internet  WLAN Mode: WPA2  Proxy Server Address: SSID: PenTest 192.168.30.102 IP: 192.168.30.100  Port Number: 8888 192.168.30.101  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 www.foundstone.com 192.168.30.102 © 2008, McAfee, Inc.
  • 11. Proxy With One Phone Internet  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888  Phone with Application  Phone as a Modem  Access Point: Service provider default W1.X2.Y3.Z4 settings  Proxy Server Address: W1.X2.Y3.Z4 www.foundstone.com  Port Number: 8888 © 2008, McAfee, Inc.
  • 12. Proxy With External Internet Connection Internet  Phone with Application  Access Point: Service provider default settings  Proxy Server Address: W1.X2.Y3.Z4  Port Number: 8888 USB Modem  Public IP - Connected to Internet via Mobile Phone Modem  Paros/Fiddler/Burp/Charles: Web Proxy running on port 8888 W1.X2.Y3.Z4 www.foundstone.com © 2008, McAfee, Inc.
  • 13. Mobile Traffic Interception and SSL • Export your web proxy’s certificated in DER format • Copy the certificate file to a web server • Set the MIME type of the directory to which the certificate is copied to application/x-x509-ca-cert • Use the mobile web browser to browse to the certificate file • Import the certificate when prompted • Delete the un-trusted certificate after testing www.foundstone.com © 2008, McAfee, Inc.
  • 14. Conclusion ►Mobile applications extend traditional network boundaries and introduce new avenues of attack ►They often have access to sensitive business and personal information ►They are constantly challenging and extending their reach ►Security is critical and should be part of SDLC!! www.foundstone.com © 2008, McAfee, Inc.
  • 15. Queries www.foundstone.com © 2008, McAfee, Inc.
  • 16. Thank You Gursev Kalra gursev(dot)kalra(at)foundstone(dot)com www.foundstone.com © 2008, McAfee, Inc.