Ajin Abraham
Automated Security Analysis
of Android & iOS Applications
with Mobile Security
Framework
About Me
Application Security Engineer, Yodlee
Author of OWASP Xenotix XSS Exploit
Framework, Mobile Security Framework.
Co-Organizer of X0RC0NF.
Blog about Security: http://opensecurity.in
Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015
The Takeaways
A Free and Open Source Tool
Mobile App Pentesters/Malware Analysts -
How to make your life easier.
Developers – Build secure mobile Apps by
detecting vulnerabilities at earlier stages of
development.
For the Rest – Some new Information.
WTF is it?
Mobile Security Framework is an open source
mobile application (Android/iOS) automated pentesting
framework capable of performing static and dynamic
security analysis*.
Android iOS
Hosted in your environment. Your application and
data are never sent to the cloud.
Basic Requirements
iOS
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
• Oracle VirtualBox
• Mac
Android
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
• Oracle VirtualBox
Static Analyzer
Mobile Security Framework
(Diagram: INPUT → Static Analyzer → OUTPUT: REPORT)
Static Analysis
Android Binary
INFORMATION GATHERING
DECOMPILE TO JAVA & SMALI
PERMISSION ANALYSIS
MANIFEST ANALYSIS
JAVA CODE ANALYSIS
ANDROID API INFO
FILE ANALYSIS
URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
REPORT GENERATION
Static Analysis
Android Source
INFORMATION GATHERING
DECOMPILE TO JAVA & SMALI
PERMISSION ANALYSIS
MANIFEST ANALYSIS
JAVA CODE ANALYSIS
ANDROID API INFO
FILE ANALYSIS
URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
REPORT GENERATION
DEMO
Static Analysis of APK
Static Analysis of Zipped Source Code
Static Analysis
iOS - Binary
BASIC INFORMATION
BINARY ANALYSIS
FILE ANALYSIS
LIBRARIES
REPORT GENERATION
iOS - Source
BASIC INFORMATION
CODE ANALYSIS
iOS API INFORMATION
FILE ANALYSIS
URL, EMAIL, FILES, LIBRARIES
REPORT GENERATION
DEMO
Static Analysis of IPA Binary
Static Analysis of Zipped Source Code
Dynamic Analyzer
Mobile Security Framework
(Diagram: INPUT → Android VM → OUTPUT: REPORT)
Dynamic Analyzer - Architecture
(Architecture diagram. Labels: Dynamic Analyzer; AGENTS; Start HTTP(S) Web Proxy; Install and Run APK; Invoke Agents in VM; Android VM; Results: HTTP(S) Traffic, Application Data, Agent Collected Information.)
Dynamic Analysis
SCREENSHOT
CAPTURE HTTP(S) TRAFFIC
LOGCAT and DUMPSYS
DYNAMIC API MONITOR
DYNAMIC URLS and EMAILS MONITOR
APPLICATION DATA DUMPER
FILE ANALYSIS ON APPLICATION DATA
REPORT GENERATION
UNDER DEVELOPMENT
DEMO
Dynamic Analysis of Android Application
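The LOGCAT, CAPTURE HTTP(S) TRAFFIC and DYNAMIC URLS and EMAILS MONITOR steps all consume artifacts the agents and proxy collect from the VM. The following is an added example for this page, not Mobile Security Framework's own code: it runs a URL/e-mail monitor over constructed logcat lines and flags cleartext HTTP and credential-like fields in a constructed proxy capture (the capture format, a list of dicts, is an assumption of this example).

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SENSITIVE_KEYS = ("password", "passwd", "pin", "token", "secret")

# Constructed logcat lines for this example (not output from any real app).
SAMPLE_LOGCAT = """\
I/DemoApp ( 1234): syncing to http://api.example.test/v1/sync?user=alice
D/DemoApp ( 1234): login ok for alice@example.test
W/DemoApp ( 1234): cached pin=4321 for quick unlock
I/Auth    ( 1234): token endpoint https://auth.example.test/oauth/token
"""

# Constructed proxy capture: one request per dict (assumed format for this example).
SAMPLE_PROXY_CAPTURE = [
    {"method": "POST", "url": "http://api.example.test/v1/reset",
     "body": "user=alice&password=hunter2"},
    {"method": "GET", "url": "https://cdn.example.test/logo.png", "body": ""},
]

def monitor_logcat(text):
    # Collect URLs and e-mail addresses the app touches at runtime and flag
    # log lines that write sensitive values to the device log.
    urls, emails, leaks = set(), set(), []
    for line in text.splitlines():
        urls.update(URL_RE.findall(line))
        emails.update(EMAIL_RE.findall(line))
        if any(re.search(r"\b%s\s*=" % key, line, re.I) for key in SENSITIVE_KEYS):
            leaks.append(line.strip())
    return sorted(urls), sorted(emails), leaks

def analyse_traffic(capture):
    # Flag cleartext HTTP requests and credential-like fields in request bodies,
    # i.e. what an on-path observer of the proxied traffic would see directly.
    findings = []
    for req in capture:
        if urlparse(req["url"]).scheme == "http":
            findings.append(("cleartext-http", req["url"]))
        if any(re.search(r"(^|&)%s=" % key, req["body"], re.I) for key in SENSITIVE_KEYS):
            findings.append(("credential-in-body", req["url"]))
    return findings
```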
Some Real World Results
Mobile Security Framework – Bypassing PIN in Whisper Android Application - http://opensecurity.in/mobile-security-framework-bypassing-pin-in-whisper-android-application/
AppLock MITM Password Reset Vulnerability - http://opensecurity.in/applock-mitm-password-reset-vulnerability/
AppLock MITM Password
Reset Vulnerability DEMO
ANDROID MALWARE
ANALYSIS DEMO
Future Plans
Looks like people are interested!
In Alpha Dev
Web Service Testing/REST API testing for Hybrid
Applications.
Dynamic Analysis Support for Real Android and iOS
Devices.
Anti VM/Sandbox Detection Bypass.
IDOR and Cross Talk Detection support in Proxy.
Better Front End.
DB Support.
Scheduled Scans.
What can you do?
Download, Test, Contribute
Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework
Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues
QA
@ajinabraham
ajin25@gmail.com
http://opensecurity.in
Thanks
• Bharadwaj Machiraju
• Anto Joseph
• Tim Brown
• Thomas Abraham
• Graphics/Image Owners