Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015

Oct 9, 2015Download as pptx, pdf

7 likes26,479 views

Ajin Abraham presents the Mobile Security Framework, an open source tool for automating security analysis of Android and iOS mobile applications. It performs static analysis on application binaries and source code to detect vulnerabilities. It also includes dynamic analysis capabilities like monitoring network traffic, system calls and application data during runtime. The tool is hosted locally and does not send any data to the cloud. The talk demonstrates the tool's static and dynamic analysis features and provides examples of vulnerabilities it has discovered in real world applications. Future plans are discussed to add additional testing capabilities and improve the tool. Users are encouraged to download, test and contribute to the open source project.

Ajin Abraham
Automated Security Analysis
of Android & iOS Applications
with Mobile Security
Framework

About Me
Application Security Engineer, Yodlee
Author of OWASP Xenotix XSS Exploit
Framework, Mobile Security Framework.
Co-Organizer of X0RC0NF.
Blog about Security: http://opensecurity.in

Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015

Most read

Dynamic Analysis
SCREENSHOT
CAPTURE HTTP(S) TRAFFIC
LOGCAT and DUMPSYS
DYNAMIC API MONITOR
DYNAMIC URLS and EMAILS MONITOR
APPLICATION DATA DUMPER
FILE ANALYSIS ON APPLICATION DATA
REPORT GENERATION
UNDER DEVELOPMENT

DEMO
Dynamic Analysis of Android Application

Some Real World Results
Mobile Security Framework – Bypassing PIN in Whisper
Android Application - http://opensecurity.in/mobile-
security-framework-bypassing-pin-in-whisper-android-
application/
AppLock MITM Password Reset Vulnerability -
http://opensecurity.in/applock-mitm-password-reset-
vulnerability/

AppLock MITM Password
Reset Vulnerability DEMO

Future Plans
Looks like people are interested!

In Aplha Dev
Web Service Testing/REST API testing for Hybrid
Applications.
Dynamic Analysis Support for Real Android and iOS
Devices.
Anti VM/Sandbox Detection Bypass.
IDOR and Cross Talk Detection support in Proxy.
Better Front End.
DB Support.
Scheduled Scans.

What you can do?
Download, Test, Contribute
Source: https://github.com/ajinabraham/YSO-Mobile-
Security-Framework
Issues: https://github.com/ajinabraham/YSO-Mobile-
Security-Framework/issues

QA
@ajinabraham
ajin25@gmail.com
http://opensecurity.in
Thanks
• Bharadwaj Machiraju
• Anto Joseph
• Tim Brown
• Thomas Abraham
• Graphics/Image Owners

The Takeaways
A Free and Open Source Tool
Mobile App Pentesters/Malware Analysts -
How to make your life easier.
Developers – Build secure mobile Apps by
detecting vulnerabilities at earlier stages of
development.
For the Rest – Some new Information.

WTF is it?
Mobile Security Framework is an open source
mobile application (Android/iOS) automated pentesting
framework capable of performing static and dynamic
security analysis*.
Android iOS

Hosted in your environment. Your application and
data is never send to the cloud.

Basic Requirements
iOS
• Python 2.7
• Django 1.8
• Oracle Java - JDK 1.7+
• Oracle VirtualBox
• Mac
Android
• Python 2.7
• Django 1.8
• Oracle Java - JDK
1.7+
• Oracle VirtualBox

Static Analyzer
Mobile Security Framework
INPUT OUTPUT
REPORT

Static Analysis
Android Binary
INFORMATION GATHERING
DECOMPILE TO JAVA & SMALI
PERMISSION ANALYSIS
MANIFEST ANALYSIS
JAVA CODE ANALYSIS
ANDROID API INFO
FILE ANALYSIS
URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
REPORT GENERATION

Static Analysis
Android Source
INFORMATION GATHERING
DECOMPILE TO JAVA & SMALI
PERMISSION ANALYSIS
MANIFEST ANALYSIS
JAVA CODE ANALYSIS
ANDROID API INFO
FILE ANALYSIS
URLS, EMAIL, FILES, STRINGS, ANDROID COMPONENTS
REPORT GENERATION

DEMO
Static Analysis of APK
Static Analysis of Zipped Source Code

Static Analysis
iOS - Binary
BASIC INFORMATION
BINARY ANALYSIS
FILE ANALYSIS
LIBRARIES
REPORT GENERATION
iOS - Source
BASIC INFORMATION
CODE ANALYSIS
iOS API INFORMATION
FILE ANALYSIS
URL, EMAIL, FILES, LIBRARIES
REPORT GENERATION

DEMO
Static Analysis of IPA Binary
Static Analysis of Zipped Source Code

Dynamic Analyzer
Mobile Security Framework
INPUT
Android VM
REPORT
OUTPUT

Dynamic Analyzer -
Architecture
Dynamic Analyzer
AGENTS
Install and Run APK
HTTP(S) Proxy
Invoke Agents in VM
Results
HTTP(S) Traffic
Android VM
Application Data
Agent Collected Information
Start HTTP(S) Web Proxy

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham

Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.

OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner

OWASP API Security Top 10 - API World42Crunch

This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.

Android pentestingMykhailo Antonishyn

This document provides an overview of methodology and tools for testing the security of Android applications. It discusses static testing tools like MobSF, AndroBugs, QARK and VCG scanner that can analyze Android app code without executing the app. It also covers dynamic testing tools like BurpSuite, Inspeckage, LogCat, MobSF and Drozer that allow analyzing an app's behavior while it is executing. The document provides descriptions and links for each tool to help understand their capabilities and how they can be used for Android pentesting.

Firebase Overviewaashutosh kumar

Mobile Application Securitycclark_isec

Api Testing.pdfJitendraYadav351971

API stands for Application Programming Interface and allows communication between different software applications or services. It acts as a messenger that takes orders from clients and returns responses. API testing is important as it validates APIs and their integration with services, and missed cases in API testing can cause major problems in production. Common HTTP methods used in APIs include GET, POST, PUT, PATCH, DELETE, and OPTIONS. Tools like Postman can be used to test APIs by sending requests and validating responses.

Google FirebaseAliZaidi94

Firebase is a mobile and web app development platform owned by Google that provides tools and services to help developers build high-quality apps. It started as a startup called Envolve in 2011 that provided real-time data syncing across devices. After being acquired by Google in 2014, Firebase expanded its offerings and now integrates with various Google services. Firebase provides tools to help with app development, testing, analytics, cloud services, and more.

Postman An Introduction for Testers, October 26 2022.pptxPostman

Join us for a one-hour, introductory Postman learning session geared specifically for API testers. In this session, you’ll learn how to test the functionality and reliability of an API. Here’s what we’ll do in this session: - Send a request and inspect a response - Use a test snippet - Write custom tests - Extract data from one request to use in another with variables - Save and run tests as collections - Explain different types of tests that can be written in Postman - Run a test locally using the Postman Collection Runner

What is an API Gateway?LunchBadger

AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham

Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application. This talk covers: Using MobSF for static analysis of mobile applications. Interactive dynamic security assessment of Android and iOS applications. Solving Mobile app CTF challenges. Reverse engineering and runtime analysis of Mobile malware. How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.

Android pentestingMykhailo Antonishyn

Assessment process of Android application vulnerability such as methods, check-lists, tools and runtime manipulation. Agenda: 1. Methodic's - OWASP TOP 10 2016, MSTG, MASVS 2. Static testing - MobSF, AndroBug Framework, QARG, VCG scanner 3. Dynamic testing - BurpSuite, Inspekage, LogCat, MobSF, Drozer, Frida framework #cybersecurity #mobilepentesting #applicationsecurity #UP2IT #accesssoftek #bytecode

The fundamentals of Android and iOS app securityNowSecure

Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics: + Introduction to identifying security flaws in mobile apps (and how to avoid them) + Examples of secure and insecure mobile apps and how to secure them + Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices

Security Testing Mobile ApplicationsDenim Group

The document discusses security testing of mobile applications. It outlines common threats like accessing sensitive stored data, intercepting data in transit, and exploiting tainted inputs. The document demonstrates analyzing an example Android app to identify potential issues, including looking at application binaries, network traffic, and content handlers. It also briefly discusses SQL injection risks for mobile apps.

Secure SDLC for Software Shreeraj Shah

The document discusses secure software development lifecycles and application security. It notes that security is often not considered during traditional SDLC processes. It advocates doing threat modeling and source code analysis to integrate security. It also discusses differences between blackbox and whitebox testing approaches, and analyzing applications at the source code level versus object code level.

Pentesting Android ApplicationsCláudio André

Source Code Analysis with SASTBlueinfy Solutions

The document discusses source code analysis techniques for detecting vulnerabilities. It describes several methodologies used in source code analysis tools, including style checking, semantic analysis, and deep flow analysis. Semantic analysis builds an abstract syntax tree to simulate code execution and check for faults. Deep flow analysis extends semantic analysis to generate control and data flow graphs to find issues like race conditions. The document also provides examples of source code vulnerabilities that can be detected, such as a buffer overflow, and discusses how tools can analyze source code, bytecode, and detect entry points vulnerable to attacks.

APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays

APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 Android Applications and API Hacking Gabrielle Botbol, Ethical Hacker |Award-winning Pentester | Artemis Red Team | Board Member | Speaker | Mentor ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Micro Frontends ArchitectureRag Dhiman

The document discusses the evolution of frontend architectures from monolithic to microservices-based approaches. In the past, frontends and backends were combined in a single monolith application. Now, microservices have separated the backend into independent services while frontends have evolved into independent micro frontends. In the future, micro frontends will be developed independently but composed together with a base application and routed to by an API gateway along with separate microservices for individual products, baskets, and advertising.

Web ApplicationSameer Poudel

A web application is an application that is accessed via a web browser and uses browser-supported programming languages like HTML, PHP, JavaScript, and XML. It allows software to be updated without users having to update any software and can be accessed from anywhere through a web browser. The history of web applications began in 1995 with JavaScript being introduced to create dynamic elements on web pages. Technologies like Flash, Ajax, and HTML5 have continued advancing the capabilities of web applications. Web applications provide advantages like cross-platform access from any device with a browser and easy updating without software installations. However, they also rely on internet connections and server availability.

Software Composition Analysis Deep DiveUlisses Albuquerque

security misconfigurationsMegha Sahu

The document discusses security misconfiguration as the sixth most dangerous web application vulnerability according to the OWASP Top 10. It defines security misconfiguration as improper configuration settings that can enable attacks. The document outlines how attackers exploit default passwords and privileges, and provides examples of misconfigured systems. It recommends ways to prevent misconfiguration like changing defaults, deleting unnecessary accounts, and keeping systems updated. The document demonstrates how to detect hidden URLs and directory listings using Burp Suite and concludes that misconfiguration poses a high risk if not properly safeguarded against.

OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov

Pentesting Android AppsAbdelhamid Limami

This document discusses pentesting Android apps. It provides an overview of Android architecture and common attack surfaces, including the client software, communications channels, and server-side infrastructure. It describes setting up an environment for app analysis, exploiting vulnerabilities like insecure storage and logical flaws. The document demonstrates capturing network requests, reverse engineering apps, and provides developer tips to improve security like encrypting sensitive data and input sanitization.

Android Security & Penetration TestingSubho Halder

Mobile App Security Testing -2Krisshhna Daasaarii

This document provides an agenda for mobile app security testing. It discusses topics like mobile OS versions, the mobile app SDLC, testing techniques, vulnerabilities, and security tools. Testing approaches include black box testing, code review, penetration testing and security assessments. Real devices are preferred over emulators due to limitations like missing features and network behavior issues. Common vulnerabilities discussed are cross-site scripting, SQL injection, and client-side injection. Popular security tools mentioned are ZAP, IBM AppScan, HP Fortify, and VeraCode. A three-tiered approach of testing the client, network and server layers is recommended for building secure mobile apps.

Selenium pptPavan Kumar

This document provides an overview of Selenium, an open source tool for automating web application testing. It discusses Selenium's features, components including Selenium IDE, RC, and Grid. It also covers Selenium commands called Selenium and how to perform testing with Selenium by writing reusable scripts and validating applications with conditionals. Selenium allows testing across browsers and OS using different programming languages in a flexible and cost-effective manner compared to other testing tools.

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham

Mobile Security Framework is an open source automated mobile application testing framework capable of static and dynamic analysis of Android and iOS apps. It performs various analyses including permission analysis, API monitoring, and HTTP traffic analysis. The framework supports analyzing APK, IPA, and source code. It is available on GitHub and includes demos of static analysis on sample APK and IPA files. The presentation also describes a mobile security CTF challenge involving two Android apps, GETSECRET and SENDSECRET, that can be solved by analyzing the apps with Mobile Security Framework or other reversing techniques.

Security testing in mobile applicationsJose Manuel Ortega Candel

José Manuel Ortega Candel presented on security testing in mobile applications. The presentation covered static and dynamic application security testing, vulnerabilities, security risks, and best practices for mobile security testing. It discussed analyzing application source code, network traffic, and runtime behavior to identify issues. The document also provided examples of common mobile vulnerabilities and tools that can be used to conduct security testing on both Android and iOS applications.

More Related Content

What's hot (20)

Google FirebaseAliZaidi94

Postman An Introduction for Testers, October 26 2022.pptxPostman

What is an API Gateway?LunchBadger

AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham

Android pentestingMykhailo Antonishyn

The fundamentals of Android and iOS app securityNowSecure

Security Testing Mobile ApplicationsDenim Group

Secure SDLC for Software Shreeraj Shah

Pentesting Android ApplicationsCláudio André

Source Code Analysis with SASTBlueinfy Solutions

APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays

Micro Frontends ArchitectureRag Dhiman

Web ApplicationSameer Poudel

Software Composition Analysis Deep DiveUlisses Albuquerque

security misconfigurationsMegha Sahu

OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov

Pentesting Android AppsAbdelhamid Limami

Android Security & Penetration TestingSubho Halder

Mobile App Security Testing -2Krisshhna Daasaarii

Selenium pptPavan Kumar

Google FirebaseAliZaidi94

Postman An Introduction for Testers, October 26 2022.pptxPostman

What is an API Gateway?LunchBadger

AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham

Android pentestingMykhailo Antonishyn

The fundamentals of Android and iOS app securityNowSecure

Security Testing Mobile ApplicationsDenim Group

Secure SDLC for Software Shreeraj Shah

Pentesting Android ApplicationsCláudio André

Source Code Analysis with SASTBlueinfy Solutions

APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays

Micro Frontends ArchitectureRag Dhiman

Web ApplicationSameer Poudel

Software Composition Analysis Deep DiveUlisses Albuquerque

security misconfigurationsMegha Sahu

OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov

Pentesting Android AppsAbdelhamid Limami

Android Security & Penetration TestingSubho Halder

Mobile App Security Testing -2Krisshhna Daasaarii

Selenium pptPavan Kumar

Similar to Automated Security Analysis of Android & iOS Applications with Mobile Security Framework - c0c0n 2015 (20)

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham

Security testing in mobile applicationsJose Manuel Ortega Candel

Android Penetration testing - Day 2Mohammed Adam

PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdfShadowman Kung

Droidcon mobile securityJudy Ngure

This document discusses the importance of mobile application security and penetration testing. It describes penetration testing as discovering vulnerabilities before attackers through vulnerability detection, comprehensive penetration attempts, and analysis/reporting. The document outlines static and dynamic analysis methods used for Android application security assessments. These include code review, function hooking, runtime debugging, and analyzing data at rest and in transit. It promotes understanding how applications work through reverse engineering, decompilation, and deobfuscation. The methodology uses tools like MARA, MobSF, Xposed, Frida, and BurpSuite.

Virtue Security - The Art of Mobile Security 2013Virtue Security

The document discusses mobile application security testing. It covers examining platform security issues on iOS and Android, such as cached screen shots and text fields on iOS and permissions on Android. It also discusses pentesting mobile apps through man-in-the-middle attacks, analyzing app logic and client-side controls, and static analysis. Additional topics include various attack vectors, hardware and carrier security concerns, and the current and future state of mobile security.

Attacking and Defending Mobile ApplicationsJerod Brennen

Building a Mobile Security ProgramDenim Group

Grab the Secure Mobile Application Development Reference here - http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html Are you looking to build a program to ensure maximum mobile security coverage? If you are tasked with putting together a security testing program to address risk with internally developed mobile applications, there is no shortage of technical and process factors to consider. It is also critical to balance the security with a positive end-user experience, helping propel the overall brand forward - safely. Without proper mobile security, one significant loss can quickly destroy the trust foundation your company has worked years to craft. This webinar will provide the security leader an overview of the challenges associated with mobile testing, certain technologies that one can use to identify mobile application vulnerabilities, and repeatable process strategies that will help build the foundation for a recurring testing program. The session will provide attendees a broad understanding of mobile technologies, as well as a mobile testing launch checklist that will help your organization go from ground floor to a fully-functioning testing program in 30 days. The session will also include: An overview of the major mobile technologies and their defining attributes An overview of how iOS and Android handle certain security issues differently via the Denim Group Mobile Development Reference Guide An overview of a typical mobile application architecture and how it differs from a web application environment How important web services are to a typical mobile architecture The limitations of automated testing and how to augment security reviews to overcome testing gaps How to make a program repeatable and economically feasible without disrupting the software development process

iOS Application Security And Static Analysis.pdfCyber security professional services- Detox techno

Untitled 1Sergey Kochergan

The document provides an overview of security testing techniques for mobile applications on different platforms like Android, BlackBerry and iOS. It discusses topics like application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The document also mentions tools used for tasks like decompilation, debugging, monitoring network/file activity. Specific platform security features for Android, BlackBerry and iOS are outlined.

Security testing of mobile applicationsGTestClub

The document provides an overview of security testing techniques for mobile applications on various platforms including Android, BlackBerry, and iOS. It discusses topics such as application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The goal is to identify vulnerabilities that could impact the confidentiality, integrity or availability of the mobile application or user data.

Mobile App Penetration Testing Bsides312wphillips114

Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions

This document discusses mobile code mining for discovery and exploits. It introduces the speaker, Hemil Shah, and provides an overview of mobile infrastructure, apps, and changes in the mobile environment compared to web. It then discusses several mobile attacks including insecure storage, insecure network communication, UI impersonation, activity monitoring, and system modification. It also covers decompiling Android apps and analyzing app code for security issues.

Rapid Android Application Security TestingNutan Kumar Panda

Hacking mobile appskunwaratul hax0r

Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR

Top Mobile Application Penetration Testing Tools for Android and iOS.pdfElanusTechnologies

Mobile application penetration testing is used to evaluate the security of native mobile apps developed for Android and iOS. It involves testing data security both at rest and in transit, as well as identifying vulnerabilities using automated tools and manual techniques. Penetration testing can locate flaws in code, systems, applications, databases, and APIs to harden apps and prevent hackers from exploiting vulnerabilities. The document provides a list of important mobile application penetration testing tools for Android and iOS.

Top 10 Mobile Hacking Tools – 2025 Editionanishachhikara2122

Explore the most powerful and widely-used mobile hacking tools in cybersecurity today. This presentation covers top tools like MobSF, Frida, Hopper, Ghidra, Objection, and more—highlighting their core features, use cases, platforms, and practical tips. Whether you're a security researcher, ethical hacker, or mobile app developer, this slide deck offers a well-rounded introduction to both static and dynamic analysis tools for Android and iOS. Ideal for training, awareness, and professional development.

BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions

This document provides guidance on building your own mobile forensics methodology (BYOM). It discusses the needs, knowledge, tools, and suggested readings required for mobile forensics. The document outlines knowledge required about mobile operating systems, file systems, file formats, and programming. It also lists commercial, open-source, and hardware tools that can be used and provides information on training resources, best practices, workflows, and standardization in mobile forensics. The goal is to help practitioners develop their own customized mobile forensics methodology.

mobsf.pdfTaseen Ali

Ajin Abraham presented Mobile Security Framework (MobSF), an open source tool for mobile application security testing. MobSF includes static and dynamic analysis as well as a web API fuzzer. Static analysis scans the app code and binaries to detect vulnerabilities. Dynamic analysis monitors the app's network traffic and behavior through an agent. The web API fuzzer tests APIs for issues like IDOR, SSRF, and XXE. MobSF provides automated security testing to help mobile app developers and penetration testers.

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham

Security testing in mobile applicationsJose Manuel Ortega Candel

Android Penetration testing - Day 2Mohammed Adam

PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdfShadowman Kung

Droidcon mobile securityJudy Ngure

Virtue Security - The Art of Mobile Security 2013Virtue Security

Attacking and Defending Mobile ApplicationsJerod Brennen

Building a Mobile Security ProgramDenim Group

iOS Application Security And Static Analysis.pdfCyber security professional services- Detox techno

Untitled 1Sergey Kochergan

Security testing of mobile applicationsGTestClub

Mobile App Penetration Testing Bsides312wphillips114

Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions

Rapid Android Application Security TestingNutan Kumar Panda

Hacking mobile appskunwaratul hax0r

Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR

Top Mobile Application Penetration Testing Tools for Android and iOS.pdfElanusTechnologies

Top 10 Mobile Hacking Tools – 2025 Editionanishachhikara2122

BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions

mobsf.pdfTaseen Ali

More from Ajin Abraham (20)

Injecting Security into Web apps at Runtime WhitepaperAjin Abraham

This document discusses a method called Runtime Application Self Defence (RASP) to securely inject protections into web applications at runtime without requiring code changes. RASP works by hooking into critical APIs, learning an application's behavior to generate rules, and then monitoring for context breaks to prevent attacks like SQL injection and cross-site scripting. The key advantages of RASP over traditional WAFs are that it operates from within the application so it understands the application context and can prevent zero-day attacks.

Injecting Security into vulnerable web apps at RuntimeAjin Abraham

Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet. In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

Tizen is an open source operating system that can run on various devices including smart TVs and IoT devices. It uses a security model that isolates applications using SMACK mandatory access control and enforces content security policies for web applications. The presentation discusses hacking techniques tested against Tizen like exploiting shellshock vulnerabilities, bypassing address space layout randomization protections, and circumventing content security policies. It also provides an overview of methodologies for analyzing Tizen application security like static analysis of manifest and configuration files, decompiling native applications, and network analysis using a proxy. Overall the presentation evaluates the security of Tizen and highlights some implementation issues found.

Hacking Tizen: The OS of everything - WhitepaperAjin Abraham

Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered. Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP). Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. As a bonus, an overview of pentesting Tizen applications will also be presented along with some of the security implications. There will be comparisons made to traditional Android applications and how these security issues differ with Tizen.

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported. Tizen IVI (in-vehicle infotainment) Tizen Mobile Tizen TV, and Tizen Wearable Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained. The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen. For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc. Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.

Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham

This document outlines security vulnerabilities in Firefox add-ons and demonstrates proof of concept exploits. It discusses how Firefox add-ons have full privileges without sandboxing, allowing exploits like keyloggers and downloading executables. Attack techniques to spread malicious add-ons like social engineering and tabnabbing are described. Mitigations include updating Firefox, using antivirus software, and disabling session restoring. The document aims to demonstrate weaknesses to motivate the Firefox team to improve add-on security.

Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham

Abusing Google Apps and Data API: Google is My Command and Control CenterAjin Abraham

Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Ajin Abraham

Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentAjin Abraham

Exploit Research and Development Megaprimer: Buffer overflow for beginnersAjin Abraham

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013Ajin Abraham

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Ajin Abraham

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Ajin Abraham

Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham

The paper is about abusing and exploiting Firefox add-on Security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, Session storing and full privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof of concept add-ons which abuse and exploits the add-on coding in Firefox 17, the release which Mozilla boasts to have a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a Local keylogger, a Remote keylogger, stealing Linux password files, spawning a Reverse Shell, stealing the authenticated Firefox session data, and Remote DDoS attack. All of these attack vectors are fully undetectable against anti-virus solutions and can bypass protection mechanisms.

Xenotix XSS Exploit Framework: Clubhack 2012 Ajin Abraham

Wi-Fi Security with Wi-Fi P+Ajin Abraham

After analyzing vulnerabilities in Wi-Fi security standards like WEP, WPA, and WPA2, the authors propose a new security architecture called Wi-Fi P+ that acts as an additional security layer over WPA/WPA2. Wi-Fi P+ encrypts plain text data transmitted during the WPA handshake process and includes additional security features like MAC address filtering, intrusion detection, and a VPN for more secure data transmission. The authors argue that Wi-Fi P+ provides a simpler yet more secure solution compared to existing Wi-Fi security protocols.

Shellcoding in linuxAjin Abraham

Shellcode is machine code that executes a shell when run. This document discusses shellcode, including: - Shellcode injects machine code into a vulnerable application to spawn a shell. - Three examples of shellcode are provided: an exit system call, displaying a message, and spawning a shell. - Registers, assembly instructions, and system calls used in Linux are explained for creating shellcode.

Phishing With Data URIAjin Abraham

Data URI schemes allow embedding data directly in web pages rather than linking to external resources. Phishers have started using Data URI schemes to conduct phishing without hosting fake pages on websites - instead embedding the phishing content directly through base64 encoding. This avoids the need for external hosting and makes the phishing harder to detect, though it has limitations in browser support and ability to inject content into other sites.