OWASP IL 2012
About me
Founder of AppSec Labs
Application security expert
Book author: Managed Code Rootkits (Syngress)
AppSec Labs: expert application security company focusing mainly on Web & Mobile apps, offering cutting-edge application security services:
Penetration testing
Training (developers, IT)
Consulting
Secure coding
Agenda
Introduction to mobile security
Android PT workspace
Common mistakes & attack vectors
AppUse VM for mobile PenTesting
AppUse
Formal definition: Android Pen-test Platform Unified Standalone Environment
Informal definition: App + Abuse = AppUse
In short: an open source Linux VM loaded with everything needed for Android application PT (custom emulator, tools, IDE, practice apps, etc.)
Download: https://appsec-labs.com/AppUse
Unprotected communication
Another old-school mistake: not using any transport encryption such as SSL.
No encryption, no server-side authentication.
Even if the app does restrict access (as opposed to the previous slide), it's still a problem:
Device can get lost
Device can be stolen
DEMO - Dropbox
Intent DoS
Android applications frequently process intents received from other applications. Many times there's no input validation, which can DoS the service.
Example: null checks on IPC input
Null dereferences cause an application to crash, and can thus be used as a DoS.
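The null-check problem above as an added example (not code from the original slides or from AppUse): a hypothetical exported Android Service that crashes on a malformed intent, next to a version that validates the extra before using it. The class name and the report_id extra are assumptions.

```java
import android.app.IntentService;
import android.content.Intent;
import android.util.Log;

// Hypothetical exported service (android:exported="true" in the manifest)
// that any other app on the device can start with an Intent.
public class ReportService extends IntentService {
    private static final String TAG = "ReportService";
    static final String EXTRA_REPORT_ID = "report_id"; // assumed extra name

    public ReportService() { super("ReportService"); }

    // Vulnerable: an intent without EXTRA_REPORT_ID (or a null intent) throws
    // NullPointerException here; the uncaught exception kills the process,
    // so any app able to start the service can take it down (DoS).
    void handleReportUnsafe(Intent intent) {
        String reportId = intent.getStringExtra(EXTRA_REPORT_ID);
        process(reportId.trim());               // NPE when the extra is missing
    }

    // Hardened: treat every IPC input as untrusted. Check for a null intent,
    // a missing extra and an unexpected value before touching it, and return
    // false (with a log line) instead of crashing.
    boolean handleReportSafe(Intent intent) {
        if (intent == null) {
            Log.w(TAG, "null intent ignored");
            return false;
        }
        String reportId = intent.getStringExtra(EXTRA_REPORT_ID);
        if (reportId == null || !reportId.matches("[A-Za-z0-9]{1,32}")) {
            Log.w(TAG, "rejected malformed report_id");
            return false;
        }
        process(reportId);
        return true;
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        // IntentService can deliver a null intent after a process restart,
        // so the null check above is needed even without a hostile sender.
        handleReportSafe(intent);
    }

    private void process(String reportId) {
        Log.i(TAG, "processing report " + reportId);
    }
}
```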
Replace internal parts of the Android VM code to create a pentester-friendly environment:
Disable security mechanisms (e.g. SSL checks)
Hook into important functions
Change return values, parameters, etc.
Get a notification when a specific function is called
Break on function execution
Summary
Mobile app security is more important than ever.
Mobile app PT requires different skills & tools than traditional web app PT.
Don't reinvent the wheel: use AppUse for your mobile PenTesting (new version soon!!!) https://appsec-labs.com/AppUse
We provide mobile app security hands-on training:
Hacking
Secure coding