Intro to Mobile Device Testing

Presentation transcript:

Intro to Mobile Device Testing

$whoami Damian Profancik Senior Security Consultant NCC Group (formerly iSEC Partners) damian.profancik@nccgroup.trust @integrisec

North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Europe: Manchester (Head Office), Amsterdam, Cheltenham, Copenhagen, Edinburgh, Glasgow, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich
Australia: Sydney

Agenda
- What?
- Why?
- Attack Surface
- How?

What?
- iOS (iPhone/iPad)
- Android (Phones/Tablets)
- Windows Phone

Why?
- Ubiquitous
- Critical data
- Authentication

Attack Surface
- Web Server APIs
- Network Traffic
- Data on Device
- Data in Logs
- Data in Memory
- Application Source Code

How?

Jailbreak/Root
- Breaks app sandbox
- Access file system
- Allows SSH
- Allows debugging
- Disable protections (SSL pinning, JB/Root detection)

Bypass Jailbreak/Root Detection
- iOS: tsProtector P, Snoop-it, Xcon
- Android: RootCloak

Tools (APIs/Network)
- Proxy: Burp, OWASP ZAP, Fiddler

Proxying Traffic
1. Set proxy to listen on all interfaces
2. Download proxy CA certificate
3. Install CA certificate on device
4. Redirect traffic to proxy with Wifi Settings
5. Redirect traffic to proxy with VPN
   - Windows: PPTP VPN (Routing and Remote Access)
   - Mac: VPNActivator

Bypass Certificate Pinning
- iOS: SSL Kill Switch, Snoop-it
- Android: Android-SSL-TrustKiller

Attack Web Server APIs
- OWASP Top 10 (SQLi, XSS, XXE, etc.)
- Session Management
- Authentication/Authorization
- Logic Flaws
- Information Leaks

Analyze Network Traffic and Transport
- Sensitive Information in URLs
- HTTP
- SSL v2/v3
- Invalid Certificates
- Weak Ciphers
- Insecure Renegotiation

Tools (Device Data/Logs)
- iOS: SSH/SCP, iFunbox, iFile, SQLite Reader, Xcode (Plist), Keychain-Dumper, Snoop-it, class-dump-z, gdb
- Android: SSH/SCP, SQLite Reader, Android Studio, keytool, XML files, adb

Tools (iFunbox)

Tools (Snoop-it)

Tools (iOS Logs – Xcode)

Tools (Android – Android Studio)

Tools (Device Memory)
- iOS: gdb
- Android: adb, Android Monitor (Heap Dump, Allocation Tracker)

What To Look For
- Credentials
- Encryption Keys
- Cookies
- Payment Cards
- Personally Identifiable Information
- Screenshots
- Session Tokens
- Cached Data
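The two slides above (what leaks in transit and what to look for in logs and memory) describe a review a tester repeats by hand; as an added example that is not from the deck, this Python scanner runs that review over constructed logcat-style and proxied-request lines, flagging credentials and session tokens in URLs or logs, bearer tokens, cleartext http:// URLs, and Luhn-valid card numbers. The sample lines and finding names are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample input: logcat-style app lines and proxied request lines
# of the kind a tester reviews; none of it is real data.
SAMPLE_LINES = [
    "D/LoginActivity: POST https://api.example.com/login user=alice&password=hunter2",
    "I/Net: GET http://api.example.com/v1/profile?session=9f8c2a1b7e",
    "D/Checkout: card=4111111111111111 exp=12/27",
    "D/Checkout: card=4111111111111112 exp=12/27",
    "I/Net: GET https://api.example.com/v1/me Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.x",
    "V/Sync: last sync ok, 42 items",
]

# Each finding type maps to a regex; card candidates are confirmed with Luhn below.
PATTERNS = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)=[^&\s]+"),
    "session_token": re.compile(r"(?i)\b(?:session|sessionid|token)=[^&\s]+"),
    "bearer_token": re.compile(r"(?i)\bAuthorization:\s*Bearer\s+\S+"),
    "cleartext_http": re.compile(r"\bhttp://\S+"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 13-19 digit runs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> List[str]:
    """Return the finding types present in one log or request line."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if name == "card_candidate" and not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                continue
            findings.append(name)
    return findings


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, finding type) pairs over a whole capture, 1-indexed."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]
```

Line 4 carries a sixteen-digit run that fails the Luhn check and is therefore not reported, which keeps timestamps and IDs out of the findings.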

Attacking the App
- SQLite Injection
- Device XSS
- WebViews/JavaScript Bridge
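The SQLite Injection item above is the on-device form of the OWASP Top 10 SQLi the deck lists for web APIs. As an added example that is not from the deck, the Python below puts the vulnerable query (string concatenation) beside its hardened form (bound parameters) against a constructed in-memory notes table, and shows that only the parameterized version keeps the owner filter intact when the search term is crafted. The table, rows and function names are assumptions made for the example.

```python
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an app's on-device SQLite store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes (owner TEXT, title TEXT, body TEXT)")
    con.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        ("alice", "groceries", "milk, eggs"),
        ("alice", "wifi", "constructed sample secret"),
        ("bob", "meeting", "tuesday 10am"),
    ])
    return con


def search_vulnerable(con: sqlite3.Connection, owner: str, term: str) -> List[str]:
    """Builds the query by concatenation, so the term can alter the WHERE clause."""
    sql = ("SELECT title FROM notes WHERE owner = '" + owner
           + "' AND title LIKE '%" + term + "%'")
    return [row[0] for row in con.execute(sql)]


def search_safe(con: sqlite3.Connection, owner: str, term: str) -> List[str]:
    """Binds the term as a parameter, so it is only ever matched as data."""
    sql = "SELECT title FROM notes WHERE owner = ? AND title LIKE ?"
    return [row[0] for row in con.execute(sql, (owner, "%" + term + "%"))]


def run_demo() -> Dict[str, List[str]]:
    """Same crafted search term through both versions; the owner filter should hold."""
    con = make_db()
    crafted = "%' OR 'a' LIKE 'a"   # closes the LIKE literal and appends a true condition
    return {
        "normal_vulnerable": search_vulnerable(con, "alice", "wifi"),
        "normal_safe": search_safe(con, "alice", "wifi"),
        "crafted_vulnerable": search_vulnerable(con, "alice", crafted),
        "crafted_safe": search_safe(con, "alice", crafted),
    }
```

With the crafted term the concatenated query returns every row, including bob's, while the parameterized query returns nothing because the term is matched literally.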

Source Code Analysis
- Android: dex2jar, apktool, JAD, Android Studio
- iOS: gdb, Xcode

Q/A

Resources
- OWASP Mobile Top 10 - https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
- iOS Testing Cheatsheet - https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
- Android Testing Cheatsheet - https://www.owasp.org/index.php/Android_Testing_Cheat_Sheet

Resources
- Network
  - SSLyze - https://github.com/nabla-c0d3/sslyze
  - Burp Suite - https://portswigger.net/burp
- Android
  - Android Studio - http://developer.android.com/sdk/index.html
  - Android-SSL-TrustKiller - https://github.com/iSECPartners/Android-SSL-TrustKiller
  - dex2jar - https://github.com/pxb1988/dex2jar
  - Apktool - http://ibotpeaches.github.io/Apktool/
  - JAD - http://varaneckas.com/jad/

Resources
- iOS
  - Xcode - https://developer.apple.com/xcode/download/
  - SSL Kill Switch - https://github.com/iSECPartners/ios-ssl-kill-switch
  - iFunbox - http://www.i-funbox.com/
  - snoop-it - https://code.google.com/archive/p/snoop-it/
  - class-dump-z - https://github.com/nygard/class-dump
  - Keychain-Dumper - https://github.com/ptoomey3/Keychain-Dumper