Automation In Android & iOS Application Security Review

Presented at DeepSec 2013 „Secrets, Failures, and Visions“

Mobile application hacking, and mobile application security with it, is becoming a major concern, especially with BYOD and users jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and exploitation methods for these devices. Mobile applications are vulnerable to many different attacks: insecure local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard-coded keys and a few others. It is imperative to scan these applications before loading and launching them. Currently, scanning and vulnerability detection are two major gaps for mobile applications. Attack techniques and exploit delivery are evolving on every platform, and protection is harder still because the code bases differ.

Among mobile attacks, local storage is the key target, since attacks on it directly affect the security and privacy of the user. What is really needed right now is an automated program to penetrate the local storage of the most widely used mobile platforms (Android and iOS). Interestingly, the Android SDK provides an API which can be used to monitor the file system. On iOS, one needs to jailbreak a device to attack local storage.

Along with the presentation, free tools (separate ones for Android and iOS) will be released. The Android tool uses the SDK API to monitor the Android file system, while the iOS tool relies on OS features. The methodology for performing application penetration testing with these tools will be demonstrated, along with several demonstrations of attacks on local storage for both platforms. The presentation will conclude with a list of interesting spots on Android and iOS where penetration testers can exploit local storage.
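The abstract names the local-storage artifacts a tester goes after but does not show what the automated check looks like. The following is an added example, not the presenters' tool and not code from the talk: an offline scanner in Python that walks an app data directory pulled off a device (for instance with `adb pull` from a rooted Android device, or over SSH from a jailbroken iOS device, as the abstract says is required there) and flags plaintext secrets in Android SharedPreferences XML, SQLite column names and iOS property lists, plus files left accessible to other users. The on-device monitoring API the abstract refers to is presumably `android.os.FileObserver`; this example shows the complementary offline pass instead. The directory layout, file names, the `SENSITIVE_NAME` pattern and all sample contents are constructed for the example.

```python
"""Offline scanner for mobile app local storage pulled off a device.

Added example (not the presenters' tool). Builds a CONSTRUCTED sample
app-data tree (Android shared_prefs XML and SQLite database, iOS plist),
then walks it flagging plaintext secrets and over-permissive file modes.
"""
import os
import re
import sqlite3
import stat
import tempfile
import plistlib
import xml.etree.ElementTree as ET

# Hypothetical list of key/column names that usually hold material which
# should never sit in plaintext on the device; extend for the app under test.
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)


def build_sample_tree(root):
    """Create constructed sample artifacts under root (not real app data)."""
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    prefs_xml = os.path.join(prefs, "com.example.app_preferences.xml")
    with open(prefs_xml, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <string name="api_key">QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=</string>\n'
                '  <boolean name="remember_me" value="true" />\n'
                '</map>\n')
    os.chmod(prefs_xml, 0o600)

    dbdir = os.path.join(root, "databases")
    os.makedirs(dbdir)
    db = os.path.join(dbdir, "app.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE session (id INTEGER, auth_token TEXT, note TEXT)")
    con.execute("INSERT INTO session VALUES (1, 'eyJhbGciOiJIUzI1NiJ9-sample', 'ok')")
    con.commit()
    con.close()
    os.chmod(db, 0o666)  # deliberately world-readable/writable: a finding

    lib = os.path.join(root, "Library", "Preferences")
    os.makedirs(lib)
    plist = os.path.join(lib, "com.example.app.plist")
    with open(plist, "wb") as f:
        plistlib.dump({"user": "alice", "Password": "hunter2", "theme": "dark"}, f)
    os.chmod(plist, 0o600)
    return root


def scan_shared_prefs(path):
    """Flag SharedPreferences entries whose key name looks like a secret."""
    return [("plaintext-pref", path, el.get("name", ""))
            for el in ET.parse(path).getroot()
            if SENSITIVE_NAME.search(el.get("name", ""))]


def scan_sqlite(path):
    """Flag SQLite columns whose name suggests credential or token storage."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            for col in con.execute('PRAGMA table_info("%s")' % t):
                if SENSITIVE_NAME.search(col[1]):
                    findings.append(("plaintext-column", path, "%s.%s" % (t, col[1])))
    finally:
        con.close()
    return findings


def scan_plist(path):
    """Flag top-level plist keys that look like secrets."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return [("plaintext-plist", path, k) for k in data
            if isinstance(k, str) and SENSITIVE_NAME.search(k)]


def scan_permissions(path):
    """Flag files readable or writable by 'other'. Only meaningful when the
    copy preserved on-device modes (e.g. a tar taken on the device); a plain
    adb pull rewrites them."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        return [("world-accessible", path, oct(mode))]
    return []


def scan_tree(root):
    """Walk an app data directory and collect all findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            findings += scan_permissions(p)
            if fn.endswith(".xml") and os.path.basename(dirpath) == "shared_prefs":
                findings += scan_shared_prefs(p)
            elif fn.endswith(".db"):
                findings += scan_sqlite(p)
            elif fn.endswith(".plist"):
                findings += scan_plist(p)
    return findings


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="appdata-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail)
```

Against the constructed tree this reports the `password` and `api_key` preferences, the `session.auth_token` column, the `Password` plist key and the world-accessible database; the name-based heuristic is deliberately simple, and a real review would also inspect values (the SQLite row here holds a JWT-like token) and the app's own key storage paths.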

Presenters:

  • Hemil Shah - eSphere Security Solutions Pvt Ltd
    Hemil Shah, CISSP, CSSLP, ACP, is the founder and Director of eSphere Security, a company that provides professional services in the security area. He is also on the advisory board of several security companies and a regular speaker/trainer at some of the best security conferences. He has published several tools and whitepapers and has given talks and lectures at numerous conferences including OWASP, HITB, HackCon, SyScan and NullCon. Hemil is an expert in mobile application security and application security, and researches new methodologies and training designs. He has performed more than 1000 security consulting assignments in penetration testing, code review, web application assessment, security architecture review and mobile application security review.
