Mobile Security Testing Guide Hands-On (closed)

Presented at DeepSec 2020 „The Masquerade“, Unknown date/time (Unknown duration).

LIVE ONLINE TRAINING

Did you ever struggle to use Frida? Did you ever want to know how to intercept the traffic of a Flutter app and bypass SSL pinning on Android and iOS? Or were you just curious whether it's possible to do a proper penetration test on a non-jailbroken iOS device? If so, this training is perfect for you. All of these topics and more will be covered during our hands-on course, which is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of its authors. The OWASP MSTG is a comprehensive and open source guide on modern mobile security testing for both iOS and Android. This course provides a customized mobile testing environment including many hands-on mobile security challenges. A wide range of topics will be covered, from mobile operating system fundamentals to using Frida (a dynamic instrumentation framework) to bypass client-side security controls.

What attendees will learn

This course is developed for:
- Penetration testers who want to achieve full coverage when testing a mobile app and know how to work with an accepted industry standard for mobile testing
- Developers who want to understand how attacks against their mobile apps are executed and how the apps can be improved by implementing security best practices

The goal of this course is to learn:
- the technical skills to execute a penetration test against iOS and Android mobile applications
- how to utilise the OWASP Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments
- how to mitigate vulnerabilities in mobile apps and implement the latest best practices

This training will mainly focus on:
- iOS and Android security fundamentals, to understand the security mechanisms that are put in place by the OS
- Preparing a penetration testing environment for iOS and Android and clarifying the limitations and benefits of each option (real device, emulator, jailbroken, rooted etc.)
- Hands-on exercises based on iOS and Android apps that are built specifically for each test case, to gain an understanding of different vulnerabilities
- Demonstrating the implementation of the latest security best practices to mitigate vulnerabilities in mobile apps or reduce the attack surface
- Demonstrating a methodology for conducting iOS application testing with a jailbroken and a non-jailbroken device
- Introduction to dynamic instrumentation using Frida and different tools powered by Frida (e.g. objection)
- Reverse engineering of iOS and Android apps to bypass client-side security controls, such as disabling root detection or SSL pinning

Attendees will be provided with the following content:
- All slides in PDF format used for Day 1 and Day 2
- Toolkit including all tools and scripts used during the training (access to a private GitHub repo)
- Several iOS and Android apps that are used for the exercises (access to a private GitHub repo)

Prerequisites

The following prerequisites need to be fulfilled by the participants in order to be able to execute and follow all exercises:
- MacBook with at least 8 GB RAM, 40 GB of free disk space and a stable internet connection
- Full administrative access to disable AV or firewall in case of any issues with the environment
- VirtualBox installed
- Xcode installed

An iOS or Android hardware device is not needed by the participants and will also not be provided. The hands-on exercises for the Android training will instead be executed in a cloud-based, virtualized environment that allows attendees to access a rooted Android device. One Android instance will be provided for each participant. The iOS training will be executed with the iOS Simulator. The source code of the vulnerable apps will be shared with the students, so different attacks can be executed and fixes can be applied.

We will also offer 20 min support windows, 1 week before the training, for all students to make sure that the setup is up and working prior to the training. The participants should have a basic understanding of mobile apps, an interest in security and learning new things, and basic experience with the command line.

Detailed Outline

Day 1 - Android

Module 1: Overview of Android Platform and Security Mechanisms
- Android security architecture (bootloader, permission model, sandboxing etc.)
- App communication with the operating system (IPC, Intents etc.)
- Runtime environment (Dalvik vs. ART)

Module 2: Creating an Android Testing Environment
- Android Debug Bridge (ADB)
- Setting up an Android Genymotion instance in the cloud for testing
- Differences and limitations between testing in an emulator/simulator and on a physical device

Module 3: Android Application Structure
- Decompiling an APK
- APK file structure
- Understanding and analysing the AndroidManifest.xml
- Repackaging and analysing an app with Network Security Configuration

Module 4: Static Analysis
- Identifying a deeplink vulnerability in a Kotlin app
- Exploiting the deeplink vulnerability
- Automated static analysis with MobSF, showing quick wins and its limitations in identifying the deeplink vulnerability

Module 5: Analysis of Network Traffic
- Proxying HTTP traffic by using Burp Suite
- Analysing apps built on frameworks that do not use the system proxy; students will be intercepting an app built with Flutter
- Capturing all outgoing (non-HTTP) traffic on the Android device by chaining tcpdump, netcat, adb and Wireshark together
- Piping network traffic from an Android device to your laptop through USB by using adb reverse, e.g. in case of client isolation in the Wi-Fi network

Module 6: Dynamic Instrumentation 101 Android
- Introduction to Frida and its basics (hooking, overloading, usage of the Frida CLI and Frida scripts etc.)
- Identifying and hooking functions of an Android app
- Using Frida Server on a rooted device

Module 7: Reverse Engineering - Bypassing Root Detection
- Introduction to various ways of implementing root detection
- Using dynamic instrumentation to bypass multiple root detection functions and comparing it to other techniques, such as patching Smali and using Xposed (pros/cons)

Module 8: Bypassing SSL Pinning
- Overview of SSL pinning functionality and implementation
- Showing different ways of bypassing SSL pinning, by using Xposed (rooted device) and Objection (non-rooted device)
- Showing ways of bypassing Network Security Configuration

Module 9: Testing for Sensitive Data in Local Storage (Shared Preferences, SQLite databases, internal and external storage) and secure usage of the KeyStore

CTF: Investigate an app with the newly learned skills and win a prize!

Day 2 - iOS

Module 1: Overview of iOS Platform and Security Mechanisms
- iOS security architecture (hardware security, code signing, sandbox, Secure Boot, Secure Enclave)
- Explaining the IPA container and its structure on the iOS file system

Module 2: Creating an iOS Testing Environment
- Testing with and without jailbreak and its limitations
- Testing in an emulator compared to a real device
- Setting up the iOS Simulator and Xcode
- Describing various ways of installing iOS apps

Module 3: Demonstration of Testing iOS Apps without Jailbreak
- Repackaging an IPA with the Frida Gadget by using Objection
- Overview of Objection and its limitations

Module 4: Static Analysis
- Decrypting an app with FairPlay encryption by using Clutch or frida-ios-dump
- Using class-dump
- Analyzing 3rd-party libraries in iOS apps for vulnerabilities
- Automated static analysis with MobSF
- Reviewing Info.plist for misconfigurations, such as App Transport Security (ATS)

Module 5: Dynamic Instrumentation 101 iOS
- Recap of Frida and its basics (hooking, overloading, usage of the Frida CLI and Frida scripts etc.)
- Identifying and hooking functions of an iOS app
- Using Frida for testing iOS apps

Module 6: Dynamic Analysis
- Capturing HTTP traffic through Burp Suite
- Piping network traffic from an iOS device to the laptop via USB by using usbmuxd, e.g. in case of client isolation in the Wi-Fi network
- Analysing all non-HTTP traffic through a remote virtual interface on macOS

Module 7: Bypassing SSL Pinning
- Identifying usage of SSL pinning
- Lab to show different ways of bypassing SSL pinning, by using SSL Kill Switch (jailbroken device) and by using Objection (non-jailbroken device)

Module 8: Testing for Touch ID / Face ID Bypass
- Overview of Touch ID / Face ID functionality and implementations
- Bypassing biometric authentication through Needle and Objection

Module 9: Testing for Sensitive Data in Local Storage
- Explanation of different ways to store data on iOS (Core Data, plist, SQLite DB etc.) and how to store it securely by using the Keychain
- Analysing local storage by using Objection, Passionfruit and Xcode

Module 10: Testing Stateless Authentication with JSON Web Token (JWT) in an iOS App
- Dynamic testing by using Burp Suite
- Analysing storage for access tokens
- Applying known attacks against JWT

Module 11: Hands-on: Reverse Engineering
- Basic reverse engineering of an iOS app
- Bypassing client-side security controls such as jailbreak or simulator detection through dynamic instrumentation with Frida

CTF: Investigate an app with the newly learned skills and win a prize!

Presenters:

  • Sven Schleier
    Sven made several stops at big consultant companies and small boutique firms in Germany and Singapore and became specialised in application security; he has supported and guided software development projects for mobile and web applications during the whole SDLC. Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and the OWASP Mobile Application Security Verification Standard, and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about mobile and web application security worldwide to different audiences, ranging from developers to students and penetration testers.
  • Ryan Teoh
    Ryan Teoh (OSCE, OSCP, CRT) is a Security Engineer at Grab with a strong focus on mobile security. He spends a considerable amount of time on iOS kernel exploitation, contributing to the iOS security testing chapter and the iOS Crackmes which are part of the OWASP Mobile Security Testing Guide. That aside, he is active on both private and public bug bounty programs and has successfully bagged several critical mobile security bugs. Ryan is a strong believer in knowledge sharing and has initiated a security blog on top of facilitating workshops for security engineers, developers and students about mobile security, dynamic instrumentation and reverse engineering of mobile applications.
