Motivation
[1] https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Mobile Security Project
Top 10 Mobile Risks - Final List 2014
OWASP Mobile Security Project
The Mobile Top Ten 2016
OWASP Mobile Security Project
OWASP Mobile Security Project
MASVS MSTG
Checklist
OWASP MSTG
The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the [Mobile Application Security Verification Standard (MASVS)] and provides a baseline for complete and consistent security tests.
OWASP MASVS
The MASVS is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as by security testers to ensure completeness and consistency of test results.
The MASVS defines two strict security verification levels (L1 and L2), as well as a set of reverse engineering resiliency requirements (MASVS-R) that is flexible, i.e. adaptable to an app-specific threat model. MASVS-L1 and MASVS-L2 contain generic security requirements and are recommended for all mobile apps (L1) and for apps that handle highly sensitive data (L2).
MASVS-R covers additional protective controls that can be applied if preventing client-side threats is a design goal.
Source: Mobile AppSec Verification v 0.9
[Latest release: version 0.9.4]
Security Verification Level
Security Verification Levels. MASVS-L1 provides a solid security baseline that is appropriate for most mobile apps. MASVS-L2 adds defense-in-depth controls. MASVS-R represents an optional protective layer for impeding reverse engineering and tampering.
OWASP MASVS Requirements
OWASP MASVS – Verification Requirements
[Bar chart: number of controls per MASVS verification category (V1 Architecture, V2 Storage, V3 Cryptography, V4 Authentication, V5 Network, V6 Platform, V7 Code Quality, V8 Reverse Engineering); y-axis: Num. Controls, 0 to 14. 74 controls in total.]
OWASP MASVS Checklist
Mobile Security & Tools
FRIDA
Dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. Frida is:
– Scriptable
– Portable
– Free
– Battle tested
Frida “lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX.” [3]
[3] https://github.com/frida/frida
Using FRIDA
Requirements:
– Frida version 10.6.21
– Frida-server-10.6.21-android-x86.xz (tested in Android 7)
– Android emulator with Android 7.0 x86
– The app for Android [frida.re]
V01 demo
[4] https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
drozer
[1] Install drozer: sdk-linux/platform-tools $ ./adb install 'drozer-agent-2.3.4.apk'
[2] Port forwarding: sdk-linux/platform-tools $ ./adb forward tcp:31415 tcp:31415
[3] Connect to the device: $ drozer console connect
Zap proxy
[1] CERTIFICATE CREATION
1. Settings
2. Cellular networks
3. Access Point Names
4. Select the network
5. Proxy: IP address of the PC
6. Port: the ZAP Proxy port (8080)
7. Save
V1 Architecture, design and threat modeling
Security must be considered throughout all phases of development, in the architecture of the mobile app, and in the functional and security roles of all its components.
Requirements pertaining to the architecture and design of the app: threat modeling, secure SDLC, key management.
V2 Data storage and privacy
● Testing Local Storage for Sensitive Data
● Shared Preferences
● SQLite Database (Unencrypted)
● Manifest.XML
V04 demo
V2 Data storage and privacy
V3 Cryptography verification
script
V4 Authentication and session management
● Problems with Authentication and Authorization
V5 Network communication
V5 Network communication
com/loopj/android/http/MySSLSocketFactory.java
V6 Interaction with the environment
The controls in this group ensure that the app uses platform APIs and standard components in a secure manner.
– The app only requests the minimum set of permissions
– JavaScript is disabled in WebViews
– The app detects whether it is being executed on a rooted or jailbroken device
– The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.
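As an added example (not part of the original slides), a static check for the V6 requirement above: it parses an AndroidManifest.xml and reports components that are exported without a protecting permission, naming any custom URL schemes that reach them. The manifest below is constructed for the demonstration; the package and component names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app): one activity reachable
# through a custom URL scheme, one protected by a permission, one not exported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplebank"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.bank.ADMIN"/>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(component):
    """An explicit android:exported wins; otherwise a component with at
    least one intent-filter is exported by default (pre-API-31 rule)."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def find_unprotected_exports(manifest_xml):
    """Return (component name, reason) for exported components that carry
    no android:permission, noting any custom URL schemes they accept."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if not is_exported(comp) or comp.get(ANDROID_NS + "permission"):
            continue
        # http/https are ordinary deep links; anything else is a custom scheme
        schemes = sorted({d.get(ANDROID_NS + "scheme") for d in comp.iter("data")
                          if d.get(ANDROID_NS + "scheme") not in (None, "http", "https")})
        reason = "exported without permission"
        if schemes:
            reason += ", reachable via custom scheme(s): " + ", ".join(schemes)
        findings.append((comp.get(ANDROID_NS + "name"), reason))
    return findings
```

Running `find_unprotected_exports(SAMPLE_MANIFEST)` reports only `.TransferActivity`; the permission-protected and non-exported activities are not flagged.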
V7 Code quality and build setting
The goal of this control is to ensure that basic secure coding practices are followed in developing the app, and that the "free" security features offered by the compiler are activated.
– The app is signed and provisioned with a valid certificate.
– Debugging symbols have been removed from native binaries.
– Debugging code has been removed, and the app does not log verbose errors or debugging messages.
– The app catches and handles possible exceptions.
– Error handling logic in security controls denies access by default.
V6 demo
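As an added example (not from the original slides), a small audit of logcat output against the V7 controls above: it flags verbose/debug-level messages, messages carrying credential-like data, and uncaught exceptions coming from the app's own process. The logcat lines, tags and process id are constructed sample data.

```python
import re

# logcat "threadtime" format: date time pid tid priority tag: message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$")

# Key/value or header names that should never reach a release build's log.
SENSITIVE_RE = re.compile(
    r"\b(password|passwd|pin|secret|token|authorization)\s*[=:]", re.I)

# Constructed sample logcat; pid 4321 is the app under test, 1012 is system_server.
SAMPLE_LOGCAT = """\
01-15 10:21:03.117  4321  4321 D TransferActivity: request user=alice password=hunter2
01-15 10:21:03.120  1012  1040 I ActivityManager: Displayed com.example.bank/.MainActivity
01-15 10:21:04.002  4321  4390 V OkHttp: Authorization: Bearer <constructed-token>
01-15 10:21:04.500  4321  4321 I TransferActivity: transfer submitted
01-15 10:21:05.330  4321  4321 E AndroidRuntime: FATAL EXCEPTION: main
01-15 10:21:05.331  4321  4321 E AndroidRuntime: java.lang.NullPointerException at com.example.bank.TransferActivity.onCreate(TransferActivity.java:42)
"""

def parse_logcat(text):
    """Parse threadtime lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOGCAT_RE.match, text.splitlines()) if m]

def audit_app_logs(text, app_pid):
    """Return (rule, tag, message) findings for records emitted by app_pid."""
    findings = []
    for rec in parse_logcat(text):
        if int(rec["pid"]) != app_pid:
            continue
        if rec["prio"] in "VD":                      # debug code left in the build
            findings.append(("debug-logging", rec["tag"], rec["msg"]))
        if SENSITIVE_RE.search(rec["msg"]):          # credentials/tokens in logs
            findings.append(("sensitive-data", rec["tag"], rec["msg"]))
        if rec["tag"] == "AndroidRuntime" and rec["msg"].startswith("FATAL EXCEPTION"):
            findings.append(("unhandled-exception", rec["tag"], rec["msg"]))
    return findings

if __name__ == "__main__":
    for rule, tag, msg in audit_app_logs(SAMPLE_LOGCAT, 4321):
        print(f"[{rule}] {tag}: {msg}")
```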
V8 Resiliency against reverse engineering
Covers software protection measures that are recommended for apps that process, or give access to, sensitive data or functionality. The app detects, and responds to:
– the presence of a rooted or jailbroken device
– a debugger being attached
– tampering with executable files and critical data
– the presence of reverse engineering tools
– tampering with the code and data
● All executable files and libraries belonging to the app are either encrypted on the file level
● Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.
● The app implements a 'device binding' functionality
V8 Resiliency against reverse engineering
Protections?
https://media.kaspersky.com/en/business-security/KFP%20SDK%20Data%20Sheet%20March%202015.pdf
Protections
https://data.eventworld.cz/file/cybersecurity2014_II_temp/prezentace/12_30_Kaspersky_Fraud_Prevention_SOLUTION_Cyber_Security2014.pdf
ELK as a forensic tool
● Elasticsearch Logstash Kibana
– A set of tools for analysing large volumes of event data such as logs, CSV files, etc.
– Facilitates network forensic analysis
– Version 6 is currently available
– Introduced the concept of machine learning to detect anomalies.
– Machine learning can be applied to the investigation of mobile applications, using as inputs the reversed classes, the logs generated by logcat and the data generated by the applications in real time.
ELK Stack
New projects
● Translation into Spanish
– 80% complete for version 0.9 of the OWASP MASVS
– Translation of the manual
● Use of ELK to review events
– Log analysis in apps
References
● [1] Drozer Guide, https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf
● [2] Android InsecureBankV2, Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities, https://github.com/dineshshetty/Android-InsecureBankv2
● [3] OWASP MSTG, https://github.com/OWASP/owasp-mstg
● [4] FRIDA, Dynamic instrumentation toolkit, https://www.frida.re/
● [5] OWASP Zed Attack Proxy, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
● [6] OWASP Mobile Security Project, https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks ; https://www.dropbox.com/sh/d143o6tbkdx4w4l/AAAQlpmnCpHCgiBqZkgXPSTKa?dl=0
● [7] Vijay Kumar Velu, Mobile Application Penetration Testing
● [8] Prashant Verma, Akshay Dixit, Mobile Device Exploitation Cookbook
● [9] Nikolay Elenkov, Android Security Internals