Professional Documents
Culture Documents
PTS2022 Talk 19 MobSF For Penetration Testers - 0
PTS2022 Talk 19 MobSF For Penetration Testers - 0
PTS2022 Talk 19 MobSF For Penetration Testers - 0
2 / 36
Introduction 3
Source: Mobile Vs. Desktop Internet Usage (Latest 2022 Data) - BroadbandSearch https://www.broadbandsearch.net/blog/mobile-
desktop-internet-usage-statistics
3 / 36
Agenda 4
4 / 36
5
Mobiles applications
5 / 36
Mobile Application 6
Nowadays
Android
iOS
From the past
Windows Phone
Blackberry
Window Mobile
Symbian
...
6 / 36
Android application 7
7 / 36
iOS application 8
IPA
A ZIP file containing application resources and binaries (machO
files)
8 / 36
Mobile application review 9
9 / 36
10
MobSF
10 / 36
MobSF 11
Mobile SecurityFramework
Licence: GPL 3
Available on GitHub
https://github.com/MobSF/Mobile-Security-Framework-MobSF
Online analyzer
https://mobsf.live/
11 / 36
MobSF Features 12
Android review
Application: Static and dynamic analysis
Source code: Static analysis
iOS review
Application: Static analysis
Source code: Static analysis
Windows Phone App
Static Analysis
12 / 36
MobSF installation 13
13 / 36
MobSF architecture 14
14 / 36
What are we missing 15
15 / 36
16
16 / 36
Mobile application security review 17
Demo time!
17 / 36
Mobile application security review 18
App Score
Quick overview for security score
SDK Version and Android Code Version
Application Signer Record
Quickly identified issuer and verify certificate
Here first check for countermeasure
Cipher Algo for signing
Code Signing
18 / 36
Mobile application security review 19
Application Permissions
What they need for working.
Quickly identify dangerous permissions for pentester
Attack scenarios for red teamer
Manifest Analysis
The manifest file record also reveals the security flaws found in
the target application
Need to understand the architecture of the Android OS to assess
its actual criticalness
A good starting point for analysis, but can be huge too
19 / 36
Mobile application security review 20
Code Analysis
Analysis result of java-code by a static analyzer
Detect here countermeasures like
Anti Root
Pinning
Can be false positive and need to be check by reading code
NIAP Analysis
Good conformity
Pentester? Your first free vulnerabilities
20 / 36
Mobile application security review 21
21 / 36
Mobile application analysis 22
22 / 36
Mobile application analysis 23
23 / 36
Mobile application analysis 24
24 / 36
Limits 25
Hardcoded Secrets
does not check into plist files (IPA)
does not check for specific patterns in strings values
BASIC BASE64
proto://user:pass@domain
25 / 36
Let’s use the API 26
26 / 36
Let’s use the API 27
27 / 36
Automation 28
28 / 36
Find credentials and keep digging 29
29 / 36
Find credentials and keep digging 30
builder.scheme("https").authority("webapp.customer.tld").appendPath(context.getR
esources().getString(R.string.HiddenFolder));
[...]
} catch (Exception e) {
e.toString();
}
30 / 36
Find credentials and keep digging 31
31 / 36
Automation issues 32
False positive
Auth BASIC detection
Plist analysis
Maybe more
Patterns are handle into the script
no external database/JSON file/whatever
32 / 36
Scan multiple applications 33
33 / 36
34
MobSF limitations
(as a pentester)
34 / 36
MobSF Limitations 35
35 / 36
36
https://www.linkedin.com/company/synacktiv
https://twitter.com/synacktiv
Our publications: https://synacktiv.com