Mobile Security Session 3 OWASP Top 10 - YouTube
00:02 this is our third session first session we discussed about the source code analysis and how do we
perform static analysis and Code walkthrough that is the first session in the second session we covered
about
00:16 some of the tools for exploitation basically msfvenom and Metasploit these are the two tools which
we used for exploitation purpose how to create the back door and how to download the APK how can
we
00:31 inject the payload into the signed APK these are the things we discussed in a second session along with
the Practical labs in today's session we are going to talk about the OWASP Top 10 of the mobile and SSL
00:46 pinning how to bypass SSL pinning mostly it will be like theoretical uh the reason is we don't have the
emulator ready for performing the labs and moreover because of the time constraints we'll try to cover
like from the interview
00:59 perspective what kind of questions they expect and how do we answer it okay considering that whatever
the topics I have covered in the last two classes those are enough from the SAST perspective and from
the DAST
01:13 perspective we are going to do it in today's session does anyone know what are the OWASP Top 10
vulnerabilities of the mobile it will be similar to the web application most of the vulnerabilities will be
similar to the web application
01:30 only thing is you just need to correlate that with respect to the mobile app give me one one
vulnerability that is there in the OWASP Top 10 of the mobile search for it I'll walk through one of her and in
a
01:55 very simpler and easier manner so that whenever someone asks you about mobile pen testing you
should say like I have worked on the Android source code analysis and DAST as part of source code I
worked on the JADX I worked on the
02:08 MobSF I am familiar with scanning with MobSF for both SAST and DAST JADX we try to load the APK where
it will try to list some of the class files yes insecure authentication is one of the OWASP Top 10 of the
mobile currently
02:28 they are in the beta version of 2023 still it is not done these are the upcoming top 10 you can say but
we'll go through the 2016 version of it these are the top 10 list uh the mobile top 10 vulnerabilities as
02:44 per OWASP in the 2016 and even now 2023 version is about to prepare now okay they are working on it as
of now it is in the beta after beta we'll get the actual top 10.
https://www.youtube.com/watch?v=HlRJBvhrpEI 1/13
4/26/24, 3:44 PM Mobile Security Session 3 OWASP top 10 - YouTube
03:02 okay fine the first one is improper platform usage when we say platform it is basically Android mobile
Android mobile is a and there are some recommendations how we can develop the application right
you are not following those
03:19 standards you are not following common security standards common practices while developing the
application simple example is you are not using the inbuilt inbuilt secure functions for developing this
application application or mobile app
03:38 right that's the reason these kind of issues will come up one of the best example I can say is so we are
not following the proper guidelines but some of the guidelines let me check if they are given you can
consider this improper platform
04:20 you says yes improper secure design and improper implementation of the policies permissions basically
failures in this platform permissions we have discussed about AndroidManifest.xml and as per the
recommendations debugging is not
04:35 allowed debugging flag has to be disabled in the production you try to enable not following the
common security standards for the mobile platform then that kind of issue will come right too many
permissions original
04:49 permissions this is this is one of the example for improper platform usage they have given some attack
scenarios as well go through this link individually everyone okay the next one is insecure data storage
05:09 as part of insecure data storage we discussed about some vulnerabilities in the source code analysis
what is that anyone remember what is the manifest.xml element or the permission which will allow this
insecure data
05:32 storage vulnerability allow backup is a security flag yes allow backup is a security flag in the basically it
is a permission in the AndroidManifest.xml should we set it to true or false anyone insecure data
storage
05:53 allow backup should we set it to true or false what is the ideal recommendation we have to set it to false
if you set it to true it is possible for other applications within that mobile mobile platform
06:16 can copy our data that is the reason we need to implement secure data storage the app one in your
mobile data should not be accessible to the app two in your mobile that is what this insecure data
storage vulnerability is
06:34 all about okay and of course even any external applications external third party applications also should
not be able to access the mobile app data what in case if the other applications are able to access there
will be some
06:53 kind of a malware or external third party Services which will be easily able to access our data sensitive
data it can be personal data or financial data right and you should not do any kind of rooting or jailbreaking
which will
07:12 try to compromise this data data storage security and they have given some technical impacts as well
you guys go through these technical impacts individually how does this insecure data storage happens
because of the operating system
07:42 Android operating system and the framework that is used for developing the app or the compiler
environment new hardware rooting or jailbreaking devices whenever you enable rooting or jailbroken
it will be like a developer
07:57 mode there will not be any kind of security standards which will allow for the which will allow
attackers to read the data easily from your mobile app okay that's how like the data gets leaked and the
sources are these are
08:11 some of the sources SQL database logs XML data external cards and Cloud syncing insecure data
storage that is the second one insecure communication can anyone tell me what what should we do for
secure communication within the
08:31 mobile applications we have to enable TLS right along with TLS there is a concept called anyone
what is the concept that is implemented in mobile applications to avoid man in the middle attack man
in the middle attack
08:57 of course when we have to enable TLS communication along with that there is a very very important
concept where we try to enable the TLS concept to avoid man in the middle attack clients and client
server communication
09:17 is there client is able to communicate with the server by using SSL connection which is nothing but TLS
attacker will try to intercept the request between client and server for performing man in the middle
attacks
09:30 okay discussing that what what leads to the insecure communication last one minute how many of you
have heard SSL pinning SSL pinning secure socket layer no one okay we are going to discuss about SSL
pinning how to bypass SSL
10:06 pinning in the last few minutes so for insecure communication vulnerability to avoid that vulnerability
you need to enable TLS and also you need to enable SSL pinning uh the uh and you need to check for
10:21 different kinds of channels when you if there is a mobile you can have have a communication by using
Wi-Fi by using infrared or by using uh cell towers proxies network devices lot of channels are there you
need to ensure
10:39 that all these channels are you are communicating through all these channels in a secure manner okay
this is all about insecure communication and how do we prevent this insecure communication definitely
we
10:53 need to use TLS right TLS for communication and TLS server authentication purpose what else we have
business impact if someone is able to do the man in the middle attack they will be able to read this
sensitive data
11:11 which will lead to the compromise of personal information and financial information listed some of the
channels like TCP Wi-Fi Bluetooth audio infrared GSM 3G SMS lot of channels are there where your
mobile
11:29 platform gets communicated to the external network all these channels have to be secured so how do we
prevent this man in the middle attack or insecure communication vulnerability you need to enable TLS
11:50 transport layer security updated versions of SSL we have to use strong ciphers we need to use and the
certificates that are signed by the trusted certification Authority don't use self-signed certificates these
are the
12:06 ways how we can prevent insecure communication very simple updated TLS and enable SSL pinning
then updated Cipher details some of the mechanisms to prevent insecure communication there are few
more I'll sell to that I
12:35 am leaving those things to you go through this document for insecure communication insecure
Authentication foreign as you know like in the mobile application platform the passwords are very like
we are using like four digit
12:55 PIN and also like we have to depend on the strong encryption mechanism for authentication purpose
the authentication schema should be the updated one let me see some of the mechanisms in case if
they have posted
13:33 how the insecure authentication in mobile platform is all about bypassing the authentication
mechanism so we are trying to directly invoke the API which is responsible for the authentication
purpose and don't store
13:47 any kind of sensitive passwords or Keys within the mobile app it is it is likely that it would lead to
authentication bypass if you are storing the passwords in the mobile platform if uh directly like it is
possible like
14:01 anyone to view those files in the plain text that is one more mechanism don't use weak passwords most
weak passwords storing in the plain text are similar to any kind of application apart from that there is
one
14:17 additional additional feature or you can say as a loophole basically the backend apis are directly
invoked where the attacker will try to bypass the authentication mechanism either by guessing the
tokens or
14:34 trying to make use of the tokens for accessing some of someone else account this is one of the example
for insecure Authentication insufficient cryptography already we discussed this as part of source code
14:57 analysis can anyone tell me some examples of insecure cryptography give me some examples of
insecure insecure cryptography not using proper hashing power hashing algorithms not using proper
encryption algorithm we
15:33 don't have proper key management system what is mean by key management system we have this
public key and private key we should safely store the private keys if not it may lead to some kind of
attacks some of the examples of hashing
15:50 algorithms are MD5 MD4 SHA-1 right don't use outdated algorithms don't use custom encryption
protocols use a standard encryption protocols there are some guidelines try to follow those guidelines
while implementing the
16:18 cryptography in your mobile devices insecure cryptography this is a concept about insecure
authorization how do you perform insecure other authorization basically you are the app owner and
you are trying
16:36 to check the application functionality and you have gone through the source code trying to understand
the application then you are trying to tweak some of the dynamic parameters do you guys remember
functional level authorization object
16:50 level authorization IDOR privilege escalation everything comes under insecure authorization but in
mobile platform definitely you need to modify some of the parameters either in the platform platform
in the sense mobile
17:03 app or you try to intercept the request between client and server we have to use Burp Suite for that you
can see here complete IDOR vulnerabilities how do you check IDOR already I have discussed we need
to look for
17:26 Dynamic parameters that Dynamic parameter try to modify it see if you can access some other personal
details you have installed Facebook app Facebook Messenger in your mobile platform and you are
trying to modify some of the
17:44 things in the mobile app say like ID is equal to 121 that belongs to Hari 123 I put that belongs to Ravi or
Rajiv right I'll be able to see the Rajiv's messages like that this IDOR works hidden endpoints what is
mean by
18:01 endpoint basically you know some urls ideally those URLs will not be shown when your application is
working but if you review The Source Code you'll be able to see some of the links URL links basically we
call it like endpoints by
18:16 making use of those endpoints will be able to access some custom data even some of the roles don't
show the roles in a plain text format try to implement this role-based Access Control don't show the all
the permission so that
18:37 if you are listing all the permissions that are related to the some kind of endpoint it is possible for the
attacker to Tamper those permissions or make use of those permissions for some other attacks
mechanism
18:54 Access Control backend system should completely verify the role the permissions Associated within that
request that's it very simple this is called insecure authorization NPS of Mobile in Mobile also we have
Dynamic parameters
19:10 and when you intercept the request between client and server you can tamper those requests just like
we have done for the API pen testing the same manner you can try for insecure authorization with
respect to the mobile applications
19:27 insecure authorization client code quality this is more of like secure coding practices I can say like you
have your mobile app that is developed with some kind of a programming language Java you are using
19:45 Java compiler and you are able to see the complete source code but you see that the client code quality
is not up to the expectation they are not following proper security standards you can pass some
untrusted input to the
20:04 mobile app right they are my vulnerable to poor code quality client code quality refers to the framework
that is the main difference remember even we get confused in just a second yes the first one we
discussed is improper
20:52 platform usage right improper platform usage refers to the development of the application by not
following secure coding practices within the framework but whereas poor code quality means you are
trying to develop
21:12 some app and you are trying to implement the functionality in an insecure manner trying to implement
the API insecurely that's a code level custom code versus framework platform means framework and
poor code quality means it is a custom
21:28 code that is used by the developers to develop the application how do we prevent that you need to
have proper architecture proper coding practices within the organization and well documentation
validate the input whenever you try to
21:45 consider some user provided data and buffers try to identify the memory leaks and buffer overflows
and memory leaks that's it okay you can easily remember as application code is the poor code quality
and improper platform usage is
22:01 more of like the framework be it some Java c-sharp Swift JavaScript whatever is used for development
of the application code tampering this is a very very important concept already we have done one of
the example
22:19 for code tampering can anyone tell me what is the example we have covered as part of code tampering
give me some example give me some example of code tampering board means in in case of client code
quality
22:47 developers are developing the application mobile app they don't know some of the security features
and they develop the code with some kind of weakness of the vulnerabilities code tampering is not
done by the developers
23:00 developers have given me the APK file and as an attacker I try to modify the functionality of the code
functionality of the app by using this code tampering and I share that package either through some
storage Google Play
23:17 storage or some custom storage and I share that similar app to some of the end users did we cover this
kind of concept earlier you can tell the name also name of the tool which is used for code tampering in
our case
23:48 remember code tampering means there is a package first we need to extract that package right after
extracting you have to do some changes to that package then again rebuild the package what tools we
have used for code tampering
24:04 now I see one correct answer from let me tell you fault off yes that is the correct answer what did we do
with respect to the msfvenom tool I took the current package from the online that is some
24:25 Subway Surfers we have taken the example that package was the secure one before we did some
changes right what is the tool we have used for doing the changes anyone thanks what is the tool we
have used for
24:41 tampering the code so that the package becomes malicious do you guys remember msfvenom hyphen x
Subway Surfers dot APK file then I am trying to do some changes so that I am trying to include the
payload into that package
25:00 first it will try to uh decompile the package okay extract the package do the changes then compile the
package sign the package that's how we are able to get the new package by using the tool called msfvenom
okay you've got the
25:23 difference between client code quality versus code tampering what tampering happens in the production
I take some existing package do the changes rebuild the package and give it to the end users if
someone uses that specific
25:40 package install it will be able to get the Meterpreter session right you can give that example as part of
code tampering when it comes to the interviews they don't go too much deep they may ask you like give
me two or three examples of the
25:55 mobile top 10 vulnerabilities with some examples you can select cryptography mention roller versions
of TLS and then ciphers all those things you can mention under cryptography code tampering you can
mention improper platform usage
26:12 mentioning like vulnerable versions of the Frameworks Java C sharp Swift and data storage TLS
communication here reverse engineering you can easily perform the attacks if you know the application
well if you
26:37 don't know the application well it is very difficult for you to create an attack vector right to understand
that you need to perform reverse engineering to perform reverse engineering you need to understand
the code to understand the
26:50 code first you need to extract the code from the package so how do you do that APK file is f use some
tools like 7g per APK to extract that and we should be able to get what are the different kinds of files
27:06 you get once you extract the package manifest file AndroidManifest.xml DEX files and source files and
we can use a tool called JADX to view the complete source code and the class files by trying to analyze the
27:26 complete functionality you can prepare for further severe attacks by using this reverse engineering okay
this is a one of the example of your simulating if you want to go through these Concepts code
tampering what did they say scroll
27:44 down scroll down scroll down am I vulnerable to code tampering um they didn't give any examples but
the explanation whatever I have given for code tampering holds good okay basically it's not allow any
kind of external code
28:18 or any kind of alteration to the existing code that is the definition of code tampering reverse engineering
also we have discussed we need to extract the class files by using decompilers and dex to jar
converters
28:58 the last one is extraneous functionality anyone who wants to explain about this functionality this
vulnerability make use of mic or you can reply the chat window as well meantime guys give your
attendance for
29:16 today mention your name location and the badge you have attended the cyber security clearing foreign
who wants to explain about extraneous functionality anyone what do you mean by extra something
additional right
32:12 same thing you are trying to implement some additional functionality as part of your mobile app think
like SM in the mobile app you can see your friends and you can chat with your friends Facebook take an
example of the Facebook
32:27 application uh you have your friend friends accounts conference images and videos it is not possible for
you to delete the images and videos of your friends account right some or other way the developer has
32:47 implemented the functionality called delete the images and videos of your any account but it is not
shown in the mobile app but there is an endpoint URL which can do that job basically some of the
functionalities
33:03 which are not exposed to the users through the application but when you go through the source code
analysis or when you walk through the code or functionality behind the package you'll be able to get
some of the endpoints or
33:18 some of the apis to perform some kind of extra functionality to perform this kind of attacks so the
original functionality which are actually which can compromise the CIA you can consider that is called as
extraneous
33:32 functionality and we have these 10 vulnerabilities you can prepare two or three lines for each and every
one Urban D with one example whichever I have mentioned I have given one two three or three
examples of each and every vulnerability
33:49 go through this whenever you want to perform mobile pen test okay this is all about OWASP Top
10 the next concept is very important more often it will be asked in the interviews unless try to have
some kind of a
34:03 theoretical background because the in I can say like not in all the cases they will give you the package
which is signed okay because you need to bypass the SSL pinning to perform the testing so you get the
34:24 package without SSL pinned to perform the testing activities but still in few cases if you get a package
with SSL pinning you need to bypass that SSL pinning by using some tools called Frida but you need to
34:39 understand what exactly mean by SSL pinning and how do we Implement that how do we bypass that
how many of you know TLS communication here is a client and here is a server when I say client it is
mobile app
35:20 in our case when I say server the server is in like a normal server whichever can be used for either web
applications or mobile apps okay client communicates with server it sends a request and it receives the
response
35:46 from the server this is how the communication happens and for secure communication we are
dependent on SSL or it is also called TLS everyone knows how the TLS handshake happens as part of
TLS handshake
36:04 the public key will be stored in the client or private key will be stored in the server we have configured
the digital certificate and it will have both private key and public key is this asymmetric or encryption
and
36:20 asymmetric or symmetric encryption process when you are using two keys anyone try to respond in the
chat window symmetric or asymmetric whenever we use two keys it is definitely asymmetric encryption
process
36:44 right so we have the server's public key server's private key for TLS communication we have to share
public key to the client or private key do we share public key or private key of the server to that client
37:27 already I have discussed in a lot of sessions with respect to the encryption hashing symmetric
asymmetric whenever the asymmetric encryption process happens private means secret key it is private
only to the server right we have
37:41 configured the digital certificate to have this TLS communication between the end users and the server
so we have this private key and public key public key is to share to the clients now that I am getting one
public key
38:00 public key of the server right okay to enable TLS communication to enable TLS communication I am
getting the public key from the server then what is mean by SSL pinning SSL pinning is the older version
of TLS
38:18 which is outdated but still we call it like SSL or TLS TLS stands for transport layer security okay
considering that there are different ways how you can first try to understand what is meant by SSL
pinning
38:36 SSL pinning means we try to incorporate the certificate certificate or public key or hash of public key
these are the different ways how we can do SSL pinning where do you put all these things when you
develop this mobile app when I
38:59 say client it is a mobile app this is a server developers are here they are trying to develop the app the
same app whatever is used by the client these people try to develop the code right by using some
programming language they
39:17 are trying to develop this application when this when they develop this application they try to end
embed the certificate when the queue is add to those end users they're trying to include this certificate
in the app itself so that we
39:40 have this search certificate one here and server certificate also is a server certificate one or it can be
okay server certificate is a line certificate is a this client certificate is embedded into the client package
40:00 whenever the TLS communication happens the server certificate details will be received to the client
certificate details will be shared I try to compare cert one is equal to cert one that is received from the
server
40:16 it should match it is not matching then it will not enable SSL communication so that's so the first case is
we try to pin the digital certificate through the mobile app that's how like SSL pinning happens this is
the first
40:33 case second case instead of pinning the digital certificate you try to add public first one is certificate
pinning second one is public key pinning so don't add the certificate into the package just as frame the
public key
40:52 and build the package and send it to the end users okay the public Keys already desired as part of the
package so I'll mention like public key as part of package and to enable the communication between
41:13 client and server for TLS we receive we receive one more public key from the server public key from the
server it should match but SSL pinning this is the second approach how we are trying to enable SSL
pinning
41:33 the first case is certificate just a second base the first case is certificate from the package versus
certificate from the server we try to compare the certificates of both client and server if those are
matching then only the SSL
42:05 communication happens if those are not matching no SSL communication this is called SSL pinning by
using certificate pinning the second one is public key public key pinning and the last one is hash
pinning
42:23 hash in a sense you got the public key from the package then try to generate the hash H1 by using any
algorithm like SHA-1 SHA-2 SHA-3 you want the public key from the server try to generate the hash two
42:40 if these two are matching then only this TLS communication gets established if not no TLS
communication this is how the SSL communicate SSL pinning happens between the mobile app and
the server okay little complex process but you need to
42:59 have some knowledge on these certificates public key public key private key digital certificates
certification Authority it's so to enable SSL pinning you can follow these three approaches either of
these
43:32 three approaches not the one right either certificate pinning or public key pinning or hash pinning we
will try to compare we will try to compare the hashes or certificates or public key on the client side to
enable the SSL
43:50 communication do you want to perform this I see a question from money ready do you want do we
need to perform this as part of Mobile PT no we don't perform this comparison as part of Mobile pen
testing
44:06 this is like how the package is built and when you want to perform the pen testing you need to bypass
this pinning to perform Man in the middle attack man in the middle attack as a hacker you want to sit
44:21 between the client and server right here is a hacker and by intercepting the request between client and
server so the app or the end user talks with the attacker attacker talks with the server and again server
talks with the
44:39 attacker then attacker talks with the victim this is called man in the middle attack we have seen about
Burp Suite tool how it works right Burp Suite is used for intercepting the request between client and
server even
44:54 for mobile apps also we can use Burp Suite only thing is you need to bypass SSL pinning how do we
bypass it there is a question considering all the scenarios whatever I have explained so far give me some
suggestions how we can
45:11 bypass a simple take one minute of time and then answer you know got one correct answer yes of
course we can use Frida Frida is a tool that can be used for bypassing the SSL pinning and there are
some other approaches are
46:17 here is a certificate which you have added to the mobile app right and it is stored under user trusted
certificates if you see in your mobile go to the settings search for cert set means it will try to list you
46:37 all the trusted certificates in your mobile platform you need to overwrite this pack certificate or you can
add some custom certificate to this trusted certificate store we have to override this package not the
46:51 package certificate in the package in that way we'll be override the certificate and we'll be able to
perform Man in the middle attack or you try to override the public key in case of the second scenario
the last scenario
47:04 the same thing the second one the way how it works third one also works because we are just trying to
calculate the hash these are the ways how we can do the SSL pinning and remember the tool Frida is a
tool that is used for SSL
47:19 pinning okay only thing is there are some kind of commands that are used sequence of scripts that are
used for bypassing the SSL pinning this I'll share it by tomorrow already after tomorrow the sequence of
steps it is not easy to
47:37 remember it is lengthy process at least to tell like okay what is the process that is involved in doing the
SSL pinning this is the approach what we can perform from my end I'll share you these tips how we can
bypass SSL pinning after you
47:54 bypass this SSL pinning rest of the concepts are same how did you intercept the APIs by using Burp Suite we
configure the proxy by using Postman tool in case of API we use Postman tool in case of mobile platform
48:12 you have to bypass the SSL pinning and install that APK file in the client then use Burp Suite configure
the proxy in the mobile platform then between the client and server you should be able to intercept the
request
48:29 if I don't have some understanding on the theory part practicals don't spend much time because the
reason is it will take a lot of time to set up these emulators all those things having theoretical
knowledge will get you the
48:41 job okay any questions anyone the API for APS we use Postman tool for intercepting the request okay
it's not for intercepting for framing the request you can intercept those requests with the help of
Burp Suite and that I guess we
50:10 have discussed we didn't discuss if not we'll I'll take one session sometime later you need you guys has
to go through DevSecOps DevSecOps I am going to I'm going to give a demo for you guys after one
hour of week like
50:25 that it is like a one out of month course but I'll give you the overview in case if you are trying for the
jobs the demonstration is itself is enough for you to try for the jobs I'll show you one end to end flow
then in case if you
50:38 want to get process you need to get enrolled for the complete course and then one minute in case if
you have guys any more questions you can ask me fine guys I have taken three sessions for mobile
security I'll be sharing
51:53 these videos in the YouTube and we'll try to publish once it is ready it may take another one or two days
okay we'll keep you updated we'll be sharing these videos so don't worry about all these things okay
52:04 friend guys thank you so much with this you can put mobile penetration testing in your air in your
resume and try for the jobs