Abstract

Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework or MobSF (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code.

During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications categorised under OWASP Mobile Top 10 like Weak Server Side Controls (M1), Insufficient Transport Layer Protection (M3), Poor authentication and authorisation(M5), Broken Cryptography (M6) and also includes run time analysis of an obfuscated android malware. The latest Dynamic Analyzer module will be released at NULLCON. This module is currently available for Android Applications where the app will run inside our custom Virtual Machine or device configured with our agents. The advantage here is that the tester can navigate through the different flows of the application and our agents will capture the information in background and performs the security analysis. Analysis is done on decrypted HTTPS traffic, application dumps, logs, error or crash reports, debug information, the application assets like files, preference files, and databases. This framework is highly scalable that you can add your custom rules with ease and supports report generation.