Blog

UPDATE: April 2nd – Added new pinning article thanks @an_animal!
UPDATE: Feb 14th – Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!

Android Security is like IPv6: It will catch you sooner or later :). It is becoming more common for Web Applications to involve a Mobile Application component.  The purpose of this post is to try to get the average infosec person (or competent developer) up to speed asap.

Free Tools

• OWASP Mobisec ISO: This is a bootable ISO like Backtrack/Samurai WTF but for Mobile testing, including lots of tools, emulators, etc (i.e. saves you a lot of time) Click to explore  (Slides here). NOTE: You can install it on a VM for persistent changes, updates, etc
• Dan Cornell/DenimGroup’s scripts (Click to explore): I made some small contributions to this new release and Dan added more improvements (released yesterday: Feb 13th!)
• Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented (pinning links below), as well as other debugging tasks: Click to explore (Source here)
• Java Decompiler: Click to explore

NOTE: You need the Java source to do source code searches for insecure practices. jd-gui is just the best tool for this, unfortunately it’s a GUI tool so you’ll have to manually open the .jar file and then click on File / Save all Sources it to save all the .java files to disk:

• Droidsheep (for broken SSL PoCs): Click to explore
• SQLite editor (Edit SQLite databases from your phone): Click to explore
• Android APK Tool: Click to explore
• Agnitio (@securityninja’s source code review tool, contains Android and iPhone app analysis features and great checklist questions):  Click to explore

Vulnerable Apps

• OWASP GoatDroid (Jack Mannino): Click to explore
• Pandemobium (Dan Cornell/DenimGroup): Click to explore

Useful Presentations

• OWASP Top 10 Mobile Risk (Jack Mannino, Zack Lanier, Mike Zusman) Click to explore
• Advanced Code Review Tecniques (Prashant Verma, Dinesh Shetty): Click to explore
• UI Redressing A$acks on Android Devices (Marcus Niemietz): Click to explore (Paper here)
  
• Whack-­‐A-­‐Mobile II (Secure Ideas: Kevin Johnson, Tony DeLaGrange): Click to explore
  
• Mobile Malfeasance (Jason Haddix) Click to explore
• Seven Ways to Hang Yourself with Google Android (Yekaterina Tsipenyuk O’Neil and Erika Chin): Click to explore (NOTE: Android Intent Madness explained here!)
• TEAM JOCH vs. Android: The Ultimate Showdown (Jon Oberheide, Zach Lanier): Click to explore
• Mobile Threats and OWASP Mobile Top 10 Risks (Securbay): Click to explore
• Secure Android Applications The OWASP Way (Jack Mannino): Click to explore
• Mobile Application Security Code Reviews (Dan Cornell/DenimGroup): Click to explore
• Cracking the Code of Mobile Applications (Sreenarayan Ashokkumar): Click to explore (Slides here)
• (Italian with lots of English, easy for Spaniards/Valencian-Catalonian speakers :)) – OWASP Top 10 Mobile Risks: Click to explore

On SSL validation and pinning

• OWASP Pinning CheatSheet: Click to explore
• Certificate Pinning in a Mobile Application: Click to explore
• Defeating SSL certificate validation for Android Applications  (McAfee):  Click to explore
• Your app shouldn’t suffer SSL’s problems (Moxie Marlinspike): Click to explore
• Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks: Click to explore (Source here)
• Certificate Pinning
• Public key pinning: Click to explore
• Surveillance works! Let’s have more of it: Click to explore

Forensics

• FROST: Forensic Recovery Of Scrambled Telephones (full disk encryption bypass via cold boot attacks against new Android 4 devices): Click to explore

Further reading

• OWASP Top 10 Mobile Risks: Click to explore
• OWASP Top 10 Mobile Controls: Click to explore
• Android Security and Permissions: Click to explore
• Android Security Overview: Click to explore
• Rough overview of HP Fortify’s Android checks: Click to explore
• Reversing Android apps (the article focuses on malware but reversing an .apk for review is largely equivalent)

P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.