Security Testing

Mobile Security Framework (MobSF) Configuration


Requirements

Static Analysis

NOTE:
  • On Linux and Mac, install Oracle Java 1.7 or above and make it the default one.
  • On Linux, make sure you have 32 bit execution support enabled.

Dynamic Analysis

  • MobSF x86 Android VM requires Oracle VirtualBox - VirtualBox Download
  • Android Studio and a configured virtual device are required if you are using the MobSF ARM Emulator. Intel HAXM is recommended.
  • Hardware Requirements: Min 4GB RAM, 5GB HDD/SSD and Virtualization Support for running MobSF VM

Downloads

Installation

Tested on Windows (7, 8, 8.1, 10), Kali (2016.2), Ubuntu (14.04), OSX (Mavericks, Yosemite, El Capitan, Sierra)
  • Windows: Clone MobSF Repository to C:\
  • Mac: Clone MobSF Repository to /Users/[username]/
  • Linux: Clone MobSF Repository to /home/[username]/

Configuring Static Analyzer

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

Install MobSF Python dependencies using pip

Windows

C:\Python27\python.exe -m pip install -r requirements.txt
NOTE: If you face any issues, download and install the latest python 2.7.x

Mac

pip install -r requirements.txt --user
If it throws error like pip command not found then run the following command.
sudo easy_install pip
Then run the command,
pip install -r requirements.txt --user

Linux

sudo apt install build-essential libssl-dev libffi-dev python-dev
pip install -r requirements.txt --user

PDF Report Generation

  • You need to install wkhtmltopdf binary separately for generating PDF reports.
  • Check wkhtmltopdf downloads and Installing wkhtmltopdf wiki for more information.
  • In Windows, you need to add the folder that contains wkhtmltopdf binary to environment variable PATH.

Running MobSF

python manage.py runserver
If you need to run on a specific port number try
python manage.py runserver PORT_NO
To expose MobSF to a particular IP, you can try
python manage.py runserver IP:PORT_NO
If everything goes right, you will get an output like the one below.
Mobile Security Framework (MobSF) Running
You can navigate to http://localhost:8000/ to access the MobSF Web interface.

Configuring Dynamic Analyzer

MobSF Dynamic Analysis currently supports Android and can be done in four ways.
  1. Dynamic Analysis with MobSF Android 4.4.2 x86 VirtualBox VM - default (Fast, not all Apps work)
  2. Dynamic Analysis with MobSF Android 4.1.2 arm Emulator - (Slow, Most Apps work)
  3. Dynamic Analysis using a Rooted Android 4.03 - 4.4 Device (Very Fast, All Apps work)
  4. Dynamic Analysis using a Rooted Android 4.03 - 4.4 VM (not tested)

Configuring Dynamic Analyzer with MobSF Android 4.4.2 x86 VirtualBox VM

Dynamic Analyzer is available only for Android binaries (APK) and works only if your computer has at least 4GB of RAM and Full Virtualization support.
To Configure Dynamic Analyzer we need 4 things.
  • VM UUID
  • Snapshot UUID
  • Host/Proxy IP
  • VM/Device IP

Steps to Follow

  • Open VirtualBox, go to File -> Import Appliance and select the MobSF_VM_X.X.ova file.
    (Screenshot: Importing MobSF VM ova file)
  • Proceed with the import process. Do not alter anything.
  • Once the OVA is imported successfully, you will see a new entry in VirtualBox named MobSF_VM_X.X.
  • Right click MobSF VM and choose Settings, then go to the Network tab. Here we need to configure two Network Adapters.
    • Adapter 1 should be enabled and attached to Host-only Adapter. Remember the name of the adapter; we need the name to identify the Host/Proxy IP.
      (Screenshot: Adapter 1)
    • Adapter 2 should be enabled and attached to NAT.
      (Screenshot: Adapter 2)
  • Save the settings and start MobSF VM. While the VM is booting up, note down the VM IP.
    (Screenshot: VM IP)
  • Once the VM boots up, it will present a Lock Screen. The password for the Lock Screen is 1234.
    (Screenshot: MobSF VM)
    NOTE: If the VM does not boot up properly, then you cannot perform Dynamic Analysis with MobSF VM.
  • Getting the Host/Proxy IP
    • Windows: Issue the command ipconfig in command prompt and note down the IP corresponding to the name of the Host-only Adapter.
      (Screenshot: ipconfig example windows)
    • Unix: Issue the command ifconfig in terminal and note down the IP corresponding to the name of the Host-only Adapter.
      (Screenshot: ifconfig example in mac)
    NOTE: The VirtualBox Host-Only Adapter IP and MobSF VM IP should be in the same network range. If your MobSF VM IP and Adapter IP are in different network ranges, modify the Adapter IP to be in the same network range as that of MobSF VM IP.
    See:
  • Go to Wi-Fi Settings in MobSF VM and set the Proxy IP as the Host/Proxy IP which you have obtained from the previous step and port no as 1337.
    (Screenshot: Proxy Settings in VM)
  • Save the settings and navigate to the Home Screen of MobSF VM. Wait for 30 seconds and save a snapshot of the MobSF VM in VirtualBox.
    (Screenshot: Saving MobSF VM Snapshot)
  • Once the Snapshot is saved, right click MobSF VM and select Show in Explorer or Show in Finder.
    (Screenshot: Show VM Files)
  • Open the file MobSF_VM_X.X.vbox in any text editor and note down the VM UUID and Snapshot UUID.
    (Screenshot: Getting VM UUID and Snapshot UUID)
    Here the value of uuid is the VM UUID and currentSnapshot is the Snapshot UUID.
  • Now we have all the things needed to configure the Dynamic Analyzer (Host/Proxy IP, VM IP, VM UUID and Snapshot UUID).
  • Go to MobSF/settings.py and set the appropriate values as
    • UUID = VM UUID
    • SUUID = Snapshot UUID
    • VM_IP = VM IP
    • PROXY_IP = Host/Proxy IP
  • In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_VM" (default). This will configure MobSF to use Android VirtualBox VM for Dynamic Analysis.
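As an added example (not part of the MobSF guide or the MobSF project), the following Python script does the last three steps mechanically: it reads the uuid and currentSnapshot attributes from a .vbox file, checks that the Host-only adapter IP and the VM IP sit in the same network range, and prints the settings.py lines. The .vbox content is a constructed sample in the layout VirtualBox writes (a <Machine> element carrying those two attributes); the /24 prefix used for the range check and the stripping of the curly braces around the UUIDs are assumptions.

```python
"""Added example, not MobSF's own code: derive the MobSF_VM settings from a .vbox file."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a MobSF_VM_X.X.vbox file. VirtualBox stores the machine as
# XML; the `uuid` and `currentSnapshot` attributes on <Machine> are the two values
# the guide tells you to copy. The UUIDs below are made up.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-linux">
  <Machine uuid="{11111111-2222-3333-4444-555555555555}" name="MobSF_VM_X.X"
           OSType="Other" snapshotFolder="Snapshots"
           currentSnapshot="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}">
    <Snapshot uuid="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}" name="Snapshot 1"/>
  </Machine>
</VirtualBox>
"""


def read_vbox_ids(vbox_xml: str) -> dict:
    """Return the VM UUID and Snapshot UUID found in the .vbox XML.

    The file uses a default namespace, so the element is matched with the
    `{*}` wildcard. Assumption: the braces VirtualBox writes around the UUIDs
    are not wanted in settings.py, so they are stripped.
    """
    root = ET.fromstring(vbox_xml)
    machine = root.find("{*}Machine")
    if machine is None:
        raise ValueError("no <Machine> element found: is this a .vbox file?")
    uuid = machine.get("uuid")
    suuid = machine.get("currentSnapshot")
    if not uuid or not suuid:
        # currentSnapshot only appears once a snapshot has been saved.
        raise ValueError("uuid/currentSnapshot missing: save a snapshot first")
    return {"UUID": uuid.strip("{}"), "SUUID": suuid.strip("{}")}


def same_network(proxy_ip: str, vm_ip: str, prefix: int = 24) -> bool:
    """True when both addresses fall inside the same /prefix network.

    Assumption: the Host-only network is a /24, which is VirtualBox's usual default.
    """
    host_net = ipaddress.ip_network(f"{proxy_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(vm_ip) in host_net


def render_settings(vbox_xml: str, proxy_ip: str, vm_ip: str) -> str:
    """Produce the settings.py lines from the guide, refusing mismatched networks."""
    if not same_network(proxy_ip, vm_ip):
        raise ValueError(
            f"Host-only adapter IP {proxy_ip} and VM IP {vm_ip} are not in the "
            "same network range; change the adapter IP before continuing"
        )
    ids = read_vbox_ids(vbox_xml)
    return "\n".join(
        [
            f"UUID = '{ids['UUID']}'",
            f"SUUID = '{ids['SUUID']}'",
            f"VM_IP = '{vm_ip}'",
            f"PROXY_IP = '{proxy_ip}'",
            "ANDROID_DYNAMIC_ANALYZER = 'MobSF_VM'",
        ]
    )


if __name__ == "__main__":
    # Constructed addresses: a typical Host-only adapter and a VM on that network.
    print(render_settings(SAMPLE_VBOX, "192.168.56.1", "192.168.56.101"))
```

To use it on a real install, read the MobSF_VM_X.X.vbox file into a string instead of SAMPLE_VBOX and pass the two addresses you noted down; the script refuses to emit settings when the adapter and VM addresses are not in one range, which is exactly the NOTE above.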

Configuring Dynamic Analyzer with MobSF Android 4.1.2 arm Emulator

  • Make sure Android Studio is installed and an AVD is created (Nexus 5 with Lollipop image is recommended).
  • Extract MobSF_ARM_Emulator.zip
  • Run mobsfy_AVD.py script and specify the directory that contains the files extracted from MobSF_ARM_Emulator.zip.
  • In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_AVD". This will configure MobSF to use Android arm Emulator for Dynamic Analysis.

Manual Configuration (not recommended)

  • If mobsfy_AVD.py script is not running successfully, you need to set the values for AVD_EMULATOR and AVD_PATH in MobSF/settings.py manually.
  • Follow the README inside the emulator zip and change all the path fields according to your system.
  • Edit MobSF/settings.py and modify
AVD_EMULATOR = r'/Users/[USERNAME]/Library/Android/sdk/tools/emulator'
# This can be /Users/[USERNAME]/Library/Android/Sdk/emulator/emulator for newer versions of the Android SDK

AVD_PATH = r'/Users/[USERNAME]/.android/avd'
# Path to the avd folder where you extracted the emulator
  • In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_AVD"

Configuring Dynamic Analyzer with Rooted Android 4.03 - 4.4 Device

Configuring Dynamic Analyzer with Rooted Android 4.03 - 4.4 VM

  • MobSFy the Custom VM. Follow the instructions here: Configure MobSF Dynamic Analysis Environment in Custom VM
  • VM on VirtualBox: If the VM is hosted on VirtualBox, follow the same steps that you have followed for configuring MobSF x86 VirtualBox VM, set the appropriate VM UUID, Snapshot UUID, Host/Proxy IP and VM IP, and set ANDROID_DYNAMIC_ANALYZER = "MobSF_VM".
  • Any Other VM: Configure it as a Real device. Set ANDROID_DYNAMIC_ANALYZER = "MobSF_REAL_DEVICE" and specify DEVICE_IP and DEVICE_ADB_PORT.
  • Snapshot feature is only available with VM(s) hosted in VirtualBox.

Updating MobSF

If you are updating MobSF, in most cases you might have to perform database migrations or you will see errors such as
[ERROR] Saving to DB (E:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 236 "static_db.save()"): table StaticAnalyzer_staticanalyzerandroid has no column named
Run the below commands to migrate your db
python manage.py makemigrations
python manage.py migrate
If the above commands didn't work, you might need to delete the file db.sqlite3 or run clean.sh in Mac/Linux. After that run the above commands.
NOTE: This will remove the previously saved MobSF scan results.

Disabled Components

Some components are disabled by default as they are experimental

APKiD

APKiD is disabled by default. Before enabling you will have to install the rednaga fork of yara-python.
git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
Enable APKiD in settings.py by setting APKID_ENABLED to True.

Mass Static Analysis

MobSF supports mass static analysis: Run Mass Static Analysis with MobSF

Using Postgres DB instead of SQLite:

Home Directory Support

If you want all user uploads, downloads and user configurations to be created in the home directory, enable home directory support: Home Directory Support

Docker Image for MobSF Static Analysis

REST API

MobSF REST API Docs: API Docs

Running Tests

  • Basic Static Analyzer unit tests - run MobSF and navigate to http://127.0.0.1:8000/runtest/
  • MobSF REST API unit tests - run MobSF and navigate to http://127.0.0.1:8000/runapitest/


Dynamic analysis with Inspeckage

Inspeckage - (Android Package Inspector) Dynamic Analysis With API Hooks, Start Unexported Activities And More

Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.

Features  
With Inspeckage, we can get a good amount of information about the application's behavior:  

Information gathering  
  •  Requested Permissions; 
  •  App Permissions; 
  •  Shared Libraries; 
  •  Exported and Non-exported Activities, Content Providers, Broadcast Receivers and Services; 
  •  Check if the app is debuggable or not; 
  •  Version, UID and GIDs; 
  •  etc. 
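As an added example, not Inspeckage's or MobSF's own code, the following Python script performs that information gathering offline from a decoded AndroidManifest.xml: it lists the requested permissions, checks android:debuggable, and sorts activities, services, receivers and providers into exported and non-exported sets. The manifest is a constructed sample, and the exported-by-default rule it applies (a component with an intent filter counts as exported; a provider without an explicit attribute does not) is an assumption stated in the code.

```python
"""Added example, not part of Inspeckage or MobSF: gather the basic facts from a manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample of a decoded (textual) AndroidManifest.xml; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo" android:versionName="1.0">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component: ET.Element) -> bool:
    """Decide whether a component is reachable from other apps.

    Assumption (pre-API 31 platform rule): an explicit android:exported wins;
    otherwise a component with an <intent-filter> is exported, and a provider
    without the attribute is not (the API 17+ default).
    """
    explicit = component.get(_a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def gather(manifest_xml: str) -> dict:
    """Collect package name, debuggable flag, permissions and component exposure."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    info = {
        "package": root.get("package"),
        "debuggable": app.get(_a("debuggable"), "false").lower() == "true",
        "permissions": [p.get(_a("name")) for p in root.findall("uses-permission")],
        "exported": {tag: [] for tag in COMPONENT_TAGS},
        "not_exported": {tag: [] for tag in COMPONENT_TAGS},
    }
    for tag in COMPONENT_TAGS:
        for component in app.findall(tag):
            bucket = "exported" if is_exported(component) else "not_exported"
            info[bucket][tag].append(component.get(_a("name")))
    return info


def findings(info: dict) -> list:
    """Turn the gathered facts into the points a reviewer would raise first."""
    out = []
    if info["debuggable"]:
        out.append("application is debuggable (android:debuggable=true)")
    for tag, names in info["exported"].items():
        for name in names:
            out.append(f"exported {tag}: {name}")
    return out


if __name__ == "__main__":
    for line in findings(gather(SAMPLE_MANIFEST)):
        print(line)
```

Run it against the manifest you get from decoding an APK (the same file a static analyzer reads); the exported list is the attack surface reachable without the app's cooperation, and a debuggable release build is the first thing to flag.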

Hooks (so far)  
With the hooks, we can see what the application is doing in real time:  
  •  Shared Preferences (log and file); 
  •  Serialization; 
  •  Crypto; 
  •  Hashes; 
  •  SQLite; 
  •  HTTP (an HTTP proxy tool is still the best alternative); 
  •  File System; 
  •  Miscellaneous (Clipboard, URL.Parse()); 
  •  WebView; 
  •  IPC; 
  •  + Hooks (add new hooks dynamically) 

Actions  
With Xposed it's possible to perform actions such as starting an unexported activity and much else:  
  •  Start any activity (exported and unexported); 
  •  Call any provider (exported and unexported); 
  •  Disable FLAG_SECURE; 
  •  SSL uncheck (bypass certificate pinning - JSSE, Apache and okhttp3); 
  •  Start, stop and restart the application; 
  •  Replace params and return value (+Hooks tab). 

Extras  
  •  APK Download; 
  •  View the app's directory tree; 
  •  Download the app's files; 
  •  Download the output generated by hooks in text file format; 
  •  Take a screen capture; 
  •  Send text to android clipboard. 

Configuration  
Even though our tool has some hooks to the HTTP libraries, using an external proxy tool is still the best option to analyze the app's traffic. With Inspeckage, you can:  
  •  Add a proxy to the target app; 
  •  Enable and disable proxy; 
  •  Add entries in the arp table. 

Logcat  
Logcat.html page. An experimental page with websocket to show some information from the logcat.  

Installation  
Requirements: Xposed Framework  

Xposed Installer  
  1. Go to Xposed Installer, select "Download" 
  2. Refresh and search for "Inspeckage" 
  3. Download the latest version and install 
  4. Enable it in Xposed 
  5. Reboot and enjoy! 

Xposed Repository  
Get it from Xposed repo:  http://repo.xposed.info/module/mobi.acpm.inspeckage  
    adb install mobi.acpm.inspeckage.apk
  1. Enable it in Xposed 
  2. Reboot and enjoy! 

From Source  
Feel free to download the source!  

How to uninstall  
    adb uninstall mobi.acpm.inspeckage
And reboot!  

Genymotion  

Screenshots
