BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)

Published on October 16, 2017

Author: davidecioccia

Source: slideshare.net

Content

1. BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash

2. About Me
   - #whoami: Davide Cioccia
   - Security Engineer @ ING Bank NL
   - Italian living in the NL
   - +7 years security experience
   - Security magazines and OWASP MSTG contributor
   - Focus: mobile application security, SSDLC, PT & VA, Incident Response

3. Agile Way of Working

4. CI/CD: Requirements, Design, Code, Build, Test, Release, Deploy, Operate (the diagram maps Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment and DevOps onto these stages)

5. Security challenges
   - Technical:
     - Provide security at the DevOps speed
     - Detect vulnerabilities in an early stage
     - Have developers understand security
     - Have pentesters focus on the "serious" stuff
   - Business:
     - Lower cost to fix
     - Lower time to fix
     - Lower time for testing
     - Lower time to market

6. Manual vs Automation

7. Automate the testing: the biggest problem

8. Solution: BDD Testing. Describe the behavior of your software in a very understandable language.

9. Solution: BDD Testing with Cucumber and Gherkin
   - Automated
   - Understandable by all the stakeholders
   - It fits in the workflow of CI/CD

10. BDD Testing: business facing and technology facing (diagram)

11. BDD security tests
   - Different frameworks available in the market
   - Usage of PT tools, such as Nessus, ZAP, Burp etc.
   - Focused on server side testing (API, Web Services, ...)

12. Mobile BDD security tests?

13. Mobile BDD security tests?

14. Main problems
   - different Operating Systems
   - client side testing
   - different apps (native, hybrid, web)
   - different security controls
   - different way of testing (iOS, Android, Windows Phone)

15. How to fix these problems?

16. We need a security standard for Mobile Testing

17. We need a process
   - Pipeline stages: Requirements, Design, Code, Build, Test, Release
   - Security activities mapped onto them:
     - Security Requirements
     - Threat modeling (abuse case generation)
     - Threat based security controls & test specification
     - Implement BDD standardized security tests
     - Implement BDD application specific security tests
     - Test against acceptance environment
   - Inputs: MSTG test cases, MASVS checklist
   - Manual PT: identify the flaw, patch the flaw

18. We need a tool
   - Cross platform (Android, iOS); we just cut Windows Phone off, right?
   - Support for hybrid apps
   - Running on emulators
   - Running on real devices
   - Possibility to integrate it in the CI/CD
   - Support for Gherkin syntax
   - A lot of customization
   - Free! (We like that :D)

19. And the winner is ... calaba.sh

20. Calabash

21. Calabash

22. Integration with other mobile security frameworks
   - Pentest frameworks for Android and iOS
   - Automate manual activities
   - Scriptable
   - The agent must run on the device
   - Powered by MWRlab

23. Let’s try it out https://github.com/dineshshetty/Android-InsecureBankv2

24. UC1: sensitive information in log file (standard test)
   - Requirements
     1. Logs must not contain usernames
     2. Logs must not contain passwords
     3. Logs must not contain information related to the user
     4. Logs must not disclose sensitive information
   - MASVS V2 - Data Storage and Privacy
   - MSTG 2.1: Sensitive information in log files

25. What's wrong here?

26. What's wrong here?

27. Use case 1: sensitive information in log file - Feature

28. Use case 1: sensitive information in log file - Feature

29. Use case 1: sensitive information in log file - Step
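As an added example (not code from the talk or from Calabash itself), a Ruby helper that a Cucumber step definition for use case 1 could call: it scans a logcat capture for the test user's credentials and for user-related fields. The log lines and the credentials are constructed for the example; the step is assumed to have captured the log with `adb logcat -d` beforehand.

```ruby
# Constructed sample logcat output in the shape a login flow that logs its
# request would produce. Values are made up for this example.
SAMPLE_LOGCAT = <<~LOG
  I/ActivityManager( 812): Start proc com.android.insecurebankv2
  D/LoginActivity( 4321): Logging in user=dinesh password=Dinesh@123$
  D/OkHttp( 4321): POST http://10.0.2.2:8888/login HTTP/1.1
  I/DoLogin( 4321): Response: {"message":"Correct Credentials","user":"dinesh"}
  D/Vibrator( 812): vibrate 50ms
LOG

# Field names whose presence counts as "information related to the user"
# (requirement 3) even when the logged value is not the test credential.
USER_FIELDS = %w[user username email phone account].freeze

# Returns [rule, line] pairs for every log line that breaks a requirement.
# secrets: the credentials the test logged in with, e.g. { username: 'x' }.
# Requirements 1 and 2 are checked by literal value, requirement 3 by field name.
def log_violations(logcat, secrets)
  logcat.each_line.map(&:strip).each_with_object([]) do |line, out|
    secrets.each do |name, value|
      out << [name, line] if line.include?(value)
    end
    USER_FIELDS.each do |field|
      out << [:user_data, line] if line.match?(/\b#{field}["']?\s*[=:]/i)
    end
  end.uniq
end

# Body of a step such as (constructed Gherkin):
#   Then the application log must not contain the user's credentials
# The step passes only when nothing was found; the violations are what a
# failing report should print so developers see the offending line.
def log_is_clean?(logcat, secrets)
  log_violations(logcat, secrets).empty?
end
```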

30. Similar tests implemented
   - Sensitive data in the clipboard: adb shell su <uid> service call clipboard 2 s16 <package_name>
   - Sensitive data in keyboard cache: query /data/data/com.android.providers.userdictionary/databases/user_dict.db

31. Use case 2: Internal activities must not be exported
   - Requirements
     1. The only exported activity must be the login
     2. Internal activities should have the flag exported set to false
   - MASVS: V6 - Platform Interaction; V4 - Authentication and Session Management

32. Use case 2: Internal activities must not be exported - Feature

33. Use case 2: Internal activities must not be exported - Step without Drozer

34. Use case 2: Internal activities must not be exported - Step with Drozer

35. Use case 3: JavaScript in WebView must be disabled
   - Requirements
     1. The WebView must not execute JavaScript code
     2. If an input is reflected in the WebView it must be sanitized
   - MASVS V6: Platform interaction
   - MSTG V6.5: JavaScript is disabled in WebViews unless explicitly required.

36. Use case 3: JavaScript in WebView must be disabled - Feature

37. Use case 3: JavaScript in WebView must be disabled (<HTML /> loadsave)

38. Use case 3: JavaScript in WebView must be disabled - Step
   - Provided by Calabash
   - Checks if an alert box is executed and contains the text specified

39. Use case 4: Content provider information disclosure
   - Requirements
     1. Content Providers must not expose sensitive information
     2. Content Providers must not be exported if there are no other apps from the same developer
     3. Content Providers must use android:exported="false" instead of android:exported="true"
   - MASVS V6: Platform Interaction
   - MSTG: Testing Platform Interaction on Android

40. Use case 4: Content provider information disclosure - Feature

41. Use case 4: Content provider information disclosure - Feature

42. Use case 4: Content provider information disclosure - Step
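An added example, not the talk's own step code, covering the "without Drozer" variant of use cases 2 and 4: a static check of the decoded AndroidManifest.xml in Ruby using REXML from the standard library. The manifest below is constructed and its component names are invented; the check assumes the manifest was decoded with apktool before the step runs, and treats a component that declares an intent-filter without an android:exported attribute as exported, which was the platform default at the time of the talk.

```ruby
require 'rexml/document'

# Constructed manifest: one launcher activity, two internal activities that
# leak (explicit export, implicit export via intent-filter) and one provider.
SAMPLE_MANIFEST = <<~XML
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.example.bank">
    <application>
      <activity android:name=".LoginActivity" android:exported="true">
        <intent-filter>
          <action android:name="android.intent.action.MAIN"/>
          <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
      </activity>
      <activity android:name=".PostLogin" android:exported="true"/>
      <activity android:name=".ChangePassword"/>
      <activity android:name=".ViewStatement">
        <intent-filter><action android:name="com.example.VIEW"/></intent-filter>
      </activity>
      <provider android:name=".TrackUserContentProvider"
                android:authorities="com.example.bank.TrackUser"
                android:exported="true"/>
    </application>
  </manifest>
XML

# Names of <kind> components ("activity", "provider", ...) reachable by other
# apps: android:exported="true", or no attribute but an <intent-filter> present.
def exported_components(manifest_xml, kind)
  doc = REXML::Document.new(manifest_xml)
  REXML::XPath.match(doc, "//application/#{kind}").select do |el|
    exported = el.attributes['android:exported']
    exported.nil? ? !el.elements['intent-filter'].nil? : exported == 'true'
  end.map { |el| el.attributes['android:name'] }
end

# UC2 requirement 1: the login screen is the only activity allowed to be exported.
# Returns the offending activity names; the step passes when the list is empty.
def unexpected_exported_activities(manifest_xml, allowed = ['.LoginActivity'])
  exported_components(manifest_xml, 'activity') - allowed
end

# UC4 requirements 2 and 3: every exported provider needs an explicit
# justification, so the step reports all of them.
def exported_providers(manifest_xml)
  exported_components(manifest_xml, 'provider')
end
```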

43. Other tests implemented:
   - Exploit Broadcast Receivers
   - Intent Sniffing
   - Sensitive information in Pasteboard
   - More...

44. Integration with CI/CD (Jenkins)
   - Android emulator plugin
   - Add Gemfile to your workspace
   - Shell script
   - https://azevedorafaela.wordpress.com/2014/10/08/9-steps-to-configure-jenkins-with-calabashcucumber/

45. Improvements
   - Include OWASP ZAP for API test
   - Use the "backdoor" feature to modify the code at runtime
   - ?

46. DEMO

47. Achievements
   - Speed
   - Quality
   - Accuracy
   - Scalability
   - Maturity
   "Trying to speed project schedule by reducing testing is like trying to lose weight by donating blood" - Klaus Leopold

48. THANK YOU Davide Cioccia email: [email protected] web: davidecioccia.com
