We would like to present to you our new issue - this time we are all about mobile security. We hope you will find the articles interesting and will have time to read them all.
This month we decided to focus on Android security - we haven’t touched upon this topic for a while. We gathered articles that are related to this topic in various ways. Whether you are an expert in mobile security or just starting, we’re sure you will find something for yourself.
We will start with two articles explaining pentesting Android. The first one, by Suraj Rajkumar Waghmare, explains how to pentest Android applications using drozer. The second one, by Olivia Orr, is a step-by-step guide to Android pentesting.
Next we have an article by Daniel W. Dieterle explaining how to quickly and conveniently get user credentials by running Responder on Kali NetHunter. Maurício Harley will show us how Mobile Security Framework can analyze mobile malware, and Ajit Kumar will explain how you can do reverse engineering on Android with Androguard.
But that’s still not all we have for you! You can also read about Quick Android Review Kit, securing mobile apps, and analyzing malware. We also have a couple of interviews to wrap up this issue on a lighter note. We hope you will enjoy all of it.
We would also like to thank you for all your support. We appreciate it a lot. If you like this publication, you can share it and tell your friends about it! Every comment means a lot to us.
Enjoy your reading,
Android Application Pen-Testing Using Drozer
by Suraj Rajkumar Waghmare
In this article, we are going to learn Android application pen-testing using one of the most popular tools, called “Drozer”. The most important aspect of an Android application is its “app components”. App components are the entry points of an application; the system can use them to enter the application. These app components determine the behaviour of the application. The following are the four components of an app: Content Provider, Activity, Services, and Broadcast Receiver. We are going to target these four components.
Mobile Penetration Testing Tutorial
by Olivia Orr
The objective of this tutorial is to learn the most common vulnerabilities in mobile applications using an app intentionally designed to be insecure. This tutorial will be based on the Windows platform, but you can use other systems if you wish.
Using NetHunter & Responder for Quick User Creds and “Pass the Hash”
by Daniel W. Dieterle
In this article, we will discuss how to easily get user credentials (hashes & clear text passwords) from a vulnerable Windows network using Responder on Kali NetHunter. We will cover how to get a remote shell on a wired network by using a wirelessly connected NetHunter system and Responder’s Multi-Relay tool to “Pass the Hash”. We will then deepen our control over the target by using PowerShell to create a remote Meterpreter shell.
Dissecting Malware with MobSF
by Mauricio Harley
This article will cover Mobile Security Framework. MobSF is a very good tool to analyze Android and iOS malware. For the sake of this article, I opted to test only Android malware samples. Its quick and easy-to-use GUI makes the task of analyzing malicious code a pleasant experience. Static analysis seems powerful. However, the dynamic analysis engine is extremely useful to see the suspicious application’s real behavior.
Peeping Inside Android Applications: Reverse Engineering with Androguard
by Ajit Kumar
Reverse engineering is one of the ways to find out what’s inside any Android application; it also helps developers to learn, test and debug their own applications as well as applications written by others. Reverse engineering is a complex and cumbersome task, so tools like Androguard automate this task and hence ease the job of reverse engineers. This tutorial provides a brief introduction to Androguard, explains the various tools available inside Androguard and provides some examples of basic reverse engineering with Androguard.
Quick Android Review Kit (QARK) – A comrade for Android security analysis
by Vinayak Joshi and Venkatesh Sivakumar (Pranav Venkat)
QARK stands for Quick Android Review Kit. It is a quirky companion for uncovering the hidden potential vulnerabilities of any Android application. It is an open community tool designed to assist mobile application security pentesters in reverse engineering mobile applications and conducting static analysis for hidden vulnerabilities that can potentially create critical breaches. This article will explain how to use it.
Mobile App – Secure SDLC
by Varun Malhotra
Mobile devices are used these days for all our personal and professional needs and have become a basic necessity for everyone. The amount of sensitive information available on mobile devices makes them an attractive target for hackers, who attack them to find various vulnerabilities, either in the mobile app or the device itself, and exploit them accordingly. It is made even easier for hackers to find critical vulnerabilities, considering that most apps are designed and developed without much focus on the security aspect. Basically, most organizations are focusing on mobile app development without having a Secure SDLC in place.
Solving Android Malware Threats With Drozer
by Dr. Sadouanouan Malo and Constantin Drabo
Android is becoming the most used technology in the mobile and smartphone area. However, the security of the platform is a big deal, since malware and viruses are spreading on the web and affecting mobile resources. Even though there are a lot of options available, it is difficult to decide how to write a secure application and apply a pragmatic solution. Throughout this article we will show you how to check the security strength of your application and how to solve those issues using Drozer, a solution from the company MWR Labs.
For this kind of vulnerability, you have to think a bit outside of the box
An interview with Achim Brucker and Michael Herzberg, creators of DVHMA - Damn Vulnerable Hybrid Mobile App
Work hard - An Interview With Mohamed Elkhabit
We asked Mohamed Elkhabit to have a quick chat with us about graduating, entering the job market, and pursuing a professional career in the cybersecurity field. We hope his answers will be useful to those of you hoping to start your careers.