Tuesday, May 29, 2012

Setting up GoatDroid properly

GoatDroid is a vulnerable android application for mobile security enthusiasts to learn & practice. I used to face a lot of challenges using GoatDroid. Most of the times I had no clue as to what went wrong in my installation, which is giving me a particular error. This makes me write a blog documenting the correct steps for proper functioning of this application.

Most of the errors I got included "Something Weird Happened", "An unexpected error has occured", "Login Failed", "Unable to Register" and Blank/No error. So here are the steps to follow for a proper setup (ofcourse you will be using QuickStartGuide)-

  • Make sure your MySQL database is properly set, with Login Name as "goatboy", Password as "goatdroid" and Limit Connectivity to Hosts Matching "localhost". Also "goatboy" needs to have insert, delete, update, select on fourgoats database.
  • When you run the jar file first time, point the SDK Path to the SDK installation (....\android-sdk in Windows) and Virtual Devices Path to the avd directory (C:\Documents and Settings\<current-user>\.android\avd)
  • Once your application is well installed in the emulator, you need to get the "Destination Info" correct. You can use 10.0.2.2 as the Destination IP with 8888 as the port number (Webservices is running on this port). Do not use 127.0.0.1. Emulator considers 127.0.0.1 as itself and 10.0.2.2 as the host machine. This is explained in details here.
  • Register & Login, everything goes well now.
The above ones are those silly mistakes which result in the errors mentioned earlier. If these are done, properly you are set.

Now if anyone is not able to capture the traffic in a proxy, here are the steps-

Normally you set 10.0.2.2 & port 8888 in "Destination Info" in emulator. But for setting the Burp Proxy v1.4.01, 
  • Run Burp Proxy on 7000 port, loopback should not be selected, "support invisible" should be enabled. Set the upstream proxy servers to host 127.0.0.1 and port 8888.
  • Start the emulator with this command- emulator.exe -avd <name> -http-proxy 127.0.0.1:7000.
  • Set 10.0.2.2 & port 7000 as "Destination Info" in the application running on emulator.
Ofcourse you can run Burp Proxy on your favorite port other that 8888, I preferred 7000.

Have Fun with Android and GoatDroid!

Monday, April 23, 2012

OWASP APAC 2012 Experience


This year OWASP APAC conference was held at Sydney from Apr 11 to 14. Paladion was invited yet again at the OWASP conference after Jaideep & Siddharth presented at Gold Coast in 2009.

This time Dinesh & myself were conducting a training class on “Mobile Applications & Security”, followed by a talk next day on “Advanced Mobile Application Code Review Techniques”.

About the Training: It was interesting to see some of the web/mobile app developers and the prospective mobile app developers in our class. We started with the mobile introductions and threat modeling. Rest of our session focused on Android & iOS. We taught Android architecture, development basics, security testing, demonstrated security vulnerability via a vulnerable application coded by our team. (The Android vulnerable application can be downloaded at Paladion Labs section at www.paladion.net). We did the same cycle for iOS applications. We concluded the class with a discussion on OWASP Mobile Top 10 Risks.

About the Talk:  We were discussing the mobile application vulnerabilities from the code base for half of the time, focusing on Android & iOS application vulnerabilities. Later we presented on automating the static analysis to discover these vulnerabilities at pace. We discussed the analysis logic & keywords for the vulnerabilities. We have developed a batch script for the Android, which we demonstrated during the talks. The same is also available for download at Paladion Labs.

We got some of the good feedbacks from attendees. This gives an enthusiastic & satisfactory feeling about the work we have been doing for a while. We met some of the well known security guys, hackers & security enthusiasts. It was good to be the part of a global conference & attend the best talks in the industry. I personally loved Mike Park’s “Mobile Security on iOS & Android”, Jason Haddix’s “Pentesting iOS Applications”, Christian Frichot on BeEF and Justin Searle discussing Grid Apps Pentest. Jeremiah Grossman presented some of the useful statistics during his keynote. OWASP Panel Discussion & the OWASP sponsored Dinner were also enjoyed by maximum.

All presentations should be available online in a week at OWASP wiki. Paladion Android vulnerable application & the script for static analysis are available for download here. We look forward to participate more at global conferences.

Thursday, December 29, 2011

Setting up Proxy for Blackberry Simulators


Setting up Proxy for Blackberry Simulators:

1. Install MDS and email simulator

2. Install Device simulator

3. Open the rimpublic.property file. The rimpublic.property file can be found at \Program Files\Research In Motion\BlackBerry Email and MDS Services Simulators #.#.#\MDS\config
(Please note location differs if you are using a Blackberry JDE (Java Development Environment))

4. Under the [HTTP HANDLER] section, update the following:

application.handler.http.proxyEnabled = true
application.handler.http.proxyHost=hostname
application.handler.http.proxyPort=hostport

Wednesday, November 16, 2011

Android 4.0 Face Unlock bypass

Google recently launched its latest Android version (4.0). One of the new features it has is Face Unlock. This is in news with some videos demonstrating how this feature can be fooled by simply showing it a digital image of the user.


A key learning for any developer/vendor is to make sure that they have tested their product for the basic test cases before launching. Think about the bypass vectors for your feature, frame test cases for these vectors, and finally test it to see the result. If you find the test case to fail, then fix the code.

A simple test case for a feature like Face Unlock is to "show it a printed photograph" or "show it a digital image". I am sure Google must have done their part well. Lets wait to listen some official announcement on this.

Tuesday, November 15, 2011

About IPT & 2FA

I read an article today which says-


MasterCard today became the latest company to employ Intel's Identity Protection Technology (IPT) -- which basically converts a laptop or client device into a second factor of authentication -- for online commerce.


Full details here: http://www.darkreading.com/authentication/167901072/security/client-security/231903013/baking-strong-authentication-into-client-devices.html


My thoughts-


Hardcoded Intel chip plays the role of software token, thus providing the token for Two Factor Authentication (2FA). Entire security lies on the fact that it is very very difficult to break into the hardcoded chip. This sounds promising for now.