Ajin Abraham

Product Security Consultant, IMMUNIO (INDIA)

Paper Title

Automated Mobile Application Security Assessment with MobSF


The mobile application market is growing rapidly, and so is the mobile security industry. With frequent application releases and updates, conducting a complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable and scalable web framework called Mobile Security Framework, or MobSF (https://github.com/ajinabraham/YSO-Mobile-Security-Framework), for security analysis of mobile applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code.

During the presentation, I will demonstrate some of the issues identified by the tool in real world Android applications, categorised under the OWASP Mobile Top 10 as Weak Server Side Controls (M1), Insufficient Transport Layer Protection (M3), Poor Authentication and Authorisation (M5) and Broken Cryptography (M6), and also include runtime analysis of an obfuscated Android malware. The latest Dynamic Analyzer module will be released at NULLCON. This module is currently available for Android applications: the app runs inside our custom virtual machine, or on a device configured with our agents. The advantage is that the tester can navigate through the different flows of the application while our agents capture information in the background and perform the security analysis. Analysis is done on decrypted HTTPS traffic, application dumps, logs, error or crash reports, debug information, and application assets such as files, preference files and databases. The framework is highly scalable, lets you add your own custom rules with ease, and supports report generation.

Speaker Bio

Ajin Abraham is a Product Security Consultant for IMMUNIO with 6+ years of experience in Application Security, including 3 years of Security Research. He is passionate about developing new and unique security tools rather than depending on pre-existing tools that never work. Some of his contributions to the hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, MalBoxie, Firefox Add-on Exploit Suite and NodeJsScan, to name a few. He is the co-founder of X0RC0NF, an annual security conference conducted in Kerala. He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In The Box and c0c0n.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved