Friday, February 28, 2014

Intro to Mobile Application Security Testing: How to install GoatDroid in MobiSec

MobiSec

I've started to investigate mobile application security and one of the tools that seems to be useful is MobiSec. MobiSec, like Kali or SamuraiWTF, is a Linux distro that has many tools that are geared towards the mobile application security arena.

GoatDroid

Like many of OWASP's other Goat applications, GoatDroid is intended to be an application riddled with vulnerabilities for people to find. You can find out more about the GoatDroid app here.
MobiSec also comes with another sample app, by SecurityCompass. You can find out more about the SecurityCompass lab here.

Setting MobiSec Up

Ok, first things first. We install MobiSec as a virtual machine and click through the installer. Once that's over with, we log in with mobisec/mobisec. The next thing we'll do is disable the firewall. This is normally a horrible decision to make, but in the interest of being able to focus on the task of assessing mobile applications we'll disable iptables so it isn't a distraction. You are running MobiSec behind a NAT and 7 proxies, aren't you?

To disable the firewall, go to System -> Administration -> Firewall configuration.

You'll be asked to provide the root password, which is mobisec, and then you'll uncheck the Enabled box.

Something else I did was update and upgrade the software packages by running sudo apt-get update && sudo apt-get upgrade.

The next thing I did was update the Android SDK. Going to Applications -> MobiSec -> Development Tools -> Development Environments -> Android SDK Manager will open the Android SDK Manager so you can see which SDK and tools are installed.

MobiSec 1.1 came with Android SDK Tools version 17 and Android SDK Platform Tools version 11, while versions 20 and 12 were available. Go ahead and click on Install 2 packages to download the updates. You'll be greeted with a dialog to accept the user agreement for each update, or you can select to accept all.

Once you finish this, a dialog will pop up telling you to close the manager and re-run it. Do this, because more updates become available after the restart. I'm not sure why it can't just update everything to the most current version in the first go around. However, you might run into an issue if you blanket-accept all of the updates. I had to uncheck the option to download anything in API 19 because I got an issue like this if I tried to:
I just updated everything else, then re-ran the manager a third and fourth time, accepted all of the available updates, and it ran just fine. Is any of this mandatory? Probably not, but I just prefer to update whenever possible.

Setting Up GoatDroid

Next we'll wget the pre-packaged GoatDroid project by running this command from a terminal:
wget https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip
Then we'll unzip it by running:
unzip OWASP-GoatDroid-0.9.zip
Inside the OWASP-GoatDroid-0.9 directory there should be a goatdroid-0.9.jar. Run this jar by typing:
java -jar goatdroid-0.9.jar
You should see the GoatDroid application appear.

The first thing to do is configure GoatDroid. Open the configuration screen by going to Configure -> Edit Configuration.
You will want to set the Virtual Devices Path to point to a specific device located under ~/.android/avd. I chose Android_4.0.3.avd in this example. You will also want to point the SDK Path to /opt/mobisec/devtools/android-sdk. If you left the firewall enabled, you'd have to look at the Web Services tab and make the appropriate adjustments to allow connections. Otherwise just hit Update Settings.

We'll try running the FourGoats application first. Select it from the list on the left.

Start the Android 4.0.3 emulator by going to Applications -> MobiSec -> Development Tools -> Emulators & Simulators -> Android 4.0.3 Emulator.

It may take a while for the emulator to boot up depending on how fast your computer is. Eventually though you should see a screen like this:

Now we'll install the GoatDroid application on the emulated device. From the GoatDroid application, click on the Push App To Device button. You'll see a dialog saying that it is pushing the application to the device. After a little bit you should get another dialog saying that it has successfully installed the application. Go ahead and click on the Start Web Service button as well.

Look at the installed apps by clicking the icon with the 6 squares in the top right-hand corner. You should now see the Four Goats app listed.


Go ahead and tap the Four Goats (GoatDroid) application. It should take you to a login screen. First we'll need to configure the connection settings. Tap the 3 little squares in the upper right-hand corner and choose Destination Info. Next set the Host to MobiSec's IP address and set the HTTPS port to 9888. Hit Save and you should be taken back to the login screen.

Use goatdroid/goatdroid to log in.

And now you should be in. Test away!

This procedure is essentially the same for installing/setting up the Herd Financial app too.
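As an added preflight script (my own example, not code from the post or from the GoatDroid project), this checks the three things the steps above depend on: the AVD path under ~/.android/avd, the SDK path at /opt/mobisec/devtools/android-sdk, and whether the web service is actually listening on port 9888, and it prints the MobiSec address to enter in the emulator's Destination Info. It assumes that an AVD directory contains config.ini and that Push App To Device relies on platform-tools/adb under the SDK path.

```python
"""Preflight checks for the GoatDroid setup above (constructed example)."""
import socket
from pathlib import Path

DEFAULT_AVD = Path("~/.android/avd/Android_4.0.3.avd").expanduser()  # from the post
DEFAULT_SDK = Path("/opt/mobisec/devtools/android-sdk")               # from the post
WEB_SERVICE_PORT = 9888  # the HTTPS port entered under Destination Info

def check_avd(avd_path):
    """Assumption: a usable AVD directory holds the emulator's config.ini."""
    p = Path(avd_path)
    if not p.is_dir():
        return f"AVD path {p} is not a directory"
    if not (p / "config.ini").is_file():
        return f"{p} has no config.ini; pick a device under ~/.android/avd"
    return None

def check_sdk(sdk_path):
    """Assumption: Push App To Device shells out to platform-tools/adb."""
    p = Path(sdk_path)
    adb = p / "platform-tools" / "adb"
    if not p.is_dir():
        return f"SDK path {p} is not a directory"
    if not adb.is_file():
        return f"{adb} missing; install Platform-tools from the SDK Manager"
    return None

def web_service_listening(host="127.0.0.1", port=WEB_SERVICE_PORT, timeout=1.0):
    """True if something accepts TCP connections on the web service port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def mobisec_host_ip():
    """The address to type into the emulator's Host field: this VM's outbound
    IPv4, read from a UDP socket (connect() on UDP sends no packet)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("10.255.255.255", 1))
        return s.getsockname()[0]
    except OSError:
        return "127.0.0.1"  # no route: fall back to loopback
    finally:
        s.close()

def preflight(avd_path=DEFAULT_AVD, sdk_path=DEFAULT_SDK, host="127.0.0.1"):
    """Every problem found; an empty list means Push App To Device and the
    emulator's Destination Info settings should work as described."""
    problems = [m for m in (check_avd(avd_path), check_sdk(sdk_path)) if m]
    if not web_service_listening(host):
        problems.append(f"nothing on {host}:{WEB_SERVICE_PORT}; click Start Web Service")
    return problems

if __name__ == "__main__":
    for line in preflight() or ["all checks passed"]:
        print(line)
    print("Host for Destination Info:", mobisec_host_ip())
```

Run it inside the MobiSec VM after clicking Start Web Service; each line it prints names the setting to fix before pushing the app.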

So What?

This is enough to get you started, but we haven't really done anything yet in the way of assessing GoatDroid. I'll be posting how-to's as I chug along and figure this stuff out. Better hope I'm smrat enough!
