Friday, February 28, 2014

Intro to Mobile Application Security Testing: How to install GoatDroid in MobiSec

MobiSec

I've started to investigate mobile application security, and one of the tools that seems to be useful is MobiSec. MobiSec, like Kali or SamuraiWTF, is a Linux distro that bundles many tools geared towards mobile application security.

GoatDroid

Like many of the other Goat applications OWASP has, GoatDroid is intended to be an application that is riddled with vulnerabilities for people to find. You can find out more about the GoatDroid app here.
MobiSec also comes with another sample app, by SecurityCompass. You can find out more about the SecurityCompass lab here.

Setting MobiSec Up

Ok, first things first. We install MobiSec as a virtual machine and click through. Once that's over with, we log in with mobisec/mobisec. The next thing we'll do is disable the firewall. This is normally a horrible decision to make, but in the interest of being able to focus on the task of assessing mobile applications we'll disable iptables so it isn't a distraction. You are running MobiSec behind a NAT and 7 proxies, aren't you?

To disable the firewall, go to System -> Administration -> Firewall configuration.

You'll be asked to provide the root password, which is mobisec, and then you'll uncheck the Enabled box.

Something else I did was update and upgrade the software packages by running sudo apt-get update && sudo apt-get upgrade.

The next thing I did was update the Android SDK. Going to Applications -> MobiSec -> Development Tools -> Development Environments -> Android SDK Manager opens the Android SDK Manager so you can see which SDK and tools are installed.

MobiSec 1.1 came with Android SDK Tools version 17 and Android SDK Platform Tools 11, while versions 20 and 12 were available. Go ahead and click on Install 2 packages to download the updates. You'll be greeted with a dialog to accept the user agreement for each update, or you can select to accept all.

Once you finish this, a dialog will pop up that tells you to close the manager and re-run it. Do this, because new updates are available. I'm not sure why it can't just update everything to the most current version in the first go around. However, you might run into an issue if you blanket accept all of the updates. I had to uncheck the option to download anything in API 19 because I got an issue like this if I tried to:

I just updated everything else and then re-ran the manager a third and fourth time, accepted all of the available updates, and it ran just fine. Is any of this mandatory? Probably not, but I just prefer to update whenever possible.

Setting Up GoatDroid

Next we'll wget the pre-packaged GoatDroid project by running this command from a terminal:

wget https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip

Then we'll unzip it by running:

unzip OWASP-GoatDroid-0.9.zip

Inside the OWASP-GoatDroid-0.9 directory there should be a goatdroid-0.9.jar. Run this jar by typing:

java -jar goatdroid-0.9.jar

You should see the GoatDroid application appear.

The first thing to do is configure GoatDroid. Open the configuration screen by going to Configure -> Edit Configuration.
You will want to set the Virtual Devices Path to point to a specific device located in ~/.android/avd. I chose Android_4.0.3.avd in this example. You will also want to point the SDK Path to /opt/mobisec/devtools/android-sdk. If you left the firewall enabled, you'd have to look at the Web Services tab and make the appropriate adjustments to allow connections. Otherwise just hit Update Settings.

We'll try running the FourGoats application first. Select it from the list on the left.

Start the Android 4.0.3 emulator by going to Applications -> MobiSec -> Development Tools -> Emulators & Simulators -> Android 4.0.3 Emulator.

It may take a while for the emulator to boot up depending on how fast your computer is. Eventually though you should see a screen like this:

Now we'll install the FourGoats application on the emulator. From the GoatDroid application, click on the Push App To Device button. You'll see a dialog saying that it is pushing the application to the device. After a little bit you should get another dialog saying that it has successfully installed the application. Go ahead and click on the Start Web Service button as well.

Look at the installed apps by clicking the icon with the 6 squares in the top right-hand corner. You should now see the Four Goats app listed.

Go ahead and click on the Four Goats application. It should take you to a login screen. First we'll need to configure the connection settings. Click the 3 little squares in the upper right-hand corner and click Destination Info. Next set the Host to MobiSec's IP address and set the HTTPS port to 9888. Hit Save and you should be taken back to the login screen.

Use goatdroid/goatdroid to log in.

And now you should be in. Test away!

This procedure is essentially the same for installing/setting up the Herd Financial app too.
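Since the same steps repeat for every app (and every fresh MobiSec VM), here is an added shell script, not part of the original post or the GoatDroid project, that scripts the download/unzip/launch sequence above and adds the checks I would want before hitting Update Settings and after Start Web Service: that the AVD and SDK paths the configuration screen asks for actually look like an AVD and an SDK, which IP to type into Destination Info, and that something is listening on port 9888. The download URL, the SDK path and the port come from the post; the AVD name, the `hostname -I` lookup and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the GoatDroid project).
# Scripts the GoatDroid setup steps and adds pre-flight checks.
# URL, SDK path and port 9888 are from the post; AVD name and helpers are assumed.
set -eu

GOATDROID_URL="https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip"
GOATDROID_ZIP="OWASP-GoatDroid-0.9.zip"
SDK_PATH="${SDK_PATH:-/opt/mobisec/devtools/android-sdk}"
AVD_PATH="${AVD_PATH:-${HOME:-/home/mobisec}/.android/avd/Android_4.0.3.avd}"   # assumed AVD name
WEB_SERVICE_PORT=9888

# Download the archive if it is not already here, test it, then extract it.
# `unzip -t` catches a truncated download; it is not an authenticity check.
fetch_goatdroid() {
    [ -f "$GOATDROID_ZIP" ] || wget -O "$GOATDROID_ZIP" "$GOATDROID_URL"
    unzip -tq "$GOATDROID_ZIP"
    unzip -oq "$GOATDROID_ZIP"
}

# Print the path of the first goatdroid-*.jar below a directory; return 1 if none.
find_goatdroid_jar() {
    dir="$1"
    jar=$(find "$dir" -name 'goatdroid-*.jar' -print 2>/dev/null | head -n 1)
    [ -n "$jar" ] || return 1
    printf '%s\n' "$jar"
}

# Validate the two paths the Edit Configuration screen asks for.
# An AVD directory carries a config.ini; an SDK carries platform-tools/adb.
check_goatdroid_paths() {
    avd="$1"; sdk="$2"; rc=0
    if [ -f "$avd/config.ini" ]; then
        echo "ok   AVD: $avd"
    else
        echo "FAIL AVD: $avd (no config.ini; look under ~/.android/avd)"; rc=1
    fi
    if [ -x "$sdk/platform-tools/adb" ]; then
        echo "ok   SDK: $sdk"
    else
        echo "FAIL SDK: $sdk (platform-tools/adb missing; run the SDK Manager)"; rc=1
    fi
    return $rc
}

# Read `ss -ltn` or `netstat -ltn` output on stdin; succeed only if a TCP
# socket is listening on exactly $1 (so 19888 does not match 9888).
port_is_listening() {
    port="$1"
    grep -Eq "LISTEN.*[:.]${port}([[:space:]]|\$)|[:.]${port}([[:space:]]|\$).*LISTEN"
}

# The address to enter as Host in Destination Info (first non-loopback IP).
mobisec_ip() {
    hostname -I 2>/dev/null | awk '{print $1}'
}

main() {
    fetch_goatdroid
    jar=$(find_goatdroid_jar "OWASP-GoatDroid-0.9")
    check_goatdroid_paths "$AVD_PATH" "$SDK_PATH"
    echo "Destination Info -> Host: $(mobisec_ip)  HTTPS port: $WEB_SERVICE_PORT"
    echo "After 'Start Web Service', confirm with: ss -ltn | port_is_listening $WEB_SERVICE_PORT"
    java -jar "$jar"
}

# Only act when asked, so the functions can be sourced and checked on their own.
if [ "${1:-}" = "setup" ]; then
    main
fi
```

Run it as `sh goatdroid-setup.sh setup` from the directory you want the zip in; without the argument it just defines the functions, so `. ./goatdroid-setup.sh` followed by `ss -ltn | port_is_listening 9888 && echo up` is a quick way to confirm the web service after clicking Start Web Service. The path check is deliberately stricter than the GoatDroid dialog, which accepts any string, so a typo shows up here rather than as a silent emulator failure later.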

So What?

This is enough to get you started, but we haven't really done anything yet in the way of assessing GoatDroid. I'll be posting how-to's as I chug along and figure this stuff out. Better hope I'm smrat enough!
