Intro to Mobile Application Security Testing: How to install GoatDroid in MobiSec

MobiSec

I've started to investigate mobile application security and one of the tools that seems to be useful is MobiSec. MobiSec, like Kali or SamuraiWTF, is a Linux distro that has many tools that are geared towards the mobile application security arena.

GoatDroid

Like many of the other Goat applications OWASP has, GoatDroid is intended to be an application that is riddled with vulnerabilities for people to find. You can find out more about the GoatDroid app here.

MobiSec does come with another sample app by SecurityCompass. You can find out more about the SecurityCompass lab here.

Setting MobiSec Up

Ok, first thing's first. We install MobiSec as a virtual machine and click through. Once that's over with, we login with mobisec/mobisec. Next thing we'll do is disable the firewall. This is normally a horrible decision to make, but in the interest of being able to focus on the task of assessing mobile applications we'll disable iptables so it isn't a distraction. You are running MobiSec behind a NAT and 7 proxies aren't you?

To disable the firewall, we'll go to System -> Administration -> Firewall configuration

You'll be asked to provide the root password, which is mobisec, and then you'll uncheck the Enabled box. 

Something else I did was update and upgrade the software packages by running a sudo apt-get update && sudo apt-get upgrade.

The next thing I did was update the Android SDK. Going to Applications -> MobiSec -> Development Tools -> Development Environments -> Android SDK Manager will open the Android SDK Manager so you can see what SDK and tools are installed. 

MobiSec 1.1 came with Android SDK Tools version 17 and Android SDK Platform Tools 11 while versions 20 and 12 were available. Go ahead and click on Install 2 packages to download the updates. You'll be greeted with a dialog to accept the user agreements for each update or you can select to accept all. 

Once you finish this, a dialog will pop up that tells you to close the manager and re-run it. Do this because new updates are available. I'm not sure why it can't just update everything to the most current version in the first go around. However, you might run into an issue if you blanket accept all of the updates. I had to uncheck the option to download anything in API 19 because I got an issue like this if I tried to:

I just updating everything else and then re-ran the manager a third and fourth time and accepted all of the available updates and it ran just fine. Is any of this mandatory? Probably not, but I just prefer to update whenever possible.

Setting Up GoatDroid

Next we'll wget the pre-packaged GoatDroid project by running this command from a terminal, wget https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip

Then we'll unzip it with by running, unzip OWASP-GoatDroid-0.9.zip 

Inside the OWASP-GoatDroid-0.9 directory there should be a goatdroid-0.9.jar. Run this jar by typing, java -jar goatdroid-0.9.jar

You should see the GoatDroid application appear.

First thing to do is to configure GoatDroid. Open the configuration screen by going to Configure -> Edit Configuration. 

You will want to set the Virtual Devices Path to point to a specific device that is located in ~/.android/avd. I chose the Android_4.0.3.avd in this example. You will also want to point the SDK Path to /opt/mobisec/devtools/android-sdk. If you left the firewall enabled, you'd have to look at the Web Services tab and make the appropriate adjustments to allow connections. Otherwise just hit Update Settings.

We'll try running the FourGoats application first. Select it from the list on the left

Start the Android 4.0.3 emulator by going to Applications -> MobiSec -> Development Tools -> Emulators & Simulators -> Android 4.0.3 Emulator.

It may take a while for the emulator to boot up depending on how fast your computer is. Eventually though you should see a screen like this:

Now we'll install the GoatDroid application to your device. From the GoatDroid application, click on the Push App To Device button. You'll see a dialog saying that it is pushing the application to the device. After a little bit you should get another dialog saying that it has successfully installed the application. Go ahead and click on the Start Web Service button as well.

Look at the apps installed by clicking the top right hand corner with the 6 squares. You should now see the Four Goats app listed.

Go ahead and click on the GoatDroid application. It should take you to a login screen. First we'll need to configure the connection settings. Click the 3 little squares in the upper right hand side and click Destination Info. Next set the Host to be MobiSec's IP address and set the HTTPS port to be 9888. Hit Save and you should be taken back to the login screen.

 Use goatdroid/goatdroid to login.

And now you should be in. Test away!

This procedure is essentially the same for installing/setting up the Herd Financial app too.

So What?

This is enough to get you started, but we haven't really done anything yet in the way of assessing GoatDroid. I'll be posting how-to's as I chug along and figure this stuff out. Better hope I'm smrat enough!