Friday, February 28, 2014

Intro to Mobile Application Security Testing: How to install GoatDroid in MobiSec

MobiSec

I've started to investigate mobile application security, and one of the tools that seems useful is MobiSec. MobiSec, like Kali or SamuraiWTF, is a Linux distro that bundles many tools geared towards mobile application security.

GoatDroid

Like many of the other Goat applications OWASP has, GoatDroid is intended to be an application riddled with vulnerabilities for people to find. You can find out more about the GoatDroid app here.
MobiSec also comes with another sample app, by SecurityCompass. You can find out more about the SecurityCompass lab here.

Setting MobiSec Up

OK, first things first. We install MobiSec as a virtual machine and click through the installer. Once that's done, we log in with mobisec/mobisec. The next thing we'll do is disable the firewall. This is normally a horrible decision to make, but in the interest of being able to focus on the task of assessing mobile applications we'll disable iptables so it isn't a distraction. You are running MobiSec behind a NAT and 7 proxies, aren't you?

To disable the firewall, go to System -> Administration -> Firewall configuration.

You'll be asked for the root password, which is mobisec, and then you'll uncheck the Enabled box.

Something else I did was update and upgrade the software packages by running sudo apt-get update && sudo apt-get upgrade.

The next thing I did was update the Android SDK. Going to Applications -> MobiSec -> Development Tools -> Development Environments -> Android SDK Manager will open the Android SDK Manager so you can see which SDK versions and tools are installed.

MobiSec 1.1 came with Android SDK Tools version 17 and Android SDK Platform Tools version 11, while versions 20 and 12 were available. Go ahead and click Install 2 packages to download the updates. You'll be greeted with a dialog to accept the user agreement for each update, or you can select to accept all of them.

Once you finish this, a dialog will pop up telling you to close the manager and re-run it. Do this, because more updates become available after the first round. I'm not sure why it can't just update everything to the most current version in the first go around. However, you might run into an issue if you blanket accept all of the updates. I had to uncheck the option to download anything in API 19 because I got an error like this if I tried to:
I just updated everything else, then re-ran the manager a third and fourth time, accepted all of the available updates, and it ran just fine. Is any of this mandatory? Probably not, but I just prefer to update whenever possible.

Setting Up GoatDroid

Next we'll wget the pre-packaged GoatDroid project by running this command from a terminal:
wget https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip
Then we'll unzip it by running:
unzip OWASP-GoatDroid-0.9.zip
Inside the OWASP-GoatDroid-0.9 directory there should be a goatdroid-0.9.jar. Run this jar from inside that directory by typing:
java -jar goatdroid-0.9.jar
You should see the GoatDroid application appear.

The first thing to do is to configure GoatDroid. Open the configuration screen by going to Configure -> Edit Configuration.
You will want to set the Virtual Devices Path to point to a specific device located in ~/.android/avd; I chose Android_4.0.3.avd in this example. You will also want to point the SDK Path to /opt/mobisec/devtools/android-sdk. If you left the firewall enabled, you'd have to look at the Web Services tab and make the appropriate adjustments to allow connections. Otherwise just hit Update Settings.

We'll try running the FourGoats application first. Select it from the list on the left.

Start the Android 4.0.3 emulator by going to Applications -> MobiSec -> Development Tools -> Emulators & Simulators -> Android 4.0.3 Emulator.

It may take a while for the emulator to boot up depending on how fast your computer is. Eventually though you should see a screen like this:

Now we'll install the GoatDroid application on the emulated device. From the GoatDroid application, click on the Push App To Device button. You'll see a dialog saying that it is pushing the application to the device. After a little bit you should get another dialog saying that it has successfully installed the application. Go ahead and click on the Start Web Service button as well.

Look at the installed apps by clicking the icon with the 6 squares in the top right hand corner. You should now see the Four Goats app listed.

Go ahead and click on the GoatDroid application. It should take you to a login screen. First we'll need to configure the connection settings. Click the 3 little squares in the upper right hand corner and click Destination Info. Next, set the Host to MobiSec's IP address and set the HTTPS port to 9888. Hit Save and you should be taken back to the login screen.

Use goatdroid/goatdroid to log in.

And now you should be in. Test away!

This procedure is essentially the same for installing and setting up the Herd Financial app too.
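The download, unzip and run steps above as a script, with two checks the walkthrough skips: the archive is hashed before the jar is executed, and a probe confirms something is actually listening on the GoatDroid HTTPS port (9888) before you type MobiSec's address into the emulator's Destination Info screen. This is an added example, not code from the original post or from the GoatDroid project. The URL, file names and port are taken from the post; the SHA-256 value is a placeholder (the post gives no checksum, so record the hash of a copy you trust and put it there); allow_goatdroid_only assumes the MobiSec firewall is plain iptables with the default INPUT chain, as the post describes, and must be run as root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): scripts the GoatDroid setup and
# adds an integrity check and a readiness probe. Helper functions are defined
# first; nothing runs unless the script is invoked with the "setup" argument.

GOATDROID_URL="https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip"
GOATDROID_ZIP="OWASP-GoatDroid-0.9.zip"
GOATDROID_DIR="OWASP-GoatDroid-0.9"
GOATDROID_JAR="goatdroid-0.9.jar"
GOATDROID_PORT=9888   # HTTPS port entered under Destination Info in the post
# PLACEHOLDER: the post publishes no checksum. Replace with the SHA-256 of the
# archive you have verified out of band before trusting this script's result.
GOATDROID_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# wait_for_port HOST PORT TRIES -> 0 as soon as a TCP connect to HOST:PORT
# succeeds, 1 if it still fails after TRIES attempts one second apart.
# Uses bash's /dev/tcp redirection so no extra tools (nc, nmap) are needed.
wait_for_port() {
    host=$1; port=$2; tries=$3
    while [ "$tries" -gt 0 ]; do
        if bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# allow_goatdroid_only: the narrower alternative to switching iptables off.
# Accepts inbound TCP on the GoatDroid port only and leaves every other rule
# in place. Assumes a plain iptables INPUT chain; run as root.
allow_goatdroid_only() {
    iptables -A INPUT -p tcp --dport "$GOATDROID_PORT" -j ACCEPT
}

# setup_goatdroid: wget, checksum, unzip, then launch the GoatDroid GUI from
# inside its directory (the post runs the jar from there) in the background.
setup_goatdroid() {
    [ -f "$GOATDROID_ZIP" ] || wget -O "$GOATDROID_ZIP" "$GOATDROID_URL"
    if ! verify_sha256 "$GOATDROID_ZIP" "$GOATDROID_SHA256"; then
        echo "checksum mismatch for $GOATDROID_ZIP; not running it" >&2
        return 1
    fi
    [ -f "$GOATDROID_DIR/$GOATDROID_JAR" ] || unzip -o "$GOATDROID_ZIP"
    (cd "$GOATDROID_DIR" && java -jar "$GOATDROID_JAR") &
    echo "GoatDroid GUI started; click Start Web Service, then run: $0 check"
}

# check_web_service: run after clicking Start Web Service. Confirms the
# service is up on 9888 before you point the emulator at this host.
check_web_service() {
    if wait_for_port 127.0.0.1 "$GOATDROID_PORT" 30; then
        echo "GoatDroid web service is listening on $GOATDROID_PORT"
    else
        echo "nothing listening on $GOATDROID_PORT after 30s" >&2
        return 1
    fi
}

# Only act when asked, so the file can be sourced for its helpers without
# side effects.
case "${1:-}" in
    setup) setup_goatdroid ;;
    check) check_web_service ;;
esac
```

Run it as ./goatdroid_setup.sh setup once, click Start Web Service in the GoatDroid window, then ./goatdroid_setup.sh check; only when the check passes is it worth entering the host and port 9888 in the emulator. The checksum gate matters because the archive is fetched over the network and then executed as a jar with the privileges of your user; a placeholder hash will refuse to run anything, which is the intended default until you have filled in a value you trust.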

So What?

This is enough to get you started, but we haven't really done anything yet in the way of assessing GoatDroid. I'll be posting how-tos as I chug along and figure this stuff out. Better hope I'm smrat enough!

32 comments:

  1. The application is not that easy to use, but still I would love to read more of your posts related to free mobile messaging app services.

  2. Excellent post thanks for sharing. We run an organization named Avyaan where we offer mobile application security testing services.

  3. The future of software testing is on a positive note. It offers huge career prospects for talented professionals to be skilled software testers. software testing training institute in Chennai | Software Testing Training in Chennai | Software testing course in Chennai

  5. This is the best community for anyone who is passionate about discovering themselves with writing and who has the desire to excel in the fast changing online world. Mobile application development is a term used to denote the act or process by which application software is developed.

  6. As you see there is no protection from different frauds so parents have to take care of their children.
    If you are worried about it, you can use flexispy for mobile tracking not to let your child be lured into bad or even dangerous situations

  7. This substance makes another trust and motivation within me. A debt of gratitude is in order for sharing article this way. The way you have expressed everything above is entirely amazing. Continue blogging this way.
    Regards,
    Software Testing Training in Chennai | Testing Training in Chennai | Software Training institutes in Chennai

  8. Greens Technology's, the leading software training & placement centre in Chennai (Adyar)
    ibm-message-broker training in chennai

  9. Greens Technology's, the leading software training & placement centre in Chennai (Adyar)
    informatica training in chennai

  10. I am following your blog from the beginning, it was so distinct & I had a chance to collect conglomeration of information that helps me a lot to improvise myself.
    Regards,
    testing training in chennai|Software training institutes in chennai

  11. Interesting topic shown here. I am now working on it regularly and would say keep the future posts like this, continuously monitoring the feature.

  12. The security workers are prepared every day so they can be in standard with the everyday abilities and are always overhauled with the crisis technique information, which is profoundly required for them. https://how-to-remove.org/malware/ransomware-removal/fbi-virus/

  13. Great and useful post on mobile application security. Thanks for sharing this webpage.
    Regards,
    Mobile Application Testing | Mobile App Testing | Mobile Automation Testing

  14. Nice blog, here I had an opportunity to learn something new in my field. I have an expectation about your future post so please keep updates.
    Selenium training institute in Chennai|Selenium Training Chennai

  15. The blog gave me an idea for mobile application security. Thanks for sharing it.
    Android Training in Chennai

  17. The essence of any open source application is that it gives a wide range of customizations that keep renovating in themselves. Make money

  18. Really nice information you had posted. It's very informative and definitely it will be useful for many people.
    iOS Training in Chennai
    Android Training in Chennai
    php Training in Chennai

  20. Great Work. This post is worth everyone’s attention. web design company in chennai

  21. Thanks for posting useful information. You have provided a nice article, thank you very much for this one. And I hope this will be useful for many people, and I am waiting for your next post; keep on updating these kinds of knowledgeable things. Really it was an awesome article, very interesting to read.
    Please keep sharing information like this.
    Android training in chennai
    Ios training in chennai

  22. The blog gave me an idea about mobile application security. My sincere thanks for sharing this post; please continue to share this kind of post.
    Android Training in Chennai

  23. This is excellent information. It is amazing and wonderful to visit your site. Thanks for sharing this information; it's very useful to me.
    Android training in chennai
    Ios training in chennai

  24. Thank you so much for this nice post. This is very informative and helpful Earning Money Online

  25. "There may be a steeper learning curve for older consumers but if there's a technology that meets their needs, these consumers will buy and spend big."SuperSu root

  26. Being new to the blogging world I feel like there is still so much to learn. Your tips helped to clarify a few things for me as well as giving..
    Mobile App Development Company

  27. Great blog. You put good stuff. All the topics were explained briefly, so it was quick for me to understand. Thanks for sharing.
    Software Testing Training in Bangalore
    Dot Net Training in Chennai
