Saturday, July 4, 2020

The Mobile Application Security Verification Standard (MASVS)

MASVS is part of the OWASP mobile application security project and can be used as a guideline and set of best practices both during mobile application development and during security testing. It defines two security verification levels (MASVS-L1 and MASVS-L2) plus a set of reverse engineering resiliency requirements (MASVS-R); combining a level with the optional R requirements gives a total of four verification levels.
  • MASVS-L1: security requirements recommended for all mobile applications.
  • MASVS-L2: security requirements for applications that handle sensitive data and therefore need a higher level of protection.
  • MASVS-R: requirements for applications that need resiliency against reverse engineering and tampering, such as apps that handle highly sensitive data or where protecting intellectual property and tamper-proofing the app is a goal.
Therefore, a mobile application can be verified against one of the following four levels:
  1. MASVS-L1
  2. MASVS-L1+R
  3. MASVS-L2
  4. MASVS-L2+R
You can read more about OWASP MASVS in the official publications.

Sunday, March 15, 2020

Important Controls for a Mobile Application and Why


If you are looking for the complete guide to a given level of security, refer to the Mobile Application Security Verification Standard (MASVS) by the Open Web Application Security Project (OWASP). MASVS defines the level of security required based on the nature and use of your application, with detailed verification requirements grouped into categories such as architecture, design and threat modeling, data storage and privacy, and so on. MASVS-L1 is the basic level of security requirements recommended by OWASP.

MASVS-L2 adds defense-in-depth measures such as SSL pinning. Achieving MASVS-L2, however, does not cover root/jailbreak detection or tamper detection; those belong to MASVS-R. MASVS-L2 is the level recommended for applications such as mobile banking apps, yet with a little effort SSL pinning on its own is easy to bypass. If you want to know more about bypassing SSL pinning with Inspeckage, please refer to my previous post.

Implementing SSL pinning correctly and securely therefore means also implementing the controls that prevent it from being bypassed. The following are the three main controls to consider if your application needs to be protected from traffic interception and you want to achieve MASVS-L2 (together with the relevant MASVS-R requirements):
  1. SSL pinning
  2. Root/jailbreak detection
  3. Tamper and repackaging detection
1. SSL Pinning
One of the most vital security controls for a mobile application is SSL pinning. Most attacks start by intercepting the app's traffic with a proxy such as Burp Suite or ZAP, so a control that makes interception harder is required, and SSL pinning is the main control used for that at the moment: instead of accepting any certificate the device happens to trust, the app only accepts the certificate or public key it was built to expect.
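As an added example (not code from the original post), this is what pinning looks like in an Android app that uses OkHttp. The hostname api.example.com and both pin values are placeholders; the primary pin is the SHA-256 of your server's SubjectPublicKeyInfo and the backup pin belongs to a spare key kept offline, so that a key rotation does not lock every installed client out.

```java
// Added example: certificate pinning with OkHttp's CertificatePinner.
// HOST and both pin values are placeholders, not real pins.
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import java.io.IOException;

public final class PinnedClient {
    private static final String HOST = "api.example.com"; // placeholder host

    // Pin the SPKI hash rather than the whole certificate, so a routine
    // certificate renewal that keeps the same key does not break the app.
    // Two pins: the production key and a backup key.
    private static final CertificatePinner PINNER = new CertificatePinner.Builder()
            .add(HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder primary pin
            .add(HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // placeholder backup pin
            .build();

    private static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .certificatePinner(PINNER)
            .build();

    /**
     * Returns the response body. If the server's certificate chain contains no
     * key matching a pin, OkHttp throws SSLPeerUnverifiedException before any
     * request data is sent, which is exactly what a proxy with its own CA hits.
     */
    public static String fetch(String path) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + HOST + path)
                .build();
        try (Response response = CLIENT.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Unexpected HTTP status " + response.code());
            }
            return response.body().string();
        }
    }
}
```

The pin value for a live server can be computed with openssl: fetch the certificate with `openssl s_client -connect host:443`, pipe it through `openssl x509 -pubkey -noout`, then `openssl pkey -pubin -outform der`, `openssl dgst -sha256 -binary` and `openssl enc -base64`. On Android 7 and later the same pins can instead be declared without code in a `<pin-set>` inside `network_security_config.xml`, which also covers HttpsURLConnection. Either way, the check runs inside the app process, which is why the hooks discussed in the rest of this post can switch it off.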




2. Root/Jailbreak Detection
If your application is allowed to run on a rooted/jailbroken device, it is more exposed than an application with root/jailbreak detection. One thing I want to highlight is the possibility of bypassing SSL pinning with hooks; you can read about bypassing SSL pinning with Inspeckage here. So even if you discourage interception with SSL pinning, if you allow your application to run on a rooted/jailbroken device it is still possible to intercept its traffic.
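As an added example (not code from the original post), here are a few cheap indicators an Android app can check before doing sensitive work: the su binary, a test-keys build, and the Xposed framework itself, which is what Inspeckage needs. The Xposed installer package name is the one in the Xposed reference at the end of this blog; the su paths are common locations, not an exhaustive list.

```java
// Added example: simple root / Xposed indicators. Each check can itself be
// hooked, so treat them as signals to combine, not as a single gate.
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;

public final class RootCheck {
    // Common locations of the su binary on rooted devices (not exhaustive).
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
            "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    // Package name of the Xposed Installer (see the Xposed reference below).
    private static final String XPOSED_INSTALLER = "de.robv.android.xposed.installer";

    public static boolean suBinaryPresent() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    // Production firmware is signed with release keys; "test-keys" usually means
    // a custom ROM or an emulator image.
    public static boolean testKeysBuild() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Xposed loads its bridge class into every process it hooks, so the class
    // being resolvable from the app's class loader means hooks may be active.
    public static boolean xposedLoaded() {
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            return true;
        } catch (ClassNotFoundException ignored) {
            return false;
        }
    }

    public static boolean xposedInstallerPresent(Context ctx) {
        try {
            ctx.getPackageManager().getPackageInfo(XPOSED_INSTALLER, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    public static boolean looksRootedOrHooked(Context ctx) {
        return suBinaryPresent() || testKeysBuild()
                || xposedLoaded() || xposedInstallerPresent(ctx);
    }
}
```

Two caveats a practitioner will hit: on Android 11 and later an app cannot see another package through getPackageInfo unless that package is declared in a `<queries>` element of its manifest, so the installer check silently returns false there; and because every one of these methods can be replaced by the same hooking frameworks they look for, the result should feed something the attacker cannot patch in one place, such as a server-side decision, rather than a single if statement at start-up.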

3. Tamper and Repackaging Detection
Let's assume your mobile application has both SSL pinning and root/jailbreak detection implemented. There are still ways to bypass SSL pinning. You can read about a nonconventional method of bypassing SSL pinning without a rooted device here. The common, conventional method is Frida, and on an unrooted device it works by repackaging the mobile application APK with a third-party library, the Frida gadget, and re-signing the result.



So if you are thinking about implementing SSL pinning, it is probably a security requirement of your application or you want to achieve MASVS-L2. Implementing SSL pinning will definitely discourage attackers, but even a script kiddie can find a way to bypass it if your application is allowed to run on a rooted/jailbroken device.

SSL pinning plus root/jailbreak detection will discourage attackers further, but a motivated attacker with some knowledge and skills can still repackage the application with a tool such as Frida and find a way to bypass SSL pinning. Therefore tamper and repackaging detection must also be implemented if you want SSL pinning to hold up.

This article is intended for security testing, ethical hacking and raising awareness of cybersecurity. No malicious use is intended.
Sunday, March 8, 2020

SSL Pinning Bypass without a Rooted Device

Bypassing SSL Pinning 


If it is still not possible to intercept traffic after installing your own CA on the device (since Android 7 apps no longer trust user-installed CAs by default, so even that step depends on the Android version), the application is probably performing some kind of SSL pinning. To bypass this type of validation we need to hook the application's code and interfere with the validation process. To use these hooks, the application must be allowed to run on a rooted/jailbroken device. If running on a rooted device is allowed, please read my previous article on SSL pinning bypass with Inspeckage, which also covers setting up Inspeckage and the Xposed framework for the other available hooks.

If the application is not allowed to run on a rooted device, the most common method is the Frida framework. For this you need to repackage the APK with the Frida gadget library. So if the application does not allow repackaging, or uses integrity checks at runtime, this option is no longer valid either.

This post is based on an experience I had bypassing SSL pinning for mobile applications that did not allow running on a rooted device and also did not allow repackaging. The solution was found with VirtualXposed and Inspeckage. This is not a widely tested and approved solution (it is UNCONVENTIONAL), but it might help you with mobile application penetration testing.

VirtualXposed

VirtualXposed works like a virtual machine. It provides a virtual space in which APKs run as plugins, and inside this space some Xposed modules and hooks can be applied without root. You can download VirtualXposed from the following link.
VirtualXposed - https://virtualxposed.com/ 

Copy VirtualXposed apk and Install
It downloads as an apk file. Now all you need to do is enable "Unknown sources" in the device security settings, which allows installation of applications from sources other than the app store, and install the VirtualXposed apk.
  1. Download VirtualXposed
  2. Copy the downloaded apk to your unrooted device
  3. Go to device Settings > Security > Unknown sources and tick it
  4. Go to the location you copied the apk to
  5. Tap it and go through the installation guide



Now you will see the VirtualXposed icon alongside the other installed Android applications. Open VirtualXposed and you will see a lock-screen-like interface. This is the virtual space installed on top of your device OS. Swipe as you would to unlock a device with no password or pattern lock and you enter your virtual Android space.
VirtualXposed installed on an unrooted device

Bypass SSL Pinning with VirtualXposed. 

Now that you have Xposed running on your unrooted device, you can use hooks. My favorite application for hooks is "Inspeckage"

  1. Click on the Xposed icon inside the virtual space
  2. You will be presented with an interface exactly like the Xposed Installer
  3. Navigate to Download and search for "Inspeckage"
  4. Click Download and Install
  5. After successfully installing Inspeckage, navigate to Modules and tick the box next to "Inspeckage" to enable it
  6. Restart before using it

The following screen captures show the steps to install and configure Inspeckage; I will not explain them in detail here.
Steps to install and configure Inspeckage
Now all you have to do is install the application whose SSL pinning you want to bypass into the same virtual space. You have to install it from an apk in order to load it into the virtual space.
  1. Extract or obtain the apk that you want to install in the virtual space
  2. Copy it to the desired location on your device
  3. Try to install the apk; it will ask where to install (Add to VirtualXposed or Package Installer)
  4. Choose "Add to VirtualXposed" and continue the installation
  5. The application should now be installed into the virtual space (VirtualXposed)
Installing an application to the VirtualXposed
Now it is straightforward. Just as you normally use Inspeckage, run it, select the application you want to hook and load the Inspeckage web portal.
  1. Open Inspeckage in VirtualXposed
  2. Click on the "Choose Target" dropdown
  3. Select the application you want to apply hooks to
  4. Click "Launch App"
  5. Open a web browser on your PC and navigate to the URL shown in Inspeckage
  6. Go to "Settings" in the web portal
  7. Switch on the "SSL Uncheck" option
You should now be able to bypass SSL pinning and apply the other hooks available in Inspeckage.

Again, I would like to highlight that this is not a well tested and established approach (UNCONVENTIONAL). But I was able to successfully do some tricky things with VirtualXposed.

This article is intended for security testing, ethical hacking and raising awareness of cybersecurity. No malicious use is intended.

References 
VirtualXposed - https://virtualxposed.com/
Inspeckage - http://ac-pm.github.io/Inspeckage/

Wednesday, March 4, 2020

SSL Pinning Bypass with "Inspeckage - Android Package Inspector"

What is Inspeckage (Android Package Inspector)


Inspeckage is a tool for dynamic security analysis of Android applications. It applies hooks to Android API functions to perform dynamic analysis, and we can write our own hooks as well. We will be using the "SSL uncheck (bypass certificate pinning - JSSE, Apache and okhttp3)" action to bypass the SSL pinning of a mobile application. Besides SSL uncheck, Inspeckage has actions such as starting any activity, calling any content provider, and starting, stopping and restarting the application.
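To show what a hook like "SSL uncheck" does for the okhttp3 case, here is a minimal Xposed module that replaces okhttp3.CertificatePinner.check with a method that returns without throwing. This is an added example written for this page, not Inspeckage's own source; the target package name com.example.target is a placeholder, and it covers only the OkHttp pinner, not the JSSE and Apache paths that Inspeckage's action also handles.

```java
// Added example: an Xposed module that disables OkHttp certificate pinning
// in one target app. TARGET is a placeholder package name.
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import java.util.List;

public class OkHttpPinUnhook implements IXposedHookLoadPackage {
    private static final String TARGET = "com.example.target"; // placeholder

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Xposed calls this for every process; only touch the app under test.
        if (!TARGET.equals(lpparam.packageName)) return;

        try {
            // CertificatePinner.check(String hostname, List<Certificate> chain)
            // throws SSLPeerUnverifiedException when no pin matches. Replacing
            // it with a method that returns null makes every chain "match",
            // so a proxy certificate from Burp or ZAP is accepted.
            XposedHelpers.findAndHookMethod(
                    "okhttp3.CertificatePinner", lpparam.classLoader, "check",
                    String.class, List.class,
                    XC_MethodReplacement.returnConstant(null));
            XposedBridge.log("okhttp3 pinning disabled in " + lpparam.packageName);
        } catch (XposedHelpers.ClassNotFoundError | NoSuchMethodError e) {
            // The app does not bundle OkHttp 3, or uses a different pinning path.
            XposedBridge.log("okhttp3.CertificatePinner not found in " + lpparam.packageName);
        }
    }
}
```

For Xposed to load the class it must be listed in the module's `assets/xposed_init` file and the APK's manifest must carry the `xposedmodule` meta-data; Inspeckage bundles the equivalent hooks behind the checkbox used later in this post. Note that the hook is installed by class name from the app's own class loader, which is why it also works on apps that shade or rename nothing, and fails silently on those that do.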

How to Install Inspeckage

This is a basic guide to installing and configuring Inspeckage, because once Inspeckage is installed and configured, bypassing SSL pinning is just a matter of ticking a checkbox. You must have a rooted device or emulator to use Inspeckage hooks, and to successfully bypass SSL pinning with Inspeckage the application under test must be allowed to run on a rooted device or emulator. I will be using Genymotion (personal use licence) for this demonstration.

Following is my "Genymotion" emulator
Genymotion emulator specifications

After installing Genymotion and downloading an emulator image, you can start the emulator. Now you need to install the Xposed Installer (see the Xposed reference at the end of this post). Make sure you install the Xposed version that matches your Android version; for the emulator selected above, the version linked there is suitable. Download the Xposed apk and install it on the emulator.


When you have installed the Xposed Installer, launch it, open the Framework option and click Install to install the framework. Then reboot the device or emulator. You should now have the Xposed framework installed and configured.

Then go to Download in Xposed and search for Inspeckage. Download and install Inspeckage as well. As the last step, go to Modules and tick the checkbox to enable Inspeckage in Xposed.
Installing Inspeckage with Xposed

Running Inspeckage
Now you are ready to use Inspeckage and bypass SSL pinning with its hooks. Go to the app drawer and you should see the Inspeckage icon among the applications. Tap it to open Inspeckage.


You will see three URLs under "service is started on"; open your browser and go to one of them. A web page with the Inspeckage web portal will load.

Now the environment is ready to bypass SSL Pinning.

Bypass SSL Pinning with Inspeckage

Now it is straightforward. Click on the Inspeckage dropdown labelled "Choose Target" and select the application whose SSL pinning you want to bypass. Click "Launch App" to start the app. Refresh the web portal and you should see the application details together with the default hooks used by Inspeckage.
Inspeckage Web Portal

Now navigate to Settings in the Inspeckage web portal and switch on the "SSL uncheck" option. You have now bypassed the SSL pinning of the selected application: Inspeckage's hooks make the pin checks in JSSE, Apache and okhttp3 succeed regardless of the certificate presented, so a proxy such as Burp Suite or ZAP can intercept the traffic.
Inspeckage Web Portal Settings

As a bonus, you can use all the other hooks available in Inspeckage.
This article is intended for security testing, ethical hacking and raising awareness of cybersecurity. No malicious use is intended.

Reference 
Inspeckage - http://ac-pm.github.io/Inspeckage/ and https://github.com/ac-pm/Inspeckage
Genymotion - https://www.genymotion.com/
Xposed - https://repo.xposed.info/module/de.robv.android.xposed.installer