Author: Abhinav

I fork OWASP MASVS, Did you?

How to Contribute

The MASVS is an open source effort and we welcome contributions and feedback. If you want to contribute additional content, or improve existing content, we suggest that you first contact us on the OWASP MSTG Slack channel:

https://owasp.slack.com/messages/project-mobile_omtg/details/

You can sign up here:

http://owasp.herokuapp.com/

To add or edit content, simply fork the repository and make your changes, then create a pull request when you are finished. We’ll review the changes before we merge them with the master branch in the main repo. In case there’s conflicting opinions, we’ll create an issue for discussing the changes.

Read Individual Sections of the MASVS Here

PCI DSS 3.1 is here. Are you ready?

How to record your iPhone, iPad or iPod touch on your Mac?

  1. Connect the iOS device to your Mac using the Lightning cable.
  2. Open the Applications folder.
  3. Double-click on QuickTime Player.
  4. Click on the File menu.
  5. Select New Movie Recording.
  6. Click on the downward-facing arrow to the right of the record button.
  7. Under Camera, select the name of your iOS device.
  8. If you wish to record audio from the device, select its name in the Audio source list.
  9. Click on the red record button to begin recording video from your iPhone.
  10. When you’re done, click on the button again to stop recording.

I fork OWASP ASVS, Did you?

OWASP has released the next version of their Application Security Verification Standard (ASVS v3). The ASVS is an extensive document listing out 19 verification requirements organised as a checklist – Here

If you are a security geek and want to contribute something, why don’t you start helping us build the next generation of application security verification standards?

Abhinav Sejpal

Join me at APP SEC USA 2015

Android is the leading operating system. It is used not just in smartphones and tablets but also as the base for interactive televisions, gaming consoles and many more systems. The obvious result is a large focus on developing applications for this platform and on maintaining its security. This is a one-hour crash course on “Bypassing root detection” for an Android-based dummy internet banking app. This dummy internet banking application has features such as adding a beneficiary account, fund transfer, view statements, OTP, PIN sign-in, etc., to give attendees a real-world application scenario.

– Android APK file architecture and setting up the emulator
– Reversing the APK file package
– Understanding and patching smali code (JAVA – Class – Dex – smali – APK)
– Bypass the business logic for the root detection

Who Should Attend
– Security Professionals
– Mobile Application Developers
– People interested to start into Android security
– Web Application Pentesters
– Beginner mobile app malware auditors

What to expect:
– Getting started with Android security
– Reversing and auditing of Android applications
– Hands-on practice finding vulnerabilities and patching the binary

https://appsecusa2015.sched.org/event/129aa2ed31755697723b8f2855ab76b9?iframe=no&w=i:100;&sidebar=yes&bg=no#.VenMMNOqrDU

Mail Ru stores passcode in clear text – Insecure Data Storage

I found a vulnerability in the Mail RU iOS app. It allows its users to set a passcode to protect their information. This passcode is stored in clear text in the keychain, where it can be obtained using the keychain_dumper tool.

Mirroring your iOS Device

One of the simplest ways to capture video is to mirror your iPhone/iPad onto your PC with the help of the Reflector app, and then use a third-party recording tool such as Camtasia or WebEx to record any scenario. Please note that the AirPlay feature works only on the following devices:

iPhone 4s and above
iPad 2 or later
iPad mini
iPod Touch (5th Generation)
Apple TV (2nd or 3rd Generation)

Prerequisites:

  •   PC/laptop connected to Wi-Fi.
  •   A third-party recording tool, such as Camtasia or Cisco WebEx Recorder, installed on the PC/laptop.
  •   One of the above-mentioned iPhone/iPad devices connected to the Wi-Fi.
  •   Reflector software installed on your PC.

Reflector can be downloaded and installed from http://www.airsquirrels.com/reflector/

Mirroring the Device into your PC

A.    Open Reflector.
B.    Allow access if it is blocked by the firewall.
C.    Right-click the Reflector icon and click Show preferences.
D.    Select the optimum resolution for your device and add a password.
E.    Turn on the iPad/iPhone and make sure it is connected to the Wi-Fi router.
F.    Check the bottom of the device.

[Screenshot: Step 1]

G.    Tap the AirPlay icon.

[Screenshot: Step 2]

H.    The computer name appears in the popup, as seen above. Enter the password that was set in the preferences and tap the Connect button.
I.    Turn mirroring on; the device should now be visible on your PC.
J.    Right-click to exit full screen (Alt+F).

[Screenshot: Step 3]

K.    You can now use any third-party recording tool, such as Camtasia or Cisco WebEx Recorder, to record a scenario from the PC.

Note: The trial mode of Reflector runs for only up to 10 minutes.

How to download an APK file from Google Play store

I have been getting many queries in the last couple of days about downloading Android app binaries from the Google Play Store; many folks are unaware of how to get the binary. If you have a rooted device, once you have installed the app, the binary will be stored at /data/app/[Package name].

If you want to download the APK file using a browser extension on your PC, then getting yourself an extension for Chrome or Firefox is probably a good idea. You can download one such downloader: CodeKiem’s APK Downloader extension, which supports both Chrome and Firefox.

[Screenshot: one of many APK Downloader extensions available for Chrome]

Once you’ve added the extension to your desktop browser, you need to enter your email address, which will be stored in the Chrome extension associated with your Google Play account, and also your device ID for later requests.

To get your device ID, download an app called Device ID, which will bring up your Android ID when you open it. You should also use one of the e-mail addresses listed in Device ID, along with its associated password, to log into APK Downloader.

You can then proceed and download the APK to your computer. Once complete, it is ready to install on your Android device using the sideloading method.

Start a Simple Web Server from Any Directory using Python

If you need a quick web server running and you don’t want to mess with setting up Apache or something similar, then Python can help. Python comes with a simple built-in HTTP server.

Assume that I would like to share the directory located at /Users/BugWrangler/Desktop/{Any Share directory} and that my local network IP address is 192.168.0.107 (in other words, 127.0.0.1).

Navigate to that directory and enter the following command:

[Screenshot: python Simple HTTP Server]

Now open a browser on the same machine, or on another machine on the same network, and navigate to the address below:

[Screenshot: Python HTTP Server]

If the directory has a file named index.html, that file will be served as the initial file. If there is no index.html, then the files in the directory will be listed.

If you wish to change the port that’s used start the program via
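The server described in this section, as an added example that is not part of the original post: it serves one directory with Python 3's built-in http.server, bound to a single chosen address and port, and shows the listing-versus-index.html behaviour. The function names, the temporary directory and the sample files are constructed for illustration.

```python
# Added example, not from the original post (Python 3.7+). Command line:
# python3 -m http.server 8000 --bind 127.0.0.1  (Python 2: python -m SimpleHTTPServer 8000)
import functools
import http.client
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

def start_server(directory, bind="127.0.0.1", port=8000):
    """Serve `directory` on bind:port from a background thread."""
    root = Path(directory).resolve()
    # Pin the handler to one directory instead of the process's cwd.
    handler = functools.partial(SimpleHTTPRequestHandler, directory=str(root))
    # The bind address decides who can connect: 127.0.0.1 is this machine
    # only, a LAN address is every host on that network, "" is all interfaces.
    server = ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(server, path="/"):
    """GET `path` from the running server; return (status, body)."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()

def demo():
    """Show the listing-versus-index.html behaviour on a constructed directory."""
    with tempfile.TemporaryDirectory() as share:
        Path(share, "notes.txt").write_text("constructed sample file\n")
        server = start_server(share, port=0)  # port 0: OS picks a free port
        try:
            listing = fetch(server)           # no index.html yet: file listing
            Path(share, "index.html").write_text("<h1>shared</h1>")
            index = fetch(server)             # index.html is served instead
        finally:
            server.shutdown()
            server.server_close()
    return listing, index

if __name__ == "__main__":
    print(demo())
```

Everything under the shared directory is readable without authentication by any host that can reach the bound address and port, so bind to the narrowest address that works and stop the server once the transfer is done.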

How to install class-dump-z on your iOS device

class-dump-z is used for dumping class information from an iOS application. This binary isn’t available for the Windows operating system.

Step 1: Get a shell on the device.

Step 2: Navigate to https://code.google.com/p/networkpx/wiki/class_dump_z and get the latest URL, e.g. http://networkpx.googlecode.com/files/class-dump-z_0.2a.tar.gz

Step 3: Download the binary.

[Screenshot: Wget file]

Step 4: Extract the downloaded archive file.

[Screenshot: Unzip the file]

Step 5: Navigate inside the folder iphone_armv6 and copy the class-dump-z executable into the /usr/bin directory. This makes sure you can run class-dump-z from anywhere on the device.

[Screenshot: Copy the file]

Step 6: Once you have copied the executable, just type class-dump-z. You have now successfully configured the class-dump-z binary on your iOS device.

[Screenshot: class dump z]

© 2017 Abhinav Sejpal
