Android and iOS Security Enhancements and Crackme Apps

Track: Mobile Security
When: Mon, Tue, Wed, Thu, Fri
Organizers Jeroen Willemsen, Carlos Holguera
Participants Jeroen Willemsen, Sven Schleier (remote), Abderrahmane AFTAHI (remote), Carlos Holguera

Welcome to the OWASP Mobile Security Testing Guide Content pressure cook!

Why

Staying up-to-date is key, especially regarding mobile security. We have the chance to do it all together in the same place. In this working session we will go through and discuss about the latest security features introduced in the latest Android and iOS versions. We go not only theoretical but also practical: we have of course a hands-on part for this working session where we will be playing and enhancing the MSTG Hacking Playground and crackme apps. So get your phones, laptops and favorite tools ready.

What

Get to know the latest Android and iOS security enhancements

iOS 12:

  • UIWebViews are officially deprecated
  • new AuthenticationServices and Network Frameworks
  • New Password AutoFill Framework for iOS and web apps

Android 9:

  • Scoped Storage: an isolated storage sandbox right on external storage device! The READ_ and WRITE_EXTERNAL_STORAGE permissions are being replaced with more fine-grained media specific permissions.
  • StrongBox Keymaster: an implementation of the Keymaster HAL that resides in a hardware security module.
  • You can now import encrypted keys securely into the Keystore using an ASN.1‑encoded key format.

This and much more that we or you might know about. Let’s discuss about how we can test the new features.

Get your hands dirty with the Android and iOS crackmes

  • Would you say you could write an app that effectively refuses to run on a rooted Android device (e.g. running Magisk)?
  • Do you think you could stop someone using Frida from stealing your precious app data? Or at least make him/her give up trying ;)
  • Do you love to code Android/iOS apps? What about writing some code to challenge other people?
  • Are UnCrackable App for iOS Level 1 and UnCrackable App for iOS Level 2 too easy for you? Do you have some ideas for a Level 3?

In this session you get the chance to work hand in hand with the Mobile Security team on the MSTG crackme apps. The defenders will make them secure (or intentionally leave some holes) and the attackers will prove they can crack them using the latest techniques and available tools. Aren’t you curious about how other people would solve the different challenges you implement? Reverse engineering? debugging? code injection? everything is allowed.

In this session you’ll get to work on tickets regarding these kind of topics and many more. See the MSTG GitHub Issues and the MSTG GitHub Project Page for more details.

Who

The target audience for this Working Session is:

  • iOS developers
  • Android developers
  • Penetration Testers
  • Security engineers

From experts to beginners. Anybody who is passionate about app mobile security, haves fun hacking, securing and/or developing mobile apps and loves to continuously learn and enjoys sharing knowledge.

What do you need to bring with you?

Minimum required: a laptop :)

Depending on the tasks/challenges you choose:

  • For iOS: an iOS device (preferably jailbroken). A MacBook is recommended but not mandatory.
  • For Android: an Android device is highly recommended (preferably rooted). However for many tasks you can use the emulator.

The MSTG and crackmes are hosted in GitHub and can easily be edited by anyone, just a Github account is needed and knowledge on how to create a pull request.

Outcomes

Updated iOS and Android chapters in the MSTG covering the latest security changes in iOS and Android.

References

Register as participant

To register as participant add Android and iOS Security Enhancements and Crackme Apps to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page


Back to list of all Working Sessions