Simulation & Tutorial
INSECURE DATA STORAGE
by Mobile Top 10 2016 OWASP
Rizal Aditya
rizaladitya20@yahoo.co.id
M2 - Insecure Data Storage
This new category combines M2 and M4 from the Mobile Top Ten 2014 and covers both insecure data storage and unintended data leakage. Data stored insecurely includes, but is not limited to, the following:
• SQL databases;
• Log files;
• XML data stores or manifest files;
• Binary data stores;
• Cookie stores;
• SD card;
• Cloud-synced data.
A. Tools
1. OS: Windows 7 Professional x64.
2. Genymotion Android Emulator 3.0.3
3. Oracle VM VirtualBox 6.0.4 (included in the Genymotion installation)
4. Root Checker (root-checker-6-4-7.apk)
5. DIVA (Damn Insecure and Vulnerable App) APK (diva-beta.apk). Download link in references [1].
B. Install
Genymotion Android Emulator
1. Download the Genymotion Android Emulator from https://www.genymotion.com/fun-zone/. This practice uses the TRIAL version (30 days only).
2. Run the installer and install it.
C. Android Debug Bridge (ADB) Shell Configuration
1. Add the adb location to the environment variables: Control Panel - System - "Advanced system settings" - Advanced tab - Environment Variables. Select PATH, click Edit, and add the directory containing adb.exe (the Genymotion tools folder).
2. Example PATH value after the edit:
%PY_HOME%;%PY_HOME%\Lib;%PY_HOME%\DLLs;%PY_HOME%\Lib\lib-tk;C:\Program Files (x86)\Nmap;C:\Program Files\Genymobile\Genymotion\tools
D. How to run Genymotion emulator.
• Install one of the virtual devices in Genymotion, then open its three-dot menu and click Start.
E. Mount Storage (SD Card)
F. Root Android (root-checker-6-4-7.apk)
G. DIVA (Damn Insecure and Vulnerable App) APK
• To install, click and hold the APK file (diva-beta.apk) and drag it into the emulator window. Wait until the installation completes.
• If the APK installs successfully, a DIVA shortcut appears in the emulator. Click it to run the app.
H. Command Shell & Configuration
1. Check that adb can reach the emulator. Read the device IP from the Android system status; port 5555 is the Genymotion default.
adb connect 192.168.5.4:5555
2. Open a shell on the device:
adb shell
Insecure Data Storage (M2)
Technique 1: Stolen Device
Technique 2: Malicious App
Source: https://www.vaadata.com/blog/mobile-application-security-explained-simply-episode-2/
Insecure Data Storage (M2)
• The data of an Android application is stored under /data/data/<package_name>.
• Shared Preferences is a way for an Android app to store data as key-value pairs.
Source: https://tools.androidtamer.com/Training/DIVA/03_Insecure_Data_Storage_P1/
Insecure Data Storage (M2)
1. Create Database
2. Save data
Source: https://tools.androidtamer.com/Training/DIVA/04_Insecure_Data_Storage_P2/
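The two artifacts the slides above point at, a shared_prefs XML file and an app SQLite database under /data/data/<package_name>/, are what a tester pulls from the device with adb and inspects. The script below is an added example, not part of the original deck or of DIVA: it audits both file types for credential-looking entries stored in plaintext. The sample XML, the sample database (table myuser) and the SENSITIVE_NAME key list are constructed assumptions.

```python
"""Audit Android app storage artifacts for plaintext secrets (added example).

A pentester would pull the real files with `adb pull` from
/data/data/<package_name>/shared_prefs/ and /databases/; here both inputs
are constructed inline so the checks run offline.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Key/column names that usually hold credentials. Constructed assumption.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|pin|cred|key", re.I)

# Constructed sample: the shape of a SharedPreferences XML file after an
# app saved a login. Strings are <string name="k">v</string>, primitives
# are <type name="k" value="v"/>.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">diva_user</string>
    <string name="password">p@ssw0rd</string>
    <boolean name="remember" value="true" />
</map>
"""


def scan_shared_prefs(xml_text):
    """Return (key, value) pairs whose key looks credential-like."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root:
        key = node.get("name", "")
        # primitives carry the value in an attribute, strings in the text node
        value = node.get("value")
        if value is None:
            value = node.text or ""
        if SENSITIVE_NAME.search(key) and value:
            findings.append((key, value))
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for /data/data/<pkg>/databases/<name>.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    conn.execute("INSERT INTO myuser VALUES ('diva_user', 'p@ssw0rd')")
    conn.commit()
    return conn


def scan_sqlite(conn):
    """Return (table, column, value) for credential-like columns holding data.

    Walks sqlite_master for user tables, then PRAGMA table_info for columns,
    so it works on any app database without knowing its schema up front.
    """
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            if not SENSITIVE_NAME.search(col):
                continue
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')
            for (value,) in rows:
                findings.append((table, col, str(value)))
    return findings


if __name__ == "__main__":
    for hit in scan_shared_prefs(SAMPLE_PREFS_XML):
        print("shared_prefs plaintext secret:", hit)
    for hit in scan_sqlite(build_sample_db()):
        print("sqlite plaintext secret:", hit)
```

Any hit is a finding for M2: a stolen device or a malicious app with root can read these files directly, so credentials should not be kept in them in plaintext.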
Insecure Data Storage (M2)
Source: https://tools.androidtamer.com/Training/DIVA/05_Insecure_Data_Storage_P3/
Insecure Data Storage (M2)
Source: https://tools.androidtamer.com/Training/DIVA/06_Insecure_Data_Storage_P4/
References
• https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage
• https://payatu.com/damn-insecure-and-vulnerable-app
• https://www.vaadata.com/blog/mobile-application-security-explained-simply-episode-2
• https://tools.androidtamer.com/Training/DIVA/


Speaker notes

1. Insecure Data Storage can be illustrated by the following two example techniques. Technique 1, conventional: the device is physically stolen, and data / PII (Personally Identifiable Information) is extracted by connecting the device to a PC. This technique takes considerable effort. PII = information that can identify an individual. Even when a device is stolen, current devices increasingly ship with protective software, as on Apple and Android devices: Remote Lock My Device / Passcode Lock, Find My Device to locate the stolen device, or remote phone reset. Technique 2, modern: a jailbroken device carrying a malicious application. The malicious app can store and send sensitive data such as usernames, passwords and financial account details, as well as the victim's activity, to the attacker. The data is sent to the attacker's server over a network connected to the internet. Next we will try a scenario showing how this sensitive data can be accessed.