Most penetration testers know the headaches of testing mobile applications. Challenges like certificate pinning and wondering what files are being written to the device while the app is in use. Since Android is open source, you create your own custom OS that takes the guess work out of your test. By doing this, you can monitor HTTP/HTTPS traffic, SQLLite queries, file access and more. Because this is part of the OS, you can intercept before the data is encrypted (i.e. MiTF). And this works for all apps. No need to hook, inject or rebuild each app you test.
In this talk, I will give a high level overview of the Android OS, point out key files for modifications, and demonstrate a proof on concept with a custom OS along with a monitor showing the intercepted information.
Ray Kelly got his start in internet security 11 years ago with SPI Dynamics. As the lead developer of WebInspect, he helped build the product into an industry leading application scanner. After the SPI’s acquisition by HP, Ray moved on to other startups such as Purewire and Barracuda Networks where he focused on content security and mobile technologies. Currently Ray is back at HP Fortify on Demand group managing the Mobile Penetration team where mobile applications are tested for security vulnerabilities. @vbisbest / h30499.www3.hp.com/t5/user/viewprofilepage/user-id/1456467 HP Fortify on Demand