OWASP M-Tools

This is a summary of the tools that are described in OWASP Mobile Security M Tools page.

iMAS

  • What is it?

    • iOS secure application framework research to reduce iOS application vulnerabilities and information loss

  • Source code

  • Modules

    • Secure Foundation Control

      • Cipherlib, crypto manager, keychain crypto

    • AppPassword Control

      • Custom iOS user authentication mechanism (password with security questions for self reset)

    • PasscodeCheck Control

      • Allows an application to verify if an iOS passcode has been set and what complexity. Based on this, an application can programmatically decide to execute fully or in a degraded state given this system evidence

    • Encrypted Core Data

      • Provides a Core Data encrypted SQLite store using SQLCipher.

    • Security-check

      • Application level, attached debug detect and jailbreak checking

    • Memory Security

      • Library for securely clearing and validating iOS application memory

      • Eliminate clear-text sensitive data from memory after app use

Comment

Although most of the modules are about 3-4 years old, I think the modules are still highly recommended and we should take a look when we implement some of the features.

GoatDroid

  • What is it?

    • A fully functional and self-contained training environment for educating developers and testers on Android security

  • Source Code

Comment

Looks promising; however, it looks like the apps have not been maintained for the last 4 years, and there are many open issues complaining that the apps are not working anymore.

We should take a look at it and see if there is some value in getting it up and running.

iGoat

  • What is it?

    • A safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them.

  • Source Code

Comment

Doesn’t look like the app is being maintained, and doesn’t appear to work with the latest version of iOS.

We can take a quick look, but it doesn’t look like it would provide a lot of value to us.

Damn Vulnerable iOS Application

  • What is it?

    • A project that gives mobile testers and developers an iOS application to practice attacking/defending skill sets

  • Website

  • Source code

Comment

Looks much better than iGoat. In particular, the website has a "Learn" section that provides a series of very good blog posts about iOS security.

MobiSec

  • What is it?

    • The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing mobile environments, including devices, applications, and supporting infrastructure.

  • Website

Comment

The last release was about 5 years ago. It doesn’t look like it’s being maintained properly.

Androick

  • What is it?

    • Androick is a tool that allows any user to analyze an Android application

  • Source Code

Comment

A nice small tool that could be useful to get all the app files from an Android device.

NowSecure App Testing Community Edition

  • What is it?

    • It is the freely downloadable version of the powerful App Testing suite. Users are offered a number of features such as network capture, automation, import / export, and reporting to test and secure mobile apps

  • Website

  • Tools

    • Santoku Linux

      • Santoku is dedicated to mobile forensics, analysis, and security, and packaged in an easy to use, Open Source platform

    • VTS for Android

      • An app to scan vulnerabilities on Android

    • Frida

      • Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.

    • Radare

      • Portable reversing framework

Comment

The tools are very useful. We should try them.

The NowSecure website also provides some resources/handbooks that could be very helpful. E.g.

Conclusion

I think the tools we should try are:

  • Must

    • NowSecure App Testing Community Edition

    • Damn Vulnerable iOS Application

    • iMAS

  • Maybe

    • Androick

  • No

    • GoatDroid

    • iGoat

    • MobiSec