How to connect a real device to AppUse

appsec_logo

 

In order to connect a real device you should do the following steps:

  1. Enable USB debugging mode:

a. Open your device’s “Settings.”
This can be done by pressing the Menu button while on your home screen and tapping “System Settings.”
b. Scroll to the bottom and tap “About phone.”
c. On the “About” screen, scroll to the bottom and tap on “Build number” seven times.
If you see the message “Not needed, you are already a developer!” pop up, then you know if the command succeeded.
Read more

ADB – Common commands

What is ADB (Android Debug Bridge)

The ADB shell is a bridge between your computer and the Android device, which may be a physical device or an emulator.

 

How to install ADB

ADB comes with Android SDK, but you can also find it alone. Inside the AppUse VM we have installed and prepared it for you.

Read more

Wardriving? Apple? Really ??

Advanced iPhone Hacking with iNalyzer

The slides from my OWASP Israel 2012 talk “Advanced iPhone Hacking with iNalyzer” have been uploaded and are available here.

iNalyzer iPhone testing tool that was presented in the talk can be downloaded directly from Here (You will need Graphviz Dot and Doxygen installed on your PC/Laptop )
Here is an Installation Video (currently no Sound..)
iNalyzer Installation and usage

Here is a small demo of iNalyzer Vs. iSafePlay
iNalyzer Vs. iSafePlay
Enjoy,
Chilik

EvilQR – When QRCode goes bad

Security assessment of mobile QR readers – Updated (30-Nov-2011)

Abstract:
Quick Response code, also known as QRCode has been around for several years, but in the last months there has been an incline in adoption of QRcodes as a marketing channel. A QRcode can encode a variety of information into a 2-dimentional barcode that is presented to the costumer. Customers are often referred by vendors into scanning QRCodes in order to receive coupons, discounts or other marketing media such as website, flash movie etc. The QRCode is parsed by QR-reader software on a mobile phone equipped with a camera. The true nature of QRcode content is an enigma until it is scanned; there is no possibility for the customer to authenticate the content of a QRcode without scanning it first. Because of the latter fact, an attacker with evil intent could craft a malicious QRCode (or evilQR) and lure an innocent customer to scan it. Once scanned the evilQR would be parsed by the customer mobile phone software and would initiate its’ attack. Attack vectors could vary from browser-based such as Cross-Site-Scripting (XSS) to specific buffer-overflow and command injection. The key for a successful attack lays in the default behavior of the mobile QRCode reader software. If as an example, a QRCode reader parses a link from a evilQR and preforms a URL redirection without proper confirmation of the customer – the attack would succeed. In this assessment we have compared the default behavior of several QR-readers for and noted their behavior upon the parsing of two evilQRs. Best practices for mobile users are also discussed.

The problem:

 An innocent customer can be easily tricked into scanning a malicious-crafted QRCode (evilQR) by an attacker, upon scanning the customer mobile would be attacked by the encoded payload.

Motivation:

The motive for executing such attack is very clear – the mobile phone is a gold mine for an attacker, because today’s phone contains very sensitive information such that can be abused by an attacker in several ways:

Read more