In almost every Android application, developers expose activities without sufficient protections. Exposing activities can lead to various attacks. For example, an attacker, or a malicious app installed on the same device, can call those exposed activities to invoke internal pages of the application. Calling internal pages puts the application at risk of phishing by manipulating […]
When performing security (or regular) tests on Android applications, we sometimes need to emulate or fake mobile data or actions. Making/receiving calls, sending SMS messages or setting the exact geo-location are some of the actions that can be performed using the Emulator Console. Here are a few tricks that will help you through Android application testing using the emulator:
· First, connect to the emulator console using telnet:
· To change geo-locations:
· To make a phone call to the emulator:
· To send an SMS to the emulator:
· To scale the emulator window:
· To take a screenshot:
· To create input events (event codes list):
The Monkey is a command-line tool that runs on the emulator instance or on a device. When the Monkey runs, it generates pseudo-random events and sends them to the system.
Google published the first version of Brillo, and as IoT researchers, the first thing that we want to do is to quickly compile and run it in order to get a feel for it, investigate it and learn as much as possible about the system…
At the beginning of our work we made some assumptions, which we found to have been correct:
- Instead of installing a new environment, it would be easier to install it on our AppUse VM, which already has a lot of tooling on it.
- Google probably built it similarly to Android (both are Unix-based), so we followed the Android compilation guide (links below).
Despite these shortcuts, we still ran into a lot of trouble… I know for sure that you don’t want to waste your time finding and fixing some silly errors, so let me give you the shortest way to install it, in a few steps and one script 🙂
In order to connect a real device, you should do the following:
- Enable USB debugging mode:
a. Open your device’s “Settings.”
This can be done by pressing the Menu button while on your home screen and tapping “System Settings.”
b. Scroll to the bottom and tap “About phone.”
c. On the “About” screen, scroll to the bottom and tap “Build number” seven times.
If you see the message “Not needed, you are already a developer!” pop up, then you know developer mode is already enabled.
After a few months of work and research we have updated the SSL Analyzer tool to version 1.1. So, here is a description of the SSL Analyzer and who should use it.
What is it?
This tool was created for penetration testers and for site administrators who want to check whether their server allows the use of insecure SSL algorithms.
SSL is meant to prevent attackers from reading or changing the traffic between the client (computer/mobile browser) and the server; but if the server allows insecure algorithms, an attacker can force the browser to use them and break the encryption (as the name says, they are insecure algorithms…).
Easy to use
SSL Vulnerabilities Analyzer has a nice interactive tool that makes it easy, also for non-technical people, to run it and check whether the server accepts insecure algorithms.
SSL Vulnerabilities Analyzer is released with its source code under the GPL v3 license, as a gift back to the open source community.
You can download the current version (1.1) from here: SSL Analyzer version 1.1 zip
For more details, source code and versions, please visit the dedicated area in our website: https://appsec-labs.com/SSL_Analyzer
The slides from my OWASP Israel 2012 talk “Advanced iPhone Hacking with iNalyzer” have been uploaded and are available here.
The iNalyzer iPhone testing tool that was presented in the talk can be downloaded directly from here (you will need Graphviz Dot and Doxygen installed on your PC/laptop).
Here is an installation video (currently no sound):
iNalyzer Installation and usage
Here is a small demo of iNalyzer vs. iSafePlay:
iNalyzer Vs. iSafePlay
The slides from my OWASP Israel 2011 talk “Tampering 101 – Automated binary protocol analysis of web applications” have been uploaded and are available here: Tampering101_slides.
The Belch automation tool that was presented in the talk can be downloaded directly from SourceForge via the following link: Belch – Burp ExternaL CHannel v1.0.12