SlideShare uma empresa Scribd logo

Generate Xmind Map for Android App Security Analysis with Droidstat-X

Transferir como PPTX, PDF
Cláudio André
Cláudio André

Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis.

Tecnologia
1 de 22
Droidstat-X Android Applications Security Analyser Xmind Generator Cláudio André
whoami - Security Consultant at Integrity S.A. - Web, Android and Infrastructure - OSCP,eMAPT,eWPTX
Droidstat The development of Droidstat started mid 2015 and it was presented in July in Bsides Lisbon 2015.
Droidstat The development of Droidstat started mid 2015 and it was presented in July in Bsides Lisbon 2015. Droidstat aims to be a static and dynamic analysis framework, which does more than just flag issues (there are already several ones which do that and well, like Androbugs or MobSF), it allows to create a methodology and a workflow to achieve consistency.
Droidstat-X
Droidstat-X Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis.
Droidstat-X The map itself is an Android Application Pentesting Methodology component, which assists Pentesters to cover all important areas during an assessment. This was the main goal driving the tool development.
Droidstat-X The tool allows to add custom checks in a simple way, to confirm the existence of those patterns in the dalvik bytecode instructions.
Xmind Organization
Methodology Mobile Top 10 2017
Methodology
Methodology “The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS).” https://github.com/OWASP/owasp-mstg
Under The Hood Androguard (Properties,Components, Files)
Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python *
Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python * Apktool
Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python * Apktool Patented Advanced Search Algorithm based on Neural Networks and Blockchains...
Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python * Apktool Patented Advanced Search Algorithm based on Neural Networks and Blockchains… grep and sed
Next Steps - Integration with Play Store / Android Device to download APKs * - Automatic extraction of bundled DLL’s in Xamarin - Determine usage of Certificate Pinning (Native, Cordova, Xamarin) - Determine usage of Android Keystore - SQL Injection / Path Traversal Evidences for Content Providers ….. Web Interface
Get it. https://github.com/integrity-sa/droidstatx
Install it. Manual Install (needs pip and Java JRE) ● git clone https://github.com/integrity-sa/droidstatx.git ● cd droidstatx ● python install.py Docker ● git clone https://github.com/integrity-sa/droidstatx.git ● cd droidstatx ● docker build -t droidstatx .
Generate Xmind Map for Android App Security Analysis with Droidstat-X

Recomendados

Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projectsJose Manuel Ortega Candel
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsKaspersky
 
Présentation kaspersky threat intelligence services
Présentation kaspersky threat intelligence servicesPrésentation kaspersky threat intelligence services
Présentation kaspersky threat intelligence servicesANSItunCERT
 
Building Content Management Solutions with MongoDB
Building Content Management Solutions with MongoDBBuilding Content Management Solutions with MongoDB
Building Content Management Solutions with MongoDBrivetlogic
 
Rethinking Application Security for cloud-native era
Rethinking Application Security for cloud-native eraRethinking Application Security for cloud-native era
Rethinking Application Security for cloud-native eraPriyanka Aash
 
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...Wouter Bloeyaert
 
Summer training program
Summer training programSummer training program
Summer training programDeepak Baghel
 
Elastic user group London nov 2019
Elastic user group London nov 2019Elastic user group London nov 2019
Elastic user group London nov 2019Andrey Bezverkhiy
 

Recomendados

Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projectsJose Manuel Ortega Candel
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsKaspersky
 
Présentation kaspersky threat intelligence services
Présentation kaspersky threat intelligence servicesPrésentation kaspersky threat intelligence services
Présentation kaspersky threat intelligence servicesANSItunCERT
 
Building Content Management Solutions with MongoDB
Building Content Management Solutions with MongoDBBuilding Content Management Solutions with MongoDB
Building Content Management Solutions with MongoDBrivetlogic
 
Rethinking Application Security for cloud-native era
Rethinking Application Security for cloud-native eraRethinking Application Security for cloud-native era
Rethinking Application Security for cloud-native eraPriyanka Aash
 
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...Wouter Bloeyaert
 
Summer training program
Summer training programSummer training program
Summer training programDeepak Baghel
 
Elastic user group London nov 2019
Elastic user group London nov 2019Elastic user group London nov 2019
Elastic user group London nov 2019Andrey Bezverkhiy
 
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Kaspersky
 
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...NECST Lab @ Politecnico di Milano
 
Grounding Conversational AI in a Knowledge Base
Grounding Conversational AI in a Knowledge BaseGrounding Conversational AI in a Knowledge Base
Grounding Conversational AI in a Knowledge BaseVaticle
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
ProGuard vs DexGuard
ProGuard vs DexGuardProGuard vs DexGuard
ProGuard vs DexGuardTopher Jordan
 
Strayer cis 333 entire course
Strayer cis 333 entire courseStrayer cis 333 entire course
Strayer cis 333 entire courseuopassignment
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...Ernesto Bethencourt
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Software Integrity Group
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP
 
Malware Detector
Malware DetectorMalware Detector
Malware DetectorAbhishek Jindal
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...Codemotion
 
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...Amélie Gyrard
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023SofiaCarter4
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...theijes
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 

Mais conteúdo relacionado

Mais procurados

Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Kaspersky
 
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...NECST Lab @ Politecnico di Milano
 
Grounding Conversational AI in a Knowledge Base
Grounding Conversational AI in a Knowledge BaseGrounding Conversational AI in a Knowledge Base
Grounding Conversational AI in a Knowledge BaseVaticle
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
ProGuard vs DexGuard
ProGuard vs DexGuardProGuard vs DexGuard
ProGuard vs DexGuardTopher Jordan
 
Strayer cis 333 entire course
Strayer cis 333 entire courseStrayer cis 333 entire course
Strayer cis 333 entire courseuopassignment
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...Ernesto Bethencourt
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Software Integrity Group
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP
 

Mais procurados (11)

Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
 
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
 
Grounding Conversational AI in a Knowledge Base
Grounding Conversational AI in a Knowledge BaseGrounding Conversational AI in a Knowledge Base
Grounding Conversational AI in a Knowledge Base
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
ProGuard vs DexGuard
ProGuard vs DexGuardProGuard vs DexGuard
ProGuard vs DexGuard
 
Strayer cis 333 entire course
Strayer cis 333 entire courseStrayer cis 333 entire course
Strayer cis 333 entire course
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
 
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
Ernesto Bethencourt & Javier Sanz - OFRECIENDO SEGURIDAD DE AUTOCONSUMO A LOS...
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
Malware Detector
Malware DetectorMalware Detector
Malware Detector
 

Semelhante a Generate Xmind Map for Android App Security Analysis with Droidstat-X

Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
 
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...Codemotion
 
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...Amélie Gyrard
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023SofiaCarter4
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...theijes
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesIRJET Journal
 
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...Priyanka Aash
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...CA Technologies
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys
 

Semelhante a Generate Xmind Map for Android App Security Analysis with Droidstat-X (20)

Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
 
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
An ontology-based approach for helping to secure the ETSI Machine-to-Machine ...
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and Defenses
 
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Androi...
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
 

Mais de Cláudio André

This is the secure droid you are looking for
This is the secure droid you are looking forThis is the secure droid you are looking for
This is the secure droid you are looking forCláudio André
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentesterCláudio André
 
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive BreakfastMobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive BreakfastCláudio André
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!Cláudio André
 

Mais de Cláudio André (6)

This is the secure droid you are looking for
This is the secure droid you are looking forThis is the secure droid you are looking for
This is the secure droid you are looking for
 
Is my app secure?
Is my app secure?Is my app secure?
Is my app secure?
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentester
 
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive BreakfastMobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!
 
Mobile (in)security ?
Mobile (in)security ?Mobile (in)security ?
Mobile (in)security ?
 

Último

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Generate Xmind Map for Android App Security Analysis with Droidstat-X

  • 1. Droidstat-X Android Applications Security Analyser Xmind Generator Cláudio André
  • 2. whoami - Security Consultant at Integrity S.A. - Web, Android and Infrastructure - OSCP,eMAPT,eWPTX
  • 3. Droidstat The development of Droidstat started mid 2015 and it was presented in July in Bsides Lisbon 2015.
  • 4. Droidstat The development of Droidstat started mid 2015 and it was presented in July in Bsides Lisbon 2015. Droidstat aims to be a static and dynamic analysis framework, which does more than just flag issues (there are already several ones which do that and well, like Androbugs or MobSF), it allows to create a methodology and a workflow to achieve consistency.
  • 6. Droidstat-X Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis.
  • 7. Droidstat-X The map itself is an Android Application Pentesting Methodology component, which assists Pentesters to cover all important areas during an assessment. This was the main goal driving the tool development.
  • 8. Droidstat-X The tool allows to add custom checks in a simple way, to confirm the existence of those patterns in the dalvik bytecode instructions.
  • 12. Methodology “The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS).” https://github.com/OWASP/owasp-mstg
  • 13.
  • 14. Under The Hood Androguard (Properties,Components, Files)
  • 15. Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python *
  • 16. Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python * Apktool
  • 17. Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python * Apktool Patented Advanced Search Algorithm based on Neural Networks and Blockchains...
  • 18. Under The Hood Androguard (Properties,Components, Files) Xmind SDK for Python * Apktool Patented Advanced Search Algorithm based on Neural Networks and Blockchains… grep and sed
  • 19. Next Steps - Integration with Play Store / Android Device to download APKs * - Automatic extraction of bundled DLL’s in Xamarin - Determine usage of Certificate Pinning (Native, Cordova, Xamarin) - Determine usage of Android Keystore - SQL Injection / Path Traversal Evidences for Content Providers ….. Web Interface
  • 21. Install it. Manual Install (needs pip and Java JRE) ● git clone https://github.com/integrity-sa/droidstatx.git ● cd droidstatx ● python install.py Docker ● git clone https://github.com/integrity-sa/droidstatx.git ● cd droidstatx ● docker build -t droidstatx .