YSO – OPENSOURCE MOBILE SECURITY FRAMEWORK
YSO is the Mobile Security Framework and they are capable of performing Static and Dynamic analysis on mobile Applications and Its supports only APK (Android) and IPA (IOS) files and they are various tools used to decompile, debug and code review in mobile app testing and it consumes lot of time and by this framework we can able to check over various mobile issues like
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Certificate Pinning
- Backup Data’s Enabled etc.
The above issues are the major mobile issues that are occurred in a common way
In Static Analysis it used to detect automated Code review, insecure Permissions, Configuration issues, and it also detects over insecure code like SSL overriding, SSL bypass, weak crypto, obfuscated codes, improper permissions, hard coded secrets, improper usage of dangerous APIs, and leakage of sensitive/PII information.
In Dynamic Analysis is slightly difficult to configure it mainly runs on the VM or on a configured devices and detects the issues at run time and Further analysis is done on the captured network packets, decrypted HTTP traffic, dumps, logs, etc.
This tool is highly scalable by which you can add your custom rules in easy use and you can use this framework results as a source to detect the mobile application issues manually and finally the overall report gets saved on the required folder that you are selected.
Requirements:
- Python 2.7
- Django 1.8
Oracle JDK 1.7 or above http://www.oracle.com/technetwork/java/javase/downloads/
Notes:
- On Linux and Mac, install Oracle Java and make it the default one.
- iOS IPA Binary Analysis requires MAC OSX and you need to install Command line tools for MAC OSX
http://osxdaily.com/2014/02/12/install-command-line-tools-mac-os-x/
STATIC ANALYSIS APK RESULTS:
CERTIFICATE ISSUE:
Static Analysis in IOS result:
CONFIGURING STATIC ANALYZER:
Tested on Windows 7, 8, 8.1, Ubuntu, OSX Marvicks
Install Django version 1.8
Pip install Django==1.8
Here I have installed Django in Linux
Django is one of the Web application Framework that used to make the process easier because it has some automated tools in-build so it executes the result at short interval of time
YSO Framework Configuration in Linux:
I have configured the YSO Framework and configured the server and
Configuration Link: http://127.0.0.1:8000/
Once you have entered this URL in your browser U’ll get a Page as follows
YSO EXECUTION ON BROWSER:
Here In this Framework you can upload a particular APK file OR IPA File that you are going to test and it executes the result as in the above figure
CONCLUSION:
From this Blog we have discussed above the installation, Configuration and working Method of YOS Mobile application Framework and we also discussed the results executed for a particular APK or IPA files.
YSO Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We’ve been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-test and this process requires a lot of effort and time. YSO Mobile Security Framework can be used for effective and fast security analysis of Android and iOS Applications.
BiskInfosec provides the best mobile Security solutions. For further doubts and security solution advices reach us @ Contact@briskinfosec.com
AUTHOR
RamKumar
Security Engineer
BriskInfosec Technolagy And consulting PVT LTD
follow me @https://www.linkedin.com/in/ram-kumar-3439b511a/
Posts
