AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
 
Friday, September 25 • 3:00pm - 3:55pm
ShadowOS: Modifying the Android OS for Mobile Application Testing


Most penetration testers know the headaches of testing mobile applications: challenges like certificate pinning, and wondering what files are being written to the device while the app is in use. Since Android is open source, you can create your own custom OS that takes the guesswork out of your assessment.

By doing this, you can monitor HTTP/HTTPS traffic, SQLite queries, file access and more. Since this is part of the OS, you can intercept web traffic before it is encrypted. And this works for all apps: there is no need to hook, inject or rebuild each app you test. This saves you time and helps you deliver accurate test results.

Outline of Presentation:
- Describe challenges with testing mobile applications and what it is we are solving
- Overview of the Android operating system
- Identify key Android source code files for modification
- Demonstrate the Android build process for the new modifications
- Demonstrate a custom Android OS showing data being intercepted and monitored from a remote application (this will be done using the Android Emulator and a PC)

Takeaways:

Speakers

Ray Kelly

Researcher, HP Fortify On Demand
Ray Kelly has been a developer and researcher for seventeen years, ten of which have focused on the internet security space. He was the lead developer and Business Unit Director for WebInspect with SPI Dynamics. SPI was acquired in 2008 by HP. Currently Ray is in the HP Fortify on Demand group, where he focuses on research and innovation related to the mobile security space.


Friday September 25, 2015 3:00pm - 3:55pm
Room B