Uncategorized – Aditya Agrawal
Security Researcher. RailFan. Foodie
Tue, 19 Jul 2016 08:14:35 +0000

IoT Security Wiki Released
Thu, 03 Mar 2016 18:05:01 +0000

Hi!

For the last 2-3 months I have been working on some projects related to IoT Security. As there are very few people in IoT Security, it was very difficult to find any resources and learn about it. Nearly one year ago I released MobileSecurityWiki and I got some awesome feedback about it from the community members. So I thought to release the same for IoT, but doing that is a very difficult task, because there are too many things in IoT and there are different kinds of IoT devices. The current version mostly contains research/presentations/talks/studies.

I look forward to your additions/suggestions/feedback for this wiki. Please visit the wiki to know the procedure to suggest additions. I think this would be very helpful for developers and security researchers in the long run.

Thanks

Aditya Agrawal

Appie Version 3 Released
Tue, 23 Feb 2016 16:46:57 +0000

So it has been more than a year since Appie was launched, and I have been receiving an awesome response from its users since then. Thanks a ton for that :)

Below are some of the changes which have been made from the previous version:

  • It now has 32-bit Python so that even 32-bit systems have no problem with usage.
  • Also updated the ConEmu framework, which I use as a base terminal.
  • Although all the tools are now updated in Appie, in this version I have introduced a simple update script through which you can update all the tools inside Appie without downloading a new version of Appie. So in the end this saves you a lot of time.
  • It is a lot faster now; if you are an existing user of Appie then you will notice that.
  • Some new tools have been included in this version:

Using Update Feature

Using the update feature is very simple; currently there are only two options in the update script.

Type update in the Appie terminal.

With update tools, all tools inside Appie will get updated, and with update config, Appie configuration files will get updated.

Now you can get news and updates about Appie and Android security on the Facebook and Twitter pages. Email subscription has not been provided because of email privacy issues.

You can download the new version of Appie from the links given below.

Download Appie

I have also made a short introduction video of Appie, which you can watch here.

Thanks

Aditya Agrawal

Android Application Security Part 6-Let the Fun Begin
Tue, 13 Jan 2015 14:58:00 +0000

In the upcoming post I will explain the various Top 10 Mobile Risks 2014 according to OWASP.org while attacking a vulnerable Android application.

I will be using the FourGoats app of the OWASP GoatDroid Project, which is a vulnerable location-based social network app, and also the HerdFinancial app of the OWASP GoatDroid Project, which is a simple banking app. The OWASP GoatDroid Project is an awesome project for those who want to learn about Android Application Security.

Getting Started with the GoatDroid Project is already there on their Project Page. But if you are using Appie then you don’t need to follow the instructions written on the above page. I have already installed the GoatDroid server files in Appie.

  • For starting the server, type goatdroid in Appie.

  • Click “Start Web Service” in the FourGoats tab. It will start the server.

If you look at the FourGoats server control panel, at the bottom there are several security flaws listed which are present in the FourGoats application.

  • Client-Side Injection
  • Server-Side Authorization Issues
  • Side Channel Information Leakage
  • Insecure Data Storage
  • Privacy Concerns
  • Insufficient Transport Layer Protection
  • Insecure IPC

We also have to set up the FourGoats application.

  • In some of the previous posts I have also shown how to install the FourGoats application in the emulated device. If you are not aware then please follow the link.

  • Now determine the IP address of your host machine.

So mine is 192.168.1.5

  • Open up the FourGoats application in the emulator.

  • Tap on Destination Info and input the IP address, the port number as 9888, and leave the other field blank.

Now you can log in and interact with the app.

Username: goatdroid

Password: goatdroid

Android Application Security Part 5 – Starting Drozer
Tue, 13 Jan 2015 13:15:01 +0000

In this post I will be demonstrating Drozer, which is one of the essential tools in Android Application Security Assessment. It reduces the time involved in App Security Assessment.

Drozer is already installed in Appie; if you are using it then there is no need for the installation and setup procedure.

  • First open up Appie and the Genymotion device.

  • Download Drozer App

  • Open the drozer application in the running emulator and click the OFF button at the bottom of the app, which will start an embedded server.

  • By default the server listens on port number 31415, so in order to forward all commands of the drozer client to the drozer server we will use Android Debug Bridge [ADB] to forward the connections.

    Type adb forward tcp:31415 tcp:31415 in the console.

  • Type drozer console connect and it will split the screen and open drozer in the other part.

The above steps need to be done whenever we need to perform an assessment through Drozer.

Now you can just type list in the drozer console and it will list all the modules which come pre-installed with Drozer.

You can use the --help switch with any of the modules given above to get to know more about the functionality of that particular module.

For example run app.package.info --help will output


I will be describing most of the Drozer modules while exploiting vulnerable apps in the upcoming posts.

Install Google Play Store in Genymotion
Thu, 08 Jan 2015 21:00:00 +0000

Now I will show you how to install Google Play Store in the above Genymotion device.

  • Switch ON your Genymotion device.
  • Download Google Apps from CyanogenMod
  • Drag and drop the downloaded zip file onto the Genymotion device. It will ask for confirmation; confirm it. Then it will start showing some errors; ignore them for the time being and follow the next steps without opening any installed apps now.
  • Go to Settings.
  • Tap on Add Account.
  • Tap on Google.
  • If you have an existing account then click on Existing, otherwise you can make a new account.
  • Sign in to your Google account and then allow the Google update. You will now see that your Google account has been linked to this device. Now you can easily operate Google Play Store and install other apps through it.

That’s all for today! Feel free to comment about any issues you are facing :) And if you enjoyed this post, please consider sharing it on Facebook and Twitter.

[Pentester Academy] Web Application Security Challenge 14
Thu, 08 Jan 2015 13:13:18 +0000

This challenge is one of the interesting challenges till now.
So I downloaded the file from the link given on the challenge page.

Then on initializing the initial packets I realized that this capture file is of a file being uploaded to a website (ww18.speedyshare.com).

In our case the file has been divided into 4 parts while uploading, and if we look at the packets which followed the multipart/form-data then there is common .

Packet nos. 182, 63, 15, 116 are all followed by packets which have xaa, xab, xac, xad respectively.

So now I saved the media data of the following four file packets.


Then concatenated all the files into a zip file.
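
The reassembly described in this post, as an added example that is not part of the original write-up: it pulls the file field out of each multipart/form-data body, joins the pieces by name (xaa..xad) rather than by capture order, and checks that the result is a valid ZIP. The upload bodies are constructed stand-ins, not data from the challenge capture, and all function names are hypothetical.

```python
import io
import re
import zipfile

def extract_file_part(content_type, body):
    """Return (filename, raw bytes) of the file field in one multipart/form-data body."""
    boundary = content_type.split("boundary=", 1)[1].strip('"').encode()
    for section in body.split(b"--" + boundary):
        headers, sep, data = section.partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', headers)
        if sep and name:
            # The CRLF in front of the next boundary line is framing, not file data.
            payload = data[:-2] if data.endswith(b"\r\n") else data
            return name.group(1).decode(), payload
    raise ValueError("no file field found in body")

def reassemble(uploads):
    """Join split-style pieces (xaa, xab, ...) by name, not by capture order."""
    parts = dict(extract_file_part(ct, body) for ct, body in uploads)
    blob = b"".join(parts[name] for name in sorted(parts))
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("result does not start with a ZIP local file header")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if zf.testzip() is not None:  # CRC check of every member
            raise ValueError("a ZIP member failed its CRC check")
    return blob

# --- Constructed sample data (assumption: one file field per upload request) ---
def make_upload(filename, chunk):
    boundary = "----constructedBoundary42"
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + chunk + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body

def demo():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed test content\n" * 20)
    original = buf.getvalue()
    step = -(-len(original) // 4)  # ceiling division: four pieces
    names = ["xaa", "xab", "xac", "xad"]
    chunks = {n: original[i * step:(i + 1) * step] for i, n in enumerate(names)}
    # Capture order differs from file order, as with the packet numbers in the post.
    uploads = [make_upload(n, chunks[n]) for n in ["xac", "xab", "xad", "xaa"]]
    return original, reassemble(uploads)

if __name__ == "__main__":
    original, rebuilt = demo()
    print("match:", original == rebuilt, "bytes:", len(rebuilt))
```
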


[Pentester Academy] Web Application Security Challenge 9
Thu, 08 Jan 2015 13:13:00 +0000

[Pentester Academy] Web Application Security Challenge 7
Thu, 08 Jan 2015 13:12:49 +0000

[Pentester Academy] Web Application Security Challenge 6
Thu, 08 Jan 2015 13:12:38 +0000

[Pentester Academy] Web Application Security Challenge 5
Thu, 08 Jan 2015 13:12:29 +0000