Xamarin Mobile App pentesting


Avinash Sinha

Feb 18, 2016, 11:33:26 PM
to OWASP Mobile Top 10 Risks
Hi All,

Anyone with any ideas on how to do pen-testing of mobile applications developed using the Xamarin framework?

1. Automated tools
2. Manual tools
3. Where to look for configuration files (as in the case of normal Android apps it is AndroidManifest.xml)

Regards
Avinash Sinha

Blake Robertson

Feb 19, 2016, 12:42:51 AM
to Avinash Sinha, OWASP Mobile Top 10 Risks
I'm actually curious about this too. We've been running into a lot more apps developed with Xamarin.

-
Blake Robertson
Email: blake.rob...@gmail.com
Cell: 240-538-4376
Sent from my iPhone
> --
> You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
> For more options, visit https://groups.google.com/a/owasp.org/d/optout.

Jason Axley

Feb 19, 2016, 1:55:04 AM
to Blake Robertson, Avinash Sinha, OWASP Mobile Top 10 Risks
My experience is that Xamarin is so fringe that even the pen test companies don't test it properly. They often just test as if they were "normal" mobile applications and look for the typical platform issues. I wanted someone to actually look at the attack surface that the Xamarin mono runtime adds to the application and try to exploit that stuff, as well as look for platform inconsistencies in how the APIs sometimes work (e.g. there was a bug with the ServerCertificateValidationCallback not getting called on one platform but getting called on another). You have lots of additional framework/platform bugs that can creep in. One thing worth exploring is that the Mono runtime has its own debug interface separate from the OS. I wondered what was preventing other apps from connecting to it. https://developer.xamarin.com/guides/cross-platform/deployment,_testing,_and_metrics/debugging_with_xamarin/

There are also some misunderstandings of the Xamarin platform on iOS that lead to improper testing, such as the claim that because it is ahead-of-time compiled to native code it is no longer running a mono runtime, and is actually like translated code (C# compiled into Objective-C with no mono in the middle). That would be like saying .Net native compilation (https://msdn.microsoft.com/en-us/library/dn807190(v=vs.110).aspx) makes .Net apps into win32 apps. It is not clear whether the mono runtime employed is functionally the same (with the debug capabilities, etc.) or trimmed down as in the .Net native compilation case (other than removal of features Apple won't allow, like Reflection.Emit for dynamic code). https://developer.xamarin.com/guides/ios/advanced_topics/limitations/ indicates it still has a mono runtime on iOS.

-Jason
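The ServerCertificateValidationCallback inconsistency mentioned above is worth illustrating from the app side. The following is an added example, not code from this thread or from Xamarin: it places the "accept everything" callback that often ends up in Xamarin apps beside a fail-closed variant that pins the leaf certificate, and adds an invocation counter so a debug build can confirm the callback actually fires on each platform rather than assuming it does. The pin value and the class name are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

// Added example, not code from the thread or from Xamarin. Shows the
// "accept everything" validation callback next to a fail-closed, pinned
// variant, plus a counter that lets a test build verify the callback
// is really invoked on the platform under test.
public static class TlsValidation
{
    // Placeholder pin: SHA-256 over the DER bytes of the expected leaf
    // certificate, hex encoded. Assumption: replaced with the real backend
    // fingerprint and rotated together with the certificate.
    public const string PinnedLeafSha256Hex = "REPLACE_WITH_REAL_LEAF_SHA256";

    // Incremented on every call so a debug build can assert the callback fired.
    private static int invocations;
    public static int Invocations => Volatile.Read(ref invocations);

    // INSECURE: every certificate is accepted, so any interception succeeds.
    // Commonly introduced to silence a self-signed dev-server error.
    public static bool AcceptAnything(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        Interlocked.Increment(ref invocations);
        return true;
    }

    // Hardened: the platform chain/name check must already have passed
    // (errors == None) AND the leaf must match the pin. Fails closed on a
    // missing certificate or any policy error.
    public static bool PinnedValidation(object sender, X509Certificate cert,
                                        X509Chain chain, SslPolicyErrors errors)
    {
        Interlocked.Increment(ref invocations);
        if (cert == null || errors != SslPolicyErrors.None)
            return false;

        string actual = Sha256Hex(cert.GetRawCertData());
        return string.Equals(actual, PinnedLeafSha256Hex,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Hex-encoded SHA-256 of a DER blob (the pin format used above).
    public static string Sha256Hex(byte[] der)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(der);
            return BitConverter.ToString(digest).Replace("-", string.Empty);
        }
    }

    // Installs the pinned callback process-wide for the managed HTTP stack.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = PinnedValidation;
    }
}
```

Given the platform difference described in the post, a debug build should make one request after `Install()` and check that `Invocations` is non-zero on every target; if it stays at zero, the HttpClient handler in use is not routing through this callback and the pin is not being enforced there at all.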

Jeff Gonzales

Dec 12, 2019, 11:34:10 AM
to OWASP Mobile Top 10 Risks, Avinash Sinha, blake.rob...@gmail.com
Has anyone found a solution to this yet?


Sven Schleier

Dec 12, 2019, 7:59:22 PM
to Jeff Gonzales, OWASP Mobile Top 10 Risks, Avinash Sinha, blake.rob...@gmail.com
Hi Jeff,

This mailing list is not used anymore by the mobile project. I would suggest joining our Slack channel instead: https://github.com/OWASP/owasp-mstg#contributions-feature-requests-and-feedback

In terms of testing Xamarin apps, the biggest challenge might be to achieve a MITM position, as Xamarin apps do not use the system proxy. This is explained here: https://github.com/OWASP/owasp-mstg/blob/1a8b990ff04c0d7d2091033d075dd8f24e0418b5/Document/0x04f-Testing-Network-Communication.md#example---dealing-with-xamarin. We also have a PR in the queue that will be merged soon which explains the setup with an access point: https://github.com/OWASP/owasp-mstg/pull/1599/files

Once you are in a MITM position it should be pretty straightforward, and you can use all the other hacks, tricks and test cases described in the MSTG for Android/iOS. If there are specific questions, please raise an issue in our MSTG GitHub or in Slack.

There are no tools available that specifically cover Xamarin apps, to the best of my knowledge.

Thanks and cheers,

Sven 
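The point above that Xamarin apps do not pick up the system proxy has a developer-side counterpart: a team that wants to run the MSTG network test cases against its own app can expose an explicit proxy in debug builds only. The following is an added example, not code from this thread or from the MSTG; the `DEBUG` symbol, the class name and the `proxyUri` parameter are assumptions for the illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;

// Added example, not from the thread or the MSTG. A debug-only hook that
// routes the managed HttpClientHandler through an explicit proxy so the
// app can be exercised with the MSTG network test cases. Release builds
// ignore the argument and never consult any proxy.
public static class TestableHttp
{
    public static HttpClient Create(Uri proxyUri)
    {
        var handler = new HttpClientHandler();
#if DEBUG
        // Debug builds: honour an explicit proxy if one was supplied,
        // e.g. the interception host used during testing.
        if (proxyUri != null)
        {
            handler.Proxy = new WebProxy(proxyUri);
            handler.UseProxy = true;
        }
#else
        // Release builds: no proxy, explicit or system-wide. The parameter
        // is deliberately unused so a leftover test value cannot redirect
        // production traffic.
        handler.UseProxy = false;
        handler.Proxy = null;
#endif
        return new HttpClient(handler);
    }
}
```

Gating the proxy on a compile-time symbol rather than a runtime flag means a release binary contains no code path that can be flipped into proxy mode, which keeps the testability hook from becoming a redirection weakness in shipped builds.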

