RMS-Runtime-Mobile-Security

[lwierzbicki]

Describe the issue Maybe it is worth to take a look and investigate this tool: https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security I think we haven't mentioned it anywhere in MSTG.

I could check how it can possibly fit MSTG.

[sushi2k]

Thanks for opening an issue @lwierzbicki . Think I saw it on twitter last week.

I would suggest you give it a try and see if the tool is usable and helps. If so, we can add it first to the list of tools for the host computer: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Basic-Security_Testing.md#recommended-tools---host-computer

Then in a 2nd round we can think about if it makes test cases for Reverse Engineering or other test cases where Frida is needed easier.

[sushi2k]

Hi @Ozturk470. Do you want to pick up the issue?

[cpholguera]

The tool seems to be very similar to House. I'd propose to test it and make a proposal clearly highlighting the differences between RMS and House. And then decide if we'll add a short description of the tool to the list.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Basic-Security_Testing.md#house

[PanwarM]

Hey everyone, I can maybe take this if it is not yet assigned.

[cpholguera]

Hi @PanwarM, it's now assigned to you. Please consider the comment above and gladly provide an overview RMS vs House (differences, pros, cons, etc.) before opening a PR. We still have to evaluate if and how to integrate this tool to the MSTG. Thank you very much!

[m0bilesecurity]

Hey @PanwarM, all

one of the best features of RMS which, AFAIK is not present in other similar tools, is the ability to highlight all the hooked methods that have been executed by the app! Very useful if the code is obfuscated 😉

Have a look at the GIF below

Thank you for your interest in RMS!

[lwierzbicki]

Hey all, I've started using RMS some time ago. It works pretty well. It replaced objection for me. Main features which I (heavily) use:

• Frida scripts (it came with some scripts out-of-box)
• monitoring API (really, really useful regarding monitoring changes made by application) There are other features as well, but I use them rarely.

On most of the pentests/assessments/bug bounties, I use mainly Frida + RMS (and of course Android tools like adb ;)).

[cpholguera]

Hi @lwierzbicki! Thanks for updating.

Did/could you try out House as well? Could you give us some hints on how they differentiate from each other?

Regarding objection, could you point out some more details?

• can you monitor the same things? more? is the graphical overview advantage? can objection be extended via scripts to monitor the missing things?
• Is it being updated often as objection?

@m0bilesecurity We'd be also happy to hear your thoughts on this.

[m0bilesecurity]

Hey @cpholguera, Yes, in my opinion the UI is a big advantage because it helps to perform all the RE stuff much faster. You can easily hook tons of Classes/Methods in a second. The UI also helps to keep track of all the methods that have been hooked and executed by the app (very useful if the code of the app is obfuscated).

RMS comes bundled with a lot of useful FRIDA scripts for bypassing root/jailbreak detection, ssl pinning, biometric authentication, loading Stetho by Facebook, etc... It is also possibile to load private scripts by simply adding them inside the "custom_scripts" folder. The difference with Objection is that FRIDA templates/scripts used by RMS to perform all the hooks and bypasses are always visibile to the user who is always able to edited them on the fly.

As @lwierzbicki said, on Android it is also possible to monitor System APIs used by the app which is currently under analysis via the "API Monitor" tab.

And.... since version 1.4 (released yesterday July, 20th) RMS also supports iOS devices 🎉🎉🎉

Please check below a short video (1min42s) that shows RMS in action on an iOS device (same functionalities are of course also available for Android devices)

Please let me know what you think about Runtime Mobile Security (RMS) 📱🔥 Best 😉 Paolo

[lwierzbicki]

Hi all, Apologies for a late answer. I have tried House before. There are a lot of common features. Usage is also similar. Main differences from my perspective are:

• [RMS] more monitoring functions out of box
• [RMS] support for ios
• [House] more intuitive enumeration of classess/methods (however I rarely use that function)

Objection, the main difference are:

• lack of graphical interface, however if you master command line (then it is faster)
• lack of monitoring (or I haven't discovered it)
• case: you can disable ssl pining by built-in script, however you don't know which it is without checking a code of objection. As built-in ssl pinning works for me in around 50% of application I tested, then I need to give a chance other ssl pinning scripts. However I don't know which one was already tested, then I need tostart from the beginning.

To summarize: All of them are based on an interaction with Frida server. All of them have pros and cons. I think it is good to mention all of them, as they allowed to do the job.

[m0bilesecurity]

Hi all, I've recorded 2 videos in order to explain how to use RMS to solve OWASP Uncrackable Android Apps

• Solving OWASP UnCrackable Android App Level 1 with Runtime Mobile Security (RMS)
• Solving OWASP UnCrackable Android App Level 2 with Runtime Mobile Security (RMS)

P.S. @cpholguera since version 1.4 (released on July, 20th) RMS also supports iOS devices. Is it possibile to edit the title and add the iOS label? 😉 Many thanks Best

[cpholguera]

Done, thanks for the update ;)

[lwierzbicki]

@cpholguera @sushi2k - what is the next step here?

[cpholguera]

We would need a short introduction focusing on the added value of RMS in comparison to other tools. Please don't include anything that can be found in the README, or docs. Simply refer/link to it. Linking to the videos should also help to keep it short.