A Guide to Mobile Application Penetration Testing
What is Mobile Application Penetration Testing?
Mobile Application Penetration Methodology
Mobile Application Penetration Testing Methodology is primarily concerned with hardware, file security, and network security. MAPTM has the following stages:
- Discovery
- Analysis/Assessment
- Exploitation
- Reporting
Discovery
Also often called the Reconnaissance stage, in the Discovery stage, the pentester must collect all the crucial information required to successfully exploit mobile applications. This ability to uncover hidden clues and seemingly insignificant vulnerabilities can be the difference between a successful pentest and an unsuccessful one. The process involves:
Open Source Intelligence (OSINT) – the pentester searches for information from social networking sites and search engines, leaked source codes via developer forums, source code repositories, and the dark web.
Understanding the platform
– to aid in developing a threat model, a pentester should learn and understand the mobile application platform (e.g, Are there known vulnerabilities that perhaps have not been patched?).
Client-Side vs. Server-Side Scenarios – the pentester should also understand the type of application he or she is testing, considering such factors as the application’s network interfaces, session management, user data, rooting behaviour and jailbreaking communication with other resources.
Analysis or Assessment
The Analysis and Assessment phase requires the pentester to go through mobile application source codes and identify potential weaknesses and entry points that can be exploited. The different MAPTM assessment techniques include:
Local File Analysis
– the pentester checks the files written on the file system by the application to check for vulnerabilities.
Archive Analysis
– the pentester checks to see if the data at rest is safe. Can the pentester access files that are being stored on a disk? Can the pentester use one app to access the files and history of a different app?
Reverse Engineering
– the penetration tester decompiles applications into readable code. This allows the tester to examine the apps’ internal files and search for vulnerabilities. For reverse engineering, the following tools are available:
- iOS – class-dump-z, otool
- Android – JD-GUI, dex2jar
Inter-Process Communication Endpoint Analysis – The tester reviews different endpoints on the applications’ IPCs. The assessment is done on:
- Content Providers – ensuring that they can access the databases
- Intents – these are signals used to send messages between the components of the Android system
- Activities – these are user-facing components of an app, such as your browser screen.
- Services – these run from the background and quietly perform tasks, though they may not have a specific running app associated with them.
Exploitation
Once the tester has uncovered existing vulnerabilities, it is time to exploit them. This is exactly what it sounds like: behaving “maliciously” in order to see how far he or she can damage the system. Can we upload a SQL-injection into a website? Can we intercept and decrypt traffic?
Exploitation involves one other thing, too, and that involves privilege escalation. If the pentester can gain root access or admin privileges, then there will be no restrictions on the activities that he or she can perform, even going so far as to install a backdoor into the system: creating his or her own private username and password.
Reporting
The report is exactly what it sounds like: an account of any discovered vulnerabilities, as well as the full extent of successful exploitations. The report should be detailed, and should include plenty of supporting documentation (e.g., screenshots). All in all, the most successful penetration tests include a thorough examination of each component of a system, making use of a wide variety of tools. So, what kind of testing tools are available? Let’s take a look.
Mobile Application Penetration Tools
- Quick Android Review Kit (QARK) – a framework for exploiting and auditing Android applications
- OWASP Zed Attack Proxy Project (ZAP) – a free security tool that helps pentesters automate the process of finding security vulnerabilities in both mobile apps and web applications
- Drozer – a framework for testing Android security
- Frida – a dynamic instrumentation toolkit for reverse engineers, developers, and security researchers
- Android Debug Bridge (ADB) – though not a penetration testing tool, it is a versatile command-line tool for communicating with Android devices.
OWASP Mobile Security Testing Guide (MSTG)
The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for reverse engineering and mobile app security testing for Android and iOS mobile security testers. It gives guidelines for the following:
- Basic static and dynamic security testing
- Mobile platforms
- Assessing software protections
- Mobile app reverse engineering and tampering
- Security testing in the mobile app development lifecycle
Mobile App Security Requirements and Verifications
The OWASP Mobile Application Security Verification Standard (MASVS) is, as the name implies, the standard for mobile app security. This is particularly useful for software architects and developers as they seek to develop secure mobile applications.
Mobile App Security Checklist
The current checklists for both MASVS and MSTG can be found on Github, in English, French, Spanish, and Japanese.
Mobile Application Penetration Best Practices
- Creating a detailed plan
- Picking the right penetration testing tools
- Preparing a thorough penetration testing environment
- Managing time wisely
- Launching server attacks
- Remaining focused, patient, and being thorough
- Launching network attacks
- Making use of source instrumentation
- Always practising to sharpen your skills
- Conducting both file-level and binary analyses.
Conclusion
