Mobile applications have become part of our daily lives; however, their security is still unclear to most users, because we do not know how the applications were developed or whether they were ever subjected to penetration testing.
Downloading and using mobile applications might carry potential risks for both you and your organization, since untested mobile apps may contain security bugs that can easily expose your data. Per Axar’s note, most mobile and healthcare applications contain several security vulnerabilities.
Mobile apps may contain security bugs.
To reduce the risk of security vulnerabilities, one essential measure is penetration testing of mobile apps. Penetration testing a mobile application gives a certain level of confidence, but it needs different approaches and setups than testing web applications.
Here are 8 best practices to help you fight back against mobile hacks with penetration testing:
1. Preparing the security testing plan
The first challenge of penetration testing mobile apps is having a correct methodology. The OWASP iOS map gives an overview of the attack vectors.
The map above shows each important attack surface, with the specific areas used for assessment. Each important attack stage has an essential technique:
⦁ Application mapping ⇒ Information gathering
⦁ Client attacks ⇒ Runtime, binary, and file system analysis
⦁ Network and server attacks ⇒ Network analysis and insecure data storage
Each section requires its own set of tools and skills. To understand the OS being attacked, you must look closely at the type of mobile application, because each one has a different attack vector. A native iOS app, for instance, uses Objective-C or Swift, whereas browser-based or hybrid apps use traditional web application technologies and run in the device’s web browser.
The main difference in analyzing mobile applications compared to web applications is binary and file system analysis. This stage requires reverse-engineering skills and the use of debugging techniques.
2. Preparing the testing environment
Preparing the testing environment is another stage of penetration testing mobile applications. Mobile apps are not the same as web applications: they do not run on every platform and browser, so they need a specifically configured, device-driven testing environment.
For iOS devices, a tester can use the evasi0n7 jailbreak, which gives root/admin access to the OS despite the restrictions imposed by Apple. For Android, a tester can use One Click Root to root a device.
3. Building the attack arsenal
Once the device is ready for penetration testing, building the attack arsenal is necessary for analysis and information gathering. Cydia, the app store for jailbroken iOS, helps you download essential hacking tools: debuggers, decrypters and other tools that help you understand the mechanics of the application.
For binary analysis, Android Apktool and the Android Reverse Engineering virtual machine are recommended. Burp Proxy, Android Proxy, OWASP ZAP, Wireshark, and Tcpdump are just a few of the tools available for network analysis.
4. Preparing the test cases: Application Mapping
In penetration testing, observing the application at the functional level and analyzing its behavior is necessary. Breaking down the whole framework and noting the following will create an accurate model, applying the same principles for creating a test suite as explained in the OWASP testing guide:
- Identity, authentication, and access control => Keychains, brute-force attacks, parameter tampering
- Input validation and encoding => Malicious input, fuzzing
- Encryption => SQLite database password fields, configuration file encryption
- User and session management => Session IDs, time lockouts
- Error and exception handling
- Auditing and logging => Logs, access control to logs.
5. Attacking the client: Binary and file analysis
In penetration testing, a tester applies binary and file analysis to discover insecure API calls and files without adequate access controls. Tools such as IDA Pro or the Hopper App debug and analyze the code to find insecure files. Buffer overflows should not be discarded in this case either.
Moreover, a tester fuzzes the application or applies malicious inputs to find vulnerabilities such as SQL injection. Most techniques used to find vulnerabilities in native applications are similar to web app penetration testing; however, instead of using a proxy to understand the inner workings of the app, a tester should use debugging software.
In addition, some of these techniques involve testing approaches like those used in the OWASP testing guide. Instead of being assisted by an attack proxy to inject malicious input, as in web pen testing, penetration testing mobile apps just needs a tool like iOKit to support it.
To evaluate risks related to data storage on iOS and Android, a tester browses the app’s SQLite database with a SQLite database browser to determine how the database is secured. If it is encrypted, you then verify the type of encryption used on sensitive data fields. For client attack testing, the tester also analyzes whether API keys are stored properly, checking the keychain’s location and access control.
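The data-storage check described above can be scripted: open the app’s local SQLite store, pick the columns whose names suggest secrets, and flag any value that is stored as plaintext rather than as a hash or ciphertext. The code below is an added example, not part of the original post; the sample database it builds is constructed here, and the column-name pattern and the encoded/entropy heuristic are assumptions to tune for the app under test.

```python
import hashlib
import math
import os
import re
import sqlite3
import tempfile

# Column names that commonly hold secrets (assumption: extend this for the app under test)
SENSITIVE = re.compile(r"pass|pwd|secret|token|api_?key|auth", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character: plaintext is usually well below 3, hashes and ciphertext above."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def looks_protected(value: str) -> bool:
    """Heuristic: hex- or base64-shaped and high entropy means hashed/encrypted, not plaintext."""
    encoded = re.fullmatch(r"[A-Fa-f0-9]{32,}|[A-Za-z0-9+/]{24,}={0,2}", value) is not None
    return encoded and shannon_entropy(value) > 3.0

def audit_sqlite(path: str) -> list:
    """Return (table, column, rowid) for each sensitive-column value stored as plaintext."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for col in filter(SENSITIVE.search, cols):
            for rowid, val in con.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(val, str) and not looks_protected(val):
                    findings.append((table, col, rowid))
    con.close()
    return findings

def build_sample_db() -> str:
    """Constructed stand-in for an app's local store: one hashed and one plaintext credential."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (email TEXT, password TEXT, api_token TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?, ?)",
                ("a@example.com", hashlib.sha256(b"hunter2").hexdigest(), "sess-abc-123"))
    con.execute("INSERT INTO users VALUES (?, ?, ?)", ("b@example.com", "hunter2", None))
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    for hit in audit_sqlite(build_sample_db()):
        print("plaintext secret in %s.%s rowid %d" % hit)
```

Point `audit_sqlite` at a database pulled from the device’s sandbox; a hit in a password or token column means the field is stored without hashing or encryption and needs follow-up on how the app protects it.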
6. Network attacks: Install traffic, run traffic
For mobile applications with a client-server tier architecture, testers should pay attention to network attacks. An essential way to investigate them is to capture network traffic and examine the transport layer protection with the help of attack proxies like ZAP. The process should involve more effective tests, such as:
- Authentication: vulnerabilities involving authentication are likely to be found by observing the requests and responses between client and server. If the application uses HTTP basic authentication, that is a risk; at the very least it must be done over SSL.
- Parameter tampering, to test roles and the access controls between them. Also, file analysis (native apps) or spidering the application (web-based apps), to check that the API key is secured properly in an inaccessible folder.
- Session ID tokens sent through GET methods and placed in the URL are visible while proxying the application or sniffing the network.
- Weak encryption and protocols. Mobile applications are more vulnerable in these areas, so a tester should create a category for wireless vulnerabilities revolving around the encryption protocols used by the device.
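The first three checks in the list above (basic auth, cleartext transport, session IDs in GET URLs) are mechanical enough to run over a proxy capture. The following is an added example, not code from the original post: it takes requests in the form (method, URL, headers) as a proxy like ZAP would log them, with a constructed sample capture; the list of session-parameter names is an assumption to adjust per application.

```python
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that usually carry a session identifier (assumption: adjust per app)
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}

def check_request(method: str, url: str, headers: dict) -> list:
    """Flag transport and session-handling weaknesses for a single captured request."""
    issues = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    over_tls = parts.scheme.lower() == "https"
    if not over_tls:
        issues.append("cleartext HTTP")
    # Basic auth is a risk in itself; without TLS the credentials travel base64-encoded only
    if hdrs.get("authorization", "").lower().startswith("basic "):
        issues.append("HTTP basic auth" + ("" if over_tls else " without SSL/TLS"))
    # Session tokens in the query string show up in proxy logs, server logs and sniffed traffic
    for name in parse_qs(parts.query):
        if name.lower() in SESSION_PARAMS:
            issues.append(f"session id '{name}' exposed in {method} URL")
    return issues

def audit_capture(capture: list) -> dict:
    """Run check_request over a capture; return {url: issues} for requests with findings."""
    report = {}
    for method, url, headers in capture:
        issues = check_request(method, url, headers)
        if issues:
            report[url] = issues
    return report

# Constructed sample capture, shaped like a proxy log (not real traffic)
SAMPLE = [
    ("POST", "https://api.example.com/login", {"Authorization": "Basic dXNlcjpwYXNz"}),
    ("GET", "http://api.example.com/profile?sessionid=abc123", {}),
    ("GET", "https://api.example.com/items?page=2", {"Cookie": "sid=xyz"}),
]

if __name__ == "__main__":
    for url, issues in audit_capture(SAMPLE).items():
        print(url, "->", "; ".join(issues))
```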
7. Staging server attacks
In this part, the tester uses Nmap and other penetration testing tools to test the infrastructure, i.e. the server hosting the mobile web app, to map it and find potential vulnerabilities and threats. The testing area should also include arbitrary file upload, cross-origin resource sharing and open redirects, to keep the potential threats as low as possible.
Another point of concern is preventing attacks that try to bypass the authentication mechanisms between client and server. A tester should pay particular attention to this when testing hybrid or web-based mobile applications.
The Apple case in 2013 is an excellent example of a server-side attack. Apple ID iCloud accounts could easily be attacked by resetting the password, because the reset required only the owner’s email address and date of birth. This weak authorization control was the major cause of the problem.
8. Getting to know more about mobile vulnerabilities
There is no doubt that nothing is perfected without practice. Testers should keep in mind that the way to learn more about the security vulnerabilities that occur in mobile applications is to know the vulnerable mobile applications designed for this purpose. Here are some recommended vulnerable applications a tester should know:
⦁ Damn Vulnerable iOS Application (DVIA)
⦁ Androick Project Page
The Damn Vulnerable iOS App comes with a full set of documentation, including articles on setting up a testing environment, runtime analysis, and network traffic, among many other detailed examples.
Loc Tran – Savvycom Blog