book

Mobile Application Penetration Testing

Name: Mobile Application Penetration Testing
Author: Vijay Kumar Velu
ISBN: 9781785883378

by Vijay Kumar Velu

March 2016

Intermediate to advanced

312 pages

7h 15m

English

Packt Publishing

Read now

Unlock full access

Mobile Application Penetration Testing
Table of Contents
Mobile Application Penetration Testing
Credits
About the Author
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the color images of this bookErrataPiracyQuestions
1. The Mobile Application Security Landscape
The smartphone market shareThe android operating systemThe iPhone operating system (iOS)
Different types of mobile applications
Native appsMobile web appsHybrid apps
Public Android and iOS vulnerabilities
Android vulnerabilitiesiOS vulnerabilities
The key challenges in mobile application security
The impact of mobile application securityThe need for mobile application penetration testingCurrent market reaction
The mobile application penetration testing methodology
DiscoveryAnalysis/assessmentExploitationReporting
The OWASP mobile security project
OWASP mobile top 10 risks
Vulnerable applications to practice
Summary
2. Snooping Around the Architecture
The importance of architecture
The Android architecture
The Linux kernelConfusion between Linux and the Linux kernelAndroid runtimeThe java virtual machineThe Dalvik virtual machineZygoteCore Java librariesARTNative librariesThe application frameworkThe applications layerNative Android or system appsUser-installed or custom appsThe Android software development kitAndroid application packages (APK)AndroidManifest.xmlThe structure of the Android manifest fileAndroid application componentsIntentActivityServicesUnbound or start servicesBound serviceBroadcast receiversContent providersAndroid Debug BridgeApplication sandboxingApplication signingSecure inter-process communicationThe Binder processThe Android permission modelThe Android application build processAndroid rooting
iOS architecture
Cocoa TouchMediaCore servicesCore OS
iOS SDK and Xcode
iOS application programming languages
Objective-CThe Objective-C runtimeSwift
Understanding application states
Apple's iOS security model
Device-level securitySystem-level securityAn introduction to the secure boot chainSystem software authorizationSecure EnclaveTouch IDData-level securityData-protection classesKeychain data protection
Changes in iOS 8 and 9
Network-level securityApplication-level securityApplication code signingThe iOS app sandbox
iOS isolation
Process isolationFilesystem isolationASLRStack protection (non-executable stack and heap)
Hardware-level security
iOS permissions
The iOS application structure
Jailbreaking
Why jailbreak a device?Types of jailbreaksUntethered jailbreaksTethered jailbreaksSemi-tethered jailbreaksJailbreaking tools at a glance
The Mach-O binary file format
Inspecting a Mach-O binary
Property lists
Exploring the iOS filesystem
Summary
3. Building a Test Environment
Mobile app penetration testing environment setup
Android Studio and SDK
The Android SDK
The Android Debug Bridge
Connecting to the deviceGetting access to the deviceInstalling an application to the deviceExtracting files from the deviceStoring files to the deviceStopping the serviceViewing the log informationSideloading appsMonkeyrunner
Genymotion
Creating an Android virtual emulatorInstalling an application to the Genymotion emulatorInstalling the vulnerable app to GenymotionInstalling the Genymotion plugin to Android StudioARM apps and Play Store in Genymotion
Configuring the emulator for HTTP proxy
Setting up the proxy in Wi-Fi settingsSetting up the proxy on mobile carrier settings
Google Nexus 5 – configuring the physical device
The iOS SDK (Xcode)
Setting up iPhone/iPad with necessary tools
CydiaBigBoss toolsDarwins CC toolsiPA InstallerTcpdumpiOS SSL kill-switchCycript, Clutch, and class-dump
SSH clients – PuTTy and WinSCP
iFunbox at glanceAccessing SSH without Wi-FiAccessing SSH with Wi-FiInstalling DVIA to the deviceConfiguring the HTTP proxy in Apple devices
Emulator, simulators, and real devices
SimulatorsEmulatorsProsConsReal devicesProsCons
Summary
4. Loading up – Mobile Pentesting Tools
Android security toolsAPKAnalyserThe drozer toolInstalling drozer on GenymotionAPKToolHow to make apps debuggable?The dex2jar APIJD-GUIAndroguardIsn't Androguard only a malware analysis tool?Androguard's androlyze shell environmentAutomating the analysis of multiple filesIntroducing Java DebuggerDebuggingAttachingInstalling Burp CA certificate to the deviceThe list of other tools
iOS security tools
oToolSSL Kill SwitchThe keychain dumperLLDBClutchClass-dump-zInstrumenting with CycriptInstrumentation using FridaHopperSnoop-itInstalling Burp CA certificate to an iOS device
Summary
5. Building Attack Paths – Threat Modeling an Application
Assets
Threats
Threat agents
Vulnerabilities
Risk
Approach to threat models
Threat modeling a mobile application
Mobile application architectureMobile applications and device dataIdentifying threat agentsModes of attacksSecurity controlsHow to create a threat model?The attacker viewThe device or system viewDiscovering potential threatsThreat modeling methodologiesSTRIDEPASTATrikeUsing STRIDE to classify threatsSpoofingTamperingRepudiationInformation disclosureDenial of service (DoS)Elevation of privilegeA typical mobile application threat modelBuilding attack plans and attack treesAttack scenariosA sample attack tree for a stolen or missing deviceA list of free toolsA commercial toolThreat model outcomesRisk assessment modelsBusiness riskTechnical risk
Summary
6. Full Steam Ahead – Attacking Android Applications
Setting up the target appBackend server setup
Analyzing the app using drozer
Android components
Attacking activitiesAttacking servicesAttacking broadcast receiversAttacking content providers
Attacking WebViews
SQL injection
Man-in-the-Middle (MitM) attacks
SSL pinning
Hardcoded credentials
Encryption and decryption on the client side
Runtime manipulation using JDWP
Storage/archive analysis
Log analysis
Assessing implementation vulnerabilities
Binary patching
Summary
7. Full Steam Ahead – Attacking iOS Applications
Setting up the target
Storage/archive analysis
Plist filesClient-side data storesThe keychain dataHTTP response caching
Reverse engineering
Extracting the class informationStringsMemory managementStack smashing protection
Static code analysis
OpenURL schemes
App patching using Hopper
Hardcoded username and password
Runtime manipulation using Cycript
The Bypass login methodSensitive information in the memory
Dumpdecrypted
Client-side injections
SQL injectionUIWebView injections
Man-in-the-Middle attacks
Beating the SSL cert pinning
Implementation vulnerabilities
Pasteboard information leakageKeyboard logsApp state preservation
Building a remote tracer using LLDB
Snoop-IT for assessment
Summary
8. Securing Your Android and iOS Applications
Secure by design
Security mind map for developers (iOS and Android)
Device level
Platform (OS) levelScreenshots/snapshotsSystem caching and logsCut, copy, and pasteiOS cookie and keychainsBinaryCookiesKeychainsApplication levelApp storage protectionProperty lists/shared preferencesProperty lists in iOSShared preferences in AndroidDatabase protectionApplication permissionsBackup settingsDisable debugUse the latest API versionSecuring Android componentsSecuring activitiesSecuring servicesSecuring content providersSecuring broadcast receiversVerify exported componentsEncryptioniOSAndroidKey managementSecuring WebViewiOSAndroidApp cachesBinary protectionJailbreak detectionFilesystem-based detectionAPI-based detectionRoot detectionCommand detection methodDecompiling protectionCode obfuscationDecryption protectionASLR/ARCStack-smashing protectionRuntime protectionURLSchemes protectionClient-side injection protectionAnti-debug implementationFilesystem protectionAnti-tamper implementation
Network level
Certificate pinningCipher suitesCFNetwork usageSecure caching
Server level
AuthenticationAuthorizationInput/output validationsInjection flawsSession managementInformation leakage
OWASP mobile app security checklist
Mobile app developers checklist
Secure coding best practices
AndroidiOSVendor-neutral adviceDeveloper cheat sheetDeveloper policies
Post-production protection
Keeping up to date
Summary
Index

Content preview from Mobile Application Penetration Testing

Summary

In this chapter, we saw the evolution of mobile applications over the years and the need for mobile application security—in particular, the role of penetration testing for mobile applications. Understanding the methodology, common vulnerabilities around iOS and Android are a crucial part of mobile application penetration testing. We covered the current mobile application security landscape and existing methodologies, such as OWASP, along with several concepts and vulnerable applications for testing. We will discuss the different Android and iOS architectures in the next chapter.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781785883378

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mobile Application Penetration Testing

by Vijay Kumar Velu

Summary

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.