Book Image

Mobile Application Penetration Testing

By : Vijay Kumar Velu
Book Image

Mobile Application Penetration Testing

By: Vijay Kumar Velu

Overview of this book

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!"Alongside the growing number of devises and applications, there is also a growth in the volume of Personally identifiable information (PII), Financial Data, and much more. This data needs to be secured. This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches. This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loop holes, we'll start securing our applications from these threats.
Table of Contents (15 chapters)
Mobile Application Penetration Testing
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
Index

Implementation vulnerabilities


Unlike Android, iOS apps can also leak sensitive information the way they are implemented.

Pasteboard information leakage

A majority of the developers allow users to copy and paste data from different areas of the app. This can potentially include some confidential information since these features can be potentially exploited.

We will now hook the iGoat app to Cycript by running cycript –p PID to look at what has been copied from the apps and see whether we are able to extract that information by running [UIPasteboard generalPasteboard].items in Cycript, as shown in the following screenshot:

The preceding screenshot leaks the credit card number under public.utf8-plain-text 4123456790456789; this information can be anything, such as the social security number, e-mail ID, and so on.

Keyboard logs

Apple's features are aimed at increasing the user experience, such as autocorrect and caching the input that is typed into the device's keyboard. This feature comes with a...