Book Image

Mobile Application Penetration Testing

By : Vijay Kumar Velu
Book Image

Mobile Application Penetration Testing

By: Vijay Kumar Velu

Overview of this book

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!"Alongside the growing number of devises and applications, there is also a growth in the volume of Personally identifiable information (PII), Financial Data, and much more. This data needs to be secured. This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches. This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loop holes, we'll start securing our applications from these threats.

Related Content you might be interested in

Current Title:

Small book image
Mobile Application Penetration Testing
Vijay Kumar Velu
Mar, 2016 | 312 pages
No titles found
Table of Contents (15 chapters)
Mobile Application Penetration Testing
Mobile Application Penetration Testing
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Mobile Application Security Landscape
The Mobile Application Security Landscape
The smartphone market share
Different types of mobile applications
Public Android and iOS vulnerabilities
The key challenges in mobile application security
The mobile application penetration testing methodology
The OWASP mobile security project
OWASP mobile top 10 risks
Summary
2
Snooping Around the Architecture
Snooping Around the Architecture
The importance of architecture
The Android architecture
iOS architecture
iOS SDK and Xcode
iOS application programming languages
Understanding application states
Apple's iOS security model
Changes in iOS 8 and 9
iOS isolation
Hardware-level security
iOS permissions
The iOS application structure
Jailbreaking
The Mach-O binary file format
Property lists
Exploring the iOS filesystem
Summary
3
Building a Test Environment
Building a Test Environment
Mobile app penetration testing environment setup
Android Studio and SDK
The Android Debug Bridge
Genymotion
Configuring the emulator for HTTP proxy
Google Nexus 5 – configuring the physical device
The iOS SDK (Xcode)
Setting up iPhone/iPad with necessary tools
SSH clients – PuTTy and WinSCP
Emulator, simulators, and real devices
Summary
4
Loading up – Mobile Pentesting Tools
Loading up – Mobile Pentesting Tools
Android security tools
iOS security tools
Summary
5
Building Attack Paths – Threat Modeling an Application
Building Attack Paths – Threat Modeling an Application
Assets
Threats
Vulnerabilities
Risk
Approach to threat models
Threat modeling a mobile application
Summary
6
Full Steam Ahead – Attacking Android Applications
Full Steam Ahead – Attacking Android Applications
Setting up the target app
Analyzing the app using drozer
Android components
Attacking WebViews
SQL injection
Man-in-the-Middle (MitM) attacks
Hardcoded credentials
Encryption and decryption on the client side
Runtime manipulation using JDWP
Storage/archive analysis
Log analysis
Assessing implementation vulnerabilities
Binary patching
Summary
7
Full Steam Ahead – Attacking iOS Applications
Full Steam Ahead – Attacking iOS Applications
Setting up the target
Storage/archive analysis
Reverse engineering
Static code analysis
App patching using Hopper
Hardcoded username and password
Runtime manipulation using Cycript
Dumpdecrypted
Client-side injections
Man-in-the-Middle attacks
Implementation vulnerabilities
Building a remote tracer using LLDB
Snoop-IT for assessment
Summary
8
Securing Your Android and iOS Applications
Securing Your Android and iOS Applications
Secure by design
Security mind map for developers (iOS and Android)
Device level
Network level
Server level
OWASP mobile app security checklist
Secure coding best practices
Post-production protection
Summary
Index
Index

Chapter 1. The Mobile Application Security Landscape

Life is now in the palm of your hands. Risk is real, threats are growing!

With more than 1 billion users worldwide and 2.5 million applications (and still counting) available across Google and Apple digital marketplaces, smartphones have become commonplace. The difference they make to our lives is stark and simple, and is impacting our day to day life in multiple ways—in particular, the way we interact, work, and socialize. The increase in demand from consumer market and processing power and the capabilities of smartphones, such as storage, GPS, camera, displays, and so on, have changed the paradigm of the development of mobile applications. The ability to do online banking, trading, e-mails, airport check-ins, and much more is just a tap away.

Mobile application development is the hottest type of software development right now. New surface area equals dangerous surface area, which means that the uppermost layer of smartphones is mobile apps, which are the potential targets of adversaries.

This chapter will cover the current state of mobile application security. We will discuss some of the public vulnerabilities that are disclosed in various mobile applications in order to provide a context and reasons why security needs to be at the forefront of every mobile application developer's mind. We will also cover the following topics:

  • Android and iOS vulnerabilities

  • Key challenges in mobile application security

  • The impact of mobile application security

  • The need for mobile application penetration testing

  • The mobile application penetration testing methodology

  • The OWASP (short for Open Web Application Security Project) mobile top 10 risks

There is no doubt that mobile applications have emerged as one of the most significant innovations of all time. Statista (for more information, visit http://www.statista.com/), a statistical portal company, reports that there are around 1.6 million applications in Google Play Store, 1.5 million applications in the Apple app store, 400,000 applications in the Amazon app store, 340,000 applications in Windows Phone Store, and 130,000 applications in Blackberry World. These statistics alone reflect the exponential growth in mobile applications over the years.

Numerous applications are introduced in stores every single week. At the same time, thousands of cyber criminals, also known as hackers, keep a tab on these applications by constantly looking for new applications that are published to the stores and try to compromise the user information or embed any malicious programs by various techniques. None of the development frameworks currently used are proven as immune to security issues.

Previous Section
End of Section 1
Next Section