Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Mobile Application Penetration Testing
  • Table Of Contents Toc
Mobile Application Penetration Testing

Mobile Application Penetration Testing

By : Vijay Kumar Velu
5 (3)
Buy this Book
close
close
Mobile Application Penetration Testing

Mobile Application Penetration Testing

5 (3)
By: Vijay Kumar Velu
Buy this Book

Overview of this book

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!"Alongside the growing number of devises and applications, there is also a growth in the volume of Personally identifiable information (PII), Financial Data, and much more. This data needs to be secured. This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches. This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loop holes, we'll start securing our applications from these threats.
Table of Contents (10 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. The Mobile Application Security Landscape
Icon
1. The Mobile Application Security Landscape
Icon
The smartphone market share
Icon
Different types of mobile applications
Icon
Public Android and iOS vulnerabilities
Icon
The key challenges in mobile application security
Icon
The mobile application penetration testing methodology
Icon
The OWASP mobile security project
Icon
OWASP mobile top 10 risks
Icon
Summary
2
2. Snooping Around the Architecture
Icon
2. Snooping Around the Architecture
Icon
The importance of architecture
Icon
The Android architecture
Icon
iOS architecture
Icon
iOS SDK and Xcode
Icon
iOS application programming languages
Icon
Understanding application states
Icon
Apple's iOS security model
Icon
Changes in iOS 8 and 9
Icon
iOS isolation
Icon
Hardware-level security
Icon
iOS permissions
Icon
The iOS application structure
Icon
Jailbreaking
Icon
The Mach-O binary file format
Icon
Property lists
Icon
Exploring the iOS filesystem
Icon
Summary
3
3. Building a Test Environment
Icon
3. Building a Test Environment
Icon
Mobile app penetration testing environment setup
Icon
Android Studio and SDK
Icon
The Android Debug Bridge
Icon
Genymotion
Icon
Configuring the emulator for HTTP proxy
Icon
Google Nexus 5 – configuring the physical device
Icon
The iOS SDK (Xcode)
Icon
Setting up iPhone/iPad with necessary tools
Icon
SSH clients – PuTTy and WinSCP
Icon
Emulator, simulators, and real devices
Icon
Summary
4
4. Loading up – Mobile Pentesting Tools
Icon
4. Loading up – Mobile Pentesting Tools
Icon
Android security tools
Icon
iOS security tools
Icon
Summary
5
5. Building Attack Paths – Threat Modeling an Application
Icon
5. Building Attack Paths – Threat Modeling an Application
Icon
Assets
Icon
Threats
Icon
Vulnerabilities
Icon
Risk
Icon
Approach to threat models
Icon
Threat modeling a mobile application
Icon
Summary
6
6. Full Steam Ahead – Attacking Android Applications
chevron up
Icon
6. Full Steam Ahead – Attacking Android Applications
Icon
Setting up the target app
Icon
Analyzing the app using drozer
Icon
Android components
Icon
Attacking WebViews
Icon
SQL injection
Icon
Man-in-the-Middle (MitM) attacks
Icon
Hardcoded credentials
Icon
Encryption and decryption on the client side
Icon
Runtime manipulation using JDWP
Icon
Storage/archive analysis
Icon
Log analysis
Icon
Assessing implementation vulnerabilities
Icon
Binary patching
Icon
Summary
7
7. Full Steam Ahead – Attacking iOS Applications
Icon
7. Full Steam Ahead – Attacking iOS Applications
Icon
Setting up the target
Icon
Storage/archive analysis
Icon
Reverse engineering
Icon
Static code analysis
Icon
App patching using Hopper
Icon
Hardcoded username and password
Icon
Runtime manipulation using Cycript
Icon
Dumpdecrypted
Icon
Client-side injections
Icon
Man-in-the-Middle attacks
Icon
Implementation vulnerabilities
Icon
Building a remote tracer using LLDB
Icon
Snoop-IT for assessment
Icon
Summary
8
8. Securing Your Android and iOS Applications
Icon
8. Securing Your Android and iOS Applications
Icon
Secure by design
Icon
Security mind map for developers (iOS and Android)
Icon
Device level
Icon
Network level
Icon
Server level
Icon
OWASP mobile app security checklist
Icon
Secure coding best practices
Icon
Post-production protection
Icon
Summary
9
Index
Icon
Index

Assessing implementation vulnerabilities

With all the vulnerabilities that we are able to find with respect to Android apps, it is important to understand what could potentially happen if attackers elevate privilege on the device from the app. This section focuses on vulnerabilities on the device itself rather than on an app.

Implementation vulnerabilities are of two types:

  • Local: Local vulnerabilities include platform-based and default apps that are installed

  • Remote: These are remote vulnerabilities within the platform that might allow remote access of the device

Let's take an example of packages that are running under the UID 1000. The following screenshot shows how many apps are running under the same UID. These shared IDs can be taken advantage of by malicious apps in order to control the device, even if it is not rooted. The following command is used to show how many apps are running under the same UID:

run app.package.list –u 1000

One more example is system accounts being stored in plaintext...

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Mobile Application Penetration Testing
End of Section 6
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon