8. Securing Your Android and iOS Applications | Mobile Application Penetration Testing

Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Mobile Application Penetration Testing

By : Vijay Kumar Velu

5 (3)

Mobile Application Penetration Testing

5 (3)

By: Vijay Kumar Velu

Overview of this book

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!"Alongside the growing number of devises and applications, there is also a growth in the volume of Personally identifiable information (PII), Financial Data, and much more. This data needs to be secured. This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches. This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loop holes, we'll start securing our applications from these threats.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

1. The Mobile Application Security Landscape

1. The Mobile Application Security Landscape

The smartphone market share

Different types of mobile applications

Public Android and iOS vulnerabilities

The key challenges in mobile application security

The mobile application penetration testing methodology

The OWASP mobile security project

OWASP mobile top 10 risks

Summary

2. Snooping Around the Architecture

2. Snooping Around the Architecture

The importance of architecture

The Android architecture

iOS architecture

iOS SDK and Xcode

iOS application programming languages

Understanding application states

Apple's iOS security model

Changes in iOS 8 and 9

iOS isolation

Hardware-level security

iOS permissions

The iOS application structure

Jailbreaking

The Mach-O binary file format

Property lists

Exploring the iOS filesystem

Summary

3. Building a Test Environment

3. Building a Test Environment

Mobile app penetration testing environment setup

Android Studio and SDK

The Android Debug Bridge

Genymotion

Configuring the emulator for HTTP proxy

Google Nexus 5 – configuring the physical device

The iOS SDK (Xcode)

Setting up iPhone/iPad with necessary tools

SSH clients – PuTTy and WinSCP

Emulator, simulators, and real devices

Summary

4. Loading up – Mobile Pentesting Tools

4. Loading up – Mobile Pentesting Tools

Android security tools

iOS security tools

Summary

5. Building Attack Paths – Threat Modeling an Application

5. Building Attack Paths – Threat Modeling an Application

Assets

Threats

Vulnerabilities

Risk

Approach to threat models

Threat modeling a mobile application

Summary

6. Full Steam Ahead – Attacking Android Applications

6. Full Steam Ahead – Attacking Android Applications

Setting up the target app

Analyzing the app using drozer

Android components

Attacking WebViews

SQL injection

Man-in-the-Middle (MitM) attacks

Hardcoded credentials

Encryption and decryption on the client side

Runtime manipulation using JDWP

Storage/archive analysis

Log analysis

Assessing implementation vulnerabilities

Binary patching

Summary

7. Full Steam Ahead – Attacking iOS Applications

7. Full Steam Ahead – Attacking iOS Applications

Setting up the target

Storage/archive analysis

Reverse engineering

Static code analysis

App patching using Hopper

Hardcoded username and password

Runtime manipulation using Cycript

Dumpdecrypted

Client-side injections

Man-in-the-Middle attacks

Implementation vulnerabilities

Building a remote tracer using LLDB

Snoop-IT for assessment

Summary

8. Securing Your Android and iOS Applications

8. Securing Your Android and iOS Applications

Secure by design

Security mind map for developers (iOS and Android)

Device level

Network level

Server level

OWASP mobile app security checklist

Secure coding best practices

Post-production protection

Summary

Index

Index

OWASP mobile app security checklist

The OWASP community has been working on getting the latest risks incorporated. The top 10 list might change in 2016 according to what we see as the top risk by considering various factors. You should be able to see the yearly commentary by visiting https://www.owasp.org/index.php/Mobile2015Commentary.

The checklist can be found at https://drive.google.com/file/d/0BxOPagp1jPHWVnlzWGNVbFBMTW8/view.

Mobile app developers checklist

As we began this chapter with a security mind map, we will now go ahead and create a new checklist for assessment of any iOS and Android apps as follows:

Network Level
Certificate validation	Certificate validation is not performed
Certificate pinning implementation	No certificate pinning noted
Cipher suites configuration	Weak cipher suites noted
CFNetwork usage	CFNetwork API used to negotiate SSL/TLS connection
Side channel leakage prevention	Leaks information through other channels
Insecure caching on network	Improper...

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Mobile Application Penetration Testing

Search

Your notes and bookmarks