Why penetration testing required?
Mobile applications often process any sensitive data (like user details, accessing contacts, photos, etc.), which is the key target of many cybercriminals/attackers. When working with such data, developers must do their best to ensure their protection.
Below are the following methods to test the security flows in the android application step by step.
- Static Analysis.
- Application reverse engineering
- Local storage
- Root or jailbreak detection testing
- SSL pinning testing
- Client-side encryption test
- Insecure Transport Layer Protocols(traffic in HTTP or HTTPS)
- URL Caching (HTTP Request and Response) on cache.db
- SSL/TLS Weak Encryption
- Self-signed certificate(no trusted root CA)
- Dynamic analysis.
- For android:-
- Logcat: For log analysis.
- Drozer:- For activity bypass.
- Application unwanted services check.
- Burpsuite:- For logical and server-side issues.
- For iOS:-
- Data leakage via application screenshot during app back-grounding.
- Runtime analysis using Snoop-it.
- Insecure Logging.
- For android:-
Android application Reverse engineering tools:-
- Apktool:- A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to the nearly original form and rebuild them after making some modifications.
- APKInspector:- GUI tool for analysis of Android applications. The goal of this project is to aide analysts and reverse engineers to visualize compiled Android packages and their corresponding DEX code.
- Objection:– A runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
- AndroBugs Framework:- Android vulnerability scanner that helps pentester’s to find potential security vulnerabilities in Android applications.
- Simplify- Tool for de-obfuscating android package into Classes.dex which can be used Dex2jar and JD-GUI to extract contents of dex file.
iOS application Reverse engineering tools:-
- Lldb:- Quite feature-rich default debugger in Xcode. It can be a useful C++, Objective-C, and C code reverse engineering tool supporting debugging of the corresponding code on the desktop and iOS devices and simulators. It is based on the larger LLVM project re-using libraries such as its dissembler and others. See details: https://lldb.llvm.org/;
- Hopper:- Another interactive reverse engineering tool, native macOS disassembler. It is a shareware with a limited demo version. Get details here http://www.hopperapp.com/;
- Otool:- Complete console solution for exploring and in-place editing Intel and ARM binaries.
- Codesign:- A tool to get information as well as create and manipulate with code signatures. Get details here: https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/codesign.1.html
- IDA:- It is probably the most wide-known and popular disassembler. Being almost a reversing standard for complex tasks, this system should be mentioned among the best iOS reverse engineering software products. Get details here: https://www.hex-rays.com/products/ida;
- MachOView:- An alternative to otool and nm but with GUI, which enables Mach-O file structure visualization. It is a freeware tool. Get details here https://sourceforge.net/projects/machoview/;
- Class-dump:- This tool allows dumping class declarations from executable headers. Get it here https://github.com/nygard/class-dump;
- Dsc_extractor:– This tool can be used to extract libs and frameworks from dyld_shared_cache. When extracting, it saves locations and original names of all objects that are extracted. It is provided by Apple as open-source software.
Mobile Security Framework (MobSF) is an automated, open-source, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic, and malware analysis. It is suggested by OWASP MSTG for static analysis of security in mobile applications. https://github.com/MobSF/Mobile-Security-Framework-MobSF
Local storage testing areas for iOS:-
- NSUserDefaults:– It is one of the most common ways to store data by applications on iOS. The “NSUserDefaults” keeps information stored even after a user closes the application and restarts it.
- Plist files:– Store various settings and configuration related information. If Any information stored within plist files isn’t encrypted and creates a concern with jailbroken devices is one of the major data leakage risks.
- CoreData and SQLite files:– Core data Generalizes and SQLite data storage test. If Any information stored in CoreData or in SQLite is not encrypted and can easily be retrieved as a plain text.
- Keychain:– Encrypts data before even saving it within keychain. The keychain is one of the best ways to store data locally, but given no straightforward implementation, in a quicker go-to-market environment, it usually is ignored.
Local storage testing areas for android:-
- Insecure Shared preference Storage.
- Unencrypted local database files.
- Sensitive data in local SQLite DB.
- Sensible data in logs file and cache.
- User data saved in local shared after logout the application ( only if login and logout function is present).
- Check read and write permission in external storage.
Root or jailbreak detection testing:-
To test the root or jailbreak detection there are many techniques to bypass it.
- Root detection bypass with the Xposed framework.
- Using the root clock
- By using magisk manager
- Root detection bypass via code tempering.
- Root detection bypass via Frida.
The jailbreak detection bypass in every ios version is different due to security patches on every upgrade.
- Rootless jailbreak technology for jailbreak detection bypass.
- Bypassing Jailbreak Detection Using Xcon.
- jailbreak detection bypass unc0ver, and many more.
Note:- Rootless jailbreak technology is a new concept of jailbreak ios devices to takes access to unprivileged areas.
SSL pinning testing:-
SSL pining testing or bypass in android.
- Adding a Custom CA to the User Certificate Store.
- Overwrite Packaged CA Certificate with Custom CA Certificate.
- Use Frida Hook
- SSL pinning bypass via code tempering.
SSL pining testing or bypass in iOS.
- Installing Your Own CA (like Burpsuite CA certificate, etc.).
- Use Installed software like SSLKillSwitch, Burp mobile assistant, etc.
- Using Frida hooks( https://frida.re/) and Objection (https://github.com/sensepost/objection).
- By Reverse engineering the IPA file.
Client-side encryption test in Android and iOS:-
- Check the IV key, and algorithm in source by simply search with keywords (encryption, AES, iv key, encrypt, decrypt, etc.) with the help of JD-GUI or other IDE.
For android testing:-
- Using Logcat check Sensible data transmission during runtime like user credentials, sensitive keys(AWS, firebase, auth tokens), etc. We can use a logcat via ADB command or android studio.
- Using Drozer:-
Starting a session:-
adb forward tcp:31415 tcp:31415 drozer console connect
Retrieving package information:-
run app.package.list -f <app name> run app.package.info -a <package name>
Identifying the attack surface:-
run app.package.attacksurface <package name>
run app.activity.info -a <package name> -u run app.activity.start --component <package name> <component name>
Exploiting Content Provider:-
run app.provider.info -a <package name> run scanner.provider.finduris -a <package name> run app.provider.query <uri> run app.provider.update <uri> --selection <conditions> <selection arg> <column> <data> run scanner.provider.sqltables -a <package name> run scanner.provider.injection -a <package name> run scanner.provider.traversal -a <package name>
Exploiting Broadcast Receivers:-
run app.broadcast.info -a <package name> run app.broadcast.send --component <package name> <component name> --extra <type> <key> <value> run app.broadcast.sniff --action <action>
run app.service.info -a <package name> run app.service.start --action <action> --component <package name> <component name> run app.service.send <package name> <component name> --msg <what> <arg1> <arg2> --extra <type> <key> <value> --bundle-as-obj
Note:- Some of the Drozer techniques will not work with new technologies like a flutter, Cordova, react based native android app.
For ios testing:-
- Data Leakage Via Application Screenshot During App Back-grounding.
- Insecure Logging:- We can use the Organizer utility provided with Xcode. Connect the iDevice to Mac, start the Organizer, and dump the device logs. Also, we can automate this process using IDB tools.
- Runtime analysis using Snoop-it.
- Snoop-it setup iOS pentest tool
- Add the Cydia repository repo.nesolabs.de and install the provided Snoop-it package
- Go to the “Manage” Tab in Cydia
- Click the “Edit” button
- Click the “Add” button
- Enter the URL http://repo.nesolabs.de/ and click the “Add Source” button
- After Cydia finished updating, click the “Return to Cydia” button
- Choose the new repository “NESO Security Labs GmbH”
- Choose “Snoop-it”
- Click the “Install” button
- Click the “Confirm” button
- Now the device will reboot
- Now the Snoop-it app will appear in your SpringBoard.
- Using the Snoop-it Configuration App, please select the Apps (System/Cydia/AppStore) to analyze
- Adjust some Snoop-it settings (like e.g. the listening port of the web interface, authentication, tracing, etc.)
- Run the selected App & point your browser to the Snoop-it web interface.
Burpsuite Most common checklist for android and ios:-
- Server version disclosure
- Insecure HTTP method
- HSTS Header not implemented
- Host Header injection
- HTTP Method not enforced
- Long password Dos
- User credentials Enumeration
- Verbose error
- Null byte to bypass auth
- Weak auth token or session implementation
- Session or auth token not expired after logout
- Reuse of older session or auth token
- Check privilege escalation from lower to higher user access.
- Check IDOR
- API’s Cors attack
- Rate limiting not set
- Input validation check
- SQL injection
Note:- The logical testing methodology for every application will differ due to the application functionality flow.