Mobile Application Penetration Testing
Ebook, 672 pages, 3 hours


About this ebook

Explore real-world threat scenarios, attacks on mobile applications, and ways to counter them

About This Book

- Gain insights into the current threat landscape of mobile applications in particular
- Explore the different options that are available on mobile platforms and prevent circumventions made by attackers
- This is a step-by-step guide to setting up your own mobile penetration testing environment

Who This Book Is For

If you are a mobile application evangelist, mobile application developer, information security practitioner, penetration tester on infrastructure web applications, an application security professional, or someone who wants to learn mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pen-testing.

What You Will Learn

- Gain an in-depth understanding of Android and iOS architecture and the latest changes
- Discover how to work with different tool suites to assess any application
- Develop different strategies and techniques to connect to a mobile device
- Create a foundation for mobile application security principles
- Grasp techniques to attack different components of an Android device and the different functionalities of an iOS device
- Get to know secure development strategies for both iOS and Android applications
- Gain an understanding of threat modeling mobile applications
- Get an in-depth understanding of both Android and iOS implementation vulnerabilities and how to provide counter-measures while developing a mobile app

In Detail

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!" Alongside the growing number of devices and applications, there is also a growth in the volume of personally identifiable information (PII), financial data, and much more. This data needs to be secured.
This is why pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches.
This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loopholes, we'll start securing our applications from these threats.

Style and approach

This is an easy-to-follow guide full of hands-on examples of real-world attack simulations. Each topic is explained in context with respect to testing, and for the more inquisitive, there are more details on the concepts and techniques used for different platforms.
Language: English
Release date: Mar 11, 2016
ISBN: 9781785888694

    Mobile Application Penetration Testing - Velu Vijay Kumar


    Copyright © 2016 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: March 2016

    Production reference: 1070316

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham B3 2PB, UK.

    ISBN 978-1-78588-337-8

    www.packtpub.com

    Credits

    Author

    Vijay Kumar Velu

    Reviewers

    Akash Mahajan

    Swaroop Yermalkar

    Commissioning Editor

    Veena Pagare

    Acquisition Editor

    Aaron Lazar

    Content Development Editor

    Sachin Karnani

    Technical Editor

    Nirant Carvalho

    Copy Editors

    Stuti Srivastava

    Madhusudan Uchil

    Project Coordinator

    Nikhil Nair

    Proofreader

    Safis Editing

    Indexer

    Tejal Daruwale Soni

    Graphics

    Jason Monteiro

    Production Coordinator

    Melwyn Dsa

    Cover Work

    Melwyn Dsa

    About the Author

    Vijay Kumar Velu is a passionate information security practitioner, speaker, and blogger, currently working as a cyber security technical manager at one of the Big 4 consultancies based in India. He has more than 10 years of IT industry experience, is a licensed penetration tester, and has specialized in providing technical solutions to a variety of cyber problems, ranging from simple security configuration reviews to cyber threat intelligence. Vijay holds multiple security qualifications, including Certified Ethical Hacker, EC-Council Certified Security Analyst, and Computer Hacking Forensics Investigator. He loves hands-on technological challenges.

    Vijay was invited to speak at the National Cyber Security Summit (NCSS), Indian Cyber Conference (InCyCon), Open Cloud Conference, and Ethical Hacking Conference held in India, and he has also delivered multiple guest lectures and training on the importance of information security at various business schools in India. He also recently reviewed Learning Android Forensics, Packt Publishing.

    For the information security community, Vijay serves as the director of the Bangalore chapter of the Cloud Security Alliance (CSA) and chair member of the National Cyber Defence and Research Center (NCDRC).

    I would like to dedicate this book to my mother and sister for believing in me and always encouraging me to do what I like with all my crazy ideas. Special thanks to my family, friends (Hackerz), core team (Rachel H Martis, Anil Dikshit, Karthik Belur Sridhar, Vikram Sridharan and Vishal Patel), and Lokesh Gowda for allowing me an ample amount of time in shaping this book.

    A huge thanks to Darren Fuller, my mentor and friend, for providing his support and insights. Also to the excellent team at Packt Publishing for all the support that they provided throughout the journey of this book, especially Sachin and Nirant for their indubitable coordination.

    About the Reviewers

    Akash Mahajan is an accomplished security professional with over a decade's experience in providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world. He is the author of Burp Suite Essentials, Packt Publishing.

    Akash is an extremely active participant in the international security community and a frequent conference speaker. He gives talks as himself, as the head of the Bangalore chapter of OWASP, the global organization responsible for defining the standards for web application security, and as a co-founder of NULL, India's largest open security community.

    I want to thank you, Nikhil, for making sure that reviewing this book was a pleasurable experience.

    Swaroop Yermalkar works as a healthcare security researcher at Philips Health Systems, India, where he is responsible for threat modeling; security research; and the assessment of IoT devices, healthcare products, web applications, networks, and Android and iOS applications. He is the author of the popular iOS security book Learning iOS Penetration Testing, Packt Publishing, and also one of the top mobile security researchers worldwide, working with Synack, Inc.

    He also gives talks and training on wireless pentesting and mobile app pentesting at various security conferences, such as GroundZero, c0c0n, 0x90, DEFCONLucknow, and GNUnify.

    He has been acknowledged by Microsoft, Amazon, eBay, Etsy, Dropbox, Evernote, Simple banking, iFixit, and many more for reporting high-severity security issues in their mobile apps.

    He is an active member of NULL, an open security community in India, and is a contributor to the regular meetups and Humla sessions at the Pune chapter.

    He holds various information security certifications, such as OSCP, SLAE, SMFE, SWSE, CEH, and CHFI. He has written articles for clubHACK magazine and also authored a book, An Ethical Guide to Wi-Fi Hacking and Security.

    He has organized many eminent programs and was the event head of Hackathon—a national-level hacking competition. He has also worked with Pune Cyber Cell, Maharashtra Police, in programs such as Cyber Safe Pune. He can be contacted at <@swaroopsy> on Twitter.

    www.PacktPub.com

    eBooks, discount offers, and more

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    https://www2.packtpub.com/books/subscription/packtlib

    Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

    Why subscribe?

    - Fully searchable across every book published by Packt
    - Copy and paste, print, and bookmark content
    - On demand and accessible via a web browser

    Preface

    The adoption of mobile technology has changed the world; smartphones especially have become an integral part of everyone's lives and an extension of the corporate workplace.

    With over a billion smartphone users worldwide, mobile applications play a crucial role in almost everything a device can do. Most of the time, the security of these applications is an afterthought, even though the data they handle is the one asset that one would like to protect.

    In short, the purpose of this book is to educate you about and demonstrate application security weaknesses on the client (device) side and configuration faults in Android and iOS that can lead to potential information leakage.

    What this book covers

    Chapter 1, The Mobile Application Security Landscape, takes you through the current state of mobile application security and provides an overview of public vulnerabilities in Android and iOS applications. It also teaches you the OWASP mobile top 10 vulnerabilities in order for you to establish a baseline for the vulnerabilities and principles of securing mobile applications.

    Chapter 2, Snooping Around the Architecture, walks you through the importance of an architecture and dives deep into the fundamental internals of the Android and iOS architectures.

    Chapter 3, Building a Test Environment, shows you how to set up a test environment and provides step-by-step instructions for Android and iOS devices within a given workstation.

    Chapter 4, Loading up – Mobile Pentesting Tools, teaches you how to build the toolbox within your workstation required to perform an assessment of any given mobile app, and it also teaches how to configure them.

    Chapter 5, Building Attack Paths – Threat Modeling an Application, shows you how to build attack paths and attack trees for a given threat model.

    Chapter 6, Full Steam Ahead – Attacking Android Applications, shows you how to penetrate an Android application to identify its security weaknesses and exploit them.

    Chapter 7, Full Steam Ahead – Attacking iOS Applications, shows you how to penetrate an iOS application to exploit the weaknesses and device vulnerabilities that affect the application.

    Chapter 8, Securing Your Android and iOS Applications, teaches you the practical way of securing Android and iOS applications, starting from the design phase, and how to leverage different APIs to protect sensitive data on the device.

    What you need for this book

    The following hardware and software are recommended for maximum results:

    Workstation:

    - Windows 7 (64-bit):
      - At least 4 GB of RAM
      - At least 100 GB of hard disk space
      - Java Development Kit 7
      - Active Python
      - Active Perl
    - MacBook (10.10 Yosemite):
      - Xcode with the latest iOS SDK
      - LLDB
      - Python (2.6 or higher)

    Mobile devices:

    - A Google Nexus 5 running Android 5.0 Lollipop or higher
    - An iPhone (either 5 or 6) or iPad running iOS 8.4 or higher

    All the software mentioned in this book is free of charge and can be downloaded from the Internet, except Hopper.

    Who this book is for

    If you are a mobile application evangelist, mobile application developer, information security practitioner, infrastructure web application penetration tester, application security professional, or someone who wants to pursue mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pentesting.

    Conventions

    In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

    Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: Cydia installations are pretty much similar to Linux Debian packages; a majority of the apps are packaged and bundled in the .deb format.

    A block of code is set as follows:

    public StatementDBHelper(Context paramContext)
      {
        this.context = paramContext;
        StatementOpenHelper localStatementOpenHelper = new StatementOpenHelper(this.context);
        SQLiteDatabase.loadLibs(paramContext);
        // The database passphrase is hard-coded into the application
        this.db = localStatementOpenHelper.getWritableDatabase("havey0us33nmyb@seball");
        this.insertStmt = this.db.compileStatement("insert into history (userName, date, amount, name, balance) values (?,?,?,?,?)");
        this.deleteStmt = this.db.compileStatement("delete from history where id = ?");
      }

    Any command-line input or output is written as follows:

    C:\Hackbox\sdk\platform-tools>adb shell monkey 2
    Events injected: 2
    ## Network stats: elapsed time=1185ms (0ms mobile, 0ms wifi, 1185ms not connected)

    New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: Open the iFunbox, click on Quick Toolbar and then click on USB Tunnel.

    Note

    Warnings or important notes appear in a box like this.

    Tip

    Tips and tricks appear like this.

    Reader feedback

    Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

    To send us general feedback, simply e-mail <feedback@packtpub.com>, and mention the book's title in the subject of your message.

    If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

    Customer support

    Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

    Downloading the color images of this book

    We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from
