Mobile Applications Penetration Testing Methodology
- Preparation: First, a thorough walkthrough of the application to be tested is done to obtain the necessary testing information (credentials, application builds, URLs and, where available, source code), to provide an overview of our testing process, and to discuss any special testing requirements.
- Application Footprinting: The application is then installed on the mobile device, and snapshots of the file system and (if applicable) the registry are taken before and after installation. All files related to the application are analyzed to determine whether they contain sensitive information such as credit card numbers, passwords, banking details, etc. The file system is examined again after performing significant transactions, such as money transfers, to determine which files are being changed and whether or not they can be manipulated to exploit the application.
- Reverse Engineering: If source code has not been provided, the application is decompiled to discover the underlying programming logic. This code is then examined to determine whether or not it is possible to exploit the application by removing or modifying pieces of the programming logic. Our Security Engineers attempt to uncover design flaws in the application and hidden secrets such as passwords and encryption keys in the code.
- Code Review: If source code is provided, we examine the code for traditional vulnerabilities as well as the top-listed mobile application vulnerabilities and platform-specific vulnerabilities.
- Traffic Interception and Analysis: Mobile applications interact with a server through HTTP/HTTPS or other means. We configure the mobile device to route traffic through a proxy such as Burp Suite or Paros and examine the server communication. The communication is then analyzed for authorization issues, injection flaws, etc.
- Detailed Report: A detailed report on the tests performed above is compiled, giving the severity level of each vulnerability discovered and ways to mitigate it.
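The Application Footprinting step above (snapshot the app's files after install, repeat after a transaction, then inspect whatever changed) can be scripted. The following is an added example, not part of the original methodology or any tool listed on this page; it assumes the app's data directory has been pulled to a local folder, and the sample files, the hypothetical prefs.xml and txn_cache.json, are constructed here for the demo.

```python
import hashlib, re, tempfile
from pathlib import Path

CARD_RE = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')
CRED_RE = re.compile(r'(?i)\b(password|passwd|token|secret)\b["\']?\s*[=:]\s*\S+')

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to the SHA-256 of its bytes."""
    snap = {}
    for path in Path(root).rglob('*'):
        if path.is_file():
            snap[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap

def diff_snapshots(before, after):
    """Sorted lists of files added, modified and removed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, modified, removed

def luhn_ok(digits):
    """Luhn checksum; cuts false positives when a digit run is flagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(root, paths):
    """Scan the given files for Luhn-valid card numbers and credential-looking keys."""
    findings = []
    for rel in paths:
        text = Path(root, rel).read_bytes().decode('utf-8', 'ignore')
        findings += [(rel, 'card-number') for m in CARD_RE.finditer(text)
                     if luhn_ok(re.sub(r'[ -]', '', m.group()))]
        findings += [(rel, 'credential:' + m.group(1).lower()) for m in CRED_RE.finditer(text)]
    return findings

def demo():
    """Constructed walkthrough: a fake app data directory before and after a 'transfer'."""
    root = tempfile.mkdtemp()
    Path(root, 'prefs.xml').write_text('<map><string name="theme">dark</string></map>')
    before = snapshot(root)  # state right after install and first launch
    # Simulated transaction: the app caches card data and a session token in cleartext.
    Path(root, 'txn_cache.json').write_text('{"card": "4111 1111 1111 1111", "token": "abc123"}')
    Path(root, 'prefs.xml').write_text('<map><string name="theme">dark</string><string name="last_payee">ACME</string></map>')
    added, modified, removed = diff_snapshots(before, snapshot(root))
    return added, modified, removed, find_sensitive(root, added + modified)
```

Only files that appeared or changed during the transaction are scanned, which keeps the review focused on what the app actually writes at runtime; a hit on a cache or preferences file is the "insecure data storage" finding the report should carry.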
Mobile Application Penetration Testing
- Environmental Analysis
o Analyzing internal processes and structures.
o Knowing about the company behind the app and their business case.
- Architectural Analysis
o Runtime environment (MDM, jailbreak/rooting, OS version).
o Backend services (application server, databases, and firewall).
o App (network interfaces, data used, communication with other resources, session management, jailbreak/rooting detection).
Vulnerabilities that will be tested:
- Weak Server Side Controls
- Insecure Data Storage
- Insufficient Transport Layer Protection
- Unintended Data Leakage
- Poor Authorization and Authentication
- Broken Cryptography
- Client Side Injection
- Security Decisions Via Untrusted Inputs
- Improper Session Handling
- Lack of Binary Protections
- Check whether credentials are transported over an encrypted channel.
- Testing for authentication bypass bugs.
- Brute-force and dictionary attacks against login.
- Test password reset forms.
- Testing for privilege escalation between accounts.
Tools to be used:
- Android: dex2jar, JD-GUI, APK Studio
- iOS: otool, class-dump-z
Automatic and Manual Source Code Analysis:
- Android: Androwarn, Andrubis, ApkAnalyser.
- iOS: FlawFinder, Clang Static Analyzer.
Network Traffic Analysis:
- ProxyDroid, Wireshark, Burp Suite.
Checking User Authentication:
- iOS: GNU Debugger, Snoop-it, Cycript.
- Android: Mercury, Intent Sniffer, Intent Fuzzer.
File Activity Analysis:
- iOS: filemon
- Android: androidAuditTools.