Mobile Applications have become an essential part of our lives as our dependence on smartphones has grown. But many users are unaware of the security of their devices. A recent study on the state of application security that “84 percent of mobile app users believe that their mobile health and finance apps are adequately secure.”
Security can often be a false perception if we do not know how our applications were developed and penetration tested. The reality is that downloading and using these applications can represent a potential risk to both you and your organization, given that untested apps may contain security bugs that can make your data vulnerable.
One way to avoid this risk is to make sure that mobile apps have been properly pen tested against security vulnerabilities. Penetration testing can provide us with a certain level of confidence, but hacking into mobile applications demands a different approach and setup than with web applications.
Different Types Of Mobile Applications
The apps are broadly categorized into the following types:
• Native apps: Native applications that reside in the mobile operating system are installed via the respective app stores. These apps are typically built using development tools and languages (Xcode and Objective C, Swift for iOS apps, and Android Studio and Java for Android apps) and are designed for a particular platform and can take advantage of all the device features, such as the usage of the camera, GPS, phone contact list, and so on.
Android & iOS Applications
Android: Android is a software stack developed by Google and the Open Handset Alliance (OHA) for mobile devices. Every application runs as its own user and group and applications run under their own user and group ID’s for segregation of user processes. This in theory stops one application from manipulating another applications data. Applications interact using permissions which are agreed upon at the time of installation. The user either accepts these permissions or not, if not the application will not install.
Installable files in Android are called Android application package (APK) files. This is the file format used by Google to distribute applications for the Android operating system and is similar to .exe files in Windows.
It is very beneficial to understand the Android permission model, which is implemented for every single app while assessing it for privacy concerns. The application to be installed will request access to multiple resources. This is presented to the user so that he or she can make a decision whether to install or not. A majority of users who are want to install the app on their device fail to read the permissions that they are granting the app, which means they are exposing the device to malicious activities or making it more vulnerable.
iOS Applications: iOS is the operating system that runs on all Apple mobile devices. Unlike other major operating systems, iOS manages the hardware device and provides the technologies required to build the applications on the platform. It is not possible to run iOS and Mac OS X on any other hardware apart from Apple’s, and it is restricted to use iOS on any other mobile device apart from Apple’s for security and commercial reasons.
The foundation of the iOS platform relies on its System Security. This consists of the Secure Boot Chain, System Software Authorization, Secure Enclave, and Touch ID. In addition to the system security protection mechanisms, iOS has encryption and data protection, which exist to add additional layers of security even when the device is compromised, lost, or stolen.
Mobile App Pen Testing Methodology
Discovery : It may be possible to find out information about an application by checking through search engines, third-party libraries that are used, or finding leaked source code through the use of source code repositories, developer forums, and social media.
Understanding the platform is a crucial part of application penetration testing. It gives a clear understanding from an external point of view when it comes to creating a threat model for the application.
Analysis / Assessment : Mobile applications have a unique way of assessment or analysis, and testers have to check the applications pre and post installation. This can be done by static analysis without executing the application, on the provided or decompiled source code and accompanying files , or by dynamic analysis which is performed while the application is running on the device. Archive analysis can be done where the application installation packages for the Android and iOS platforms will be extracted and examined to review configuration files. Reverse engineering could be attempted to convert the compiled applications into human-readable source code.
Exploitation : To demonstrate real-world data breach, a properly executed exploitation can happen very quickly. This involves
- Attempt to exploit the vulnerability: Acting upon the discovered vulnerabilities to gain sensitive information or perform malicious activities.
- Privilege escalation: Demonstration of identified vulnerability to gain privileges and attempt to become a super user.
Reporting : This involves creating a detailed report about the discovered vulnerabilities, including the overall risk rating, description, the technical risk associated, technical impact, the business impact and proof of concept, and recommendations to fix the findings.
Types Of Mobile App Penetration Testing
Black Box Testing : Black-box testing is a kind of testing where no knowledge about the app under test is given to the tester. This is sometimes called “zero-knowledge testing”. The main interest of this kind of tests is to behave like a real attacker and see what is possible when using publically available or discoverable information. Black-box testing might be a good choice if the app is already mature from a security point of view and if the client wants to test the implemented security controls and their effectiveness.
White Box Texting : White-box testing is the total opposite of black-box testing in that, in this situation, full knowledge about the app is given to the tester: that may include source code, documentations, diagrams etc. While testing in such conditions is way easier and faster than in black-box conditions, it does not allow the checking of as many test cases as black-box. It is generally more purposeful for improving the app against internal attackers. This is sometimes referred to as “full knowledge testing”.
All kinds of testing in between the two previous kinds of tests are called grey-box testing: this is when some information is provided to the tester, but some other is left to find. This is an interesting compromise when it comes to the number of test cases checked, cost, speed and depth of testing.
Static Analysis of mobile apps deals with examining the inner elements of an application without executing it. It often refers to source code analysis, either done manually or aided by an automated tool. On the other hand, Dynamic Analysis deals with examining the app from the outside when executing it. It can be either manual or automatic. It usually does not provide the same information as Static Analysis and is a good manner to detect interesting elements with a user point of view. Vulnerability analysis is, generally speaking, the fact of looking for vulnerabilities in an app. While this may be done manually, most of the time automated scanners are used to identify the main vulnerabilities of an app.
The different tools that can be used for Android App pen test are :
- APKTool, dex2jar, and JD-GUI
- JDB debugging
The Different tools which can be used for iOS Pen test are
- keychain dumper
- LLDB remote debugging
- Clutch, Class-dump-z, and instrumentation with Frida and Cycript