Mobile Application Penetration Testing
About This Book
- Gain insights into the current threat landscape of mobile applications in particular
- Explore the different options that are available on mobile platforms and prevent circumventions made by attackers
- This is a step-by-step guide to setting up your own mobile penetration testing environment
Who This Book Is For
If you are a mobile application evangelist, mobile application developer, information security practitioner, penetration tester on infrastructure web applications, an application security professional, or someone who wants to learn mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pen-testing.
What You Will Learn
- Gain an in-depth understanding of Android and iOS architecture and the latest changes
- Discover how to work with different tool suites to assess any application
- Develop different strategies and techniques to connect to a mobile device
- Create a foundation for mobile application security principles
- Grasp techniques to attack different components of an Android device and the different functionalities of an iOS device
- Get to know secure development strategies for both iOS and Android applications
- Gain an understanding of threat modeling mobile applications
- Get an in-depth understanding of both Android and iOS implementation vulnerabilities and how to provide counter-measures while developing a mobile app
In Detail
Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!" Alongside the growing number of devices and applications, there is also a growth in the volume of personally identifiable information (PII), financial data, and much more. This data needs to be secured.
This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches.
This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loopholes, we'll start securing our applications from these threats.
Style and approach
This is an easy-to-follow guide full of hands-on examples of real-world attack simulations. Each topic is explained in context with respect to testing, and for the more inquisitive, there are more details on the concepts and techniques used for different platforms.
Mobile Application Penetration Testing - Velu Vijay Kumar
Mobile Application Penetration Testing
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: March 2016
Production reference: 1070316
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78588-337-8
www.packtpub.com
Credits
Author
Vijay Kumar Velu
Reviewers
Akash Mahajan
Swaroop Yermalkar
Commissioning Editor
Veena Pagare
Acquisition Editor
Aaron Lazar
Content Development Editor
Sachin Karnani
Technical Editor
Nirant Carvalho
Copy Editors
Stuti Srivastava
Madhusudan Uchil
Project Coordinator
Nikhil Nair
Proofreader
Safis Editing
Indexer
Tejal Daruwale Soni
Graphics
Jason Monteiro
Production Coordinator
Melwyn Dsa
Cover Work
Melwyn Dsa
About the Author
Vijay Kumar Velu is a passionate information security practitioner, speaker, and blogger, currently working as a cyber security technical manager at one of the Big4 consultancies based in India. He has more than 10 years of IT industry experience, is a licensed penetration tester, and has specialized in providing technical solutions to a variety of cyber problems, ranging from simple security configuration reviews to cyber threat intelligence. Vijay holds multiple security qualifications including Certified Ethical Hacker, EC-council Certified Security Analyst, and Computer Hacking Forensics Investigator. He loves hands-on technological challenges.
Vijay was invited to speak at the National Cyber Security Summit (NCSS), Indian Cyber Conference (InCyCon), Open Cloud Conference, and Ethical Hacking Conference held in India, and he has also delivered multiple guest lectures and training on the importance of information security at various business schools in India. He also recently reviewed Learning Android Forensics, Packt Publishing.
For the information security community, Vijay serves as the director of the Bangalore chapter of the Cloud Security Alliance (CSA) and chair member of the National Cyber Defence and Research Center (NCDRC).
I would like to dedicate this book to my mother and sister for believing in me and always encouraging me to do what I like with all my crazy ideas. Special thanks to my family, friends (Hackerz), core team (Rachel H Martis, Anil Dikshit, Karthik Belur Sridhar, Vikram Sridharan and Vishal Patel), and Lokesh Gowda for allowing me ample amount of time in shaping this book.
A huge thanks to Darren Fuller, my mentor and friend, for providing his support and insights. Also to the excellent team at Packt Publishing for all the support that they provided throughout the journey of this book, specially Sachin and Nirant for their indubitable coordination.
About the Reviewers
Akash Mahajan is an accomplished security professional with over a decade's experience in providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world. He is the author of Burp Suite Essentials, Packt Publishing.
Akash is an extremely active participant in the international security community and a frequent conference speaker. He gives talks as himself, as the head of the Bangalore chapter of OWASP, the global organization responsible for defining the standards for web application security, and as a co-founder of NULL, India's largest open security community.
I want to thank you, Nikhil, for making sure that reviewing this book was a pleasurable experience.
Swaroop Yermalkar works as a healthcare security researcher at Philips Health Systems, India, where he is responsible for threat modeling; security research; and the assessment of IoT devices, healthcare products, web applications, networks, and Android and iOS applications. He is the author of the popular iOS security book Learning iOS Penetration Testing, Packt Publishing, and also one of the top mobile security researchers worldwide, working with Synack, Inc.
He also gives talks and training on wireless pentesting and mobile app pentesting at various security conferences, such as GroundZero, c0c0n, 0x90, DEFCONLucknow, and GNUnify.
He has been acknowledged by Microsoft, Amazon, eBay, Etsy, Dropbox, Evernote, Simple banking, iFixit, and many more for reporting high-severity security issues in their mobile apps.
He is an active member of NULL, an open security community in India, and is a contributor to the regular meetups and Humla sessions at the Pune chapter.
He holds various information security certifications, such as OSCP, SLAE, SMFE, SWSE, CEH, and CHFI. He has written articles for clubHACK magazine and also authored a book, An Ethical Guide to Wi-Fi Hacking and Security.
He has organized many eminent programs and was the event head of Hackathon—a national-level hacking competition. He has also worked with Pune Cyber Cell, Maharashtra Police, in programs such as Cyber Safe Pune. He can be contacted at <@swaroopsy> on Twitter.
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Preface
The adoption of mobile technology has changed the world. Smartphones especially have become an integral part of everyone's lives and an extension of the corporate workplace.
With over a billion smartphone users worldwide, mobile applications play a crucial role in almost everything a device can do. All too often, the security of these applications is an afterthought, even though the data they handle is the very asset that needs protecting.
In short, the purpose of this book is to educate you about and demonstrate application security weaknesses on the client (device) side and configuration faults in Android and iOS that can lead to potential information leakage.
What this book covers
Chapter 1, The Mobile Application Security Landscape, takes you through the current state of mobile application security and provides an overview of public vulnerabilities in Android and iOS applications. It also teaches you the OWASP mobile top 10 vulnerabilities in order for you to establish a baseline for the vulnerabilities and principles of securing mobile applications.
Chapter 2, Snooping Around the Architecture, walks you through the importance of an architecture and dives deep into the fundamental internals of the Android and iOS architectures.
Chapter 3, Building a Test Environment, shows you how to set up a test environment and provides step-by-step instructions for Android and iOS devices within a given workstation.
Chapter 4, Loading up – Mobile Pentesting Tools, teaches you how to build the toolbox within your workstation required to perform an assessment of any given mobile app, and it also teaches how to configure them.
Chapter 5, Building Attack Paths – Threat Modeling an Application, shows you how to build attack paths and attack trees for a given threat model.
Chapter 6, Full Steam Ahead – Attacking Android Applications, shows you how to penetrate an Android application to identify its security weaknesses and exploit them.
Chapter 7, Full Steam Ahead – Attacking iOS Applications, shows you how to penetrate an iOS application to exploit the weaknesses and device vulnerabilities that affect the application.
Chapter 8, Securing Your Android and iOS Applications, teaches you the practical way of securing Android and iOS applications, starting from the design phase, and how to leverage different APIs to protect sensitive data on the device.
What you need for this book
The following hardware and software are recommended for maximum results:
Workstation:
Windows 7 (64-bit):
At least 4 GB of RAM
At least 100 GB of hard disk space
Java Development Kit 7
Active Python
Active Perl
MacBook (10.10 Yosemite):
Xcode with the latest iOS SDK
LLDB
Python (2.6 or higher)
Mobile devices:
A Google Nexus 5 running Android 5.0 Lollipop or higher
An iPhone (either 5 or 6) or iPad running iOS 8.4 or higher
All the software mentioned in this book is free of charge and can be downloaded from the Internet, except Hopper.
Who this book is for
If you are a mobile application evangelist, mobile application developer, information security practitioner, infrastructure web application penetration tester, application security professional, or someone who wants to pursue mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pentesting.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: Cydia installations are pretty much similar to Linux Debian packages; a majority of the apps are packaged and bundled in the .deb format.
A block of code is set as follows:
public StatementDBHelper(Context paramContext)
{
    this.context = paramContext;
    StatementOpenHelper localStatementOpenHelper = new StatementOpenHelper(this.context);
    // SQLCipher: load the native libraries before opening the encrypted database
    SQLiteDatabase.loadLibs(paramContext);
    // The database passphrase is hard-coded in the application
    this.db = localStatementOpenHelper.getWritableDatabase("havey0us33nmyb@seball");
    this.insertStmt = this.db.compileStatement("insert into history (userName, date, amount, name, balance) values (?,?,?,?,?)");
    this.deleteStmt = this.db.compileStatement("delete from history where id = ?");
}
Any command-line input or output is written as follows:
C:\Hackbox\sdk\platform-tools>adb shell monkey 2
Events injected: 2
## Network stats: elapsed time=1185ms (0ms mobile, 0ms wifi, 1185ms not connected)
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: Open the iFunbox, click on Quick Toolbar and then click on USB Tunnel.
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <feedback@packtpub.com>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the color images of this book
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from