Rampant digitization has made mobile apps an essential part of our lives. Mobile applications are used everywhere, from government portals, banking applications, e-commerce, healthcare platforms to virtual classrooms.

Securing these apps is a growing challenge with new vulnerabilities found every day. Mobile app and device security awareness is extremely low among users. Hence, data security in mobile applications has become an utmost necessity. Mobile application penetration testing helps in secure apps and mitigates risks from comes fraud attacks, virus or malware infections, data leakage and other security breaches.

Mobile application penetration testing can identify and assess vulnerabilities and misconfigurations that might lead to security concerns such as code execution, privilege escalation, data leakage, and information disclosure. This is a continuous improvement process which is beneficial during application development.

Pen testing involves the following types:

  • Black-box testing: Here the tester does not have any information of the mobile application. The tester behaves like a real attacker and perform tests by exploring publicly available and discoverable information.
  • White-box testing: The tester has complete information about the application including the source code. This is conducted mainly from an internal attacker perspective.
  • Gray-box testing: The tester has partial information about the application (usually credentials).

Mobile application penetration testing methodology

Important steps to consider while testing any mobile app:

  1. Create a application threat model by understanding the application using third party search engines, findig leaked source code using source code repositories, developer forums, and social media etc.
  2. Perform static and dynamic assessments using:
    • Automated scanning tools.
    • Manually explore the application and execute test scenarios before and after installating the app.
  3. Exploit vulnerabilities identified to gain sensitive information, perform any malicious activity and discard any false positives.
  4. Report identified vulnerabilities and their mitigations in detail to the client.

Classifications of mobile application penetration testing

  1. Static Analysis
    During static analysis (also known as white box testing), the mobile app's source code is reviewed to identify vulnerabilities/loopholes in the code. Reverse engineering is a major step in this phase. The application’s source code is reverse engineered to detect sensitive hard-coded values stored in the code. This could be used to gain unauthorized access or to identify business logic and operational flaws in the application. The type of analysis can be performed using manual or automated scanning tools.
  2. Dynamic Analysis
    The goal of dynamic analysis is to find security vulnerabilities in the application through real-time test execution of possible attacks using automated scans and manual testing. Here, the request and response patterns of mobile applications, backend services and APIs are analysed and tampered. Dynamic analysis is used to test whether the app has its security controls in place to prevent attacks such as disclosure of data in transit, authentication and authorization issues, and server configuration errors, etc.

Tools for Android mobile application testing

Below is the list of tools that can be used for automated and manual Android tests:

  • Burp Suite: A proxy-based tool used to perform manual tests by capturing and tampering request/response.
  • Zed Attack Proxy (ZAP): An alternative to Burp Suite with similar functions.
  • Android Debug Bridge: ADB is a command-line tool to communicate with Android devices. This tool is included in the Android SDK platform tools package.
  • APKTool, dex2jar, and JD-GUI: For reverse engineering the source code.
  • Nikto: An open-source vulnerability scanner that checks for vulnerable directories, outdated server software, and potentially dangerous programs.
  • MobSF: Mobile Security Framework, or MobSF, is a penetration testing framework used in static and dynamic analysis.
  • QARK: QARK stands for the Quick Android Review Kit. An open-source project, it is a static-code analysis engine designed to recognize potential vulnerabilities in Java-based Android apps.
  • Drozer: Drozer is an Android application assessment toolkit. It is an interactive tool. A pen tester must install Drozer at his workstation to establish a session with the targeted Android device (either physical or emulated).
  • Frida: A dynamic instrumentation toolkit for developers, reverse engineers, and security researchers.
  • Fiddler: A debugging proxy server tool used monitor and modify requests and responses.

Tools for iOS mobile application testing

Reverse engineering and Static analysis tools

  • MobSF: Mobile Security Framework, or MobSF, is a penetration testing framework used in static and dynamic analysis.
  • Hopper: A tool to disassemble, decompile, and debug mobile applications.
  • Clutch: To decrypt the application binary and dump the IPA file.
  • Otool: Tool to fetch library information from the IPA file.
  • Frida- iOS-dump: Tool to decrypt encrypted binary and dump the IPA file.
  • BFDecrypt: Tool to decrypt Appstore apps in iOS 11.x versions.
  • Cracker XI: Tool to decrypt Appstore apps in iOS 12.x versions.
  • Cydia Impactor: Tool used to instal iOS applications in iPhone.

Dynamic and Runtime Analysis Tools

  • Cycript: Tool that allows a user to modify a running application. Cycript is a JavaScript interpreter and can also understand Objective C syntax. 
  • GDB: Tool to perform runtime analysis of iOS applications. It supports < iOS 9.
  • LLDB: Tool for debugging iOS applications It can be used for latest iOS versions.
  • Keychain Dumper: A tool used to dump the keychain entries on iOS Devices.
  • Frida: A dynamic instrumentation toolkit for developers, reverse engineers, and security researchers.
  • Objection: A runtime mobile exploration toolkit used to assess the mobile application without jailbreaking the device.
  • iNalyzer: A framework used to manipulate iOS applications and tamper its parameters.

Interception Proxies

  • Burp Suite: A proxy-based tool used to perform manual tests by capturing and tampering request/response.
  • Zed Attack Proxy (ZAP): A free security tool which helps to automatically find security vulnerabilities.

Bypassing Tools

  • SSL Kill Switch 2: A tool to disable SSL certificate Validation and SSL Pinning
  • Liberty Lite: A tool for bypassing jailbreak detection
  • Xcon: A tool for bypassing jailbreak detection
  • Swizzler: A tool to help analysing iOS applications. We can use this tool to bypass Touch ID Authentication.

Mobile pen testing : areas of focus

A pentester must focus on these common vulnerabilities of mobile applications while performing tests:

  1. Data such as user information stored in cleartext, unmasked data in screenshots, and keys and passwords in source code.
  2. Poorly secured network communications.
  3. Poorly configured interactions with the platform.
  4. Insecure configuration (signature, debug, etc.).
  5. Issues concerning authentication, access controls and permissions.
  6. Implementation and use of third-party components.

Security breaches is making news quite often. Mobile devices are at a risk of getting hacked with hackers looking for confidential data including PII/MNPI user details and payment card information stored in devices. Often, users unintentionally compromise their devices by opening suspicious links in SMS messages, downloading software from unofficial sources and disabling protection. Securing user data is a responsibility of application owners and device users. A holistic approach to penetration testing is therefore an absolute must to ensure enhanced security of mobile applications.

Credits to Subject Matter Experts:

Rubeshwaran Chokkalingam - Senior Consultant, Riddhi Kapadia - Senior Consultant

To know more about Aujas penetration testing services, talk to our experts at contact@aujas.com.