Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources

OWASP Delhi
OWASP Delhi

Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July. Watch the webinar here - https://youtu.be/BQWcUjzxJE0 Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing. Starting from what platform to choose, where to learn, good resources, hardware requirements etc etc. Will also demo you about Mobexler - A Mobile Application Penetration Testing Platform and how you can use it for pentesting of iOS as well as android apps. This talk will be a mix of some demo, and some knowledge.

1 of 17
Download to read offline
Getting Started With Hacking Android & iOS Apps Tools, Techniques & Resources
Abhinav Mishra Founder, ENCIPHERS ENCIPHERS InfoSec Consulting | Training @enciphers_ @0ctac0der www.enciphers.com
Mobile Application Penetration Testing What to do? What Why to do? How to do? Where to go, if you are stuck? Why How Where
This is a 1 hour talk. I strongly believe that in focusing on technical parts in one hour, is not the best approach. Hence, this talk will majorly be about the methodology and discussing resources. Disclaimer
What to test? What to look for? The methodology should be based on knowledge, not the tools 01
What? The mobile application penetration testing is mainly divided in two parts: ● Static Analysis ○ As the name suggests, stuff that can be tested statically. Maybe even without installing the app. ● Dynamic Analysis ○ As the name suggests, stuff that can be tested when the app is running. Network calls, crypto, storage etc.
What? What are the ingredients of a mobile application? ● Do you know the structure of the application package? ○ IPA | APK ~ Zip ● Manifest | Plist ● Resources that the app would need ● Source code ● XML? Config? Res? Certs etc.
What? What happens when you install and use a mobile app? ● Permission on device? ○ To access data, use hardware, access other apps etc. ● Provide personal/account data. ○ Username/Email/Password etc. ● Network calls? ○ TLS? MITM? ● On device Security? Data at rest. ○ Crypto? Storage details ● API Security? ○ IDOR? ○ Authorisation/Authentication?
What? Anything else on the device which: ● Handles user and application data ● Handles network connection ● Uses device permissions ● Implements a security control
Ok, so we know what all things are there to be tested/analysed. But why do we need to test each of these things? ● Static Analysis: ○ Sensitive information inside app package might lead to more attack surface. ○ Bad crypto implementation might be bypassed. ● Dynamic Analysis ○ User and application internal data should be safeguarded ○ Not implementing a security control is a security issue, bypassing it might not always be ○ Request and response is the place where all the action happens, this should be secure ○ APIs, are the biggest source of vulnerabilities in mobile applications Why?
If you know what to test and why to test, then finding or knowing how to test that might be the easiest part. IMHO, majority of people focus only on this section… ● What tools to use? ● How to use the tools? ● Click to hack/secure applications So, let’s talk about how to do each of these.... How?
What to test? ● Mobile Application Security Testing Checklist How to test? ● Setting up lab? ○ Hardware Requirements: ■ Android: ● Android Studio/ADB ● Any virtual device, Genymotion, AVD & Tools ■ iOS: ● Preferably Mac, or a high (good) config laptop ● iDevice (iPhone, iPad etc.) [Thanks to Checkra1n] Tools, Techniques & Resources?
Mobexler: A customised virtual machine, designed to help in penetration testing of Android & iOS applications. When to use: ● Does not have Mac ● Don’t want to install a large amount of security tools on Mac ● Want to test Android & iOS apps at the same time, from the same setup Let’s get to Mobexler then. Mobexler
Tools? ● Android: https://enciphers.com/awesome-android-application-security/ ● iOS: https://enciphers.com/awesome-ios-application-security/ Resources? ● Jailbreaking: https://canijailbreak.com/ ● Mobile application hacker's handbook ● OWASP MSTG: https://mobile-security.gitbook.io/mobile-security-testing-guide/ ● Talks on iOS & Android Security: ○ Android: https://www.youtube.com/watch?v=B3Udl86Zu20&t=20700s ○ iOS: https://www.youtube.com/watch?v=B3Udl86Zu20&t=22920s ○ Demystifying Frida: https://www.youtube.com/watch?v=kd05JjCqViY ● Blogs: ○ iOS Security: http://www.allysonomalley.com/ ○ Reverse engg. iOS apps: https://github.com/ivRodriguezCA/RE-iOS-Apps ○ Android Security: https://medium.com/knowing-android/modern-security-in-android-part-1-6282bcb71e6c Tools, Techniques & Resources?
Resources? ● Frida Cheat Sheet, for Android: https://erev0s.com/blog/frida-code-snippets-for-android/ ● Android App Reverse Engg: https://maddiestone.github.io/AndroidAppRE/ Techniques: ● Jailbreak bypass in iOS: https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/ ● SSL Pinning bypass: https://www.cyclon3.com/bypass-instagram-ssl-certificate-pinning-for-ios ● Xamarin cert pinning bypass: https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/ ● Frida scripts: https://codeshare.frida.re/ ● Frida Scripts: https://github.com/0xdea/frida-scripts Trainings: ● iOS Application Security: https://www.enciphers-trainings.com/p/ios-application-security Tools, Techniques & Resources?
Questions?(There's) no such thing as a stupid question.
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. THANKS! Do you have more questions? a@enciphers.com Join Slack: Invite Link

More Related Content

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources

  • 1. Getting Started With Hacking Android & iOS Apps Tools, Techniques & Resources
  • 2. Abhinav Mishra Founder, ENCIPHERS ENCIPHERS InfoSec Consulting | Training @enciphers_ @0ctac0der www.enciphers.com
  • 3. Mobile Application Penetration Testing What to do? What Why to do? How to do? Where to go, if you are stuck? Why How Where
  • 4. This is a 1 hour talk. I strongly believe that in focusing on technical parts in one hour, is not the best approach. Hence, this talk will majorly be about the methodology and discussing resources. Disclaimer
  • 5. What to test? What to look for? The methodology should be based on knowledge, not the tools 01
  • 6. What? The mobile application penetration testing is mainly divided in two parts: ● Static Analysis ○ As the name suggests, stuff that can be tested statically. Maybe even without installing the app. ● Dynamic Analysis ○ As the name suggests, stuff that can be tested when the app is running. Network calls, crypto, storage etc.
  • 7. What? What are the ingredients of a mobile application? ● Do you know the structure of the application package? ○ IPA | APK ~ Zip ● Manifest | Plist ● Resources that the app would need ● Source code ● XML? Config? Res? Certs etc.
  • 8. What? What happens when you install and use a mobile app? ● Permission on device? ○ To access data, use hardware, access other apps etc. ● Provide personal/account data. ○ Username/Email/Password etc. ● Network calls? ○ TLS? MITM? ● On device Security? Data at rest. ○ Crypto? Storage details ● API Security? ○ IDOR? ○ Authorisation/Authentication?
  • 9. What? Anything else on the device which: ● Handles user and application data ● Handles network connection ● Uses device permissions ● Implements a security control
  • 10. Ok, so we know what all things are there to be tested/analysed. But why do we need to test each of these things? ● Static Analysis: ○ Sensitive information inside app package might lead to more attack surface. ○ Bad crypto implementation might be bypassed. ● Dynamic Analysis ○ User and application internal data should be safeguarded ○ Not implementing a security control is a security issue, bypassing it might not always be ○ Request and response is the place where all the action happens, this should be secure ○ APIs, are the biggest source of vulnerabilities in mobile applications Why?
  • 11. If you know what to test and why to test, then finding or knowing how to test that might be the easiest part. IMHO, majority of people focus only on this section… ● What tools to use? ● How to use the tools? ● Click to hack/secure applications So, let’s talk about how to do each of these.... How?
  • 12. What to test? ● Mobile Application Security Testing Checklist How to test? ● Setting up lab? ○ Hardware Requirements: ■ Android: ● Android Studio/ADB ● Any virtual device, Genymotion, AVD & Tools ■ iOS: ● Preferably Mac, or a high (good) config laptop ● iDevice (iPhone, iPad etc.) [Thanks to Checkra1n] Tools, Techniques & Resources?
  • 13. Mobexler: A customised virtual machine, designed to help in penetration testing of Android & iOS applications. When to use: ● Does not have Mac ● Don’t want to install a large amount of security tools on Mac ● Want to test Android & iOS apps at the same time, from the same setup Let’s get to Mobexler then. Mobexler
  • 14. Tools? ● Android: https://enciphers.com/awesome-android-application-security/ ● iOS: https://enciphers.com/awesome-ios-application-security/ Resources? ● Jailbreaking: https://canijailbreak.com/ ● Mobile application hacker's handbook ● OWASP MSTG: https://mobile-security.gitbook.io/mobile-security-testing-guide/ ● Talks on iOS & Android Security: ○ Android: https://www.youtube.com/watch?v=B3Udl86Zu20&t=20700s ○ iOS: https://www.youtube.com/watch?v=B3Udl86Zu20&t=22920s ○ Demystifying Frida: https://www.youtube.com/watch?v=kd05JjCqViY ● Blogs: ○ iOS Security: http://www.allysonomalley.com/ ○ Reverse engg. iOS apps: https://github.com/ivRodriguezCA/RE-iOS-Apps ○ Android Security: https://medium.com/knowing-android/modern-security-in-android-part-1-6282bcb71e6c Tools, Techniques & Resources?
  • 15. Resources? ● Frida Cheat Sheet, for Android: https://erev0s.com/blog/frida-code-snippets-for-android/ ● Android App Reverse Engg: https://maddiestone.github.io/AndroidAppRE/ Techniques: ● Jailbreak bypass in iOS: https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/ ● SSL Pinning bypass: https://www.cyclon3.com/bypass-instagram-ssl-certificate-pinning-for-ios ● Xamarin cert pinning bypass: https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/ ● Frida scripts: https://codeshare.frida.re/ ● Frida Scripts: https://github.com/0xdea/frida-scripts Trainings: ● iOS Application Security: https://www.enciphers-trainings.com/p/ios-application-security Tools, Techniques & Resources?
  • 16. Questions?(There's) no such thing as a stupid question.
  • 17. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. THANKS! Do you have more questions? a@enciphers.com Join Slack: Invite Link