Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing: which platform to choose, where to learn, good resources, hardware requirements and so on. I will also demo Mobexler, a mobile application penetration testing platform, and show how you can use it for pentesting iOS as well as Android apps. This talk will be a mix of demo and knowledge.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
4. Disclaimer
This is a 1 hour talk. I strongly believe that focusing on the technical parts in one hour is not the best approach. Hence, this talk will mainly be about the methodology and discussing resources.
5. What to test? What to look for?
The methodology should be based on knowledge, not the tools.
6. What?
Mobile application penetration testing is mainly divided into two parts:
● Static Analysis
○ As the name suggests, things that can be tested statically, maybe even without installing the app.
● Dynamic Analysis
○ As the name suggests, things that can be tested while the app is running: network calls, crypto, storage etc.
7. What?
What are the ingredients of a mobile application?
● Do you know the structure of the application package?
○ IPA | APK ~ Zip
● Manifest | Plist
● Resources that the app would need
● Source code
● XML? Config? Res? Certs etc.
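As an added example (not code from the talk or from Mobexler), the script below treats an IPA or APK as the zip archive it is, groups its entries into the ingredients listed on this slide, and for an IPA reads the App Transport Security keys from the XML Info.plist. The two sample packages, the bundle id, file names and the api_keys.json entry are constructed for the demo, and the group names and the SENSITIVE_SUFFIXES list are my own choices.

```python
"""Inspect a mobile app package (IPA or APK) as the zip archive it really is.

Constructed demo: classifies every archive entry into the ingredient groups
from the slide (manifest, code, cert_or_config, resource) and, for an IPA,
reads the App Transport Security (ATS) keys from the XML Info.plist.
A real APK's AndroidManifest.xml is binary-encoded (AXML) and needs a decoder
such as apktool or androguard, so only the zip-level grouping applies to it here.
"""
import io
import plistlib
import zipfile
from collections import defaultdict

# File types that commonly carry keys, certificates or configuration worth a closer look
# (deliberately generous: every .xml/.plist/.json lands here for manual review).
SENSITIVE_SUFFIXES = (".pem", ".p12", ".pfx", ".key", ".keystore", ".jks", ".cer", ".crt",
                      ".mobileprovision", ".env", ".json", ".xml", ".plist")


def classify_entry(name):
    """Map one archive path to an ingredient group from the slide."""
    lower = name.lower()
    base = lower.rsplit("/", 1)[-1]
    if base in ("androidmanifest.xml", "info.plist"):
        return "manifest"
    if "meta-inf/" in lower or "_codesignature/" in lower or base.endswith(SENSITIVE_SUFFIXES):
        return "cert_or_config"
    # .dex/.so/.dylib, anything under Frameworks/, or an extension-less file inside
    # the .app bundle (the Mach-O executable) counts as code.
    if (base.endswith((".dex", ".so", ".dylib")) or "/frameworks/" in lower
            or ("." not in base and ".app/" in lower)):
        return "code"
    return "resource"


def inventory(package_bytes):
    """Return {group: [paths]} for every file in an IPA/APK given as bytes."""
    groups = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                groups[classify_entry(info.filename)].append(info.filename)
    return dict(groups)


def ats_findings(package_bytes):
    """For an IPA, parse Payload/<App>.app/Info.plist and report ATS relaxations.
    Returns a list of findings; an APK (no such plist) yields an empty list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("Payload/") and name.endswith(".app/Info.plist")):
                continue
            ats = plistlib.loads(zf.read(name)).get("NSAppTransportSecurity", {})
            if ats.get("NSAllowsArbitraryLoads"):
                findings.append(f"{name}: NSAllowsArbitraryLoads is true (ATS disabled app-wide)")
            for domain, rules in ats.get("NSExceptionDomains", {}).items():
                if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
                    findings.append(f"{name}: plain HTTP allowed for {domain}")
    return findings


def build_sample_ipa():
    """Constructed IPA (not a real app) with a relaxed ATS configuration."""
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleExecutable": "Demo",
            "NSAppTransportSecurity": {
                "NSAllowsArbitraryLoads": True,
                "NSExceptionDomains": {"legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}}}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe")  # Mach-O magic stands in for the binary
        zf.writestr("Payload/Demo.app/Frameworks/Net.framework/Net", b"\xcf\xfa\xed\xfe")
        zf.writestr("Payload/Demo.app/embedded.mobileprovision", b"<constructed provisioning profile>")
        zf.writestr("Payload/Demo.app/api_keys.json", b'{"api_key": "CONSTRUCTED-PLACEHOLDER"}')
        zf.writestr("Payload/Demo.app/Assets/logo.png", b"\x89PNG")
    return buf.getvalue()


def build_sample_apk():
    """Constructed APK (not a real app); the manifest is a placeholder, not real AXML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed binary manifest placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        zf.writestr("META-INF/CERT.RSA", b"<constructed signing cert>")
        zf.writestr("res/values/strings.xml", b"<resources/>")
        zf.writestr("res/drawable/icon.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("IPA", build_sample_ipa()), ("APK", build_sample_apk())):
        print(label, inventory(pkg))
        print(label, "ATS findings:", ats_findings(pkg))
```

Run it against a real package by passing `open("app.ipa", "rb").read()` to `inventory()` and `ats_findings()`. The cert_or_config group is intentionally wide (every .xml, .plist and .json lands there) because those files, together with provisioning profiles and bundled certificates, are where static review most often turns up hard-coded secrets and endpoints.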
8. What?
What happens when you install and use a mobile app?
● Permission on device?
○ To access data, use hardware, access other apps etc.
● Provide personal/account data.
○ Username/Email/Password etc.
● Network calls?
○ TLS? MITM?
● On-device security? Data at rest.
○ Crypto? Storage details
● API Security?
○ IDOR?
○ Authorisation/Authentication?
9. What?
Anything else on the device which:
● Handles user and application data
● Handles network connection
● Uses device permissions
● Implements a security control
10. Why?
Ok, so we know what all the things are that need to be tested/analysed. But why do we need to test each of these things?
● Static Analysis:
○ Sensitive information inside the app package may expand the attack surface.
○ A bad crypto implementation might be bypassed.
● Dynamic Analysis:
○ User and application internal data should be safeguarded.
○ Not implementing a security control is a security issue; bypassing one might not always be.
○ The request and response is where all the action happens; this should be secure.
○ APIs are the biggest source of vulnerabilities in mobile applications.
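Slide 8 asks about API security, IDOR and authorisation, and slide 10 says APIs are the biggest source of vulnerabilities in mobile applications. The block below is an added example, not code from the talk or from Mobexler: a constructed order-lookup endpoint in its vulnerable and hardened forms, the cross-account regression test that tells them apart, and a small access-log check for the id sweeps such testing leaves behind. The ORDERS store, user names, URL paths and log lines are all constructed, and the handlers stand in for framework routes.

```python
"""Authorization (IDOR) check for an API endpoint: vulnerable and hardened
handlers side by side, the cross-account test an assessor runs, and the
log-side detection for id enumeration.

Constructed demo; the data store, users, paths and log lines are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Request:
    user_id: str   # identity established server-side from the session/bearer token
    path_id: str   # identifier taken from the URL, e.g. /api/orders/<path_id>


# Constructed data store: order id -> (owner, record)
ORDERS = {
    "1001": ("alice", {"item": "laptop", "card_last4": "4242"}),
    "1002": ("bob", {"item": "phone", "card_last4": "1111"}),
}


def get_order_vulnerable(req):
    """Looks the record up by the client-supplied id alone, so any authenticated
    user can read any order: the IDOR pattern."""
    record = ORDERS.get(req.path_id)
    if record is None:
        return 404, None
    return 200, record[1]


def get_order_hardened(req):
    """Scopes the lookup to the authenticated principal. Answering 404 for another
    user's record (rather than 403) also avoids confirming that the id exists."""
    record = ORDERS.get(req.path_id)
    if record is None or record[0] != req.user_id:
        return 404, None
    return 200, record[1]


def cross_account_check(handler):
    """Regression test: as alice, fetch alice's own order and then bob's.
    Returns True only when the handler serves the first and refuses the second."""
    own_status, _ = handler(Request(user_id="alice", path_id="1001"))
    status, body = handler(Request(user_id="alice", path_id="1002"))
    return own_status == 200 and status != 200 and body is None


# Constructed access-log sample (not real traffic): timestamp user method path status
LOG_LINES = [
    "2024-01-01T10:00:00Z alice GET /api/orders/1001 200",
    "2024-01-01T10:00:01Z alice GET /api/orders/1002 404",
    "2024-01-01T10:00:02Z alice GET /api/orders/1003 404",
    "2024-01-01T10:00:03Z alice GET /api/orders/1004 404",
    "2024-01-01T10:00:04Z bob GET /api/orders/1002 200",
]


def flag_id_sweeps(lines, threshold=3):
    """Detection side: users who touch more than `threshold` distinct order ids.
    Behind the hardened handler a sweep shows up as a run of 404s from one user."""
    seen = {}
    for line in lines:
        _, user, _, path, _ = line.split()
        if path.startswith("/api/orders/"):
            seen.setdefault(user, set()).add(path.rsplit("/", 1)[-1])
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("vulnerable handler passes cross-account check:", cross_account_check(get_order_vulnerable))
    print("hardened handler passes cross-account check:", cross_account_check(get_order_hardened))
    print("users sweeping order ids:", flag_id_sweeps(LOG_LINES))
```

The design point is that the authorization decision lives in the data access itself (`record[0] != req.user_id`), not in a check bolted on at the route, so every code path that reaches the record inherits it; the cross-account test is the one to keep in CI so the property cannot silently regress.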
11. How?
If you know what to test and why to test it, then finding or knowing how to test it might be the easiest part.
IMHO, the majority of people focus only on this section…
● What tools to use?
● How to use the tools?
● Click to hack/secure applications
So, let's talk about how to do each of these…
12. Tools, Techniques & Resources?
What to test?
● Mobile Application Security Testing Checklist
How to test?
● Setting up a lab?
○ Hardware requirements:
■ Android:
● Android Studio/ADB
● Any virtual device: Genymotion, AVD & tools
■ iOS:
● Preferably a Mac, or a laptop with a good (high) configuration
● An iDevice (iPhone, iPad etc.) [Thanks to Checkra1n]
13. Mobexler
Mobexler: A customised virtual machine, designed to help in penetration testing of Android & iOS applications.
When to use it:
● You do not have a Mac
● You don't want to install a large number of security tools on your Mac
● You want to test Android & iOS apps at the same time, from the same setup
Let's get to Mobexler then.
17. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
THANKS!
Do you have more questions?
a@enciphers.com
Join Slack: Invite Link