Introduction to the mobile application penetration testing methodology [Updated 2019]
The Mobile Application Penetration Testing Methodology (MAPTM), as described by author Vijay Kumar Velu in his ebook, is the procedure that should be followed while conducting mobile application penetration testing. It is based on application security methodology and shifts the focus of traditional application security, which considers the primary threat as originating from the Internet.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
The mobile application penetration testing methodology focuses on client-side security, file system, hardware, and network security. It is has been long considered that the end user is in control of the device.
In this article, we shall provide an overview of this methodology and discuss its four main stages.
Stages of the mobile application penetration testing methodology
The MAPTM is divided into four stages:
Discovery requires the pentester to collect information that is essential in understanding events that lead to the successful exploitation of mobile applications.
Assessment or analysis involves the penetration tester going through the mobile application source code and identifying potential entry points and weaknesses that can be exploited.
Exploitation involves the penetration tester leveraging the discovered vulnerabilities to take advantage of the mobile application in a manner not intended by the programmer initially did not intend.
Reporting is the final stage of the methodology and it involves recording and presenting the discovered issues in a manner that makes sense to management. This is also the stage that differentiates a penetration test from an attack. A more detailed discussion of the four stages follows.
1) Discovery
Intelligence gathering is the most important stage in a penetration test. The ability to discover hidden cues that might shed light on the existence of a vulnerability might be the difference between a successful and unsuccessful pentest.
The discovery process involves:
Open Source Intelligence (OSINT)—The pentester searches the Internet for information about the application. This might be found on search engines and social networking sites, leaked source code through source code repositories, developer forums, or even on the dark web.
Understanding the Platform—It is important for the penetration tester to understand the mobile application platform, even from an external point of view, to aid in developing a threat model for the application. The pentester takes into account the company behind the app, their business case, and related stakeholders. The internal structures and processes are also taken to account.
Client-Side vs Server-Side Scenarios—The penetration tester needs to be able to understand the type of application (native, hybrid, or web) and to work on the test cases. The application’s network interfaces, user data, communication with other resources, session management, jailbreaking/rooting behavior are all taken into account here. Security considerations are also made; for example, does the app interact with firewalls? Databases or any servers? How secure is this?
Collected information may include:
- The user session remains active until a manual log off is performed.
- No financial transactions are performed.
- The application is built not to run on jailbroken devices.
- The actions that are performed on the server include database additions, deletions, and pulls.
2) Assessment/Analysis
The process of assessing mobile applications is unique because it requires the penetration tester to check the applications before and after installation. The different assessment techniques that are encountered within the MAPTM include:
Local File Analysis—The pentester checks the local files written on the file system by the application to ensure that there are no violations.
Archive Analysis—The penetration tester extracts the application installation packages for the Android and iOS platforms. A review is then done to ensure that there are no modifications done to the configurations of the compiled binary.
Reverse Engineering—This involves converting the compiled applications into human-readable source code. The penetration tester reviews the readable code in order to understand the internal application functionality and search for vulnerabilities. Android application source code may be modified once reversed and recompiled. The following tools can be used while conducting reverse engineering:
- Android—dex2jar, JD-GUI
- iOS—otool, class-dump-z
Static Analysis—During static analysis, the penetration tester does not execute the application. The analysis is done on the provided files or decompiled source code.
Dynamic Analysis—The pentester reviews the mobile application as it runs on the device. Reviews done include forensic analysis of the file system, assessment of the network traffic between the application and server and an assessment of the application’s inter-process communication (IPC).
There are a couple of tools that are available to the pentester for automated and manual source code analysis. These include:
- Android: Androwarn, Andrubis, and ApkAnalyser
- iOS: Flawfinder and Clang Static Analyzer
Inter-Process Communication Endpoint Analysis: The pentester reviews the different mobile application IPC endpoints. Assessment is performed on:
- Content Providers—These ensure that access to databases is achieved.
- Intents—These are signals used to send messages between components of the android system.
- Broadcast Receivers—These receive and act on intents received from other applications on the android system.
- Activities—These make up the screens or pages within the application.
- Services—These run from the background and perform tasks regardless of whether the main application is running.
Information obtained from the assessment may be used to create a threat model. For example, we can consider the following:
- Discovered Vector—The app communicates with a database on a remote server.
- Possible Threat—Unauthorised reading of data traffic while communicating with the server.
- Relating Countermeasure—Implementing a secure transport layer protection (SSL, TLS).
- Possible Test Case—Attempt to sniff traffic between the app and server backend.
3) Exploitation
The pentester acts upon the information discovered from the information-gathering process to attack the mobile application. Thoroughly performed intelligence gathering guarantees a high chance of successful exploitation hence a successful project.
The pentester attempts to exploit the vulnerability in order to gain sensitive information or perform malicious activities, then finally performs privilege escalation to elevate to the most privileged user (root) so as to not face any restrictions on any activities being performed.
The pentester then persists within the compromised device. This simply means that he/she executes modules that allow for backdooring the device with the motive of showing the ability to perform future access.
4) Reporting
A good report communicates to management in simple language, clearly indicating the discovered vulnerabilities, consequences to the business and possible remediation or recommendations.
The vulnerabilities must be risk rated and proper technical communication done for the technical personnel, with a proof of concept included to support the findings uncovered.
Conclusion
The mobile application penetration testing methodology considers mobile characteristics and is vendor-neutral. It helps improve transparency and repeatability for mobile penetration testing. It is a holistic approach with sufficient flexibility and improves the security of mobile applications. The methodology uses thorough intelligence gathering, analysis and exploitation, and ensures clear presentation/reporting of the findings in a manner that clearly communicates to both management and the technical team.
Interested in learning more? Check out these articles:
- 10 Best Practices For Mobile App Penetration Testing
- Top 6 Mobile Application Penetration Testing Tools
FREE role-guided training plans
Source
Mobile Application Penetration Testing, Vijay Kumar Velu (Pakt Publishing, 2016)
In this Series
- Introduction to the mobile application penetration testing methodology [Updated 2019]
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness