The widespread use of mobile applications comes with a full range of new attacks formerly not relevant in the classic web application world. Fortunately, pentesters can help make sure corporate apps provide sufficient data protection.
As the OWASP Mobile Security Testing Guide points out, protecting applications on both Android and iOS devices requires many different tests and processes, including:
- Mobile platform internals
- Security testing in the mobile app development lifecycle
- Basic static and dynamic security testing
- Mobile app reverse engineering and tampering
- Assessing software protections and creating detailed test cases that map to the requirements in the Mobile Application Security Verification Standard (MASVS)
Pentesting mobile applications should be a critical part of your overall security strategy. To help you facilitate this process, here are six mobile security testing tools for intrusion testing on both Android and iOS:
- QARK (Quick Android Review Kit) is a framework for auditing and exploiting Android applications.
QARK was designed to be flexible tool; it can be used either by developers, as part of the SDLC, or by security personnel. It has the ability to perform static code analysis on source code or existing APKs.
QARK can be run in interactive or scriptable mode, and creates reports highlighting discovered vulnerabilities and possible security issues. Additionally, when possible, it will create either ADB commands to verify a vulnerability, or optionally, build an APK customized to attempt vulnerability verification for discovered issues.
- OWASP Zed Attack Proxy Project (ZAP) is a free security tool that can help pentesters to automate the process of finding security vulnerabilities in both web applications and mobile apps.
Using ZAP, it is possible to craft and send malicious messages to assess mobile app security. It works by attacking server-side resources through malicious messages. It is also possible to check for vulnerabilities by reverse engineering the communication protocols.
- IBM Application Security on Cloud is a tool designed to secure both web and mobile applications by detecting the most pervasive published security vulnerabilities.
IBM Application Security on Cloud can import both APK and IPA files, scan for vulnerabilities and create a report on vulnerabilities. The report details how vulnerabilities could be exploited by an attacker, while also providing information about how to correct the issue.
The focus here is on eliminating vulnerabilities from applications before they are placed into production and deployed, so there is no integrated exploitation module. But pentesters can still make good use of IBM Application Security on Cloud for analyzing both iOS and Android apps, identifying vulnerabilities and exploiting apps either manually or with the help of other solutions.
- Drozer is a security testing framework for Android. It allows a pentester to search for security flaws in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.
Drozer is an interactive tool, meaning a pentester will be required to install Drozer at his workstation and establish a session with the targeted Android device (either physical or emulated). This way, it is possible to select commands on the console (at the workstation) and have a Drozer agent execute them on the Android device.
With this tool, a pentester can:
- Retrieve package information
- Identify the attack surface
- Launch activities
- Gather information from content providers
- Test for SQL injection and other vulnerabilities on Android apps
Drozer has the advantage of being open source software. The public version can be downloaded here.
Mobile Device Penetration Testing
- Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers.
Frida can hook into the running processes of the application and modify code on the fly, without requiring any re-launching or repackaging. This allows dynamic modification of app behavior and exploiting vulnerabilities that could allow, for example, bypassing a login or root detection.
- Android Debug Bridge (ADB) is not a penetration testing tool per se. It is a versatile command-line tool for communicating with an Android device.
The ADB command allows for a variety of advanced device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device. ADB can also run as a client-server tool, and connect to various Android devices and emulator instances.
In the right hands, ADB is really useful for pentesters, as it can also be used to forward ports, run shell commands, pull files from devices or push files. It allows pentesters to explore the Android device file system, making it possible to identify and test vulnerabilities that can expose a mobile app to malicious attacks.