How to get started as a mobile penetration tester
If you’re reading this, you’re probably interested in learning how to get started with penetration-testing mobile devices but aren’t sure how to start. In this article, we’ll talk about some of the background knowledge that a mobile pentester will need, how to get a practice environment set up, and ways to improve your chances of landing a job as a mobile pentester.
Mobile pentesting is like most jobs in that you need to know some basics and have certain skills before you can begin to get deep into the field. When starting out in mobile testing, it’s useful to have a background in general penetration testing, some basic programming skills and a couple of non-technical “soft skills.”
It’s not strictly necessary for an aspiring mobile penetration tester to have a background in IT or general penetration, but it can definitely help. Mobile apps share many characteristics with web applications, so knowledge of or a background in web application testing can be beneficial for a mobile pentester.
A good starting point for building up the necessary skill set is checking out the Open Web Application Security Project (OWASP) Top Ten lists. OWASP publishes a list of the Top Ten Web Application Vulnerabilities and the Mobile Top Ten. Becoming familiar with the vulnerabilities included in these lists is a great way to start getting into mobile pentesting.
Many automated tools exist for mobile and web app penetration testing and knowledge of how to run them and process their output is important for a pentester. However, at some point it will be necessary to look at the source code of some application on the target machine. The ability to read, if not write Java and Objective-C is helpful for a mobile penetration tester evaluating Android and Apple mobile devices.
When most people think of becoming a penetration tester, they focus solely on having the technical skills necessary to break into a mobile device. However, if all you know how to do is crack a device, then you’re probably going to make a lousy penetration tester.
Unlike black-hat hacking where the primary goal is finding a way into the target, the primary goal of penetration testing is helping your client fill the gaps in their security. Hackers only have to find one vulnerability in a system; pentesters need to find as many as possible, so a lot of time is spent performing the same old basic tests before moving on to the “cool stuff.”
Communication and documentation are key skills for penetration testers. In a pentesting engagement, each step of the process needs to be clearly documented for the benefit of both the pentester and the client. If something breaks or malicious activity is detected in the environment, the pentester needs to be able to prove that they did not do anything outside the agreed-upon rules of engagement. If the pentester discovers a security flaw in the client’s environment, the pentester needs to be able to clearly communicate the issue to the client and provide documentation that allows the client to replicate the finding both for verification purposes and to test potential solutions. A pentester with poor documentation and communication skills will be of limited use to the client organization.
Practice makes perfect
Just like anything else, it takes practice to become an expert at mobile pentesting. In order to get started, an aspiring mobile pentester needs to make some decisions about the testing environment (whether to use emulators or real devices as targets) and set up a pentesting machine with the right tools for the job.
Emulators or real devices?
Just as virtual machines make it easy to set up a network with a variety of computers for testing, Android and Apple emulators make it possible to practice penetration testing and tool development for a variety of target devices. Also like virtual machines, smartphone emulators come with their tradeoffs between efficiency and realism.
The biggest arguments for using emulators in a mobile pentesting lab are ease of use and cost. Rather than purchasing and configuring a variety of devices for testing, an emulator can be easily downloaded to a host computer and used to simulate any of a variety of devices. Emulators also provide a greater degree of control over a test environment and enable the use of snapshots and gold images to save the state of the device and easily spin up clean instances of the target platform. Emulators also provide a high degree of versatility, which can be useful for testing if a pentesting tool or technique will work against a wide variety of potential targets.
Physical devices are superior to emulated ones in terms of the realism of the simulation. Just like virtual machines provide imperfect simulations of computers, emulators imperfectly replicate the functionality of physical devices. The wide variety of hardware and operating system versions in use means that it is impossible to guarantee that the emulator will behave in the same way as a physical copy of the simulated hardware and software. This is especially true when the device’s camera or fingerprint scanning technology is involved in the test.
When starting out as a mobile pentester, emulators are a great way to practice and get experience with a variety of target systems. Over time, it will probably be necessary to purchase one or more physical devices in order to gain experience with how emulated and physical devices behave differently. When preparing for a penetration testing engagement, emulators can be used to test and refine potential tools and techniques before attacking the actual devices under test.
Mobile Pentesting Tools
For pentesters in general and mobile pentesters in particular, many tools have been developed to aid in the hacking process. At a minimum, an emulator is necessary in order to gain familiarity with a variety of target platforms, but other tools have also been developed to automate common steps. In general, a Linux or Mac computer is a better choice than a Windows one for mobile pentesting, as Unix-based systems have better support for the available tools.
An Android and/or Apple emulator is a must-have for the aspiring mobile device penetration tester. The wide variety of systems on the market and currently in use makes it impossible to purchase a sample of every device that a pentester may come into contact with during an engagement. For Android, CuckooDroid extends the functionality of Cuckoo Sandbox to analyzing Android applications. Bluestacks simulates the functionality of a rooted Android device. For Apple, the iOS development environment Xcode includes a built-in Apple simulator for testing pentesting tools and techniques.
A variety of software has been developed to automate common parts of the mobile pentesting process. The following is an incomplete list of some of the tools available to the mobile-device pentester.
Android Debug Bridge (ADB) is a command-line utility for interfacing with connected Android devices. It includes both Android-specific actions and access to a Unix command shell on the connected device.
Burp Suite is a collection of tools for web-application penetration testing. It includes a proxy allowing pentesters to intercept and modify web traffic between a device and the web server.
Cycript is an application designed to support modifications of running applications on iOS. Functionality includes process injection, foreign function calls and tab completion.
Drozer is an automated Android vulnerability scanner. It has several public Android exploits built in to test the vulnerability of the target device.
Frida is dynamic instrumentation framework for on-the-fly code modification for both Android and Apple devices. It enables process injection and function hooking for running applications.
The iOS Reverse Engineering Toolkit (iRET) by Veracode is an all-in-one analysis toolkit for Apple devices. It contains several different iOS pentesting tools and automatically runs included tools and collects the results for the user.
The Mobile Security Framework (MobSF) is a mobile pentesting framework that supports Android, Apple and iOS devices. It includes functionality for static analysis, dynamic analysis, malware analysis, and web API testing.
The Zed Attack Proxy (ZAP) is a web proxy developed by OWASP for web application vulnerability scanning. Its functionality includes both passive and active scanning, web proxying and fuzzing.
Quick Android Review Kit (QARK) is an automated Android application-vulnerability scanner for both source code and compiled apps. It has the capability to automatically generate applications or ADB commands to exploit identified vulnerabilities.
Santoku is a Linux-based virtual machine designed for mobile forensics, malware analysis and penetration testing. It automates data collection, application vulnerability scanning and other tasks related to mobile penetration testing.
Landing the job
After setting up a toolkit and getting some experience in mobile pentesting, the final step in the process is prepping a resume for a mobile pentesting position. In this section, we’ll talk about how to demonstrate pentesting skills, how to gain experience and considerations regarding what type of position to pursue.
Training and certifications
If you don’t have a degree or experience in the field, training and certifications may be a good way to get up to speed and demonstrate knowledge to potential employers. InfoSec Institute offers a course on Mobile Device Penetration Testing focusing on the top ten security threats of mobile devices. The GIAC Mobile Device Security Analyst (GMOB) certification is another good way to demonstrate knowledge and experience in mobile device penetration testing to potential employers.
One of the most important things that recruiters look for when hiring for a mobile pentester role is proof of experience. While previous work experience as a mobile pentester or intern is the most obvious way to show competence, there are several other ways to demonstrate that you have the knowledge necessary to do the job.
Capture the Flag (CTF) competitions are contests in which players race to solve challenges relating to pentesting, reverse engineering and other hacking-based puzzles. Participation in a CTF shows dedication to the field and creating writeups for mobile-based pentesting challenges demonstrates competency. On Github, xtiankisutsa hosts a list of mobile-related CTF challenges.
In addition to work experience and CTFs, project work related to mobile-device penetration testing is a good way to showcase skills. This could include authoring a CTF problem writeup, performing a penetration test against some application and generating a report, or creating software that automates some aspect of the mobile penetration testing process.
Any previous work experience, CTF-related experience and pentesting projects should be included in your resume when applying for a position as a mobile pentester. It is also useful to post any CTF or project write-ups and code on Github or a similar site. Include a link to the content in a resume and on LinkedIn to allow potential recruiters to see evidence of knowledge and previous experience in the field.
Employee or freelance?
The final consideration before applying for a role as a mobile pentester is what type of role you want to apply for. The two main options are working as an employee at a company or going it alone as a freelancer. Both options are totally possible and the first step for each is building a strong online presence (LinkedIn, Github and so on) and a strong resume (using the tips described above).
Becoming a freelance mobile penetration tester is a bit different from applying for a traditional position. A good way to start is to use sites like Upwork, Freelancer, Guru and others, which provide matchmaking services between clients and freelancers. As your brand and network improve, you may find opportunities via social media, advertising, connections and/or a website if you choose to create one.
Mobile penetration testing requires both knowledge of web application vulnerabilities and mobile-specific vulnerabilities, tools and techniques. A variety of training courses and certifications are available to start the aspiring mobile penetration tester off, but in the end, practice is essential to mastery. By starting with web-application penetration testing and branching out to mobile specific vulnerabilities, a student can build up the background knowledge necessary to land a position as a mobile penetration tester.
When applying for roles, demonstrations of experience are key, whether it’s completion of a certification, participation in a CTF competition, a related internship or even just projects posted on Github. The need for mobile penetration testers is huge and growing, and anyone who wants to get in on it should just start playing with the tools and learning how mobile devices tick.