Introduction to the mobile application penetration testing methodology [Updated 2019]
The Mobile Application Penetration Testing Methodology (MAPTM), as described by Vijay Kumar Velu in his book Mobile Application Penetration Testing, is the procedure to follow when conducting a mobile application penetration test. It is derived from the general application security methodology but shifts its focus: traditional application security treats the Internet as the primary source of threats, whereas mobile testing has long recognised that the end user, and therefore anyone who obtains the device, is in control of the device.
The mobile application penetration testing methodology therefore focuses on client-side security, the file system, hardware and network security.
In this article, we shall provide an overview of this methodology and discuss its four main stages.
Stages of the mobile application penetration testing methodology
The MAPTM is divided into four stages:
Discovery requires the pentester to collect information that is essential in understanding events that lead to the successful exploitation of mobile applications.
Assessment or analysis involves the penetration tester going through the mobile application source code and identifying potential entry points and weaknesses that can be exploited.
Exploitation involves the penetration tester leveraging the discovered vulnerabilities to make the mobile application behave in a manner its developers did not intend.
Reporting is the final stage of the methodology and it involves recording and presenting the discovered issues in a manner that makes sense to management. This is also the stage that differentiates a penetration test from an attack. A more detailed discussion of the four stages follows.
Discovery
Intelligence gathering is the most important stage in a penetration test. The ability to discover hidden cues that point to a vulnerability can be the difference between a successful and an unsuccessful pentest.
The discovery process involves:
Open Source Intelligence (OSINT)—The pentester searches the Internet for information about the application. This might be found on search engines and social networking sites, leaked source code through source code repositories, developer forums, or even on the dark web.
Understanding the Platform—It is important for the penetration tester to understand the mobile application platform, even from an external point of view, to aid in developing a threat model for the application. The pentester takes into account the company behind the app, its business case and the related stakeholders. The internal structures and processes are also taken into account.
Client-Side vs Server-Side Scenarios—The penetration tester needs to identify the type of application (native, hybrid or web) and to build the test cases around it. The application's network interfaces, user data, communication with other resources, session management and behaviour on jailbroken or rooted devices are all taken into account here. Security questions are raised at this point as well: does the app interact with firewalls, databases or other servers, and how is that interaction secured?
Collected information may include:
- The user session remains active until a manual log off is performed.
- No financial transactions are performed.
- The application is built not to run on jailbroken devices.
- The actions that are performed on the server include database additions, deletions, and pulls.
Assessment or analysis
The process of assessing mobile applications is unique because it requires the penetration tester to check the application both before and after installation. The assessment techniques encountered within the MAPTM include:
Local File Analysis—The pentester checks the files the application writes to the local file system, looking for sensitive data (credentials, session tokens, personal data) stored in plaintext or with permissions that let other applications read it.
Archive Analysis—The penetration tester extracts the application installation packages (APK for Android, IPA for iOS) and reviews their contents to verify that the configuration compiled into the package (manifest, property lists, entitlements and bundled resources) is what is expected.
Reverse Engineering—This involves converting the compiled application back into human-readable code. The penetration tester reviews the recovered code to understand the internal application functionality and to search for vulnerabilities. Android applications can also be modified after decompilation and recompiled, which is useful for bypassing client-side checks such as root detection. The following tools can be used for reverse engineering:
- Android—dex2jar, JD-GUI
- iOS—otool, class-dump-z
Static Analysis—During static analysis, the penetration tester does not execute the application. The analysis is done on the provided files or decompiled source code.
Dynamic Analysis—The pentester reviews the mobile application as it runs on the device. This includes forensic analysis of the file system, assessment of the network traffic between the application and the server, and assessment of the application's inter-process communication (IPC).
A number of tools are available to the pentester for automated and manual source code analysis, including:
- Android: Androwarn, Andrubis, and ApkAnalyser
- iOS: Flawfinder and Clang Static Analyzer
Inter-Process Communication Endpoint Analysis—The pentester reviews the mobile application's IPC endpoints, since each exported endpoint is a surface that other applications on the device can reach. On Android the assessment covers:
- Content Providers—These expose an application's structured data (typically an SQLite database) to other components and applications through a URI-based interface.
- Intents—Messages used to request actions from, and pass data between, components of the Android system.
- Broadcast Receivers—Components that receive and act on intents broadcast by the system or by other applications.
- Activities—The screens or pages that make up the application's user interface.
- Services—Components that run in the background and perform tasks regardless of whether the application's user interface is visible.
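Enumerating the endpoints above by hand from a manifest is error-prone because the platform's export rules differ per component type and per target SDK level. The script below is an added example and is not code from the MAPTM book or from any tool named on this page. It assumes AndroidManifest.xml has already been recovered from the APK (for instance by decoding it with apktool), applies the export rules to every component and reports those that any other app on the device can invoke without holding a permission. The manifest embedded in it is constructed sample data for a hypothetical package, not a real application.

```python
"""Enumerate Android IPC endpoints reachable from other applications (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER_ACTION = "android.intent.action.MAIN"

# Constructed sample manifest for a hypothetical app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="com.example.bank.action.TRANSFER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
        android:permission="com.example.bank.permission.ADMIN"/>
    <provider android:name=".AccountsProvider"
        android:authorities="com.example.bank.accounts" android:exported="true"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem, target_sdk):
    """Apply Android's default export rules to one component element.

    An explicit android:exported wins. Without it, a component that declares an
    <intent-filter> is exported (from targetSdk 31 the attribute is mandatory in
    that case, so the implicit rule only matters for older targets), and a
    <provider> is exported when targetSdk < 17.
    """
    exported = _attr(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def _is_launcher(elem):
    """The launcher activity is exported by design, so it is not reported."""
    return any(_attr(a, "name") == LAUNCHER_ACTION for a in elem.iter("action"))


def find_open_endpoints(manifest_xml):
    """Return (tag, component name, note) for each exported component with no permission guard."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    # A missing targetSdkVersion means 1, i.e. the oldest and most permissive rules apply.
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        if elem.tag == "activity" and _is_launcher(elem):
            continue
        if any(_attr(elem, g) for g in ("permission", "readPermission", "writePermission")):
            continue  # guarded: review that permission's protectionLevel separately
        how = 'android:exported="true"' if _attr(elem, "exported") else "implicitly (intent-filter or legacy default)"
        findings.append((elem.tag, _attr(elem, "name"), f"exported {how} with no permission guard"))
    return findings


if __name__ == "__main__":
    for tag, name, note in find_open_endpoints(SAMPLE_MANIFEST):
        print(f"{tag:<9} {name:<20} {note}")
```

Each reported component becomes a test case for the dynamic analysis phase: an open activity or receiver is driven with `am start` or `am broadcast` from another (test) app, and an open provider is queried through its authority to see what data it hands back. Components that are guarded by a permission are not reported, but the `protectionLevel` of that permission still needs checking, since a `normal` permission is granted to any app that asks for it.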
Information obtained from the assessment may be used to create a threat model. For example, one row of such a model might read:
- Discovered Vector—The app communicates with a database on a remote server.
- Possible Threat—Unauthorised reading of data traffic while the app communicates with the server.
- Related Countermeasure—Implementing transport layer protection (TLS; SSL is obsolete and should no longer be used).
- Possible Test Case—Attempt to sniff or intercept traffic between the app and the server back end.
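The same pattern applies to the local storage vector found during Local File Analysis: discovered vector, the app keeps session and account data in its private directory; possible threat, disclosure to other apps or to whoever holds the device; related countermeasure, platform key storage and restrictive file permissions; possible test case, pull the data directory and inspect it. The script below carries out that test case. It is an added example, not code from the MAPTM book or from any tool named on this page. It assumes the tester has already copied /data/data/<package>/ off a rooted test device (for example with adb pull) into a local folder; the directory it builds for the demo is constructed sample data, deliberately weak.

```python
"""Offline review of a pulled app data directory for local storage findings (added example)."""
import os
import re
import sqlite3
import stat
import tempfile
from pathlib import Path

SENSITIVE_RE = re.compile(r"password|passwd|secret|token|api[_-]?key", re.IGNORECASE)
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_data_dir(root):
    """Create a constructed, deliberately weak data directory (demo input only)."""
    root = Path(root)
    prefs = root / "shared_prefs"
    prefs.mkdir(parents=True, exist_ok=True)
    (prefs / "session.xml").write_text(
        "<map>\n"
        '  <string name="auth_token">demo.session.token.value</string>\n'
        '  <boolean name="remember_me" value="true" />\n'
        "</map>\n"
    )
    os.chmod(prefs / "session.xml", 0o664)  # the old MODE_WORLD_READABLE mistake
    dbs = root / "databases"
    dbs.mkdir(exist_ok=True)
    con = sqlite3.connect(str(dbs / "app.db"))
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'Winter2019!')")
    con.commit()
    con.close()
    os.chmod(dbs / "app.db", 0o600)
    cache = root / "cache"
    cache.mkdir(exist_ok=True)
    (cache / "last_response.json").write_text('{"balance": 1200.55, "account": "****4242"}\n')
    os.chmod(cache / "last_response.json", 0o600)
    return root


def _world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def _scan_sqlite(path):
    """List columns whose names suggest credentials, with a count of stored values."""
    hits = []
    # Open read-only so the review never alters the evidence copy.
    con = sqlite3.connect(f"{Path(path).resolve().as_uri()}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for row in con.execute(f'PRAGMA table_info("{table}")'):
                col = row[1]
                if SENSITIVE_RE.search(col):
                    n = con.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()[0]
                    hits.append(f"{table}.{col} holds {n} value(s)")
    finally:
        con.close()
    return hits


def scan_data_dir(root):
    """Return (relative path, issue) pairs for every file that warrants a finding."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if _world_readable(path):
            findings.append((rel, "world-readable: any app on the device can open it"))
        with open(path, "rb") as fh:
            head = fh.read(len(SQLITE_MAGIC))
        if head == SQLITE_MAGIC:
            for hit in _scan_sqlite(path):
                findings.append((rel, f"credential column in plaintext database: {hit}"))
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary blob; strings/hexdump territory in a real review
        for lineno, line in enumerate(text.splitlines(), 1):
            if SENSITIVE_RE.search(line):
                findings.append((rel, f"line {lineno} stores a secret in plaintext: {line.strip()[:60]}"))
    return findings


def run_demo():
    """Build the sample directory in a temp folder, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_data_dir(tmp)
        return scan_data_dir(tmp)


if __name__ == "__main__":
    for rel, issue in run_demo():
        print(f"{rel}: {issue}")
```

Two different weaknesses surface from the sample: the preferences file is readable by every other app on the device regardless of its contents, and the database is protected by permissions yet still holds a password in clear, which matters the moment the device is rooted, backed up or stolen. Only the first needs no root to exploit, which is why the report should rate them differently.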
Exploitation
The pentester acts upon the information discovered during the information-gathering and assessment stages to attack the mobile application. Thorough intelligence gathering greatly increases the chance of successful exploitation, and hence of a successful project.
The pentester attempts to exploit the vulnerability in order to obtain sensitive information or perform malicious actions, and then attempts privilege escalation to the most privileged user (root) so that no restrictions apply to subsequent activities.
The pentester then persists on the compromised device: he or she executes modules that backdoor the device, with the aim of demonstrating that future access is possible.
Reporting
A good report communicates to management in plain language, clearly indicating the discovered vulnerabilities, their consequences for the business, and possible remediation or recommendations.
The vulnerabilities must be risk rated, and a proper technical write-up provided for the technical personnel, with a proof of concept included to support each finding.
The mobile application penetration testing methodology considers mobile characteristics and is vendor-neutral. It helps improve transparency and repeatability for mobile penetration testing. It is a holistic approach with sufficient flexibility and improves the security of mobile applications. The methodology uses thorough intelligence gathering, analysis and exploitation, and ensures clear presentation/reporting of the findings in a manner that clearly communicates to both management and the technical team.
Interested in learning more? Check out these articles:
- 10 Best Practices For Mobile App Penetration Testing
- Top 6 Mobile Application Penetration Testing Tools
Mobile Application Penetration Testing, Vijay Kumar Velu (Packt Publishing, 2016)