If you’re unfamiliar with mobile penetration testing, it is a form of security testing used to analyze security inside a mobile environment. By conducting pentests, companies can gain knowledge of vulnerabilities in the source code, bottlenecks, loopholes and attack vectors before releasing an app or making use of another mobile-related technology. As a result, you can change the design, the code and the architecture beforehand. The opportunity cost of fixing problems at this stage is less than addressing issues later when a breach or a flaw gets discovered. The cost at post-rollout stage includes not only financial issues but also PR, legal and more. A typical mobile pentest involves the following five key steps:
Step 1: Pentesting Preparation
The preparation phase includes identifying the enterprise’s testing goals, confidential information, and application security controls. Different enterprises have different security requirements and resources available for pentesting. Controls in OWASP MASVS Level 1 (Mobile App Security Verification Standard) apply to all applications. However, MASVS Level 2 requirements may be applicable in some cases. For instance, a banking app may require two-factor authentication, which is an L2 requirement. Also, it’s essential to have a data classification policy in place that labels sensitive data. Data is usually accessible when it’s at rest (data is idle in a storage device or a file), in use (data has been loaded into an app’s address space) or in transit (data is transferred between communication processes). If your organization hasn’t set up a data classification policy, it can regard any technical data used to protect the operating system itself or other applications as sensitive.
Step 2: Building the Pentesting Environment
Web apps are compatible with most browsers and platforms, but that level of compatibility isn’t available in mobile apps. Therefore, pentesters have to configure an OS-driven testing environment. If the pentest is planned for Android, the device has to be rooted. If it’s for iOS, the pentester has to jailbreak the device. Jailbreaking an iOS device allows testers to boot it and have administrator/root access to the OS. Also, information gathering will require the pentester to install some extra tools, which need to be deployed in the testing environment. For binary analysis on Android, pentesters are recommended to use the Android Apktool. Network analysis can be conducted using OWASP ZAP, Wireshark or Burp Proxy. Tools like AppCrack come in handy when an encrypted app has to be pentested. For iOS, Cydia makes it possible to download the required tools for pentesting in a jailbroken state. App debugging is also an option if you want to gain a thorough understanding of an app’s mechanism.
Step 3: Application Mapping
The third step requires organizations to understand the mobile application’s logic, the data it stores, its entry points and the potential architectural vulnerabilities. If pentesting is conducted in a white-box scenario (where the tester has complete knowledge of the app), the internal of the app (its source code, functional features, etc.) may greatly aid the process. For instance, leveraging SAST (static application security testing) tools can help in identification of vulnerabilities like SQL injections. However, it’s important to note that automated tools will only identify what they have been programmed to identify. Therefore, manual analysis might be needed to augment findings from intrusion detection tools. Another critical element of the process is threat modeling. It’s a structured approach that helps you address and quantify the threats associated with an app. It is usually performed in the initial stages of pentests and the documentation it produces often supports the identification of most of the details a pentester requires — severity, vulnerability, entry point, etc. It is a best practice to discuss documentation with the client if the pentest is performed on someone’s behalf. OWASP’s threat modeling guidelines apply to mobile apps.
Step 4: Staging Mobile Attacks
Sometimes, budget or time constraints limit mobile security tests to vulnerability analysis via automated scanners. Although the identified vulnerabilities may be noteworthy, pentesters need to stage attacks to confirm their relevance. Firstly, client attacks need to be conducted. The primary goal of this phase is to perform file and binary analysis. Insecure files without adequate access controls can be discovered by analyzing the code and debugging. To identify vulnerabilities like SQL injections, pentesters can use techniques like applying malicious commands and application fuzzing. Some of these methods are similar to the ones used in the OWASP testing guide. Once a client-server tier architecture is determined for the app, network attacks can be staged using sniffers to investigate network traffic and layer protection. Techniques like parameter tampering can be used to uncover roles and related access controls. File analysis can reveal API keys that have been secured in an inaccessible folder. ZAP and other attack proxies can assist with the identification of malicious traffic. Lastly, it’s vital for pentesters to test the infrastructure, especially the server where the mobile app is hosted. This can be done with tools like Nmap. However, testing on hybrid applications should include attacks that can break through authentication mechanisms between the server and the client. The approach can be handy for uncovering vulnerabilities like the Apple ID iCloud hack, where accounts could be hijacked by providing the date of birth and email of the owner.
Step 5: Reporting Vulnerabilities
This part of the mobile app pentesting process is essential to the client. Testers report the vulnerabilities they identified and list the kind of attacks they’ve been able to stage, including the scope of the compromise. The findings need to be explicitly documented. Also, the report should include sources of information, the context of the vulnerability, prioritized discoveries and recommendations for fixing the discovered loopholes. As there are different mobile operating systems out there and each one has a different architecture, there is no single framework available which applies to all platforms. Hence, the above-mentioned pentesting steps will include various tools and methodologies for different environments and often require manual intervention. Continuous practice and learning can help pentesters become more aware of the security risks associated with mobile apps and systems.