Mobile Application Penetration Testing
Table of Contents
Mobile Application Penetration Testing
Credits
About the Author
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. The Mobile Application Security Landscape
The smartphone market share
The Android operating system
The iPhone operating system (iOS)
Different types of mobile applications
Native apps
Mobile web apps
Hybrid apps
Public Android and iOS vulnerabilities
Android vulnerabilities
iOS vulnerabilities
The key challenges in mobile application security
The impact of mobile application security
The need for mobile application penetration testing
Current market reaction
The mobile application penetration testing methodology
Discovery
Analysis/assessment
Exploitation
Reporting
The OWASP mobile security project
OWASP mobile top 10 risks
Vulnerable applications to practice
Summary
2. Snooping Around the Architecture
The importance of architecture
The Android architecture
The Linux kernel
Confusion between Linux and the Linux kernel
Android runtime
The Java virtual machine
The Dalvik virtual machine
Zygote
Core Java libraries
ART
Native libraries
The application framework
The applications layer
Native Android or system apps
User-installed or custom apps
The Android software development kit
Android application packages (APK)
AndroidManifest.xml
The structure of the Android manifest file
Android application components
Intent
Activity
Services
Unbound or start services
Bound service
Broadcast receivers
Content providers
Android Debug Bridge
Application sandboxing
Application signing
Secure inter-process communication
The Binder process
The Android permission model
The Android application build process
Android rooting
iOS architecture
Cocoa Touch
Media
Core services
Core OS
iOS SDK and Xcode
iOS application programming languages
Objective-C
The Objective-C runtime
Swift
Understanding application states
Apple's iOS security model
Device-level security
System-level security
An introduction to the secure boot chain
System software authorization
Secure Enclave
Touch ID
Data-level security
Data-protection classes
Keychain data protection
Changes in iOS 8 and 9
Network-level security
Application-level security
Application code signing
The iOS app sandbox
iOS isolation
Process isolation
Filesystem isolation
ASLR
Stack protection (non-executable stack and heap)
Hardware-level security
iOS permissions
The iOS application structure
Jailbreaking
Why jailbreak a device?
Types of jailbreaks
Untethered jailbreaks
Tethered jailbreaks
Semi-tethered jailbreaks
Jailbreaking tools at a glance
The Mach-O binary file format
Inspecting a Mach-O binary
Property lists
Exploring the iOS filesystem
Summary
3. Building a Test Environment
Mobile app penetration testing environment setup
Android Studio and SDK
The Android SDK
The Android Debug Bridge
Connecting to the device
Getting access to the device
Installing an application to the device
Extracting files from the device
Storing files to the device
Stopping the service
Viewing the log information
Sideloading apps
Monkeyrunner
Genymotion
Creating an Android virtual emulator
Installing an application to the Genymotion emulator
Installing the vulnerable app to Genymotion
Installing the Genymotion plugin to Android Studio
ARM apps and Play Store in Genymotion
Configuring the emulator for HTTP proxy
Setting up the proxy in Wi-Fi settings
Setting up the proxy on mobile carrier settings
Google Nexus 5 – configuring the physical device
The iOS SDK (Xcode)
Setting up iPhone/iPad with necessary tools
Cydia
BigBoss tools
Darwin CC tools
IPA Installer
Tcpdump
iOS SSL kill-switch
Cycript, Clutch, and class-dump
SSH clients – PuTTY and WinSCP
iFunbox at a glance
Accessing SSH without Wi-Fi
Accessing SSH with Wi-Fi
Installing DVIA to the device
Configuring the HTTP proxy in Apple devices
Emulators, simulators, and real devices
Simulators
Emulators
Pros
Cons
Real devices
Pros
Cons
Summary
4. Loading up – Mobile Pentesting Tools
Android security tools
APKAnalyser
The drozer tool
Installing drozer on Genymotion
APKTool
How to make apps debuggable?
The dex2jar API
JD-GUI
Androguard
Isn't Androguard only a malware analysis tool?
Androguard's androlyze shell environment
Automating the analysis of multiple files
Introducing Java Debugger
Debugging
Attaching
Installing Burp CA certificate to the device
The list of other tools
iOS security tools
otool
SSL Kill Switch
The keychain dumper
LLDB
Clutch
Class-dump-z
Instrumenting with Cycript
Instrumentation using Frida
Hopper
Snoop-it
Installing Burp CA certificate to an iOS device
Summary
5. Building Attack Paths – Threat Modeling an Application
Assets
Threats
Threat agents
Vulnerabilities
Risk
Approach to threat models
Threat modeling a mobile application
Mobile application architecture
Mobile applications and device data
Identifying threat agents
Modes of attacks
Security controls
How to create a threat model?
The attacker view
The device or system view
Discovering potential threats
Threat modeling methodologies
STRIDE
PASTA
Trike
Using STRIDE to classify threats
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A typical mobile application threat model
Building attack plans and attack trees
Attack scenarios
A sample attack tree for a stolen or missing device
A list of free tools
A commercial tool
Threat model outcomes
Risk assessment models
Business risk
Technical risk
Summary
6. Full Steam Ahead – Attacking Android Applications
Setting up the target app
Backend server setup
Analyzing the app using drozer
Android components
Attacking activities
Attacking services
Attacking broadcast receivers
Attacking content providers
Attacking WebViews
SQL injection
Man-in-the-Middle (MitM) attacks
SSL pinning
Hardcoded credentials
Encryption and decryption on the client side
Runtime manipulation using JDWP
Storage/archive analysis
Log analysis
Assessing implementation vulnerabilities
Binary patching
Summary
7. Full Steam Ahead – Attacking iOS Applications
Setting up the target
Storage/archive analysis
Plist files
Client-side data stores
The keychain data
HTTP response caching
Reverse engineering
Extracting the class information
Strings
Memory management
Stack smashing protection
Static code analysis
OpenURL schemes
App patching using Hopper
Hardcoded username and password
Runtime manipulation using Cycript
The bypass login method
Sensitive information in the memory
Dumpdecrypted
Client-side injections
SQL injection
UIWebView injections
Man-in-the-Middle attacks
Beating the SSL cert pinning
Implementation vulnerabilities
Pasteboard information leakage
Keyboard logs
App state preservation
Building a remote tracer using LLDB
Snoop-it for assessment
Summary
8. Securing Your Android and iOS Applications
Secure by design
Security mind map for developers (iOS and Android)
Device level
Platform (OS) level
Screenshots/snapshots
System caching and logs
Cut, copy, and paste
iOS cookie and keychains
BinaryCookies
Keychains
Application level
App storage protection
Property lists/shared preferences
Property lists in iOS
Shared preferences in Android
Database protection
Application permissions
Backup settings
Disable debug
Use the latest API version
Securing Android components
Securing activities
Securing services
Securing content providers
Securing broadcast receivers
Verify exported components
Encryption
iOS
Android
Key management
Securing WebView
iOS
Android
App caches
Binary protection
Jailbreak detection
Filesystem-based detection
API-based detection
Root detection
Command detection method
Decompiling protection
Code obfuscation
Decryption protection
ASLR/ARC
Stack-smashing protection
Runtime protection
URL schemes protection
Client-side injection protection
Anti-debug implementation
Filesystem protection
Anti-tamper implementation
Network level
Certificate pinning
Cipher suites
CFNetwork usage
Secure caching
Server level
Authentication
Authorization
Input/output validations
Injection flaws
Session management
Information leakage
OWASP mobile app security checklist
Mobile app developers checklist
Secure coding best practices
Android
iOS
Vendor-neutral advice
Developer cheat sheet
Developer policies
Post-production protection
Keeping up to date
Summary
Index