Mobile-App-Pentest

Mobile Security Resources

Author: kyawthiha7
Project added on: May 25, 2025
GitHub stars: 141
Category: Resources
Contributors: 2

Mobile App Pentest

Mobile Application Penetration Testing - iOS and Android

Android

labs

Tools

  • frida : hooking methods, bypassing root detection, bypassing cert pinning, etc.
  • Burp Suite : intercept requests
  • apktool : reversing
  • Xposed Framework : hooking native methods
  • Drozer : reverse engineering
  • Tcpdump : capture traffic
  • adb, fastboot : install APKs, logging, push or pull files from devices
  • sqlite browser : browse SQLite databases
  • zipgrep : searching
  • JD-GUI : code review
  • dex2jar : reverse engineering
  • MobSF : dynamic analysis
  • jarsigner : tool to sign and verify Java Archive (JAR/APK) files

Techniques

  • Root Detection Bypass

    • https://kyawthiha7.github.io/2018/12/27/Android-Root-Detection-Bypass/
    • https://resources.infosecinstitute.com/android-root-detection-bypass-reverse-engineering-apk/
    • https://resources.infosecinstitute.com/android-hacking-security-part-8-root-detection-evasion/#gref
    • http://repo.xposed.info/module/com.devadvance.rootcloak2
    • https://www.notsosecure.com/pentesting-android-apps-using-frida/
    • https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Walkthroughs/Bypass%20Android%20Root%20Detection.docx
  • Cert Pinning Bypass

  • Hooking native API

    • https://koz.io/android-substrate-c-hooking/
    • https://www.notsosecure.com/instrumenting-native-android-functions-using-frida/
    • https://resources.infosecinstitute.com/android-hacking-and-security-part-25-hooking-and-patching-android-apps-using-xposed-framework/
    • https://resources.infosecinstitute.com/android-hacking-and-security-part-22-hooking-and-patching-android-apps-using-cydia-substrate-extensions/
    • https://www.nccgroup.trust/sg/about-us/newsroom-and-events/blogs/2015/september/code-injection-on-android/
    • http://www.syssec-project.eu/m/page-media/158/syssec-summer-school-Android-Code-Injection.pdf
  • Reverse Engineering

    • http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/
    • https://pentestlab.blog/2017/02/06/reverse-engineering-android-applications/
    • https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md
    • https://medium.com/@thomas_shone/reverse-engineering-apis-from-android-apps-part-1-ea3d07b2a6c
    • https://www.rsaconference.com/writable/presentations/file_upload/stu-w02b-beginners-guide-to-reverse-engineering-android-apps.pdf
    • https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#gref

Tutorials & courses & books

CheckLists & Testing Guide

  • https://github.com/OWASP/owasp-mstg/blob/master/Checklists/Mobile_App_Security_Checklist-English_1.1.2.xlsx
  • https://github.com/OWASP/owasp-mstg
  • https://gbhackers.com/penetration-testing-android-application-checklist/

Public Exploits

  • XXE : https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/

  • TinyCards RCE (CVE-2017-16905) : https://wwws.nightwatchcybersecurity.com/2018/01/04/rce-in-duolingos-tinycards-app-for-android-cve-2017-16905/

  • Finding XSS in an HTML-based Android application : https://labs.detectify.com/2015/02/20/finding-an-xss-in-an-html-based-android-application/

  • Hunting Down Broken SSL in Android Apps : https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf

iOS

jailbreak chart

Labs

Tools

  • Frida : hooking, bypassing, dynamic analysis
  • GDB : Dynamic analysis
  • Cycript : Dynamic analysis
  • Clutch : Static Analysis
  • dumpdecrypted : dumping decrypted iPhone Applications to a file
  • class-dump : dumping class info
  • class-dump-z : dumping class info
  • otool : disassembler
  • strings : print all the strings in a given binary.
  • nm : utility that displays the symbol table of a given binary.
  • cydia impactor : for jailbreaking
  • openssh (cydia)
  • wget (cydia)
  • Erica Utilities
  • Snoop-it (cydia)
  • unzip (cydia)
  • adv-cmds (cydia)
  • usbmuxd : SSH over USB
  • syslogd
  • socat
  • burpsuite
  • iphonessh
  • idb

Techniques

  • Jailbreak Detection Bypass

    • https://www.notsosecure.com/bypassing-jailbreak-detection-ios/
    • https://www.theiphonewiki.com/wiki/Bypassing_Jailbreak_Detection
    • https://resources.infosecinstitute.com/ios-application-security-part-44-bypassing-jailbreak-detection-using-xcon/#gref
    • https://blog.attify.com/bypass-jailbreak-detection-frida-ios-applications/
    • https://www.c0d3xpl0it.com/2017/05/ios-jailbreak-bypass-using-needle.html
    • https://resources.infosecinstitute.com/ios-application-security-part-23-jailbreak-detection-evasion/
    • https://agostini.tech/2018/02/05/ios-application-security-part-three-bypassing-jailbreak-and-certificate-pinning-let-the-right-one-in/
  • Cert Pinning Bypass

    • https://blog.netspi.com/four-ways-to-bypass-ios-ssl-verification-and-certificate-pinning/
    • https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/
    • https://github.com/vtky/Swizzler2/wiki/Case-Study:-SSL-Pinning
    • https://labs.nettitude.com/tutorials/using-frida-to-bypass-snapchats-certificate-pinning/
  • Static and Dynamic Analysis

    • https://medium.com/@ansjdnakjdnajkd/dynamic-analysis-of-ios-apps-wo-jailbreak-1481ab3020d8
    • https://labs.mwrinfosecurity.com/assets/BlogFiles/Needle-Finding-Issues-within-iOS-Applications.pdf
    • https://medium.com/@drag0n/needle-analysis-of-ios-mobile-applications-cfd9e407c0d9
  • Reverse Engineering

    • https://labs.mwrinfosecurity.com/blog/repacking-and-resigning-ios-applications/
    • https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md
    • https://resources.infosecinstitute.com/ios-application-security-part-2-getting-class-information-of-ios-apps/
    • https://resources.infosecinstitute.com/penetration-testing-for-iphone-applications-part-5
  • Misc

    • https://www.igeeksblog.com/how-to-sideload-apps-on-iphone-ipad-in-ios-10/

Tutorials & courses & books

Tool Information

License: Open Source
Tags: awesome, awesome-list