10 best practices for mobile app penetration testing
Penetration testing is one of the best ways to thoroughly check your defense perimeters for security weaknesses. Pentesting can be used across the entire spectrum of an IT infrastructure, including network, web application and database security. But today, we also see pentesting used widely for another segment — mobile application security.
According to Veracode, mobile app "penetration testing attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible."
What should you learn next?
Mobile pentesting is a critical component in any comprehensive security plan. Here are 10 best practices to follow when conducting a mobile pentest.
1. Create a detailed plan
To yield the most effective results from a mobile app pentest, you need to first develop some sort of methodology as to how you plan to go about it. Obviously, each mobile app environment is going to be different from one another. Therefore, you should give careful thought and consideration to what exactly needs to be tested.
One of the best places to get started in this regard is this cheat sheet provided by OWASP. It is important to note it has been created for pentesting mobile apps in an iOS environment, but the same principles can still be applied to different situations.
2. Pick the right penetration testing tools
There are many pentesting tools available — some are vendor provided (for a cost), and also, many of them are free to download and use. Picking the right one(s) will depend primarily on the environment you are using. Here are a few of the most popular mobile pentesting tools available:
3. Prepare a thorough pentesting environment
You must plan your pentesting environment in great detail. For instance, since Apple theoretically has made it quite difficult to jailbreak an iPhone, it can still be done if the user knows what they are doing. Therefore, when pentesting in an iPhone environment, it will also be necessary to conduct a real word jail break in order to discover what the security ramifications will be. You can use the following resources:
- For iOS: www.evasi0n.com
- For Android: www.oneclickroot.com/
4. Manage your time wisely
Depending on the magnitude of the pentest you are conducting, you will need to have effective time management skills as well. For instance, there may be times when you are not testing the entire mobile app, just one portion of it. Therefore, use the right amount of time to do the test, and move onto the next item without sacrificing attention to detail.
5. Launch server attacks
It is equally important to test the server environment, as well as the server the app is hosted and downloaded from. In this regard, one of the more popular tools to use is Nmap. Some aspects that need to be pentested here include:
- The authentication mechanisms in place between the smartphone and the server (for example, Apple has numerous authentication steps a user has to take before he or she can download a mobile app from the Apple Store)
- Any authorized and unauthorized file uploads
- Any open redirects
- Cross origin resource sharing
6. Stay focused, be patient & above all be thorough
Remember, conducting a mobile app pentest can be a very tedious and laborious task, depending upon the actual magnitude of the test involved. It is often tempting to bypass a step, or even speed up the process of one segment of the plan. But, never, ever do this. Keep in mind it is your job to unearth any potential security vulnerabilities. For example, if it's discovered you purposely missed an important step in the pentesting plan, not only you, but the organization that you work for, could be held liable for any subsequent damages that may occur. In other words, follow this guiding principle: Never assume a mobile app works. Always assume that it is broken in all ways possible.
7. Launch network attacks
When pentesting network connectivity between the wireless device/smartphone and the server the mobile app will be downloaded from, always make use of network sniffers. These tools are used to collect important information and data not only about the network traffic itself, but also the data packets. From here, results can be used to ascertain and formulate the type of pentesting that needs to be done. No matter what, the following should be included:
- Examining the authentication, authorization and session management mechanisms deployed
- Examining the encryption protocols implemented
8. Make use of source instrumentation
This process involves creating a specialized piece of code and layering it onto the source code already being developed. The primary purpose of this is to create a "backdoor," to investigate the source code objects at a much more granular level. With this, you can diagnose any unknown errors or flaws in the source code that could prove to be a security vulnerability.
9. Keep your mobile app pentesting skills sharp by always practicing
It is very important to keep your skills sharp by constantly practicing as often as you can. The following websites offer tools in which you can further (and safely) hone in on your pentesting skills:
10. Conduct both binary and file-level analyses
In this regard, you are pentesting for specific application programming interface (API) calls that are inherently weak, and those files which have poor quality access controls embedded into them. In this instance, you should also check for the following:
- Buffer overflows
- Examining the potential for SQL Injection based attacks
Some popular tools to use here include the following:
What should you learn next?
Conclusion
This article reviews important considerations for mobile app pentesters. Each pentesting environment will be different, so these best practices must be modified and adjusted to match environment conditions. However, just as much proper planning and using the best tools are of top priority, so is the focus of the pentester. Long hours are often involved, therefore it is crucial that backup is always at hand in case of fatigue so that attention to detail will never be missed.
Sources
- https://techbeacon.com/how-hack-app-8-best-practices-pen-testing-mobile-apps
- http://www.testbytes.net/blog/best-practices-to-follow-for-ios-mobile-app-testing/
- https://www.tripwire.com/state-of-security/security-data-protection/seven-steps-towards-mobile-penetration-testing/
- https://infinum.co/the-capsized-eight/10-app-testing-principles
- https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
- www.oneclickroot.com
- www.evasi0n.com
- https://www.veracode.com/security/penetration-testing
- www.owasp.org
- www.nmap.org
- http://www.testbytes.net/blog/best-practices-to-follow-for-ios-mobile-app-testing/
- https://www.owasp.org/index.php/Projects/OWASP_Androick_Project
- https://sourceforge.net/projects/mobisec/
- http://damnvulnerableiosapp.com/#about
- https://www.hex-rays.com/products/ida/
- https://www.hopperapp.com/