A Step by Step Guide on Pen Testing a Mobile Application (With Tools and Service Providers):
A decade ago, owing to the evolution of technology, we all started to understand about IT industry and that was the time, all of us got to know about how and what could be done using computer systems.
Slowly, it became possible to transfer money online using the internet instead of visiting the bank in person and waiting in queue to perform a transaction. Due to such demand, all the banks started to operate online.
But, did we all feel comfortable and secured using this feature right from the beginning, the answer that most of us would say is “NO”.
When it comes to money matters, we all think twice.
When something is newly launched we want to ensure that it is secured in all aspects, all the websites that we use nowadays go through several layers of security checks before they are exposed to the public. Now the trend is changing again and we want everything to happen at a click of a button which is only possible using Mobile Apps.
How do you ensure that all the mobile apps you download from the play store or iStore are safe to use? With any download comes the risk of malicious attacks. For the same reason & in order to ensure their app gets preferred over others, the app developers should ensure that their apps are successfully security tested before they actually publish it for download.
This article will brief you about the types of mobile apps, what should be expected from penetration testing of mobile apps, how can the testing be conducted, service providers who offer services for mobile app testing and a list of some tools which can be used for testing.
What You Will Learn:
- Mobile Apps and their Types
- Mobile App Penetration Testing Service Providers
- Mobile App Penetration Testing Tools
- Few Popular Dummy Vulnerable Mobile Apps
- What Should You Expect from your Test?
- Steps to Penetration Test Mobile Apps
- Recommended Reading
Mobile Apps and their Types
Before we move on deep about how to pen test a mobile app, it is very important to ensure that you have some background knowledge about Mobile Apps.
Let's understand the different types of Mobile Apps.
#1) Native Mobile Application
Native App means the apps created for a particular platform like iOS or Android, specifically written in a particular programming language and they can be installed from the respective stores like Google’s play store or Apple’s app store. They offer the most user-friendly experience and can be operated simply by clicking on the icon.
Some good examples of Native apps are Facebook, Instagram, Angry Birds, etc.
The only problem is that these apps do not work with all types of devices like if an app is created for Android, it will not work on iOS and vice versa. Native Apps can also work without Internet connectivity.
#2) Mobile Browser-Based Application/Mobile Web Apps
Mobile Web apps are basically apps that run on a browser and they are device-independent.
The Same app can be run using an iOS device or an Android Smartphone. These apps are mostly written in HTML5. They are easy to be published because it doesn’t need any permission from Google or Apple to allow on their store.
Web apps can directly be downloaded using the download button available on their concerned websites. A typical example would be our shopping sites like Flipkart, Amazon, etc.
#3) Mobile Hybrid Application
These are the applications which are partly native and partly non-native. They can be downloaded from the stores as well as run in the browser.
The benefit of developing these type apps is, it supports the cross-platform development and hence reduces the overall development cost, which means it allows reusing the same code component on a different device. Also, these apps can be developed quickly.
In addition, hybrid mobile apps allow you to get the features of both native and web apps.
Mobile App Penetration Testing Service Providers
Mobile App Penetration Testing Tools
- Port Scanner (Android)
- Fing (Android & iOS)
- DroidSheep (Android)
- Intercepter-NG (Android)
- Nessus (Android)
- Droid SQLi (Android)
- Orweb (Android)
Few Popular Dummy Vulnerable Mobile Apps
In general, there are some well known vulnerable mobile applications that are created to give users an idea of Mobile Testing. These apps have vulnerabilities that are intentional to help the users/testers practice and enhance their pen test knowledge.
You can refer to iMAS, GoatDroid, DVIA, MobiSec:
What Should You Expect from your Test?
The reason behind testing is to find out as many issues as we can and to ensure that the issues are found before it actually impacts the end-users. The main reason for getting a mobile security issue is because developers want to create more useful apps than secured apps and there are chances for lack of security awareness while developing the apps.
In this section, I will take you through some vulnerabilities/Security Flaws that you should look out as part of the testing.
Common Security Flaws to look for:
1) Data Storage format: It all depends on the format in which the data is stored. Whether in plain text or other formats. For E.g., Android stores the username and password in plain text, which in turn makes it more vulnerable.
2) Stored Sensitive Data: Sometimes developers hard-code passwords or store sensitive information which can get compromised easily.
3) Bad Coding Methods: Usage of Open SSL library which is vulnerable to FREAK attack is one of the things to check for.
4) Data Encryption: It is important to ensure that the data transmission is done in a secure way, and the stored data are encrypted.
5) Weak Password Creation: Apps should have a mechanism to check for password strength. Weak passwords are always vulnerable to attacks.
6) Data Sync: Transmission of data or data sync should be done via a secure method. The way in which data is transmitted or synched with the cloud can lead to attacks and hence it causes data loss.
Testing a mobile app still remains a challenge when compared to web testing as mobile apps are being fairly new in the market and we do not have several scanners available as in the web and we are still creating cheat sheets or coming up with ways to scan and have more secure mobile apps created for the end-users.
Steps to Penetration Test Mobile Apps
There are certain steps involved in Pen Testing the Mobile Apps.
#1) Test Environment Setup
Test Environment setup is a process in itself and can be a separate topic for reading :)
I haven’t mentioned many details about setting up a test environment here because it will differ based on the testing. I have just included it here because I didn’t want to completely miss this step.
Some of the testings can be performed on a real device whereas some can be done on Emulators. Also, it differs based on which platform we plan to test, for Android applications we may need to install SDK’s and for iOS, we will require jailbreaking.
#2) Discover/Application Understanding
Each mobile application will work differently, so the very first step in your testing should be to discover or find out more information about the application under test. This should also involve identifying how the application connects to the OS and the back-end server.
It should include checking for libraries used, understanding the platform better, and finding out if the application is a native/web/hybrid type. This step can also be called as Information Gathering step.
#3) Application Analysis/Assessment
As a part of this step, install the application on the mobile device and take a snapshot of the file system and registry before and after installation.
Analyze the information available to identify the areas of weakness and which can be exploited, like understanding how sensitive information is stored, how data is transmitted, how interaction with the third party is taking place, etc.
#4) Reverse Engineering
This will be required if the tester doesn’t have the source code. Code reviews will be planned to understand how the application functions internally. The intention of doing this is to search for vulnerabilities.
#5) Traffic Interception
In this step, configure the device to route through a proxy, which in turn should help in intercepting traffic and finding out the flaws like injection or authorization issues.
After the analysis and proxy setting is done, exploitation can be done where you behave like a hacker, simulate attacks and try to compromise the system.
Exploit the system and perform malicious activities.
The above step would form the main testing step, so the last step should be to compile a report mentioning about all the findings. A good report should consist of details of all the vulnerabilities found along with the business and technical risk assessment score.
Another important point which can be mentioned is the recommendation for the fix.
Hope you all enjoyed reading this article on mobile app pen-testing. In my opinion, mobility testing is still an area that hasn’t been explored completely.
However, we can consider this to have brought in a change and give us an opportunity to rethink our capabilities and start thinking out of the box and different from our traditional testing approach. Developers are putting their creativity and coming up with different variations of apps, so even we as testers have lots more to do!
Hope you would have got a great insight on Mobile App Penetration Testing tools and service providers!!