starting with mobile application pen testing

Posted on 11-Feb-2017

Category: Presentations & Public Speaking

TRANSCRIPT

HOW TO GET STARTED IN MOBILE APPLICATION PEN TESTING

WHY PEN TEST MOBILE APPLICATIONS?

CHALLENGES

CHALLENGES YOU’LL FACE WHEN TESTING MOBILE APPLICATIONS

▸ Mobile OS software versions

▸ There are a lot of tools available

▸ A lot of online material to sift through -> Where to start?

▸ Some challenges have little or no tools, solutions or online information

EXAMPLE: A MOBILE APP THAT USES A COMMUNICATION PROTOCOL OTHER THAN HTTP OR HTTPS

STEPS FOR STARTING IN MOBILE APPLICATION PEN TESTING

STEP 1: CHOOSE AN OS

STEP 2: LEARN ABOUT OS ARCHITECTURE

STEP 3: STATIC VS. DYNAMIC TESTING

STEP 4: VIRTUAL VS. REAL DEVICE

STEP 5: ROOT OR JAILBREAK DEVICE

STEP 6: CAPTURE TRAFFIC

STEP 7: DIVE RIGHT IN

EXAMPLES OF VULNERABILITIES FOUND

VULNERABILITIES I’VE FOUND DURING MOBILE PEN TESTS

▸ private certificate found on device

▸ database with unencrypted passwords

▸ list of all users in the app

▸ bypassing game restrictions

▸ public IP for database servers

TIPS

HELPFUL LINKS & COURSES

▸ OWASP Mobile Pen Testing Guide

▸ SANS 575: Mobile Device Security and Ethical Hacking

▸ InfoSec Institute blog

▸ Conference talk videos

▸ Conferences - almost every conference now has talks on mobile security

▸ The Andro2 VM image is nice for Android because it has all tools installed