starting with mobile application pen testing
TRANSCRIPT
HOW TO GET STARTED IN MOBILE APPLICATION PEN TESTING
WHY PEN TEST MOBILE APPLICATIONS?
CHALLENGES
CHALLENGES YOU’LL FACE WHEN TESTING MOBILE APPLICATIONS
▸ Mobile OS software versions
▸ There are a lot of tools available
▸ A lot of online material to sift through -> Where to start?
▸ Some challenges have little or no tools, solutions or online information
EXAMPLE: A MOBILE APP THAT USES A COMMUNICATION PROTOCOL OTHER THAN HTTP OR HTTPS
STEPS FOR STARTING IN MOBILE APPLICATION PEN TESTING
STEP 1: CHOOSE AN OS
STEP 2: LEARN ABOUT OS ARCHITECTURE
STEP 3: STATIC VS. DYNAMIC TESTING
STEP 4: VIRTUAL VS. REAL DEVICE
STEP 5: ROOT OR JAILBREAK DEVICE
STEP 6: CAPTURE TRAFFIC
STEP 7: DIVE RIGHT IN
EXAMPLES OF FOUND VULNERABILITIES
EXAMPLES OF VULNERABILITIES
VULNERABILITIES I’VE FOUND DURING MOBILE PEN TESTS
▸ Private certificate found on device
▸ Database with unencrypted passwords
▸ List of all users in the app
▸ Bypassing game restrictions
▸ Public IP for database servers
SOME TIPS
TIPS
HELPFUL LINKS & COURSES
▸ OWASP Mobile Pen Testing Guide
▸ SANS 575: Mobile Device Security and Ethical Hacking
▸ Infosec Institute blog
▸ Conference talk videos
▸ Conferences - almost every conference now has talks on mobile security
▸ The Andro2 VM image is nice for Android because it has all the tools installed