To keep your enterprise system secure, mobile application penetration testing is one of the most critical factors.
The number of mobile device users has been increasing significantly in the last couple of years, and mobile applications are becoming integral tools for daily life. Therefore, protecting the data used by the mobile app has been becoming critically important. At the enterprise level, BYOD (Bring Your Own Device) policies allow employees to connect their mobile devices to enterprise networks. This allows an opportunity for hackers to penetrate the network, and a recent survey indicated in increased attacks using mobile malware exponentially. So, it is crucial for security professionals to understand the security for both mobile device and application levels.
Mobile device security has been becoming an emerging field of research, and mobile device security focuses on Mobile Device Management (MDM), device-level security, storage security, transport layer security, and mobile device application security.
A penetration test is a professional security method to emulate a threat, acting on the attack surface with one or more attack vectors that comprise an “attack scenario.”
There are several ways to test android and iPhone environment for security testing:
A tester attempts to reverse engineer the application content to identify sensitive hard-coded values that could be used to gain unauthorized access or to identify potential logic and operational flaws of the execution of the application. More about Reverse Engineering.
Network Communications Analysis
A tester eavesdrops on and manipulates network calls to the backend servers supporting the execution of the application. These tests are performed to identify common input validation flaws that could lead to sensitive information disclosure or unauthorized access. More about Testing Network Communications.
Local Resource Handling Analysis
A tester monitors and analyzes local resource handling operations as different tasks within the application are performed. Testing for Local File Inclusion
Run-time and Logic Manipulation
A tester performs various techniques to manipulate the logic of the application as it is executed on the device, to attempt to identify risks associated with misuse, data leakage, or unauthorized access. Testing for business logic
Different programming level security bugs can be easily found by performing application reverse engineering. Misconfigurations during database creation or misconfiguring Content Providers can be easily detected during code analysis. Also, the use of any vulnerable API and libraries can be noted in code analysis. Static Code Analysis
Port scanning is a formal method to analyze the device features and services running on the device. NMAP (Network Mapper) is used to design a port scanning. OS fingerprinting and possible attack prone services are found in such exercise. OWASP PHP Portscanner Project
Finding IPC based attack surfaces
Tools are used to spot possible vulnerable IPC (Inter-process communication). Exploits can be carried out using tools like Drozer and other capabilities like SQL (Structured Query Language) injections. Attack Surface Analysis Cheat Sheet
Proxy-based attack for MITM
Burp Suite proxy is used to exploit the transport layer flaws and perform a man in the middle attack (MITM). It provides exploitation techniques to exploit transport layer flaws and potential business logic flaws. Also, private information can be found through exploring the sent data through application due to the insecure transmission of data. Man-in-the-middle attack
Dynamic analysis for invalid input failure
Client-side input validation is required. It allows SQL injection and reveals the stored information as the client-side input validation is not performed correctly. Testing for Input Validation
Log analysis for data leakage through log generation
Application developers many times log some critical error, which gives more knowledge about the possible attack’s surfaces. Logging Cheat Sheet
Insecure data storage analysis
Unsafe data storage can be a critical issue for mobile application, which stores credit card or financial data. Content provider miss configuration and insecure storage of encryption key may lead to such flaws. Mobile Top 10 2016-M2-Insecure Data Storage
Malware analysis is a core part of mobile device security. Several mobile malware analysis techniques are static analysis, dynamic analysis, network analysis, and user intent, and geographical location of the servers for finding outliers.
· Static analysis:
The static analysis utilizes code reverse engineering techniques, and explores the malware code. This analysis also provides an understanding of permission characteristics and exploiting malware characteristics. Static analysis also reveals the functional capabilities of malware and possible family to which the malware belongs.
· Dynamic analysis:
The dynamic analysis utilizes multiple tools to monitor the activities within the device. By observing the generated data from the tools, malware behavior can be evaluated. This analysis is a much faster and dynamically elastic technique when analyzing a large number of malware codes and can be automated and deployed in cloud-based frameworks. Dynamic analysis reveals details about a functional call by mobile malware and other system-level activity calls related to malicious activities. Battery and network usage also help in predicting the malicious behavior of the application. The stack activity of the malicious application is analyzed as well.
· Network-level analysis:
The network-level analysis involves understanding of network protocols used by the malware to send data to remote servers. The malware utilizes http, https, and ftp protocol, but there have been families of malware using SMTP to compromise user’s private data. Network-level malware analysis help to understand network traffic characteristics of malware and provide understanding to effectively setup network intrusion Detection System (IDS) in the future.
All of the above methods have been built into App-Ray to simplify your work. As a result, you only have to focus on keeping your business secure. Leave the penetration test to us. We are happy to help – request a Free Demo or a Call with us now.