The mobile application penetration testing methodology
The mobile application penetration testing methodology is typically based on the general application security methodology, but the focus shifts away from traditional application security, where the primary threat comes from multiple sources over the Internet. The key difference lies in client-side security: the filesystem, the hardware, and network security on the device itself. For mobile applications, the end user is traditionally in control of the device.
Everything starts with understanding the risk environment of mobile applications.
Discovery
Information collection is an important step to keep in mind throughout the penetration testing process:
- Open Source Intelligence: It may be possible to find out more information about an application. This includes checking through search engines, third-party libraries that are used, or finding leaked source code through the use of source code repositories, developer forums, and social media.
- Understanding the platform: Understanding the platform is a crucial part of application penetration testing. This gives a clear understanding from an external point of view when it comes to creating a threat model for the application.
- Client-side versus server-side scenarios: It is crucial to understand the type of application (native, hybrid, or web) and to build the test cases accordingly.
Analysis/assessment
Mobile applications call for a distinctive kind of assessment or analysis: testers have to check the application both before and after installation.
- Static analysis: Static analysis is performed, without executing the application, on the provided or decompiled source code and accompanying files. Sometimes, you might be provided with just the source code of the application.
- Archive analysis: The application installation packages for the Android and iOS platforms will be extracted and examined to review configuration files that have not been compiled into the binary.
- Local file analysis: When the application is installed, it is given its own directory in the filesystem. During the usage of the application, it will write to and read from this directory. Files accessed by the application will be analyzed to verify.
- Reverse engineering: Reverse engineering will be attempted to convert the compiled applications into human-readable source code. If possible, code review will be performed to understand the internal application functionality and search for vulnerabilities. In the case of Android, the application code may be modified and recompiled to enable access to debug information during dynamic analysis.
- Dynamic analysis: Dynamic analysis is performed while the application is running on the device. This includes forensic analysis of the local filesystem, network traffic between the application and server, and assessment of the app's local inter-process communication (IPC) surface(s).
- Network and web traffic: The device will be configured to route its connection to the server through a test proxy controlled by the security tester. This will enable web traffic to be intercepted, viewed, and modified. It will also reveal the communication endpoints between the application and the server so that they can be tested. Network traffic that does not traverse the Web and happens at a lower layer of the TCP/IP protocol stack, such as TCP and UDP packets, will also be intercepted and analyzed.
- Inter-process communication endpoint analysis: Android mobile apps are composed of the following IPC endpoints:
  - Intents: These are signals used to send messages between components of the Android system
  - Activities: These are screens or pages within the application
  - Content providers: These provide access to databases
  - Services: These run in the background and perform tasks regardless of whether the main application is running
  - Broadcast receivers: These receive and possibly act on intents received from other applications or the Android system
Exploitation
A properly executed exploitation can demonstrate a real-world data breach very quickly:
- Attempt to exploit the vulnerability: Acting upon the discovered vulnerabilities to gain sensitive information or perform malicious activities.
- Privilege escalation: Demonstrating an identified vulnerability to gain privileges and attempting to become a superuser.
Reporting
Clearly, a thorough mobile application penetration testing methodology involves a great deal of work in data collection, analysis, and exploitation:
- Risk assessment for the findings: Analyze the business criticality of the application and its security risk posture, and categorize the overall risk rating of the assessed application
- Final report: A detailed report on the discovered vulnerabilities, including the overall risk rating, a description, the associated technical risk, the technical impact, the business impact, a proof of concept, and recommendations to fix the findings