Preface
The adoption of mobile technology has changed the world, smartphones especially have become an integral part of everyone's lives and an extension of the corporate workplace.
With over a billion smartphone users worldwide, mobile applications play a crucial role in almost everything a device can do. More often than not, the security of these applications is an afterthought, even though the data they handle is the very asset one would like to protect.
In short, the purpose of this book is to educate you about and demonstrate application security weaknesses on the client (device) side and configuration faults in Android and iOS that can lead to potential information leakage.
What this book covers
Chapter 1, The Mobile Application Security Landscape, takes you through the current state of mobile application security and provides an overview of public vulnerabilities in Android and iOS applications. It also teaches you the OWASP mobile top 10 vulnerabilities in order for you to establish a baseline for the vulnerabilities and principles of securing mobile applications.
Chapter 2, Snooping Around the Architecture, walks you through the importance of an architecture and dives deep into the fundamental internals of the Android and iOS architectures.
Chapter 3, Building a Test Environment, shows you how to set up a test environment and provides step-by-step instructions for Android and iOS devices within a given workstation.
Chapter 4, Loading up – Mobile Pentesting Tools, teaches you how to build, on your workstation, the toolbox required to perform an assessment of any given mobile app, and how to configure the tools in it.
Chapter 5, Building Attack Paths – Threat Modeling an Application, shows you how to build attack paths and attack trees for a given threat model.
Chapter 6, Full Steam Ahead – Attacking Android Applications, shows you how to penetrate an Android application to identify its security weaknesses and exploit them.
Chapter 7, Full Steam Ahead – Attacking iOS Applications, shows you how to penetrate an iOS application to exploit the weaknesses and device vulnerabilities that affect the application.
Chapter 8, Securing Your Android and iOS Applications, teaches you the practical way of securing Android and iOS applications, starting from the design phase, and how to leverage different APIs to protect sensitive data on the device.
What you need for this book
The following hardware and software are recommended for maximum results:
- Workstation:
  - Windows 7 (64-bit):
    - At least 4 GB of RAM
    - At least 100 GB of hard disk space
    - Java Development Kit 7
    - Active Python
    - Active Perl
  - MacBook (10.10 Yosemite):
    - Xcode with the latest iOS SDK
    - LLDB
    - Python (2.6 or higher)
- Mobile devices:
  - A Google Nexus 5 running Android 5.0 Lollipop or higher
  - An iPhone (either 5 or 6) or iPad running iOS 8.4 or higher
All the software mentioned in this book is free of charge and can be downloaded from the Internet, except Hopper.
Who this book is for
If you are a mobile application evangelist, mobile application developer, information security practitioner, infrastructure or web application penetration tester, application security professional, or someone who wants to pursue mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pentesting.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Cydia installations are pretty much similar to Linux Debian packages; a majority of the apps are packaged and bundled in the .deb format."
A block of code is set as follows:
public StatementDBHelper(Context paramContext) {
    this.context = paramContext;
    StatementOpenHelper localStatementOpenHelper = new StatementOpenHelper(this.context);
    // Load the SQLCipher native libraries before opening the encrypted database
    SQLiteDatabase.loadLibs(paramContext);
    // The database passphrase is hardcoded in the application binary
    this.db = localStatementOpenHelper.getWritableDatabase("havey0us33nmyb@seball");
    // Precompiled statements for the transaction history table
    this.insertStmt = this.db.compileStatement(
        "insert into history (userName, date, amount, name, balance) values (?,?,?,?,?)");
    this.deleteStmt = this.db.compileStatement("delete from history where id = ?");
}
Any command-line input or output is written as follows:
C:\Hackbox\sdk\platform-tools>adb shell monkey 2
Events injected: 2
## Network stats: elapsed time=1185ms (0ms mobile, 0ms wifi, 1185ms not connected)
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Open the iFunbox, click on Quick Toolbar and then click on USB Tunnel."
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <feedback@packtpub.com>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the color images of this book
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/MobileApplicationPenetrationTesting_ColorImages.pdf
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <copyright@packtpub.com> with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
Questions
If you have a problem with any aspect of this book, you can contact us at <questions@packtpub.com>, and we will do our best to address the problem.