Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
0 likes702 views
The document outlines a one-hour talk focused on mobile application penetration testing for Android and iOS, emphasizing the importance of methodology over tools. It details the distinction between static and dynamic analysis, lists various components and vulnerabilities to test, and provides resources such as tools, techniques, and training information. Key highlights include the use of Mobexler, a customized virtual machine for testing apps, and numerous external resources for further learning.
![What to test?
● Mobile Application Security Testing Checklist
How to test?
● Setting up lab?
○ Hardware Requirements:
■ Android:
● Android Studio/ADB
● Any virtual device, Genymotion, AVD & Tools
■ iOS:
● Preferably Mac, or a high (good) config laptop
● iDevice (iPhone, iPad etc.) [Thanks to Checkra1n]
Tools, Techniques & Resources?](https://image.slidesharecdn.com/nulltalk-200615105049/85/Getting-Started-With-Hacking-Android-iOS-Apps-Tools-Techniques-and-resources-12-320.jpg)
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
- 1. Getting Started With Hacking Android & iOS Apps Tools, Techniques & Resources
- 2. Abhinav Mishra Founder, ENCIPHERS ENCIPHERS InfoSec Consulting | Training @enciphers_ @0ctac0der www.enciphers.com
- 3. Mobile Application Penetration Testing What to do? What Why to do? How to do? Where to go, if you are stuck? Why How Where
- 4. This is a 1 hour talk. I strongly believe that in focusing on technical parts in one hour, is not the best approach. Hence, this talk will majorly be about the methodology and discussing resources. Disclaimer
- 5. What to test? What to look for? The methodology should be based on knowledge, not the tools 01
- 6. What? The mobile application penetration testing is mainly divided in two parts: ● Static Analysis ○ As the name suggests, stuff that can be tested statically. Maybe even without installing the app. ● Dynamic Analysis ○ As the name suggests, stuff that can be tested when the app is running. Network calls, crypto, storage etc.
- 7. What? What are the ingredients of a mobile application? ● Do you know the structure of the application package? ○ IPA | APK ~ Zip ● Manifest | Plist ● Resources that the app would need ● Source code ● XML? Config? Res? Certs etc.
- 8. What? What happens when you install and use a mobile app? ● Permission on device? ○ To access data, use hardware, access other apps etc. ● Provide personal/account data. ○ Username/Email/Password etc. ● Network calls? ○ TLS? MITM? ● On device Security? Data at rest. ○ Crypto? Storage details ● API Security? ○ IDOR? ○ Authorisation/Authentication?
- 9. What? Anything else on the device which: ● Handles user and application data ● Handles network connection ● Uses device permissions ● Implements a security control
- 10. Ok, so we know what all things are there to be tested/analysed. But why do we need to test each of these things? ● Static Analysis: ○ Sensitive information inside app package might lead to more attack surface. ○ Bad crypto implementation might be bypassed. ● Dynamic Analysis ○ User and application internal data should be safeguarded ○ Not implementing a security control is a security issue, bypassing it might not always be ○ Request and response is the place where all the action happens, this should be secure ○ APIs, are the biggest source of vulnerabilities in mobile applications Why?
- 11. If you know what to test and why to test, then finding or knowing how to test that might be the easiest part. IMHO, majority of people focus only on this section… ● What tools to use? ● How to use the tools? ● Click to hack/secure applications So, let’s talk about how to do each of these.... How?
- 12. What to test? ● Mobile Application Security Testing Checklist How to test? ● Setting up lab? ○ Hardware Requirements: ■ Android: ● Android Studio/ADB ● Any virtual device, Genymotion, AVD & Tools ■ iOS: ● Preferably Mac, or a high (good) config laptop ● iDevice (iPhone, iPad etc.) [Thanks to Checkra1n] Tools, Techniques & Resources?
- 13. Mobexler: A customised virtual machine, designed to help in penetration testing of Android & iOS applications. When to use: ● Does not have Mac ● Don’t want to install a large amount of security tools on Mac ● Want to test Android & iOS apps at the same time, from the same setup Let’s get to Mobexler then. Mobexler
- 14. Tools? ● Android: https://enciphers.com/awesome-android-application-security/ ● iOS: https://enciphers.com/awesome-ios-application-security/ Resources? ● Jailbreaking: https://canijailbreak.com/ ● Mobile application hacker's handbook ● OWASP MSTG: https://mobile-security.gitbook.io/mobile-security-testing-guide/ ● Talks on iOS & Android Security: ○ Android: https://www.youtube.com/watch?v=B3Udl86Zu20&t=20700s ○ iOS: https://www.youtube.com/watch?v=B3Udl86Zu20&t=22920s ○ Demystifying Frida: https://www.youtube.com/watch?v=kd05JjCqViY ● Blogs: ○ iOS Security: http://www.allysonomalley.com/ ○ Reverse engg. iOS apps: https://github.com/ivRodriguezCA/RE-iOS-Apps ○ Android Security: https://medium.com/knowing-android/modern-security-in-android-part-1-6282bcb71e6c Tools, Techniques & Resources?
- 15. Resources? ● Frida Cheat Sheet, for Android: https://erev0s.com/blog/frida-code-snippets-for-android/ ● Android App Reverse Engg: https://maddiestone.github.io/AndroidAppRE/ Techniques: ● Jailbreak bypass in iOS: https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/ ● SSL Pinning bypass: https://www.cyclon3.com/bypass-instagram-ssl-certificate-pinning-for-ios ● Xamarin cert pinning bypass: https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/ ● Frida scripts: https://codeshare.frida.re/ ● Frida Scripts: https://github.com/0xdea/frida-scripts Trainings: ● iOS Application Security: https://www.enciphers-trainings.com/p/ios-application-security Tools, Techniques & Resources?
- 16. Questions?(There's) no such thing as a stupid question.
- 17. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. THANKS! Do you have more questions? a@enciphers.com Join Slack: Invite Link