Appknox’s webinar How to Perform Manual Pentest on Mobile Applications was all about demonstrating the basics of manual pentesting for mobile applications with the best open-source tools available in the industry.
Hosted by Appknox CEO Mr. Harshit Agarwal and CISO Mr. Subho Halder, the webinar was attended by security professionals from renowned organizations like Dell, PwC, McAfee, E&Y, Unilever, Axis Bank, and many others.
Key Takeaways of the Mobile Security Webinar
The agenda of the webinar was to discuss the following:
1) Basics of pentesting for mobile applications
2) Tools to be used and how to start pentesting for mobile applications
3) Reporting and remediation post-pentesting to fix security issues
Why Do You Need Pentesting?
The following reasons make pentesting of your mobile applications necessary:
- 1) Mobile apps ask for Personally Identifiable Information (PII).
- 2) Pentesting mobile apps should be a regular, ongoing exercise.
- 3) The threat landscape is getting more complex as mobile devices get smarter.
- 4) To discover new bugs in updated applications.
- 5) VAPT reports may be required by enterprises you work with.
- 6) To get an alert before anyone can misuse the app.
Pentest Tools Used in the Webinar
Smali Package
smali/baksmali is a commonly used assembler/disassembler for the dex format (Dalvik Executable) used by Dalvik, Android's VM implementation. Its widely known syntax supports the full functionality of the dex format (debug info, annotations, line info, etc.) and is loosely based on Jasmin's/dedexer's syntax. The smali package consists of smali and baksmali, which assemble and disassemble dex files respectively.
APKTool
APKTool is one of the best-known tools for reverse-engineering third-party, closed, binary Android apps. Its primary highlight is that it can decode resources and lets you debug code step by step.
It helps reverse-engineer the dex files of an Android APK into smali format, and it can also rebuild smali files back into dex files. Almost any Android application can be modified using this tool.
JADX
JADX is a CLI/GUI tool that decompiles an Android application (APK) or dex file into equivalent Java source code. This reverse-engineering tool helps in figuring out the logical flow and structure of an application and carrying out an effective analysis. However, the generated Java code can't always be recompiled, and JADX can't modify the original application.
Ghidra
Developed by the NSA's Research Directorate for the Cybersecurity Mission, Ghidra is an open-source software reverse engineering (SRE) suite. The framework consists of high-end analysis tools that help analyze compiled code on a variety of platforms like Linux, macOS, and Windows.
Ghidra is commonly used to reverse-engineer native files in Android (mostly .so shared libraries) and iOS. It presents pseudo-code showing what the native binary would look like in C or C++. Ghidra makes reverse engineering a lot easier by helping the user understand the logic of a binary. However, Android dex files can't be reverse-engineered using this software.
Passion Fruit
Passion Fruit is a well-known cross-platform web GUI for performing manual security assessments of iOS applications, with Frida as the backend driver. The tool is highly useful for bypassing pinning and jailbreak detection, and it also supports non-jailbroken devices.
With Passion Fruit, you can list all the URL schemes, capture screenshots, check signature entitlements and list human-readable app meta info. With this black-box assessment tool, you can also examine whether the target iOS app is encrypted or has ARC, PIE, and stack canaries enabled.
Pentesting iOS Apps with Burpsuite
Written in Java and developed by PortSwigger Security, Burp Suite is a cross-platform proxy tool used for in-depth security assessments. With rich features like request replay and brute-forcing, Burp is often considered the best intercepting proxy. The tool is available in three versions: a free community edition, a professional edition, and an enterprise edition. Burp Suite can be used to perform MITM (Man-in-the-Middle) attacks and server-side testing.
For mobile testing, PortSwigger offers Burp Suite Mobile Assistant for iOS 8 and above. With the Mobile Assistant, one can bypass SSL pinning and keep a check on application security.
VAPT of Android Apps with Drozer
Drozer is arguably one of the best open-source pentesting tools for Android. It was developed by MWR InfoSecurity (now F-Secure Consulting). Drozer helps in the assessment of apps and devices through social engineering. It interacts with the Dalvik VM, app IPC, and the underlying OS to make sure no security vulnerabilities are left unnoticed.
Decompiling with dnSpy and ILSpy
Used for Xamarin-based applications, dnSpy and ILSpy are cutting-edge DLL decompilers and .NET assembly editors. dnSpy can efficiently decompile as well as recompile Xamarin-based applications, and decompilation to C# is easy with ILSpy. While ILSpy works across several platforms, dnSpy works on Windows only.
SSL Unpinning with Xposed
Xposed is a unique framework for jailbroken (i.e. rooted) Android devices. With custom modules like SSL Unpinning, RootCloak and Greenify, one can make many interesting modifications to an Android device.
Remediation is as Important as Assessment
The remediation process involves the following steps:
Reporting - Reporting is an important step as it helps developers fix issues. One should include CVSS 3.0 scoring, or any other globally followed reporting standard, to rate the criticality of each issue.
Proof of Concepts - Proofs of concept give more clarity to each issue. They also build the developers' confidence by showing exactly where the issue is, which can be a code reference or a screenshot.
Re-Scan to confirm the security fix - No security testing is complete until it has been verified that the issue is resolved. This step should also check for any new issues that might have popped up during remediation.
After the webinar, a Q&A session was held in which our security experts answered the audience's questions in detail. You can find the consolidated Q&A document here.
Final Thoughts
‘Smarter’ phones and apps mean that more and more user information is at stake, so application security has become a concrete necessity. With webinars like these, Appknox aims to spread the word about the usefulness of manual pentesting and the associated open-source tools, and how they can prevent serious security threats to your organization.