Mobile Application Penetration Testing Methodology as a security testing measure, analyses security perimeters within a mobile environment. Derived from the traditional concept of application security methodology, its main focus lies on client-side security and it broadly puts the end-user in control.
By conducting penetration testing, companies can gain insights into the source code’s vulnerabilities, bottlenecks, and attack vectors beforehand. This way, once all shortcomings are known, developers can put in fixes to plug these gaps and change the design to address the issues at hand.
Types of Penetration Testing
Penetration Testing has become a valuable methodology for companies and organizations alike to generate valuable insights into their software/hardware systems. Through these tests, software and hardware systems are subject to planned attacks, to expose the inherent security flaws, which can be addressed as a part of the development plans.
Here are some of the various types of penetration testing, which are most commonly used by organizations these days:
1) Web Application Penetration Testing:
As per Verizon’s “2020 Data Breach Investigations Report”, data breaches caused due to web application vulnerabilities reached up to double digits (43%) in 2019 itself.
Web application penetration testing is used broadly to check for vulnerabilities or security gaps in web-based applications. Typically, web application penetration testing would include web-based applications such as browsers, along with their individual components like ActiveX, Silverlight, Plugins, Applets and Scriptlets. Such tests are quite detailed and targeted towards specific components.
2) Network Service/Infrastructure Testing Penetration Testing
Network penetration testing helps identify weaknesses within the network infrastructure, which can either be on-premises or in the cloud. This is a crucial test to ensure the safety and security of business-critical data. Network service penetration testing often includes the following checks:
- Insecure configurations
- Encryption vulnerabilities
- Missing security patches
The testing procedures are further divided into external and internal testing, which can be carried out depending on the need of the hour.
3) Client-side Penetration Testing:
As the name suggests, client-side penetration testing procedures are solely carried out to discover vulnerabilities in client-side applications. Such applications include the likes of Putty, web browsers, email clients, Macromedia Flash, amongst others.
4) Wireless Penetration Testing:
Wireless penetration testing examines and tests the connections between the different devices connected to the corporate Wi-Fi network. Such devices can include laptops, smartphones, and tablets along with the internet of things devices. Such tests are performed onsite, as the pentester needs to be in the range of the Wi-Fi signal for testing purposes.
5) Social engineering Penetration Testing:
When a malicious hacker attempts to trick end users into revealing sensitive information, which includes usernames, passwords, amongst other sensitive information, it qualifies for Social engineering testing. Some common attacks include, but are not limited to, the following:
6) Physical penetration testing:
During this testing type, by stimulating a real-world threat, organizations can attempt to pre-empt the physical barriers around a business’s infrastructure, system, employees, etc. If a hacker is able to gain physical access to a server room, it can have an adverse impact on the business, customers and other working relationships.
Mobile Application Penetration Testing Methodologies Stages
Broadly speaking, mobile application penetration testing methodologies stages include the following stages:
2) Assessment and analysis
The discovery process includes gathering information, which will further form the basis of the penetration testing phases. The data collected is used as a base in the process of checking for vulnerabilities, which can make or break the pentest.
The discovery process encompasses the following steps:
Open-Source Intelligence: Commonly known as OSINT, the pentester searches the Internet for information pertaining to the application. Such information can be found on search engines, social networking sites, source code repositories, developer forums and even the Dark Web.
Understand the Architecture: It’s important for the pentester to understand the architecture, and further develop a threat model to use in the application/platform. In an ideal test, the tester should take into consideration the company behind the application, their business case, along with the stakeholders. These can be complemented with the internal structures and processes also.
Client-side vs server-side scenarios: The pentester needs to identify the type of app, which could range from native, hybrid, or web while testing the cases. Some further considerations include the app’s network interfaces, session management, jailbreaking, user data amongst others.
The process of analysis and assessment is rather unique as it needs the pentester to analyse the application before and after installation. Some assessment techniques included are as below:
Static Analysis: Static analysis is executed with the source code of the application only. Other times, it might use the decompiled source code and accompanying files, depending upon the availability.
Archive Analysis: Android and iOS app installation packages are extracted and thoroughly examined, with an aim to review configuration files.
Reverse Engineering: The compiled applications are all converted into readable code. The pentester further analyses the decompiled code with an aim to understand and decipher the application functionalities and hunt for vulnerabilities.
Local File Analysis: As soon as the app is installed, it has its own directory within the filesystem. When the application is being used, it reads and writes from this directory. Such files are analysed during the testing phase.
Dynamic Analysis: This form of analysis is performed while the application is still running. It includes forensic analysis of the file systems while monitoring the traffic between the application and server.
Network and Web Traffic: A test proxy is used to control the security tester, and certain configurations are made within the server connections to reflect the proxy connections. The network traffic is intercepted and analysed, especially the transmission between the application and the server.
Interprocess Endpoint Analysis: Android apps consist of the following IPC endpoints, which need to be analysed:a) Intents: These refer to signals which are used to send and receive messages between different components within Android systems.
b) Activities: These include the screens/pages within an application.
c) Content providers: These contain all accesses to a specific database
d) Services: Services run in the background and continue to perform tasks, irrespective of the main application’s status.
e) Broadcast receivers: These are dependent on intents that are received from different applications within the Android systems.
The exploitation stage is probably the most important step during the penetration test. The pentester needs to find hidden cues which can successfully shed light on different vulnerabilities, which become a determining factor between a successful and unsuccessful test.
Here are some steps, which can make the Exploitation process a success:
· Open-source intelligence (OSINT): The first step refers to the process of reviewing publicly available information. A pentester needs to search for all possible information about the application, wherever possible. Important pieces of information can be found on search engines, social networks, the dark web, and developer boards.
· Architecture understanding: What makes a good threat model? Understanding the application architecture plays an important role in designing a foolproof threat model, which can predict any external threats to an application. The pentester would need to track the external stakeholders, users, and followers, to get an idea about the intended usage.
· Client and server-side situations: A tester is well equipped to recognize the nature and type of application, which can range between native, hybrid, or web. An application network access includes network interfaces, methods of communication with third party resources, user data, session management, and root detection.
· Report preparations: The final stage of mobile application penetration testing is reporting the findings via technical reports and even an executive-level paper. Whilst an executive-level paper contains a high-level summary of your findings, it is most appropriate for management review. The technical report, unlike its counterpart, covers a list of vulnerabilities fixed individually, along with specifications to recreate the vulnerabilities, their risks, and recommended remediation procedures.
· Presentation: The final documents need to be presented to the end client. Any suggested recommendations, updates, and questions need to be addressed during this phase. The documentation is revised accordingly, and the final version is presented to the client for review. Once this step is completed, the pentester can validate the remediations and approve them for final review.
The Mobile Application Penetration Testing Methodology is vendor-neutral since it helps drive transparency and facilitates repeatability. It’s a holistic approach, as it provides flexibility towards the security of mobile applications.