Basic Pentesting Tools for Mobile Applications

The world of pentesting, already wide when it focuses on web applications, servers, computer networks or infrastructure, becomes even more intricate (but no less interesting and exciting) when the target is a mobile application. Mobile applications are the medium on which, thanks to the rise of digitalization, people today depend to carry out a large part of their tasks, many of them related to entertainment services, financial applications and banking.

Because of this, it has become imperative for ethical hacking teams to professionalize and focus more and more on this type of penetration testing, and to have an effective arsenal that facilitates the detection and subsequent mitigation of vulnerabilities or security holes that put at risk the confidentiality, integrity and availability of the information of users and of the organizations that offer their services through mobile applications.

For this reason, this article covers the basic tools that a Pentester must know and become familiar with when working with mobile applications.

MobSF

Mobile Security Framework (MobSF) is an open-source, all-in-one application written in Python for analyzing mobile applications. It is a complete testing environment that enables static and dynamic testing of Android (APK), iOS (IPA) and Windows Mobile (APPX) executables. MobSF can also perform security tests on APIs (Application Programming Interfaces) with its API Fuzzer, which collects information, analyzes security headers and identifies specific API vulnerabilities such as XXE (XML External Entity), XSS (Cross-Site Scripting), path traversal, IDOR (Insecure Direct Object References), etc.

Its static analyzer is capable of performing code review and of detecting permissions, the level of encryption used, inadequate or insecure configurations, use of dangerous APIs and malicious code, and leaks of sensitive information. All this is carried out with the help of the following tools:

- APKiD: Gives you information about how an APK was created. Identifies many compilers, packers and obfuscators.

- Jadx: Allows you to decompile the application.

- Quark Engine: Searches for threats within APK and DEX files.

For dynamic analysis, MobSF runs the application in a virtual machine or on a previously configured device and detects application problems in real time, capturing traffic and interpreting logs and error reports.

This security analysis suite presents its results in dashboards within its interface, and these can be exported to a PDF file as a findings report. That is why MobSF is today an excellent starting point for the rapid analysis of mobile applications: it offers an overview of how an application is built and the permissions it requires to function, as well as a security score for the app.

Dashboard of a static analysis in MobSF interface.

Apktool and Android Studio

Apktool is a tool for reverse engineering binary, closed-source, third-party Android apps. It can decode resources to nearly their original form and rebuild them after modifications. It also makes working with an app easier by providing a directory structure of code and resources as if it were an Android Studio project. For this reason, Apktool is one of the most important tools in the arsenal of a Pentester of Android mobile applications: it allows code to be extracted for later analysis and the application's flows and business logic to be understood, which makes it easier to identify vulnerabilities in the programming and implementation of the application.

Apktool Command Line Interface with different usage options.

Thanks to this tool, an ethical hacker can reproduce certain fragments or flows of an application for which they do not have the source code. A dynamic analysis of those can then be performed through Android Studio (the IDE for Android application development), or the decoded code can be modified and the complete application recompiled so that a Pentester can debug it.
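Once Apktool has decoded an APK, the first file worth reading is AndroidManifest.xml, and the checks below are the manifest part of what MobSF's static analyzer reports (debug flag, backup flag, sensitive permissions, exported components). This is an added example, not code from MobSF or Apktool; the manifest it parses is constructed for the demo.

```python
# Static checks over a decoded AndroidManifest.xml; added example, not MobSF or Apktool code.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
SENSITIVE_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION"}

# Constructed sample manifest, deliberately misconfigured for the demo.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def is_exported(component):
    # Explicit android:exported wins; otherwise an intent-filter meant exported by default before Android 12.
    explicit = component.get(NS + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def is_launcher(component):
    return any(a.get(NS + "name") == "android.intent.action.MAIN"
               for a in component.iter("action"))

def audit_manifest(xml_text):
    """Return sorted finding strings: sensitive permissions, app flags, exported components."""
    root = ET.fromstring(xml_text)
    findings = []
    for p in root.iter("uses-permission"):
        if p.get(NS + "name") in SENSITIVE_PERMISSIONS:
            findings.append("sensitive permission requested: " + p.get(NS + "name"))
    app = root.find("application")
    if app is None:
        return sorted(findings)
    if app.get(NS + "debuggable") == "true":
        findings.append("application is debuggable")
    if app.get(NS + "allowBackup", "true") == "true":
        findings.append("allowBackup is enabled (the default)")
    for comp in app.iter():
        if comp.tag in COMPONENTS and is_exported(comp) and not is_launcher(comp):
            findings.append(f"exported {comp.tag}: {comp.get(NS + 'name')}")
    return sorted(findings)
```

Run `audit_manifest(open("decoded/AndroidManifest.xml").read())` against an Apktool output directory; the launcher activity is skipped because it must be exported.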

Burp Suite

Burp Suite, also called the Pentester's Swiss Army knife, is a fundamental tool in the computer security realm. Created by the company PortSwigger and written in Java, it allows security tests to be carried out, mainly on web applications.

Among its basic functions is the proxy server, which allows traffic to be inspected and modified by performing a Man-in-the-Middle between the browser and the target application. There is also a vulnerability scanner that automates the detection of various types of web application vulnerabilities, as well as a repeater that is used to modify and resend individual requests to the server.

Of the aforementioned features, the proxy server stands out: it can be used for the dynamic analysis of a mobile application when it communicates with a web server to consume services. In the case of an Android application, web requests can easily be captured on a device or emulator running Android 5.1 or lower, which only requires installing the PortSwigger certificate generated by Burp Suite. However, if the analysis is to be performed on an application that is only available for more recent versions of Android, it is necessary to bypass SSL pinning, either by adding modules such as Frida-gadget to the APK, or by rooting the device and installing the full version of Frida Server.

In the case of iOS, the device must be jailbroken, which makes it possible to install modules (called tweaks in iOS and Apple jargon) that disable SSL pinning, such as SSL Kill Switch, and then capture traffic with Burp Suite.

Intercepting traffic with Burp Suite.

Frida Server

Defined as a dynamic code instrumentation toolkit, Frida Server allows you to inject JavaScript snippets or your own library into native applications on Windows, macOS, GNU/Linux, iOS, Android and QNX. For this reason, Frida is the tool par excellence for the dynamic analysis of an application when code must be injected at runtime. This opens a huge door to developments ranging from bypassing SSL pinning (a mechanism that lets an app specify the identity of the endpoints participating in a connection and only allow secured connections to them) or the detection of jailbreak or root on a modified device, to overwriting memory regions and/or function parameters that modify the behavior of the application.

Frida Server usage with an Android emulator.

It is important to mention that Frida Server currently allows code injection through JavaScript and interacts directly with the mobile application or with specific modules of it written in C/C++, as is the case with native Android libraries, or in Objective-C in the case of native iOS libraries.

Its most common and easiest installation requires that the target phone be rooted (on Android) or jailbroken (on iOS). However, as its documentation describes, Frida (referred to in this case as Frida-gadget) can be incorporated into an Android app as a native library on a non-rooted device, which requires more steps, such as decompiling the app, adding the module and recompiling it with Apktool. For non-jailbroken iOS devices the process is similar, but in this case the Frida-gadget module must be embedded in an application compiled with Xcode on a Mac.
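The runtime instrumentation described above, driven from Frida's Python bindings: the injected JavaScript hooks `javax.crypto.Cipher.getInstance` and reports every transformation the app requests, and the Python side classifies them (deprecated algorithms, ECB mode), which is the runtime counterpart of MobSF's encryption checks. This is an added example, not Frida project code; it assumes the `frida` Python package, a Frida Server reachable over USB, and a placeholder package name.

```python
# Runtime inventory of the cipher transformations an Android app requests, driven through
# Frida's Python bindings. Added example; "com.example.demo" is a placeholder package name.
# Script injected into the app: hooks javax.crypto.Cipher.getInstance(String)
# and reports each transformation string back to the Python side via send().
HOOK_JS = r"""
Java.perform(function () {
  var Cipher = Java.use('javax.crypto.Cipher');
  Cipher.getInstance.overload('java.lang.String').implementation = function (t) {
    send({ event: 'cipher', transformation: t });
    return this.getInstance(t);
  };
});
"""

WEAK_ALGORITHMS = {"DES", "DESEDE", "RC4", "ARCFOUR", "RC2", "BLOWFISH"}
def classify_transformation(spec):
    """Return (severity, reason) for a transformation such as 'AES/ECB/PKCS5Padding'."""
    parts = [p.upper() for p in spec.split("/")]
    alg, mode = parts[0], (parts[1] if len(parts) > 1 else None)
    if alg in WEAK_ALGORITHMS:
        return "weak", f"{alg} is a deprecated algorithm"
    if mode == "ECB" and alg != "RSA":  # RSA/ECB/... is only a naming quirk, not block chaining
        return "weak", "ECB mode leaks plaintext patterns"
    if alg == "AES" and mode is None:
        return "warn", "no mode given; Android providers default to ECB"
    return "ok", "no issue in transformation string"

def handle_message(message, data, findings):
    if message.get("type") != "send":
        return  # errors and logs from the script are ignored here
    payload = message["payload"]
    if payload.get("event") == "cipher":
        spec = payload["transformation"]
        findings.append((spec,) + classify_transformation(spec))

def main(package="com.example.demo"):
    import frida  # imported here so the analysis helpers work without Frida installed
    findings = []
    device = frida.get_usb_device()
    pid = device.spawn([package])  # needs Frida Server on a rooted device or emulator
    session = device.attach(pid)
    script = session.create_script(HOOK_JS)
    script.on("message", lambda msg, data: handle_message(msg, data, findings))
    script.load()
    device.resume(pid)
    input("Exercise the app, then press Enter to print the inventory... ")
    for spec, severity, reason in findings:
        print(f"[{severity}] {spec}: {reason}")

if __name__ == "__main__":
    main()
```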

IDA Pro

IDA Pro is a reverse engineering and disassembly tool capable of creating execution maps and displaying, in a symbolic representation (assembly language), the binary instructions that the processor executes. Advanced techniques have been implemented in IDA Pro so that one can generate assembly language source code from machine-executable code and make this complex code more human-readable.

Due to these characteristics, IDA Pro is the perfect tool for reverse engineering the binaries generated, for example, as native libraries of an Android application, and it is even capable of disassembling a complete iOS application. Thus, a Pentester can get a general view of the application or its modules by exploring the assembly code generated by IDA, both in its graph view and in its text view.

IDA Pro interface in Graphic mode.

NetCapture

NetCapture is an application for Android devices used to capture HTTP and HTTPS packets through a VPN service. It is a very useful tool for Android developers during the debugging stage.

Among its main features, it stands out that the application can be installed on a device that does not have root. In addition, it allows packets to be decoded immediately using the Man-in-the-Middle technique. Due to its simplicity both in installation and use, NetCapture is ideal for a first approach to analyzing the traffic from an app to the services it communicates with over web protocols, and for determining whether these communication channels are secure and the information travels encrypted.

NetCapture interface with different captured packets.

Extra Section: Jailbreak and root

Throughout this text, two relevant concepts have been discussed when talking about mobile penetration tests: jailbreak and root. Therefore, in this final section, we will briefly discuss what these terms mean and why they are essential in the Pentest cycle.

The first of these refers to the process of removing some of the limitations imposed by Apple on devices that use the iOS operating system by using modified kernels. Jailbreaking allows the device owner to gain full root access to the operating system and access all features. It is called jailbreaking because it involves freeing users from the “prison” of limitations imposed by the iOS environment.

Despite the fact that this practice is not as popular as it was in the past, jailbreak undoubtedly turns out to be essential in the pentesting process, since it is the door that allows the installation of several of the tools that accompany the Pentester in the search for security holes in an application. Tools like Unc0ver, checkra1n and Chimera, among others, currently allow the jailbreak of Apple devices. Choosing which one to use will depend on the version of the device's operating system.

On the other hand, the term root is the Android equivalent of jailbreak. Thus, rooting an Android mobile is the operation carried out to obtain superuser permissions and, consequently, to be able to make the most profound changes within the operating system. For Android there are countless tools such as dr.fone - Root, RSRoot, iRoot, Root Genius, Kingo, SuperSU Pro, Superuser X[L], etc. Choosing which of these tools to use to carry out the rooting process will depend on the device model and the version of the operating system.


Isdragonalex   Twitter