Awesome Mobile App Pentest

Mobile Application Penetration Testing - iOS and Andorid

Android

labs

• dvaa
• android digital bank
• dvfa
• exploitme mobile
• hacme bank android
• insecurebank
• ncn wargame
• owasp goatdroid
• dodo Vulnerable Bank
• urdu app
• appknox
• owasp crackme

Tools

• frida : hooking method , bypassing root detection , bypassing cert pinning, etc .
• Burpsuite : intercept request
• apktool : reversing
• Xposed Framework : hooking native method
• Drozer : reverse engineerring
• Tcpdump : capture the traffic
• adb , fastboot : install apk , logging , push or pull file from devices.
• sqlite browser : to browse sqlite database.
• zipgrep : Searching purpose.
• jdgui : code review
• dex2jar : reverse engineering purpose
• modSF : Dynamic Analysis

Techniques

• Root Detecting Bypass

  • https://resources.infosecinstitute.com/android-root-detection-bypass-reverse-engineering-apk/
  • https://resources.infosecinstitute.com/android-hacking-security-part-8-root-detection-evasion/#gref
  • http://repo.xposed.info/module/com.devadvance.rootcloak2
  • https://www.notsosecure.com/pentesting-android-apps-using-frida/
  • https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Walkthroughs/Bypass%20Android%20Root%20Detection.docx

• Cert Pinning Bypass

  • https://kyawthiha7.github.io/posts/android-cert-bypass/
  • https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
  • https://github.com/ac-pm/SSLUnpinning_Xposed
  • http://sh3llc0d3r.com/certificate-pinning/

• Hooking native API

  • https://koz.io/android-substrate-c-hooking/
  • https://kyawthiha7.github.io/posts/android-api-hook/
  • https://www.notsosecure.com/instrumenting-native-android-functions-using-frida/
  • https://resources.infosecinstitute.com/android-hacking-and-security-part-25-hooking-and-patching-android-apps-using-xposed-framework/
  • https://resources.infosecinstitute.com/android-hacking-and-security-part-22-hooking-and-patching-android-apps-using-cydia-substrate-extensions/
  • https://www.nccgroup.trust/sg/about-us/newsroom-and-events/blogs/2015/september/code-injection-on-android/
  • http://www.syssec-project.eu/m/page-media/158/syssec-summer-school-Android-Code-Injection.pdf

• Reverse Engineering

  • http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/
  • https://pentestlab.blog/2017/02/06/reverse-engineering-android-applications/
  • https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md
  • https://medium.com/@thomas_shone/reverse-engineering-apis-from-android-apps-part-1-ea3d07b2a6c
  • https://www.rsaconference.com/writable/presentations/file_upload/stu-w02b-beginners-guide-to-reverse-engineering-android-apps.pdf
  • https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#gref

Tutorials & courses & books

• https://www.tutorialspoint.com/android_penetration_testing/index.asp
• https://gbhackers.com/android-application-penetration-testing
• https://www.udemy.com/android-hacking-and-penetration-testing/
• https://resources.infosecinstitute.com/android-application-security-testing-guide-part-1/
• Android Applicaiton Hacker's Handbook
• Mobile Application Hackers' Handbook

CheckLists & Testing Guide

• https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx
• https://github.com/OWASP/owasp-mstg
• https://gbhackers.com/penetration-testing-android-application-checklist/

Public Exploits

• XXE : https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/

• TinyCards RCE (CVE-2017-16905) : https://wwws.nightwatchcybersecurity.com/2018/01/04/rce-in-duolingos-tinycards-app-for-android-cve-2017-16905/

• Finding XSS in an html based android application : https://labs.detectify.com/2015/02/20/finding-an-xss-in-an-html-based-android-application/

• Broken Down SSL in Android Apps : https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf

iOS

jailbreak chart

• Jailbreak Chart
• CanIJailbreak

Labs

• exploitme mobile
• Damn Vulnerable iOS Applicatio (DVIA)
• owasp igoat
• owasp crackme
• Myriam iOS sec App
• iOS online CTF

Tools

• Frida : hooking , bypassing , anlysis dynamic
• GDB : Dynamic analysis
• Cycript : Dynamic analysis
• Clutch : Static Analysis
• dumpdecrypted : dumping decrypted iPhone Applications to a file
• class-dump : dumping class info
• class-dump-z : dumping class info
• otool : disassembler
• strings : print all the strings in a given binary.
• nm : utility that displays the symbol table of a given binary.
• cydia impactor : for jailbreaking
• openssh (cydia)
• wget (cydia)
• Erica Utilities
• Snoop-it (cydia)
• unzip (cydia)
• adv-cmds (cydia)
• usbmuxd : SSH over USB
• syslogd
• socat
• burpsuite
• iphonessh
• idb

Techniques

• Jail Break Detection Bypass

  • https://www.notsosecure.com/bypassing-jailbreak-detection-ios/
  • https://www.theiphonewiki.com/wiki/Bypassing_Jailbreak_Detection
  • https://resources.infosecinstitute.com/ios-application-security-part-44-bypassing-jailbreak-detection-using-xcon/#gref
  • https://blog.attify.com/bypass-jailbreak-detection-frida-ios-applications/
  • https://www.c0d3xpl0it.com/2017/05/ios-jailbreak-bypass-using-needle.html
  • https://resources.infosecinstitute.com/ios-application-security-part-23-jailbreak-detection-evasion/
  • https://agostini.tech/2018/02/05/ios-application-security-part-three-bypassing-jailbreak-and-certificate-pinning-let-the-right-one-in/

• Cert Pinning Bypass

  • https://blog.netspi.com/four-ways-to-bypass-ios-ssl-verification-and-certificate-pinning/
  • https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/
  • https://github.com/vtky/Swizzler2/wiki/Case-Study:-SSL-Pinning
  • https://labs.nettitude.com/tutorials/using-frida-to-bypass-snapchats-certificate-pinning/

• Static and Dynamic Analysis

  • https://medium.com/@ansjdnakjdnajkd/dynamic-analysis-of-ios-apps-wo-jailbreak-1481ab3020d8
  • https://labs.mwrinfosecurity.com/assets/BlogFiles/Needle-Finding-Issues-within-iOS-Applications.pdf
  • https://medium.com/@drag0n/needle-analysis-of-ios-mobile-applications-cfd9e407c0d9

• Reverse Engineering

  • https://labs.mwrinfosecurity.com/blog/repacking-and-resigning-ios-applications/
  • https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md
  • https://resources.infosecinstitute.com/ios-application-security-part-2-getting-class-information-of-ios-apps/
  • https://resources.infosecinstitute.com/penetration-testing-for-iphone-applications-part-5

• Misc

  • https://www.igeeksblog.com/how-to-sideload-apps-on-iphone-ipad-in-ios-10/

Tutorials & courses & books

• iOS Hacker's Handbook
• iOS Application Security: The Definitive Guide for Hackers and Developers
• Mobile Application Hackers' Handbook
• Pentesting iOS Application by Pentester Academy

CheckLists & Testing Guide

• OWASP MSTG
• SANS White Paper

Public Exploits

• https://nvisium.com/blog/2014/07/30/swift-core-data-format-string-injection.html
• https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

Checklist

Categories	Issues
Network	Certificate pinning
	Weak Cipher
	API to negotiated with SSL
	Leak Info via Side Channel
	Improper Usage of HTTP Method
Server	Authentication
	Injection
	Session Management Issues
	Server banners
Device	Insecure Data Storage (log, database, keychain, NSUserDefaults, cache, etc)
	JavaScript Execution(Webview)
	Code Quality (codesign , debug symbol,free security features, etc ..)
	Anti-reversing Detection(jailbreak/root detection, File integrity , Device Bonding )