1. A day in the life of a pentester
@clviper
ca@integrity.pt
Cláudio André
2. • whoami
• Who is a Pentester?
• Mobile App Architecture
• Android Mobile App Components
• OWASP Top 10 Mobile Risks
• Practical Examples
• Security Recommendations
/// Agenda
3. 10+ years working in Information Systems.
Pentester at
BSc in Management Information Technology at ULHT.
Offensive Security Certified Professional (OSCP)
Security Blog: http://security.claudio.pt
/// whoami
16. Zip Archive.
Contains Dalvik class files, assets, resources and AndroidManifest.xml.
Stored at /data/app.
Android Application Package File (.apk)
/// Android Mobile App Components - APK
17. Presents information about the app to the system.
Describes the app's components.
Defines permissions.
AndroidManifest.xml
/// Android Mobile App Components – AndroidManifest.xml
18. XML format file with key-value pairs.
App settings.
/// Android Mobile App Components – Shared Preferences
19. Single-file relational database used to store application data and settings.
/// Android Mobile App Components - SQLite
37. M2 - Insecure Data Storage
- Do not open Shared Preferences with MODE_WORLD_READABLE.
- Sensitive information should not be stored. If it must be, encrypt it with a key
derived from the user's password/PIN, not with hardcoded encryption keys.
This is still vulnerable to offline brute force, so enforce a strong password policy.
M3 - Insufficient Transport Layer Protection
- Apply TLS to every channel over which the app transmits sensitive information to the backend.
- Implement Certificate Pinning if very sensitive information is transmitted.
/// Security Recommendations
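The M2 recommendation above, as an added example that is not from the slides: preferences opened with MODE_PRIVATE, and a secret encrypted under an AES key derived from the user's PIN with PBKDF2, so no key hardcoded in the APK can decrypt the file. The class name, preference file name and iteration count are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Hypothetical helper: secrets in SharedPreferences, unlockable only with the user's PIN. */
public final class PinProtectedPrefs {
    private static final String PREFS = "secure_prefs";   // file name is an assumption
    private static final int PBKDF2_ITERATIONS = 100_000;  // slow on purpose; raises brute-force cost
    private static final int GCM_TAG_BITS = 128;
    private final SharedPreferences prefs;
    private final SecureRandom random = new SecureRandom();

    public PinProtectedPrefs(Context ctx) {
        // MODE_PRIVATE: readable only by this app's UID. MODE_WORLD_READABLE would expose the file.
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    private static SecretKey deriveKey(char[] pin, byte[] salt) throws Exception {
        // Key material comes from the PIN, so nothing shipped inside the APK unlocks the data.
        PBEKeySpec spec = new PBEKeySpec(pin, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    public void put(String name, String value, char[] pin) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        random.nextBytes(salt);
        random.nextBytes(iv);   // fresh IV per write: GCM must never reuse an IV under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(value.getBytes("UTF-8"));
        // Salt and IV are not secret; store them beside the ciphertext.
        prefs.edit().putString(name, enc(salt) + ":" + enc(iv) + ":" + enc(ct)).apply();
    }

    public String get(String name, char[] pin) throws Exception {
        String stored = prefs.getString(name, null);
        if (stored == null) return null;
        String[] p = stored.split(":");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, dec(p[0])), new GCMParameterSpec(GCM_TAG_BITS, dec(p[1])));
        return new String(c.doFinal(dec(p[2])), "UTF-8");   // AEADBadTagException on wrong PIN or tampering
    }

    private static String enc(byte[] b) { return Base64.encodeToString(b, Base64.NO_WRAP); }
    private static byte[] dec(String s) { return Base64.decode(s, Base64.NO_WRAP); }
}
```

Anyone who copies the preferences file can still brute-force the PIN offline, which is why the slide pairs this with a strong password policy.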
38. M7 - Client Side Injection
- Only export components (Activities, Services, Broadcast Receivers, Content
Providers) where it makes sense, and only those that cannot bypass access controls
and leak internal information.
- Always validate User Input.
M10 - Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Don't make your attacker's
life easier.
/// Security Recommendations