This document discusses the importance of mobile application security and penetration testing. It describes penetration testing as discovering vulnerabilities before attackers through vulnerability detection, comprehensive penetration attempts, and analysis/reporting. The document outlines static and dynamic analysis methods used for Android application security assessments. These include code review, function hooking, runtime debugging, and analyzing data at rest and in transit. It promotes understanding how applications work through reverse engineering, decompilation, and deobfuscation. The methodology uses tools like MARA, MobSF, Xposed, Frida, and BurpSuite.

1. DroidCon
Mobile security
Penetration testing Android Applications

2. Whoami
Role: Senior QA engineer ScanGroup
Interests: Appsec as whole( i love code)
Twitter: @Judy_infosec
Co-founder : @WistSecurity Kenya

3. Whoami
Role: Security Analyst
Interests: Mobile Security and Network Security Monitoring
Projects: https://github.com/xtiankisutsa/swaraVM
Twitter: @PurpleR0b0t
Affiliate : Africa Hackon

4. Importance of Mobile Application
Security
▪ To ensure mobile applications are developed with security in mind.
Can you imagine being a developer who not only knows how to develop
mobile applications but understands and knows how to secure mobile
applications?
▪ To be able to spot a malicious application
▪ To ensure you comply with mobile security standards e.g. OWASP
▪ To ensure the user’s data is secured and confidentiality is maintained

5. Importance of Mobile Application
Security
▪ To protect the application and the service from malicious attackers
▪ To be able to build well secured mobile applications.

6. Penetration testing...what is
pentesting?
What is penetration testing-
A penetration test is the act of discovering security weaknesses or
vulnerabilities in a system before they are discovered by an attacker .
A pentest is comprehensive in ways where you conduct every bit of a security
test known to man: what do i mean
1. Vulnerability detection
2. Penetration attempt (very comprehensive)
3. Analysis and reporting

7. Types of Analysis
● Static Analysis
Static analysis is performed in a non-runtime environment.
Typically a static analysis tool will inspect program code for all
possible runtime behaviors and seek out coding flaws, back doors,
and potentially malicious code.

8. Types of Analysis
● Dynamic Analysis
Dynamic analysis entails executing the application, typically in an
instrumented or monitored manner, to garner more concrete
information on its behavior.
This often entails tasks like ascertaining artifacts the application
leaves on the file system, observing network traffic, monitoring
process behavior...basically all things that occur during execution.

9. Android Application Security Assessment
Methodology
The methodology we use encompasses the Open Web Application
Security Project (OWASP) Mobile Testing guide (including the
OWASP Mobile Top 10 2016-Top 10).
Our approach leverages on proprietary open source and bespoke
tools using a consistent and repeatable process. Some of the tools
that are used for testing android applications are;
▪ MARA Framework
▪ MobSF
▪ Xposed Framework
▪ Frida
▪ Burpsuite
▪ Alternatively you can install Swara VM or santoku that has all tools

10. What Next?
➔ Reverse Engineering
Reverse Engineering is taking something apart to see how it works.
Why Reverse Engineer Mobile Applications?
• Taking something apart to understand how it works.
• To understand how it works
• To determine how secure it was built (security assessment)
• To determine interoperability
• You get paid to break into them (mobile app pentester)
• To identify vulnerabilities :)

11. Reverse Engineering
1. De-compilation
The Android APK bundle contains the application binary which is
compiled in the dex file format for the Dalvik virtual machine.
The purpose of de-compilation is to gain access to the pseudo
source code for manual review.
This can be achieved using the MARA Framework.

12. Reverse Engineering
2. De-obfuscation (Where appropriate)
Obfuscation is a technique in which initial code of application is
intentionally made to be unclear to humans.
Where the source code for the mobile application binary has been
obfuscated, we will attempt to de-obfuscate.
This can be done using MARA Framework which makes use of a
tool called apk-deguard that attempts to reverse the process of
obfuscation performed by Android obfuscation tools.

13. Reverse Engineering
▪ Rename Obfuscation
Renaming alters the name of methods and variables. It makes the
decompiled source harder for a human to understand.

14. Static Analysis
1. Code Review
Manual static code analysis is conducted on source code (if
available), or on partial/pseudo source where code has been
decompiled, to identify security issues.
Automated Static Analysis can be performed using tools such as
the Mobile Security Framework (MobSF), an all-in-one mobile
application (Android/iOS/Windows) pen-testing framework
capable of performing static, dynamic and malware analysis and
Appknox, a mobile app security testing solution to detect and fix
vulnerabilities in mobile apps using a combination of automated
and manual tests.

15. Dynamic Analysis
1. Function Hooking
When source code is not accessible or limited, function hooking
provides another method to analyse the mobile application for
security vulnerabilities. This is typically achieved using tools
such as the XposedFramework which record and can be used to
modify API calls made by an application, including function calls,
arguments and return values

16. Dynamic Analysis
2. Run-time debugging
Android applications that are flagged as debuggable not only pose
a security concern but can also be leveraged to better analyse the
mobile application.
Using debug tools such as Android Debug Bridge (adb) to attach
to the mobile application running process, you can be able to
analyse the mobile applications behaviour, and conduct in-
memory manipulation.

17. Data at Rest Analysis
A thorough review of the device file system is conducted to identify any
sensitive residual data that may be exposed following normal use of the
mobile app.
This includes analysing caches and persistent app stores for sensitive
data.
Examples of places to look are, Shared Preferences and the SQlite
Databases.

18. Data in Transit Analysis
During normal use of the mobile app, all communication methods are
analysed to identify sensitive data in transit that should be encrypted,
and to assess the strength of encryption, if in use.
This can be achieved using proxy tools such as Burp Suite that lets you
intercept, inspect and modify the raw traffic passing in both directions
(communication between the client and the server).

19. DEMO
Reverse engineering using MARA
Framework.
HAPPY HACKING!