Mobile App Penetration Testing

1. Beginners Guide To
Mobile Application
Penetration Testing
Presenter:
Whitney Phillips

2. Who Am I?
12 Years in IT and Information
Security
• Help Desk
• System Administrator
• Security Operations
• Application Security Analyst
(Purple Team)
• Mobile Application
Penetration Tester

4. Why are we here ?

5. Mobile Devices
Rooted Android Device

6. Magisk
https://github.com/topjohnwu/Magisk

7. Genymotion
https://www.genymotion.com

8. Genymotion cont.
Screen Shot 2023-03-23 at 7.57.25 PM

9. Mobile Devices
Jailbroken iOS Device

10. Unc0ver
https://unc0ver.dev/
Screen Shot 2023-03-23 at 7.57.25 PM
iOS 11.0 –
14.8

11. checkra1n
https://checkra.in/
Screen Shot 2023-03-23 at 7.57.25 PM
iOS 12.0 and up

12. Corellium
https://www.corellium.com/
Screen Shot 2023-03-23 at 7.57.25 PM

13. Obtaining the Application
Screen Shot 2023-03-23 at 7.57.25 PM
Google Play Store
Apple App Store

14. APK Pure
https://apkpure.com
Screen Shot 2023-03-23 at 7.57.25 PM

15. apk-downloader
https://apps.evozi.com/apk-downloader/
apkmirror
https://www.apkmirror.com/
androidappsapk
https://androidappsapk.co/

16. iOS IPA
https://www.iphonecake.com
Screen Shot 2023-03-23 at 7.57.25 PM

17. iOS IPA
https://armconverter.com/decrypted
appstore/us
Screen Shot 2023-03-23 at 7.57.25 PM

18. Sideloading the Application
• Android – adb install
• iOS Filza, Sideloadly, Xcode

19. Tools

20. Mobexler
https://mobexler.com/
Screen Shot 2023-03-23 at 7.57.25 PM

21. MobSF
https://github.com/MobSF/Mobile-Security-Framework-MobSF
Screen Shot 2023-03-23 at 7.57.25 PM

22. MobSF
Screen Shot 2023-03-23 at 7.57.25 PM

23. MobSF
Screen Shot 2023-03-23 at 7.57.25 PM

24. Burp Suite - https://portswigger.net
Screen Shot 2023-03-23 at 7.57.25 PM

25. Root Bypass
Screen Shot 2023-03-23 at 7.57.25 PM
Magisk Hide
https://magiskmanager.com/
#What_is_Magisk_Hide

26. Jailbreak Bypass
Screen Shot 2023-03-23 at 7.57.25 PM
iHide
https://github.com/Kc57/iHde

27. Jailbreak Bypass
Screen Shot 2023-03-23 at 7.57.25 PM
Liberty Lite
https://www.ios-repo-updates.com/repository/ryley-s-
repo/package/com.ryleyangus.libertylite.beta/

28. iOS Certificate Pinning
Screen Shot 2023-03-23 at 7.57.25 PM
SSL-Kill-Switch2
https://github.com/nabla-
c0d3/ssl-kill-switch2

29. Android SDK Tool
https://developer.android.com/studio/releases/platfo
rm-tools.html

30. adb shell - Connect to device
adb push - PC to device
adb pull - Device to PC
adb install - sideload apks
adb (Android Debug Bridge)

31. The priority is one of the following character values
V: Verbose (lowest priority)
D: Debug
I: Info
W: Warning
E: Error
F: Fatal
S: Silent (highest priority, on which nothing is ever
printed)
Adb logcat

32. Frida
https://www.frida.re

33. Fridump
https://github.com/Nightbringer21/fridu
mp
Fridump is an open-source memory dumping
tool. It uses the Frida framework to dump
accessible memory addresses from any platform
supported.

34. Fridump - What are we looking for?
Credentials / Usernames / Passwords / Email addresses
Private keys/ IP addresses
URLs that the app normally can't talk to

35. Frida-ios-dump
https://github.com/AloneMonkey/frida-
ios-dump
Pull a decrypted IPA from a jailbroken device

36. •Supports both iOS and Android.
•Inspect and interact with container file systems.
•Bypass SSL pinning.
•Dump keychains.
•Perform memory related tasks
•Explore and manipulate objects on the heap
Objection
https://github.com/sensepost/objection

37. objection -g "Process Name" explore
Objection Commands

38. •android sslpinning disable
•android root disable
•android keystore list
•android hooking search classes
Objection Commands Android

39. •ios nsuserdefaults get
•ios hooking list classes
•ios hooking search classes <search_term>
•ios nsurlcredentialstorage dump
•ios keychain dump
•ios cookie get
Objection Commands iOS

40. Decompiling - Jadx
https://github.com/skylot/jadx

41. • Pull Decrypted IPA file
• Add .zip to file, unzip
• Right click the application
• Show Package Contents
Reverse Engineering iOS

42. BundlePath /private/var/containers/Bundle/Application/3CB79
49C-4561-41D9-94F2-5414BF162787/appname.app
CachesDirectory /var/mobile/Containers/Data/Application/9655F
CD2-1447-4DD6-9423-CFC4FAE82897/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/965
5FCD2-1447-4DD6-9423-CFC4FAE82897/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/9655F
CD2-1447-4DD6-9423-CFC4FAE82897/Library
Local Storage iOS

43. Original APK - /data/app/<pkg>*/base.apk
Application Storage -data/data/package name
• Databases/
• lib/: libraries and helpers for the app files
• shared_prefs/
• settings cache/
Local Storage Android

44. External storage can be accessed in:
• /storage/emulated/0
• /sdcard
• /mnt/sdcard
External Storage Android

45. DB Browser for SQLite
https://sqlitebrowser.org/

46. Applications can create sqlite databases
May store sensitive data on them and
often our unencrypted.
• find . -type f -exec file '{}' ; | grep
'SQLite 3.x database’
• find ./ -name "*.sqlite" -or -name
"*.db"
SQLite Databases

47. • plist files are structured XML files that
contains key-value pairs.
• Way to store persistent data
• You may find sensitive information in
these files..
Plist iOS

48. To find all the plist of used by the
application you can access to
/private/var/mobile/Containers/Data/Appl
ication/{APPID} and run:
Command - find ./ -name "*.plist"
Plist iOS

49. To find all the plist of used by the
application you can access to
/private/var/mobile/Containers/Data/Appl
ication/{APPID} and run:
Command - find ./ -name "*.plist"
Plist iOS

50. To convert the plist into a readable format
Command - $ plutil -convert xml1
Info.plist
Plist iOS

51. Training Materials

52. TrustedSec Blog
https://www.trustedsec.com/blog/
OWASP Mobile Security Testing Guide
https://mobile-security.gitbook.io/mobile-security-
testing-guide/appendix/0x08-testing-tools

53. Hacktricks
https://book.hacktricks.xyz/mobile-pentesting
CheckList
https://mobexler.com/checklist.htm

54. Questions?

55. Contact Info:
wphillips114@gmail.com
Twitter: _whit_ney_m

56. Thank You!