SlideShare a Scribd company logo
Beginners Guide To
Mobile Application
Penetration Testing
Presenter:
Whitney Phillips
Who Am I?
12 Years in IT and Information
Security
• Help Desk
• System Administrator
• Security Operations
• Application Security Analyst
(Purple Team)
• Mobile Application
Penetration Tester
Why are we here ?
Mobile Devices
Rooted Android Device
Magisk
https://github.com/topjohnwu/Magisk
Genymotion
https://www.genymotion.com
Genymotion cont.
Screen Shot 2023-03-23 at 7.57.25 PM
Mobile Devices
Jailbroken iOS Device
Unc0ver
https://unc0ver.dev/
Screen Shot 2023-03-23 at 7.57.25 PM
iOS 11.0 –
14.8
checkra1n
https://checkra.in/
Screen Shot 2023-03-23 at 7.57.25 PM
iOS 12.0 and up
Corellium
https://www.corellium.com/
Screen Shot 2023-03-23 at 7.57.25 PM
Obtaining the Application
Screen Shot 2023-03-23 at 7.57.25 PM
Google Play Store
Apple App Store
APK Pure
https://apkpure.com
Screen Shot 2023-03-23 at 7.57.25 PM
apk-downloader
https://apps.evozi.com/apk-downloader/
apkmirror
https://www.apkmirror.com/
androidappsapk
https://androidappsapk.co/
iOS IPA
https://www.iphonecake.com
Screen Shot 2023-03-23 at 7.57.25 PM
iOS IPA
https://armconverter.com/decrypted
appstore/us
Screen Shot 2023-03-23 at 7.57.25 PM
Sideloading the Application
• Android – adb install
• iOS Filza, Sideloadly, Xcode
Tools
Mobexler
https://mobexler.com/
Screen Shot 2023-03-23 at 7.57.25 PM
MobSF
https://github.com/MobSF/Mobile-Security-Framework-MobSF
Screen Shot 2023-03-23 at 7.57.25 PM
MobSF
Screen Shot 2023-03-23 at 7.57.25 PM
MobSF
Screen Shot 2023-03-23 at 7.57.25 PM
Burp Suite - https://portswigger.net
Screen Shot 2023-03-23 at 7.57.25 PM
Root Bypass
Screen Shot 2023-03-23 at 7.57.25 PM
Magisk Hide
https://magiskmanager.com/
#What_is_Magisk_Hide
Jailbreak Bypass
Screen Shot 2023-03-23 at 7.57.25 PM
iHide
https://github.com/Kc57/iHde
Jailbreak Bypass
Screen Shot 2023-03-23 at 7.57.25 PM
Liberty Lite
https://www.ios-repo-updates.com/repository/ryley-s-
repo/package/com.ryleyangus.libertylite.beta/
iOS Certificate Pinning
Screen Shot 2023-03-23 at 7.57.25 PM
SSL-Kill-Switch2
https://github.com/nabla-
c0d3/ssl-kill-switch2
Android SDK Tool
https://developer.android.com/studio/releases/platfo
rm-tools.html
adb shell - Connect to device
adb push - PC to device
adb pull - Device to PC
adb install - sideload apks
adb (Android Debug Bridge)
The priority is one of the following character values
V: Verbose (lowest priority)
D: Debug
I: Info
W: Warning
E: Error
F: Fatal
S: Silent (highest priority, on which nothing is ever
printed)
Adb logcat
Frida
https://www.frida.re
Fridump
https://github.com/Nightbringer21/fridu
mp
Fridump is an open-source memory dumping
tool. It uses the Frida framework to dump
accessible memory addresses from any platform
supported.
Fridump - What are we looking for?
Credentials / Usernames / Passwords / Email addresses
Private keys/ IP addresses
URLs that the app normally can't talk to
Frida-ios-dump
https://github.com/AloneMonkey/frida-
ios-dump
Pull a decrypted IPA from a jailbroken device
•Supports both iOS and Android.
•Inspect and interact with container file systems.
•Bypass SSL pinning.
•Dump keychains.
•Perform memory related tasks
•Explore and manipulate objects on the heap
Objection
https://github.com/sensepost/objection
objection -g "Process Name" explore
Objection Commands
•android sslpinning disable
•android root disable
•android keystore list
•android hooking search classes
Objection Commands Android
•ios nsuserdefaults get
•ios hooking list classes
•ios hooking search classes <search_term>
•ios nsurlcredentialstorage dump
•ios keychain dump
•ios cookie get
Objection Commands iOS
Decompiling - Jadx
https://github.com/skylot/jadx
• Pull Decrypted IPA file
• Add .zip to file, unzip
• Right click the application
• Show Package Contents
Reverse Engineering iOS
BundlePath /private/var/containers/Bundle/Application/3CB79
49C-4561-41D9-94F2-5414BF162787/appname.app
CachesDirectory /var/mobile/Containers/Data/Application/9655F
CD2-1447-4DD6-9423-CFC4FAE82897/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/965
5FCD2-1447-4DD6-9423-CFC4FAE82897/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/9655F
CD2-1447-4DD6-9423-CFC4FAE82897/Library
Local Storage iOS
Original APK - /data/app/<pkg>*/base.apk
Application Storage -data/data/package name
• Databases/
• lib/: libraries and helpers for the app files
• shared_prefs/
• settings cache/
Local Storage Android
External storage can be accessed in:
• /storage/emulated/0
• /sdcard
• /mnt/sdcard
External Storage Android
DB Browser for SQLite
https://sqlitebrowser.org/
Applications can create sqlite databases
May store sensitive data on them and
often our unencrypted.
• find . -type f -exec file '{}' ; | grep
'SQLite 3.x database’
• find ./ -name "*.sqlite" -or -name
"*.db"
SQLite Databases
• plist files are structured XML files that
contains key-value pairs.
• Way to store persistent data
• You may find sensitive information in
these files..
Plist iOS
To find all the plist of used by the
application you can access to
/private/var/mobile/Containers/Data/Appl
ication/{APPID} and run:
Command - find ./ -name "*.plist"
Plist iOS
To find all the plist of used by the
application you can access to
/private/var/mobile/Containers/Data/Appl
ication/{APPID} and run:
Command - find ./ -name "*.plist"
Plist iOS
To convert the plist into a readable format
Command - $ plutil -convert xml1
Info.plist
Plist iOS
Training Materials
TrustedSec Blog
https://www.trustedsec.com/blog/
OWASP Mobile Security Testing Guide
https://mobile-security.gitbook.io/mobile-security-
testing-guide/appendix/0x08-testing-tools
Hacktricks
https://book.hacktricks.xyz/mobile-pentesting
CheckList
https://mobexler.com/checklist.htm
Questions?
Contact Info:
wphillips114@gmail.com
Twitter: _whit_ney_m
Thank You!

More Related Content

Similar to Mobile App Penetration Testing Bsides312

DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
deepikakumari643428
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Márcio Rosa
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
Jerod Brennen
 
ShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdf
Steven Carlson
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and Defense
Seth Law
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
Ravi Aggarwal
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Securing Android
Securing AndroidSecuring Android
Securing Android
Marakana Inc.
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 

Similar to Mobile App Penetration Testing Bsides312 (20)

DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptxiOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
ShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdf
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and Defense
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Android security
Android securityAndroid security
Android security
 

Mobile App Penetration Testing Bsides312