[PDF] [PDF] Mobile Application Penetration Testing

View - Download [PDF] Mobile Application Penetration Testing

Previous PDF

Next PDF

www.allitebooks.com

Mobile Application

Penetration Testing

Explore real-world threat scenarios, attacks on mobile applications, and ways to counter them

Vijay Kumar Velu

BIRMINGHAM - MUMBAIwww.allitebooks.com

Mobile Application Penetration Testing

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior wr itten permission of the publisher, except in the case of brief quotations embe dded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, no r Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about a ll of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this informat ion.

First published: March 2016

Production reference: 1070316

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78588-337-8

www.allitebooks.com

Credits

Author

Vijay Kumar Velu

Reviewers

Akash Mahajan

Swaroop Yermalkar

Commissioning Editor

Veena Pagare

Acquisition Editor

Aaron Lazar

Content Development Editor

Sachin Karnani

Technical Editor

Nirant Carvalho

Copy Editors

Stuti Srivastava

Madhusudan UchilProject Coordinator

Nikhil Nair

Proofreader

Indexer

Tejal Daruwale Soni

Graphics

Jason Monteiro

Production Coordinator

Melwyn Dsa

Cover Work

Melwyn Dsawww.allitebooks.com

About the Author

Vijay Kumar Velu is a passionate information security practitioner, speaker, and blogger, currently working as a cyber security technical manager at one of the Big4 consultancies based in India. He has more than 10 years of IT industry e xperience, is a licensed penetration tester, and has specialized in providing technica l solutions to a Forensics Investigator. He loves hands-on technological challenges. Vijay was invited to speak at the National Cyber Security Summit (NCSS) , Indian Cyber Conference (InCyCon), Open Cloud Conference, and Ethical Hacking Conference held in India, and he has also delivered multiple guest lectu res and training on the importance of information security at various business s chools in

India. He also recently reviewed

Learning Android Forensics, Packt Publishing.

For the information security community, Vijay serves as the director of the Bangalore chapter of the Cloud Security Alliance (CSA) and chair member of the N ational

Cyber Defence and Research Center (NCDRC).

I would like to dedicate this book to my mother and sister for believing in me and always encouraging me to do what I like with all my crazy ideas. Special thanks to my family, friends (Hackerz), core team (Rachel H Martis, Anil Dikshit, Karthik Belur Sridhar, Vikram Sridharan and Vishal Patel), and Lokesh Gowda for allowing me ample amount of time in shaping this book. A huge thanks to Darren Fuller, my mentor and friend, for providing his support and insights. Also to the excellent team at Packt Publishing for all the support that they provided throughout the journey of this book, specially Sachin and Nirant for their indubitable coordination.www.allitebooks.com

About the Reviewers

Akash Mahajan is an accomplished security professional with over a decade's experience in providing specialist application and infrastructure consul ting services at the highest levels to companies, governments, and organizations aroun d the world. He is the author of

Burp Suite Essentials, Packt Publishing.

Akash is an extremely active participant in the international security c ommunity and a frequent conference speaker. He gives talks as himself, as the hea d of the standards for web application security, and as a co-founder of NULL, Ind ia's largest open security community. I want to thank you, Nikhil, for making sure that reviewing this book was a pleasurable experience.www.allitebooks.com Swaroop Yermalkar works as a healthcare security researcher at Philips Health Systems, India, where he is responsible for thread modeling; security re search; and the assessment of IoT devices, healthcare products, web applications, ne tworks, and Android and iOS applications. He is the author of the popular iOS securi ty book Learning iOS Penetration Testing, Packt Publishing and also one of the top mobile security researchers worldwide, working with Synack, Inc. He also gives talks and training on wireless pentesting and mobile app p entesting at various security conferences, such as GroundZero, c0c0n, 0x90, DEFCONLuc know, and GNUnify. He has been acknowledged by Microsoft, Amazon, eBay, Etsy, Dropbox, Ever note, Simple banking, iFixit, and many more for reporting high-severity securi ty issues in their mobile apps. He is an active member of NULL, an open security community in India, and is a contributor to the regular meetups and Humla sessions at the Pune chapte r.

SWSE, CEH, and CHFI. He has written articles for

clubHACK magazine and also authored a book,

An Ethical Guide to Wi-Fi Hacking and Security

He has organized many eminent programs and was the event head of Hackath on - a national-level hacking competition. He has also worked with Pune Cyber C ell, Maharashtra Police, in programs such as Cyber Safe Pune. He can be conta cted at on Twitter.www.allitebooks.com www.PacktPub.com eBooks, discount offers, and more Did you know that Packt offers eBook versions of every book published, w ith PDF and as a print book customer, you are entitled to a discount on the eBo ok copy.

Get in touch with us at

for more details. At , you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and o ffers on Packt books and eBooks. book library. Here, you can search, access, and read Packt's entire libr ary of books.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browserwww.allitebooks.com www.allitebooks.com [ i ]

Table of Contents

Preface ix

Chapter 1: The Mobile

Application Security Landscape

1

The smartphone market share 2

The android operating system

3

The iPhone operating system (iOS)

3

Different types of mobile applications

3

Native apps

4

Mobile web apps

4

Hybrid apps

5

Public

Android and iOS vulnerabilities

7

Android vulnerabilities

9 iOS vulnerabilities 10

The key challenges in mobile application security

1 1

The impact of mobile application security

12 The need for mobile application penetration testing 13

Current market reaction 13

The mobile application penetration testing methodology 14

Discovery

14

Analysis/assessment

15

Exploitation

16

Reporting

16

The OWASP mobile security project

16 OW

ASP mobile top 10 risks

17 V ulnerable applications to practice 20

Summary

20www.allitebooks.com

Table of Contents

[ ii ]

Chapter 2: Snooping Around the Architecture 21

The importance of architecture 22

The

Android architecture

23

The Linux kernel

24

Confusion between Linux and the Linux kernel 24

Android runtime 25

The java virtual machine

26

The Dalvik virtual machine

26

Zygote 27

Core Java libraries 27

A RT 2 8

Native libraries

28

The application framework

29

The applications layer

31

Native Android or system apps 31

User-installed or custom apps

31
The

Android software development kit

31

Android application packages (APK)

32

Android application components 36

Intent 36

Activity

36

Services

38

Broadcast receivers

40

Content providers

41

Android Debug Bridge 41

Application sandboxing

42

Application signing

43

Secure inter-process communication

43

The Binder process 44

The Android permission model 45

The

Android application build process

46

Android rooting

50
iOS architecture 51

Cocoa T

ouch 53
Media 53

Core services

54

Core OS

55
iOS SDK and Xcode 55
iOS application programming languages 56

Objective-C

56

The Objective-C runtime 57

Swift 57

Table of Contents

[ iii ]

Understanding application states 57

Apple's iOS security model

58

Device-level security

59

System-level security

59

An introduction to the secure boot chain 59

System software authorization

60

Secure Enclave

60

Data-level security 60

Data-protection classes 61

Keychain data protection

62

Changes in iOS 8 and 9 62

Network-level security

63

Application-level security

63

Application code signing 63

The iOS app sandbox 64

iOS isolation 64

Process isolation

65

Filesystem isolation

65
ASLR 66

Stack protection (non-executable stack and heap)

66

Hardware-level security

66
iOS permissions 66

The iOS application structure

68

Jailbreaking

69

Why jailbreak a device?

70
T ypes of jailbreaks 70

Untethered jailbreaks 70

T ethered jailbreaks 70

Semi-tethered jailbreaks

70

Jailbreaking tools at a glance 71

Inspecting a Mach-O binary

73

Property lists

74

Summary

75

Chapter 3: Building a Test Environment 77

Mobile app penetration testing environment setup 77

Android Studio and SDK

78

The Android

SDK 81
The

Android Debug Bridge

81

Connecting to the device

82

Getting access to the device

83

Table of Contents

[ iv ]

Installing an application to the device 84

Stopping the service

85
V iewing the log information 85

Sideloading apps

86
quotesdbs_dbs14.pdfusesText_20

[PDF] mobile application penetration testing pdf

[PDF] mobile application performance testing tools

[PDF] mobile application reference architecture

[PDF] mobile application security pdf

[PDF] mobile application security ppt

[PDF] mobile application security testing approach

[PDF] mobile application security testing checklist

[PDF] mobile application security testing pdf

[PDF] mobile application security testing ppt

[PDF] mobile application testing checklist xls

[PDF] mobile apps for language learning pdf

[PDF] mobile computing applications

[PDF] mobile computing architecture

[PDF] mobile computing framework

[PDF] mobile computing functions pdf