Read part I of this article here.
What is mobile application security testing?
Mobile application security testing is a subset of VAPT (Vulnerability Assessment and Penetration Testing) that focuses on mobile applications (iOS and Android). Its goal is to confirm that the application contains no vulnerabilities that a malicious user could exploit.
The exercise simulates the actions of a malicious user: you look for loopholes in the application, in its business logic and in its communication with the server, and then try to exploit those loopholes to reach sensitive information such as user data stored on the device or in the application's database, the server/database connections, and the application's source code.
Before you begin your journey into the exciting world of application testing, you will have to set up an environment with the necessary tools installed. Most penetration testers favour Linux, preferably the Kali Linux variant, as it is the swiss army knife of pentesting-specific operating systems.
Let’s Login!
So what are the tools one would need to begin mobile application testing?
- A laptop/desktop: This is the first requirement, as you would need a workstation to conduct these tests. System requirements may vary based on the kind of tests you want to perform; however, one can consider the following specifications when choosing a penetration testing workstation: Processor – Intel Core i7; Hard disk storage – 500 GB and RAM – 8 GB.
- A hypervisor: You would need to install a hypervisor on your workstation to create and run a virtual machine (allowing you to install your Linux OS flavour of choice). Hypervisors let you create and configure as many virtual machines as you need, so you can have a virtual machine configured for each specific type of VAPT. My hypervisor of choice is Oracle VirtualBox. Download VirtualBox here.
- Kali Linux: As stated earlier, this is the swiss army knife of pentesting-specific operating systems, as it comes pre-installed with the essential penetration testing tools. Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security and can be used to practice your penetration testing skills in a safe space. Download Kali Linux here.
- Burp Suite: This is a very popular cybersecurity tool that was specifically created for application (web and mobile) testing. It was developed by the good folks over at PortSwigger and is a licensed application at around 399 USD per user. However, there is a community version of the application which is available for free. You lose out on a bunch of features, but it comes with all the essential tools required for manual testing. Download the community version of Burp Suite here. Depending on the option you selected during your Kali Linux installation, you can get the community version pre-installed.
- Mobile Security Framework (MobSF): The swiss army knife for mobile application testing. MobSF is an automated mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. You upload your .apk/.ipa file, sit back and let MobSF do its thing. It provides a very detailed description of the application's possible attack surfaces, any insecure configuration that is enabled, and much more. Click here for the CyberKach article on MobSF installation.
- An Emulator: This might not be essential for everyone, but if you don’t have a spare phone to perform these tests, you might need to get an emulator. One of the more popular emulators is Genymotion, which has a very simple interface and provides Android emulators of older operating systems, which is very essential when you’re testing applications. Download Genymotion here.
- Drozer: Most penetration testers use this tool to identify and exploit vulnerabilities found in a mobile application. It was developed by MWR Labs and is one of the most widely used Android security frameworks for performing penetration tests on Android applications. The Drozer tool is made up of two components:
- the Agent – a lightweight Android application that runs on the emulator or device used for testing.
- the Console – a command-line interface (CLI) running on your workstation.
Download Drozer here.
- ADB: This is a very essential utility for testing applications, as it gives developers and penetration testers a command-line interface (CLI) for communicating with an Android device over a USB cable connection. ADB can be used to copy files, run commands and install .apk files directly on the device. More importantly, the Drozer framework relies on an ADB connection to the emulator or device used for testing. Download the ADB ZIP file here.
- Dex2Jar: This is a lightweight tool used for reverse engineering Android applications. Android applications are compiled into “.dex” (Dalvik Executable) files, which are in turn zipped into a single “.apk” file that is installed on the device. The main feature of this tool is converting the “classes.dex” file of an APK into “classes.jar”. Download Dex2Jar here.
- JD-GUI: This is a GUI tool used to display the Java source code of “.class” files. Most penetration testers combine this tool with Dex2Jar to view the decompiled “classes.jar” file of the APK. It presents the application's source code in an easy-to-read format. Download JD-GUI here.
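The Dex2Jar and JD-GUI entries above describe an APK as a zip archive carrying one or more "classes.dex" files. Before feeding an APK to those tools it is useful to confirm what dex payload it actually contains, since multidex builds ship "classes2.dex", "classes3.dex" and so on, and each one must be converted. The script below is an added example, not code from the original article or from the Dex2Jar/JD-GUI projects: it builds a constructed, APK-shaped zip in memory (the dex members are fabricated headers, not real compiled code), checks each ".dex" member for the "dex\n0NN\0" magic that a real Dalvik executable starts with, and lists the top-level classes*.dex files in multidex order. The function and file names are the example's own.

```python
"""Inspect the .dex payload of an APK before handing it to dex2jar / JD-GUI."""
import io
import zipfile

# A real dex file begins with "dex\n", a three-digit format version and a NUL byte.
DEX_MAGIC_PREFIX = b"dex\n"


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-shaped zip for offline demonstration.
    The dex members are fabricated headers only, not real compiled code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary-xml-placeholder/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)   # primary dex
        z.writestr("classes2.dex", b"dex\n038\0" + b"\0" * 104)  # multidex secondary
        z.writestr("assets/notes.dex", b"not a dex file")          # wrong magic
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")               # signature block
    return buf.getvalue()


def dex_version(header: bytes):
    """Return the dex format version (e.g. '035') or None if the magic is wrong."""
    if len(header) < 8 or header[:4] != DEX_MAGIC_PREFIX or header[7:8] != b"\0":
        return None
    version = header[4:7]
    return version.decode("ascii") if version.isdigit() else None


def list_dex_entries(apk_bytes: bytes):
    """Map every *.dex member of the APK to its dex version, or None if invalid."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.filename.endswith(".dex"):
                with z.open(info) as f:
                    result[info.filename] = dex_version(f.read(8))
    return result


def main_classes(apk_bytes: bytes):
    """Top-level classes*.dex files with a valid header, in multidex order.
    These are the members you would convert with dex2jar and open in JD-GUI."""
    entries = list_dex_entries(apk_bytes)
    names = [n for n, v in entries.items()
             if v is not None and "/" not in n and n.startswith("classes")]
    # "classes.dex" has no number and sorts first; "classesN.dex" sorts by N.
    return sorted(names, key=lambda n: int(n[7:-4] or "1"))


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, version in list_dex_entries(apk).items():
        status = f"dex version {version}" if version else "NOT a dex file"
        print(f"{name}: {status}")
    print("convert with dex2jar:", main_classes(apk))
```

Run against a real APK by replacing build_sample_apk() with the bytes of the file; the "assets/notes.dex" member shows why the check is worth doing, since a ".dex" extension alone does not prove the member is Dalvik bytecode.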
This is not an exhaustive list of penetration testing tools, but it is enough to get you started on your mobile applications security testing journey.
IMPORTANT DISCLAIMER
It is illegal to perform penetration tests on applications without obtaining essential and documented approval from the application owners.
However, here are two applications on which one is legally allowed to practice:
- DIVA – Damn Insecure and Vulnerable Application for android. Download here.
- DVIA – Damn Vulnerable iOS App. Download here.
Happy Testing!