Sunday, March 7, 2021

[#2][MobilePentesting] Principle Of Mobile Security Testing


    After learning the basics of the Android platform, the next step is the mobile pentesting methodology, which lays out what a tester actually does during an engagement and in what order.


1. Discovery/Preparation

    This phase requires the pentester to gather the information that decides whether later exploitation of the mobile application succeeds.

Understanding the Platform—The penetration tester must understand the mobile application platform, even from an external point of view, in order to build a threat model for the application. The platform's internal structures and processes are also taken into account.

Open Source Intelligence (OSINT)—The pentester searches the Internet for information about the application: search engines and social networking sites, source code leaked through public code repositories, developer forums, or even the dark web.

Client-Side vs Server-Side Scenarios—The penetration tester needs to identify the type of application (native, hybrid, or web) and derive the test cases from it. The application's network interfaces, user data, communication with other resources, session management, and behaviour on jailbroken/rooted devices are all taken into account here.

2. Assessment/Analysis

Mobile applications call for their own style of assessment: the tester examines the application both before installation (the package itself) and after installation (what it leaves on the device).


- Local File Analysis—The pentester reviews the files the application writes to the local file system to confirm that nothing sensitive is stored there insecurely.

- Archive Analysis—The penetration tester extracts the application installation packages (APK for Android, IPA for iOS) and reviews their contents, checking the configuration shipped alongside the compiled binary for unexpected modifications.

- Reverse Engineering—This means converting the compiled application back into human-readable code. The penetration tester reviews that code to understand the application's internal functionality and to search for vulnerabilities. Decompiled Android application code can also be modified and the application recompiled.
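As an added example of the archive analysis step above (this is not code from the original post): an Android APK is an ordinary ZIP file, so a first triage can be done with nothing but the standard library. The package below is constructed in memory with placeholder contents and the entry names a real APK carries; the secret-looking string in assets/config.json, the package layout and the `triage_apk` function are all assumptions made for the example.

```python
import io
import re
import zipfile

# Constructed stand-in for an APK: the entry names match a real package,
# the contents are placeholders (not real DEX, ELF or signature data).
SAMPLE_APK = io.BytesIO()
with zipfile.ZipFile(SAMPLE_APK, "w") as z:
    z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML, needs apktool to decode
    z.writestr("classes.dex", b"dex\n035\x00")
    z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
    z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
    z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
    z.writestr("META-INF/CERT.RSA", b"0\x82")
    z.writestr("assets/config.json",
               '{"api_base": "https://api.example.test", '
               '"api_key": "AKIAEXAMPLEKEY1234567"}')   # constructed, not a real key
    z.writestr("res/raw/debug.properties", "debug=true\n")
SAMPLE_APK_BYTES = SAMPLE_APK.getvalue()

# Key/value pairs that look like credentials in shipped configuration.
SECRET_PATTERN = re.compile(
    rb'(?i)(api[_-]?key|secret|password|token)["\'=: ]+([A-Za-z0-9_\-]{8,})')


def triage_apk(apk_bytes):
    """Inventory the package and flag the things a reviewer looks at first."""
    z = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = z.namelist()
    report = {
        # More than one .dex means multidex; each one needs decompiling.
        "dex_files": sorted(n for n in names if n.endswith(".dex")),
        # Native libraries are a separate (C/C++) review target per ABI.
        "native_abis": sorted({n.split("/")[1] for n in names
                               if n.startswith("lib/") and n.count("/") >= 2}),
        # v1 (JAR) signature blocks; absence means only v2/v3 signing or none.
        "v1_signature_files": sorted(n for n in names
                                     if n.startswith("META-INF/")
                                     and n.endswith((".RSA", ".DSA", ".EC"))),
        "secrets": [],
    }
    # Plain-text resources are where hard-coded keys usually live.
    for n in names:
        if n.startswith(("assets/", "res/raw/")):
            for m in SECRET_PATTERN.finditer(z.read(n)):
                report["secrets"].append((n, m.group(1).decode(), m.group(2).decode()))
    return report


if __name__ == "__main__":
    for key, value in triage_apk(SAMPLE_APK_BYTES).items():
        print(f"{key}: {value}")
```

On a real package the same inventory comes from `unzip -l app.apk`; the signing certificate itself is checked with `apksigner verify --print-certs app.apk`, which is the step that tells you whether the binary has been re-signed by someone other than the vendor.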

- Malware Analysis

Malware analysis is a core part of mobile device security. Mobile malware analysis techniques include static analysis, dynamic analysis, network analysis, and examining user intent and the geographical location of the servers contacted in order to find outliers.

+ Static Analysis

During static analysis the penetration tester does not execute the application. The analysis is done on the provided files or on decompiled source code. Required skill: code review.

+ Network-level analysis

Network-level analysis means understanding the network protocols the malware uses to send data to remote servers. Most malware uses HTTP, HTTPS and FTP, but there have been malware families that use SMTP to exfiltrate a user's private data. Network-level malware analysis reveals the traffic characteristics of the malware and provides the understanding needed to set up a network intrusion detection system (IDS) effectively later on.

+ Dynamic analysis 

The pentester reviews the mobile application as it runs on a device or emulator. This includes a forensic examination of the file system, an assessment of the network communication between the application and the server, and an evaluation of the application's inter-process communication (IPC).
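As an added example of the network-level analysis described above (not code from the original post), the script below runs two of the checks that paragraph implies over constructed flow records: outbound connections to mail or FTP ports, which a mobile app has little legitimate reason to make, and destinations contacted at a near-constant interval, the check-in pattern of command-and-control traffic. The flow lines, the addresses and the detection thresholds are all made up for the example; in practice the records come from a capture taken with the device routed through a proxy or a mirrored Wi-Fi port.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (not a real capture): timestamp, source,
# destination, protocol, bytes. The app under test runs on 10.0.2.16.
FLOWS = """\
2021-03-07T10:00:00 10.0.2.16:41822 -> 203.0.113.10:443 tcp 1240
2021-03-07T10:00:01 10.0.2.16:41823 -> 203.0.113.10:443 tcp 980
2021-03-07T10:00:05 10.0.2.16:41830 -> 198.51.100.7:587 tcp 5120
2021-03-07T10:00:09 10.0.2.16:41831 -> 192.0.2.44:80 tcp 300
2021-03-07T10:01:09 10.0.2.16:41840 -> 192.0.2.44:80 tcp 300
2021-03-07T10:02:09 10.0.2.16:41851 -> 192.0.2.44:80 tcp 300
2021-03-07T10:03:09 10.0.2.16:41862 -> 192.0.2.44:80 tcp 300
"""

# Ports a phone app should not normally be talking to directly.
SUSPECT_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "smtp-submission"}


def parse_flows(text):
    """Turn the one-line-per-flow text into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, _, dst, proto, nbytes = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def find_exfil_channels(flows):
    """Mail/FTP destinations: candidate side channels for stolen data."""
    return sorted({(f["dst_ip"], f["dst_port"], SUSPECT_PORTS[f["dst_port"]])
                   for f in flows if f["dst_port"] in SUSPECT_PORTS})


def find_cleartext_http(flows):
    """Port-80 traffic: content is readable and modifiable on the path."""
    return sorted({f["dst_ip"] for f in flows if f["dst_port"] == 80})


def find_beacons(flows, min_count=4, max_jitter=0.1):
    """Destinations hit at near-constant intervals (C2 check-in pattern).

    max_jitter is the allowed ratio of gap standard deviation to mean gap;
    the threshold is an assumption for the example, not a standard value.
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f["dst_ip"], f["dst_port"])].append(f["ts"])
    beacons = []
    for (ip, port), times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((ip, port, avg))
    return beacons


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("exfil channels:", find_exfil_channels(flows))
    print("cleartext http:", find_cleartext_http(flows))
    print("beacons:", find_beacons(flows))
```

Each hit maps directly to the IDS rule the paragraph talks about: the SMTP finding becomes an alert on outbound traffic from the mobile subnet to port 587, and the beacon finding becomes a threshold rule on repeated connections to that host.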

- Inter-Process Communication Endpoint Analysis

IPC stands for inter-process communication, the mechanisms an operating system provides to let processes exchange and manage shared data. Applications using IPC are typically categorized as clients and servers, where the client requests data and the server responds; many applications are both at once, as is common in distributed computing.

+ Content Providers—These provide structured access to an application's data, typically a database.

A content provider presents data to external applications as one or more tables. In other words, content providers are interfaces that connect data in one process with code running in another process.

+ Intents—These are messaging objects used to send requests between components of the Android system.

+ Broadcast Receivers—These receive and act on intents broadcast by the system or by other applications.

A broadcast receiver is a component that responds to system-wide broadcast announcements such as battery low, boot completed, or headset plugged in. Most broadcasts originate from the system, but applications can also send their own.

+ Activities—These make up the screens or pages within the application.

An Activity provides a screen the user can interact with in order to do something, such as making a call or sending an SMS.

+ Services—These run in the background and perform tasks regardless of whether the application's user interface is in the foreground.

A Service can perform long-running operations in the background and does not provide a user interface.
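As an added example of IPC endpoint analysis (not code from the original post), the script below enumerates which of the four component types are reachable from other apps by reading a decoded AndroidManifest.xml, the kind apktool produces from a package. The rules it applies are Android's own: a component with an explicit android:exported value uses that value; an activity, service or receiver without one is exported only if it declares an intent-filter; a provider without one defaults to exported for targetSdkVersion 16 and below and to not exported from 17 on. The manifest, the package name com.example.target and every component name in it are constructed for the example, and the adb one-liners are only the starting point for poking each endpoint by hand.

```python
import xml.etree.ElementTree as ET

# Constructed manifest in the form apktool emits; every name here is made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.target.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".UserProvider" android:authorities="com.example.target.users"
              android:exported="true"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.target.cache"/>
  </application>
</manifest>
"""

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree expands the prefix)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def enumerate_attack_surface(manifest_xml):
    """Return package-level flags and the components another app can reach."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    exported = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = attr(comp, "name")
        if name.startswith("."):            # shorthand relative to the package
            name = pkg + name
        explicit = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if explicit is not None:
            is_exported, reason = explicit == "true", "android:exported set explicitly"
        elif comp.tag == "provider":
            is_exported, reason = target_sdk < 17, f"provider default for targetSdkVersion {target_sdk}"
        elif has_filter:
            is_exported, reason = True, "intent-filter present, defaults to exported"
        else:
            is_exported, reason = False, "no intent-filter, defaults to not exported"
        if is_exported:
            exported.append({"type": comp.tag, "name": name, "reason": reason,
                             "permission": attr(comp, "permission"),
                             "authority": attr(comp, "authorities")})
    flags = {"debuggable": attr(app, "debuggable") == "true",
             "allowBackup": attr(app, "allowBackup") != "false"}
    return {"package": pkg, "flags": flags, "exported": exported}


def probe_command(pkg, comp):
    """adb command a tester starts from to exercise the endpoint directly."""
    target = f"{pkg}/{comp['name']}"
    if comp["type"] == "activity":
        return f"adb shell am start -n {target}"
    if comp["type"] == "service":
        return f"adb shell am startservice -n {target}"
    if comp["type"] == "receiver":
        return f"adb shell am broadcast -n {target}"
    return f"adb shell content query --uri content://{comp['authority']}"


if __name__ == "__main__":
    result = enumerate_attack_surface(SAMPLE_MANIFEST)
    print(result["package"], result["flags"])
    for comp in result["exported"]:
        guard = f" (requires {comp['permission']})" if comp["permission"] else ""
        print(f"{comp['type']:9} {comp['name']}{guard}: {comp['reason']}")
        print("   ", probe_command(result["package"], comp))
```

An exported component guarded by android:permission is not automatically safe: the next step is to look up that permission's protectionLevel, since a "normal" permission is granted to any app that asks for it. Note also that from Android 12 (API 31) a component that declares an intent-filter must set android:exported explicitly or the package will not install, so on current targets the intent-filter default only matters for older builds.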


Happy Pentesting!
