PenTest: Mobile Application Penetration Testing Tools

Description

/wcm_restrict]

Dear PenTest Readers,

We would like to proudly present you the newest issue of PenTest. We hope that you will find many interesting

articles inside the magazine and that you will have time to read all of them.

We are really counting on your feedback here!

In this issue we discuss the tools and methods that you can find useful while performing penetration tests on

mobile applications. You can read articles straight from tools developers, about QARK or MASTS. You will be

shown some technics where you can use Metasploit, Netcat or AppUse.

Enjoy your reading,
PenTest Magazine’s
Editorial Team

---

 

Table of content:

---

Pentesting Android Recovering Data using Metasploit
by Daniel W. Dieterle

In this article we will learn how to create a backdoor Android application, see how to connect to it remotely, and then recover text messages and other data from the Android device. This article is a modified version of a part of the “Attacking Android” section in my latest book, “Intermediate Security Testing with Kali Linux 2”. This tutorial will consist of creating a backdoor Android app with Msfvenom, and then creating a listening service in Metasploit to listen for the backdoor callback. Once the callback is made, the listener creates a fully functional remote Meterpreter shell to the device. Once we have the Meterpreter shell, we can then use the built in Metasploit commands to view and download data from the phone.

---

Oldschool Pentesting with Netcat
by Daniel Deandresi

Netcat has been created by “Hobbit”; its first stable released was in 2007. We all know Netcat’s legendary remark for being the “Swiss army knife” for pentesting, but do we really know everything about it? We all have used Netcat for one thing or another, but the truth is that with Netcat can be used for a plethora of things!

---

Steps to intercept traffic using Burp suite
by Shekar Munirathnam

In the todays world, Smart phones have become a integral part of one’s lifestyle from which many things can be done in no time, such as logging into a bank application and performing any actions that we do from our native web application. The major challenge is that the mobile apps that have been installed, how secure are they?

---

Android Penetration Testing
by Matt Freitas & Dusan Petricko

When the amount of people using smartphones surpassed desktop users back in 2014, it marked an important milestone in smartphone history, while making it very clear that smartphones are here to stay and ready to take over. What is more, Android is without a doubt the most popular platform, selling over 325 million units in Q4 2015 and having a total of 1.4 billion users worldwide (as of September 2015). It is also the most popular platform for software developers – the official Google Play Store had over 1.6 billion apps in July of 2015. Being a relatively new platform however, means that pentesters need to adjust their strategy and methodology to overcome the new challenges presented.

---

QARK
by Anthony Trummer

I would like to introduce you to relatively new tool named QARK (Quick Android Review Kit), designed to automate auditing of Android applications for common security vulnerabilities through static code analysis. Some of what makes QARK unique, is that not only does it perform an automated code review, but it also delivers a high quality report of findings along with a custom built APK that you can use to attack the tested app; moreover, it is totally free to use and opensource.

---

Mobile Application Security Testing Suite
by Chetan Gulhane

In today’s evolving world of technology, mobile applications are becoming more dominant than ever, users shifting from web application to mobile applications. The mobile application market is increasing exponentially. Mobile applications are being used for m-commerce, e—commerce and many more things. It is obvious that mobile application security comes into the picture. Looking at the challenges of mobile application security testing, there is a need for automation of application security testing.

---

Risk management as a strategy for decision making
by Johany Chacon

This is a two part article with fundamental points that support decision-making: the first part highlights the need for management information as a fundamental input and basis for decision making. The second is a look from the perspective of computer security and auditing as an evaluator and aggregator of value in managing organizational risks.

---

Mobile Application Penetration Testing Framework
by Muruganandam

This article explains mobile application penetration testing techniques.

---

The Hackers Mobile Application Penetration Testing Arsenal

by Mohit Sahu

In era of technological advancement and globalization, mobile devices have become a necessity for us; almost everyone has a mobile device or access to one. They have made the world accessible and communication convenient, all at the touch of a button. Various aspects of people’s lives can be represented by an application on a mobile device. These applications range from the food order
to scheduling appointments. Most of the commercial website services are now porting to mobile application, latest statistics show that there is more then 1.6 million apps available for android users and more then 1.5 million apps available for ios users . This evolution is bringing a full range of new attacks on users based on mobile application vulnerabilities, which is very different than common

---

Android Advanced Reversing
by Vishal Mishra

Android reversing is certainly the hottest topic in the present world of reverse engineering. The prime factor that makes Android reversing a more explored domain is that it is relatively less difficult to reverse Android in comparison to other mobile platforms. The main Oh Bother! for most of the pentesters/malware analysts is to take out the main juice. One can usually rely on dynamic analysis tools for doing deeper analysis of an Android apk. That is the obvious approach someone can take. But is this the only effective way to get things done? No. Do we have a better method for dynamic analysis of apk? Yes. Will this better method increase the complexity of analysis? Turns out it is easier. Saves time? Yes, a lot. What is it? Dynamic instrumentation (more commonly Android hooking), and this article will explore this approach at length.

---

Android Application Penetration Testing using AppUse Virtual Machine
by Siddhartha

AppUse is a VM (Virtual Machine) developed by AppSec Labs. It is a unique platform for mobile application security testing in the Android environment, and includes exclusive custom-made tools created by AppSec Labs. Along with custom made tools, this provides you with a very attractive user interface for all your pentesting needs and it features a lot of open source and free tools you are currently using in your Android pentesting arsenal. You can use the AppUse user interface to work with the free and open source tools. And you don’t always need the terminal or cmd to work with the tools manually. AppUse automates most of the functions in those tools. You are gonna love it.