|preview mobile 09 2017.pdf|
Dear PenTest Readers,
We know it’s summertime and probably many of you are enjoying your holidays or still thinking where to go. But we’re not slacking off and here is the new, almost 200 pages long, issue for you!
This time we’ve focused on mobile pentesting and security. In the first nine articles you will find Drozer, Mobsf and Zed Attack Proxy tutorials. Some of them start with basic content, and some of them go straight into practical case studies. You can also read about Mobile security architecture, Android reverse engineering and hooking, and learn how to automate app security. We’ve prepared a detailed tutorial on how to pentest transport layer security in android applications and what tools to use. You will also be shown also how to crack iOS applications to get access to paid/premium functions.
As always our magazine contains couple articles with mixed content. You can read the second part of the OWASP Top 10 vulnerability testing with WebGoat and a Tcpdump step by step tutorial. Last but not least Rolf Oppliger will tell you about SSL/TLS attacks, countermeasures, and counterattacks.
Enjoy your reading,
Table of contents
Exploiting Android application components using “Drozer”
This article covers how Android application components can be exploited in real time using the tool “Drozer” which may compromise the security of mobile applications. It also explains how to set up a testing environment for performing security assessments on Android applications.
For demonstration purposes, this article uses three deliberately vulnerable open source Android mobile applications: “FourGgoats”,”HerdFinancial” and “Sieve”.
When reverse engineering and hooking a mobile application enables one to abuse an API
Whether it is for usability/performance/connectivity reasons, providing a native mobile application in addition to an existing web solution has far more security implications than it may seem. Very often the mobile integration moves logic from the server to the client side, but this code cannot be considered secret any more.
Pentesting transport layer security in Android apps, and effective tools
The bulk of data flows between the Android applications and the server. All the work in smartphones is done through these applications so there is reason to worry. The four pillars of information security are on stack, i.e. integrity, authenticity, availability, confidentiality. The bulk of data is in motion, especially after India’s PM’s mission, digital India, all money transactions and official documents went digital, so here we clearly see a problem. We need a clearly described method for techies or developers or users through which they defined that this application is secure or not with respect to the Transport Layer.
Mobile Security Architecture
To completely understand how to breach mobile device security, we must first know the mobile platform features we will dealing with. So, we are going to study in-depth the OS architectures and the security models implemented on both Android and iOS.
The experiment described in this article has a study purpose. It was tested on a smartphone with Android system and no attack was performed on external sites. We've looked at the typical vulnerabilities associated with hacking.
Mobile Application Security is one of the hottest segments in the security world, as security is really a big concern with growing mobile applications. In this article I will show you how Zed Attack Proxy can help you automatically find security vulnerabilities in your applications while you are developing and testing your applications.
Bypassing in-App Purchases in iOS Applications
This paper describes how common monetization techniques for modern day iOS applications, such as in-App Purchases and such can be hacked if stringent checks are not performed on the server-side to validate transactions. Using techniques such as method-swizzling and a number of easy to use tools, these transactions can easily be cracked to give access to a number of “premium” or “paid” functionalities within applications without completing any payment to the developer.
Automating App Security
There has been a growing shift in the way software is developed and one the security industry has unfortunately been slow to adapt to and adopt. I'm talking, of course, about agile. Agile exists in order to help developers write and release software early and often. This has the benefit of allowing companies to quickly react to changes in the market, however, when a security review is a requirement of going live, how can a development team be truly agile? Is it possible to be both secure and have the flexibility to go live when needed?
Drozer – Mobile Security Testing Framework Tutorial
Drozer is one of the best Android security assessment tools available for Android security developed by MWR Labs. This tool allows you to take on the role of an Android application and interact with other applications through the Android inter-process communication (IPC) mechanism and the underlying operating system. In this document we will explain how to use this tool.
MOBSF – Open Source Security Mobile Application Tutorial
MobSF is an intelligent open source mobile application (Android / iOS / Windows) capable of performing static and dynamic analysis and web API testing. This tool can be used to analyze Android (APK), iOS (IPA) and Windows Mobile (APPX) executables as well as ZIP archives. In this document we will explain how to install and configure MobSF.
Tcpdump: For Network Forensics
Tcpdump may be a valuable tool for anyone wanting to be introduced into networking or data security. The raw manner with which it interfaces with traffic, combined with the exactitude it offers in inspecting packets make it the simplest doable tool for learning TCP/IP.
SSL/TLS: Attacks, Countermeasures, and Counterattacks
In this article, we mainly focus on the attacks that have been mounted against these protocols, as well as their countermeasures and counterattacks. As is usually the case in security, there is a «cops and robbers» game going between the designers and developers of the protocols and the people who try to break them (be it from the hacker community or from academia).
OWASP Top 10 Vulnerability Testing with Web Goat - part 2
Welcome to the second part of the article. First one was published in our previous issue.