Today we present a great interview with Prathan Phongthiproek, creator of The Mobile App Pentest Cheat Sheet, which includes a penetration testing guide, tools and the tools' commands. He told us his thoughts on the mobile application security market. Enjoy reading!
[PM]: Can you please tell us something about yourself?
[PP]: I'm a Security Consultant at KPMG Thailand. I led the project team responsible for performing penetration testing services. My areas of research include web and mobile application vulnerabilities and exploits. I also regularly contribute hacking techniques which are published on Exploit-DB (e.g. Mobile Application Hacking Diary Ep.1, Beyond SQLi: Obfuscate and Bypass).
[PM]: Just in case some of our readers are not familiar with your project can you tell us something about it?
[PP]: The Mobile App Pentest Cheat Sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics. It also includes a penetration testing guide (checklist), tools and the tools' commands, which can help anyone perform a security assessment of a mobile application.
[PM]: How did you come up with the idea of creating it?
[PP]: Mobile app pen-testing is not the same as web app pen-testing. There are lots of web vulnerability scanners which can do it for us automatically, but not for mobile apps. Therefore, we have to test manually. Moreover, there are lots of tools for performing mobile app pen-testing, so I decided to create the cheat sheet, which separates the testing approach into 3 phases:
- Reverse Engineering and Static Analysis
- Dynamic and Run-time Analysis
- Network Analysis and Server Side Testing
and then maps the well-known tools onto these phases. Because there are lots of tools for mobile app pen-testing, it's very hard to remember every command. Therefore, the tool commands are also put in the cheat sheet, so that it is easy for anyone who would like to test their app to visit my project, which already has the testing approach and the commands for each tool.
[PM]: Did you have any difficulty creating it?
[PP]: I had to learn about iOS and Android application development; after that I did research on mobile app vulnerabilities on the Internet and in security books, which allowed me to understand and create the cheat sheet.
[PM]: The Cheat Sheet includes apps for both Android and iOS. Which one do you prefer to work with, or don't you see any difference?
[PP]: I don't see any difference, because both Android and iOS already have full information available which can be used to perform security testing.
[PM]: We can see that you update the list constantly. Is there any new tool that you find very interesting?
[PP]: I'm doing research on the Cycript tool (iOS) and trying to create automated scripts for method swizzling (now we have to do it manually).
[PM]: Have you got a favourite penetration testing tool?
[PP]: For Android, I regularly use automated static-analysis tools (e.g. Mobile Security Framework and Qark), Drozer for testing Android component vulnerabilities, and Burp Suite for network testing. For iOS, idb can be used to access the iOS app filesystem, dumpdecrypted + class-dump can be used to perform static analysis, and Cycript combined with Snoop-it can be used to perform dynamic analysis and method swizzling.
[PM]: What do you think about today's mobile application security? Do you think our smartphones are protected enough?
[PP]: As far as I'm concerned, security in mobile apps is still a big problem due to underdeveloped security awareness and insecure smartphone devices. As you can see, there are lots of tools for rooting Android and jailbreaking iOS, even though the OS is upgraded quarterly.
[PM]: I think we can agree that there is a lot to do in securing mobile applications, but do you know any good examples of well-tested, secure apps that you use on a regular basis? Like, you use it and think "that's how it should be done".
[PP]: You could use the OWASP Top 10 Mobile Risks as a baseline: a secure app should not have any issues from the OWASP Top 10. In order to secure a mobile application, you can develop the mobile app by following the "Smartphone Secure Development" guidelines. ENISA has published the results of the collaborative effort as the "Smartphone Secure Development Guidelines" (https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/smartphone-secure-development-guidelines).
[PM]: Have you got any final thoughts? Is there anything you would like to add?
[PP]: I have a plan to map the cheat sheet onto the OWASP Top 10 Mobile Risks topics. Moreover, I'm doing research on Windows Phone applications and will put it into the cheat sheet. Stay tuned!