Mobile Application Penetration Testing - Vijay Kumar Velu - E-Book

Mobile Application Penetration Testing E-Book

Vijay Kumar Velu

Description

Explore real-world threat scenarios, attacks on mobile applications, and ways to counter them

About This Book

  • Gain insights into the current threat landscape of mobile applications in particular
  • Explore the different options that are available on mobile platforms and prevent circumventions made by attackers
  • This is a step-by-step guide to setting up your own mobile penetration testing environment

Who This Book Is For

If you are a mobile application evangelist, mobile application developer, information security practitioner, penetration tester on infrastructure web applications, an application security professional, or someone who wants to learn mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pen-testing.

What You Will Learn

  • Gain an in-depth understanding of Android and iOS architecture and the latest changes
  • Discover how to work with different tool suites to assess any application
  • Develop different strategies and techniques to connect to a mobile device
  • Create a foundation for mobile application security principles
  • Grasp techniques to attack different components of an Android device and the different functionalities of an iOS device
  • Get to know secure development strategies for both iOS and Android applications
  • Gain an understanding of threat modeling mobile applications
  • Get an in-depth understanding of both Android and iOS implementation vulnerabilities and how to provide counter-measures while developing a mobile app

In Detail

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!" Alongside the growing number of devices and applications, there is also a growth in the volume of personally identifiable information (PII), financial data, and much more. This data needs to be secured.

This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches.

This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for the application, using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all the information about these security loopholes, we'll start securing our applications against these threats.

Style and approach

This is an easy-to-follow guide full of hands-on examples of real-world attack simulations. Each topic is explained in context with respect to testing, and for the more inquisitive, there are more details on the concepts and techniques used for different platforms.

Page count: 309

Year of publication: 2016


Table of Contents

Mobile Application Penetration Testing
Credits
About the Author
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. The Mobile Application Security Landscape
The smartphone market share
The Android operating system
The iPhone operating system (iOS)
Different types of mobile applications
Native apps
Mobile web apps
Hybrid apps
Public Android and iOS vulnerabilities
Android vulnerabilities
iOS vulnerabilities
The key challenges in mobile application security
The impact of mobile application security
The need for mobile application penetration testing
Current market reaction
The mobile application penetration testing methodology
Discovery
Analysis/assessment
Exploitation
Reporting
The OWASP mobile security project
OWASP mobile top 10 risks
Vulnerable applications to practice
Summary
2. Snooping Around the Architecture
The importance of architecture
The Android architecture
The Linux kernel
Confusion between Linux and the Linux kernel
Android runtime
The Java virtual machine
The Dalvik virtual machine
Zygote
Core Java libraries
ART
Native libraries
The application framework
The applications layer
Native Android or system apps
User-installed or custom apps
The Android software development kit
Android application packages (APK)
AndroidManifest.xml
The structure of the Android manifest file
Android application components
Intent
Activity
Services
Unbound or start services
Bound service
Broadcast receivers
Content providers
Android Debug Bridge
Application sandboxing
Application signing
Secure inter-process communication
The Binder process
The Android permission model
The Android application build process
Android rooting
iOS architecture
Cocoa Touch
Media
Core services
Core OS
iOS SDK and Xcode
iOS application programming languages
Objective-C
The Objective-C runtime
Swift
Understanding application states
Apple's iOS security model
Device-level security
System-level security
An introduction to the secure boot chain
System software authorization
Secure Enclave
Touch ID
Data-level security
Data-protection classes
Keychain data protection
Changes in iOS 8 and 9
Network-level security
Application-level security
Application code signing
The iOS app sandbox
iOS isolation
Process isolation
Filesystem isolation
ASLR
Stack protection (non-executable stack and heap)
Hardware-level security
iOS permissions
The iOS application structure
Jailbreaking
Why jailbreak a device?
Types of jailbreaks
Untethered jailbreaks
Tethered jailbreaks
Semi-tethered jailbreaks
Jailbreaking tools at a glance
The Mach-O binary file format
Inspecting a Mach-O binary
Property lists
Exploring the iOS filesystem
Summary
3. Building a Test Environment
Mobile app penetration testing environment setup
Android Studio and SDK
The Android SDK
The Android Debug Bridge
Connecting to the device
Getting access to the device
Installing an application to the device
Extracting files from the device
Storing files to the device
Stopping the service
Viewing the log information
Sideloading apps
Monkeyrunner
Genymotion
Creating an Android virtual emulator
Installing an application to the Genymotion emulator
Installing the vulnerable app to Genymotion
Installing the Genymotion plugin to Android Studio
ARM apps and Play Store in Genymotion
Configuring the emulator for HTTP proxy
Setting up the proxy in Wi-Fi settings
Setting up the proxy on mobile carrier settings
Google Nexus 5 – configuring the physical device
The iOS SDK (Xcode)
Setting up iPhone/iPad with necessary tools
Cydia
BigBoss tools
Darwins CC tools
iPA Installer
Tcpdump
iOS SSL kill-switch
Cycript, Clutch, and class-dump
SSH clients – PuTTy and WinSCP
iFunbox at glance
Accessing SSH without Wi-Fi
Accessing SSH with Wi-Fi
Installing DVIA to the device
Configuring the HTTP proxy in Apple devices
Emulator, simulators, and real devices
Simulators
Emulators
Pros
Cons
Real devices
Pros
Cons
Summary
4. Loading up – Mobile Pentesting Tools
Android security tools
APKAnalyser
The drozer tool
Installing drozer on Genymotion
APKTool
How to make apps debuggable?
The dex2jar API
JD-GUI
Androguard
Isn't Androguard only a malware analysis tool?
Androguard's androlyze shell environment
Automating the analysis of multiple files
Introducing Java Debugger
Debugging
Attaching
Installing Burp CA certificate to the device
The list of other tools
iOS security tools
oTool
SSL Kill Switch
The keychain dumper
LLDB
Clutch
Class-dump-z
Instrumenting with Cycript
Instrumentation using Frida
Hopper
Snoop-it
Installing Burp CA certificate to an iOS device
Summary
5. Building Attack Paths – Threat Modeling an Application
Assets
Threats
Threat agents
Vulnerabilities
Risk
Approach to threat models
Threat modeling a mobile application
Mobile application architecture
Mobile applications and device data
Identifying threat agents
Modes of attacks
Security controls
How to create a threat model?
The attacker view
The device or system view
Discovering potential threats
Threat modeling methodologies
STRIDE
PASTA
Trike
Using STRIDE to classify threats
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A typical mobile application threat model
Building attack plans and attack trees
Attack scenarios
A sample attack tree for a stolen or missing device
A list of free tools
A commercial tool
Threat model outcomes
Risk assessment models
Business risk
Technical risk
Summary
6. Full Steam Ahead – Attacking Android Applications
Setting up the target app
Backend server setup
Analyzing the app using drozer
Android components
Attacking activities
Attacking services
Attacking broadcast receivers
Attacking content providers
Attacking WebViews
SQL injection
Man-in-the-Middle (MitM) attacks
SSL pinning
Hardcoded credentials
Encryption and decryption on the client side
Runtime manipulation using JDWP
Storage/archive analysis
Log analysis
Assessing implementation vulnerabilities
Binary patching
Summary
7. Full Steam Ahead – Attacking iOS Applications
Setting up the target
Storage/archive analysis
Plist files
Client-side data stores
The keychain data
HTTP response caching
Reverse engineering
Extracting the class information
Strings
Memory management
Stack smashing protection
Static code analysis
OpenURL schemes
App patching using Hopper
Hardcoded username and password
Runtime manipulation using Cycript
The Bypass login method
Sensitive information in the memory
Dumpdecrypted
Client-side injections
SQL injection
UIWebView injections
Man-in-the-Middle attacks
Beating the SSL cert pinning
Implementation vulnerabilities
Pasteboard information leakage
Keyboard logs
App state preservation
Building a remote tracer using LLDB
Snoop-IT for assessment
Summary
8. Securing Your Android and iOS Applications
Secure by design
Security mind map for developers (iOS and Android)
Device level
Platform (OS) level
Screenshots/snapshots
System caching and logs
Cut, copy, and paste
iOS cookie and keychains
BinaryCookies
Keychains
Application level
App storage protection
Property lists/shared preferences
Property lists in iOS
Shared preferences in Android
Database protection
Application permissions
Backup settings
Disable debug
Use the latest API version
Securing Android components
Securing activities
Securing services
Securing content providers
Securing broadcast receivers
Verify exported components
Encryption
iOS
Android
Key management
Securing WebView
iOS
Android
App caches
Binary protection
Jailbreak detection
Filesystem-based detection
API-based detection
Root detection
Command detection method
Decompiling protection
Code obfuscation
Decryption protection
ASLR/ARC
Stack-smashing protection
Runtime protection
URLSchemes protection
Client-side injection protection
Anti-debug implementation
Filesystem protection
Anti-tamper implementation
Network level
Certificate pinning
Cipher suites
CFNetwork usage
Secure caching
Server level
Authentication
Authorization
Input/output validations
Injection flaws
Session management
Information leakage
OWASP mobile app security checklist
Mobile app developers checklist
Secure coding best practices
Android
iOS
Vendor-neutral advice
Developer cheat sheet
Developer policies
Post-production protection
Keeping up to date
Summary
Index

Mobile Application Penetration Testing

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: March 2016

Production reference: 1070316

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78588-337-8

www.packtpub.com

Credits

Author

Vijay Kumar Velu

Reviewers

Akash Mahajan

Swaroop Yermalkar

Commissioning Editor

Veena Pagare

Acquisition Editor

Aaron Lazar

Content Development Editor

Sachin Karnani

Technical Editor

Nirant Carvalho

Copy Editors

Stuti Srivastava

Madhusudan Uchil

Project Coordinator

Nikhil Nair

Proofreader

Safis Editing

Indexer

Tejal Daruwale Soni

Graphics

Jason Monteiro

Production Coordinator

Melwyn Dsa

Cover Work

Melwyn Dsa

About the Author

Vijay Kumar Velu is a passionate information security practitioner, speaker, and blogger, currently working as a cyber security technical manager at one of the Big4 consultancies based in India. He has more than 10 years of IT industry experience, is a licensed penetration tester, and has specialized in providing technical solutions to a variety of cyber problems, ranging from simple security configuration reviews to cyber threat intelligence. Vijay holds multiple security qualifications including Certified Ethical Hacker, EC-council Certified Security Analyst, and Computer Hacking Forensics Investigator. He loves hands-on technological challenges.

Vijay was invited to speak at the National Cyber Security Summit (NCSS), Indian Cyber Conference (InCyCon), Open Cloud Conference, and Ethical Hacking Conference held in India, and he has also delivered multiple guest lectures and training on the importance of information security at various business schools in India. He also recently reviewed Learning Android Forensics, Packt Publishing.

For the information security community, Vijay serves as the director of the Bangalore chapter of the Cloud Security Alliance (CSA) and chair member of the National Cyber Defence and Research Center (NCDRC).

I would like to dedicate this book to my mother and sister for believing in me and always encouraging me to do what I like with all my crazy ideas. Special thanks to my family, friends (Hackerz), core team (Rachel H Martis, Anil Dikshit, Karthik Belur Sridhar, Vikram Sridharan and Vishal Patel), and Lokesh Gowda for allowing me an ample amount of time in shaping this book.

A huge thanks to Darren Fuller, my mentor and friend, for providing his support and insights. Also to the excellent team at Packt Publishing for all the support that they provided throughout the journey of this book, especially Sachin and Nirant for their indubitable coordination.

About the Reviewers

Akash Mahajan is an accomplished security professional with over a decade's experience in providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world. He is the author of Burp Suite Essentials, Packt Publishing.

Akash is an extremely active participant in the international security community and a frequent conference speaker. He gives talks as himself, as the head of the Bangalore chapter of OWASP, the global organization responsible for defining the standards for web application security, and as a co-founder of NULL, India's largest open security community.

I want to thank you, Nikhil, for making sure that reviewing this book was a pleasurable experience.

Swaroop Yermalkar works as a healthcare security researcher at Philips Health Systems, India, where he is responsible for threat modeling; security research; and the assessment of IoT devices, healthcare products, web applications, networks, and Android and iOS applications. He is the author of the popular iOS security book Learning iOS Penetration Testing, Packt Publishing, and is also one of the top mobile security researchers worldwide, working with Synack, Inc.

He also gives talks and training on wireless pentesting and mobile app pentesting at various security conferences, such as GroundZero, c0c0n, 0x90, DEFCONLucknow, and GNUnify.

He has been acknowledged by Microsoft, Amazon, eBay, Etsy, Dropbox, Evernote, Simple banking, iFixit, and many more for reporting high-severity security issues in their mobile apps.

He is an active member of NULL, an open security community in India, and is a contributor to the regular meetups and Humla sessions at the Pune chapter.

He holds various information security certifications, such as OSCP, SLAE, SMFE, SWSE, CEH, and CHFI. He has written articles for clubHACK magazine and also authored a book, An Ethical Guide to Wi-Fi Hacking and Security.

He has organized many eminent programs and was the event head of Hackathon—a national-level hacking competition. He has also worked with Pune Cyber Cell, Maharashtra Police, in programs such as Cyber Safe Pune. He can be contacted at <@swaroopsy> on Twitter.

www.PacktPub.com

eBooks, discount offers, and more

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print, and bookmark content
  • On demand and accessible via a web browser

Preface

The adoption of mobile technology has changed the world; smartphones especially have become an integral part of everyone's lives and an extension of the corporate workplace.

With over a billion smartphone users worldwide, mobile applications play a crucial role in almost everything a device can do. Most of the time, the security of these applications is an afterthought, even though data is the one asset that everyone would like to protect.

In short, the purpose of this book is to educate you about, and demonstrate, application security weaknesses on the client (device) side and configuration faults in Android and iOS that can lead to potential information leakage.

What this book covers

Chapter 1, The Mobile Application Security Landscape, takes you through the current state of mobile application security and provides an overview of public vulnerabilities in Android and iOS applications. It also teaches you the OWASP mobile top 10 vulnerabilities in order for you to establish a baseline for the vulnerabilities and principles of securing mobile applications.

Chapter 2, Snooping Around the Architecture, walks you through the importance of an architecture and dives deep into the fundamental internals of the Android and iOS architectures.

Chapter 3, Building a Test Environment, shows you how to set up a test environment and provides step-by-step instructions for Android and iOS devices within a given workstation.

Chapter 4, Loading up – Mobile Pentesting Tools, teaches you how to build, within your workstation, the toolbox required to perform an assessment of any given mobile app, and how to configure the tools.

Chapter 5, Building Attack Paths – Threat Modeling an Application, shows you how to build attack paths and attack trees for a given threat model.

Chapter 6, Full Steam Ahead – Attacking Android Applications, shows you how to penetrate an Android application to identify its security weaknesses and exploit them.

Chapter 7, Full Steam Ahead – Attacking iOS Applications, shows you how to penetrate an iOS application to exploit the weaknesses and device vulnerabilities that affect the application.

Chapter 8, Securing Your Android and iOS Applications, teaches you the practical way of securing Android and iOS applications, starting from the design phase, and how to leverage different APIs to protect sensitive data on the device.

What you need for this book

The following hardware and software is recommended for maximum results:

Workstation:
  • Windows 7 (64-bit):
    • At least 4 GB of RAM
    • At least 100 GB of hard disk space
    • Java Development Kit 7
    • Active Python
    • Active Perl
  • MacBook (10.10 Yosemite):
    • Xcode with the latest iOS SDK
    • LLDB
    • Python (2.6 or higher)

Mobile devices:
  • A Google Nexus 5 running Android 5.0 Lollipop or higher
  • An iPhone (either 5 or 6) or iPad running iOS 8.4 or higher

All the software mentioned in this book is free of charge and can be downloaded from the Internet, except Hopper.

Who this book is for

If you are a mobile application evangelist, mobile application developer, information security practitioner, infrastructure web application penetration tester, application security professional, or someone who wants to pursue mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pentesting.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/MobileApplicationPenetrationTesting_ColorImages.pdf

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at <[email protected]>, and we will do our best to address the problem.

Chapter 1. The Mobile Application Security Landscape

Life is now in the palm of your hands. Risk is real, threats are growing!

With more than 1 billion users worldwide and 2.5 million applications (and still counting) available across the Google and Apple digital marketplaces, smartphones have become commonplace. The difference they make to our lives is stark and simple, and it affects our day-to-day life in multiple ways—in particular, the way we interact, work, and socialize. The increase in demand from the consumer market, together with the processing power and capabilities of smartphones, such as storage, GPS, cameras, displays, and so on, has changed the paradigm of mobile application development. Online banking, trading, e-mail, airport check-ins, and much more are just a tap away.

Mobile application development is the hottest type of software development right now. New surface area equals dangerous surface area: mobile apps form the uppermost layer of the smartphone, and they are the potential targets of adversaries.

This chapter will cover the current state of mobile application security. We will discuss some of the public vulnerabilities that are disclosed in various mobile applications in order to provide a context and reasons why security needs to be at the forefront of every mobile application developer's mind. We will also cover the following topics:

  • Android and iOS vulnerabilities
  • Key challenges in mobile application security
  • The impact of mobile application security
  • The need for mobile application penetration testing
  • The mobile application penetration testing methodology
  • The OWASP (short for Open Web Application Security Project) mobile top 10 risks

There is no doubt that mobile applications have emerged as one of the most significant innovations of all time. Statista (for more information, visit http://www.statista.com/), a statistical portal company, reports that there are around 1.6 million applications in Google Play Store, 1.5 million applications in the Apple app store, 400,000 applications in the Amazon app store, 340,000 applications in Windows Phone Store, and 130,000 applications in Blackberry World. These statistics alone reflect the exponential growth in mobile applications over the years.

Numerous applications are introduced to the stores every single week. At the same time, thousands of cyber criminals, also known as hackers, keep tabs on these applications by constantly looking for newly published apps and trying to compromise user information or embed malicious programs using various techniques. None of the development frameworks currently in use has been proven immune to security issues.

The smartphone market share

Understanding the market share gives us a clear picture of what cyber criminals are after and what could potentially be targeted. Mobile application developers can propose and publish their applications on the stores and are rewarded with a share of the selling price.

The following screenshot, referenced from www.idc.com, shows the overall smartphone OS market share for 2015:

Since mobile applications are platform-specific, a majority of software vendors are forced to develop the applications for all the available operating systems.

The Android operating system

Android is an open source, Linux-based operating system for mobile devices (smartphones and tablet computers). It was developed by the Open Handset Alliance, which was led by Google together with other companies. Because Android is Linux-based, it can be programmed in C/C++, but most application development is done in Java, with Java code accessing C libraries via JNI (short for Java Native Interface).

The iPhone operating system (iOS)

iOS was developed by Apple Inc. It was originally released in 2007 for the iPhone, iPod Touch, and Apple TV. iOS is Apple's mobile version of the OS X operating system used on Apple computers; it is Unix-based (derived from BSD, short for Berkeley Software Distribution), and applications for it can be written in the Objective-C and Swift languages.

Different types of mobile applications

In the modern realm, mobile applications are also simply called mobile apps. There are thousands of user-friendly apps on the market for almost every specific need: chatting, multi-party video conferencing, games, health check-ups, gambling, communities, trading, other financial services, and so on.

One of the interesting emerging technologies in the mobile apps space is iBeacon, where an app running on an iOS or Android device listens for signals from beacons in the physical world and reacts accordingly.

The apps are broadly categorized into the following types:

  • Native apps
  • Mobile web apps
  • Hybrid apps

Native apps

Native applications are installed into the mobile operating system through the respective app stores. They are typically built with platform-specific development tools and languages (Xcode with Objective-C or Swift for iOS apps, and Android Studio with Java for Android apps), are designed for a particular platform, and can take advantage of all the device features, such as the camera, GPS, the phone's contact list, and so on. The following screen capture of a well-known game is a solid example of a native mobile application:

Mobile web apps

Mobile web applications are non-native applications. Most of them are HTML5, JavaScript, and CSS applications with a web interface that mimics the native application look and feel. Users access them as they would any other web page; they are mobile-optimized web pages.

These applications became popular when HTML5 arrived and people started to use native-application-like functionality from the browser. Developing and testing these applications is easy since they all have tooling support.

The following screen capture shows one of the banking web applications:

Hybrid apps

Hybrid applications have two definitions. One is a combination of web-based content and native components that access services on the mobile device, most notably storage. The other is a client-server architecture for mobile applications; an example is a mobile enterprise application.

These are web apps built into a native mobile framework, taking advantage of the cross-platform compatibility of web technologies such as HTML5, CSS, and JavaScript. The following is a screen capture of a well-known news mobile application, which is an example of a hybrid app:

Note

Why does it matter?

Changes to the programming languages used to develop applications force developers to maintain multiple code bases. Cyber attackers follow users, and the mobile application threat landscape has grown significantly over the years.

Public Android and iOS vulnerabilities

Before we proceed to the different types of vulnerabilities on Android and iOS, this section introduces Android and iOS as operating systems and covers the fundamental concepts you need to understand in order to gain experience in mobile application security.

Year      | Android                                                                                                              | iOS
2007/2008 | 1.0                                                                                                                  | iPhone OS 1, iPhone OS 2
2009      | 1.1, 1.5 (Cupcake), 2.0 (Eclair), 2.0.1 (Eclair)                                                                     | iPhone OS 3
2010      | 2.1 (Eclair), 2.2 (Froyo), 2.3-2.3.2 (Gingerbread)                                                                   | iOS 4
2011      | 2.3.4-2.3.7 (Gingerbread), 3.0 (Honeycomb), 3.1 (Honeycomb), 3.2 (Honeycomb), 4.0-4.0.2 (Ice Cream Sandwich), 4.0.3-4.0.4 (Ice Cream Sandwich) | iOS 5
2012      | 4.1 (Jelly Bean), 4.2 (Jelly Bean)                                                                                   | iOS 6
2013      | 4.3 (Jelly Bean), 4.4 (KitKat)                                                                                       | iOS 7
2014      | 5.0 (Lollipop), 5.1 (Lollipop)                                                                                       | iOS 8
2015      |                                                                                                                      | iOS 9 (beta)

The preceding table lists the operating system releases year by year.

A study conducted by Hewlett Packard (HP), which tested more than 2000 mobile applications from 600+ companies, reported the following statistics (for more details, visit http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-1057ENW.pdf):

  • 97% of the applications tested accessed at least one private information source
  • 86% of applications failed to use simple binary hardening protections against modern-day attacks
  • 75% of applications did not use proper encryption techniques when storing data on a mobile device
  • 71% of the vulnerabilities resided on the web server
  • 18% of applications sent usernames and passwords over HTTP, while another 18% implemented SSL/HTTPS incorrectly

So, the key vulnerabilities in mobile applications arise from a lack of security awareness, the usability versus security trade-off made by developers, excessive application permissions, and a lack of attention to privacy. Couple this with insufficient application documentation, and the result is vulnerabilities that developers are not even aware of.

Note

Usability versus security trade-off

It is difficult for any developer to provide an application with both high security and high usability. Making an application secure and usable takes a lot of effort and analytical thinking.

Mobile application vulnerabilities are broadly categorized into the following categories:

  • Insecure transmission of data: Either the application does not enforce any kind of encryption for data in transit at the transport layer, or the implemented encryption is insecure.
  • Insecure data storage: Apps store data in plaintext or in an obfuscated format, or store hardcoded keys on the mobile device. For example, an e-mail exchange server configuration on an Android device using the e-mail client stores the username and password in plaintext, which any attacker can easily recover if the device is rooted.
  • Lack of binary protections: Apps do not enforce any anti-reversing or anti-debugging techniques.
  • Client-side vulnerabilities: Apps do not sanitize data provided by the client side, leading to multiple client-side injection attacks, such as cross-site scripting, JavaScript injection, and so on.
  • Hard-coded passwords/keys: Apps are designed in such a way that hardcoded passwords or private keys are stored on the device.
  • Leakage of private information: Apps unintentionally leak private information; this can result from the use of a particular framework or from obscurity assumptions made by the developers.

Note

Rooting/jail-breaking

Rooting/jail-breaking refers to the process of removing the limitations imposed by the operating system on devices through the use of exploit tools. It enables users to gain complete control of the device operating system.

Android vulnerabilities

In July 2015, a security company called Zimperium announced that it had discovered a high-risk vulnerability, Stagefright, inside the Android operating system. They described it as a unicorn in the world of Android risk, and it was practically demonstrated at a hacking conference in the US on August 5, 2015. More information can be found at https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/, and a public exploit is available at https://www.exploit-db.com/exploits/38124/.

This prompted Google to release security patches for all affected Android versions, believed to cover 95% of Android devices, an estimated 950 million users. The vulnerability is exploited through a particular media library and can let attackers take control of an Android device by sending specially crafted multimedia messages, such as MMS.

If we look at the download counts of Superuser and similar applications on the Play Store, there are around 10 million to 50 million downloads. It can be assumed that more than 50% of Android smartphones are rooted.

The following graph shows Android vulnerabilities from 2009 until January 2016. There are currently 184 reported vulnerabilities for Google's Android operating system (chart taken from http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224).

Every new feature introduced to the operating system, often in the form of applications, acts as an additional entry point that allows cyber attackers or security researchers to circumvent and bypass the controls that were put in place.

iOS vulnerabilities

On June 18, 2015, a password-stealing vulnerability known as XARA (Cross Application Resource Attack) was outlined for iOS and OS X; it cracked the Keychain services on both jailbroken and non-jailbroken devices. The vulnerability is similar to a cross-site request forgery attack in web applications. In spite of Apple's isolation protection and its App Store's security vetting, it was possible to circumvent the security control mechanisms. It clearly demonstrated the need to protect the cross-app mechanism between the operating system and the app developer. Apple rolled out a security update a week after the XARA research. More information can be found at http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/.

The following graph shows the iOS vulnerabilities from 2007 until January 2016. There are around 805 reported vulnerabilities for Apple iPhone OS (http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49).

As we can see, year after year, the vulnerabilities kept increasing. A majority of the vulnerabilities reported are denial-of-service (DoS) attacks. Such vulnerabilities make the application unresponsive.

Primarily, these vulnerabilities arise from insecure libraries or from buffer overflows on the stack.

The key challenges in mobile application security

Mobile security is not just about code running safely on the mobile device. It starts at the design stage and also covers the residual data left on the device and data in motion.

Looking at the data and behavior of applications, almost any useful mobile application sends data back to a server. Lots of applications also use third-party web services. Some prevalent problems associated with data at the different layers are as follows:

  • Network layer: Data travelling from mobile applications on the device over Wi-Fi and data services
  • Hardware layer: Baseband attacks, broadband attacks, and RF range attacks that can affect mobile features
  • Operating system layer: Jailbreaking or rooting vulnerabilities in the mobile platform
  • Application layer: APIs (short for Application Program Interface) of the device used without administrative permissions

Since mobile apps are platform-dependent, the key challenges differ from those of traditional applications; some of the key challenges are as follows:

  • Threat model: Mobile applications have a significantly complicated threat model, which cannot be the same across different versions of operating systems, devices, and manufacturers. We will discuss this in more detail in Chapter 5, Building Attack Paths – Threat Modeling an Application.
  • Third-party code: Developers include code developed by third parties or open source code.
  • Obscure assumptions by developers: Assuming that the code is inherently secure.
  • Outsourcing: Intellectual property concerns; part or all of the code is not available because it was outsourced.
  • Privacy of the data: It is important to comply with regulations and protect end users' private data. How many third-party APIs are integrated? Who collects what data?

The impact of mobile application security

Mobile applications put the security and privacy of an individual or corporation at risk. With more vulnerabilities attributed to mobile application flaws than any other category today, security has become a core concern for the business. Several attacks are associated with the way the mobile apps are used and the specific methods the app utilizes to communicate with the user.

Mobile applications can communicate over various services, which increases the attack surface significantly. Some of these services from which applications can obtain input are Bluetooth, Short Message Service (SMS), microphone, camera, and near field communication (NFC), to name a few.

The two primary areas of impact in mobile application security are data at rest and data in motion:

  • Data at rest: Mobile applications are unique in the sense that they reside on the user's phone. As such, threats to these devices come primarily from mobile malware and other applications. Mobile devices are easily susceptible to theft, getting lost, or being acquired and used by someone else. Mobile app developers should also consider the possibility of data recovery using forensic techniques.
  • Data in motion: Sensitive information disclosure and man-in-the-middle (MiTM) attacks are possible risks when data is not secured in transit.
  • Other considerations: Mobile app developers should also consider the implications of malicious applications installed from various nonstandard app stores. Developers will always be in an arms race with the latest improvements in mobile malware, such as Zeus MITMO, Spitmo, Citmo, and Tatanga, which have bypassed plenty of mobile security features.

The need for mobile application penetration testing

Today's mobile apps have complex security landscapes; vulnerabilities can occur for various reasons, ranging from misconfiguration to code-level bugs.

As the need for mobile applications increases, companies ranging from the Fortune 500 to start-ups are investing heavily in security programs to protect the critical information that every individual now has at their fingertips. Naturally, these companies intend their applications to be secure. Their goal is to identify the loopholes before cyber attackers do and prevent a serious data breach.

Given the importance of mobile applications discussed earlier, penetration testing is one of the most effective ways to identify known and unknown weaknesses and functionality bugs (which lead to vulnerabilities) in these applications. By attempting to circumvent security controls and bypass security mechanisms, a security tester is able to identify the ways in which a hacker might compromise an organization's security. Such a compromise can damage the image and trust that an organization has built over a long period of time.

Current market reaction

The need for security in mobile applications has led the market to create multiple job roles related to mobile security. Some of these job roles are as follows:

  • Mobile Application Security Expert
  • Mobile Security Compliance Specialist
  • Mobile Technology Risk Manager
  • Mobile Device Management Specialist