How to Pentest Mobile Apps in 2020 - A Sensible Approach

Introduction

I'm Jabo and I'm a consultant here at Wire Security. I've been an app developer since 2012 and I'm just getting started in my career in security. I've always felt like a hacker and these days I'm over the moon to actually be one! I'm going to be writing more articles here regularly so please remember to check back and keep an eye on our company Twitter feed: @Wire_Sec

Old News

Over the years other people in the industry have developed guides and tools to forensically analyse mobile apps, which made pentesting easier. Unfortunately many of those tools were dependent on specific Android/iOS releases or other factors which make them no longer usable.

On a recent engagement with Wire Security I took the lead on an Android and iOS app report where the items in scope were:

1) The app sandbox on rooted/jailbroken devices and on non-compromised devices too,

2) External network communication, and

3) Device memory

We were interested in sensitive user data, any credentials being leaked, etc. The client gave us the source code. After stumbling through many outdated mobile pentesting guides and lists of tools, I took a step back to consider my requirements carefully. The approach I used in the end was very simple.

Simple New Approach

With most guides and toolsets published on GitHub being out of date, or not working on the latest iOS and Android versions, I had to do most of the work manually, where my goal was to analyse memory, the app sandbox, and key storage. These targets are going to be very similar in most mobile app penetration tests in 2020 and beyond, so if I can help you lay down a simple, standard attack process then you can take that forward and own it, and play with it as you like. Alongside my no-frills methodology I had two important devices: a jailbroken iPad Mini 4 and a rooted Huawei P20 Pro. You don't need physical devices when services like Corellium exist (for now), but they are nice. Note: the Android Emulator (AVD) has support for root.

Memory analysis

On Android you can use adb shell am dumpheap <pid>. This command gives a dump of the memory heap of the chosen app or process. Use ps -aux <package name> to find the PID. This is very handy with breakpoints in the source code. If you pass the output to a file then you can open it with vim or your favourite text editor to search for interesting nuggets like apiKeys. In vim you can use :%!xxd to view the hex output. You can also use strings to filter interesting human-readable text from the file. Android Studio has awesome built-in functionality for memory profiling. DZone did a write-up on the usage of Android Studio.
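An added example, not from the original article: a Python sketch of the search step above. Plain strings reports only single-byte runs by default, while Java char[] data is 16 bits per character, so this scans a dump for both widths and flags key-like text. The sample buffer, the function names and the hint patterns are constructed assumptions.

```python
import re
import sys

# Printable runs of 6+ characters, stored either one byte per character
# ("narrow") or two bytes per character with a zero high byte ("wide").
RUNS = re.compile(
    rb"(?P<narrow>[\x20-\x7e]{6,})"
    rb"|(?P<wide>(?:\x00[\x20-\x7e]){6,}|(?:[\x20-\x7e]\x00){6,})"
)

# Assumed hint list for this example; extend it with the names used in
# the app under test.
SECRET_HINTS = re.compile(r"api[_-]?key|passw(?:or)?d|secret|token", re.I)

# Constructed sample standing in for a pulled heap dump (not real HPROF).
SAMPLE = (
    b"\x01\x02\xff\xfe"
    + b"https://api.example.invalid/v1/login"
    + b"\x00\x07\x10"
    + "apiKey=CONSTRUCTED-KEY-0001".encode("utf-16-be")
    + b"\xff\xff\x03"
    + b"password=constructed-pass"
    + b"\x00\x00"
)


def extract_strings(data):
    """Yield (offset, width, text) for each printable run in data."""
    for m in RUNS.finditer(data):
        if m.group("narrow"):
            yield m.start(), "8-bit", m.group().decode("ascii")
        else:
            text = m.group().replace(b"\x00", b"").decode("ascii")
            yield m.start(), "16-bit", text


def find_secret_candidates(data):
    """Return the runs whose text matches a secret hint."""
    return [hit for hit in extract_strings(data) if SECRET_HINTS.search(hit[2])]


if __name__ == "__main__":
    # Pass the path of a dump pulled from the device, or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, width, text in find_secret_candidates(data):
        print(f"0x{offset:08x}  {width:6}  {text}")
```

The offset column gives the position to jump to in the xxd view when you want to inspect the bytes around a hit.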

On iOS, Xcode also has a fantastic collection of memory tools including heap analysis. ZenDesk Engineering wrote a great piece on this.

App sandbox

On rooted Android you can use a file manager like File Explorer Root Browser to browse the app sandbox storage.

With a jailbroken iOS device you can install Terminal from Cydia or SSH into your device and explore the app sandbox storage.

Key storage

With Elcomsoft tools, on Android you can browse Google Drive backups (which can contain app data), and on iOS you can browse the Keychain backed up by iTunes.

Outro

Thanks for taking the time to read! If you have any comments you can reach me on Twitter: @Jabo_SCO
