Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Mobile Penetration Testing



              



Mobile application penetration testing is the hot cake for all penetration testers, and has recently obtained more attention with the introduction of the Android, iPhone platforms. The mobile application market is growing very fast, and all the companies now interested to make there major products available for mobile platform.


This blog focuses specifically on helping security professionals understand the nuances of penetration testing on android and iPhone applications. It attempts to cover the key steps the reader would need to understand such as setting up the test environment, installing the emulator, configuring the proxy tool and decompiling applications etc. It also provides an introduction to security tools available for the android platform:


Setting up the Android Test Environment

There are two main ways to test android based mobile applications, either by using real device or by using phone emulator. Here we will discuss both, lets start with phone emulator. It is not necessarily need to have access to the latest mobile devices. Thankfully, there's an easy way to run android on your Windows, Mac, or Linux computer. Google provides an android emulator with their SDK, which is designed to let developers test their applications on android before running them on handsets. This can be used to test drive android on our computer.

Requirements:


- Computer running microsoft windows operating system

- Oracle JRE 1.6.0.25 or higher

Download Link: http://java.com/en/

- Android SDK

Downloas Link: http://developer.android.com/sdk/index.html

Downloading the SDK starter package:

The SDK starter package is not a full development environment, it includes only the core SDK Tools, which you can use to download the rest of the SDK packages (such as the latest android platform). Make a note of the name and location of the SDK directory on your system, you will need to refer to the SDK directory later. Download android SDK from above link.

The SDK uses a modular structure that separates the major parts of the SDK, android platform versions, add-ons, tools, samples, and documentation into a set of separately installable packages. Install the SDK starter package, which you've already downloaded. Then launch the Android SDK Manager from Start -> All Programs

To download packages, use the graphical UI of the Android SDK Manager to browse the SDK repository and select new or updated packages. The Android SDK Manager installs the selected packages in the SDK environment.
 

Creating a virtual device:

With the AVD Manager you can create as many AVDs (Android Virtual Device) as you would like to test on. The AVD Manager is an easy to use user interface to manage your AVD (Android Virtual Device) configurations. An AVD is a device configuration for the android emulator that allows you to model different configurations of android-powered devices. Launch the AVD Manager from Start -> All Programs
 

In the Virtual Devices panel, you'll see a list of existing AVDs. Click New to create a new AVD. The Create New AVD dialog appears.


Give it a name (e.g. AVD_2.3.3), a platform target (e.g. Android 2.3.3 – API Level 10), an SD card size (e.g. 8 GiB), and a skin (e.g. Default(WVGA800)). You can also add specific hardware features of the emulated device by clicking the New button and selecting the feature.


Note: Be sure to define a target for your AVD that satisfies your application's Build Target (the AVD platform target must have an API Level equal to or greater than the API Level that your application compiles against).

Your AVD is now ready and you can launch an emulator with the AVD by selecting a device and clicking Start.

How to install and, uninstall android applications on the emulator


To install the application you have to obtain the application's ".apk" file in order to perform penetration testing. Use the android debug bridge (adb) that comes with the sdk to install the files into the emulator.

- Open the command prompt and browse the android sdk directory and enter the following command to install any android package file

adb install <path of the application .apk file>





- If you get any error during the installation, try the following commands:


adb kill-server

adb start-server

- If the install fails due to size problem, restart the emulator by executing the following command

emulator -partition-size 256 -memory 512 -avd newavd  

- Application can be uninstall either by using command prompt or by the emulator. To use the command prompt open "adb shell", navigate to the "app" folder and use the "rm" command to delete the ".apk" file as shown below.

- Alternatinely to uninstall the application using the emulator, navigate to menu > settings > application > manage application > select the application you want to uninstall and press uninstall.    

Setting up the Proxy Tool for Android Environment


If the application is using HTTP(s), or is a website that you are testing in the android browser, the next step is to setup a proxy tool such as Charles Proxy. There are many proxy tools like Brup Suite or Paros or Fiddler are there in the market but for me only charles proxy worked in this scenario. Now there are differnet ways to set up proxy.


Option - 1

Provide the proxy details when starting the emulator using the command below. This command is to use a proxy listening on port (For example 8888)



Option - 2

Provide the proxy details in the emulator APN settings as shown below. Navigate to home > menu > wireless & Network > Mobile Networks > Access Point Names and update the following settings:

Name : Internet
APN : Internet
Proxy : IP Address of system
Port : 8080
Username : not set
Password : not set


Option - 3


Provide the proxy details using the adb shell using the export command to set an environment variable, for example:



Option - 4


The last alternative is changing the proxy settings in the settings database from where the android web browser reads. The settings database uses SQLite. Familiarity with basic SQL commands is recommended if you plan to use this method. Change the hostname and port information appropriately is illustrated in the command below leaving everything else as is:



After setting up the proxy using any of these methods, it possible to intercept the HTTP requests sent by the emulator browser. From here forward, penetration testing is similar to that of regular web applications.
 


Setting up the iOS Test Environment

 
Again there are two main ways to test iOS based mobile applications:
 
- Either by using real device with proxy tool
- or by using device emulator with proxy tool

In this blog we will focus both methods to test the iPhone/iPad applications, using device simulator with proxy tool and using real device (like iPhone/iPad) with proxy tool.
 
Requirements:
 
- Mac Book running Snow Leopard 10.6.2 OS or above
- Download right version of Xcode for your Mac.
- Charles/Burp Suite Proxy

 
Installing the Xcode:
 
The iPhone/iPad simulator is not available for download, as an independent application. In order to use the simulator, it is necessary to install the Xcode. This complete developer toolset for creating Mac, iPhone, and iPad applications includes the Xcode IDE, performance analysis tools, iOS Simulator, and the latest Mac OS X and iOS SDKs. The simulator comes packaged with the Xcode installer. However, only registered Apple developers can download the Xcode.
 
Steps to install the Xcode:
 
Login to the apple website and browse the below URL:https://developer.apple.com/downloads/index.action?name=Xcode. Then download the appropriate version of Xcode for your Mac. After downloading the Xcode installer, locate where the .dmg file is downloaded and double click this installer and follow on screen instructions.
 
 
 
 
 
 
 
 
 
 
 
 
After successful installation a new "developer" folder will be placed under /Users//Library/Developer/ and all the tools for iPhone development and testing are located under this directory.
 
The default project folder location is
/Users/<UserName>/Library/Developer/Xcode/DerivedData
where all the project will get stored.
 

Download the Source Code to your local machine, then go to the location where you have downloaded the source code and search for .xcodeproj file which is an application file.

Then right click on the .xcodeproj file and Open with Xcode then the application will open in the respective emulator. 

 

1 comment:

  1. This is something NEW, and good for application testers..

    ReplyDelete