DeepSec 2020 Online Training: Mobile Security Testing Guide Hands-On – Sven Schleier & Ryan Teoh
This online course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven and Ryan will share their experience and many small tips and tricks to attack mobile apps.
We asked Sven and Ryan a few more questions about their training.
Please tell us the top 5 facts about your training.
- Learn a holistic methodology for testing the security of mobile apps
- A full Penetration Test against iOS apps can also be done on non-jailbroken devices!
- Learn how to bypass Anti-Frida security controls in a mobile app with Frida
- Focus on hands-on exercises during the training with vulnerable apps built by the trainers
- You just need to have a laptop (no Android or iOS devices are needed) and be curious to figure out how to attack mobile apps
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
Sven was part of the initial team that was taking over the OWASP Mobile Security Testing Guide (MSTG) and created the OWASP Mobile Application Security Verification Standard (MASVS) project in 2016. In a great community effort over the years we were able to achieve OWASP Flagship status, and both projects are referenced in various standards, like NIST in the US and mobile payment standards in the EU, and have become the industry standard for mobile security. Ryan supported the project in the early stage, has a passion for mobile security and reverse engineering, and is sharing his knowledge with the community.
We created many vulnerable mobile apps together as part of our research and, due to the vast amount of content and knowledge we gained, we experimented with pro-bono training for the security community in Singapore. One thing led to another and we delivered the training at OWASP AppSec US 2018 in San Jose. Over the years we made many iterations over the content and delivered this training in various countries around the globe, and are looking forward to doing it virtually for DeepSec in November this year.
Why do you think this is an important topic?
Web application penetration testing has matured over the years and a common methodology has been adopted by the wider community. Whereas, according to our experience, mobile penetration testing was often mistaken to be similar to web penetration testing in terms of skills. However, the threat landscape, test methodology and exploitation techniques are different.
To name a few, there are additional hardware features such as biometric authentication (Touch and Face ID), remote procedure calls between mobile apps and the usage of Deeplinks that may introduce a gaping hole in your application. Moreover, security controls like Jailbreak detection or SSL Pinning can complicate your usual security testing approach.
Also, some known vulnerabilities from the web app pen testing world are only partly or not applicable to mobile apps. If a mobile app doesn’t have a WebView, then a JavaScript payload of a Cross-Site Scripting attack will never be rendered and executed. Also, Cross-Site Request Forgery (CSRF) is something that cannot easily be exploited in a mobile app.
As mobile technology is evolving and mobile security is taking its shape, there will be a lot of missed opportunities and inaccurate evaluations if the usual web penetration testing approach were taken. A lot of things can be mapped from Web App to Mobile App testing, but you need to understand the differences to test it the right way and also understand the risk tied to the vulnerabilities, so you can communicate the potential impact accordingly to the teams and customers.
Is there something you want everybody to know – some good advice for our readers maybe?
If you are about to start in mobile app penetration testing, the best advice is to get your hands dirty. The approach that you are applying for attacking other technologies is also applicable for mobile apps. Which means:
- Build an App (understand it)
- Attack it (break it)
This is how you usually learn it the best and you are also getting used to the developer toolchain which also helps during analysis of mobile apps.
If you are a pure breaker, download one of the many vulnerable apps that are already available. A summary can be found here: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md#vulnerable-applications
If you are interested in one specific test case, like for example analysis of sensitive data in iOS Apps, just go to the OWASP Mobile Security Testing Guide (MSTG) (https://mobile-security.gitbook.io/mobile-security-testing-guide/) and read through it and apply it to your scenario. As with everything in life, practice is key!
Otherwise, these are some other resources we personally love to learn from:
- https://twitter.com/mobilesecurity_ curates the latest mobile security-related news, tools, bugs and rumours.
- https://maddiestone.github.io/AndroidAppRE/ – Great Android Reverse Engineering guide by Maddie Stone
- https://hackerone.com/bagipro – All public bug bounty reports by Bagipro, who is specialised in finding bugs in Android Apps
Another way is to just go for one of the various bug bounty programs out there. Many times it’s also applicable for mobile apps.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
Mobile Apps are omnipresent nowadays and many start-ups and even big enterprises follow the “mobile first” approach and we have a zoo of various frameworks and programming languages out there to produce mobile apps. This creates a lot of complexity through various code bases, not only for the developers, but also for the security researchers and testers.
To reduce this complexity some companies are experimenting with Progressive Web Apps or PWAs. These are web apps running in a webview but are able to use some of the native features of the mobile phone, like push notifications. So we might see a shift to more PWAs in the future, as companies also want to avoid the 30% cut in the Apple App Store and Google Play Store. This will definitely be an interesting topic in the next years, and if PWAs become more successful then the testing would become more similar to a web app penetration test again.
Another topic would be around testing. It will be interesting to see if testing will be possible on a macOS device in the upcoming years, due to the recent introduction of Apple Silicon. As Apple Silicon is ARM64 based, the CPU architecture now becomes the same as on iOS devices. This would be the foundation to allow installing and running IPA files and even apps from the App Store on macOS.
Another trend we are anticipating is a stronger focus on privacy-related vulnerabilities. We have seen that the general public has become more educated about privacy. Android and Apple are gradually granularizing the permissions of applications, and Apple has recently introduced a pro-privacy policy on advertisement tracking. These are great wins, but changes on the Operating Systems are usually slow and monumental. We anticipate that data collection will continue to happen, as it’s also part of the business model for many app creators and companies, and we have seen third-party SDKs or libraries collect data without the knowledge of developers and users. It will be no surprise to see a demand in identifying app components that may violate personal privacy, and we will include this as part of our mobile security course in the future.
Sven made several stops at big consultant companies and small boutique firms in Germany and Singapore and became specialised in Application Security. Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.
Ryan Teoh (OSCE, OSCP, CRT) is a Security Engineer with a strong focus on Mobile Security. He spends a considerable amount of time on iOS kernel exploitation, contributing to the iOS security testing chapter and the iOS Crackmes which are part of the OWASP Mobile Security Testing Guide. That aside, he is active on both private and public bug bounty programs and has successfully bagged several critical mobile security bugs. Ryan is a strong believer in knowledge sharing and initiated a security blog on top of facilitating workshops for security engineers, developers and students about mobile security, dynamic instrumentation and reverse engineering of mobile applications.