DeepSec 2022 Training: Mobile Security Testing Guide Hands-On (Hybrid edition) – Sven Schleier
This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.
We asked Sven a few more questions about his training.
Please tell us the top 5 facts about your training.
- Learn a holistic and consistent method for testing the security of mobile apps
- A full Penetration Test against iOS apps can also be done on a non-jailbroken device!
- Learn how to bypass Anti-Frida security controls in a mobile app with… FRIDA!
- Focus on hands-on exercises during the training with vulnerable apps built by the trainer
- You just need to have a laptop (no Android or iOS devices are needed) and be curious to figure out how to attack mobile apps
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
I was part of the initial team that took over the OWASP Mobile Security Testing Guide (MSTG) and created the OWASP Mobile Application Security Verification Standard (MASVS) project in 2016. In a great community effort over the years, we achieved OWASP Flagship status, and both projects are now the foundation of Google’s App Defense Alliance (ADA) to ensure safety in the Google Play Store. They are also referenced in various standards, like NIST in the US and mobile payment standards in the EU, and have become the industry standard for mobile security.
For the training, many vulnerable mobile apps were created as part of my research, and because of the vast amount of content and knowledge I gained, I experimented with pro-bono training for the security community in Singapore. One thing led to another, and I delivered the training at OWASP AppSec US 2018 in San Jose. Over the years, I made many iterations over the content and delivered this training in various countries around the globe, and I am looking forward to doing it in a hybrid setup for DeepSec in November this year.
Why do you think this is an important topic?
Web application penetration testing has matured over the years, and a common method has been adopted by the wider community. From our experience, however, we learnt that mobile penetration testing is often mistaken for being the same as web penetration testing. The threat landscape, test method and exploitation techniques are different, though.
To name a few differences, there are additional hardware features such as biometric authentication (Touch ID and Face ID) and the usage of deep links that may introduce a gaping hole in your application. Moreover, there are security controls like jailbreak detection or SSL pinning that can complicate your usual security testing approach.
Also, some known vulnerabilities from the web app pen testing world are only partly applicable, or not applicable at all, to mobile apps. If a mobile app doesn’t have a WebView, then a Cross-Site Scripting (XSS) JavaScript payload will never be rendered and executed. Likewise, Cross-Site Request Forgery (CSRF) is something that cannot easily be exploited in a mobile app.
As mobile technology evolves and mobile security takes shape, there will be a lot of missed opportunities and inaccurate evaluations if the usual web penetration testing approach is taken. A lot of things can be mapped from web app to mobile app testing, but you need to understand the differences to test it the right way and also understand the risk tied to the vulnerabilities, so you can communicate the potential impact accordingly to the teams and customers.
Is there something you want everybody to know – some good advice for our readers, maybe?
If you are about to start in mobile app penetration testing, the best advice is to get your hands dirty. The approach that you apply for attacking other technologies also applies to mobile apps, which means:
- Build an app (understand it)
- Attack it (break it)
This is usually how you learn it best, and you also get used to the developer toolchain, which helps during the analysis of mobile apps.
If you are a pure breaker, download one of the many vulnerable apps that are already available. A summary can be found here: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md#vulnerable-applications
If you are interested in one specific test case, like for example analysis of sensitive data in iOS Apps, just go to the OWASP Mobile Security Testing Guide (MSTG) (https://mobile-security.gitbook.io/mobile-security-testing-guide/) and read through it and apply it to your scenario. As with everything in life, practice is key!
Otherwise, these are some other resources we personally love to learn from:
– https://twitter.com/mobilesecurity – curates the latest mobile security-related news, tools, bugs and rumors.
– https://maddiestone.github.io/AndroidAppRE/ – Great Android Reverse Engineering guide by Maddie Stone
– https://hackerone.com/bagipro – All public bug bounty reports by Bagipro, who specialises in finding bugs in Android apps
Another way is to just go for one of the various bug bounty programs out there. Many times they also cover mobile apps.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
Mobile apps are omnipresent nowadays, and many start-ups and even big enterprises follow the “mobile first” approach, so we have a zoo of various frameworks and programming languages out there to produce mobile apps. This creates a lot of complexity through various code bases, not only for the developers, but also for the security researchers and testers.
To reduce this complexity, some companies are experimenting with Progressive Web Apps, or PWAs. These are web apps running in a WebView that can use some of the native features of the mobile phone, like push notifications. So we might see a shift to more PWAs in the future, as companies also want to avoid the 30% cut in the Apple App Store and Google Play Store. This will definitely be an interesting topic in the next years, and if PWAs become more successful, then testing would become more similar to a web app penetration test again.
Another topic would be around testing itself. Some researchers are already testing iOS apps on their Apple Silicon machines, and it will be interesting to see if iOS app testing on a macOS device will become the default in the upcoming years. As Apple Silicon is ARM64-based, the CPU architecture is now the same as on iOS devices, which is the foundation for installing and running IPA files and even apps from the App Store on macOS.
Another trend we are expecting is a stronger focus on privacy-related vulnerabilities. We have seen that the general public has become more educated about privacy. Android and Apple are gradually making application permissions more granular, and Apple recently introduced a pro-privacy policy on advertisement tracking. These are great wins, but changes to the operating systems are usually slow and monumental. We expect that data collection will continue to happen, as it’s also part of the business model for many app creators and companies, and we have seen third-party SDKs or libraries collect data without the knowledge of developers and users. It will be no surprise to see a demand for identifying app components that may violate personal privacy, and we are planning to include this as part of our mobile security course in the future.
Sven made several stops at big consultancy companies and small boutique firms in Germany and Singapore and specialised in Application Security and Penetration Testing.
Besides his day job, Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS). Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.