DeepSec 2024 Training: The Mobile Playbook: Dissecting iOS and Android Apps – Sven Schleier
This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.
We asked Sven a few more questions about his training.
Please tell us the top 5 facts about your training.
- Focus: The course teaches penetration testing of Android and iOS apps using the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is an open-source documentation project that summarises techniques for penetration testing and reverse engineering of mobile apps.
- Hands-on Experience: We will go through many labs and real-world scenarios with customized apps. Many of the labs can be done offline at your own pace after the training. All labs will have detailed instructions you can follow to complete them.
- iOS and Android devices provided: Each student will receive emulated devices via Corellium, eliminating the need for personal devices during the training. You will have a jailbroken iOS device and a rooted Android device during the 2-day training.
- Key Topics: Learn a holistic and consistent method for testing the security of mobile apps, including reverse engineering, dynamic instrumentation with Frida, intercepting network traffic and bypassing security mechanisms in mobile apps.
- Completion Benefits: Participants receive detailed course materials, a certificate, and continued support via Slack.
To attend the training, you only need a laptop (no Android or iOS device is needed) and curiosity to figure out how to attack mobile apps.
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
I was executing many tests against mobile apps 10 years back, but there was no centralized documentation, only many fragmented bits and pieces on how to assess iOS and Android apps.
Because of this, I was part of the initial team that was taking over the OWASP Mobile Application Security Testing Guide (MASTG) and created the OWASP Mobile Application Security Verification Standard (MASVS) project in 2016. In a great community effort over the years, we were able to achieve OWASP Flagship status and both projects are now the foundation of Google’s App Defense Alliance (ADA) to ensure safety in the Google Play Store and are also referenced in various standards, like NIST in the US and mobile payment standards in the EU and have become the industry standard for mobile security.
For the training, many vulnerable mobile apps were created as part of my research, and because of the vast amount of content and knowledge I gained, I experimented with pro-bono training for the security community in Singapore. One thing led to the other, and I delivered the training at OWASP AppSec US 2018 in San Jose. Over the years, I made many iterations over the content and delivered this training in various countries around the globe, and I am looking forward to doing it in a hybrid setup for DeepSec in November this year.
Why do you think this is an important topic?
Web application penetration testing has matured over the years and a common method has been adopted by the wider community. In our experience, however, mobile penetration testing was often mistaken for being the same as web penetration testing. The threat landscape, test method and exploitation techniques are different.
To name a few, there are additional hardware features such as biometric authentication (Face ID) and the usage of deep links that may introduce a gaping hole in your application. Moreover, there are security controls like jailbreak detection or SSL pinning that can complicate your usual security testing approach.
Also, some known vulnerabilities from the web app pen testing world are only partly or not at all applicable to mobile apps. If a mobile app doesn't have a WebView, then a JavaScript payload of a Cross-Site Scripting attack will never be rendered and executed. Also, Cross-Site Request Forgery (CSRF) is something that cannot easily be exploited in a mobile app.
As mobile technology evolves and mobile security takes its shape, there will be a lot of missed opportunities and inaccurate evaluations if the usual web penetration testing approach is taken. A lot of things can be mapped from web app to mobile app testing, but you need to understand the differences to test it the right way and also understand the risk tied to the vulnerabilities, so you can communicate the potential impact accordingly to the teams and customers.
Is there something you want everybody to know – some good advice for our readers, maybe?
If you are about to start in mobile app penetration testing, the best advice is to get your hands dirty. The approach that you are applying for attacking other technologies is also applicable to mobile apps. Which means:
- Build an App (understand it)
- Attack it (break it)
This is how you usually learn it the best and you are also getting used to the developer toolchain, which also helps during analysis of mobile apps.
If you are a pure breaker, download one of the many vulnerable apps that are already available. A summary can be found here:
https://mas.owasp.org/crackmes/
https://mas.owasp.org/MASTG/apps/
If you are interested in one specific test case, like for example analysis of sensitive data in iOS Apps, just go to the OWASP Mobile Application Security Testing Guide (MASTG) (https://mas.owasp.org/MASTG/) and read through it and apply it to your scenario. As with everything in life, practice is key!
Another way is to just go for one of the various bug bounty programs out there. Many times, they are also applicable to mobile apps.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
Mobile Apps are omnipresent nowadays and many start-ups and even big enterprises follow the “mobile first” approach and we have a zoo of various frameworks and programming languages out there to produce mobile apps. This creates a lot of complexity through various code bases, not only for the developers but also for the security researchers and testers.
To reduce this complexity, some companies are experimenting with Progressive Web Apps, or PWAs. These are web apps running in a WebView that can still use some of the native features of the mobile phone, like push notifications. So we might see a shift to more PWAs in the future, as companies also want to avoid the 30% cut in the Apple App Store and Google Play Store. This will definitely be an interesting topic in the next years, and if PWAs become more successful, then the testing would become more similar to a web app penetration test again.
Another topic would be around testing itself. Some researchers are already testing iOS apps on their Apple Silicon machines, and it will be interesting to see if iOS app testing on a macOS device will become the default in the upcoming years. As Apple Silicon is ARM64 based, the CPU architecture is now the same as on iOS devices, which is the foundation that allows installing and running IPA files and even apps from the App Store on macOS.
Another trend we are expecting is a stronger focus on privacy-related vulnerabilities. We have seen that the general public has become more educated about privacy. Android and Apple are gradually making application permissions more granular, and Apple has a pro-privacy policy towards advertisement tracking. These are great wins, but changes on the operating systems are usually slow and monumental. We expect that data collection will continue to happen, as it's also part of the business model for many app creators and companies, and we have seen third-party SDKs or libraries collect data without the knowledge of developers and users. It will be no surprise to see a demand for identifying app components that may violate personal privacy, and this has also now become its own category in the OWASP MASVS (see https://mas.owasp.org/MASVS/12-MASVS-PRIVACY/).
Sven, an application and cloud security expert living in Austria, is the co-founder of Bai7 Consulting together with his wife Bettina. With extensive experience in the delivery of many offensive security engagements, he also provides support and guidance on software development projects for mobile and web applications throughout the SDLC.
Since 2016, Sven has been a project leader and co-author of the OWASP Mobile AppSec Testing Guide (MASTG) and OWASP Mobile AppSec Verification Standard (MASVS). He has conducted technical talks and workshops at various conferences since 2018 in the EU, USA, South-east Asia and ANZ for developers, penetration testers, and students.