Q&A: What Is It Like to Be a Mobile App Pen Tester?
Posted by Amy Schurr
Because NowSecure was founded as a mobile application forensics company a decade ago, penetration testing is built into our DNA. We’ve tested thousands of Android and iOS apps on behalf of our customers, uncovered some scary vulnerabilities and helped customers improve the security of their mobile apps.
The following is the third installment of an occasional Q&A interview series to highlight key roles and responsibilities of our passionate NowSecure team members who stay abreast of the latest threat vectors through industry-leading research, open-source sponsorship and continuous exploration of mobile risks and vulnerabilities. In this discussion, we shine the spotlight on Rono Dasgupta, a mobile security analyst with the NowSecure services team and veteran black box pen tester.
Q: How long have you been with NowSecure?
A: Two and a half years, including my internship while I was earning my master’s in security informatics at Johns Hopkins.
Q: Why did you join the company?
A: I had a background in web security and cryptography and wanted to branch out into a new and exciting field. I spotted NowSecure on a list of leading mobile security vendors.
Q: Where are you based?
Q: What do you do as a mobile security analyst?
A: I pen test our clients’ mobile applications and backends to look for security vulnerabilities and help resolve them. Sometimes we pen test web apps and connected devices, too.
Q: What is your day typically like?
A: Every day is different. For the past couple of weeks, I’ve been testing apps non-stop. I test multiple apps a day and also work on maintaining side projects (e.g. differential analysis), improving our pen testing process and assisting others in the company. Finally, I participate in our task force with services, engineering and research, and test new features and debug issues in our products.
I prioritize tasks based on deadlines from our customers as well as any internal cycles. We always focus on getting high-quality results out to the customer as soon as possible.
Q: What are you working on today?
A: Today I have to test two major financial apps — a major banking app on Android and iOS and another financial app. I’m also helping my colleague Michael Krueger find bugs in the new report writing tool he built for our team. I also have to check the status of our recent differential analysis runs and resolve any issues.
Q: Generally how long does it take to pen test a mobile app?
A: It depends. Complex apps require that the customer provides us with any necessary credentials and app/architecture information. If everything is working as intended, a NowSecure services-based pen test usually gets completed within a few days to about a week leveraging our expertise, NowSecure software and a variety of tools.
Q: How do you attack a mobile app?
A: The services team uses NowSecure Workstation, an awesome forensics/network/reverse engineering tool that enables us to do static, dynamic and behavioral analysis from a single product. The GUI-based tool helps the tester perform a security test using an organized and reliable approach. My personal testing approach is to look for entry points — anywhere user input is introduced. I then look at how that data gets processed by the app and its servers.
To reverse engineer the app, I disassemble/decompile the app executable and its libraries and examine the assembly/pseudocode. I use open source tools built by the NowSecure research team such as Radare2 to disassemble and patch apps and Frida to bypass app protections and instrument apps.
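As an added illustration of the “look for entry points” approach described above, here is a small Python script that is not NowSecure’s code and is not from this interview. It lists the externally reachable components of an Android app from its AndroidManifest.xml as decoded by apktool (plain XML rather than the binary format inside the APK), applying Android’s default-export rule: an explicit android:exported wins; otherwise a component with an intent filter is exported, and a content provider without an explicit value is exported only for apps targeting API level 16 or lower. The manifest embedded below, the package name and every component name in it are constructed for the example.

```python
"""Enumerate Android app entry points from a decoded AndroidManifest.xml.

Added example, not NowSecure's tooling. Assumes the manifest was decoded
with apktool so that it is ordinary XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest for illustration; not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:name=".App">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="bankapp" android:host="transfer"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DocsProvider"
              android:authorities="com.example.bank.docs"
              android:exported="true"
              android:grantUriPermissions="true"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, target_sdk=31):
    """Apply Android's default-export rule for one component element."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        # Providers ignore intent filters; they defaulted to exported only
        # for apps targeting API level 16 or lower.
        return target_sdk < 17
    # Activities, services and receivers: exported by default only when they
    # declare at least one intent filter (API 31+ requires an explicit value
    # in that case, but older targets still rely on this default).
    return component.find("intent-filter") is not None


def entry_points(manifest_xml, target_sdk=31):
    """Return a list of dicts describing every exported component."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        name = _attr(comp, "name") or ""
        if name.startswith("."):
            name = package + name  # expand the shorthand relative class name
        found.append({
            "type": comp.tag,
            "name": name,
            # A permission attribute narrows who may reach the component.
            "permission": _attr(comp, "permission"),
            "actions": [_attr(a, "name") for a in comp.iter("action")],
            "schemes": sorted({_attr(d, "scheme") for d in comp.iter("data")
                               if _attr(d, "scheme")}),
            # BROWSABLE means a web page or link can launch it.
            "browsable": any(_attr(c, "name") == "android.intent.category.BROWSABLE"
                             for c in comp.iter("category")),
        })
    return found


if __name__ == "__main__":
    for ep in entry_points(SAMPLE_MANIFEST):
        guard = ep["permission"] or "no permission"
        extra = f" schemes={ep['schemes']}" if ep["browsable"] else ""
        print(f"{ep['type']:<9} {ep['name']} ({guard}) actions={ep['actions']}{extra}")
```

Each line of output is a place where data from outside the app can arrive (an intent, a deep-link URI, a content URI), which is where the tester then follows the data into the handling code and the backend calls it triggers. Components that are exported without a permission, and BROWSABLE activities in particular, usually go to the top of the list.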
Q: What other tools do you like?
A: We couldn’t do many of our network/backend tests without proxies like Burp Suite and mitmproxy. For Android, I like apktool, which is a decompiler. I also use Hopper, IDA Pro, Drozer and Needle from time to time.
Q: How do you collaborate with your teammates?
A: When a customer sends us a binary to test, it’s usually an Android app or an iOS app. Sometimes you also have IoT devices included with these assessments. We divide work within the team to focus on specific areas such as network and backend testing, forensics and reverse engineering. Collaboration is also important because you need someone to cross-check your findings.
Q: What skills make a mobile app pen tester successful?
A: Determination as well as attention to detail — testing apps can be a lengthy and tiresome process. You need to have a wide range of skills from areas like information security and computer science. You need to understand how systems work and communicate with each other and where and how risk can be introduced. And skills such as threat modeling are vital.
Customers send us their binaries, they don’t send us the source code. So you need to have a “blackbox testing” mindset to test the app from an attacker’s perspective.
In terms of personality traits, you need to be adaptable and a multitasker. It helps if you don’t need much sleep (jk). Creativity is also a huge bonus.
Q: What’s an example of a recent challenge you encountered?
A: Just last week, we had to test a fully functional banking app with a lot of features and deliver a full report with a turnaround time of only one day. The client was on deadline and our team pulled together to meet their needs. We’re all about teamwork and focus on the client at NowSecure.
Q: What do you like best about pen testing?
A: I get to test real apps and it’s fun to see my friends using apps I’ve tested. It’s also fun and challenging to test things like connected devices or complex authentication architectures because you come across a lot of interesting issues you would not have thought of otherwise.
Q: What do you like least?
A: The lack of sleep.
Q: How can others get in the field?
A: As I mentioned before, you need a wide variety of skills. Understanding distributed systems, networks, basic cryptography and being able to read/write code are prerequisites. Aside from that, a fundamental understanding of common security vulnerabilities and how to resolve them can take you a long way (see OWASP).
Q: Finally. What mobile device do you carry?
A: I have an Apple iPhone XS. I was a Google Pixel user and longtime Android fanboy before but I love my iPhone! I also have an Apple Watch.
To learn about mobile pen testing practices, watch the recorded webinar featuring Rono and fellow Mobile Security Analyst Tony Ramirez. To peer into the roles of others who make NowSecure run, check out our interviews with Jeff Fairman, senior vice president of product and engineering, and Francesco Tamagni, a senior mobile security researcher. And finally, obtain expert assistance with pen testing, mobile application security assessments and consulting by reaching out to our services team.