Interest in mobile app pen testing grows as organizations recognize the importance of mitigating security and privacy risks. Less understood and more mysterious to many, though, is how to build the skills needed to conduct manual mobile application security testing.
To shed light on the topic, NowSecure convened a virtual panel of its expert mobile pen testers at the NowSecure Connect 2022 AppSec and DevSecOps community event. The NowSecure Services team has more than a dozen years pen testing more than 11,000 mobile apps against industry standards and boasts the industry’s broadest collection of the most skilled pen testers. In addition, NowSecure security analysts have helped thousands of organizations establish successful mobile app pen testing programs.
The panelists include:
- Ben Corbitt, Application Security Analyst, NowSecure
- David Mockler, Senior Application Security Analyst
- Jeremy Murphy, Senior Application Security Analyst, NowSecure
- Devin Price, Lead Application Security Analyst, NowSecure
The group discussion highlights how mobile app pen testers got their start and honed their craft, their favorite tools for Android and iOS and best practices for mobile app pen testing. Their original conversation has been edited for length and clarity.
[Mockler] Do you need certification or formal education to become a mobile pen tester or break into cybersecurity?
[Murphy] “No. There are plenty of free and inexpensive resources out there that can teach you everything you need to become a penetration tester. To get hired, though, certifications give potential employers a way to validate your skillset.”
[Corbitt] “They’re not necessarily required, but are great for building your resume and getting your foot in the door. Certifications that include a training class like a weeklong boot camp or lab requirements can be really helpful in forcing you to learn a lot in a short period of time.”
[Price] “I would say no. I’ve seen people join bug bounties or do technical write-ups to demonstrate to employers they know how to find security vulnerabilities within mobile applications.”
[Murphy] “Have a GitHub of some of your work, a blog or HackTheBox rank to show you have the skills.”
[Mockler] How did each of you gain pen testing skills to get to where you are today?
[Price] “The best resource I used first was the more senior pen testers already on my team when I joined NowSecure. Early on, I looked through older reports of what my teammates had done to get in the mindset of how to write a detailed assessment report. In my free time, I completed pen testing training courses on TryHackMe and found some security podcasts to help me understand the exploits pen testers are doing and understand the vernacular.”
[Corbitt] “I started as a pen tester for web apps. The company also had a mobile app and nobody at the time knew how to test it. I was voluntold to get a mobile security certification and test the app.”
[Murphy] “I started at the help desk. One of my coworkers said, ‘Hey dude, you should study for Certified Ethical Hacker (CEH). He told me what it was and I thought it was cool. Then I found a podcast that lit a fire underneath me — shoutout to Jack Rhysider at Darknet Diaries. It really built my passion for this field. I started on Hack The Box and built a network of pen testers. I started in the trenches and worked my way up.”
[Mockler] “Everyone gets there in their own way, but you all took the initiative to go out and learn something new without anyone really telling you to. Curiosity is key to being a pen tester. If you don’t have curiosity, it’s going to be tough.”
[Mockler] Rolling into our next question, what kind of mobile app pen testing tools do you use?
[Price] “For Android, my go-to tool for any type of static analysis or reverse engineering is JADX, a simple Dex to Java decompiler. And for the iOS counterpart, I use Hopper which is a great disassembler that lets you decompile and debug iOS applications.”
[Corbitt] “I really like Drozer, a tool for Android apps. It’s very outdated and hard to get working sometimes. I really wish there was a more modern supported tool that does the same thing. But it’s a great tool for quickly and easily interacting with the internals of an application.”
[Murphy] “The correct answer is NowSecure Workstation. Some of the key ones are Hopper, Ghidra, Burp Suite, Postman, JADX…reFlutter on GitHub is another good one for poking around those new Flutter apps. Obviously, R2Frida is another good one we use a lot for reverse engineering.”
[Mockler] “We get asked quite a bit what are the best mobile app pen testing tools out there. It’s not necessarily what the best tools are — it’s ‘what are you trying to do?’ Depending on what type of exploit you’re going to try, you’re going to use a different tool and there’s a GitHub repo for everything.”
[Mockler] We’ve discussed what tools we use. Let’s go over what we look for with them.
[Price] “One of the first things I examine is the Android manifest file, because that’s going to tell me a lot about the application. For example, has the application been correctly signed with the correct key length? I’ll also look for some of the application’s content providers and look at any broadcast receivers to make sure those have been correctly exported. Has the application enabled a backup of user data? What does the application’s network security configuration look like? What are some of the rulings that have been set up for that? Think of the manifest file as the front door for pentesting when it comes to static analysis for an Android application.”
[Corbitt] “Drozer looks at the internals of an Android application — the activities and broadcast receivers and the like. Let’s talk about activities. If you don’t know what an activity is, think of it as a screen. If you open an Android application and it brings up a login screen, that’s an activity. And when you log in and it brings up your main menu, that’s another activity. If those activities aren’t set correctly with the proper permissions, you can directly call some activities that you weren’t meant to see without logging in first. A few years ago, there was an NFL-related app where you could subscribe to watch NFL games on your phone. There was a bug in the app where using Drozer, you could call an activity out of order to reach the section of the app where you could watch NFL games without having to login to an account or pay. You could run that activity that wasn’t set properly and watch NFL games for free. I find that really interesting, being able to call parts of the app out of order and bypass things that you’re not supposed to be able to bypass.”
[Murphy] “Using Burp Suite for the network side of things, I like to look at what kind of tokens they may be using and if there’s any reuse, make sure it’s properly valid. I like to see if the app has proper sanitizing. We’ve found a lot of mobile apps that aren’t secured against tampering. We’re able to laterally move to places we’re not supposed to. That happens to my favorite part of mobile pen testing; it’s definitely the most fun.”
[Mockler] “ API backend is a very important part of the mobile pen testing life cycle. It’s not 100% solely mobile. Most of the time, mobile apps and web apps use the same backend. I personally love using Burp Suite and tampering with anything that might look like cross-site scripting, SQL injection. If there’s an input, search bar or anything there, I’m going to attack it…If you poke at something long enough, you’ll definitely break it.”
[Mockler] Let’s talk about methodology. Let’s say I give you a brand new APK — what’s the starting point, where you end and what’s everything in between?
[Murphy] “To be able to properly assess an application, you have to understand what its goal is, what its target audience is and what it’s supposed to be used for. Research the app, use it for a bit and try to get a full understanding of its purpose. That gets me into a spot where I can start thinking about different attack vectors and ways to abuse the application. I like to go into static analysis right off the bat, open up the binary and poke around to see if I can find any hard-coded strings that shouldn’t be there.”
[Corbitt] “I agree, I like to start with static analysis. If I’m given an APK, logging into the app and seeing what’s going on is a good first step. Then decompile the APK with either APK Tool or JADX. I’ve found several hard-coded API keys that have given me access to Amazon accounts. I go to the network and API after that using a proxy with Burp Suite and look at network traffic.”
[Price] “My approach is static code first and then dynamic analysis. Jeremy mentioned a great point. If it’s a brand new app that I have never used before, I’ll try to figure out how it works first and then run a general static analysis scan to get an idea of what types of vulnerabilities the app may be susceptible to. Then I’ll follow that up with data-at-rest analysis, where I try to look for sensitive data in either the device or app’s private storage that is not protected ,but should be. Then I’ll try some reverse engineering to see if I can bypass any controls or uncover sensitive data through that method. After that, I’ll finish with a dynamic analysis of the app.”
[Mockler] “The way a mobile app pen test is supposed to go, you have that research stage and information gathering. Then static analysis and dynamic analysis before report writing. I swap static and dynamic and like to do dynamic first to see if I can find any API keys or client IDs, then go back to static analysis…No matter where you start, you always have to go back to enumeration or information gathering.”
[Mockler] What’s your favorite vulnerability?
[Murphy] “I like the idea of how [SQL injection] works and the things it can do.”
[Corbitt] “I found something very interesting one time using Burp. It turned out it was using an XOR where they were rolling their own encryption. Because of how xor works, it was basically the master key and I could decrypt every password from there on out when I found it.”
[Price] “For me, anytime there are sensitive credentials within a mobile app’s private storage that are unencrypted. I like the simple vulnerabilities that will be really easy for an attacker to exploit if they are not resolved.”
[Mockler] “We’re out of time here but I want to thank everyone on the panel for talking about mobile app pen testing methodologies.”
For those seeking to acquire or advance their mobile pen testing skills, NowSecure Academy offers free online training and paid certifications. Check out ‘Crash Course in Getting Started with Mobile App Pen Testing’ and the Mobile Application Security Foundations certificate curriculum.
To tackle the pen testing challenges of cost, frequency and coverage, we are seeing a growing trend towards Pen Testing as a Service. – Michelle Abraham, IDC Security and Trust Research Director
Mobile App Pen Testing as a Service (PTaaS)
Because organizations face difficulties in staffing experienced mobile pen testers and assembling the required pen testing tools, they often turn to expert mobile pen testing services such as the NowSecure Services team for a deep bench of talent that includes the security pros featured above. The need for a fast, frequent mobile AppSec testing solution drives demand for Mobile Pen Testing as a Service (PTaaS).
“Application development and security teams strive to deliver secure software quickly to market, balancing speed and managing risk,” said Michelle Abraham, Research Director, Security and Trust at IDC. “To tackle the pen testing challenges of cost, frequency and coverage, we are seeing a growing trend towards Pen Testing as a Service. PTaaS solutions offer a mix of continuous automated security testing and deeper manual pen testing to bring together the best of both worlds.”
NowSecure launched NowSecure Mobile Pen Testing as a Service to bridge the gap between automated and manual mobile security assessments for continuous security. Designed to provide mobile app developers and security teams with a more cost-effective, efficient pen testing solution, NowSecure PTaaS combines periodic expert manual assessments with the power of automated continuous testing to deliver full mobile app coverage at a higher frequency, all for less than the cost of a single outsourced pen test.
Customers can enjoy maximum value by choosing from on-demand and scheduled pen testing complemented by automated continuous testing for DevSecOps pipelines, all accessible from a single portal. NowSecure offers a flexible mix of standards-based pen test options that include embedded developer remediation resources, consultation and retesting to confirm mitigation. Dec Learn more about NowSecure mobile pen testing and the NowSecure PTaaS offering — sign up for a personal mobile pen testing consultation to discuss your needs today.