When you don't know where to start, start from a threat model. I think about any application in a way like the following:
A threat model can be any comfortable to you.
If to imagine any application as a black box, the imaginary boundary could be drawn around the box: the external perimeter where the data flows from/to the outer world.
Static analysis ("grepping") will give you some initial basic ideas: just use
grep to find 'http://' links, passwords or any suspicious stuff. Basically, such frameworks like MobSF gives you a lot of info (but not enough) about APK on the initial step of Android application analysis. Application permissions will give you an idea what kind of personal info the application may potentially gather.
Dynamic analysis (tracing/debugging) will give you the actual picture of what happens in the application: sessions identifier, outgoing traffic, plain data before the encryption.
Sniff HTTPS Traffic using MITM Proxy (SSL proxy)
View the traffic that application sends to the network via HTTPS. You may need it to verify PII leaks or analyze protocols of application level (e.g. RESTful API). It's a good starting point, as you analyze application as a black-box.
Even using SSL proxy you may see that some traffic cannot be decrypted, and it means that application uses either the default system certificate storage excluding user certificates, or certificate pinning for particular URLs.
- You don't want to waste your time, so try to find a
TrustManagerimplementation in a case of Android application to see how the chain of trust is configured.
- You might have to modify system certificate storage on the rooted/jailbroken device to overcome the issue.
- Use certificate unpinning techniques on the rooted/jailbroken device to change the pinned certificate and analyze the traffic (e.g. https://github.com/ac-pm/SSLUnpinning_Xposed; another option - modify and re-pack the application).
iOS Application Security Testing
- Jailbreak iOS device for the further security research.
- Connect device to the same network (e.g. Wi-Fi network).
- Install Frida (https://frida.re), SSH daemon.
- Connect to device via SSH (
ssh email@example.com, login:
alpine). Traverse file system using bash tools; use
scpto copy some files from the phone to the host.
- Install iOS application from App Store, extract IPA (iOS application package), test it with MobSF.
- Decrypt application using frida-ios-decrypt, Clutch, dumpdecrypted.dylib.
- Trace filesystem, network, encryption:
frida-trace -m "-[NSFileManager fileExistsAtPath:]" -U <pid/appname> frida-trace -m "-[NSURLSession dataTaskWithRequest*]" -U <pid/appname> frida-trace -i CCCrypt -U <pid/appname>
Android Application Security Testing
- Not mandatory, but you should get a rooted device to simplify the further security assessment.
- Test APK with MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF. MobSF gives much more insights about Android app than about iOS app.
classes.dexfrom APK file, use
greplooking for http links, password, key, paths.
- Use jadx (
jadx-gui) to decompile APK (just skip
d2j-dex2jartool cause it's pretty outdated nowadays). Even better:
- Use Frida (https://frida.re). To avoid rooting, use
frida-gadget: it's is the library which you have to insert into APK, re-pack/re-sign and then
adb install -r you-self-signed-with-gadget.apk. Then run application and then
frida-trace -U Gadget.
- Look into
libs/subdirectory of APK: if there are native shared libraries inside, then you may use
strings libblabla.so | grep passwordand
r2 libblabla.soto do some reverse engineering using Radare2 (or use IDA, but it's not free).
- Many of the tools above use
apktoolunder the hood. I would recommend to install the version
apktool 2.4.1and higher to save your time catching the errors related to the older versions.
Use OWASP MSTG to Get More Ideas
It is here: OWASP Mobile Security Testing Guide