Mobile Application Penetration Testing
eBook - ePub

Mobile Application Penetration Testing

  1. 312 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Mobile Application Penetration Testing

About this book

Explore real-world threat scenarios, attacks on mobile applications, and ways to counter them

About This Book

  • Gain insights into the current threat landscape of mobile applications in particular
  • Explore the different options that are available on mobile platforms and prevent circumventions made by attackers
  • This is a step-by-step guide to setting up your own mobile penetration testing environment

Who This Book Is For

If you are a mobile application evangelist, mobile application developer, information security practitioner, penetration tester on infrastructure web applications, an application security professional, or someone who wants to learn mobile application security as a career, then this book is for you. This book will provide you with all the skills you need to get started with Android and iOS pen-testing.

What You Will Learn

  • Gain an in-depth understanding of Android and iOS architecture and the latest changes
  • Discover how to work with different tool suites to assess any application
  • Develop different strategies and techniques to connect to a mobile device
  • Create a foundation for mobile application security principles
  • Grasp techniques to attack different components of an Android device and the different functionalities of an iOS device
  • Get to know secure development strategies for both iOS and Android applications
  • Gain an understanding of threat modeling mobile applications
  • Get an in-depth understanding of both Android and iOS implementation vulnerabilities and how to provide counter-measures while developing a mobile app

In Detail

Mobile security has come a long way over the last few years. It has transitioned from "should it be done?" to "it must be done!"Alongside the growing number of devises and applications, there is also a growth in the volume of Personally identifiable information (PII), Financial Data, and much more. This data needs to be secured.

This is why Pen-testing is so important to modern application developers. You need to know how to secure user data, and find vulnerabilities and loopholes in your application that might lead to security breaches.

This book gives you the necessary skills to security test your mobile applications as a beginner, developer, or security practitioner. You'll start by discovering the internal components of an Android and an iOS application. Moving ahead, you'll understand the inter-process working of these applications. Then you'll set up a test environment for this application using various tools to identify the loopholes and vulnerabilities in the structure of the applications. Finally, after collecting all information about these security loop holes, we'll start securing our applications from these threats.

Style and approach

This is an easy-to-follow guide full of hands-on examples of real-world attack simulations. Each topic is explained in context with respect to testing, and for the more inquisitive, there are more details on the concepts and techniques used for different platforms.

Tools to learn more effectively

Saving Books

Saving Books

Keyword Search

Keyword Search

Annotating Text

Annotating Text

Listen to it instead

Listen to it instead

Information

Publisher
Packt Publishing
Year
2016
eBook ISBN
9781785883378
Edition
1
Topic
Computer Science
Subtopic
Hardware
Index
Computer Science

Mobile Application Penetration Testing

Table of Contents

Mobile Application Penetration Testing
Credits
About the Author
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. The Mobile Application Security Landscape
The smartphone market share
The android operating system
The iPhone operating system (iOS)
Different types of mobile applications
Native apps
Mobile web apps
Hybrid apps
Public Android and iOS vulnerabilities
Android vulnerabilities
iOS vulnerabilities
The key challenges in mobile application security
The impact of mobile application security
The need for mobile application penetration testing
Current market reaction
The mobile application penetration testing methodology
Discovery
Analysis/assessment
Exploitation
Reporting
The OWASP mobile security project
OWASP mobile top 10 risks
Vulnerable applications to practice
Summary
2. Snooping Around the Architecture
The importance of architecture
The Android architecture
The Linux kernel
Confusion between Linux and the Linux kernel
Android runtime
The java virtual machine
The Dalvik virtual machine
Zygote
Core Java libraries
ART
Native libraries
The application framework
The applications layer
Native Android or system apps
User-installed or custom apps
The Android software development kit
Android application packages (APK)
AndroidManifest.xml
The structure of the Android manifest file
Android application components
Intent
Activity
Services
Unbound or start services
Bound service
Broadcast receivers
Content providers
Android Debug Bridge
Application sandboxing
Application signing
Secure inter-process communication
The Binder process
The Android permission model
The Android application build process
Android rooting
iOS architecture
Cocoa Touch
Media
Core services
Core OS
iOS SDK and Xcode
iOS application programming languages
Objective-C
The Objective-C runtime
Swift
Understanding application states
Apple's iOS security model
Device-level security
System-level security
An introduction to the secure boot chain
System software authorization
Secure Enclave
Touch ID
Data-level security
Data-protection classes
Keychain data protection
Changes in iOS 8 and 9
Network-level security
Application-level security
Application code signing
The iOS app sandbox
iOS isolation
Process isolation
Filesystem isolation
ASLR
Stack protection (non-executable stack and heap)
Hardware-level security
iOS permissions
The iOS application structure
Jailbreaking
Why jailbreak a device?
Types of jailbreaks
Untethered jailbreaks
Tethered jailbreaks
Semi-tethered jailbreaks
Jailbreaking tools at a glance
The Mach-O binary file format
Inspecting a Mach-O binary
Property lists
Exploring the iOS filesystem
Summary
3. Building a Test Environment
Mobile app penetration testing environment setup
Android Studio and SDK
The Android SDK
The Android Debug Bridge
Connecting to the device
Getting access to the device
Installing an application to the device
Extracting files from the device
Storing files to the device
Stopping the service
Viewing the log information
Sideloading apps
Monkeyrunner
Genymotion
Creating an Android virtual emulator
Installing an application to the Genymotion emulator
Installing the vulnerable app to Genymotion
Installing the Genymotion plugin to Android Studio
ARM apps and Play Store in Genymotion
Configuring the emulator for HTTP proxy
Setting up the proxy in Wi-Fi settings
Setting up the proxy on mobile carrier settings
Google Nexus 5 – configuring the physical device
The iOS SDK (Xcode)
Setting up iPhone/iPad with necessary tools
Cydia
BigBoss tools
Darwins CC tools
iPA Installer
Tcpdump
iOS SSL kill-switch
Cycript, Clutch, and class-dump
SSH clients – PuTTy and WinSCP
iFunbox at glance
Accessing SSH without Wi-Fi
Accessing SSH with Wi-Fi
Installing DVIA to the device
Configuring the HTTP proxy in Apple devices
Emulator, simulators, and real devices
Simulators
Emulators
Pros
Cons
Real devices
Pros
Cons
Summary
4. Loading up – Mobile Pentesting Tools
Android security tools
APKAnalyser
The drozer tool
Installing drozer on Genymotion
APKTool
How to make apps debuggable?
The dex2jar API
JD-GUI
Androguard
Isn't Androguard only a malware analysi...

Table of contents

  1. Mobile Application Penetration Testing

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn how to download books offline
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 990+ topics, we’ve got you covered! Learn about our mission
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more about Read Aloud
Yes! You can use the Perlego app on both iOS and Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Yes, you can access Mobile Application Penetration Testing by Vijay Kumar Velu in PDF and/or ePUB format, as well as other popular books in Computer Science & Hardware. We have over one million books available in our catalogue for you to explore.