DeepSec 2020 Online Training: Mobile Security Testing Guide Hands-On — Sven Schleier & Ryan Teoh

This online course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven and Ryan will share their experience and many small tips and tricks to attack mobile apps.

We asked Sven and Ryan a few more questions about their training.

Please tell us the top 5 facts about your training.

  • A full Penetration Test against iOS apps can also be done on non-jailbroken devices!
  • Learn how to bypass Anti-Frida security controls in a mobile app with Frida
  • Focus on hands-on exercises during the training with vulnerable apps built by the trainers
  • You just need to have a laptop (no Android or iOS devices are needed) and be curious to figure out how to attack mobile apps

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

We created many vulnerable mobile apps together as part of our research and, due to the vast amount of content and knowledge we gained, we experimented with pro-bono training for the security community in Singapore. One thing led to another and we delivered the training at OWASP AppSec US 2018 in San Jose. Over the years we made many iterations over the content and delivered this training in various countries around the globe, and we are looking forward to doing it virtually for DeepSec in November this year.

Why do you think this is an important topic?

To name a few, there are additional hardware features such as biometric authentication (Touch ID and Face ID), remote procedure calls between mobile apps and the usage of Deeplinks that may introduce a gaping hole in your application. Moreover, there are security controls like Jailbreak detection or SSL Pinning that can complicate your usual security testing approach.

Also, some known vulnerabilities from the web app pen testing world are only partly applicable or not applicable at all to mobile apps. If a mobile app doesn’t have a WebView, then the JavaScript payload of a Cross-Site Scripting attack will never be rendered and executed. Also, Cross-Site Request Forgery (CSRF) is something that cannot easily be exploited in a mobile app.

As mobile technology is evolving and mobile security is taking shape, there will be a lot of missed opportunities and inaccurate evaluations if the usual web penetration testing approach is taken. A lot of things can be mapped from Web App to Mobile App testing, but you need to understand the differences to test it the right way and also understand the risk tied to the vulnerabilities, so you can communicate the potential impact accordingly to the teams and customers.

Is there something you want everybody to know — some good advice for our readers maybe?

  • Build an App (understand it)
  • Attack it (break it)

This is how you usually learn it the best and you are also getting used to the developer toolchain which also helps during analysis of mobile apps.

If you are a pure breaker, download one of the many vulnerable apps that are already available. A summary can be found here: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md#vulnerable-applications

If you are interested in one specific test case, like for example analysis of sensitive data in iOS Apps, just go to the OWASP Mobile Security Testing Guide (MSTG) ( https://mobile-security.gitbook.io/mobile-security-testing-guide/) and read through it and apply it to your scenario. As with everything in life, practice is key!

Otherwise, these are some other resources we personally love to learn from:

Another way is to just go for one of the various bug bounty programs out there. Many times it’s also applicable for mobile apps.

A prediction for the future — what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

To reduce this complexity some companies are experimenting with Progressive Web Apps or PWAs. These are web apps running in a webview but are able to use some of the native features of the mobile phone, like push notifications. So we might see a shift to more PWAs in the future, as companies also want to avoid the 30% cut in the Apple App Store and Google Play Store. This will definitely be an interesting topic in the next years, and if PWAs become more successful, then the testing would become more similar to a web app penetration test again.

Another topic would be around testing. It will be interesting to see if testing will be possible on a macOS device in the upcoming years, due to the recent introduction of Apple Silicon. As Apple Silicon is ARM64 based, the CPU architecture now becomes the same as on iOS devices. This would be the foundation to allow installing and running IPA files and even apps from the App Store on macOS.

Another trend we are anticipating is a stronger focus on privacy-related vulnerabilities. We have seen that the general public has become more educated about privacy. Android and Apple are gradually making application permissions more granular, and Apple recently introduced a pro-privacy policy on advertisement tracking. These are great wins, but changes to the operating systems are usually slow and monumental. We anticipate that data collection will continue to happen, as it’s also part of the business model for many app creators and companies, and we have seen third-party SDKs or libraries collecting data without the knowledge of developers and users. It will be no surprise to see a demand for identifying app components that may violate personal privacy, and we will include this as part of our mobile security course in the future.

Sven made several stops at big consultant companies and small boutique firms in Germany and Singapore and became specialised in Application Security. Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.

Ryan Teoh (OSCE, OSCP, CRT) is a Security Engineer with a strong focus on Mobile Security. He spends a considerable amount of time on iOS kernel exploitation, contributing to the iOS security testing chapter and the iOS Crackmes which are part of the OWASP Mobile Security Testing Guide. That aside, he is active on both private and public bug bounty programs and has successfully bagged several critical mobile security bugs. Ryan is a strong believer in knowledge sharing and initiated a security blog on top of facilitating workshops for security engineers, developers and students about mobile security, dynamic instrumentation and reverse engineering of mobile applications.

Originally published at https://blog.deepsec.net on September 3, 2020.
