Hey everybody, welcome back to the series. Today, we will be taking a deep dive into the world of what a real pentest engagement looks like and the processes involved. We will also look at how the process looks regarding mobile.

During mobile app pentesting, there is some interesting information we set out to look for, some low-hanging fruits to get the ball rolling. With that said, let’s dive in.

The Penetration Testing Process

Reconnaissance

Information gathering can be both active and passive. We do this to learn more about the target.

• Active - physical recon, interacting with targets via social engineering, anything with a hands-on target approach.

• Passive - using tools like LinkedIn, google, and publicly available information to enumerate the target.

Scanning / Enumeration

Using tools that touch the target's physical or digital infrastructures to enumerate vulnerabilities, open ports, etc. After scanning, we enumerate to find if there’s anything of value.

For example, using tools like nmap, dirb, nikto, nessus, etc.

Exploitation

Taking advantage of the vulnerabilities you discovered during enumeration and recon to gain access to the system.

Privilege Escalation

Once inside of the system or environment, moving laterally or vertically to obtain more access or maintain access should we be kicked out of the system.

• Lateral movement - from a device or app to another device or app as the same user.

• Vertical movement - from low-level user to higher-level account

Covering Tracks

Eliminating evidence that may incriminate you or leave signs of exploitation. Example: Deleting the malware you uploaded to gain access, Changing timestamps, deleting logs, erasing video footage, etc. As a pentester, you need to clean up.

Reporting

The results of your hard work whether successful or not is outlined with the findings and exploits to the company including steps on how to fix them. Find a list of resources on how to write a great report at the end of this article.

If you want to dig a little deeper into this, then check out The Cyber Mentor ethical hacking course on youtube. It’s in two parts, part 1 and part 2.

Now that we’ve seen what the process looks like for web apps and networks, let’s dive into what we do when testing mobile applications.

The Mobile Pentest Process

Reconnaissance

Look at earnings reports and press releases often contain info about mobile apps.

Find the target app on the play store or apple store

• read the reviews

• enumerate who created the app

• enumerate the different app versions and patch notes

• enumerate the company's other apps

Note:

Sometimes new apps are released for androids and are not available for iOS yet. There's no need to sign in to Play Store, search {name of app} google/apple store. On the Apple store, we're given the version history

Static Analysis

Reading the application code via manual or automated tools to assess the security. Looking for hardcoded strings, security misconfigurations, or additional targets extracted from the app.

Static analysis will sometimes result in the pen-testing process being triggered, especially additional enumeration or fingerprinting.

• Find a URL - recon, enumerate, exploit, etc

  • Many companies use other API gateways/paths for mobile apps vs the traditional website.

• Find an email/username - recon using phonebook.cz, etc

• Find a storage bucket - recon, enumerate with cloud_enum

What we're looking for

• API keys

• Emails and passwords

• Hard coded strings

• URL

Dynamic Analysis

Running the application, monitoring and manipulating it to figure out what it’s doing based on its behavior. This allows us to look at the backend of the application because some applications download extra data during runtime.

• Monitor the file system, app interactions and operating system interaction

• Intercepting traffic with proxies like burp suite/proxyman

• Dumping memory from the application to check for insecurely

• Stored secrets

• Checking local storage for files created in runtime (app running )

• Breaking SSL pinning at runtime

Dynamic analysis can often result in attacks related to the OWASP top ten SQL injection, Cross-Site Scripting, IDOR, XXE, etc

Note on XSS: you often will get XSS in the mobile app itself, but sometimes this can affect the full version of the website.

Learn more about dynamic analysis from this webcast on SANS by Jeroen Beckers.

Reporting

• Often contains an executive summary as well as specific vulnerabilities discovered

• Write a report for both OWASP top ten (web) and OWASP top ten (mobile) in mind

• Provide the business with the criticality as well as steps to reproduce

• Remember to mention the positive security implementations!

Here’s a good resource to learn how to write a penetration testing report by hackersploit and here is a list of public pentest reports by juliocesarfort. For more information on report writing check out Gabrielle B’s post on Linkedin which contains some useful links to great resources and insights.

If you’re enjoying this series, consider following me here, like comment and share this with friends and colleagues.