This post is just a few thoughts on VAPT and security programs for mobile apps; it is not about mobile OS security, malware research or reverse engineering.
Mobile app security is a buzzword these days, and quite tangled and contradictory in itself. After the arrival of IoT it became even more important to assess your apps to prevent attacks against these systems! But in reality the major culprit has always been the web services running in the background (REST in peace). So the question is: who are we actually pentesting, the API or the mobile app? And if it's the API, then we are only doing the same Burp stuff we used to do on the web, so
what is actual mobile app security?
Just imagine for a while: who will give you his/her own iPhone 6 / Android device, that too jailbroken, to find something in plaintext in a plist! Seriously?
There are too many protection levels within the system to prevent the exploitation itself! And infosec guys while reporting be like:
Hi team,
Here is an insecure local storage flaw; imagine that the device has been stolen, rooted & jailbroken.
I dare you to say that in the case of iOS.
(Okay, just modify it: *we have physical access to the device for a while*)
Rooting or jailbreaking a device will itself give you the highest privilege within the device, so there is no point in reporting insecure local storage (termed M2 in OWASP) unless the data is stored with world-readable permissions on the sdcard.
Most of the companies won't give a damn if the app you have tested was on a rooted/jailbroken device, and the twist is that the entire OWASP list was written with respect to an emulator, which comes pre-rooted.
Below are some knockouts on the face regarding flaws, from programs:
and half of the OWASP top 10 went off.
That's the reality of acceptance of app-based vulnerabilities: no doubt you will get those issues in any random app from the app store, but they won't have much impact.
I would rather prefer the path sdcard/android/ over data/data.
So what are some accepted issues for mobile apps?
Ans: In general, any bug which has significant impact without needing much privilege on the device; better still if you can exploit it remotely, like code execution or WebView exploits! (But I guess these WebKit issues are dead these days.)
Try to pentest having least privilege on an unrooted Android device.
(Now it sounds like your hands + legs are being tied up.)
Next thing you will ask: how to proceed, and what is possible on an unrooted device? I will post about it, with a few of my PoCs.
A few of the issues I worked upon that helped me regarding Android, which at least count in acceptance, are:
- Sensitive information leaked, like access_tokens in logs during debugging.
- Fragment injection.
- Arbitrary code execution, but there are constraints in this too: you need to have world-readable + writable permissions to overwrite the native libraries, and to execute it remotely you need MITM. And even after doing all that, the feeling is still that you got Informative; trust me, I was here 😛
- XXE: lucky if the app is parsing XML entities; you can try those apps which parse pdf, docx etc.
- Sensitive API calls and IDOR.
- Exported intents which are helpful in bypassing authentication or screens.
- Exported broadcast receivers, like making a phone call by passing params.
- Tapjacking at OAuth endpoints, just like the clickjacking issue in web at OAuth buttons.
- Backup issues like android:backup="allow" which let you make a backup of the app and explore the sensitive stuff in it.
- Exported components without custom permissions, including activities and receivers [which also can be bypassed].
- I consider SSL pinning should be here, but bug bounty programs will still cry because it can be bypassed using Cydia Substrate, SSL killer or Xposed framework modules.
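As an added example (not code from the original post), here is a small Python check for the manifest-level issues in the list above: the backup setting (the actual attribute is android:allowBackup) and exported activities/receivers without a custom permission, including components that are implicitly exported by an intent-filter when the app targets a version before Android 12. The manifest it scans is a constructed sample, not a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "receiver", "service", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"
# Constructed sample manifest (not from any real app) carrying the weak settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <receiver android:name=".CallReceiver" android:exported="true"
              android:permission="com.example.demo.permission.CALL"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def is_launcher(component):
    """Launcher activities have to be exported, so they are not a finding."""
    return any(c.get(ANDROID_NS + "name") == LAUNCHER for c in component.iter("category"))

def audit_manifest(xml_text):
    """Return (component name, finding) pairs for an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "allowBackup") == "true":
        findings.append(("application", "allowBackup=true: data can be pulled with adb backup"))
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if is_launcher(comp):
                continue
            name = comp.get(ANDROID_NS + "name", "?")
            exported = comp.get(ANDROID_NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            has_permission = comp.get(ANDROID_NS + "permission") is not None
            # Before Android 12 a component with an intent-filter is exported by default.
            if exported is None and has_filter:
                findings.append((name, f"{tag} implicitly exported via intent-filter"))
            elif exported == "true" and not has_permission:
                findings.append((name, f"{tag} exported without a custom permission"))
    return findings
```

Run it against a manifest decoded from an APK (for example with apktool) and the CallReceiver case shows the fix: an exported component guarded by a custom android:permission is not reported.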
What about iOS?
- Some of the above issues are relevant to iOS too.
- iOS too has WebViews which can be exploited using file URIs, e.g. to trigger FaceTime calls through improper URI schemes; this can allow attackers to, for example, send unauthenticated tweets and bypass popup blockers.
- Check the REST API calls again.
- Do traffic analysis.
App-related issues which are found on a jailbroken device don't count unless you have a privilege escalation exploit on the device!
These are some of my own thoughts on mobile app sec, specially related to bug acceptance and feasibility of exploitation, and they do not intend to hurt anyone's feelings.
Thanks for reading guys and for being here 🙂
Let me know your thoughts in the comments.