This post is just a few thoughts on VAPT and on security (bug bounty) programs for mobile apps. It is not about mobile OS security, malware research or reverse engineering.
Mobile app security is a buzzword these days, and quite tangled and contradictory in itself. After the arrival of IoT it became even more important to assess your apps to prevent attacks against these systems, but in reality the major culprit has always been the web services running in the background (REST in peace). So the question is: what are we actually pentesting, the API or the mobile app? And if it is the API, then we are only doing the same Burp kind of stuff we used to do for web, so
what is actual mobile app security?
Just imagine for a while: who will hand over his/her own iPhone 6 or Android device, jailbroken at that, so you can find something in plaintext in a plist? Seriously?
There are too many protection levels within the system to prevent the exploitation itself! And infosec guys, while reporting, be like:
"Here is an insecure local storage flaw. Imagine that the device has been stolen, rooted and jailbroken."
I dare you to say that in the case of iOS.
(Okay, just modify it: *we have physical access to the device for a while*.)
Rooting or jailbreaking a device will itself give you the highest privilege on the device, so there is no point in reporting insecure local storage (M2, Insecure Data Storage, in the OWASP Mobile Top 10)
unless the data is stored with world-readable permissions on the sdcard.
Most companies won't give a damn if the app you tested was running on a rooted/jailbroken device, and the twist is that the entire OWASP mobile guidance was written with the emulator in mind, which comes pre-rooted.
Below are some knockout-to-the-face responses from programs regarding such flaws:
And with that, half of the OWASP Top 10 is gone.
That's the reality of acceptance for app-based vulnerabilities: no doubt you will find those issues in any random app from the app store, but they won't have much impact.
I would rather look at the path sdcard/Android/ than data/data/: anything written to external storage can be read by other apps holding the storage permission, no root required, whereas data/data is only reachable on a rooted device.
So what are some accepted issues for mobile apps?
Ans: In general, any bug with significant impact that does not require many privileges on the device, better still if you can exploit it remotely, like code execution or WebView exploits (but I guess these WebKit issues are dead these days).
Try to pentest with the least privilege, on an unrooted Android device.
(Now it sounds like your hands and legs are being tied up.)
The next thing you will ask is how to proceed on an unrooted device, and whether it is even possible. I will post about it, along with a few of my PoCs.
A few of the issues I have worked on which helped me on Android, and which at least count for acceptance, are:
- Sensitive information, like access_tokens, leaked in logs during debugging.
- Fragment injection.
- Arbitrary code execution, but there are constraints in this too: you need world-readable and writable permissions to overwrite the native libraries, and to execute it remotely you need a MITM position. And even after doing all that, the feeling is still "informative". Trust me, I have been there 😛
- XXE: you are lucky if the app parses XML entities; try apps that parse PDF, DOCX, etc.
- Sensitive API calls and IDOR.
- Exported activities reachable via intent, which help in bypassing authentication or skipping screens.
- Exported broadcast receivers, like making a phone call by passing parameters.
- Tapjacking at OAuth endpoints, just like clickjacking OAuth buttons on the web.
- Backup issues like android:allowBackup="true", which lets you make a backup of the app and explore the sensitive stuff in it.
- Exported components without custom permissions, including activities and receivers [custom permissions can also be bypassed].
- I consider that SSL pinning should be here too, but bug bounty programs will cry because it can be bypassed using Cydia Substrate, SSL Kill Switch or Xposed framework modules.
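As an added example (not the author's code or PoCs), here is a small Python triage helper for two of the findings in the list above. It parses an AndroidManifest.xml for components an unprivileged app can reach (exported activities, receivers and services; implicit export via intent-filter, which is the default below targetSdk 31; custom permissions left at protectionLevel "normal", which any app can request) plus allowBackup/debuggable, and it scans logcat lines for access tokens. The manifest, the package com.example.bank with its component names, and the logcat lines are all constructed for the example.

```python
"""Triage helpers: exposed components in AndroidManifest.xml, tokens in logcat."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:* attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """True for the MAIN/LAUNCHER activity, which is exported by design."""
    for f in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def find_exposed_components(manifest_xml, implicit_export=True):
    """Flag components another (unprivileged) app can talk to, plus backup/debug flags.

    implicit_export=True models targetSdk < 31, where a component that declares an
    intent-filter is exported unless android:exported="false" is set explicitly.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    # Custom permissions declared by the app; protectionLevel defaults to "normal".
    levels = {_attr(p, "name"): _attr(p, "protectionLevel") or "normal"
              for p in root.findall("permission")}
    if _attr(app, "allowBackup") == "true":
        findings.append({"kind": "application", "name": pkg,
                         "reason": "allowBackup=true: 'adb backup' can pull app data without root"})
    if _attr(app, "debuggable") == "true":
        findings.append({"kind": "application", "name": pkg,
                         "reason": "debuggable=true: run-as / JDWP reach private data without root"})
    for kind in ("activity", "receiver", "service"):
        for comp in app.findall(kind):
            exported = _attr(comp, "exported")
            if exported is None:
                is_exported = implicit_export and comp.find("intent-filter") is not None
            else:
                is_exported = exported == "true"
            if not is_exported or (kind == "activity" and _is_launcher(comp)):
                continue
            perm = _attr(comp, "permission")
            if perm is None:
                reason = "exported without android:permission"
            elif levels.get(perm) == "normal":
                reason = "guarded only by normal-level custom permission %s (any app can request it)" % perm
            else:
                continue  # signature-level or system permission: treated as protected here
            findings.append({"kind": kind, "name": _attr(comp, "name"), "reason": reason})
    return findings


# Token-looking secrets: at least 16 chars so "Bearer null" and friends do not match.
_SECRET = r"([A-Za-z0-9._~+/=-]{16,})"
TOKEN_PATTERNS = (
    ("bearer", re.compile(r"Bearer\s+" + _SECRET)),
    ("access_token", re.compile(r'access_token["\']?\s*[:=]\s*["\']?' + _SECRET, re.I)),
    ("jwt", re.compile(r"(eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")),
)


def find_leaked_tokens(lines):
    """Report the first token-looking secret on each logcat line, masked for the report."""
    hits = []
    for line in lines:
        for label, pat in TOKEN_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append({"type": label, "token": m.group(1)[:8] + "...", "line": line.strip()})
                break
    return hits


# Constructed sample manifest (hypothetical package com.example.bank).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <permission android:name="com.example.bank.DIAL" android:protectionLevel="normal"/>
  <application android:allowBackup="true" android:debuggable="false">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity">
      <intent-filter><action android:name="com.example.bank.OPEN_SETTINGS"/></intent-filter>
    </activity>
    <receiver android:name=".DialReceiver" android:exported="true"
              android:permission="com.example.bank.DIAL"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".CryptoService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample logcat output (not captured from a real app).
SAMPLE_LOGCAT = """\
D/OkHttp  ( 4242): --> GET https://api.example.test/v1/me
D/OkHttp  ( 4242): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl
I/LoginMgr( 4242): login ok, session {"access_token":"ya29.EXAMPLE_TOKEN_abc123","expires_in":3600}
V/UI      ( 4242): rendering profile screen
""".splitlines()

if __name__ == "__main__":
    for f in find_exposed_components(SAMPLE_MANIFEST):
        print("[manifest] %-11s %-18s %s" % (f["kind"], f["name"], f["reason"]))
    for h in find_leaked_tokens(SAMPLE_LOGCAT):
        print("[logcat]   %-11s %s" % (h["type"], h["token"]))
```

On the sample manifest the launcher activity and the non-exported service are skipped, while TransferActivity, SettingsActivity and SyncReceiver are flagged as reachable without any permission and DialReceiver is flagged because its custom permission is only protectionLevel "normal". Re-running with implicit_export=False (the targetSdk 31 rule) drops the two components that were only exported by virtue of their intent-filters, which is exactly the difference you need to argue when a program says "that component is not exported".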
What about iOS?
- Some of the above issues are relevant to iOS too.
- iOS also has WebViews, which can be exploited via URI schemes, e.g. file:// URIs or facetime:// to trigger FaceTime calls. Improperly handled URI schemes can allow attackers, for example, to send unauthenticated tweets and bypass popup blockers.
- Check the REST API calls again.
- Do traffic analysis.
App-related issues found on a jailbroken device don't count unless you also have a privilege escalation exploit for the device!
These are some of my own thoughts on mobile app security, especially regarding bug acceptance and the feasibility of exploitation, and they are not intended to hurt anyone's feelings.
Thanks for reading, guys, and for being here 🙂
Let me know your thoughts in the comments.