
What is the approach for testing a mobile application?

For mobile pentesting we split the work into two parts: Android and iOS. The two platforms have different architectures, so the tools used for vulnerability assessment and penetration testing differ even though the overall approach looks similar. We will use a mobile banking application as the running example. Let's first list the functionality typically present in a mobile banking application.


* The banking application will have login functionality for its users.

* There will be functionality to transfer money from one account to another.

* There will be functionality for users to update their details.


Let's talk about Android first, as setting up an environment for pentesting an Android application is much easier and more cost-effective than for an iOS device.


The approach and methodology for testing an Android application is as follows:


  • Understanding the functionality - We start by understanding the mobile banking application's architecture and exploring the functionality it provides, which typically involves financial transactions, security controls (login, session handling, device checks) and the updating of records.

  • Setup - Use an emulator, such as the Android Emulator that ships with Android Studio or Genymotion, to emulate an Android device. Note that emulating an Android device can take a significant amount of memory and may slow down your system. Use tools such as jadx-gui (decompiler) or Apktool (resource and manifest decoder) to take the APK apart. Configure Burp Suite or a similar intercepting proxy for traffic interception and analysis; to see HTTPS traffic you also need to install the proxy's CA certificate on the emulated device, and since Android 7 apps ignore user-installed CAs by default, which is one reason the pinning and trust-store bypasses in the dynamic phase are needed.

  • Static Testing - This step involves decoding the APK with Apktool (and decompiling it with jadx) and reviewing the resulting files. The most important file is AndroidManifest.xml, which declares the application's components and configuration: check for android:debuggable, android:allowBackup, cleartext traffic settings and exported activities, services, receivers and content providers that are not protected by a permission. Review the decompiled sources and resources for hardcoded API keys and credentials, sensitive financial data written to local storage, and insecure data handling. Tools like MobSF can automate much of this and produce a report of potential issues in the APK, but each finding still needs manual verification.

  • Dynamic Testing - Interact with the mobile banking app as a user, performing the various financial transactions while monitoring its network traffic through Burp Suite. Analyze the requests and responses for vulnerabilities such as insecure data transmission, session management issues, and API security problems (for example, whether the server checks that the account identifiers in a transfer request belong to the logged-in user). This stage also includes test cases like root detection bypass and SSL pinning bypass, which can be performed by instrumenting the app with Frida and Objection.

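As an added example (not code from the original post), here is a small Python script that performs two of the static checks described above on the output of Apktool or jadx: it audits AndroidManifest.xml for debuggable, allowBackup and cleartext settings and for exported components that carry no permission, and it scans decompiled source for hardcoded credentials. The manifest, the Java snippet and the key formats it matches are constructed samples (the AWS key is the placeholder from AWS's own documentation); in a real engagement you would read the files from the decoded directory instead.

```python
"""Static checks over an APK decoded with Apktool or decompiled with jadx.

Added example: audit AndroidManifest.xml for risky settings and scan
decompiled sources for hardcoded secrets. All inputs are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(comp):
    """The launcher activity is expected to be exported; don't flag it."""
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def audit_manifest(manifest_xml: str) -> list[str]:
    """Return findings for common AndroidManifest.xml weaknesses."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element found"]
    if _attr(app, "debuggable") == "true":
        findings.append("android:debuggable=true: a debugger can attach to the build")
    if _attr(app, "allowBackup") != "false":
        findings.append("android:allowBackup not set to false: app data may be extractable via adb backup")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("android:usesCleartextTraffic=true: plain HTTP permitted")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        # Activities, services and receivers that declare an intent-filter are
        # exported by default when android:exported is not set explicitly.
        implicit = (exported is None and comp.tag != "provider"
                    and comp.find("intent-filter") is not None)
        if ((exported == "true" or implicit)
                and not _is_launcher(comp)
                and _attr(comp, "permission") is None):
            findings.append(f"exported {comp.tag} without a permission: {_attr(comp, 'name')}")
    return findings


# Heuristic patterns for hardcoded secrets (formats of well-known key types).
SECRET_PATTERNS = {
    "AWS access key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Google API key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "Generic secret assignment": re.compile(
        r"""(?i)(api[_-]?key|secret|password)\s*[:=]\s*["'][^"']{8,}["']"""),
}


def scan_for_secrets(source: str) -> list[tuple[str, int, str]]:
    """Return (label, line number, matched text) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((label, lineno, match.group(0)))
    return hits


# Constructed sample manifest: debuggable, cleartext allowed, no allowBackup,
# one implicitly exported activity and one exported provider without a permission.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter><action android:name="com.example.bank.action.TRANSFER"/></intent-filter>
    </activity>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.permission.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample of decompiled Java with hardcoded keys (fake values).
SAMPLE_SOURCE = """\
public final class ApiConfig {
    static final String BASE_URL = "https://api.bank.example";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy";
    static final String API_SECRET = "sup3r-s3cret-value";
}
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[manifest]", finding)
    for label, lineno, text in scan_for_secrets(SAMPLE_SOURCE):
        print(f"[secret] line {lineno}: {label}: {text}")
```

MobSF runs checks of this kind automatically; writing them by hand makes clear what each finding means, and every hit still needs triage: an exported launcher activity is expected, a debuggable flag on a release build is not, and a regex hit on the word "secret" may just be a variable name.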

The approach and methodology for testing an iOS application is as follows:


  • Understanding the functionality - This step is the same as for Android testing. We start by understanding the mobile banking application's architecture and exploring the functionality it provides, which typically involves financial transactions, security controls and the updating of records.

  • Setup - The setup for iOS testing is less straightforward, as we need a physical iOS device, preferably jailbroken and on an older iOS version (below iOS 14 is a common recommendation), since those are easier to jailbreak. Obtain the IPA file of the mobile banking application. To install it on the test device the IPA needs to be re-signed, which can be done with iOS App Signer or a similar tool.

  • Static Testing - This involves file system analysis, such as locating the app's UUID-named bundle directory (its sandboxed install location) and the separate UUID-named data container that holds the application's data. Static analysis also covers the data protection classes applied to files, as these are additional protections used to safeguard important files. Test cases such as sensitive data stored in the file system and in plist files, along with data stored in databases such as SQLite, Core Data or Realm, fall under this category. Automated tools like MobSF support iOS as well: uploading the IPA file produces a report of potential issues, which again need manual verification.

  • Dynamic Testing - As with Android dynamic testing, tools like Frida, Objection and Burp Suite work with iOS applications as well. Test cases such as jailbreak detection bypass and SSL pinning bypass come into the picture, along with the other test cases: insecure data transmission, session management issues, and API security problems.

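As an added example (not code from the original post), here is a Python script for the iOS static checks described above, run against files that would be pulled from the app bundle and data container on a jailbroken device: it inspects Info.plist for App Transport Security weaknesses and registered URL schemes, walks a preferences plist for keys that look like credentials, and looks for plaintext sensitive columns in a SQLite database. The plists, the database and the key names it matches are constructed samples; the regex of "sensitive" names is a heuristic you would tune per application.

```python
"""Static checks over files pulled from an iOS app's bundle and data container.

Added example: Info.plist ATS review, sensitive keys in a preferences plist,
and plaintext sensitive columns in SQLite. All inputs are constructed samples.
"""
import plistlib
import re
import sqlite3

# Heuristic: key or column names that often hold data that should not sit in plaintext.
SENSITIVE_NAME = re.compile(r"(?i)(password|passwd|pin|token|secret|session|cvv|card)")


def audit_info_plist(plist_bytes: bytes) -> list[str]:
    """Findings from an app bundle's Info.plist (ATS settings, URL schemes)."""
    info = plistlib.loads(plist_bytes)
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled, plain HTTP allowed to any host")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception permits insecure HTTP to {domain}")
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(f"custom URL scheme {scheme}:// registered: test its handler for "
                            "input validation and scheme hijacking")
    return findings


def find_sensitive_keys(obj, path: str = "") -> list[str]:
    """Walk a parsed plist (nested dicts/lists) and return key paths with sensitive names."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}"
            if SENSITIVE_NAME.search(str(key)):
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


def audit_prefs_plist(plist_bytes: bytes) -> list[str]:
    """Sensitive key paths in a preferences plist (Library/Preferences/<bundle id>.plist)."""
    return find_sensitive_keys(plistlib.loads(plist_bytes))


def _quote(ident: str) -> str:
    """Quote a SQLite identifier that came from the database itself."""
    return '"' + ident.replace('"', '""') + '"'


def audit_sqlite(conn: sqlite3.Connection) -> list[str]:
    """Report columns with sensitive-looking names and show one stored value."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({_quote(table)})")]
        for col in cols:
            if SENSITIVE_NAME.search(col):
                row = conn.execute(f"SELECT {_quote(col)} FROM {_quote(table)} LIMIT 1").fetchone()
                sample = row[0] if row else None
                findings.append(f"{table}.{col} stored in plaintext, sample: {sample!r}")
    return findings


# Constructed Info.plist: ATS fully disabled, one insecure exception, one URL scheme.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.bank",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {"legacy.bank.example": {"NSExceptionAllowsInsecureHTTPLoads": True}},
    },
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["examplebank"]}],
})

# Constructed preferences plist with a plaintext password and session token.
SAMPLE_PREFS_PLIST = plistlib.dumps({
    "username": "alice",
    "password": "hunter2",
    "sessionToken": "sess-0123456789",
    "lastLogin": "2024-01-01",
})


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a SQLite file copied from the data container."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, account_no TEXT, "
                 "card_number TEXT, pin TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, '0001234567', '4111111111111111', '4321')")
    return conn


if __name__ == "__main__":
    for f in audit_info_plist(SAMPLE_INFO_PLIST):
        print("[Info.plist]", f)
    for f in audit_prefs_plist(SAMPLE_PREFS_PLIST):
        print("[prefs]", f)
    for f in audit_sqlite(build_sample_db()):
        print("[sqlite]", f)
```

A hit from the plist or SQLite checks is a finding only after confirming the file's data protection class: a credential in a file protected with NSFileProtectionComplete is a weaker finding than the same value in a file readable while the device is locked, which is why the data protection review belongs alongside these checks.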

Helpful resources:


OWASP maintains the Mobile Application Security Testing Guide (MASTG, formerly the Mobile Security Testing Guide, MSTG) together with the Mobile Application Security Verification Standard (MASVS), which can be used as a test-case checklist while pentesting a mobile application.

