🔴 Executive Offense Issue #7 - Mobile Application Hacking Part 1

Hey everyone!

Happy post-holidays to you all. This is the return of Executive Offense after a long haitus. I could belabor the story of being busy, hacking all the things (I will still do that), etc, but instead I’ll jump right into the newsletter.

Going forward, you should expect EO (normally) to hit your inbox once every one or two weeks.

Let’s ride.

Lately, I've been diving back into research on mobile applications. This week, we'll be discussing mobile applications and the tools and techniques that modern mobile assessors might need to do their job.

/ Part 1

Back in 2014-2016, Daniel Meissler and I were the primary rebooters of the OWASP Mobile Top 10 project, where we outlined the common vulnerability types that mobile applications were subject to back then. I've probably done at least 100 mobile application assessments myself, as well as written a binary analysis framework for Objective-C apps. BUT the landscape changes rapidly as the platforms add more and more security controls and secure-by-default features.

Unfortunately, these features also hinder legitimate security researchers, meaning that the testing methods that used to be easy to do are a bit harder these days.

In general, modern mobile application vulnerabilities usually have to do with the APIs tied to the app installed on your phone. In addition, previously, we needed a jailbreak to access the apps in a way that let us assess them, but nowadays we have some pretty neat frameworks that allow us the layered access we need.

Let's dive into part one of a few of my favorite resources for mobile application testing in this week's special edition technical newsletter.

/ The OWASP Mobile Top Ten and the OWASP Mobile Testing Guide

The OWASP Mobile Top Ten has gone through several revisions since its inception. The landscape of the project has changed significantly as the phone platforms up their game as far as default configurations. A case in point used to be that one of the threat scenarios for Apple iPhones was that you could plug them into any computer and files that were not protected by a default data protection class were subject to just pulling off the device. For many years now, data protection values on files have been the default. So, this has lowered these types of representations in the project. In the 2016 version, there was a high level of code quality focus, which fell by the wayside with the introduction of several new mobile frameworks. It is, however, great to understand that the project page does show the 2023 version, which is right now in draft, and the 2016 version, which was ratified many years ago, allowing you to see the differences in everything. Here's a view of the vulnerabilities in both side by side:

As a companion to the top 10, there are two projects which really give a basis for how mobile application security tests should be performed: that's the Mobile Application Security Testing Guide and the Mobile Application Verification Standard.

Just like their counterparts for the OWASP Web Top Ten and the OWASP Web comparable projects, these projects go over test cases and a bunch of useful information around securing mobile applications. An aspiring mobile application tester should make sure that these are bookmarked and that they understand these intimately.

 The Mobile Application Security Testing Guide also has a checklist which is handy for people to verify controls mandated by the verification standard.

/ Android

Many would consider Android application testing the easier of the two platforms to do assessments on. Android physical devices have the Android Debug Bridge (ADB), which allows for a high level of control over the phone operating system, making it easier for you to install scripts and get access to the applications you want to assess.

There still is a significant amount of setup though for any type of mobile application assessment. In this area, I really like a couple of Cheat Sheets that give me all of the ADB commands I might need, as well as some tips and tricks for looking at things on the Android side:

Black Hills Information Security and @srkasthuri also have somewhat up-to-date guides on setting up your environment for Android pen testing:

• https://www.blackhillsinfosec.com/start-to-finish-configuring-an-android-phone-for-pentesting/

• https://medium.com/@srkasthuri/android-pentesting-101-a-novices-handbook-to-getting-started

Securitycafe.ro also has a guide which includes setting up Android emulators such as AVD and Genymotion:

I love guides with lots of images in them so newcomers to the topic can follow along!

 / iOS + Frida

I group iOS and Frida together because these days when you're testing iOS mobile applications, it's almost a requirement to use Frida.

Frida is a dynamic instrumentation toolkit for security researchers. What does that mean? It means I can do some fancy stuff by hooking operating system and application functions. But what does that actually mean? It means that Frida is a framework that can allow security researchers to do a lot of things needed in security testing without a jailbreak or root for the device. It allows them to read files, decrypt applications, set breakpoints in programs, patch security routines, disable SSL pinning, and more. These are all useful functions to have access to as an assessor.

Story: Back in the early days of mobile application assessment, it was very feast or famine. Our teams at HP would literally go out to GameStops and find used iPhones and iPads that hadn't been updated to the newest versions of the operating systems yet because we needed to be able to jailbreak them for our testing. It was always a funny look on a game store employee's face when you would ask them if you could boot up the device to see what OS version the device was running.

 / Frida Resources

Recently, I came across a 103-page workshop by @lain7z & @martrudix on Frida. It is very comprehensive, and I highly recommend it for a bookmark as a reference guide to what you can do with Frida, as well as some slide visuals on labs related to using Frida. It covers both Android and iOS applications. Great resource. 

In addition, I have bookmarked 8Ksec’s five-part blog series on advanced Frida usage. These resources are quite special. They are not traditional in giving you just the Frida scripts to do the instrumentation of a mobile application assessment, but rather they showcase using Frida while doing real security research work on real applications. 

Links:

/ End Part 1

Well, that was a pretty large post for a comeback newsletter, but when you're passionate about something and you want to write about it, you just gotta let it out.

I hope you all enjoyed part one of this technical edition and collection of resources. I know for sure I'm missing some good resources, so if you know of any, make sure to hit me up on Twitter/X, and I'll add an appendix for ones that are really cool.

Until next week and part 2 (Reverse Engineering, API Hacking, Practice Apps, Valuable Talks, Advanced Topics, and more!)