Mobile App Pen Test guide provides a quick overview of various tools and techniques used to perform penetration testing on mobile apps.
No pen test guide can start without mentioning the OWASP Mobile Top 10: https://owasp.org/www-project-mobile-top-10/
The OWASP Mobile Top 10 is a list that identifies the types of security risks faced by mobile apps globally. The list, last updated in 2016, acts as a guide for developers to build secure applications and adopt best coding practices. With almost 85 percent of apps tested by NowSecure found to be affected by at least one of the OWASP Top 10 risks, it is essential for developers to understand each one of them and adopt coding practices that prevent their occurrence as far as possible.
- Mobile-Security-Framework-MobSF - An all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. It works directly on mobile app binaries (APK, XAPK, IPA & APPX) as well as zipped source code, and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you perform runtime security assessment and interactive instrumented testing.
  ```
  git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
  cd Mobile-Security-Framework-MobSF
  python manage.py runserver 127.0.0.1:8000
  ```
  OR
  ```
  docker pull opensecurity/mobile-security-framework-mobsf
  docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
  ```
  Then open http://127.0.0.1:8000 in a desktop browser.
  Note: If you need Dynamic Analysis, do not set up MobSF inside Docker or a virtual machine.
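As an added example of the CI/CD integration mentioned above (not code from the page or from the MobSF project), here is a Python gate that uploads an APK to MobSF, runs a static scan, and fails the build on the scorecard. The endpoint paths, the `Authorization` header and the scorecard field names (`security_score`, `high`, `warning`, `title`) are taken from the MobSF REST API docs but should be treated as assumptions to check against your MobSF version; the sample scorecard is constructed.

```python
"""CI gate around the MobSF REST API: upload -> scan -> scorecard -> pass/fail."""
import os
import sys

# Assumptions: MobSF listens here and prints the API key on startup.
MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
API_KEY = os.environ.get("MOBSF_API_KEY", "")


def _post(path, **kwargs):
    import requests  # imported lazily so gate_violations() runs without it
    r = requests.post(MOBSF_URL + path, headers={"Authorization": API_KEY},
                      timeout=600, **kwargs)
    r.raise_for_status()
    return r.json()


def scan_apk(apk_path):
    """Upload one APK, trigger a static scan and return the scorecard JSON."""
    with open(apk_path, "rb") as f:
        up = _post("/api/v1/upload", files={"file": (os.path.basename(apk_path), f)})
    _post("/api/v1/scan", data={"hash": up["hash"]})          # blocks until done
    return _post("/api/v1/scorecard", data={"hash": up["hash"]})


def gate_violations(scorecard, min_score=60, max_high=0, max_warning=10):
    """Return the list of policy violations; an empty list means the build may pass."""
    violations = []
    score = scorecard.get("security_score", 0)
    if score < min_score:
        violations.append(f"security_score {score} is below {min_score}")
    highs = scorecard.get("high", [])
    if len(highs) > max_high:
        titles = ", ".join(h.get("title", "?") for h in highs[:3])
        violations.append(f"{len(highs)} high-severity findings (e.g. {titles})")
    warnings = scorecard.get("warning", [])
    if len(warnings) > max_warning:
        violations.append(f"{len(warnings)} warnings exceed the limit of {max_warning}")
    return violations


# Constructed sample scorecard (not real MobSF output) for local testing.
SAMPLE_SCORECARD = {"security_score": 45,
                    "high": [{"title": "Debug enabled for the app"}],
                    "warning": [{"title": "Cleartext traffic allowed"}]}

if __name__ == "__main__":
    card = scan_apk(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCORECARD
    problems = gate_violations(card)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as `MOBSF_API_KEY=... python mobsf_gate.py app.apk` in the pipeline; with no argument it evaluates the constructed sample.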
- Objection - objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications without needing a jailbreak. It supports both iOS and Android: bypass SSL pinning, dump keychains, perform memory-related tasks, explore and manipulate objects on the heap, etc.
  ```
  pip3 install objection
  ```
- Runtime-Mobile-Security-RMS - Runtime Mobile Security (RMS), powered by Frida, is a powerful web interface that helps you manipulate Android and iOS apps at runtime. With RMS you can easily dump all loaded classes and their methods, hook everything on the fly, trace method arguments and return values, load custom scripts and much more.
- APKTool - A tool for reverse engineering 3rd-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project-like file structure and the automation of some repetitive tasks like building the APK.
  - Disassembling an Android APK file
    ```
    apktool d <apk file>
    ```
  - Rebuilding decoded resources back to a binary APK/JAR and signing it with a certificate
    ```
    apktool b <modified folder>
    keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
    jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test
    ```