Top 5 Open Source Mobile Application Security Testing Tools

Informer
6 min read, Oct 14, 2020

Mobile penetration testing creates many new challenges not commonly seen in standard web application and infrastructure tests. To aid in overcoming these, there are some great open source tools available and in this post, we will outline our top 5.

MobSF

What is MobSF?

Mobile Security Framework (MobSF) is an essential tool for any mobile penetration test on Android or iOS. It’s a static and dynamic binary analyzer capable of quickly enumerating security issues. Some of its best features are its ability to flag likely hardcoded API keys or passwords, to enumerate common manifest bad practices, and to perform code analysis.

How does it work?

MobSF can be installed and run locally, so no application data has to be sent to a third-party server. It takes the APK or IPA file and performs the analysis. It’s extremely fast, producing results in a matter of minutes.

Who would benefit from it?

While it is an essential part of any hacker’s mobile toolkit, mobile developers can also use this tool to check their own builds and practice secure development.

Why is it useful for mobile security testing?

Mobile applications are often composed of hundreds of files, any of which may contain information useful to an attacker, but reviewing them by hand takes a significant amount of time. MobSF analyzes an application at a pace that is not achievable manually in the same time frame. Combining its automated output with manual analysis ensures security issues are identified and reported.

ADB

What is ADB?

While not a penetration testing tool in itself, the Android Debug Bridge (ADB) can be used to identify issues in a mobile application as it is running and to access a shell on a non-rooted device. It is a command-line tool that comes with the standard Android SDK, allowing an emulated or USB-connected Android device to be debugged in real time.

How does it work?

ADB works best on Linux machines and can be run in a virtual machine. Once the Android device is connected, you can run a variety of commands, the most useful of which are adb shell and adb logcat. The shell allows commands to be run on the device, showing running processes, the file system, and memory information. Logcat shows the device’s logs in real time, which is where passwords and other sensitive data are often found.

Who would benefit from it?

As part of the developer SDK for Android, developers and penetration testers get the most use from this tool. It can help software engineers practice secure development and spot issues before they reach production.

Why is it useful for mobile security testing?

Logs and application files can often reveal sensitive information including passwords, authentication tokens, and API keys. This is one of the most common findings in mobile testing, and ADB lets penetration testers search the file system and logs for it.
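The two checks described above, hardcoded keys in decompiled sources (MobSF) and secrets leaking through logcat (ADB), can be scripted the same way. The following is an added example, not code from MobSF, ADB or the original post: it scans constructed sample text for secret-like strings, parses the logcat threadtime format to attribute each hit to a log tag, and redacts the matched value in the report. The regexes are this example’s own assumptions and should be tuned per target.

```python
import re

# Secret shapes worth flagging in logs and decompiled sources. These regexes are
# this example's own assumptions, not MobSF's or ADB's rules; tune per target.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*", re.I),
    "password_assign": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "generic_api_key": re.compile(
        r"\b(?:api[_-]?key|apikey)\s*[:=]\s*['\"]?[\w-]{16,}", re.I),
}

# One `adb logcat -v threadtime` line: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(\d\d-\d\d)\s+([\d:.]+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+):\s*(.*)$")


def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per secret-like match, with the logcat tag when present."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        # Plain source files have no logcat header: scan the whole line instead.
        tag, body = (m.group(6).strip(), m.group(7)) if m else (None, line)
        for kind, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(body):
                # Keep only a 4-char prefix so the report does not re-leak the secret.
                findings.append({"source": source, "line": lineno, "tag": tag,
                                 "kind": kind, "sample": hit.group(0)[:4] + "..."})
    return findings


# Constructed sample input: what `adb logcat -d` might show for a leaky login flow.
SAMPLE_LOGCAT = """\
10-14 09:12:01.334  4321  4321 D LoginActivity: user=alice password=hunter2
10-14 09:12:02.010  4321  4350 I OkHttp: Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789
10-14 09:12:02.011  4321  4350 I OkHttp: <-- 200 OK https://api.example.test/v1/me
"""

# Constructed sample input: a decompiled class as MobSF or Dex2Jar would surface it.
SAMPLE_SOURCE = """\
public final class Config {
    public static final String API_KEY = "sk_live_0123456789abcdefghijklmn";
    public static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOGCAT, "logcat") + scan_text(SAMPLE_SOURCE, "Config.java"):
        print(f"{f['source']}:{f['line']} [{f['tag'] or '-'}] {f['kind']}: {f['sample']}")
```

On a real engagement, feed it `adb logcat -d` output and the sources MobSF or APKTool produce, and review every hit by hand before reporting it.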

Frida

What is Frida?

Frida is an instrumentation framework that applies to all kinds of mobile testing. More specifically, it’s described as a “Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers”. It lets you hook into processes, view the execution flow of a process, or even modify it.

How does it work?

Frida works by essentially injecting an engine into the target process, which allows JavaScript to be executed with full access to memory and just about everything to do with the process.

There are some prerequisites to using Frida, one being that the device needs to be rooted or jailbroken so that the frida-server binary can be installed. The device also needs to be connected to a host machine with Frida installed to allow interaction and execution. Once the initial setup is complete, processes can be hooked into or even started from the host machine.

Who would benefit from it?

Developers, reverse engineers, and security researchers alike benefit from Frida. If, for example, new security features have been implemented in a mobile application, Frida provides a means of testing that implementation.

Why is it useful for mobile security testing?

Frida has a variety of uses, from bypassing SSL pinning and root detection to just about any other type of dynamic testing. Frida also has a great CodeShare project, where scripts are publicly shared for everyone to use. The scripts range from static code audits and SSL pinning and root detection bypasses to fuzzing scripts.

APKTool

What is APKTool?

APKTool is a great tool for any part of the reverse engineering process on Android. It allows you to decompile and rebuild applications for source code analysis or to insert new files. It is often used in conjunction with Frida (mentioned above) and with other tools such as Dex2Jar, which turns some of APKTool’s output into readable classes.

How does it work?

APKTool is a simple tool to use on Linux platforms. Once installed, you simply specify either the APK file to decompile or the folder to rebuild, and the resulting output can then be used by other tools.

Who would benefit from it?

Any penetration tester on a black box Android engagement will use APKTool as part of the reverse engineering process to identify errors in source code or to inject Frida gadgets.

Why is it useful for mobile security testing?

It’s a simple yet effective tool that performs basic actions on which other tools build. Being able to read source code or dynamically inspect the application can uncover obscure vulnerabilities that would otherwise be left undiscovered.

Checkra1n

What is Checkra1n?

Checkra1n is the current go-to jailbreak tool for iOS. Jailbreaking allows root access to a device, bypassing restrictions imposed by Apple in the software, such as limits on accessing files.

How does it work?

Checkra1n provides root access to an iPhone through an inherent flaw in Apple’s chips, which means it won’t be going away anytime soon. To use Checkra1n, the device needs to be connected to a Linux machine (no virtualization), and the tool is then run to exploit the flaw.

Who would benefit from it?

Any penetration tester on an iOS penetration test will need a jailbroken device to ensure a thorough test is performed.

Why is it useful for mobile security testing?

Testing on a jailbroken device allows the file system to be accessed and, in some instances, makes bypassing SSL pinning possible. Inspecting the file system uncovers SQL databases, logs, and caches, which sometimes store sensitive information; this is a misconfiguration that needs to be resolved.

If there are any tools that you think deserve to make the list, let us know.

Originally published at https://www.informer.io.
