Http://netsecurity.51cto.com/art/201403/433726_all.htm
In the past, security researchers mostly studied the client side of mobile apps: remote control, cracking, information theft and so on. Few paid attention to the security of the app's server side, which is why so many vulnerabilities remain there.
Mobile apps mostly talk to their back end through web API services, which ties mobile security to web security. The server side is, in effect, a website: the common web vulnerabilities (SQL injection, arbitrary file upload, middleware and server vulnerabilities, and so on) exist there too. But because many apps do not embed web pages and instead call API endpoints that return JSON, a conventional web scanner's crawler never discovers those links.
[Figure: Qiushibaike (糗事百科) "joke list" API response; the content field is irrelevant here]
So I looked for ways to find vulnerabilities in the app's server side. Two methods come to mind:
1. Decompile the app
2. Capture traffic with an HTTP[S] proxy
Someone will object that the links obtained either way are fragmentary and hard to test by hand. My approach is to feed every collected link straight into a multi-engine web vulnerability scanner, which batch-tests for SQL injection and the like; besides vulnerabilities, the scan also turns up a lot of useful information.
First, decompiling the app
There are two decompilation approaches, dex2jar and Apktool, and they give different results: dex2jar converts the Dalvik bytecode into a jar that a Java decompiler (jd-gui) turns back into Java source, while Apktool produces smali, the Dalvik bytecode assembly.
1. Decompiling with dex2jar
Tools: dex2jar + jd-gui
Method:
A. Rename the .apk to .zip (an APK is an ordinary zip archive)
B. Extract classes.dex (larger apps also ship classes2.dex, classes3.dex and so on; process each of them)
C. Run dex2jar on it (dex2jar.bat classes.dex; current releases name the script d2j-dex2jar)
D. Open the resulting jar in jd-gui to read the decompiled source, as in the figure. Some classes are obfuscated by ProGuard (proguard.cfg), but ProGuard renames identifiers and leaves string literals such as URLs intact, so the code is still usable.
2. Decompiling with Apktool
Tool: Apktool
This one is simpler: apktool d app.apk unpacks the APK into smali disassembly, the res resource files, the assets directory and the native lib libraries. You can search the smali and resource files directly for links and similar strings; in smali they appear as const-string instructions or static field initialisers, and in resources typically in res/values/strings.xml.
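Added example, not code from the article or its author: a Python sketch of the string-harvesting step that the decompiled output enables. It pulls double-quoted literals out of smali and Java text, separates absolute URLs from path fragments, and stitches every fragment onto every host seen in an absolute URL (the same stitching the summary at the end of the article calls for). The sample sources, hostnames and paths are constructed for the demo.

```python
"""Added example (not from the original article): harvest URL-like string
constants from decompiled sources (smali from apktool, Java from jd-gui)
and stitch path fragments onto base URLs.  All sample text, hostnames and
paths below are constructed for the demo."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample of decompiled output, keyed by file path.
SAMPLE_SOURCES = {
    "smali/com/example/app/net/Api.smali": r'''
.field public static final BASE_URL:Ljava/lang/String; = "http://api.example-app.test/"

.method public static getList(I)Ljava/lang/String;
    const-string v0, "article/list?page="
.end method
''',
    "smali/com/example/app/net/Login.smali": r'''
    const-string v1, "/user/login"
    const-string v2, "https://passport.example-app.test/oauth/token"
''',
    "src/com/example/app/net/Upload.java": r'''
public class Upload {
    private static final String PATH = "/upload/image.php";
    private static final String LOG_TAG = "Upload";      // not a URL: ignored
}
''',
}

# A double-quoted literal, honouring backslash escapes inside it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Absolute URL such as https://host/...
ABS_URL_RE = re.compile(r'^https?://\S+$', re.I)
# Relative path fragment: at least two segments ("a/b", "/a/b") with an
# optional query string.  Single words ("Upload") are rejected on purpose.
REL_PATH_RE = re.compile(r'^/?[\w.\-]+(?:/[\w.\-]*)+(?:\?\S*)?$')


def extract_strings(text):
    """Return every double-quoted string literal in a source file."""
    return [m.group(1) for m in STRING_RE.finditer(text)]


def classify(strings):
    """Split literals into absolute URLs and relative path fragments."""
    bases, paths = [], []
    for s in strings:
        if ABS_URL_RE.match(s):
            bases.append(s)
        elif REL_PATH_RE.match(s):
            paths.append(s)
    return bases, paths


def stitch(sources):
    """Combine every path fragment with every host seen in an absolute URL.

    The app only ever joins a fragment to one base, but static analysis
    rarely tells us which, so we over-generate and let the scanner's 404s
    sort it out.
    """
    bases, paths = set(), set()
    for text in sources.values():
        b, p = classify(extract_strings(text))
        bases.update(b)
        paths.update(p)
    hosts = {f"{u.scheme}://{u.netloc}/" for u in map(urlsplit, bases)}
    urls = set(bases)                       # absolute URLs are endpoints already
    for host in hosts:
        for path in paths:
            urls.add(urljoin(host, path))
    return sorted(urls)


if __name__ == "__main__":
    for url in stitch(SAMPLE_SOURCES):
        print(url)
```

Run against a real apktool or jd-gui output tree, the same functions work on the files read from disk; the cross product deliberately produces more candidates than the app really uses, which is cheap for a scanner to discard but expensive to miss.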
Using the app to find a website's real IP
Beyond server-side vulnerabilities there is a more entertaining use: collect the subdomains the app talks to and resolve them to find the real IP of the target site. In my experience most apps' API hosts are not behind a CDN, so their A records point straight at the origin, which often also serves the main site. Confirm it before relying on it: the IP has to actually answer for the main site's Host header.
[Figure: real IP of Qiushibaike (糗事百科) found this way]
Second, HTTP[S] proxy capture
Here the mobile device is pointed at a proxy and the app is driven by hand, so every request it makes to the server passes through the proxy.
Steps:
A. Start the proxy on the capture machine. Burp works for testing; if scan tasks need to be submitted automatically, write your own proxy. Point the mobile device at the proxy server. For HTTPS the proxy's CA certificate also has to be installed on the device, otherwise the app's TLS validation rejects the intercepted connections (an app that pins its certificate blocks interception even then).
B. Operate the app on the device; the proxy captures requests like those in the figure.
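Added example, not code from the article or its author: the step between the proxy and the scanner, in Python. A session of manual use produces thousands of requests, most of them the same endpoint with different values; this collapses them to unique (method, host, path template, parameter names) targets and renders them as scanner input. The raw requests, hostnames and parameters are constructed for the demo; the tunnel flag stands in for what a real proxy knows about whether a request came through a CONNECT tunnel.

```python
"""Added example (not from the original article): turn requests captured by
an interception proxy into a de-duplicated list of scan targets.  The raw
requests, hostnames and parameters below are constructed for the demo."""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed captures as a proxy sees them: plain-HTTP requests arrive in
# absolute form ("GET http://host/path"), while requests inside a CONNECT
# tunnel (HTTPS, after the proxy terminates TLS) arrive in origin form with
# only a Host header.  Each entry is (raw_request, came_through_tls_tunnel).
CAPTURED = [
    (b"GET http://api.example-app.test/article/list?page=1&count=20 HTTP/1.1\r\n"
     b"Host: api.example-app.test\r\nUser-Agent: ExampleApp/1.0\r\n\r\n", False),
    (b"GET http://api.example-app.test/article/list?page=2&count=20 HTTP/1.1\r\n"
     b"Host: api.example-app.test\r\nUser-Agent: ExampleApp/1.0\r\n\r\n", False),
    (b"POST /user/login HTTP/1.1\r\nHost: passport.example-app.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\n"
     b"user=alice&pass=secret1", True),
    (b"GET /article/123/comments?page=1 HTTP/1.1\r\nHost: api.example-app.test\r\n\r\n", True),
    (b"GET /article/456/comments?page=1 HTTP/1.1\r\nHost: api.example-app.test\r\n\r\n", True),
]

FORM = "application/x-www-form-urlencoded"


def parse_request(raw, tunneled=False):
    """Parse one raw HTTP/1.1 request into method, scheme, host, path, params."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    if parts.scheme:                      # absolute-form target
        scheme, host = parts.scheme, parts.netloc
    else:                                 # origin-form: host comes from the header
        scheme, host = ("https" if tunneled else "http"), headers.get("host", "")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    form = {}
    if headers.get("content-type", "").startswith(FORM):
        form = dict(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
    return {"method": method, "scheme": scheme, "host": host,
            "path": parts.path, "query": query, "form": form}


def path_template(path):
    """Collapse numeric path segments so /article/123 and /article/456 match."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def unique_targets(captured):
    """Key requests by (method, host, path template, parameter names).

    The first concrete request seen for each key is kept as the replay seed,
    so the scanner starts from values the app itself sent.
    """
    targets = {}
    for raw, tunneled in captured:
        req = parse_request(raw, tunneled)
        key = (req["method"], req["host"], path_template(req["path"]),
               tuple(sorted(req["query"])), tuple(sorted(req["form"])))
        targets.setdefault(key, req)
    return targets


def to_scan_list(targets):
    """Render each target as 'METHOD url [form-body]' for a scanner's input."""
    out = []
    for req in targets.values():
        url = f"{req['scheme']}://{req['host']}{req['path']}"
        if req["query"]:
            url += "?" + urlencode(req["query"])
        line = f"{req['method']} {url}"
        if req["form"]:
            line += " " + urlencode(req["form"])
        out.append(line)
    return out


if __name__ == "__main__":
    for line in to_scan_list(unique_targets(CAPTURED)):
        print(line)
```

Two things to carry over with the list: the session headers (cookie or token) the app sent, since most API endpoints refuse unauthenticated requests, and the fact that the seeds contain whatever credentials the tester typed during capture, so the list is itself sensitive.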
Summary:
The idea is clear; what remains is automating it. One problem after decompiling is that the URLs are not necessarily complete: many are assembled at runtime from a base URL and path fragments. I am writing an analysis engine that decompiles automatically, analyses the source to stitch together full API URLs, and then hands them to the vulnerability scanner.
For now it is a demo; I plan to write it in Python and deploy it on a server.
Application of mobile app security in penetration testing