Application of mobile app security in penetration testing

Source: Internet
Author: User
Tags: app service zip extension

Mobile app security threats are usually thought of as local, client-side issues: remote control, application cracking, information theft, and so on. Most people have paid little attention to the security of the app's server side, yet that side has plenty of vulnerabilities.

Mobile apps mostly interact with their server through Web API services, a pattern that ties mobile security to web security. But mobile apps and web apps differ completely in their security solutions. Common protection methods for mobile apps include pseudo-encryption, code obfuscation, run-time validation, and APK encryption. Because the app talks to its server through web services, that server is also a site that serves information, and the common web vulnerabilities exist there too: SQL injection, file upload, middleware/server vulnerabilities, and so on. However, some apps do not embed web pages directly; they call an API that returns JSON data, so a scanner's crawler cannot discover those links on its own.

Take the Embarrassing Encyclopedia app as an example.


To find vulnerabilities on the app's server side, I currently use two methods:

1. Decompiling the app

2. HTTP[S] proxy packet capture

Both methods yield fragmented links rather than vulnerabilities directly, so I feed all the collected links straight into a multi-engine web vulnerability scanner, which can batch-scan for SQL injection and similar issues. Beyond those vulnerabilities, a lot of other information turns up along the way.

First, decompiling the app

There are two decompilation approaches, Dex2jar and Apktool, and their output differs: Dex2jar (with a Java decompiler) gets you back Java source code, while Apktool produces Smali, the Dalvik assembly code.

1. Dex2jar decompilation

Tool: Dex2jar + JD-GUI

Method:

A. Rename the .apk file to a .zip extension


B. Extract the classes.dex file from the archive

C. Convert it with Dex2jar (dex2jar.bat classes.dex) and open the resulting jar in JD-GUI


The decompiled source code looks like this. Although some classes are obfuscated by the proguard.cfg configuration, they are still usable.


2. Apktool decompilation

Tool: Apktool

This tool is simpler: running (apktool d apkfile) decompiles the APK directly into Smali disassembly code, res resource files, assets configuration files, and lib library files. We can then search the Smali files and resource files directly for links and similar strings.


Using the app to find a website's real IP

Besides vulnerabilities on the app's server side, there is a more interesting use: collecting the IPs of the subdomains the app talks to in order to find the real IP of the target site. In my experience, most app interfaces are not placed behind services such as a CDN.


Embarrassing Encyclopedia's real IP


Second, HTTP[S] proxy packet capture

This method routes the mobile device through a proxy and captures its interaction with the server while the app is operated by hand.

Steps:

A. Start a proxy on the capture machine. For testing, Burp can be used; if you need to submit scan tasks automatically, you can write your own proxy. Then point the mobile device's proxy settings at that server.


B. Operate the app on the mobile device; the proxy side captures traffic as follows.


Summary:

The overall idea is now clear; what remains is to automate the process. One problem after decompilation is that the URLs are not necessarily complete: many are stitched together at run time. I am trying to write an analysis engine that decompiles automatically, analyses the source code to stitch together the full API URLs, and then hands them to a vulnerability analysis tool for scanning.
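As an added example (not the author's engine and not code from the original post), here is a small Python pass over Apktool's Smali output, covering both the "search the Smali files for links" step above and the URL-stitching problem just described: it collects const-string literals, re-stitches the URLs that the app builds with StringBuilder, and marks run-time segments with {?} so partial endpoints are still reported. The Smali sample is constructed for the example and is not from any real app.

```python
import re

# Constructed apktool-style sample (not from any real app): login() stitches its
# URL with StringBuilder, profile() appends a run-time int, feed() is a literal.
SAMPLE_SMALI = """\
.method public static login()Ljava/lang/String;
    const-string v0, "https://api.example.com/v2/"
    const-string v1, "user/login"
    invoke-direct {v2, v0}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
    invoke-virtual {v2, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v0
.method public static profile(I)Ljava/lang/String;
    const-string v0, "https://api.example.com/v2/user/"
    invoke-direct {v1, v0}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1, p0}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;
    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v0
.method public static feed()Ljava/lang/String;
    const-string v0, "http://feed.example.com/list?page=1"
"""

CONST = re.compile(r'^\s*const-string(?:/jumbo)? ([vp]\d+), "((?:[^"\\]|\\.)*)"')
BUILD = re.compile(r"^\s*invoke-(?:direct|virtual) \{([vp]\d+), ([vp]\d+)\}, Ljava/lang/StringBuilder;->(?:<init>|append)\(")
TOSTR = re.compile(r"^\s*invoke-virtual \{([vp]\d+)\}, Ljava/lang/StringBuilder;->toString\(")
MOVE = re.compile(r"^\s*move-result-object ([vp]\d+)")
URL = re.compile(r"^https?://\S+")

def extract_urls(smali: str) -> list[str]:
    # Returns stitched StringBuilder results plus literal URLs never appended elsewhere.
    found, consumed, literals = set(), set(), set()
    regs, builders, pending = {}, {}, None
    for line in smali.splitlines():
        if line.startswith(".method"):          # registers are local to a method
            regs, builders, pending = {}, {}, None
        elif m := CONST.match(line):
            regs[m[1]] = m[2]
            literals.add(m[2])
        elif m := BUILD.match(line):
            val = regs.get(m[2], "{?}")         # "{?}" marks a run-time value
            consumed.add(val)
            builders[m[1]] = builders.get(m[1], "") + val
        elif m := TOSTR.match(line):
            pending = builders.get(m[1], "")
        elif (m := MOVE.match(line)) and pending is not None:
            regs[m[1]] = pending
            found.add(pending)
            pending = None
    found.update(literals - consumed)
    return sorted(u for u in found if URL.match(u))
```

Run it over the .smali files under the Apktool output directory; the hostnames in the returned URLs are the ones to resolve for the real-IP check described earlier.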

Here is a demo; it will be written in Python and deployed on the server.


The whole process is not very difficult, and mobile app developers can see that the security threats to an app are still considerable; if you do not pay attention to security, you know the consequences. I recommend that mobile app developers try free APK encryption; after all, nobody wants something they developed themselves to be cracked.
