Mobile Application Pentesting
Presented below is a carefully compiled checklist for conducting penetration testing on mobile applications. It is not an exhaustive inventory but instead an evolving one, with ongoing updates planned as I progress in this journey. This checklist can be an excellent initial reference for beginners.
APK Information Gathering
Extracting insights from APK files is crucial for understanding permissions, embedded secrets, and third-party libraries. This process forms the foundation for identifying security vulnerabilities in mobile applications.
| Check | Description | Tools |
| --- | --- | --- |
| APK File Gathering | Obtain the application from an Android device or the Play Store. | adb, apkpure, devices |
| Check Application Ecosystem | Attempt to grasp the fundamental components of the application, including its underlying technology. | apktool, jadx-gui, yazhini |
| Installation (Device) | Install the APK on an actual device. | Physical phones |
| Installation (Emulator) | Install the APK on emulators. | Genymotion, BlueStacks, Nox |
| Installation (Root) | Install the APK on a rooted device. | Actual phones |
Reverse Engineering & Analysis
Reverse Engineering in mobile app testing involves dissecting the app's code and logic to uncover hidden features, assess vulnerabilities, and understand its internal workings, providing crucial insights for security analysts.
| Check | Description | Tools |
| --- | --- | --- |
| APK Analysis | Analyze the APK package, inspecting its contents such as assets, resources, manifest files, and META-INF. | apktool, adb, dex2jar, JDGUI, IDA Pro |
| Static Analysis | Conduct static analysis to identify sensitive information, such as passwords or API keys. | MobSF, adb, apktool, dex2jar, JDGUI |
| Debug Checking | Check the android:debuggable attribute. | Any editor |
| Android Manifest | Check the AndroidManifest.xml thoroughly. | Any editor |
Dynamic Analysis
Dynamically assessing a mobile app's behavior during runtime reveals vulnerabilities, how the app handles sensitive data, and any potential malicious activities. This approach complements static analysis for a comprehensive security evaluation.
| Check | Description | Tools |
| --- | --- | --- |
| Applog | Review the application logs, examining entries related to processes from a particular application package. | pidcat, logcat |
| Root Detection | Examine the root detection mechanism and evaluate methods to bypass root detection. | Manual |
| Shared Preference | Upon initial login, the app requests the user's username and password. Subsequent logins do not require this information, as the app stores the login key in the shared preferences file "login_account.xml". Notably, this key can be extracted from one app and utilized by another. | Manual |
| WebView Vulnerabilities | Examine WebView settings for potential vulnerabilities. | MobSF, Manual |
| Storage Issue | Inspect the external storage of various data for security concerns. | Manual, sqlite |
| Secrets | Examine various locations for sensitive data such as keys and passwords. | Manual, grep |