
Last presentation today: James Kennedy, the penetration tester. He's my favorite today.

We've got a short talk and there's a lot of content to cover, so I'm just gonna kind of dive right in. There's no way that I'm gonna be able to talk about every single tool that's out there, so I encourage you guys, after this, just go out and get familiar with the tools. I've split this up into three sections. In the first I'll go over kind of setting up a lab; the second section will dive into static analysis, and then after that we'll go a little bit deeper and touch on dynamic analysis. There's a lot in that section, so we're just going to kind of leave it at that. So, lab setup. Basically what I'm going to cover is black-box testing and how to get that set up for Android and iOS.

So here's kind of the things you're going to need. Start with Android: you really need a device that's rooted so that you have root access; that's going to allow you to do most of your tasks. You can get away with using emulators, but it's not as easy in some circumstances; there are applications out there that just are not going to run on an emulator for one reason or another. So when I start, I usually have a device ready to go, and maybe I start with the emulator. With iOS it's pretty much mandatory that you have a device, and you need to be able to get a jailbreak going on that device. There are the simulators if you have a Mac. And you need application proxying so that you can monitor network traffic. My go-to is Burp; I've been using that for years, it's my bread and butter. So you can do that, or there are alternatives, and I'll kind of walk you guys through how to get that set up a little bit.

So a little more detail for Android. Basically you just need two things when you get in here: the emulator and the tooling. Getting going, setting up the Android Debug Bridge, or ADB, is going to be key; it's got a ton of really powerful functionality. You can log on, push and pull files off there. adb connect is actually how you can connect the debug bridge to your device over Wi-Fi, so that might make your life a little bit easier if you don't feel like plugging it in and unplugging it all the time. You can drop to a shell over ADB, and there's a bunch of functions in there, so really get in there and play around with that. The Xposed framework is gonna kind of come into play later on in the presentation, but it gives us some runtime manipulation functions in certain circumstances, so I just go ...

iOS is a little bit more complicated. So if you've ever had a jailbroken device you're probably familiar with Cydia; this is going to give you guys access to a lot of packages and tools that are going to be important. The main ones are going to be aptitude and OpenSSH. With OpenSSH, obviously, you're going to be able to get into the device and play around with things in a shell environment. Most of the time your default password is going to be alpine, so if you do install OpenSSH and have that listening, you're going to want to change that password just for safety. BigBoss has a couple of key functions that are gonna come into play if you're testing these things; it includes wget and sqlite, so you can interact with some of those databases that are going to be on the device. The Advanced Commands library adds a couple more command-line tools, finger, ps, stuff like that, to the device. The installer is basically a command-line tool that lets you remotely ...
So that's how I feel about setting up the basic environment, so I can get into all these tools and start doing basic tasks. So now let's talk about static analysis. This part is basically my very first step when I'm finally ready to start taking apart an application and figuring out what's going on. Here what we're doing is just taking the package from the Play Store or the Apple store, or a third party, or from your customer, and we're just looking at the package, taking it apart, figuring out what we can glean: what information, what potential misconfigurations are there in the package just by itself. So for Android, here are my go-to tools that I'm going to walk you guys through. apktool is a powerful command-line utility that's going to let you unpack the APK file, which is the Android package, and take it apart; it's going to give you some low-level code, the smali. The Mobile Security Framework has been a go-to for me in terms of just quickly spinning up a GUI interface; it's really easy to use, you can get some really good information right off the bat just by dropping the APK into it. Bytecode Viewer, we're going to use that later to get the actual source code.

So iOS. iOS is a little bit different when it comes to static analysis because, unlike Android, we're dealing with an actual compiled binary, and so you kind of have to go to your reverse engineering tools to get any sort of information. These are kind of my go-to tools; they're going to give you some information, but it's not going to be great. The Mobile Security Framework is going to give you some of the same info in that GUI interface. So here's just some basic output from apktool. Usage: you just point it at your package and it unpacks everything, and the AndroidManifest, if you were to look at that, would give you tons of information about what's going on in the actual application; we'll show a little bit of that later. As you can see there's a directory that has all of your smali code, and this is a good way to see what's inside the package. This is actually an important step that I'd like to remind people of, because it looks like, okay, yeah, we got some stuff and this is pretty trivial, but I've actually found plaintext passwords, private keys, all kinds of goodies just sitting here in these packages, and these are production, these are on people's devices, right? So you don't ... what you want to make sure is that your clients aren't accidentally ...
All right, so now I'm gonna walk you guys through how I go about getting access to the source code for an Android application. Basically the first step: you just unzip the APK. This is different than apktool, which is actually doing some other procedures to get that smali code; you just unzip it, you're gonna get some different files, and one of the files that we get is this classes.dex, and that actually has the bytecode of the application inside there. What I usually go to is Bytecode Viewer, with just that one single command: I point it at my classes.dex file and that's it, I have source code. Here it's searchable; you can find all kinds of good stuff in here, you know, developer comments, cryptographic functions, hard-coded keys, all that kind of stuff. You really want to dive down and just see what's in there. It's not perfect; some decompilers do a better job than others depending on what you are actually running. For example, hybrid applications kind of have some stuff where I've found I have to change decompiler to get their classes to pop up, but for the most part this is the one I go to.

So now I'm going to talk about Mobile Security Framework, or MobSF for short. This is a powerful tool. I'm going to walk you guys through how to just get it up and running fairly quickly and just drop your applications in there. It will handle Android, iOS and Windows apps; I've never used Windows apps, but if you come across them, you know, this supports it. They have a Docker container out there on GitHub, and I'll have a reference slide at the end with all these tools and the different GitHub repositories where you can get all of this. Just two commands and it's up and running, on, you know, port 8000. All you got to do is open your browser there, and this is easy, you can just drag-and-drop your APKs or IPAs, which is the iOS package, and it's gonna do some analysis. Basically I use it for static analysis mostly, but it has a couple of other functions. They have a dynamic analysis toolkit built in where you're able to spin up an Android VM and try to do some analysis on it. I haven't had much luck using that, because I think it's an older version, so some of the newer applications aren't actually ... they have tools. But another cool thing that they've implemented is an API back-end. I don't have experience with this, but those of you who are looking to do some DevSecOps might look at this tool for integration into your pipelines, because you can automate uploading and just doing some basic analysis on your packages.

So here's what it looks like once we get the package analyzed. This happens real quickly. This is the Android output, and you can see there's just a ton of information about the package right there at your fingertips. Some of these are IPC mechanisms that we want to be aware of. If you see the providers over there, that's actually a database that the application is interacting with, and you can see that it's marked as exported, and that's important because if your database is exported then it can actually be interacted with by other applications on the device. So right off the bat we can just check and make sure that our application isn't having any ...
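An added example, not from the talk: a small shell script that triages an apktool output directory the way the speaker describes doing by hand, listing IPC components that are exported with no android:permission and grepping the decoded resources and smali for plaintext credentials and private keys. The sample manifest and files are constructed inline so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not the talk's own code): triage an apktool output dir
# (apktool d target.apk -o out/) for exported IPC and embedded secrets.
set -eu

# IPC components marked exported with no android:permission are reachable
# by any other app on the device (the exported-provider case from the talk).
exported_unprotected() {   # $1 = apktool output dir; prints component names
  grep -E '<(activity|service|receiver|provider)[[:space:]][^>]*android:exported="true"' \
       "$1/AndroidManifest.xml" \
    | grep -v 'android:permission=' \
    | sed -E 's/.*android:name="([^"]+)".*/\1/'
}

# Secret-looking material in decoded resources and smali: PEM keys and
# password/secret/api key assignments. Output is file:line:match.
secret_hits() {            # $1 = apktool output dir
  grep -rn -i -E 'BEGIN (RSA |EC )?PRIVATE KEY|(password|passwd|secret|api_?key)[[:space:]]*[=:"]' \
       "$1/res" "$1/smali" 2>/dev/null || true
}

# Constructed sample tree standing in for real apktool output, so this runs offline.
make_sample() {            # prints the sample dir
  d=$(mktemp -d)
  mkdir -p "$d/res/values" "$d/smali/com/example"
  cat > "$d/AndroidManifest.xml" <<'EOF'
<manifest package="com.example.app">
  <application>
    <provider android:name="com.example.NotesProvider" android:authorities="com.example.notes" android:exported="true"/>
    <service android:name="com.example.SyncService" android:exported="true" android:permission="com.example.SYNC"/>
    <activity android:name="com.example.MainActivity" android:exported="false"/>
  </application>
</manifest>
EOF
  printf '<resources><string name="api_key">CONSTRUCTED-SAMPLE-KEY</string></resources>\n' \
    > "$d/res/values/strings.xml"
  printf 'const-string v0, "password=hunter2"\n' > "$d/smali/com/example/Config.smali"
  echo "$d"
}

main() {
  dir=${1:-$(make_sample)}   # pass a real apktool dir, or fall back to the sample
  echo "== exported without permission =="; exported_unprotected "$dir"
  echo "== possible secrets ==";            secret_hits "$dir"
}
main "$@"
```

Run it with no arguments to see the sample hits, or pass the directory apktool wrote for a real package.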
There's a ton of other options here; I encourage you guys to come play with it, it's really good. But the best part of this is that all that stuff we did with finding the source code, it does it for you automatically for native applications, and it's searchable, so you can just search for "password" and here's all the Java files where they found that. So you can quickly drop the package in and start searching source code right off the bat. Here's the iOS output. Like I said, the analysis on iOS isn't as good, but it's still going to give you some base information to start fingerprinting and going off of, and it has a couple of the reverse engineering things built in: you can see there's a class-dump, you can run strings. This view of Info.plist is actually kind of similar to the Android manifest that I talked about earlier, where it has some basic configuration information and you can view that to see what's going on. So those are kind of my go-to initial steps for static analysis.

Now dynamic analysis. This is kind of where the fun begins, so we'll start with a bit about, you know, hacking, and I'm going to go over some tools and techniques: first a proxy, and then some tools. So proxies: this is just your basic Burp proxy. If you're using physical devices you want to have Wi-Fi access so that you can point your physical device at your proxy, and you want to make sure ... normally by default Burp is listening on localhost, so you want to edit it to make sure that it's pointed at that Wi-Fi IP address. So you've set it up and got it listening. For Android, getting it set up on a device that is running below Nougat is pretty straightforward. What you got to do is get the Burp root CA on the device, and you can just go through the device's actual UI and settings. This adb push is just putting that CA on the device, and then you can just point your Wi-Fi proxy settings at it and you're good to go. Unfortunately, in Nougat and everything above, Android's a little bit harder: they stopped implicitly trusting user-installed CAs on the device, so we can't just put it on the device and configure it really quickly. There's basically two options, and I usually go for the first option because you do it once and it's done, and what we have to do is install the CA on the system partition as a system CA. So basically we're trying to install ...

There's a really good blog out there on ropnop, and I'll link this at the end, check it out; it goes into this more in-depth. But here's the basic things that we have to do: we have to convert the certificate into the format that Android is expecting, we have to remount our system partition so that it's actually writable, and then we push the cert onto there, move it into the correct directory, and then set the correct permissions. This can actually be a little complicated on emulators; a lot of times people will try to do the same thing and you actually have to use a specific ... If you're gonna do an emulator you can list out your AVDs, which is gonna give you a list of the emulators that you have available, and you can actually boot it with a writable system partition. So if you find yourself using an emulator and trying to go down this route ... it took me a while ...
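The system-CA steps just listed (convert, remount, push, move, set permissions) as an added shell script; this is my own code, not the talk's or the referenced blog's. It assumes adb and openssl on PATH, a test device whose su grants root, and a DER export of the proxy CA; the file names and paths are constructed.

```shell
#!/bin/sh
# Added example (not the talk's own code): put a proxy CA (Burp exports DER)
# on the system partition of a rooted Android 7+ test device, following the
# steps the talk lists: convert, remount, push, move, chmod. Assumes adb and
# openssl on PATH and a device that grants su. Paths here are constructed.
set -eu

ADB=${ADB:-adb}
CACERTS=/system/etc/security/cacerts

# Android's system store wants PEM named <subject_hash_old>.0 (old-style hash).
convert_cert() {          # $1 = DER from Burp; prints the local path to push
  tmp=$(mktemp)
  openssl x509 -inform DER -in "$1" -out "$tmp"
  h=$(openssl x509 -in "$tmp" -subject_hash_old -noout)
  mv "$tmp" "/tmp/$h.0"
  echo "/tmp/$h.0"
}

# Device-side steps for a prepared <hash>.0 file, emitted as text so the list
# can be reviewed (or tested) before anything touches the device. On an
# emulator started with -writable-system, use "adb root; adb remount" in
# place of the su -c mount line.
system_ca_steps() {       # $1 = local <hash>.0 path
  src=$1
  name=$(basename "$src")
  cat <<EOF
$ADB push $src /sdcard/$name
$ADB shell su -c "mount -o rw,remount /system"
$ADB shell su -c "mv /sdcard/$name $CACERTS/$name"
$ADB shell su -c "chmod 644 $CACERTS/$name"
$ADB reboot
EOF
}

install_system_ca() {     # $1 = DER cert; DRY_RUN=1 prints instead of running
  pem=$(convert_cert "$1")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    system_ca_steps "$pem"
  else
    system_ca_steps "$pem" | sh -e
  fi
}

if [ $# -gt 0 ]; then install_system_ca "$1"; fi   # usage: DRY_RUN=1 ./ca.sh burp.der
```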
All right, so iOS. We don't have to deal with any of that, which is awesome, because Burp has this Mobile Assistant app which is just beautiful. You can just point your proxy settings in here, point it to your Burp instance, toggle it on and off, you can install the CA cert, all from this iOS app. And down here you notice this injected app section: this is actually, if you point Burp Mobile Assistant at your target application, it'll actually bypass the SSL pinning on that app for you, so it makes it super easy. And I have that asterisk up there because I have actually had at least one or two apps where this wouldn't bypass the SSL pinning, kind of hints on how that's set up, but for most cases it makes it super easy. Also there were a couple of caveats: it doesn't work on later iOS versions, it only works on 10 and below, so if you have a device that's ...

All right, so with that said, that's how I go about setting up the proxy. If you can't get Burp Mobile Assistant on iOS, it's pretty similar to Android: you just go through the UI and then point your proxy settings in the network settings. Now I'm going to move on; I'm going to talk about a couple of tools that are going to help us do a little bit more in depth. So MWR Labs has a tool called Needle. It's a command-line interface, and it's been around for quite a while; it's pretty useful. You just have to install the agent on the device, and it will give you some settings and you have access to all these modules, and it makes doing some of these tasks a little bit simpler. These modules are just built in; you can see there's a class-dump module and some other modules. There's some more powerful options that I like to keep in mind: it has this dynamic monitoring where you can actually monitor the clipboard or whatever files are being touched by the application, and it'll actually alert you if it sees them, and it has its own built-in bypass, which can be useful. So for iOS this is a good option. MWR has another kind of brother of it called drozer, which is the same thing but for Android, and it has a lot of the same kinds of modules. I don't find myself using this one as much because you already have ADB, which is pretty powerful; you know, you can just drop to a shell immediately, pull your files, and you can interact with IPC in this as well. So check it out if you want; it's definitely useful.

So these are some of my favorites, actually, when I'm thinking about actually having to get down and dirty with iOS and doing some dynamic analysis stuff. Frida is one of my favorite tools; it's so useful, and you pick it up pretty quickly, and it's pretty powerful. This one can do a lot. The other thing I'll talk about is Inspeckage, but with Frida you have SSL pinning bypasses, local authentication is a breeze to bypass with this one, you can do all sorts of stuff. One of the coolest things is a Burp extension called Brida; what it really does is it creates a bridge between Burp and Frida, so if you're running into an app that's doing cryptography and you're seeing requests with just a lot of crypto in there or something like that, it'll actually let you hook into the functions that are already there and have them decrypt that data and then re-encrypt it. There's also a GitHub repo that I have linked at the end here called awesome-frida, which is basically a curated repo of a bunch of different Frida scripts that do all these things, SSL pinning bypasses that work for various situations.

Inspeckage is a little bit less known, and it's an Xposed module, for Android only. This is what it looks like on the device: basically you point it at your target app, set up the ADB port forwarding, and kind of hook into and monitor the application at runtime. So here's the dashboard that you're going to see if you get it all set up. It's going to give you a ton of information about the package up there at the top; you can access logcat, screenshots, and you can see these little notifications that actually prompt you: okay, this application is running some crypto functions, it's making HTTP requests, it's accessing the file system, you know, whatever you're kind of interested in; you can look at it, you can actually do ...

So those are my two go-to dynamic analysis tools. That's kind of all I actually got for tools and techniques. There's some references I ...