Methodologies for Mobile Penetration Testing
Through research initiatives, Praetorian has created a thorough mobile testing methodology. Using a combination of manual review and dynamic analysis along with custom automated fuzzing, Praetorian's Mobile Security Testing covers storage protection, transport protection, authentication, authorization, session management, data validation, and error and exception handling. For open mobile platforms such as Android, mobile applications are also decompiled to maximize understanding and testing coverage. For closed platforms such as BlackBerry OS and iOS, source code is often requested to accompany the engagement, or the binaries are instrumented and reverse engineered at runtime.
Praetorian begins the assessment by evaluating data protection controls on the client device. In particular, Praetorian will examine where and how the application manages sensitive information, whether the application properly uses native platform APIs such as the system key store, and whether dangerous client artifacts such as user credentials, personal information, or any other sensitive application data are unintentionally or insecurely stored on the device. As part of this analysis, consultants will also examine process memory to confirm that sensitive data is erased once the application no longer needs it. Additionally, Praetorian will review the communication between the mobile application and any remote systems or services. Traffic analysis will focus on uncovering vulnerabilities related to information disclosure (for example, sensitive data sent in cleartext), tampering, and spoofing.
Once the analysis of transport- and storage-level data protection controls has concluded, Praetorian will transition to authentication and authorization testing. During this phase of testing, activities include, but are not limited to, an examination of the implemented authentication protocols, certificate validation, password policy enforcement, and account lockout mechanisms. In addition to assessing how the application performs authentication, Praetorian also evaluates how the application segregates functional roles and applies authorization concepts such as the principle of least privilege. Authorization testing will also assess how data access controls are enforced and whether authorization corner cases such as confused deputy conditions are present. During this testing phase, Praetorian will attempt to access hidden functionality in both the client and the server, in addition to attempting to escalate privileges. As an example, Praetorian may determine how data is retrieved from the server for different users and use this information to replay or manipulate the request (for instance, by substituting another user's identifier) to gain access to another user's data.
In cases where the application communicates with a remote system or service, Praetorian's testing will evaluate how session management is performed. In some cases the application simply maintains a persistent connection (e.g., a socket). If the application uses a persistent socket, Praetorian will check what happens when the connection is severed, for example because the device cannot carry data and voice at the same time or because the application is backgrounded by multitasking, and whether the session is re-established securely. In other cases, the application may implement a session identifier to uniquely identify the user for the duration of the session. For such cases, Praetorian will examine the identifier's entropy, length, timeout, and rotation to determine the application's susceptibility to preset identifiers, brute force, session fixation, and other related vulnerabilities.
Data validation is another important aspect of our testing. Praetorian will identify any open ports, interfaces, IPC channels, or other input paths that can be leveraged by an attacker or a malicious application on the same device. Fuzz testing will be performed on the exposed interfaces to examine how the application handles malformed input. The objective of this process is to determine the extent to which the application performs filtering, sanitization, and validation. Vulnerability categories in scope include, but are not limited to, cross-site scripting, SQL injection, command injection, mishandled exceptions, and memory corruption vulnerabilities that can lead to remote code execution or a denial-of-service condition.
As vulnerabilities are discovered, Praetorian will attempt to demonstrate the practical exploitability of each finding in service of the two primary objectives of the assessment: 1) obtain unauthorized access and 2) retrieve sensitive information. Using commercial, open source, and proprietary tools, Praetorian follows a structured testing methodology to make the mobile application assessment as efficient as possible.