Chapter 5 Mobile Device and Application Testing


iOS is based on Darwin (www.puredarwin.org), an open-source, Unix-based OS that was first released by Apple in 2000.

(IOS)

This was a mainframe operating system developed by the Massachusetts Institute of Technology (MIT), General Electric (GE), and Bell Labs back in the 1960s. The operating system was written in assembly language and designed to support the concept of single-level memory.

(Multics) Multiplexed Information and Computing Service.

Each ASCII storage element is an

8-bit byte

sets the variable type based on an assigned value

A data type (Basic Scripting)

mobile operating system based on the Linux 2.x and 3.x kernels

ANDROID OPERATING SYSTEM (android)

is one level higher than binary and allows computer programs to be written a little faster using symbolic operational codes instead of a sequence of bits.

Assembly language (or Assembler)

MobSF evaluates the DVIA application for potential vulnerabilities using security development best practices. As we discussed earlier in the chapter, software assurance testing helps provide assurance that the software is free and clear of bugs, and binary analysis is a way to evaluate bugs in compiled software.

Binary Analysis

is the app store for "jailbroken" iDevices

Cydia Package Manager

is the reverse of this process, where the end point decodes the message and transforms it back into the original format.

Decoding

is used to determine the next step in the programming process, based on a given response.

Flow control (Basic Scripting)

repeats a procedure as long as the statement is true.

Looping (Basic Scripting)

are flat files stored on the file system

SQLite databases (.db)

The assembly statements put everything together and tell the processor what to do specifically. Each statement consists of an instruction (mnemonic, or symbols) to be executed and the parameters of the command. Assembly statements have the following format:

[label] mnemonic [operands] [;comment]

Users interact within the ____ layer. This layer is also home to the native system apps that are installed by default, such as the calendar, camera, and email apps. Android applications are developed in Java.

application layer (android)

Wondershare and Kingo

are two of the more popular methods of tethered and untethered (one-click root) capabilities that can assist with rooting an Android device.

variable is always the same and cannot be changed during program execution.

constant (Basic Scripting)

interfaces with built-in hardware components of the device. The native C and C++ libraries provide support for applications developed in native code, such as HAL and ART.

hardware abstraction layer (HAL) (android)

is an iOS application security assessment tool developed by Daniel Mayer.

idb

are used to substitute a value until it can be defined.

substitutions (Basic Scripting)

is a small integrated circuit that connects together common components that make up a mobile device, such as
• Central processing unit (CPU)
• Graphical processing unit (GPU)
• Random access memory (RAM)
• Read-only memory (ROM)
• Modem
It is designed to reduce overall system costs, increase performance, and lower power consumption.

system on a chip (SoC)

is used for keeping the code and instructing the kernel where program execution starts.

the .text section

Applications run their own processes within a virtual machine (i.e., an instance of ART, which is short for Android Runtime), as if they were separate user accounts with separate home directories. This provides isolation among all the other applications running on the device.

(android)

Assembly programs written in ARM assembly, 8086 assembly, etc., are divided into three main sections:

.data, .bss, and .text.

Cyber Security Engineering: A Practical Approach for Systems and Software Assurance (Addison-Wesley Professional, 2016) provides seven principles that can help organizations achieve confidence in software products developed in the technology world of today:

1. Risk drives assurance decisions.
2. Align risk across all interconnected technology and organizational elements.
3. Software dependencies should be validated and proven trustworthy.
4. Plan for cyber-attacks.
5. Implement defense-in-depth security practices.
6. Assurance should adapt to change.
7. Organizations should measure assurance effectiveness.

1. ______ is a debugging method used to examine source code, bytecode, and binaries without execution. Static analysis helps conduct a security code review, identify the structure of the program, and map the application functionality. 2. In the context of application testing, this process is also known as

1. Static Analysis 2. static application security testing (SAST)

is a type of hardware mechanism used for debugging and connecting to embedded devices on a circuit board.

A JTAG, which stands for Joint Test Action Group (IOS)

is a reverse-engineering framework for disassembling and rebuilding Android applications. It provides a graphical user interface, code editor, and APK signing feature so you can modify code and repackage it if necessary.

APK Studio application (Static Analysis)

considered high level, as the syntax in the source code is far easier to read, and are several steps removed from the code run on the computer processor.

C, C++, Objective-C, and Swift,

the ___ is used for decision logic and the __ is responsible for visual processing.

CPU, GPU

is a decryption tool that supports all versions of iOS. Clutch helps you disassemble the already installed applications from the Apple App Store on your iDevice into IPA files to use for static analysis.

Clutch

• Untethered: The device can be powered on and off without the help of a computer.
• Tethered: A computer and software are required to boot the jailbroken device each time.
• Semi-tethered: If the device is rebooted, you will need to jailbreak the device again to patch the kernel using a computer.
• Semi-untethered: This is the same as semi-tethered but can be accomplished using the jailbreak app that is already installed on the iDevice.

Common iOS Jailbreaks

is a security auditing framework for Android that can help pentesters identify vulnerabilities and validate them with exploitation.

Drozer (android)

This forces mobile applications to use Hypertext Transfer Protocol Secure (HTTPS) to encrypt data in transit.

During static analysis of iOS applications, you can check that App Transport Security (ATS) is enabled.

is the process of executing and testing a program in real time, also known as dynamic application security testing (DAST).

Dynamic and runtime analysis

is a type of black-box testing methodology used to evaluate the security effectiveness of an application (mobile or web) from the outside by investigating its running state.

Dynamic and runtime analysis (DAST)

To conduct static analysis on the iOS application, you must first obtain the

IPA file

functions are necessary to communicate what the program is doing and what the program needs in order to successfully execute.

Input and output (I/O)

is the process of exploiting a software vulnerability in iOS that enables low-level execution with elevated privileges (i.e., root) to bypass the security mechanism in iOS.

Jailbreaking (IOS)

• Hardware security
• Secure boot (secure boot chain)
• Code signing
• Sandbox
• Encryption and data protection
• General exploit mitigations

OWASP Mobile Security Testing Guide summarizes the six core features of the iOS security architecture to be

___ provides temporary memory storage for applications, and ___ provides the long-term storage, such as for firmware and operating systems.

RAM, ROM

REVIEW CHAPTER 5 AGAIN AND TRY TO DO PRACTICE EXERCISES FOR MOBILE APP TESTING

This type of testing occurs against the end point that the mobile client communicates with, such as a web application server. Some of the tools used to conduct this type of testing include Nessus, Burp Suite, and Nmap. The primary objective is to leverage the access from the mobile client for vulnerability identification and exploitation. Test cases include:
• Look for default credentials
• Evaluate session timeouts for the client on the server
• Test for input validation flaws, like command or SQL injection
• Look for exposed web services through Web Services Description Language (WSDL) documents

SERVER-SIDE TESTING

card is unique, and is required in order to identify and authenticate a user's device on the cellular network.

SIM (subscriber identity module)

have a limited storage capacity (up to 256KB) and contain information regarding the user's identity, location, network authentication data, phone number, stored contact lists, and even stored text messages. Setting a SIM personal identification number (PIN) on the mobile device can help protect your data in the event the device is lost or stolen.

SIM (subscriber identity module)

is a restricted area where applications are executed from. It is a general mitigation technique to prevent escalation attacks. If an application were to be compromised, the damage would be limited to the data managed by the vulnerable application and possibly the data from other applications, like your Contacts, depending on the access restrictions enabled by the iOS user.

Sandbox (IOS)

two Advanced Encryption Standard (AES) 256-bit encryption keys included on every iDevice, called group ID (GID) and unique ID (UID) values.

Security (IOS)

is a type of assembler, and Smali files are created when disassembling Dalvik executables (DEX), which are included in APKs.

Smali

is a multistep process of identifying vulnerabilities in software due to flaws in the programming logic. The objective is to ensure the processes and procedures follow certain coding standards to provide a level of confidence that the product is free from bugs.

Software assurance testing

• Disassembling and decompiling the application from its original format (IPA or APK)
• Looking for information disclosure weaknesses, such as hard-coded credentials
• Evaluating the use of custom encryption protocols and configurations
• Analyzing files and application permissions

Static code analysis entails multiple test cases, to include

section stores uninitialized variables

The .bss section

section is used for declaring initialization data and constants, which don't change during runtime, such as filenames and buffer sizes.

The .data

is a GUI used to install IPA files to the iDevice. Jailbreaks are packaged as an IPA, and the Impactor tool is used to transfer the jailbreak over to the device for installation.

The Cydia Impactor tool

• Class Dump
• Wget
• IPA Installer Console
• OpenSSH
• Filza

The Cydia home screen provides access to features including user guides, themes that can be installed on the device, repositories (repos) for useful packages, and the ability to search for a package you want to install from a repo. Some basic tools you may want to search for and install from the preconfigured repos are

is used to prevent modification to firmware files, outside of the user's private data.

The GID key (IOS)

is used to compile a program's source code into an executable format for a given processor type (i.e., Intel or AMD).

The GNU Compiler (GCC)

intents, binders, and broadcast receivers

The IPC mechanisms in Android include

is an all-in-one, automated pentesting framework for mobile applications for Android, iOS, and Windows platforms.

The Mobile Security Framework (MobSF)

provides developers and security researchers with a list of known security development flaws, vulnerable code, and test cases for languages such as Java, C, etc.

The NIST Software Assurance Reference Dataset Project (SARD)

Test cases are grouped together into specific methods of testing to include static analysis, dynamic and runtime analysis, communication channel, and web services and API. Each method can be executed independent of the other.

The OWASP Mobile App Security Checklist

• Activities: Parts of the application the user can see
• Fragments: A behavior that is placed in an activity
• Intents: Used for sending messages between other components
• Broadcast receivers: Allow an application to receive notifications from other apps
• Content providers: A SQLite database to store data in the form of a flat file
• Services: Used to start intents, send notifications, and process data

The primary components of an Android application are (android)

entails stringing together a sequence of characters to transfer data in an efficient manner. You can encode different types of data formats, such as string, binary, hexadecimal, etc.

The process of encoding

low-level (machine-dependent) and high-level (machine-independent).

There are two levels of programming languages:

• Brute-force the PIN or pattern lock on the device
• Binary attacks against the mobile app to escalate privileges
• Client-side injection attacks (e.g., SQL injection)
• Assess application functions when the PIN or pattern lock on the device is not enabled
• Copy and paste buffer caching
• Sensitive information stored in memory
• Evaluate shared application data storage

This type of analysis includes

is used to execute multiple tasks in parallel in order to optimize the speed and efficiency of program execution.

Threading

are placeholders in memory that contain a value.

Variables (Basic Scripting)

is the development framework used for developing iOS applications in Swift or Objective-C on macOS.

Xcode

machine code is dependent on the processor type

bytecode is platform independent, such that it can be executed from within its native language, regardless of the type of processor.

Applications developed for Android are stored in the Android Package Kit (APK). Since Android applications are Java-based, an APK is in a Java Archive (JAR) format and includes a manifest file (AndroidManifest.xml), which embeds the contents in a binary XML format.

iOS applications are stored in the iOS App Store Package format, or IPA for short, which is a ZIP-compressed archive.

• Cocoa Touch: User interface (UI) framework for developing software apps, like games, to run on iOS
• Media Services: Provides audio, graphics, video, and over-the-air (AirPlay) capabilities
• Core Services: Fundamental services like networking, file access, address book, etc.
• Core OS: Provides OS functionality such as power management, file system, etc.

iOS is a layered architecture that is made up of four levels of abstraction:

is a function that is a part of an object

method (Basic Scripting)

Objective-C and Swift are high-level programming languages specifically for Apple operating systems like iOS (https://developer.apple.com), whereas the low-level programming language C is used for operating system and kernel development. Swift is a modern development language, and the code resembles the English language more so than Objective-C.

programming languages (IOS)

Every iOS application uses a _____ which is typically encoded using the Unicode UTF-8 encoding, and the contents are structured in XML. A plist is used to store configuration data about the app. These files are subject to information disclosure attacks and can be modified to bypass application restrictions.

property list (plist) file

Partition   File system type                 Purpose
/           rootfs                           RAMDISK
/system     ext4                             contains the entire OS, except the kernel and RAMDISK
/data       ext4                             contains user and installed app data
/cache      ext4                             where Android stores frequently accessed data
/storage    FUSE (Filesystem in Userspace)   contains internal (emulated) and external (SD card) storage locations

Apple uses an Apple Root CA (Certificate Authority) certificate, which is loaded in read-only memory (boot ROM) for verifying other certificates to establish explicit trust relationships. Each step of the boot process contains components that are cryptographically signed by Apple. This signature represents a chain of trust and is verified every time the device is booted to ensure the device has not been tampered with.

secure boot chain. (IOS)

provides foundational services to other components within the platform, such as drivers, memory management, display functionality, etc.

the kernel (android)

allows mobile devices to communicate over cellular networks, using basic phone services to make phone calls and send text messages.

the modem

are created during manufacturing and are unique to every device. They are used in conjunction with passcodes (the magical code used to protect initial entry to the device or when installing new software) and other data protection mechanisms for file encryption and decryption.

unique ID (UID) (IOS)

In 1974, Jerome H. Saltzer published an article called "Protection and the Control of Information Sharing in Multics," which helped to influence some basic security principles of code development that are still followed today. The key software protection mechanisms it describes include

• Access control lists
• Hierarchical control of access specifications
• Identification and authentication of users
• Memory protection

OOP is made up of the following basic concepts:

• Object: Specific instance of a class that defines the data values
• Class: Defines variables and methods of any object of the class
• Inheritance: Allows a new class (subclass) to be created from an existing class (superclass)
• Polymorphism: Ability to process an object differently, based on its data type
• Abstraction: Used to hide unnecessary data about an object to reduce complexity
• Encapsulation: Used to implement abstraction and restrict access to object components

