EuroSTARonline:Top Mobile Security Testing Techniques with Paco Hope

  • #4091
    Ronan Healy
    Keymaster
    @ronan

    If you have any questions for Paco or any comments on his EuroSTARonline presentation, you can post them here.

    Looking forward to your thoughts

    You can view the webinar recording here.

    #4094
    Gita
    Participant
    @gita

    Is there any guide somewhere that would help me setup proxies to iOS / Android apps?

    #4095
    alt
    Participant
    @alt_lv

    Thanks for the presentation 😉
    It was easy to follow in combination with Stephan giving the intro steps to mobile testing; I also recently had an intro training in security testing for web apps. I enjoyed this.

    My question would be: what else, aside from a proxy, could be used by not very technical people? You mentioned getting the sources (parsing class files to Java etc.).

    is there something else cool to look into, that you could suggest? 🙂

    -^. ^=-
    ~~ ~~

    #4096
    Daragh
    Participant
    @daraghm

    Hi Gita & Alt, Paco will be available to answer your questions once the live Q&A discussion ends at 1PM (BST).

    I hope you enjoyed the session 🙂

    #4097
    Andy
    Participant
    @ashaw100

    Thank you for the presentation. Like Stephan's presentation earlier, it was excellent, and combined with his presentation it gave a valuable insight into how to test mobile devices and software.

    A question I have is: are there any simulators you would recommend for testing Android/iOS phones? And how much of the testing should use simulators?

    Thanks

    #4098
    Paco
    Participant
    @pacohope

    Here are a few links to some of the things I mentioned in my talk:

    • OWASP Top Ten Mobile Security Risks is a list of mobile risks that are worth considering. Remember that your own stakeholders are what really matter. This is just a starting point.
    • Proxies
      • Zed Attack Proxy is a good proxy and free.
      • Charles Proxy is what I used during my presentation. It is commercial. This is not an endorsement. Just the tool that I use.
      • Burp Proxy is another, commercial HTTP proxy that is popular among security testers.
    • Go Mobile Add-on for Firefox. Simply sets your User Agent header to be a mobile header, so that web servers often send you the mobile version of their content. Only useful for mobile web sites. Not useful for testing the web services side of a mobile app.

    Happy to answer your questions.

    #4099
    alt
    Participant
    @alt_lv

    aaw but i like it here 😀

    -^. ^=-
    ~~ ~~

    #4100
    Andy
    Participant
    @ashaw100

    Thanks

    #4101
    alt
    Participant
    @alt_lv

    Daragh – i see some cool questions/answers in the chat transcript – any chance the info gets stored here somehow?

    -^. ^=-
    ~~ ~~

    #4102
    Paco
    Participant
    @pacohope

    For iOS the only one is the built-in simulator that comes with Xcode.

    For Android, it's the Android emulator or Genymotion.

    #4103
    Daragh
    Participant
    @daraghm

    Hi Alt,

    Yes, we have the whole transcript saved, so we'll look at sharing the views and opinions expressed here on TEST Huddle 🙂

    #4104
    alt
    Participant
    @alt_lv

    Awesome! THANKS Daragh 😉

    -^. ^=-
    ~~ ~~

    #4105
    Andy
    Participant
    @ashaw100

    With mobile security testing, would anyone know what "jailbreak" means again, please?

    Thanks

    #4106
    Paco
    Participant
    @pacohope

    Here's an article on using Charles Proxy with an iPhone: http://www.charlesproxy.com/documentation/faqs/using-charles-from-an-iphone/. That's a fine tutorial. The instructions are largely the same for Android, just finding the equivalent settings.

    Once you have your mobile device routing through the proxy, all the standard guidance on how to use a proxy applies.

    #4107
    alt
    Participant
    @alt_lv

    Andy -> http://www.wikiwand.com/en/Jailbreaking_(iOS) (thanks to Stephan 🙂 )

    -^. ^=-
    ~~ ~~

    #4108
    Andy
    Participant
    @ashaw100

    Cheers 🙂

    #4110
    Paco
    Participant
    @pacohope

    Andy: The thing with iOS is that, unless you jailbreak the phone, you can’t install any software other than via the Apple store. This is intended to be a feature and Apple works hard to prevent people from being able to bypass their security restrictions. As an end user I never jailbreak my personal devices because it’s risky. As a tester, however, jailbreaking allows you to get under the bonnet of an app and find out what it’s doing. For example, you can see local storage, API calls, and other behaviours. This is important from a testing point of view because we care what’s really going on under the hood. I think it is of dubious value to end users, though. Because it opens an iOS device to the same sorts of malware and mischief that occur on Android, which they’d otherwise be protected from if they didn’t jailbreak.

    #4111
    Paco
    Participant
    @pacohope

    alt: The other sorts of resources I recommend are things like the various cheat sheets at OWASP. For example, the XSS cheat sheet is a bountiful harvest of strings that you can use as test input to test for XSS. And when we talk about webview apps and/or hybrid apps that use HTML5/JavaScript as their UI layer, suddenly cross-site scripting moves from a web server concern to an actual code-running-on-the-mobile-device concern. If your app has JavaScript APIs into native functions, and I can make your app run MY JavaScript, it can do things you don’t want it to do.

    On Android, APKs are nothing more than zip files. They're signed Java packages. You can unzip them, decompile them, and produce .java files from .class files. At that point, security-critical things like passwords, encryption keys, enrolment tokens, and more are all visible. So someone can just download the APK off the Google Play store, extract your source code, and look for interesting secrets that the developers thought were "hidden" in it. Fun times.

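    As an added illustration of the point above (example code written for this page, not Paco's or any project's tool): an APK is opened as an ordinary zip archive and every entry is scanned for secret-shaped strings. The sample "APK" is constructed inline and uses plain-text stand-ins for the manifest, resources and classes.dex; in a real package the manifest and resources are binary-encoded and the DEX file would normally be run through a decompiler first, but string constants sit in the clear in all of them, which is what the scan relies on. The regexes, entry names and sample values are all assumptions made for the example.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Patterns for the kinds of hard-coded secrets that show up in extracted APK content.
# These are illustrative; a real review would use a broader, tuned rule set.
SECRET_PATTERNS = [
    # key-ish name followed by =, : or > and a value of 8+ token characters
    re.compile(r'(?i)(api[_-]?key|secret|password|passwd|token)["\']?\s*[=:>]\s*["\']?([A-Za-z0-9_\-./+=]{8,})'),
    re.compile(r'AKIA[0-9A-Z]{16}'),                      # AWS access key id shape
    re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),    # embedded private key
]


def build_sample_apk() -> bytes:
    """Constructed sample APK: a plain zip with text stand-ins for the usual entries.
    Values are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", '<manifest package="com.example.demo"/>')
        z.writestr(
            "res/values/strings.xml",
            '<resources>\n'
            '  <string name="app_name">Demo</string>\n'
            '  <string name="api_key">sk_live_0123456789abcdef</string>\n'
            '</resources>',
        )
        z.writestr("assets/config.json",
                   '{"enrolment_token": "tok-9f8e7d6c5b4a3210", "debug": false}')
        # A DEX file keeps string constants in the clear; this stand-in mimics that.
        z.writestr("classes.dex",
                   b"dex\n035\x00" + b"\x00" * 16 + b'password="Hunter2Hunter2"' + b"\x00" * 8)
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")   # signature block, not a secret
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """Unzip an APK in memory and return (entry name, matched text) for every
    secret-looking string. Binary entries are decoded leniently so that string
    constants embedded among non-text bytes are still searched."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8", errors="ignore")
            for pattern in SECRET_PATTERNS:
                for match in pattern.finditer(text):
                    findings.append((name, match.group(0)))
    return findings


if __name__ == "__main__":
    for entry, hit in scan_apk(build_sample_apk()):
        print(f"{entry}: {hit}")
```

    Pointing `scan_apk` at a real file is just `scan_apk(open("app.apk", "rb").read())`; the point of the exercise is that nothing here needed a jailbroken or rooted device, only the package that the store hands to every user.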
    #4113
    Afreen
    Participant
    @ahossain

    You need to install the certificate and add the host in SSL under proxy settings to catch HTTPS calls. Like Paco said, Charles has pretty good documentation on it.
    @Paco: There are a few extensions in web browsers that allow you to test for SQL injection or cross-site scripting, like Inject-me and XSS-me in Firefox. Do you know about anything similar for mobile?

    #4115
    Paco
    Participant
    @pacohope

    @ahossain: I don’t know of any automations against the client-side code running on the mobile device. That’s one of the big difficulties of the mobile platform at the moment. We’re kinda lucky to have the simulators and emulators.

    I also think it's important to distinguish between client-side concerns and server-side concerns. The server side is the one where we care about SQL injection and XSS (except in the rare case I mentioned above, where you have a badly-implemented webview app). Mobile apps have dramatically different security concerns. And we test the mobile server services for XSS and SQLi the same way we've always tested web services for those issues.

    Popular mobile risks are things like data disclosure, weaker security controls than our web channels (e.g., the web requires 2-factor auth, but the mobile doesn't) and trusting the app to do authorization (e.g., assuming that if we tell the mobile app that it's logged in as a low-privileged user, it will not generate a high-privileged request, thus we omit the authorization check on the server side). We need to make sure we're covering the new situations that we've never had to deal with before, as well as all the old server-side stuff that's still there.

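    The two server-side risks in the post above, trusting the app's claim about its own privilege level and relaxing the second-factor requirement for the mobile channel, as an added example (written for this page; not Paco's code and not from any real service). The session store, request shape, endpoint path and user names are constructed for the example; the vulnerable handler and the fixed handler are shown side by side so the difference is the server's source of truth, not anything the client sends.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed session store: what the server itself established at login, keyed by
# session token. "mfa" records whether the second factor was completed for that session.
SESSIONS: Dict[str, Dict[str, object]] = {
    "sess-alice":      {"user": "alice", "role": "user",  "mfa": True},
    "sess-bob":        {"user": "bob",   "role": "admin", "mfa": True},
    "sess-bob-mobile": {"user": "bob",   "role": "admin", "mfa": False},
}

ADMIN_PATH = "/admin/users/delete"   # hypothetical high-privilege endpoint


@dataclass
class Request:
    session: str
    path: str
    channel: str                               # "web" or "mobile", as the client labels itself
    body: Dict[str, str] = field(default_factory=dict)


def handle_vulnerable(req: Request) -> int:
    """Server that trusts the app. The role is read from the request body, and the
    second-factor check is waived whenever the client says it is the mobile channel.
    Anyone who captures a request in a proxy can set role=admin and channel=mobile."""
    if req.session not in SESSIONS:
        return 401
    if req.path != ADMIN_PATH:
        return 404
    if req.body.get("role") != "admin":        # client-supplied claim
        return 403
    if req.channel == "web" and not SESSIONS[req.session]["mfa"]:
        return 403                             # mobile requests skip this check
    return 200


def handle_fixed(req: Request) -> int:
    """Server that authorizes for itself. Role and MFA state come from the session
    record the server created at login, and one policy applies to every channel.
    Body fields and the channel label play no part in the decision."""
    sess = SESSIONS.get(req.session)
    if sess is None:
        return 401
    if req.path != ADMIN_PATH:
        return 404
    if sess["role"] != "admin" or not sess["mfa"]:
        return 403
    return 200


if __name__ == "__main__":
    tampered = Request("sess-alice", ADMIN_PATH, "mobile", {"role": "admin"})
    print("vulnerable:", handle_vulnerable(tampered))   # accepted
    print("fixed:     ", handle_fixed(tampered))        # refused
```

    The tampered request is exactly what a tester produces with the proxy setup discussed earlier in the thread: log in as the low-privileged user on the device, intercept the request, and edit the role or channel fields before forwarding it. If the server answers 200, the authorization lives in the app and not on the server.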
    #4138
    Padmaraj
    Participant
    @padmaraj

    Hi,

    I totally agree with @Paco's point of view on the OWASP Top Ten Mobile Security Risks, because a hacker can attack from any weak place in the overall IT infrastructure.

    I still love to use "Fiddler" from time to time for security checks. I am testing iOS & Android native apps and a Windows application. With the Fiddler tool I cover many issues (API, HTTP(S), web session) with the application.

    @Afreen @Alt @Andy @Rona >> Can you all list the tools you use for mobile security?

    Please list the tools in sequence with respect to:
    1) Native Apps
    2) Web Apps
    3) Hybrid Apps
