Mobile Application Security Testing

Overview

Testing Scope

1. Application Security

• Code Obfuscation
• Decompilation Protection
• Debugging Protection
• Certificate Pinning

2. Data Security

• Data Encryption
• Key Management
• Sensitive Data Storage
• Data Transmission

3. Authentication & Authorization

• Authentication Mechanisms
• Token Management
• Biometric Authentication
• Session Management

4. Communication Security

• TLS/SSL Configuration
• Certificate Validation
• API Security
• Man-in-the-Middle Attack Protection

Android Security Testing

Static Analysis

# 反编译APK
apktool d app.apk

# 查看AndroidManifest.xml
cat app/AndroidManifest.xml

# 查看Smali代码
find app/smali -name "*.smali"

# 反编译APK
jadx -d output app.apk

# 查看Java源码
find output -name "*.java"

# 启动MobSF
docker run -it -p 8000:8000 opensecurity/mobsf

# 上传APK进行分析
# 访问 http://localhost:8000

Dynamic Analysis

// Hook函数
Java.perform(function() {
    var MainActivity = Java.use("com.example.MainActivity");
    MainActivity.onCreate.implementation = function(savedInstanceState) {
        console.log("[*] onCreate called");
        this.onCreate(savedInstanceState);
    };
});

# 启动Objection
objection -g com.example.app explore

# Hook函数
android hooking watch class_method com.example.MainActivity.onCreate

# 配置代理
# Android设置代理指向Burp Suite
# 安装Burp证书

Common Vulnerabilities

// 不安全的代码
String apiKey = "1234567890abcdef";
String password = "admin123";

// SharedPreferences存储敏感数据
SharedPreferences prefs = getSharedPreferences("data", MODE_WORLD_READABLE);
prefs.edit().putString("password", password).apply();

// 不验证证书
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() { return null; }
        public void checkClientTrusted(X509Certificate[] certs, String authType) { }
        public void checkServerTrusted(X509Certificate[] certs, String authType) { }
    }
};

iOS Security Testing

Static Analysis

# 导出头文件
class-dump app.ipa

# 查看头文件
find app -name "*.h"

# 使用Hopper反汇编
# 打开app二进制文件
# 分析汇编代码

# 查看Mach-O信息
otool -L app

# 查看字符串
strings app | grep -i "password\|key\|secret"

Dynamic Analysis

// Hook Objective-C方法
var className = ObjC.classes.ViewController;
var method = className['- login:password:'];
Interceptor.attach(method.implementation, {
    onEnter: function(args) {
        console.log("[*] Login called");
        console.log("Username: " + ObjC.Object(args[2]).toString());
        console.log("Password: " + ObjC.Object(args[3]).toString());
    }
});

# 附加到进程
cycript -p app

# 执行命令
[UIApplication sharedApplication]

Common Vulnerabilities

// 不安全的代码
NSString *apiKey = @"1234567890abcdef";
NSString *password = @"admin123";

// Keychain存储不当
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
[defaults setObject:password forKey:@"password"];

// 不验证证书
- (void)connection:(NSURLConnection *)connection 
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] 
          forAuthenticationChallenge:challenge];
}

Tool Usage

MobSF

# 启动MobSF
docker run -it -p 8000:8000 opensecurity/mobsf

# 上传应用进行分析
# 支持Android和iOS

Frida

# 安装Frida
pip install frida-tools

# 运行脚本
frida -U -f com.example.app -l script.js

Objection

# 安装Objection
pip install objection

# 启动Objection
objection -g com.example.app explore

Burp Suite

1. Configure Burp Suite listener
2. Set up proxy on mobile device
3. Install Burp certificate
4. Intercept and analyze traffic

Testing Checklist

Application Security

• Code Obfuscation Check
• Decompilation Protection
• Debugging Protection
• Certificate Pinning

Data Security

• Data Encryption Check
• Key Management
• Sensitive Data Storage
• Data Transmission Security

Authentication & Authorization

• Authentication Mechanism Testing
• Token Management
• Session Management
• Biometric Authentication

Communication Security

• TLS/SSL Configuration
• Certificate Validation
• API Security Testing
• Man-in-the-Middle Attack Protection

Common Security Issues

1. Hardcoded Keys

• Hardcoded API keys
• Hardcoded passwords
• Hardcoded encryption keys

• Use key management services
• Use environment variables
• Use secure storage

2. Insecure Storage

• Storing sensitive data in plaintext
• Using insecure storage methods
• Unencrypted data

• Use encrypted storage
• Use Keychain/Keystore
• Implement data encryption

3. Certificate Validation Bypass

• No SSL certificate validation
• Accepting self-signed certificates
• No certificate pinning implemented

• Implement certificate pinning
• Validate certificate chain
• Use system certificate store

4. Debug Information Leakage

• Logs contain sensitive information
• Error information leakage
• Debug mode not disabled

• Remove debugging code
• Restrict log output
• Disable debug mode in production

Best Practices

1. Code Security

• Implement code obfuscation
• Disable debugging features
• Implement anti-debugging protection
• Use certificate pinning

2. Data Security

• Encrypt sensitive data
• Use secure storage
• Implement key management
• Restrict data access

3. Communication Security

• Use TLS/SSL
• Implement certificate pinning
• Validate server certificates
• Use secure APIs

4. Authentication Security

• Implement strong authentication
• Secure token management
• Implement session management
• Use biometric authentication

Notes

• Only conduct testing in authorized environments
• Comply with laws and regulations
• Note differences between platforms
• Protect user privacy