1. Introduction & Mobile Pentesting

Intro

The Penetration Testing Process

Reconnaissance Active/Passive
Scanning/Enumeration
Exploitation
Privilege Escalation / Maintaining Access / Lateral, Vertical movement
Covering the tracks
Reporting

The Mobile Application Penetration Testing Process

Reconnaissance
Static Analysis
Dynamic Analysis
Reporting

Mobile Penetration Testing

Reconnaissance

Info about the company Mobile Apps, releases, reports, code

Static Analysis

Read app's code manually and via automated tools. Look for:

security misconfigurations
hardcoded strings
user's information, email, username, passwords
URL - recon, enumerate, new exploitation path via API gateways
Cloud resources and storage buckets
Local Storage locations
etc

Dynamic Analysis

Run the application and manipulate it by:

intercepting traffic with proxies
dump (RAM) memory and check for stored secrets
break SSL Pinning
check for runtime created files on local storage

Reporting

Executive summary and detailed technical analysis of specific vulnerabilities, including criticality assessment, scoring, steps for reproduction, and mentions of positive security implementations.

PreviousTCM - Mobile Application Penetration Testing Next2. Android Security

Last updated 1 year ago

Was this helpful?