What is a Penetration Test?
A penetration test, or pentest, is a software attack on a computer system that looks for
security weaknesses, potentially gaining access to the computer's features and data. Many types of
penetration testing exist: mobile application penetration testing, operating system penetration testing,
and web application penetration testing. In this blog we will discuss mobile penetration
testing; in the next blog we will discuss further penetration testing techniques. Mobile applications
have many vulnerabilities, such as the following:
1. Activity monitoring and data retrieval
Activity monitoring and data retrieval are the core functionality of any spyware. Data can be intercepted
in real time as it is being generated on the device. Examples would be forwarding each email sent on the
device to a hidden third-party address, letting an attacker listen in on phone calls, or simply turning on
the microphone for recording. Stored data such as a contact list or saved email messages can also be retrieved.
The following are examples of mobile data that attackers can monitor and intercept:
- Messaging (SMS and Email)
- Audio (calls and open microphone recording)
- Video (still and full-motion)
- Contact list
- Call history
- Browsing history
- Data files
2. Unauthorized dialing, SMS, and payments
Criminals seeking to monetize weaknesses in human nature and the mobile app distribution model can
turn to premium-rate phone calls and premium-rate SMS messages. By including premium dialing
functionality in a Trojan app, the attacker can run up the victim's phone bill and have the mobile carriers
collect and distribute the money to them. Mobile devices can also be used to purchase items, real
and virtual, and have the cost billed to the customer's mobile bill.
Another use of unauthorized SMS text messages is as a spreading vector for worms. Once a device is
infected, a worm can send SMS text messages to all contacts in the address book with a link that tricks the
recipient into downloading and installing the worm.
3. Unauthorized network connectivity (exfiltration or command & control)
Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker.
Since mobile devices are designed for communication, there are many potential vectors that a malicious
app can use to send data to the attacker. A full-function malicious program will often allow the attacker
to direct commands to the spyware to, for instance, turn on the microphone or grab a data file at a
The following are examples of communication channels attackers can use for exfiltration and command and control:
- HTTP GET/POST
- TCP socket
- UDP socket
- DNS exfiltration
- Blackberry Messenger
4. UI impersonation
Phishing attacks on PCs work by tricking the user into clicking a link in their browser which brings them to
a bogus website impersonating the UI of their bank or online service. The UI asks the user to enter
their credentials. The attacker collects the credentials and uses them to impersonate the victim. On the
mobile device there are new opportunities for attackers to perform UI impersonation. This can take the
form of a web view application which presents a native mobile UI as a proxy to a web app. With
this attack, the user thinks they are downloading a legitimate app, such as a banking app, but instead
they are getting an imposter that proxies information to the bank's genuine website. When the user
authenticates, they end up sending their credentials to the attacker.
Another impersonation vector is a malicious app popping up a UI that impersonates the phone's
native UI or the UI of a legitimate application. The victim is asked to authenticate and ends up sending
their credentials to an attacker.
5. System modification (rootkit, APN, proxy config)
Malicious applications will often attempt to modify the system configuration to hide their presence. This
is often called rootkit behavior. Configuration changes also make certain attacks possible. An example is
modifying the device proxy configuration or APN (Access Point Name).
6. Logic or Time bomb
Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific
event, device usage or time.
7. Sensitive data leakage
Sensitive data leakage can be either inadvertent or via a side channel. A legitimate app's use of device
information and authentication credentials can be poorly implemented, thereby exposing this sensitive
data to third parties:
- Owner ID info: name, number, device ID
- Authentication credentials
- Authorization tokens
8. Unsafe sensitive data storage
Mobile apps often store sensitive data such as banking and payment system PINs, credit card
numbers, or online service passwords. Sensitive data should always be stored encrypted so that
attackers cannot simply retrieve it from the file system. Storing sensitive data without encryption
on removable media such as a micro SD card is especially risky.
9. Unsafe sensitive data transmission
It is important that sensitive data is encrypted in transmission lest it be eavesdropped on by attackers.
Mobile devices are especially susceptible because they use wireless communications exclusively, often
over public WiFi, which is known to be insecure. SSL is one of the best ways to secure sensitive data in
transit. Even if the app implements SSL, it can still fall victim to a downgrade attack if it allows HTTPS
to be degraded to HTTP. Another way SSL can be compromised is if the app does not fail on invalid
certificates, which would enable a man-in-the-middle attack.
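The two client-side mistakes above (accepting invalid certificates and allowing HTTPS to drop to HTTP), with the weak configuration beside the hardened one. This is an added example written for this post, not code from the original, and it uses only the Python standard library; the bank.example URLs are constructed.

```python
import ssl
from urllib.parse import urlsplit

# Weak setting: the client accepts any certificate, so anyone who can sit on
# the path (e.g. on public WiFi) can present their own cert and read the traffic.
# Shown only to make the bug from the text concrete.
def weak_tls_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # "does not fail on invalid certificates"
    return ctx

# Hardened setting: validate the chain against the system CA store, check the
# hostname, and refuse protocol versions older than TLS 1.2.
def hardened_tls_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fails_on_invalid_cert(ctx: ssl.SSLContext) -> bool:
    """Self-check for a context: does it actually reject bad certificates?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def is_downgrade(original_url: str, next_url: str) -> bool:
    """True if following next_url would move an HTTPS session to plain HTTP
    (a redirect, or a link the app is about to open)."""
    return (urlsplit(original_url).scheme == "https"
            and urlsplit(next_url).scheme != "https")

def safe_to_follow(original_url: str, next_url: str) -> bool:
    """Policy an app should apply before following a redirect: never leave HTTPS,
    and never switch to a host other than the one the user authenticated to."""
    if is_downgrade(original_url, next_url):
        return False
    return urlsplit(next_url).hostname == urlsplit(original_url).hostname

if __name__ == "__main__":
    print("weak rejects bad certs:", fails_on_invalid_cert(weak_tls_context()))
    print("hardened rejects bad certs:", fails_on_invalid_cert(hardened_tls_context()))
    print("downgrade:", is_downgrade("https://bank.example/login", "http://bank.example/login"))
```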
10. Hardcoded password/keys
Hardcoded passwords or keys are sometimes used as a shortcut by developers to make the
application easier to implement, support, or debug. Once such a hardcoded password is discovered
through reverse engineering, it renders the security of the application, and of any systems it
authenticates to with that password, ineffective.
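A pre-release check for the shortcut described above: a small scanner that flags credential-looking literals in app source while skipping values read from the environment or a keystore. This is an added example written for this post, not code from the original; the patterns and the sample source lines are constructed and should be tuned to the app's own code base.

```python
import re

# Literal shapes worth flagging in a code review or build step (constructed list).
SECRET_PATTERNS = {
    "password literal": re.compile(
        r"""(?i)\b(password|passwd|pwd|secret)\s*[:=]\s*["'][^"']{4,}["']"""),
    "api key literal": re.compile(
        r"""(?i)\b(api[_-]?key|auth[_-]?token)\s*[:=]\s*["'][^"']{8,}["']"""),
    "hex key literal": re.compile(
        r"""(?i)\b\w*(key|iv)\s*[:=]\s*["'][0-9a-f]{32,}["']"""),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Lines that fetch the value at runtime instead of embedding it are not findings.
RUNTIME_SOURCE = re.compile(r"(?i)getenv|keystore|getString\(R\.")

def scan_source(text: str):
    """Return (line_no, finding, line) for every line that looks like it embeds a
    credential. One finding per line; the first matching pattern wins."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if RUNTIME_SOURCE.search(line):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((no, name, line.strip()))
                break
    return findings

# Constructed sample mixing a safe pattern with the hardcoded shortcuts; not
# taken from any real application. Line 1 is the blank line after the quote.
SAMPLE = '''
String apiKey = getenv("BANK_API_KEY");          // fine: not in the binary
String password = "Summ3rTime!";                  // hardcoded credential
private static final String AES_KEY = "0123456789abcdef0123456789abcdef";
-----BEGIN RSA PRIVATE KEY-----
String label = "password";                        // a UI label, not a secret
'''

if __name__ == "__main__":
    for no, name, line in scan_source(SAMPLE):
        print(f"line {no}: {name}: {line}")
```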