You are here
what is penetration testing ? Education General IT 

what is penetration testing ?

What is Penetration Test?

A penetration test, or sometimes pentest, is a software attack on a computer system that looks for

security weaknesses, potentially gaining access to the computer’s features and data. Many types of

penetration testing is exist mobile application penetration testing, operating system penetration testing,

and web application penetration testing. In this blog we will discuss about the mobile penetration

testing. On next blog we will discuss about further penetration testing techniques. Mobile applications

are have so many vulnerability like


1. Activity monitoring and data retrieval

Activity monitoring and data retrieval are the core functionality of any spyware. Data can be intercepted

real time as it is being generated on the device. Examples would be sending each email sent on the

device to a hidden 3rd party address, letting an attacker listen in on phone calls or simply open

microphone recording. Stored data such as a contact list or saved email messages can also be retrieved.

The following are examples of mobile data that attackers can monitor and intercept:

  • Messaging (SMS and Email)
  • Audio (calls and open microphone recording)
  • Video (still and full-motion)
  • Location
  • Contact list
  • Call history
  • Browsing history
  • Input
  • Data files

2. Unauthorized dialing, SMS, and payments

Criminals seeking to monetize weaknesses in human nature and the mobile app distribution model can

turn to premium rate phone calls and premium rate SMS messages. By including premium dialing

functionality into a Trojan app the attacker can run up the victim’s phone bill and get the mobile carriers

to collect and distribute the money to them. Mobile devices can also be used to purchase items, real

and virtual, and have the cost billed on the customers mobile bill.

Another use of unauthorized SMS text message is as a spreading vector for worms. Once a device is

infected a worm can send SMS text messages to all contacts in the address book with a link to trick the

recipient into downloading and install the worm.

3. Unauthorized network connectivity (exfiltration or command & control)

Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker.

Since mobile devices are designed for communication there are many potential vectors that a malicious

app can use to send data to the attacker. A full function malicious program will often allow the attacker

to direct commands to the spyware to for instance turn on the microphone or grab a data file at a

particular time.

The following are examples of communication channels attackers can use for exfiltration and command

and control:

  • Email
  • SMS
  • TCP socket
  • UDP socket
  • DNS exfiltration
  • Bluetooth
  • Blackberry Messenger

4. UI impersonation

Phishing attacks on PCs work by tricking the user to click on a link in their browser which brings them to

a bogus website impersonating the UI of their bank or online service. The UI asks the user to enter in

their credentials. The attacker collects the credentials and uses them to impersonate the victim. On the

mobile device there are new opportunities for attackers to perform UI impersonation. This can take the

form of a web view application which presents a native mobile UI as a proxy to a native web app. With

this attack, the user thinks they are downloading a legitimate app, such as a banking app, but instead

they are getting an imposter that proxies information to the bank’s genuine website. When the user

authenticates they end up sending their credentials to the attacker.

Another vector to impersonation is a malicious app popping up UI that impersonates that of the phone’s

native UI or the UI of a legitimate application. The victim is asked to authenticate and ends up sending

their credentials to an attacker.

5. System modification (rootkit, APN, proxy config)

Malicious applications will often attempt to modify the system configuration to hide their presence. This

is often called rootkit behavior. Configuration changes also make certain attacks possible. An example is

modifying the device proxy configuration or APN (Access Point Name).

6. Logic or Time bomb

Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific

event, device usage or time.

7. Sensitive data leakage

Sensitive data leakage can be either inadvertent or side channel. A legitimate apps usage of device

information and authentication credentials can be poorly implemented thereby exposing this sensitive

data to 3rd parties.

  • Location
  • Owner ID info: name, number, device ID
  • Authentication credentials
  • Authorization tokens

8. Unsafe sensitive data storage

Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card

numbers, or online service passwords. Sensitive data should always be stored encrypted so that

attackers cannot simply retrieve this data off of the file system. It should be noted that storing sensitive

data without encryption on removable media such as a micro SD card is especially risky.

9. Unsafe sensitive data transmission

It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers.

Mobile devices are especially susceptible because they use wireless communications exclusively and

often public WiFi, which is known to be insecure. SSL is one of the best ways to secure sensitive data in

transit. If the app implements SSL it could still fall victim to a downgrade attack if it allows degrading

HTTPS to HTTP. Another way SSL could be compromised is if the app does not fail on invalid certificates.

This would enable that a man-in-the-middle attack.

10. Hardcoded password/keys

The use of hardcoded passwords or keys is sometimes used as a shortcut by developers to make the

application easier to implement, support, or debug. Once this hardcoded password is discovered

through reverse engineering it renders the security of the application or the systems it authenticates to

with this password ineffective.