Mobile (Android/iOS) Security
Why Mobile Security Matters
Essential for personal and business data protection.
6.8 billion smartphone users globally—prime targets for cybercrime.
Increased reliance on mobile devices for banking, shopping, and communication.
Rapid rise of mobile-based cyberattacks like phishing and ransomware.
Sensitive data such as medical records and financial info stored on devices.
Growing use of mobile devices for corporate access, making business networks vulnerable.
Key Threats to Mobile Devices
Malware:
Steals data, tracks activity, or takes control.
Data Leaks:
Exposes sensitive information through weak security.
Unauthorized Access:
Identity theft and fraud from weak authentication.
App Vulnerabilities:
Poor coding leads to security gaps.
Importance of Testing Android & iOS
Different vulnerabilities: Unique security challenges on each platform.
Android: More third-party apps, increased malware risk.
iOS: Less vulnerable but targeted by zero-day exploits.
Ensures comprehensive security for diverse user bases.
Android OS
Mobile operating system based on a modified version of the Linux kernel.
Open and free under the Apache License.
Developers have access to the source code.
Vendors can add proprietary extensions.
The same program can run on different devices running Android.
No fixed hardware and software, as manufacturers can customize freely.
Storage – uses SQLite for databases.
Connectivity – a rich collection of APIs for connecting with other devices via Bluetooth, Wi-Fi P2P, etc.
Android Devices
Smartphones
Tablets
E-reader devices
Notebooks
MP4 Players
Android TV
Android Architecture
Linux Kernel
Hardware Abstraction Layer (HAL)
Native Libraries (C/C++)
Android Runtime (ART)
Application Framework
Applications Layer
Android Vulnerabilities
Improper Platform Usage
Insecure Data Storage
Insecure Communication
Code Tampering
Poor Authentication
Reverse Engineering
Security Misconfiguration
Untrusted Inputs
Insufficient Cryptography
Android Application Penetration Testing - Basic
Essential Tools:
Burp Suite
APKTool
MobSF (Mobile Security Framework)
Frida
Setting Up the Testing Environment:
Android Studio (IDE) or MEmu (emulator): environment for building, running and testing apps.
ADB (Android Debug Bridge): command-line tool to interact with Android devices for testing and debugging.
Android Application Penetration Testing - Basic
Static Analysis of APK Files:
APKTool: Decompiles APKs to examine app structure and resources.
JADX: Decompiles and converts DEX files into readable Java code for analysis.
Dynamic Analysis Tools:
Frida: Instrument apps at runtime to analyze and manipulate their behavior.
Drozer: Framework for testing the security of Android apps, focusing on components and permissions.
Testing Insecure Data Storage and Application Components:
Identify and exploit vulnerabilities in data storage methods (e.g., shared preferences, SQLite).
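What the static-analysis step looks for once APKTool has written out AndroidManifest.xml (exported components with no permission, debuggable builds, backup and cleartext settings), as an added Python example that is not part of the deck; the manifest it audits is constructed for illustration and the severity labels are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
GUARD_ATTRS = ("permission", "readPermission", "writePermission")

def attr(elem, name, default=None):
    """Read an android:-namespaced attribute the way ElementTree stores it."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)

def is_exported(comp):
    """Platform default: explicit android:exported wins, else an <intent-filter> means exported."""
    explicit = attr(comp, "exported")
    return explicit == "true" if explicit is not None else comp.find("intent-filter") is not None

def is_launcher(comp):
    """The MAIN activity must be exported, so it is not reported."""
    return any(attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))

def audit_manifest(xml_text):
    """Return (severity, message) findings for a decompiled AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("HIGH", "android:debuggable is true"))
    if attr(app, "allowBackup", "true") == "true":  # the platform default is true
        findings.append(("MEDIUM", "android:allowBackup not set to false"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("MEDIUM", "android:usesCleartextTraffic is true"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp) or is_launcher(comp):
            continue
        if not any(attr(comp, g) for g in GUARD_ATTRS):
            findings.append(("HIGH", "exported %s %s has no permission" % (comp.tag, attr(comp, "name"))))
    return findings

# Constructed sample manifest (not a real app) exercising each check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <provider android:name=".NotesProvider" android:exported="true" android:authorities="com.example.demo.notes"/>
  </application>
</manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports the debuggable flag, the missing allowBackup="false", cleartext traffic, and the two unguarded exported components, while the launcher activity and the permission-protected service produce no finding.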
Android Application Penetration Testing - Advanced
Testing for Insecure Communication:
Intercept and analyze traffic between the app and server.
Identify unencrypted data transmission vulnerabilities.
Exploiting Android App Permissions and System Services:
Test for over-permissive app permissions that expose sensitive data.
Exploit system services to gain unauthorized access.
Reversing Android Applications:
Analyze app behavior by decompiling DEX files into Smali code.
Modify app logic to test for security flaws.
Android Application Penetration Testing - Advanced
Exploiting Rooted Android Devices:
Identify and exploit vulnerabilities in rooted devices.
Assess the security implications of root access on app behavior.
Advanced Dynamic Testing Using Frida:
Use Frida to hook into functions and modify app behavior on the fly.
Analyze and manipulate network requests, data storage, and authentication processes.
Hybrid App Exploitation
Hybrid apps are mobile applications developed using web technologies (HTML, CSS, JavaScript) and are often wrapped inside a native container, allowing them to run on multiple platforms (iOS, Android). Examples of frameworks for hybrid apps include Flutter, React Native, Ionic, and Cordova.
Exploiting hybrid apps involves identifying vulnerabilities that may arise from:
Web vulnerabilities: Since hybrid apps use web technologies, they may be vulnerable to traditional web application vulnerabilities like XSS, SQLi, and CSRF.
Insecure API communication: Hybrid apps rely heavily on back-end APIs to fetch and send data. Improper authentication, broken access controls, or lack of encryption can lead to sensitive data leaks.
Challenges in Exploiting Hybrid Apps:
SSL Pinning blocks traffic interception.
gRPC and HTTP/2 protocols complicate interception.
Encrypted traffic, particularly HTTPS, makes analyzing requests difficult.
Burp Suite is often unable to capture the traffic of apps built with Flutter. Even if we bypass the security using Frida, Burp Suite still doesn't work in this case.
Solution: Use HTTP Toolkit.
Automated Setup: Simplifies proxy configuration and certificate management.
Bypasses SSL Pinning: Handles pinning and encrypted traffic easily.
Supports Modern Protocols: Seamlessly intercepts HTTP/2, gRPC, and more.
iOS
Mobile Operating System based on Darwin (Unix-based).
Closed source and proprietary under Apple's license.
Developers must follow strict Apple guidelines and use Apple's tools (Xcode).
No external vendors can add proprietary extensions.
Apple tightly controls the hardware and software ecosystem.
Fixed hardware and software model.
Storage – uses Core Data and SQLite. iOS uses Core Data as its main framework for storing and managing data, with SQLite available as well.
Connectivity – seamless integration through APIs.
iOS Architecture
Core OS (Kernel Layer)
Core Services Layer
Media Layer
Cocoa Touch Layer
Applications Layer
Android vs iOS – Security Features
Open/Closed System
Android: Open-source, allows customizations, but increases exposure to security risks.
iOS: Closed-source, tightly controlled by Apple, offering more built-in security.
App Store Policies
Android: Google Play Protect scans apps, but third-party app stores can be used, increasing malware risk.
iOS: Strict app review process reduces the chances of malware entering the Apple App Store.
Permissions
Android: Permission-based access for apps to sensitive data (location, contacts, camera, etc.).
iOS: Apps run in a secure sandbox, limiting data access and interaction between apps.
Rooting/Jailbreaking
Android: Rooting gives users full control but increases vulnerabilities.
iOS: Jailbreaking voids many built-in security features and opens the system to vulnerabilities.
Security Updates
Android: Updates depend on the manufacturer, causing delays in receiving critical patches.
iOS: iOS devices receive updates simultaneously, ensuring timely security patches for all supported devices.
iOS Vulnerabilities
Insecure Data Storage
Improper Session Handling
Insecure Communication
Code Injection
Insecure API Usage
Jailbroken Devices
Weak Authentication
User Privacy Violations
Improper Error Handling
iOS Penetration Testing Tools and Setup
Essential Tools:
3uTools
Objection
Jailbroken iPhone
Frida
Setting up the Testing Environment:
Install Xcode
Install 3uTools
Install Frida
iOS Penetration Testing - Basic
Static Analysis of IPA Files:
Hopper: A disassembler used to analyze iOS binary files for vulnerabilities.
Examines app logic and security implementations.
Dynamic Analysis Using Tools:
Cycript: Used for real-time manipulation and inspection of running iOS applications.
Frida: Allows dynamic instrumentation to modify app behavior and analyze security.
Testing for Insecure Data Storage:
Identify sensitive data stored insecurely (e.g., plaintext in UserDefaults or unencrypted files).
Assess compliance with Apple's security guidelines.
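The insecure-data-storage checks on both platforms (Android shared preferences on the Basic Android slide, UserDefaults here) come down to the same test: pull the file off the device and look for credentials kept as plaintext. As an added Python example that is not part of the deck, this script applies that test to a shared_prefs XML file and to a UserDefaults plist; both inputs are constructed, and the key-name patterns are this example's own heuristic.

```python
import plistlib
import re
import xml.etree.ElementTree as ET

# Key names that usually carry credentials or session material (example heuristic).
SENSITIVE_KEY = re.compile(r"passw|token|secret|api.?key|session|auth|cred", re.I)
# Compact JWS/JWT: two long base64url segments, a dot, then the signature.
JWT_VALUE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$")

def classify(key, value):
    """Reason string if (key, value) looks like a plaintext secret, else None."""
    if not isinstance(value, str) or not value:
        return None
    if JWT_VALUE.match(value):
        return "JWT stored in plaintext"
    if SENSITIVE_KEY.search(key):
        return "sensitive key name with plaintext value"
    return None

def report(source, entries):
    """Findings as (source, key, reason, value_length); the value itself is never echoed."""
    return [(source, key, reason, len(value)) for key, value in entries.items()
            if (reason := classify(key, value)) is not None]

def scan_shared_prefs(xml_text):
    """Android shared_prefs/*.xml: a <map> of typed children carrying a name attribute."""
    entries = {e.get("name"): e.text if e.tag == "string" else e.get("value")
               for e in ET.fromstring(xml_text)}
    return report("shared_prefs", entries)

def scan_user_defaults(plist_bytes):
    """iOS UserDefaults plist (XML or binary); top-level string values are checked."""
    return report("UserDefaults", plistlib.loads(plist_bytes))

# Constructed samples (not pulled from a real device).
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig</string>
    <string name="password">hunter2</string>
    <boolean name="onboarded" value="true" />
</map>"""
SAMPLE_USER_DEFAULTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>apiKey</key><string>sk_live_CONSTRUCTED</string>
    <key>lastScreen</key><string>home</string>
</dict>
</plist>"""
```

On the samples, `scan_shared_prefs` flags auth_token (a JWT) and password, and `scan_user_defaults` flags apiKey; username, onboarded and lastScreen pass.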
iOS Penetration Testing - Advanced
Reverse Engineering iOS Apps and Binary Analysis:
Use disassemblers like Hopper or IDA Pro to analyze app binaries.
Identify vulnerabilities in the app logic and find hardcoded secrets.
Testing for Insecure Communication:
Test if the app implements certificate pinning to prevent Man-in-the-Middle (MitM) attacks.
Use tools like Frida or Charles Proxy to intercept and modify traffic, bypassing pinning checks.
Runtime Manipulation Using Frida and Objection:
Inject scripts into running applications to alter their behavior dynamically.
Analyze function calls, modify parameters, and access sensitive data in real time.
iOS Penetration Testing - Advanced
iCloud Exploits:
Identify vulnerabilities in iCloud authentication and data syncing.
Test for insecure access to user data stored in iCloud.
Keychain Vulnerabilities:
Analyze keychain storage for weaknesses, such as unprotected data.
Check for improper access controls allowing unauthorized access to sensitive keys.
Sandboxing Weaknesses:
Test for vulnerabilities that may allow apps to escape their sandbox environment.
Assess how well the app isolates its data and processes from other apps.
MITRE ATT&CK – A Reference for Mobile Security
MITRE Matrix – For Android & iOS
Tactics
Techniques
Mitigations
APT Groups
Pegasus Spyware – Case Study
Mobile Device Management (MDM)
Mobile Hacking via Bluetooth
Bluejacking: Sending unsolicited messages to Bluetooth-enabled devices.
Bluesnarfing: More damaging than bluejacking. With bluesnarfing, thieves wirelessly connect to some early Bluetooth-enabled mobile devices without the owner's knowledge to download and/or alter phonebooks, calendars or worse.
Bluebugging: Bluebugging goes beyond bluejacking or bluesnarfing, allowing thieves to take full control of a device. A crafty bluebugger can wirelessly direct a mobile phone to make calls without the owner's knowledge. Similarly, a bluebugger can set call forwarding and receive calls intended for the unsuspecting victim.
Thank You!