There are a number of excellent tools that exist when it comes to testing mobile web applications. Unfortunately many of them cost a significant amount of mulah. There are a few though that currently are free to use and we are going to take a deep dive into getting you your first Mobile Security Framework report from the Mobile Web App that you are testing today.
Before testing Mobile Web Applications please be sure that your organization has the required documentation and written consent from the organization in order for you to do so. Typically this will be included in a SOW (Statement of Work) and ROE (Rules of Engagement)
How to Extract an Android .apk with Genymotion:
**If you already have an .apk file scroll down to MobSF install **
First things first you will need and .ipa or .apk file. Basically for those of you who are new to Mobile Application testing these are just the files that store applications.
For the most part:
.ipa –> Apple iOS
.apk –> Android/Play Store
When testing iOS devices and extracting the application .ipa file it is required that you jailbreak a device in order to get the version of the application that has been installed onto your ipad/iphone that you are trying to test, I will update this article for a link once a newer jailbreak is released and I have a few minutes to demonstrate that process.
For today we will do a quick run through of how to extract an android .apk and analyze it using the MobSF static analyzer.
First things first. Hop on your mobile device or Genymotion Android Device and download ES File Explorer and the application in which you will be testing from the Google Play Store.
This screenshot is taken off of Genymotion which is a virtual device emulator which acts very similarly to android devices. I highly recommend using this for android testing. There is a free version but it is a tad difficult to find on their website as they would prefer for you to buy their professional product. I believe their newest version comes with Google Playstore pre installed (co-worker informed me, I still use an older version) if not please go check out our friends at inthecheesefactory.com who have written an excellent tutorial on installing it with the necessary dependencies.
**Update on Genymotion 2.10.0+
Genymotion 2.10.0 just made it so much easier to have Google Play Services (GApps) on your Device. All you do is download Geny, Add a new virtual machine, and then in the top right hand corner you will see a GApps icon.
Click the Icon, accept the agreement, and install. Once the install is complete, power down the device, exit out of it and then start it all the way back up and Pachow, the Play store will be sitting right there ready to use.
Now it has come to my attention that at times some applications do not appear to function correctly on the Android Emulators (will not download from play store due to compatibility issues). This is where application side loading comes into play. What side loading means is that you will go to a site like apkmirror.com (They are run by Android Police, and are my go to trusted source for .apk files) and get your application. The cool part is that you will be able to Drag-and-Drop this .apk file into Genymotion AFTER you Download and Drag-and-Drop the correct ARM-Translation Package.
Then click and Drag your .APK package into your Genymotion Device, Restart it manually or by typing adb reboot (to learn how to install ADB, see our Drozer Setup Tutorial.)
Alright, back to business. Once you pull up ES explorer as shown above, click on APPs find the application you want the .apk file for, press and hold the application and click back-up.
As you can see right above us ^^^ the backed up application was saved at /sdcard/backups/apps/ as we traverse ES explorer to that location we can see that we have successfully created an .apk file for the desired application.
Throw this file into your Google Drive/Dropbox account and then download it in your Kali Box for further analysis.
MobSF Install and Use:
Now that we have the .APK and have it in our Kali box, lets get our Mobile Security Framework up and running.
I would be doing you a disservice if I tried to go step by step on the setup and did not tell you that MobSF and
Feel free to visit their page or continue on and follow the next few steps.
**For Windows or Mac please see MobSF documentation at this link **
The reason I use Kali in a Virtual Environment is so I can suspend it, have a dedicated MobSF VM, and it saves my MobSF reports in the ‘recent MobSF reports’ so I can actively switch back and forth to it and analyze source code.
For Kali Linux follow along here and run this syntax:
Pull up your terminal/command line in Kali Linux and run:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF
clone the file, then switch your directory as shown above.
sudo apt install build-essential libssl-dev libffi-dev python-dev pip install -r requirements.txt --user
Then install these libraries which are essential to getting up and running, along with installing the requirements and dependencies.
Now in every pentest I have been apart of, there is always a pentester who claims to have done the work but has NO report to back it up…..Don’t be that GUY/GAL!
Run this command
apt-get install wkhtmltopdf
This will give you the option at the end of uploading your .APK file to download the pdf and have a report to show that the analysis has at least been run, an artifact exists, and that it can be referenced back to.
After this, we are ready to start the MobSF Server.
In your terminal run
python manage.py runserver
Now you have your server running, but wait there is nowhere to insert my APK file!?
Thats because MobSF is AWESOME!
Pull up your browser and go to http://localhost:8000/
You will now see the Web Interface that is click and drag ready for that .APK file that you have already downloaded from your Google Drive/Dropbox Account
Throw it in, and you will see the server in the background have fun analyzing this .APK while you sit back and relax.
The fun is about to begin!
All wrapped up now be sure you are aware of the OWASP Mobile Security Checklist this is essential to making sure you cover your bases as a pentester. You are not required to know everything, but you are required to have to know how and where to find EVERYTHING.
So hop to it, get analyzing you have your report, at the bottom left side you can see download report, but please use the web interface, it allows you to download the Java code for the application and really get your hands dirty.
Here is the certificate for the Application which you are able to make sure it is up to industry standards.
Also make sure the permissions for your application Make Sense! Go through these while testing the functionality of the application and make sure that the user is asked for the appropriate permissions and they are not assumed (many a lawsuit has happened by the creator of mobile applications assuming that data can be taken and/or shared).
As you can see in the Manifest Analysis MOBSF rates many items as high severity. There is a fine line between Customer Experience and Security which is why you see what you see, read the description and use your God given critical thinking skills to analyze them, do not just throw this report at your Project Manager or client and say fix these things! If you find something out of the ordinary, or seriously think you have a few items that may lead to vulnerabilities, do some research, or crazier yet ASK someone!
Have fun, learn lots.
~Cyber Incision out