THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Mobile Vulnerabilities Worth Millions: Pen Tester’s Guide for Mobile Security Testing

When I talk about pen testing for mobile, the first question people ask me is which vulnerabilities do I go after? When it’s a mobile target, there are lots of restrictions. For instance, many enterprises clearly mention that issues found on “rooted / jailbroken” devices won’t be accepted. However, other companies specifically require testing of rooted or jailbroken devices for complete coverage.

However, when performing a mobile app pen test that requires testing of rooted or jailbroken devices for complete coverage, I often get the same question. So to answer the question of which vulnerabilities should I submit in order to get accepted and get paid I’ve created this blog to offer my advice.

For this blog I want to share two real-life examples from my experience of pen testing 100+ mobile applications. Sharing the vulnerabilities that were accepted and provide insights on how I found them.

App #1: iOS Application Pen Test

Here are the steps that I took to test an an iOS app:

  1. I decrypted the application using Clutch

  2. Then dumped the classes (using class-dump) and started looking at the code. I found couple of references for AWS

  3. The next step I performed was loading binary into Hopper disassembler and started taking a look at the application workflows. If you’ve never used disassembler for iOS binary, **Hopper** is awesome — and my favorite — for macOS and Linux Disassembler. I found that there were AWS calls made by mobile app and found something “arn:aws”

  4. I started dumping all keywords using “strings” command and greping it with AWS/keys. Finally I found hardcoded access key and a secret key!

  5. Next, I checked what was permission for those keys. I used AWS CLI and was able to list ‘ALL’ IAM users of that enterprise. Now the keys I got had lot more permissions.

  6. Did I mention that I was able to launch EC2 as well? ;)

  7. For Proof of concept, I launched t2 free tier ec2 instance. Now I had enough proofs to submit my bug! yay!

  8. Finally I prepared a write up and submitted this vulnerability which was fixed on high priority. Can you imagine getting those AWS secret keys in wrong hands and launching hundreds of EC2 large instances over few mins? Or something worse?

App #2: iOS Application Pen Test

On another pen test, I observed that after the application was installed on the device, it also used to create database having QA account credentials. Now it’s common practice to check the local storage of the application. If I had just gone ahead and reported that the app is storing sensitive info locally, it would be ‘low’ severity / or got rejected because exploitation will require prerequisites like rooted device. So I began to explore further.

I stayed motivated and started looking for a few more things. I found references to a few other endpoints which were not listed on program. I checked further and observed that I can use QA account credentials (found during storage analysis) for new endpoints (not listed one!) and was able to fetch their all upcoming features of app for next couple of quarters.

I prepared writeup and submitted bug with all evidence. Can you imagine accessing those all upcoming features by competitors?

Similar to this, I’ve several cases where companies said ‘wow’ or got surprised. Well this is my first blog and I don’t want to make it very lengthy, so stay tuned for upcoming blogs.

Want to dive deep in iOS app pen testing? Check out this free and open source project at — http://igoatapp.com/. Explore more on this topic with an overview of the OWASP Mobile Top 10 2024

Back to Blog
About Cobalt
Cobalt combines talent and technology to provide end-to-end offensive security solutions that enable organizations to remediate risk across a dynamically changing attack surface. As the innovators of Pentest as a Service (PtaaS), Cobalt empowers businesses to optimize their existing resources, access an on-demand community of trusted security experts, expedite remediation cycles, and share real-time updates and progress with internal teams to mitigate future risk. More By Cobalt
iOS App Pentesting and Security with Real-World Case Studies Part 2
In part 2 of our IOS pentesting series, we will explore two additional case studies. One of them is about a ride-sharing app, and the other is about an E-commerce app. These case studies highlight the risks associated with insecure practices in iOS app development, such as hardcoding credentials and the exploitation of third-party libraries, emphasizing the importance of secure coding, data storage, and access control measures.
Blog
Jun 26, 2023
Learning iOS App Pentesting and Security Part 1
This blog is a three-part series focused on iOS app penetration testing. Swaroop Yermalkar, who is a Core Penetration Tester, shares their experiences and knowledge in various types of pentesting, including mobile app security. The blog aims to provide a comprehensive guide to improving knowledge of iOS security and penetration testing methodologies through real-world case studies.
Blog
Jun 13, 2023