Effective penetration testing depends on tools: they let a tester analyse a system or application efficiently, identify problems and collect data quickly. In this article, we explore tools that should be used in every penetration test of Android and iOS apps. The article covers what each tool is used for, how to configure it, and its applicable use cases. All the tools demonstrated here can also perform multiple functions depending on the requirements, such as information gathering, fuzzing, forensics, code analysis, reverse engineering and other miscellaneous test cases.
Penetration Testing Tools for Android
APKAnalyser
APKAnalyser is a Java-based GUI application that can perform static and virtual analysis. During static code analysis it provides the following detailed information:
- API references
- Application architecture and dependencies
- Disassembled bytecodes
- The ability to rebuild, install, and run the app
- Adb logcat to verify the results
The drozer tool
The drozer tool is one of the finest dynamic analysis tools; it allows us to discover security vulnerabilities in the app and in the device. Its unique feature is that it communicates with the Dalvik VM, the IPC mechanisms and the operating system.
This tool is often termed the Android vulnerability scanner. It comes in two versions, as follows:
- Community edition: Open source software maintained by MWR InfoSecurity and released under the BSD license.
- Professional edition: This version of drozer has many features that make Android app security testing easy for developers. It adds graphical components and a reporting feature.
drozer works as a traditional distributed system with three components:
- The Agent APK: A simple APK file that is installed on the device or emulator used for testing.
- The drozer console: A command-line interface that allows us to interact with the emulator or the device through the agent.
- The drozer server: The server uses the drozer protocol for communication. It provides the bridge between the agents and the console and routes sessions between them.
APKTool
APKTool is a Java-based application predominantly used by security testers during Android app security assessments. It can decode an APK file into nearly its original source form, allows us to modify that code and rebuild it, and can also be used to make any Android app debuggable. Its important features are:
- Converting the .apk file into .smali files and debugging smali code step by step
- Structured data
- Disassembling resources to their nearly original form (including resources.arsc, classes.dex, and XMLs)
- Rebuilding decoded resources back to a binary APK/JAR
- Smali debugging
- Automating repetitive tasks such as building, rebuilding and reinstalling apps
JD-GUI
JD-GUI displays the Java source code of .class files and lets us browse the reconstructed code for instant access to all the methods and fields in a JAR file. It is a standalone application, which can be downloaded from http://jd.benow.ca/.
Androguard
Androguard is a suite of built-in tools that can perform various tasks; it is primarily used in the malware reverse engineering process. Androguard is considered one of the most efficient reverse engineering tools in the current state of Android app assessment.
Java Debugger (JDB)
Java Debugger (JDB) is a useful tool for detecting bugs in Java programs. Debugging is an important activity for manipulating a program to break its security trust, using breakpoints, stepping and exception handling. One powerful debugging technique is to use a debugger to manipulate variables at runtime. In this technique, testers (or attackers) look for a patch or hook point at which to attach to the application code; execution is then debugged at that particular piece of code, giving the ability to analyse different variables and classes, change their values and interact with the app state. Runtime analysis can also be done by making the app debuggable and then attaching JDB to it.
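As an added example (not from the article), a small Python check that a tester or developer can run over the AndroidManifest.xml decoded by APKTool to see whether an app ships with the android:debuggable flag that JDB attaches through; the function names and sample manifests are constructed, and the @bool reference lookup assumes the values from res/values/bools.xml have been passed in as a dict.

```python
"""Audit a decoded AndroidManifest.xml (as produced by `apktool d`) for the
android:debuggable flag. Added example, not from the article: function names
and sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"


def resolve_bool(value, bool_resources):
    """Turn a manifest attribute value into a bool.

    apktool usually writes literals ("true"/"false"), but the value may also
    be a reference such as "@bool/debug_enabled" that must be looked up in
    res/values/bools.xml (passed here as a name -> "true"/"false" dict).
    Returns None when the value cannot be resolved statically.
    """
    if value is None:
        return False  # absent attribute: Android defaults to not debuggable
    v = value.strip().lower()
    if v in ("true", "false"):
        return v == "true"
    if v.startswith("@bool/"):
        ref = bool_resources.get(v[len("@bool/"):])
        return None if ref is None else ref.strip().lower() == "true"
    return None


def is_debuggable(manifest_xml, bool_resources=None):
    """Return True/False, or None when the flag is an unresolved reference."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False  # no <application> element: nothing can be debuggable
    return resolve_bool(app.get(DEBUGGABLE), bool_resources or {})


# Constructed sample manifests (not taken from any real app).
RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.release"><application android:label="Demo"/></manifest>"""
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.debug"><application android:debuggable="true"/></manifest>"""
REF_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ref"><application android:debuggable="@bool/dbg"/></manifest>"""

if __name__ == "__main__":
    print(is_debuggable(RELEASE_MANIFEST))               # False
    print(is_debuggable(DEBUG_MANIFEST))                 # True
    print(is_debuggable(REF_MANIFEST, {"dbg": "true"}))  # True
    print(is_debuggable(REF_MANIFEST))                   # None (unresolved)
```

A release build that returns True here is exactly the state the JDB technique above relies on, so the check belongs in a build pipeline as much as in an assessment.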
Penetration Testing tools for iOS
Although there are plenty of assessment tools available on the Internet, this article focuses on the important tools that meet the requirement of assessing known and unknown vulnerabilities. It is important to note that all the security tools listed here work only on a jailbroken device.
oTool
It is a known fact that apps in the Apple App Store must be signed. In order to decrypt these apps and perform binary analysis, oTool is required. oTool is widely used to perform manual decryption and to identify misconfigurations in the way the app is packaged and installed on the user's device. The tool lists the shared libraries used by any Mach-O binary and inspects its contents.
SSL Kill Switch
The SSL Kill Switch tool was released at Black Hat in 2012. iOS SSL Kill Switch is designed to disable SSL certificate validation, including certificate pinning, within iOS apps. The tool patches SSL functions within the Secure Transport API to override and disable the system's default certificate validation.
The keychain dumper
The keychain dumper is a utility that’s used to dump all the keychain data from a jailbroken device.
LLDB
LLDB is the default debugger in Xcode and supports debugging of Objective-C on iOS devices and in the iOS simulator. LLDB works similarly to GDB and follows a client-server architecture.
Clutch
Clutch is another excellent tool that’s used during the penetration testing activity; it decrypts and dumps the data for the iPhone, iPod Touch, and iPad applications.
Cycript
Cycript (http://www.cycript.org) is the best runtime tool for instrumenting iOS apps; it combines JavaScript and Objective-C and can be installed by adding cydia.saurik.com as a repository. By default, this tool can be programmed to instrument iOS apps at runtime through an interactive console. Cycript can be extremely useful for breaking authentication logic and for finding information leakage, such as encrypted keys held in objects, and for loading additional view controllers.
Snoop-it
Snoop-it plays a crucial role during iOS app security assessments and provides many options for automation, such as adding mock locations and changing binary boolean values. It is considered one of the best toolkits for penetration testing. Snoop-it provides three main features: monitoring, analysis, and manipulation at runtime. The following is the list of things we can do with this tool:
- Filesystem details
- Network information
- Keychain data
- All the API access
- Jailbreak detection
- Inspect the runtime state and load classes and methods during runtime
- Trace methods during runtime
Summary
In this article, we discussed various penetration testing tools and learned how to debug apps on Android using JDB and on iOS using LLDB. Using these tools, one can simulate real-time attacks on Android and iOS apps. Before attacking any application, it is always best practice to look at the application from an attacker's point of view and understand how the application's threat model could have been implemented.