Archive for the 'Mobile App Penetration Testing' Category



An evolutionary malware, known as “Accessibility Clickjacking”, has been discovered by SkyCure, a US-based mobile threat security company, and revealed to the world at the 25th annual RSA Conference, the world’s biggest cyber-security event, which ended on Friday the 4th of March.


The “Accessibility ClickJacking” malware is a critical and dangerous discovery

In its study, the company found that this early instance of the advanced mobile malware had already affected more than half a billion Android devices globally. As the company pointed out in its report, this very modern mobile malware was able to evade scanner detection, which is usually based on signatures and on static and dynamic analysis.

“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent.”

If you want to see accessibility clickjacking in action, just watch the video from Skycure below, which utilizes a free ‘Rick and Morty’-themed game to get users to unknowingly enable certain accessibility features:



While a number of defences had been built into web browsers and web servers to limit the clickjacking risk, the mobile platform remained vulnerable, and this discovery showed that Android is still susceptible to similar kinds of threats.


Smartphone users of the Android operating system were advised to be careful when playing games or running applications, as hackers were able to create simple so-called “benign” games that could automatically trigger the “Accessibility ClickJacking” in the background unbeknownst to the owner of the device.


The malware could allow malicious apps to get hold of all text-based sensitive information on the affected Android devices and take automated actions via other apps or even the operating system. The exposed data includes emails, text messages, data from messaging apps, and important business applications such as CRM software, marketing automation software and more. This makes Android users vulnerable through the games and applications they download.


Once inside the victim’s device, the hackers could, therefore, change passwords. However, the security company did mention that the malware was only active on older versions of the Android operating system, accounting for 65 percent of these devices, and said that there was no reason to worry for users of the latest operating systems, the Lollipop and Marshmallow platforms. Anything from Android 2.2 Froyo to Android 4.4 KitKat was most likely to be affected by ClickJacking, SkyCure noted.


WhatsApp Denial of Service :-)

Author: Martin Voelk
December 24, 2015

As exploit developers will know, fuzzing and crashing an application is an integral part of exploiting it. Whilst this WhatsApp bug may “only” crash the app, maybe it can be further developed into a full exploit of the underlying platform.

This one is funny, as it allows people to crash other people’s WhatsApp applications by just sending enough smileys 🙂 Very Merry Christmas everyone and a happy new year, and don’t send your friends too many smileys with your Christmas wishes 🙂


Effective BYOD Security App

Author: Martin Voelk
April 15, 2015

Only recently Apple started cracking down on anti-virus apps by starting to remove them from the App Store, as apparently no viruses or malware exist for Apple… hust hust. (A slight dose of arrogance must have overcome Apple by doing so.) Just to clarify for everyone: we are not in the boat with any vendor and we report from a pure security standpoint without any bias towards or against one vendor or the other. Fact is that there are tons of viruses and malware out there specifically targeting Apple iOS. So anyone saying there are no viruses or malware on iOS is WRONG. Only recently we stumbled across interesting code snippets on the dark web to exploit iOS 8.x.

Now that this is clarified, we would like to show our readers a very good mobile application which enhances security a lot. The company producing this app is called zImperium. It counters ARP spoofing attempts in a wireless cell and is also an ideal component for any BYOD setup. It protects against host and network attacks alike and is a very robust endpoint security solution overall. Here is the link:


April 1, 2015

One of the biggest challenges penetration testers always face is how to test out technologies, play around in sandbox environments and so forth. No professional pentester wants to start pentesting a real app on iTunes or Google Play and potentially break something.

But there is good news! An application called the Damn Vulnerable iOS App provides ethical hackers with a platform to test and learn mobile application penetration testing in a safe and controlled environment. A similar distribution for web applications has existed for a while already, but now mobile pentesters, and those who want to become one, have a great platform too.


iOS and Android App Penetration Testing

When assessing a mobile application several areas will be taken into account: client software, the communication channel and the server side infrastructure. All our Penetration Tests are aligned to the OWASP framework. We perform the service either as black box (no knowledge of the App), grey box (partial knowledge of the App) or white box (full knowledge of the App). In all assessments we follow a strict process.

  • Encryption and communications with the main web app (web services, etc.)
  • Code Signing and Memory Protections
  • Fuzzing the iOS Application
  • Exploiting the iOS Application

Information gathering

  • Observe application behavior
  • Determine the application’s data states (at rest, in transit or on display) and sensitivity
  • Identify access methods
  • Identify what frameworks are in use
  • Identify server side APIs that are in use
  • Identify what protocols are in use
  • Identify other applications or services with which the application interacts
  • Decrypt App Store binaries: the .ipa is decrypted at runtime by the kernel’s Mach loader. Cydia has several applications available: Crackulous, AppCrack and Clutch. Also, you can use GDB. The “cryptid” field of the LC_ENCRYPTION_INFO load command identifies whether the application is encrypted or not. Use otool -l <app name> | grep -A 4 LC_ENCRYPTION_INFO
  • Determine the architecture the application was compiled for: otool -f <app name> or lipo -info <app>.
  • Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <app name>
  • List the dynamic dependencies. Use otool -L <app name>
  • Dump the load commands for the application. Use otool -l <app name>
  • Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instance variables and properties. Use class-dump-z <app name>. The output can be put into a .h file which can be used later to create hooks for method swizzling or simply to make the methods of the app easier to read.
  • Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain.
  • Determine the security features in place:
    Locate the PIE (Position Independent Executable) flag – an app compiled without PIE (enabled with the -fPIE -pie flags) will load the executable at a fixed address. Check this using the command: otool -hv <app name>
    Stack smashing protection – specified with the -fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, saved instruction pointer and function arguments. It is verified upon function return to see whether it has been overwritten. Check this using: otool -I -v <app name> | grep stack. If the application was compiled with stack smashing protection, two undefined symbols will be present: “___stack_chk_fail” and “___stack_chk_guard”.
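The encryption, architecture and PIE checks above all read fields of the Mach-O header that otool prints. As an added example, not code from the original post, this Python script reads those fields directly from a thin Mach-O file so it runs without Apple's toolchain; the built-in sample header is constructed, and the ncmds/cmdsize bounds checks guard against truncated or crafted binaries.

```python
import struct

# Mach-O constants (public Apple values from <mach-o/loader.h> and <mach/machine.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000                              # header flag: ASLR-enabled executable
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def inspect_macho(data: bytes) -> dict:
    """Return architecture, PIE flag and FairPlay cryptid for a thin little-endian Mach-O image.

    cryptid 1 means the App Store binary is still encrypted (decrypt before class-dump
    or nm give anything useful); 0 means decrypted; None means no encryption command at all.
    """
    if data[:4] == b"\xCA\xFE\xBA\xBE":        # FAT_MAGIC is stored big-endian
        raise ValueError("fat binary: split it first (e.g. lipo -thin arm64)")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags (64-bit adds a reserved word)
    _, cputype, _, _, ncmds, sizeofcmds, flags = struct.unpack_from("<IiiIIII", data, 0)
    hdr_size = 32 if magic == MH_MAGIC_64 else 28
    report = {"arch": CPU_TYPES.get(cputype, hex(cputype)), "pie": bool(flags & MH_PIE), "cryptid": None}
    off, end = hdr_size, hdr_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > min(end, len(data)):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # payload: cryptoff, cryptsize, cryptid (the _64 variant appends 4 bytes of padding)
            _, _, report["cryptid"] = struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return report


def build_sample(pie: bool, cryptid: int) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE header with one LC_ENCRYPTION_INFO_64 (not a real app)."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), MH_PIE if pie else 0, 0)
    return hdr + cmd


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True, 1)
    print(inspect_macho(data))  # sample prints {'arch': 'arm64', 'pie': True, 'cryptid': 1}
```

Run it against the executable inside a decrypted .app bundle (a thin slice), or with no argument to see the constructed sample.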

Application traffic analysis

  • Analyze error messages
  • Analyze cacheable information
  • Transport layer security (TLS version; NSURLRequest object)
  • Attack XML processors
  • SQL injection
  • Privacy issues (sensitive information disclosure)
  • Improper session handling
  • Decisions via untrusted inputs
  • Broken cryptography
  • Unmanaged code
  • URL Schemes
  • Push notifications
  • Authentication
  • Authorization
  • Session management
  • Data storage
  • Data validation (input, output)
  • Transport Layer protection – are the certificates validated, does the application implement Certificate Pinning
  • Denial of service
  • Business logic
  • UDID or MAC ID usage (privacy concerns)

Runtime analysis

  • Disassemble the application (gdb)
  • Analyze file system interaction
  • Use the .h file generated with class-dump-z to create a method swizzling hook for some interesting methods, either to examine the data as it flows through or to create a “stealer” app.
  • Analyze the application with a debugger (gdb): inspecting objects in memory and calling functions and methods; replacing variables and methods at runtime.
  • Investigate CFStream and NSStream
  • Investigate protocol handlers (the application:openURL: delegate method – check whether it validates the source application that instantiated the URL request), for example: try to reconfigure the default landing page for the application using a malicious iframe.
  • Buffer overflows and memory corruption
  • Client side injection
  • Runtime injections
  • Having access to sources, test the memory by using Xcode Schemes

Insecure data storage

  • Investigate log files (plugging the device in and pulling down logs with Xcode Organizer)
  • Insecure data storage in the application folder (/var/mobile/Applications), caches, and backups (iTunes)
  • Investigate custom created files
  • Analyze SQLite databases
  • Investigate property list files
  • Investigate file caching
  • Insecure data storage in keyboard cache
  • Investigate Cookies.binarycookies
  • Analyze iOS keychain (/private/var/Keychains/keychain-2.db) – when it is accessible and what information it contains; data stored in the keychain can only be accessible if the attacker has physical access to the device.
  • Check for sensitive information in snapshots
  • Audit data protection of files and keychain entries (To determine when a keychain item should be readable by an application check the data protection accessibility constants)