📱 Mobile Attacks

📱 Mobile Application Basics

In this article, I will summarise all the specifics of mobile applications and devices. This information might be valuable either for penetration testing or digital forensics.

📚 App Transport Security

In this article I’m trying to untangle a notion that is very confusing for some people (myself included): App Transport Security. We will work through several examples and then construct our own setting according to our requirements.

Overview

NSAppTransportSecurity : Dictionary {
    NSAllowsArbitraryLoads : Boolean
    NSAllowsArbitraryLoadsForMedia : Boolean
    NSAllowsArbitraryLoadsInWebContent : Boolean
    NSAllowsLocalNetworking : Boolean
    NSExceptionDomains : Dictionary {
        <domain-name-string> : Dictionary {
            NSIncludesSubdomains : Boolean
            NSExceptionAllowsInsecureHTTPLoads : Boolean
            NSExceptionMinimumTLSVersion : String
            NSExceptionRequiresForwardSecrecy : Boolean   // Default value is YES
            NSRequiresCertificateTransparency : Boolean
        }
    }
}

The above code snippet from Apple docs shows the object that is responsible for loosening network security. This topic has been very confusing for me, but I’ve finally got myself untangled 🎄 🐈 💡 !

📚 Frida Crash Course

Intro

Frida is cool

Templates

Empty

If a method needs an argument of type Context, getApplicationContext() must be used to obtain one. Otherwise it can be skipped.

function getApplicationContext() {
    // Obtain the current application's Context via ActivityThread.
    // Must be called from inside Java.perform(), since it uses Java.use().
    const ActivityThread = Java.use("android.app.ActivityThread");
    const currentApplication = ActivityThread.currentApplication();
    return currentApplication.getApplicationContext();
}


function bruteforcePIN() {
    Java.perform(() => {
        // if the method requires a Context-type argument
        var context = getApplicationContext();
        try {
            // code here
        }
        catch (e) {
            // exceptions to handle, example:
            console.log(e.message);
        }
    });
}

Reverse Bool

If there is a function that returns a bool, and this bool value needs to be reversed:

📚 Decrypting iOS Applications

There are several tools available that decrypt iOS applications. iOS applications downloaded from the App Store are encrypted: the App Store simply won’t allow an app to be uploaded without a proper signature and encryption. To get the .ipa off the device for further analysis, a tool is needed. There are several tools available now (October 2020); I’ve prepared a simple overview of how they work and how they differ.

I’ve taken a single application (in my case it was Bear) and decrypted it using several different tools. frida-ios-dump and CrackerXI+ produced the same output (the md5 matches); Clutch’s output differed in several bytes.

🧰 Mobile Toolkit

Debuggers

gdb

radare2

Other

  • IDA Pro
  • [Hopper Disassembler](/docs/toolkit/general/reverse-toolkit/#hopper disassembler)

Static code analysis

IDA Pro

Hopper Disassembler

radare2

Utilities

Activity Analysis

Jailbreaking/Rooting

Something

Description

Host platforms: 🌈

Target platforms: 🌈

Install:

Common commands:

Keywords:

Analogues:

Possible issues:

Multitools

Passionfruit

Host platforms: 🌈

Target platforms: 🌈

Install:

brew install npm
# install node js - https://nodejs.org/en/download/
# reopen terminal
npm install -g passionfruit
passionfruit

Common commands:

passionfruit to launch

Keywords: multitool, logs

📘 📕 BTFM and RTFM iOS

This is a combination of BTFM and RTFM (Blue Team Field Manual and Red Team Field Manual) for iOS devices and applications. I used to keep two separate field manuals at first, but since there are just too many intersections, I’ve decided to combine them to make it easier to use. For Android RTFM and BTFM see here

Cheatsheet

This cheatsheet is meant to ease the flow of either a penetration testing analysis or a forensics investigation. Fill in the form below to speed up command line tool usage.

📚 ApplePay, GooglePay, SamsungPay

Options: Google Wallet, Apple Pay, Samsung Pay, Amazon Pay, Visa Checkout and PayPal. I think there are more,

https://www.linkedin.com/feed/update/urn:li:activity:6978379172934991873/

Samsung Pay

I am planning to add SamsungPay as well (former LoopPay), when I get how it works and how it differs.

ATTENTION. Samsung Pay previously supported MST technology: contactless payments without using NFC. Instead of that module, a magnetic one was used, which allowed a purchase to be made even on outdated terminals. But in newer smartphone models MST was dropped, since 99% of stores have now installed POS terminals supporting the more secure NFC [4].

📘 BTFM and RTFM Android

This is a combination of BTFM and RTFM (Blue Team Field Manual and Red Team Field Manual) for Android devices and applications. I used to keep two separate field manuals at first, but since there are just too many intersections, I’ve decided to combine them to make it easier to use. For iOS RTFM and BTFM see here

I use the below cheatsheet at the very beginning of forensic analysis or application testing.