Mobile app penetration tests and app scanning are on the rise. In this blog, I’ll discuss the increasing trend of developers including mobile penetration testing and vulnerability scanning as part of a mobile app release process. In previous posts of this series, I covered some of the basics of reverse engineering to provide an understanding of the tools and techniques used to pen test iOS apps and Android apps. In this post, I’ll show you how to easily secure any mobile app to ensure that it will pass a pentest.
What is a Mobile Pentest?
A mobile app pentest is a cyber security assessment of a mobile application conducted to identify, safely exploit and attempt to eliminate vulnerabilities and weaknesses in the app’s security defenses. Penetration testers use a combination of static analysis and dynamic analysis techniques to test the robustness of the mobile app’s security model – effectively, they attempt to exploit the vulnerabilities and weaknesses within the application code, logic, or data to determine whether unauthorized access or other malicious activity is possible ‘in the wild’.
Static techniques include disassembling or decompiling the app’s code to understand what it does. Dynamic analysis techniques involve executing the code: the tester runs and interacts with the app, learning how it works by observing or altering its behavior. Dynamic techniques include attaching debuggers to the app, inserting breakpoints to crash the app, dumping memory, and running the app on emulators/simulators. They also include advanced techniques such as dynamic binary instrumentation, where the pen tester attaches to the running process and modifies the app while it is running, using tools like Frida or ADB and methods like function hooking, method swizzling, memory injection, JavaScript injection, and more.
How to Secure Mobile Apps to Pass a Mobile Pentest
Using Appdome, passing a mobile app pentest is easy. It all comes down to selecting the right collection of features that protect against the exploit methods or tools used by the pentester. I’ll walk through each below, and also map them to the previous post on pentesting methods.
Application Shielding / RASP
Appdome ONEShield protects against dynamic analysis and dynamic attacks such as malicious debugging, tampering, and emulation. ONEShield also protects against binary patching and repackaging apps for re-distribution.
Code Obfuscation
Appdome TOTALCode Obfuscation makes the code and application logic difficult for hackers and pentesters to understand. As you can see from the screenshot below, you can select the obfuscation method most suitable for your app and use case. In the example below, I’m securing an app built using React Native, which is a non-native development framework for building cross-platform or hybrid apps. Therefore I selected Non-Native Code Obfuscation to protect the JavaScript code that would otherwise be stored inside the application unprotected. There are also options to obfuscate native code and native libraries, as well as to obfuscate/relocate control flows. For Android apps you can also relocate DEX control flow and/or encrypt DEX files (the executable Java classes of your Android app).
Jailbreak Prevention / Rooting Prevention
Jailbreak prevention and rooting prevention protect the app against attempts by the pentester or hacker to run it on a jailbroken or rooted phone, which would allow them to compromise the app with much greater ease.
Data Encryption
Data Encryption protects data stored in or used by the app, including data in the app sandbox, as well as in strings, preferences, and many other places where data is stored in the code.
Secure Communication / MitM Attack Prevention
Secure Communication (prevent MitM attacks) – protects data in transit and the app’s chain of trust, including certificate pinning and certificate validation, and defends against MitM attacks, session hijacking, credential stuffing, malicious proxies, and more.
Prevent Dynamic Instrumentation and Magisk
If you know that your pen tester will use advanced dynamic instrumentation tools like Frida, or advanced rootkits and root-hiding tools like Magisk, then it is wise to implement protections against those tools and frameworks as well.
Passing a Mobile Pentest Requires a Multi-Layered Security Defense
Each of the feature categories informs, complements, and reinforces the others. Omitting any one of them (or implementing the protection superficially) makes it possible for an attacker to exploit the deficiency to compromise, disable, or bypass the other protections. Achieving a layered defense therefore requires protections in each of the key categories, including multiple detection mechanisms operating at different layers of the code, frameworks, and APIs, and triggered at different life cycle events of the app.
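To make the dynamic-analysis and rooting discussion above concrete, here is an added example (written for this post, not Appdome’s or ONEShield’s code) of two runtime self-checks that a RASP layer on Android/Linux commonly performs from native code: detecting an attached debugger by reading the TracerPid field of /proc/self/status, and checking for a few filesystem artifacts that a rooted device typically carries. The list of root artifact paths and the constructed status text used in testing are assumptions for illustration. Both checks are deliberately simple and each can be defeated on its own (for example by hooking the file reads), which is exactly why the post argues for several detection mechanisms at different layers rather than any single one.

```c
/* Added example, not Appdome's code: two native runtime self-checks of the
 * kind a RASP layer performs. Each is one bypassable layer, not a complete
 * defense on its own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Parse the "TracerPid:" field from the text of /proc/self/status.
 * Returns the tracer's PID, 0 when no tracer is attached, or -1 when the
 * field is absent. Kept separate from the file read so it can be exercised
 * on constructed input. */
int parse_tracer_pid(const char *status_text) {
    const char *key = "TracerPid:";
    const char *p = status_text;
    while ((p = strstr(p, key)) != NULL) {
        /* Only accept a match at the start of a line. */
        if (p == status_text || p[-1] == '\n') {
            return (int)strtol(p + strlen(key), NULL, 10);
        }
        p += strlen(key);
    }
    return -1;
}

/* Report whether a ptrace-based debugger is attached to this process.
 * Returns 1 if traced, 0 if not, -1 if /proc/self/status is unreadable. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int pid = parse_tracer_pid(buf);
    if (pid < 0) return -1;
    return pid > 0 ? 1 : 0;
}

/* Return 1 if any of the given paths exists on the filesystem, else 0. */
int any_path_exists(const char *const *paths, size_t count) {
    struct stat st;
    for (size_t i = 0; i < count; i++) {
        if (stat(paths[i], &st) == 0) return 1;
    }
    return 0;
}

/* Illustrative (assumed, not exhaustive) locations of root artifacts that a
 * stock Android device does not have. */
static const char *const ROOT_ARTIFACTS[] = {
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
};

/* Return 1 if any known root artifact is present, else 0. */
int device_looks_rooted(void) {
    return any_path_exists(ROOT_ARTIFACTS,
                           sizeof ROOT_ARTIFACTS / sizeof ROOT_ARTIFACTS[0]);
}

int main(void) {
    printf("debugger attached: %d\n", debugger_attached());
    printf("root artifacts present: %d\n", device_looks_rooted());
    return 0;
}
```

In a real app these checks would run at several life cycle events (process start, resume, before sensitive operations) and their results would be combined with other signals, since a tester who has already hooked the process with Frida can simply make each function return 0.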
Check out the video below to see how to pass a mobile pentest or vulnerability scan in less than 5 minutes using Appdome’s no-code mobile app security platform.
If you want to learn more about any of these features or see them in action, request a demo using the button below, and see how Appdome helps mobile developers automate mobile app security implementations and pass mobile penetration tests – for any app frameworks, and without changing developer workflows.