{"id":1836,"date":"2018-08-07T18:38:54","date_gmt":"2018-08-07T13:08:54","guid":{"rendered":"http:\/\/www.idslogic.com\/blog\/?p=1836"},"modified":"2019-12-04T14:34:22","modified_gmt":"2019-12-04T09:04:22","slug":"best-practices-to-start-with-mobile-penetration-testing","status":"publish","type":"post","link":"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing","title":{"rendered":"Best Practices to Start with Mobile Penetration Testing"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_72 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing\/#Build_a_Plan_for_Effective_Results\" title=\"Build a Plan for Effective Results:\">Build a Plan for Effective Results:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing\/#Create_a_Thorough_Testing_Environment\" title=\"Create a Thorough Testing Environment:\">Create a Thorough Testing Environment:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing\/#Time_Management_Skills\" title=\"Time Management Skills:\">Time Management Skills:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing\/#Network_Connectivity\" title=\"Network Connectivity:\u00a0\">Network Connectivity:\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing\/#Server_Environment\" title=\"Server Environment:\">Server Environment:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.idslogic.com\/blog\/best-practices-to-start-with-mobile-penetration-testing\/#Choose_the_Right_Penetration_Testing_Tool\" title=\"Choose the Right Penetration Testing Tool:\">Choose the Right Penetration Testing Tool:<\/a><\/li><\/ul><\/nav><\/div>\n<p>With the increased use of mobile devices and applications by people, there also comes a wide range of attacks that was not much more relevant earlier in the web application world. Fortunately, there are experts who can delve deep into the matter and find ways to solve the challenges. But testing a mobile app requires a different approach than testing a web application.<\/p>\n<p>Protecting the applications on the handheld devices using Android or iOS needs to perform different tests and process that include mobile app reverse engineering, static and dynamic security testing, mobile platform internal and etc.<\/p>\n<p>Here in this blog, we will discuss some practical tips regarding penetration testing, how to set the testing environment and some testing tools that you will need for the task. So, here is how you should begin with:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Build_a_Plan_for_Effective_Results\"><\/span><span style=\"color: #003366;\"><strong>Build a Plan for Effective Results: <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In order to run a successful penetration <a href=\"https:\/\/www.idslogic.com\/digital-and-mobility-testing\/\">testing of your mobile application<\/a>, the first step that you need to do is to develop a methodology as to how you will plan to move forward.\u00a0 Since each mobile app is different from the other and the environment too varies, it is important to carefully consider the exact needs that are to be tested. you can start with the cheat sheet that is provided to you by your mobile app testing company. This is actually created for the pentesting of the mobile app.<\/p>\n<hr \/>\n<h3><span class=\"ez-toc-section\" id=\"Create_a_Thorough_Testing_Environment\"><\/span><strong><span style=\"color: #003366;\">Create a Thorough Testing Environment:<\/span> <\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Planning for the appropriate pentesting environment is also essential. Though it is very difficult to jailbreak an iPhone, but it can be done by mobile app testing experts if they know what they are exactly doing. So, when it comes to pentesting an iPhone environment, it is necessary to create the actual real test environment to discover the security issues that can be there.<\/p>\n<hr \/>\n<h3><span class=\"ez-toc-section\" id=\"Time_Management_Skills\"><\/span><span style=\"color: #003366;\"><strong>Time Management Skills: <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Based on the magnitude of the penetration testing that you are conducting, you will have to effectively manage your time skills as well. There may be times when you may not need to test the entire mobile application. Testing only one portion would be enough. Proper time management would enable you to do the test and complete it and then move onto something else without having to sacrifice attention to details.<\/p>\n<hr \/>\n<h3><span class=\"ez-toc-section\" id=\"Network_Connectivity\"><\/span><span style=\"color: #003366;\"><strong>Network Connectivity<\/strong>:\u00a0<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>While conducting a penetration testing on the networking connectivity between the server and the smartphone, from where the application will be downloaded, make sure that you use the network sniffers.\u00a0 These tools help to gather important information and data that is not only related to the network traffic, but also with the data packets.<br \/>\nThe results can be used to formulate the type of pentesting that has to be done. It is also very important to examine the authorization, authentication and also the session management mechanism that is to be deployed and verify the encryption protocols that has to be implemented.<\/p>\n<hr \/>\n<h3><span class=\"ez-toc-section\" id=\"Server_Environment\"><\/span><span style=\"color: #003366;\"><strong>Server Environment:<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Testing the server environment is equally important, as that is the place where the app is hosted and will be downloaded from. Some penetration testing that needs to be conducted include the authentication mechanism placed between the server and the smartphone, any open redirects, authorized and unauthorized file uploads and cross origin resource sharing.<\/p>\n<hr \/>\n<h3><span class=\"ez-toc-section\" id=\"Choose_the_Right_Penetration_Testing_Tool\"><\/span><span style=\"color: #003366;\"><strong>Choose the Right Penetration Testing Tool:<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>With many pentesting tools available, you can either choose a free version or a paid one. Picking the right based on your environment and requirements is very important. Some of the most popular mobile pentesting tools available include Cydia, Apktool, Wireshark, Burp Proxy and etc.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the increased use of mobile devices and applications by people, there also comes a wide range of attacks that was not much more relevant earlier in the web application world. Fortunately, there are experts who can delve deep into&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1837,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[219,172],"tags":[554,555,504],"class_list":["post-1836","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-testing","category-technology","tag-mobile-penetration-testing","tag-mobile-testing","tag-testing"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/posts\/1836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/comments?post=1836"}],"version-history":[{"count":1,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/posts\/1836\/revisions"}],"predecessor-version":[{"id":1838,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/posts\/1836\/revisions\/1838"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/media\/1837"}],"wp:attachment":[{"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/media?parent=1836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/categories?post=1836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.idslogic.com\/blog\/wp-json\/wp\/v2\/tags?post=1836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}