Introduction

Mobile computing has changed the game. Your personal data is no longer just stored on your desktop in the sanctuary of your office or home. You now carry personally identifiable information, financial data, personal and corporate email, and much more in your pocket, wherever you go. The smartphone is quickly becoming ubiquitous, and with at least 40 applications installed on the average smartphone the attack surface is significant.

Smartphones have become commonplace not only in the consumer markets but also now in the enterprise. Enterprise mobile applications extend the corporate environment beyond the workplace, introducing new security concerns and exposing organizations to new types of threats. Enterprises embracing "Bring Your Own Device" (BYOD) strategies should be particularly mindful of the array of applications that the smartphone may have installed and run within the corporate network.

This book is a practical guide to reviewing the security of mobile applications on the most widely adopted mobile operating systems: Apple iOS, Google Android, BlackBerry, and Windows Mobile. It focuses solely on the client-side, examining mobile applications in the context of these devices as opposed to server-side applications, where security is much more mature and better understood.

Overview of This Book

The focus of this book is highly practical. Although we provide some background theory for you to understand the fundamentals of mobile application vulnerabilities, our primary concern is documenting the techniques you need to master to attack and exploit them. Where applicable, we include real-world examples derived from our many years of experience and from publically documented vulnerabilities.

In addition to describing mobile application security vulnerabilities and attack techniques, we describe in detail the defense-in-depth strategies and countermeasures that application developers can use to effectively defend their applications. This information enables penetration testers, security consultants, and developers alike to provide high-quality remediation advice to application owners.

In short, this book is intended to act as an all-encompassing single point of reference for mobile application security, bringing together the publicly available knowledge on the attack and defense of mobile applications and combining it with the blended experience of the authors.

How This Book Is Organized

This book is roughly split into the topics covered for each of the mobile device platforms, you can think of it as four books in one! For each of the mobile platforms; we provide a pragmatic approach to performing a mobile application security assessment. First detailing the necessary background information on how to analyze the application itself, followed by detailed information on how to attack the application and the categories of vulnerability that affect the relevant platform, finally providing remedial action that can be implemented to develop secure mobile applications. If you are new to mobile application security, it is recommended that you read the book from start to finish, acquiring the knowledge and understanding to tackle later chapters. This can be applied to the relevant chapters for each mobile platform, or the entirety of the book. If you're only interested in one specific platform or only a specific area of a platform, you can jump straight into the subsection that interests you. Where applicable, we have included cross-references to other chapters, which can be used to fill any gaps in your understanding.

• Chapter 1, "Mobile Application (In) Security," describes the current state of security in mobile applications today. As an area that has seen explosive and rapid growth over the past few years, security has been frequently overlooked or misunderstood in the fast evolving software lifecycles. As a consequence, mobile application vulnerabilities are rife and commonplace in the application ecosystem. This chapter examines the key attack surfaces for mobile applications, how mobile security has evolved and what standards and frameworks exist that can be used to categorize mobile application vulnerabilities. It then provides an overview of some mobile security resources that may prove useful in developing your assessment skills. Finally, it provides an insight into how mobile application security is, in our opinion, likely to evolve in the future.
• Chapter 2, "Analyzing iOS Applications," is the first chapter to focus on iOS application assessment. It starts off by describing some foundational knowledge on the security features of the iOS platform and briefly touches on how they have been circumvented in the past through jailbreaking. Although jailbreaking weakens the security controls of the device, it provides the opportunity to gain interactive access to the operating system, which is essential to thoroughly assess the security of an iOS application. This chapter describes how to access the device, and the file system as well as important concepts such as the Data Protection API and Keychain. This chapter also describes a range of further interesting topics, including App Store encryption, reverse engineering of iOS binaries, generic exploit, and mitigation features.
• Chapter 3, "Attacking iOS Applications," describes in detail the offensive techniques that can be used to attack iOS applications. It provides a brief introduction to Objective-C and Swift, the languages in which iOS applications are developed, and then outlines how the Swift and Objective-C runtimes can be manipulated to access and control the internals of an application. We then go on to describe the various types of client-side injection attacks that iOS applications can be susceptible to, including SQL injection, XML injection, and XML External Entity injection. It also dives into how data can be transmitted between applications on the same device through Inter Process Communication and how insecurities can arise that leave an application at risk of attack.
• Chapter 4, "Identifying iOS Implementation Issues," contains information related to how implementation issues specific to the iOS platform can leave applications at risk. This chapter describes how iOS applications can be audited for vulnerabilities arising from improper use of the device's address book, geolocation frameworks, and logging system. We also examine iOS specific peculiarities that can leave residual data on a device and may expose sensitive content, including caching of snapshots, web view data, and pasteboards. Finally, the chapter concludes with an overview of the memory corruption issues that affect iOS applications and how and to what extent these can be exploited.
• Chapter 5, "Writing Secure iOS Applications," transitions from the attacker's perspective to that of the defender. In this chapter, we examine the techniques that developers can use in their applications to protect against manipulation. This chapter also serves as a reference point for professional security assessors who need to offer remedial advice following application assessments. We describe how to securely implement encryption, erase data from both memory and the file system, and embed binary protections such as tamper proofing, jailbreaking, and runtime validation.
• Chapter 6, "Analyzing Android Applications," is the first section in a series of chapters on the Google Android platform. It starts by providing the necessary background on the security features of the platform, including code signing, sandboxing and a detailed description of the permission model. With the basics covered, we go on to examine how Android devices can be rooted to provide interactive super user access to the device. We also examine how Android applications are packaged, loaded onto devices, and some of the tools that can be used to build a test environment. The chapter concludes by describing the different ways packages are compiled and how security assessments can be conducted by decompiling and examining the application packages.
• Chapter 7, "Attacking Android Applications," provides a detailed description of the common areas of vulnerability in Android applications, along with the techniques to attack and exploit them. This chapter delves into many Android-specific attack categories, including exploitation of insecure services, content providers, broadcasts, intents, and activities. The chapter also examines how the Android runtime can be manipulated, exploring the various frameworks that can be used to implement function hooking in the Java Virtual Machine with sample use cases and practical examples. We also address perhaps two of the most important areas in mobile security, file system storage, and network communications. We explore how file and folder permissions can be exploited to leak sensitive information, how poor cryptographic practices can undermine secure storage, and how poorly implemented network access can be exploited from public or insecure networks. Finally, this chapter concludes with an insight into JavaScript interfaces, an area that has come under close scrutiny in 2014, and one that has exposed a significant number of Android devices to remote compromise.
• Chapter 8, "Identifying Android Implementation Issues," teaches you how to become an Android hacker. It provides practical advice on how to identify vulnerabilities in OEM device applications, how to find and exploit powerful packages, and how to leverage privilege...