Ethical Hackers Reveal How to Hack Any Mobile App (Legally!)
1,122 reads

by Sekurno (@sekurno), 16m, 2025/02/03

TL;DR

Mobile pentesting is about finding creative ways to break into an app. It differs from ordinary web pentesting because of the platforms themselves: Android and iOS each have their own rules, security models, and quirks. Common challenges include dealing with root/jailbreak detection, bypassing SSL pinning, and analyzing both client-side and server-side logic.

Think of a mobile app as a digital vault, holding everything from user passwords to payment details. As a penetration tester, your job is to check that the vault is locked tight long before a real attacker tries to break in. In this article, we walk you through the entire mobile pentesting process, from assembling the right tools to analyzing code and traffic. Let's dive in!

Introduction

We live in a world where mobile devices are increasingly extensions of ourselves. Because people do their banking, shopping, and socializing on their phones, making sure an app is secure is essential. That is why mobile pentesting matters: we simulate attacks on apps to expose weaknesses and help developers fix them.


Here is what is in it for you:


  • Peace of Mind: You won't lose sleep over data leaks or stolen credentials.
  • Compliance: Regulators (and your users) expect strong security controls.
  • Reputation Boost: Secure apps mean happy customers and less risk of bad headlines.

What Is Mobile Pentesting?

At its core, mobile pentesting is about finding creative ways to break into an app, just as a real attacker would, so that you can fix the weaknesses first. It differs from ordinary web pentesting because mobile apps:


  • Run on Distinct Platforms: Android and iOS each have their own rules, security models, and quirks.

  • Store Data on the Device: Sensitive information may be cached locally, so checking on-device storage is essential.

  • Rely Heavily on APIs: Mobile apps usually talk to backend servers through APIs, which may be misconfigured or vulnerable if not tested properly.


Common challenges include dealing with root/jailbreak detection, bypassing SSL pinning, and analyzing both client-side and server-side logic.

Common Threats to Mobile Applications

Picture a medieval castle: these are the "weak points" that attackers target:


  1. Insecure Data Storage
    • Sensitive tokens or user credentials left unencrypted on the device.
  2. Weak Server-Side Controls
    • Missing input validation or flawed API logic that criminals can exploit.
  3. Insufficient Transport Layer Protection
    • Using HTTP or misconfigured HTTPS, allowing attackers to intercept or modify network traffic.
  4. Insecure Authentication & Authorization
    • Poorly implemented login systems, session management, or permission checks.
  5. Client-Side Vulnerabilities
    • Code that can be reverse-engineered to reveal secrets, or logic that can be tampered with at runtime.


Check out the OWASP Mobile Top 10 and the Mobile Application Security Testing Guide (MASTG) for more on these risks. They are like maps that show everything that could go wrong.


https://owasp.org/www-project-mobile-top-10/


Preparing for a Mobile Assessment

Before you storm the castle, you need armor and weapons. In pentesting terms, that means setting up an environment where you can test safely without harming real-world data. Let's cover the basics for both Android and iOS.

Android

When testing Android apps, you can emulate devices with tools such as the Android Emulator or Genymotion. These emulators let you install and test apps quickly without needing a physical device. Detailed steps for setting one up can be found in this guide.


Android Emulator



That said, using a physical device often yields more realistic results, especially if you need to test real-world network conditions, sensors, or biometric authentication. If you plan advanced tests such as root checks or deep data forensics, having real hardware is a major plus.


If you decide to buy or borrow a dedicated device, keep in mind that some Android phones are easier to root. Rooting gives you deeper access to the operating system, letting you inspect hidden files, bypass app restrictions, and run powerful tools that need elevated permissions.


Rooting

Android rooting is like finding a skeleton key to your phone's operating system. Typically, you will:

  1. Unlock the bootloader.
  2. Flash a custom recovery (for example, TWRP).
  3. Install a root management tool such as Magisk or SuperSU.

Every phone and OS version has its quirks, so be prepared for some trial and error. The good news is that once a device is rooted, it stays rooted unless you factory reset it or upgrade the firmware. Keep in mind that iOS jailbreaks can be lost after a reboot, so Android sometimes offers a more persistent testing platform.


Always follow trusted guides for your exact phone model: a botched root can brick the device or introduce security holes. And, of course, back up your data before you dive in!

Example of rooting a Pixel 3a

Proxy

Think of a proxy such as Burp Suite as your "spyglass". It lets you see and modify all traffic flowing in and out of the app. You will catch insecure communications, weak encryption, or shady requests. Setting up a proxy for mobile is similar on iOS and Android. You can find the official instructions for each platform here.


Things get tricky with certain frameworks:


  • Xamarin sometimes ignores system-wide proxy settings because of its custom networking libraries.

  • Flutter may respect proxies but can enforce certificate pinning, blocking you from seeing traffic.


To overcome these hurdles, you can patch the code, use tools such as Frida or Objection to disable pinning, or set up reverse proxies (for example, mitmproxy) to capture traffic. Adapting your approach is part of the fun!

App Installation

If the app is not on the Google Play Store yet, which is common for pentests, you will probably have an APK file to sideload. You can share the APK via Google Drive or a direct download link. Another convenient option is Firebase App Distribution, which organizes testing by sending invitations to collaborators.


https://firebase.google.com/codelabs/appdistribution-android#0

iOS

On iOS, a physical device also gives the most realistic testing picture. You can dig into hardware-specific features such as Face ID, Touch ID, and sensors while also capturing realistic network interactions. If you are buying or using a dedicated device, consider models known to be easier to jailbreak (not every iPhone is friendly to this process). If you need virtual iOS devices, Corellium offers robust cloud-based testing, although it is not free. Many testers still rely on a physical device for a thorough review.


AppleDB example for the iPhone 8


Jailbreaking

iOS jailbreaking feels a lot like removing the shackles Apple puts on its devices. You gain root privileges, letting you install tweaks, inspect hidden file directories, or run advanced pentesting scripts. Popular tools include unc0ver and checkra1n. The best choice depends on your iOS version and device model.


Remember:

  • Newer devices can be harder to jailbreak.
  • Some jailbreaks do not survive a reboot ("semi-untethered").
  • Always back up your iPhone before tampering with system files.


Also note that some security measures are restored automatically when your device restarts, so you may need to re-jailbreak every time it boots.

App Installation

iOS applications come as IPA files, similar to APKs on Android. On a jailbroken phone, you can install IPAs using file managers such as Filza or programs such as Sideloadly. For a more official route, developers usually rely on TestFlight, which lets them invite testers via email: just tap the link, and iOS handles the rest.


Sideloadly tool


Setting up your environment properly (choosing the right devices, virtual or physical, configuring proxies, and understanding how to sideload apps) ensures that you are ready to dive deep into the app's inner workings. It may take some tinkering, but once you have a complete setup, the real pentesting can begin!

Static Analysis (SAST)

Now let's move on to examining the app itself, without fully running it. This is like reading the castle's blueprint before going inside. We look for hardcoded secrets, insecure configurations, and other issues in the code or config files.

Key Areas to Examine

  1. Hardcoded Secrets

    API keys, tokens, credentials, and encryption keys sometimes end up directly in the source code. If attackers reverse-engineer the app, they can extract these secrets with little effort and impersonate users or services.

  2. Insecure Configurations

    Overly broad permissions, debug flags left enabled, or improper signing can all punch holes in the app's defenses. A single setting, such as NSAllowsArbitraryLoads in the iOS Info.plist or android:debuggable="true", can open the door to man-in-the-middle (MITM) attacks or unrestricted debugging.

  3. Sensitive Data Exposure

    Storing session tokens or personal information in plaintext on the device (logs, shared preferences, local files) is a risky practice. Anyone with physical access or a rooted/jailbroken phone can walk off with the valuable data; no sophistication required.

  4. App Logic and Flaws

    Often the root issues come from how things are implemented. If critical checks, such as input validation, are missing or inconsistent, attackers can bypass your protections easily. Likewise, weak cryptographic functions or unobfuscated apps can make life easy for anyone inspecting your app.

MSTG Checklist

The Mobile Security Testing Guide (MSTG) provides a complete checklist to help you structure static analysis:

  • [ ] MSTG-STORAGE-1: Sensitive data is not stored unencrypted on the device.
  • [ ] MSTG-STORAGE-2: No sensitive data is stored in shared storage.
  • [ ] MSTG-CRYPTO-1: Appropriate use of cryptographic algorithms and libraries.
  • [ ] MSTG-NETWORK-1: Secure communication channels (for example, HTTPS/TLS).
  • [ ] MSTG-CODE-1: No hardcoded secrets in the source code.
  • [ ] MSTG-CODE-3: Code obfuscation is applied correctly.
  • [ ] MSTG-RESILIENCE-1: Protection against reverse engineering.
  • [ ] MSTG-RESILIENCE-2: Debugging capabilities are disabled in production builds.
  • [ ] MSTG-PRIVACY-1: Proper handling of user permissions and private data.

SAST Tools

Various tools can help you dissect your code, configurations, and binaries without running the app:


MobSF (Mobile Security Framework)

Usage: Upload an APK/IPA and MobSF will generate a detailed report: it flags possible misconfigurations, suspicious permissions, or hardcoded secrets.


Bonus: It also has some powerful dynamic features, making it a neat all-in-one solution.


MobSF example at https://mobsf.live/ for the AndroGoat app


APKTool (Android)

Usage: Decode and rebuild an APK to see what is inside. Great for reading AndroidManifest.xml, inspecting resources, or patching the app.


apktool d app.apk -o output_directory


JADX (Android)

Usage: Converts Dalvik bytecode (.dex) into readable Java. Great for spotting potentially risky lines of code, such as API keys.


jadx app.apk -d output_directory


Class-Dump, Hopper, Ghidra (iOS)

Usage: Extract Objective-C class headers (Class-Dump) or disassemble iOS binaries (Hopper/Ghidra). If the app is written in Swift, you will also see Swift metadata.

Examples

Android

  • Information Disclosure


Example of an AndroidManifest.xml file


  • Android apps can be unpacked from their APK files using tools such as APKTool, JADX, or MobSF.

    These processes reveal the source code, the app structure, and sensitive items such as AndroidManifest.xml or .smali files, which can expose the app's components and permissions.


  • Allowing Cleartext Traffic

<application android:usesCleartextTraffic="true" />


Attackers can exploit unencrypted (HTTP) communication to eavesdrop or tamper with it.


  • Debuggable Application

<application android:debuggable="true" />


Anyone with the device (or an emulator) can attach a debugger and rummage through sensitive data or logic.


  • Hardcoded API Keys

public class ApiClient {
    private static final String API_KEY = "12345-abcdef-67890";
    private static final String API_SECRET = "superSecretPassword123!";
}


A quick decompilation with APKTool or JADX reveals these keys, allowing attackers to impersonate the app or access backend services without authorization.


  • Sensitive Data in Plaintext

<map>
    <string name="session_token">abc123XYZ987</string>
    <string name="user_email">user@example.com</string>
</map>


If tokens or user information are stored in plaintext, a rooted device can extract them easily.

iOS

  • Misconfigured Info.plist

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>


Apple enforces secure connections by default, so overriding this exposes the app to MITM risks or unencrypted traffic.


Reverse-engineering tools such as Class-Dump, Hopper Disassembler, and Ghidra reveal the contents of the app's IPA file, including Objective-C classes, method names, and binary files.


Info.plist example
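As an added example (not code from the article or from Sekurno), the following Python script automates the static checks just shown: it parses an AndroidManifest.xml for usesCleartextTraffic and debuggable, an Info.plist for NSAllowsArbitraryLoads, and scans JADX-style Java output for credential-like string constants. The sample files, the regex, and the extra allowBackup check (which the article does not mention) are assumptions made for this example.

```python
"""Added example, not from the original article: a minimal SAST pass for the
Android manifest, iOS Info.plist and hardcoded-secret findings discussed above.
All sample inputs below are constructed; the patterns are assumptions."""
import plistlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest carrying the two weak settings from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:usesCleartextTraffic="true"
               android:debuggable="true"
               android:allowBackup="true" />
</manifest>"""

# Constructed sample Info.plist that disables App Transport Security.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed sample of decompiled output with the article's hardcoded keys.
SAMPLE_JAVA = """public class ApiClient {
    private static final String API_KEY = "12345-abcdef-67890";
    private static final String API_SECRET = "superSecretPassword123!";
    private static final String BASE_URL = "https://api.example.com";
}"""


def check_android_manifest(xml_text):
    """Return finding ids for risky <application> attributes, in checked order."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    # The first two settings are the ones the article calls out; allowBackup
    # (an assumption added here) lets device backups carry app data off-device.
    for attr, finding in (("usesCleartextTraffic", "CLEARTEXT_TRAFFIC"),
                          ("debuggable", "DEBUGGABLE"),
                          ("allowBackup", "BACKUP_ALLOWED")):
        if app.get(ANDROID_NS + attr, "false").lower() == "true":
            findings.append(finding)
    return findings


def check_ios_plist(plist_bytes):
    """Flag an ATS bypass (NSAllowsArbitraryLoads = true) in Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    return ["ATS_ARBITRARY_LOADS"] if ats.get("NSAllowsArbitraryLoads") else []


# Heuristic (assumption): a String constant whose name hints at a credential.
SECRET_PATTERN = re.compile(
    r'String\s+(\w*(?:KEY|SECRET|TOKEN|PASSWORD)\w*)\s*=\s*"([^"]+)"', re.I)


def find_hardcoded_secrets(java_source):
    """Return (name, value) pairs of credential-like string constants."""
    return [(m.group(1), m.group(2)) for m in SECRET_PATTERN.finditer(java_source)]


def run_sast():
    """Run all three checks on the constructed samples and collect the results."""
    return {
        "android": check_android_manifest(SAMPLE_MANIFEST),
        "ios": check_ios_plist(SAMPLE_PLIST),
        "secrets": [name for name, _ in find_hardcoded_secrets(SAMPLE_JAVA)],
    }


if __name__ == "__main__":
    for area, hits in run_sast().items():
        print(f"{area}: {hits}")
```

Point the three functions at the output directories of apktool, an unpacked IPA and JADX to run the same checks on a real target.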


Dynamic Analysis (DAST)

If static analysis is studying the castle's blueprint, dynamic analysis is walking through the castle and checking every door and window. We run the app, observe its behavior, and see whether we can exploit any weakness in real time.

Key Areas to Examine

  1. Network Communication

    Make sure your app's data is not leaking in transit. If your app relies on HTTP or misconfigured HTTPS, an attacker can intercept, capture, or modify data. The same goes for missing or weak SSL/TLS certificate pinning, which exposes your app to man-in-the-middle (MITM) attacks.

  2. Authentication & Authorization

    Even if your login flows and user roles look fine on paper, the real test is whether someone can bypass them at runtime. For example, can an attacker reuse or guess session tokens? Does the app time out properly, or does it keep sessions open forever?

  3. Runtime Integrity & Security Checks

    Many apps try to detect whether the device is rooted (Android) or jailbroken (iOS) and then refuse to run or disable certain features. During dynamic analysis, you want to see whether you can slip past these checks by hooking into the app's code, so that you can keep testing regardless. If you can evade these measures easily, attackers can too.

  4. Data Leakage During Execution

    Does the app log sensitive information (such as passwords or tokens) in plaintext? When you switch apps or background the device, is a screenshot with sensitive data still showing? These unintentional "breadcrumb" trails can lead attackers to treasure.

  5. API and Server-Side Verification

    The app may look secure from the client's perspective, but if the backend API fails to validate user permissions or input, an attacker can tamper with requests on the fly to gain unauthorized access or break the system. It is essential to test both client and server behavior in tandem.

MSTG Checklist

The Mobile Security Testing Guide (MSTG) also covers dynamic analysis. Here are some checks to keep in mind:


  • [ ] MSTG-RESILIENCE-1: The app detects and prevents tampering or reverse-engineering attempts.

  • [ ] MSTG-RESILIENCE-2: The app detects rooted or jailbroken devices.

  • [ ] MSTG-RESILIENCE-3: The app verifies the integrity of its code and resources at runtime.

  • [ ] MSTG-NETWORK-1: The app encrypts all network traffic using strong cryptography.

  • [ ] MSTG-NETWORK-3: The app enforces certificate pinning where appropriate.

  • [ ] MSTG-PLATFORM-1: The app does not rely on platform security mechanisms alone and enforces its own independent protections.

  • [ ] MSTG-AUTH-2: The app properly implements session timeouts and user re-authentication requirements.

  • [ ] MSTG-STORAGE-4: The app does not write sensitive data to system logs.

  • [ ] MSTG-STORAGE-5: The app does not store sensitive data in insecure locations.

  • [ ] MSTG-CRYPTO-1: The app uses up-to-date cryptographic algorithms for runtime operations.


Think of these as the roadmap for your real-world tests. They help you systematically knock on every door and window to prove it is locked.

DAST Tools

Unlike SAST, which focuses on code review, DAST revolves around running the app and observing it. Below are popular tools that make the process easier:


Burp Suite / OWASP ZAP

Usage: Both are intercepting proxies that let you capture and modify traffic between the app and backend servers. Great for spotting insecure endpoints, session flaws, or data leakage.


Burp Suite proxy settings


Frida

Usage: A dynamic instrumentation toolkit that hooks into running processes, helping you bypass SSL pinning, root/jailbreak detection, or other client-side restrictions.


Frida tool



Common Frida Commands

Action                       | Command
-----------------------------|---------------------------------------------
Attach to a running process  | frida -U -n <process_name>
List all running processes   | frida-ps -U
Inject a custom script       | frida -U -n <process_name> -l script.js
Trace specific functions     | frida-trace -U -n <process_name>
Hook a specific function     | frida -U -n <process_name> --eval 'Interceptor.attach(Module.findExportByName(null, "function_name"), { onEnter: function (args) { console.log(args[0].toInt32()); } })'


Drozer (Android)

Usage: Focuses on analyzing Android components such as Activities, Services, Broadcast Receivers, and Content Providers for security weaknesses.


Drozer tool



Common Drozer Commands

Action                            | Command
----------------------------------|-------------------------------------------------------------------
Connect to the device             | drozer console connect
List activities                   | run app.activity.info -a <package_name>
Interact with exported activities | run app.activity.start --component <package_name> <activity_name>
Test for SQL injection            | run scanner.provider.injection -a <package_name>


Objection

Usage: Built on Frida, but with simpler commands for tasks such as disabling SSL pinning or inspecting the app's file system. Ideal if you are not a scripting guru.


Objection tool



Common Objection Commands

Action                    | Command
--------------------------|----------------------------------------------------
Connect to a running app  | objection -g <app_package> explore
Disable SSL pinning       | android sslpinning disable / ios sslpinning disable
Print application info    | android application info or ios application info


Examples

Android

  • Network Interception & Manipulation

By routing Android traffic through a tool such as Burp Suite, testers can intercept and modify requests. For example, if the app sends credentials over HTTP or fails to validate TLS certificates properly, an attacker can perform a man-in-the-middle (MITM) attack.


POST /login HTTP/1.1
Host: api.example.com
Content-Type: application/json

{ "username": "test_user", "password": "secret_password" }


Session tokens, personal data, or payment information can be exposed or manipulated.


  • Debug Logs Revealing Sensitive Data

03-09 12:34:56.789 1234 5678 I MyAppLogger: User token = "abc123XYZ987"
03-09 12:34:56.789 1234 5678 I MyAppLogger: Payment info: "card_number=4111111111111111"


Anyone with ADB access (or a malicious app) can read these logs and exploit them.


  • Insecure Activities / Content Providers


Example output from the drozer tool


Using Drozer, testers can find exported activities or content providers that do not require authentication.

drozer console connect
run app.provider.query content://com.example.app.provider/users


If data is returned without proper authorization, attackers can read or modify user information.


  • Bypassing Root Detection

Tools such as Frida or Objection let you bypass root detection or SSL pinning checks at runtime:

frida -U -n com.example.app --eval "..."
objection -g com.example.app explore
android sslpinning disable
android root disable
ios sslpinning disable
ios root disable


Attackers on rooted phones can keep probing or break into privileged functionality, extracting secrets or tampering with app logic.

iOS

  • Jailbreak Detection Bypass

Example of hooking an iOS app


Many iOS applications refuse to run if they detect a jailbroken phone. With Frida, you can hook and bypass the detection method:

Interceptor.attach(Module.findExportByName(null, "jailbreakDetectionFunction"), {
    onEnter: function (args) {
        console.log("Bypassed jailbreak check!");
        // Force return a 'clean' status
    }
});


Attackers can run the app on compromised devices and dig through its data or hooks.


  • Sensitive Data in System Logs

2023-03-09 12:34:56.789 MyApp[1234:5678] Payment info: card_number=4111111111111111
2023-03-09 12:34:56.789 MyApp[1234:5678] session_token=abc123XYZ987


On jailbroken devices, or through external log collection, attackers harvest sensitive data directly.
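As an added example (not from the article), here is a Python detector for the log leakage shown in the Android and iOS log samples above: it scans logcat-style and iOS-style lines for credential fields and Luhn-valid card numbers and reports them masked, so a tester can sweep a captured log instead of reading it by eye. The sample lines are constructed and the field-name pattern is an assumption for this example.

```python
"""Added example, not from the original article: detect plaintext credentials
and card numbers in captured device logs. Sample lines are constructed."""
import re

# Constructed log lines modelled on the article's Android and iOS examples,
# plus a benign line and a 16-digit order id that is not a valid card number.
SAMPLE_LOG = """03-09 12:34:56.789  1234  5678 I MyAppLogger: User token = "abc123XYZ987"
03-09 12:34:56.789  1234  5678 I MyAppLogger: Payment info: "card_number=4111111111111111"
03-09 12:34:57.001  1234  5678 D MyAppLogger: Sync finished, 12 items
2023-03-09 12:34:56.789 MyApp[1234:5678] session_token=abc123XYZ987
2023-03-09 12:34:58.120 MyApp[1234:5678] order_id=1234567890123456"""

# Assumption: key=value or key = "value" where the key names a credential field.
SECRET_FIELD = re.compile(
    r'\b(\w*(?:token|password|passwd|secret|api_?key)\w*)\s*=\s*"?([^"\s]+)', re.I)
# 13 to 19 digit runs are card-number candidates; Luhn filters most noise.
CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the report does not re-leak data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_log(text):
    """Return one finding per leaked value: line number, kind, field, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_FIELD.finditer(line):
            findings.append({"line": lineno, "kind": "credential",
                             "field": m.group(1), "value": mask(m.group(2))})
        for m in CARD_CANDIDATE.finditer(line):
            if luhn_valid(m.group(0)):
                findings.append({"line": lineno, "kind": "card_number",
                                 "field": None, "value": mask(m.group(0))})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed it the output of adb logcat or an exported iOS device log to cover MSTG-STORAGE-4 on a real app.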

Common Challenges in Mobile Pentesting

  • Platform Fragmentation: Android devices vary widely across OS versions, custom ROMs, and manufacturer configurations, which makes testing harder.
  • Security Mechanisms in Apps: Features such as SSL pinning, root/jailbreak detection, and obfuscation can hinder pentesting.
  • Limited Source Code Access: Black-box testing often requires reverse engineering with tools such as APKTool or JADX, which can be time-consuming.
  • Dynamic Analysis Restrictions: Sandboxing, memory protections, and the need for rooted/jailbroken devices complicate realistic runtime testing.
  • Network Security and Traffic Inspection: Tools such as Frida, Burp Suite, and mitmproxy become essential for getting past these protections.

Frequently Asked Questions (FAQ)

  • What is mobile pentesting?

    It is testing how secure a mobile app is by simulating real-world attacks, finding any cracks before attackers do.

  • Why is mobile pentesting important?

    Because phones hold huge amounts of personal and financial data, they are prime targets for criminals.

  • What are the main steps?

    Set up a controlled environment, perform static analysis (SAST), perform dynamic analysis (DAST), document the findings, and retest after fixes.

  • Which tools do I need?

    Burp Suite or ZAP for intercepting traffic, MobSF for scans, APKTool/JADX (Android), Class-Dump/Hopper (iOS), plus hooking tools such as Frida or Objection.

  • How often should we pentest?

    After major updates, new features, or significant infrastructure changes. Ideally, integrate it into CI/CD for continuous coverage.

  • What are the most common findings?

    Insecure data storage, no HTTPS, hardcoded secrets, poor session management, and misconfigured APIs.

  • Can everything be automated?

    Not entirely. Tools can automate some scans, but manual analysis uncovers trickier logic flaws or complex business rules.

  • Should we test both Android and iOS?

    Yes, each has its own security model and pitfalls.

  • Is it legal to pentest?

    Absolutely, if you have explicit permission from the app owner. Otherwise, it is not.

  • Where do I start?

    Study the OWASP Mobile Security Testing Guide (MASTG), learn reverse engineering, and practice on open-source apps or sample targets.

Conclusion

Mobile pentesting is like a grand quest: you start by gathering gear (tools and devices), then survey the terrain (SAST), and finally take a hands-on approach (DAST) to find every weak spot. By doing this regularly and reporting your findings, you keep your applications strong and your users safe.


Remember: software changes every day, and so do the threats. Make pentesting an ongoing part of your development lifecycle, because the best way to protect the kingdom is to never let your guard down.

About the Author

This article was prepared by Anastasiia Tolkachova, Security Assessment Lead at Sekurno, and reviewed by Alex Rozhniatovskyi, CTO of Sekurno. Anastasiia has over five years of hands-on experience in penetration testing and security assessment. She specializes in testing web applications, infrastructure (both on-premises and cloud), and mobile applications (iOS and Android). Her expertise spans Black Box, Grey Box, and White Box methodologies, along with skills in vulnerability assessment and secure code review.


Alex has seven years of experience in development and cybersecurity. He is an AWS Open-source Contributor dedicated to promoting secure coding practices. His expertise bridges the gap between software development and security, providing valuable insights into protecting modern web applications.

Mobile Pentesting Guide: References

Tools and Utilities

  1. Mobile-Security-Framework-MobSF
  2. Apktool
  3. jadx
  4. Burp Suite
  5. Frida
  6. Drozer
  7. Objection
  8. Genymotion
  9. Corellium Virtual Hardware
  10. appledb.dev
  11. reFlutter
  12. platform-tools
  13. Magisk
  14. Root Checker
  15. checkra1n
  16. unc0ver
  17. Filza

Guides and Documentation

  1. OWASP Mobile Top 10
  2. OWASP Mobile Application Security
  3. OWASP MASTG
  4. NIST SP 800-163
  5. Download and install Android Studio
  6. Configuring an Android device to work with Burp Suite
  7. Configuring an iOS device to work with Burp Suite Professional
  8. Hacking Xamarin apps