Mobile Application Penetration Testing
nathandrake
I'm wondering if anyone that has experience with mobile app pen testing can assist me. Just for some background: I do web application pen testing with no background in pen testing mobile apps, but due to a security flaw in our Android tablets that we produce, my company is wanting me to start pen testing our tablets as well, starting with the latest firmware upgrade that addresses this flaw. I'm going to be learning on the fly here. Could anyone recommend some good tools I can use? I've googled a few tools, but there seems to be quite a bit to choose from.
Without having much knowledge in this area and with the company wanting a thorough test completed by the end of the week, I don't have the time to try tool after tool to find some good ones. It can be free ones or paid ones. My company said they have no issues spending money to get me what I need.
Another question, I noticed that eLearnSecurity has a mobile pen testing course. Has anyone taken this and have any feedback if it's worth it? I just completed the web pen testing course and liked it. I'm going to see if my company will pay for me to get some training in mobile pen testing, but I want to find the right course.
Comments
Infosec_Sam
I don't have much mobile pentesting experience either, but I've heard good things about a couple of the tools in this article. Drozer, Frida, and QARK should all be pretty useful in pentesting Android devices.
As far as the course goes, if you liked the eLearnSecurity web pentesting course, there's no harm in checking out their mobile course. However, if you're looking for some alternatives, we have a mobile pentesting course on Infosec Skills! There's about an hour of Android content, so if you're starting from nothing, you might find it to be helpful. You can sign up for a 7-day free trial to check it out if you like, and let me know if you have any questions!
yoba222
The OWASP MSTG is a great start in a pinch, but like you wrote, I'd get some training while I could.
Severine
Drozer is a pretty good tool for mobile application pen-testing or Android pen-testing. This tool allows you to detect security flaws in apps and devices.
chrisone
Also want to point out that eLearnSecurity just had an Android pentesting webinar on the 24th. I know time is precious right now because you seem to be in a pinch, but if you have one hour to spend to get some more information about this topic, the webinar may be of benefit to you.
Before spending time, here is the agenda of the webinar.
Agenda for “Android Hacking Proving Ground”:
Note: Subject to Change
Intro by Don Donzal, EH-Net Editor-in-Chief
Bios – Kyle Benac
Presentation
The Mobile Security Landscape
Attacking, Defending and Bug Hunting Android
The Skinny on InjuredAndroid
Live Demos
Career Aspects
Resources
Special Offer
Q&A
Good luck!
nathandrake
I was registered for the webinar, but ended up having conflicting meetings, so I wasn't able to attend.
On a positive note, I passed the eMAPT exam three weeks ago. Very interesting course. I learned a lot in it. It may not be as useful for someone that already has a lot of experience pentesting mobile apps, but I was brand new to it, so it helped me a lot.
Started the eWPTX course yesterday. Really looking forward to this one.
chrisone
Very cool @nathandrake, good luck on eWPTX!