Mobile Application Penetration Testing

nathandrake Member Posts: 69
I'm wondering if anyone that has experience with mobile app pen testing can assist me. Just for some background: I do web application pen testing with no background in pen testing mobile apps, but due to a security flaw in our Android tablets that we produce, my company is wanting me to start pen testing our tablets as well, starting with the latest firmware upgrade that addresses this flaw. I'm going to be learning on the fly here. Could anyone recommend some good tools I can use? I've googled a few tools, but there seems to be quite a bit to choose from.

Without having much knowledge in this area and with the company wanting a thorough test completed by the end of the week, I don't have the time to try tool after tool to find some good ones.  It can be free ones or paid ones.  My company said they have no issues spending money to get me what I need.  

Another question, I noticed that eLearnSecurity has a mobile pen testing course.  Has anyone taken this and have any feedback if it's worth it?  I just completed the web pen testing course and liked it.  I'm going to see if my company will pay for me to get some training in mobile pen testing, but I want to find the right course.

Comments

  • Infosec_Sam Security+, CCENT, ITIL Foundation, A+ Madison, WI Admin Posts: 519
    I don't have much mobile pentesting experience either, but I've heard good things about a couple of the tools in this article. Drozer, Frida, and QARK should all be pretty useful in pentesting Android devices.

    As far as the course goes, if you liked the eLearnSecurity web pentesting course, there's no harm in checking out their mobile course. However, if you're looking for some alternatives, we have a mobile pentesting course on Infosec Skills! There's about an hour of Android content, so if you're starting from nothing, you might find it to be helpful. You can sign up for a 7-day free trial to check it out if you like, and let me know if you have any questions!
    Community Manager at Infosec!
  • yoba222 Senior Member Posts: 1,206
    The OWASP MSTG is a great start in a pinch, but like you wrote, I'd get some training while I could.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • Severine Member Posts: 33
    Drozer is a pretty good tool for mobile application pen-testing or Android pen-testing. This tool allows you to detect security flaws in apps and devices.
  • chrisone Senior Member Posts: 2,144
    Also want to point out that eLearnSecurity just had an Android pentesting webinar on the 24th. I know time is precious right now because you seem to be in a pinch, but if you have one hour to spend to get some more information about this topic, the webinar may be of benefit to you.

    Before spending time, here is the agenda of the webinar.

    Agenda for “Android Hacking Proving Ground”:

    Note: Subject to Change
    • Intro by Don Donzal, EH-Net Editor-in-Chief
    • Bios – Kyle Benac
    • Presentation
      • The Mobile Security Landscape
      • Attacking, Defending and Bug Hunting Android
      • The Skinny on InjuredAndroid
      • Live Demos
      • Career Aspects
      • Resources
    • Special Offer
    • Q&A

    Good luck!


    Certs: CISSP, OSCP, CRTP, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (completed)
    Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eWPT (failed 2x, no further attempts), eCIR (complete), eCTHPv2 (report: awaiting results), eCPTXv2 (Dec)
    2021: AZ-500, AZ-104, AZ-204, AZ-303, AZ-304, MS-500
  • nathandrake Member Posts: 69
    I was registered for the webinar, but ended up having conflicting meetings, so I wasn't able to attend.

    On a positive note, I passed the eMAPT exam three weeks ago.  Very interesting course.  I learned a lot in it.  It may not be as useful for someone that already has a lot of experience pentesting mobile apps, but I was brand new to it, so it helped me a lot.

    Started the eWPTX course yesterday.  Really looking forward to this one. 
  • chrisone Senior Member Posts: 2,144
    Very cool @nathandrake, good luck on eWPTX!