Cinga nge-app yeselula efana ne- digital vault , ephethe yonke into ukusuka kwiiphasiwedi zomsebenzisi kwiinkcukacha zentlawulo. Njengomvavanyi wokungena, umsebenzi wakho kukuqinisekisa ukuba ivault ivalwe ngokuqinileyo-kudala ngaphambi kokuba nawuphi na umhlaseli wokwenyani azame ukuqhekeza. Kwesi sikhokelo, siza kukuhamba ngayo yonke inkqubo yovavanyo oluphathwayo , ukusuka ekuqokeleleni izixhobo ezifanelekileyo ukuya kuthi ga ngoku. ukuhlalutya ikhowudi kunye netrafikhi. Masitsibe ngaphakathi!

Intshayelelo

Siphila kwihlabathi apho izixhobo eziphathwayo ziphantse zandiswa ngokwethu. Kuba abantu benza iibhanki zabo, bethenga , kwaye bencokola ngeefowuni, ukuqinisekisa ukuba ukhuseleko losetyenziso lubalulekile. Yiyo loo nto i-mobile pentesting ibalulekile: silinganisa uhlaselo oluchasene ne-apps ukubonisa ubuthathaka kwaye sincede abaphuhlisi bazilungise.

Nantsi into ekuyo:

• Uxolo lwengqondo : Awuyi kulahlekelwa bubuthongo ngenxa yokuvuza kwedatha okanye iziqinisekiso ezibiweyo.
• Ukuthobela : Abalawuli (kunye nabasebenzisi bakho) bafuna imigangatho yokhuseleko oluluqilima.
• Ukunyusa iReputation Boost : Iiapps ezikhuselekileyo zithetha abathengi abonwabileyo kunye nomngcipheko omncinci wezihloko ezingalunganga.

Yintoni iMobile Pentesting?

Embindini wayo, ukungena kwemfonomfono kukufumana iindlela zokuyila zokungena kwi-app-kanye njengokuba umhlaseli wokwenyani ebenokwenza-ukuze ukwazi ukulungisa ubuthathaka kuqala. Yahlukile kwi-web pentesting esemgangathweni kuba ii-apps eziphathwayo:

• Qhuba kwii-Platforms eziZodwa : I-Android kunye ne-iOS nganye inemithetho yayo, imifuziselo yokhuseleko, kunye ne-quirks.

• Gcina iDatha kwiZixhobo : Ulwazi olunovakalelo lunokugcinwa ekuhlaleni, nto leyo eyenza ukuba kubaluleke kakhulu ukujonga ugcino lwesixhobo esithile.

• Thembela kakhulu kwii-APIs : Ii-apps eziphathwayo zihlala zithetha neeseva ezibuyela ngasemva ngee-APIs, ezinokuthi ziqwalaselwe kakubi okanye zibe sesichengeni ukuba azivavanywanga kakuhle.

  
  

Imingeni eqhelekileyo iquka ukujongana neengcambu / ukubhaqwa kwe-jailbreak , ukudlula i-SSL pinning , kunye nokuhlalutya zombini icala lomxhasi kunye ne -server-side logic.

Izoyikiso eziqhelekileyo kwizicelo zeMobile

Yiba nomfanekiso-ngqondweni wenqaba yamaxesha aphakathi—ezi “zezona ndawo zibuthathaka” abahlaseli bajolise kuzo:

1. Ugcino lwedatha olungakhuselekanga
   • Iimpawu ezinovakalelo okanye iinkcukacha zomsebenzisi zishiywe zingaguqulelwanga kwisixhobo.
2. Izilawuli ze-Server-Side ezibuthathaka
   • Ukuqinisekisa igalelo elilahlekileyo okanye iingqiqo ze-API ezineziphene ezinokuxhatshazwa ngabagezeli.
3. Ukungonelanga koMaleko wezoThutho
   • Ukusebenzisa i-HTTP okanye i-HTTPS ephosakeleyo, ivumela abahlaseli ukuba bathintele okanye baguqule itrafikhi yenethiwekhi.
4. Uqinisekiso olungakhuselekanga & noGunyaziso
   • Iinkqubo zokungena eziphunyeziweyo, ulawulo lweseshoni, okanye iitshekhi zemvume.
5. Ubuthathaka becala lomthengi

   • Ikhowudi enokubuyiselwa umva ukutyhila iimfihlo, okanye ingqiqo enokuguqulwa ngexesha lokusebenza.

     
     

Jonga i -OWASP Mobile Top 10 kunye neSikhokelo soVavanyo loKhuseleko lweSicelo seMobile (MASTG) ngakumbi kule mingcipheko. Zifana neemephu ezibonisa yonke imigibe enokwenzeka.

Lungiselela uvavanyo lweMobile

Ngaphambi kokuba uhlasele inqaba, udinga isikrweqe esifanelekileyo kunye nezixhobo . Ngokwemigaqo yokuvavanya, oko kuthetha ukuseta indawo apho unokuzama ngokukhuselekileyo ngaphandle kokonakalisa idatha yelizwe lokwenyani. Makhe sigubungele iziseko zombini Android kunye iOS.

Android

Xa uvavanya ii-apps ze-Android, unokujikeleza izixhobo ezibonakalayo usebenzisa izixhobo ezifana ne -Android Emulator okanye iGenymotion . Ezi zilinganisi zikuvumela ukuba ufake kwaye uvavanye ii-apps ngokukhawuleza ngaphandle kokufuna isixhobo somzimba. Amanyathelo aneenkcukacha zokuseta enye anokufumaneka kwesi sikhokelo .

I-Emulator ye-Android

Nangona kunjalo, ukusebenzisa isixhobo esibonakalayo kudla ngokuvelisa iziphumo ezichaneke ngakumbi-ingakumbi xa ufuna ukuvavanya iimeko zenethiwekhi yehlabathi yokwenyani, izinzwa, okanye uqinisekiso lwebhayometriki. Ukuba ucwangcisa iimvavanyo eziphucukileyo ezinje ngengcambu yokukhangela okanye ubunzulu bedatha yedatha, ukuba nehardware yokwenyani yinto enkulu.

Ukuba uthatha isigqibo sokuthenga okanye ukuboleka isixhobo esizinikeleyo, khumbula ukuba ezinye iifowuni ze-Android kulula ukuzicothula . I-rooting ikunika ukufikelela okunzulu kwinkqubo yokusebenza, ikuvumela ukuba uhlalutye iifayile ezifihliweyo, uthintelo lwe-app ngaphandle, kwaye usebenzise izixhobo ezinamandla ezifuna iimvume eziphakamileyo.

Iingcambu

Android Rooting kufana ukufumana isitshixo skeleton kwinkqubo yokusebenza yefowuni yakho. Ngokuqhelekileyo, uya:

1. Vula i-bootloader.
2. Flash a custom recovery (umzekelo, TWRP).
3. Faka isixhobo solawulo lweengcambu njengeMagisk okanye iSuperSU .

Ifowuni nganye kunye nenguqulo ye-OS ine-quirks yayo, ngoko lungele ukuzama okumbalwa. Iindaba ezimnandi zezokuba xa isixhobo siqanduselwe, sihlala sihlala sinjalo ngaphandle kokuba useta ngokutsha okanye uphucule i-firmware. Gcina ukhumbula ukuba i-iOS ye-jailbreaks inokulahleka emva kokuqalisa kwakhona-ke i-Android ngamanye amaxesha inikezela ngeqonga elizingisayo lokuvavanya.

Ngalo lonke ixesha ulandela izikhokelo ezithembekileyo zefowuni yakho ethile-i-rooting engafanelekanga inokonakalisa isoftware okanye ingenise imingxunya yokhuseleko. Kwaye, ewe, gcina idatha yakho ngaphambi kokuba ungene! Umzekelo wokucothula iPixel 3a

Ummeli

Cinga ngommeli onje ngeBurp Suite njenge "spyglass" yakho. Ikuvumela ukuba ubone kwaye uguqule yonke i-traffic engena kwaye iphuma kwi-app. Uya kubamba unxibelelwano olungakhuselekanga, ukuqinisekiswa okungalunganga, okanye izicelo ezinomthunzi. Ukuseta ummeli weselula kuyafana kwi-iOS kunye ne-Android. Unokufumana imiyalelo esemthethweni yeqonga ngalinye apha .

Izinto ziba nzima ngesikhokelo esithile:

• Ngamanye amaxesha i-Xamarin iyayihoya imimiselo ye-proxy yenkqubo ngokubanzi ngenxa yamathala eencwadi othungelwano.

• I-Flutter inokuhlonipha i-proxies kodwa inokunyanzelisa ukuqholwa kwesatifikethi , ikuthintele ekujongeni itrafikhi.

  
  

Ukoyisa le miqobo, unokwenza ikhowudi, sebenzisa izixhobo ezinje ngoFrida okanye i-Objection ukucima ukuphina okanye ukuseta umva iiproxies (umzekelo, mitmproxy ) ukubamba itrafikhi. Ukulungelelanisa indlela yakho yinxalenye yolonwabo!

Ukufakela usetyenziso

Ukuba usetyenziso alukho kuGoogle Play Store okwangoku-iqhelekile kwiipentest-unokuba nefayile ye-APK yokuyilayisha ecaleni. Ungabelana nge-APK nge-Google Drive okanye ikhonkco lokukhuphela ngokuthe ngqo. Enye inketho efanelekileyo kukusebenzisa i-Firebase App Distribution , eququzelela uvavanyo ngokuthumela izimemo kwabachaphazelekayo.

iOS

Kwi-iOS, isixhobo somzimba sikwabonelela ngamava ovavanyo lokwenyani. Unokuntywila kwiimpawu ezithile zehardware ezinje nge -ID yoBuso , i-ID yokuchukumisa , kunye nezinzwa ngelixa ubamba unxibelelwano oluyinyani lwenethiwekhi. Ukuba uthenga okanye usebenzisa isixhobo somntu, qwalasela iimodeli ezaziwa zilula kwi -jailbreak (kuba ingezizo zonke ii-iPhones ezinobuhlobo ngokulinganayo kule nkqubo). Ukuba ufuna izixhobo ze-iOS ezibonakalayo, iCorellium ibonelela ngovavanyo olunamandla olusekwe kwilifu, nangona ingasimahla. Uninzi lwabavavanyi basaxhomekeke kwisixhobo somzimba ukuze kujongwe ngokucokisekileyo.

Jailbreaking

I-iOS Jailbreaking ivakalelwa kakhulu njengokususa ii-padlocks ezibekwe ngu-Apple kwizixhobo zayo. Ufumana amalungelo eengcambu, ikuvumela ukuba ufake i-tweaks, ujonge abalawuli beefayile ezifihliweyo, okanye uqhube izikripthi zokuhlola eziphambili. Izixhobo ezidumileyo ziquka unc0ver kunye neChecker1n . Olona khetho lufanelekileyo luxhomekeke kuguqulelo lwakho lwe-iOS kunye nemodeli yesixhobo.

Khumbula:

• Izixhobo ezitsha zinokuba nzima kwi-jailbreak.
• Ezinye iindawo zokuqhawuka entolongweni azisindi xa kuphinda kuqaliswe (“semi-untethered”).
• Soloko ugcina i-iPhone yakho ngaphambi kokungcolisa iifayile zenkqubo.

Kwakhona qaphela ukuba iileya ezithile zokhuseleko ziphinde zisebenze ngokuzenzekelayo xa isixhobo sakho siqala kwakhona, ngoko unokufuna ukuphinda ube ne-jailbreak ngalo lonke ixesha uvula amandla.

Ukufakela usetyenziso

Ii-iOS zokusebenza ziza kwiifayile ze-IPA -ezifana nee-APK kwi-Android. Kwifowuni ye-jailbroken, unokufaka ii-IPA usebenzisa abaphathi befayile njengeFilza okanye ii-apps ezifana ne-Sideloadly . Ngomzila osemthethweni, abaphuhlisi bahlala bexhomekeke kwi -TestFlight , evumela ukuba bameme abahloli nge-imeyile-cofa nje ikhonkco, kwaye i-iOS iphatha abanye.

Ukuseta indawo okuyo ngokufanelekileyo-ukhetha izixhobo ezifanelekileyo (ezokwenene okanye ezomzimba), ukuqwalasela iiproxies, kunye nokuqonda indlela yokukhuphela ecaleni ii-apps-ukuqinisekisa ukuba uya kulungela ukuntywila nzulu ekusebenzeni kwangaphakathi kwe-app. Kusenokuthatha ukukhenkceza, kodwa wakuba ulufumene olo cwangciso lugqibeleleyo, ukungena kokwenyani kunokuqalisa!

Uhlalutyo olungatshintshiyo (SAST)

Ngoku masiqhubele phambili ekuvavanyeni i-app ngokwayo-ngaphandle kokuyiqhuba ngokupheleleyo. Oku kufana nokufunda iplani yenqaba ngaphambi kokuba ungene ngaphakathi. Sijonge iimfihlo ezinekhowudi , ulungelelwaniso olungakhuselekanga , kunye neminye imiba kwikhowudi okanye iifayile zoqwalaselo.

IiNdawo eziphambili ekuJoliswe kuzo

1. Iimfihlo ezinekhowudi

   Izitshixo ze-API, iimpawu, iziqinisekiso, kunye nezitshixo zokubethela ngamanye amaxesha ziphela ngokuthe ngqo kwikhowudi yomthombo. Ukuba abahlaseli bayayibuyisela umva i-app, banokukhupha ezi mfihlo ngomzamo omncinci kwaye bazenze abasebenzisi okanye iinkonzo.

2. Ulungelelwaniso olungakhuselekanga

   Iimvume ezigqithisiweyo zemvume, iiflegi zolungiso lweempazamo ezishiywe zinikwe amandla, okanye ukusayina okungafanelekanga kungagqobhoza imingxunya kwisikrweqe sosetyenziso lwakho. Isetingi enye-efana ne-NSAllowsArbitraryLoads kwi-iOS Info.plist okanye i-android:debuggable="true" -inokuvula umnyango wokuhlaselwa kwe-man-in-the-middle (MITM) okanye ulungiso olungakhuselekanga.

3. Ukutyhileka kweDatha obuthathaka

   Ukugcina amathokheni eseshoni okanye ulwazi lomntu siqu kwisicatshulwa esicacileyo kwisixhobo (iilogi, izinto ozikhethayo ekwabelwana ngazo, iifayile zendawo) iresiphi yentlekele. Nabani na onofikelelo ngokwasemzimbeni okanye ifowuni enengcambu/eyaphukileyo ejele unokukroba kwaye ebe idatha ebalulekileyo-akukho mandla akhohlakeleyo afunekayo.

4. App Logic kunye neziphene

   Ngokuqhelekileyo, imiba eyingcambu ivela kwindlela iimpawu eziphunyezwa ngayo. Xa iitshekhi eziyimfuneko-njengobungqina-zingekho okanye zinganyanzeliswanga ngokungqongqo, abahlaseli banokuludlula ngokulula ukhuseleko lwakho. Ngokufanayo, imisebenzi ye-cryptographic ebuthathaka okanye izixhobo ezingakhuselekanga zinokwenza ubomi bube lula kuye nabani na ovavanya usetyenziso lwakho.

Uluhlu lokukhangela lwe-MSTG

ISikhokelo soVavanyo loKhuseleko lweMobile (MSTG) sibonelela ngoluhlu lokukhangela olucokisekileyo ukukunceda ujongane nohlalutyo olungaguqukiyo ngokwendlela:

• [ ] MSTG-STORAGE-1 : Idatha enovakalelo ayigcinwa ingaguqulelwanga kwisixhobo.
• [ ] MSTG-STORAGE-2 : Akukho datha enovakalelo egcinwe kwindawo ekwabelwana ngayo.
• [ ] MSTG-CRYPTO-1 : Ukusetyenziswa ngokufanelekileyo kwe-cryptographic algorithms kunye namathala eencwadi.
• [ ] MSTG-NETWORK-1 : Khusela amajelo onxibelelwano (umzekelo, HTTPS/TLS).
• [ ] MSTG-CODE-1 : Ukungabikho kweemfihlo ezinekhowudi kwikhowudi yomthombo.
• [ ] MSTG-KHOWUDI-3 : Ukubethelwa kwekhowudi kusetyenziswa ngokufanelekileyo.
• [ ] I-MSTG-RESILIENCE-1 : Ukhuseleko kubunjineli obubuyela umva.
• [ ] MSTG-RESILIENCE-2 : Ubunakho bokulungisa bukhubazekile kwimveliso.
• [ ] MSTG-PRIVACY-1 : Ukuphathwa ngokufanelekileyo kweemvume zomsebenzisi kunye neenkcukacha zabucala.

SAST Tools

Izixhobo ezahlukeneyo zinokukunceda ukwahlula ikhowudi yakho, uqwalaselo, kunye nokubini ngaphandle kokusebenzisa usetyenziso:

MobSF (Isakhelo soKhuseleko lweMobile)

Sebenzisa : Iplagi kwi-APK/IPA kwaye i-MobSF iya kuvelisa ingxelo eneenkcukacha: iya kudwelisa ulungelelwaniso olugwenxa, iimvume ezikrokrisayo, okanye iimfihlo ezinekhowudi.

Ibhonasi : Ikwanayo neempawu eziguqukayo, iyenza ibe sisisombululo esicocekileyo yonke into.

APKTool (Android)

Sebenzisa : Yahlula kwaye uqokelele kwakhona i-APK ukuze ubone okungaphakathi. Oku kulungele ukufunda i-AndroidManifest.xml, ukuhlola izixhobo, okanye ukulungisa i-app.

apktool d app.apk -o output_director

IJADX (Android)

Sebenzisa : Guqula i-Dalvik bytecode (.dex) ibe yiJava efundekayo. Ilungele ukubona imigca yekhowudi enobuthathaka obunokwenzeka, njengamaqhosha e-API.

jadx app.apk -d output_directory

I-Class-Dump, iHopper, iGhidra (iOS)

Sebenzisa : Khipha iiheader zeklasi zeNjongo-C (I-Class-Dump) okanye uqhaqhe iibhinari ze-iOS (Hopper/Ghidra). Ukuba i-app i-Swiftified, uya kubona kwakhona imethadatha ye-Swift.

Imizekelo

Android

• Ukubhengezwa kolwazi

• Ii-apps ze-Android zinokuchithwa kwiifayile zazo ze-APK usebenzisa izixhobo ezifana APKTool , JADX , okanye MobSF .

  Le nkqubo ityhila ikhowudi yemvelaphi, ulwakhiwo lwesicelo, kunye nezinto ezinovakalelo ezifana ne-AndroidManifest.xml okanye iifayile ze-.smali, ezinokuveza ubuqili bosetyenziso kunye neemvumelwano.

  
  

• Ukuvumela iTrafikhi ecacileyo

<application android:usesCleartextTraffic="true" />

Abahlaseli banokusebenzisa unxibelelwano olungafihlwanga (HTTP) ukuze balalele okanye babhubhise.

• Usetyenziso olunokususwa

<application android:debuggable="true" />

Nabani na onesixhobo (okanye i-emulator) angaqhoboshela idebugger kwaye arhole ngedatha enovakalelo okanye ingqiqo.

• Hardcoded API Keys

public class ApiClient { private static final String API_KEY = "12345-abcdef-67890"; private static final String API_SECRET = "superSecretPassword123!"; }

Ukudityaniswa okukhawulezayo nge-APKTool okanye i-JADX ityhila ezi zitshixo, zivumela abahlaseli ukuba bazenze usetyenziso okanye bafikelele kwiinkonzo zokubuyela umva ngaphandle kwemvume.

• Idatha enovakalelo kwi-Plaintext

<map> <string name="session_token">abc123XYZ987</string> <string name="user_email">user@example.com</string> </map>

Ukuba amathokheni okanye iinkcukacha zomsebenzisi zigcinwe kwisicatshulwa esicacileyo, isixhobo esinengcambu sinokukhupha ngokulula.

iOS

• Ulwazi olungaqwalaselwanga kakuhle.plist

<key>NSAppTransportSecurity</key> <dict>

<key>NSAllowsArbitraryLoads</key> <true/> </dict>

I-Apple inyanzelisa uqhagamshelo olukhuselekileyo ngokungagqibekanga, ngoko ke ukubeka ngaphezulu oku kuvula i-app kwimingcipheko ye-MITM okanye i-traffic engafihlwanga.

Izixhobo zokuqhawula ezifana neClass-Dump , iHopper Disassembler , kunye neGhidra zikhupha umxholo wefayile ye-IPA ye-app, kuquka iiklasi zeNjongo-C, amagama endlela, kunye neefayile zokubini.

Uhlalutyo olunamandla (DAST)

Ukuba uhlalutyo olungatshintshiyo lufunda iplani yenqaba, uhlalutyo oluguquguqukayo luhamba lujikeleza ngaphakathi kwinqaba ngelixa ujonga yonke iminyango kunye neefestile. Siqhuba i-app, sijonge indlela eziphatha ngayo, kwaye sibone ukuba singasebenzisa nabuphi na ubuthathaka ngexesha lokwenyani.

IiNdawo eziphambili ekuJoliswe kuzo

1. Unxibelelwano lwenethiwekhi

   Qinisekisa ukuba idatha ye-app yakho ayivuzi ngexesha lokuhamba. Ukuba i-app yakho ixhomekeke kwi-HTTP okanye i-HTTPS engafanelekanga, umhlaseli angangena, athintele, okanye alungise idatha. Okufanayo kuya kulahleko okanye ubuthathaka besatifikethi se-SSL/TLS ukuphina , ukuveza usetyenziso lwakho kuhlaselo lomntu ophakathi (MITM).

2. Uqinisekiso & noGunyaziso

   Nokuba izikrini zakho zokungena kunye neendima zomsebenzisi zijongeka zivakala ephepheni, uvavanyo lokwenyani kukuba umntu angalugqitha na ngexesha lokubaleka. Umzekelo, ngaba umhlaseli angaphinda asebenzise iithokheni zeseshoni okanye aziqashele? Ngaba i-app iphelelwa lixesha ngokuchanekileyo okanye igcina iiseshini zivuliwe ngonaphakade?

3. Ixesha leMfezeko kunye nokuHlolwa koKhuseleko

   Ii-apps ezininzi zizama ukufumanisa ukuba isixhobo sinengcambu (i-Android) okanye i-jailbroken (i-iOS) kwaye emva koko yala ukuqhuba okanye ukuvala iimpawu ezithile. Ngexesha lokuhlalutya okuguquguqukayo, uyafuna ukubona ukuba ungatyibilika na udlule kwezi zitshekisho ngokungena kwikhowudi ye-app, ukuze uhlale uvavanya. Ukuba unokugqitha ngokulula kula manyathelo, abahlaseli banako, nabo.

4. Ukuvuza kweDatha ngexesha lokuPhunyezwa

   Ngaba i-app iloga ulwazi olubuthathaka (elifana namagama agqithisiweyo okanye iimpawu) kumbhalo ongenanto? Xa utshintshela usetyenziso okanye ngasemva isixhobo, ngaba isikrini sithathwe ngedatha eyimfihlo sisabonisa? Olu hlobo lomzila "we-breadcrumb" olungenanjongo lunokukhokelela abahlaseli ngqo kubuncwane.

5. I-API kunye noQinisekiso lwe-Server-Side

   Usetyenziso lunokujongeka lukhuselekile ngokwembono yomxhasi, kodwa ukuba i-API yangasemva ayiziqinisekisi iimvume zomsebenzisi okanye igalelo, umhlaseli unokutsala izicelo kubhabho ukuze afumane ufikelelo olungagunyaziswanga okanye aphule inkqubo. Kubalulekile ukuvavanya zombini umxhasi kunye nokuziphatha kweseva kwi-tandem.

Uluhlu lokukhangela lwe-MSTG

Isikhokelo soVavanyo loKhuseleko lweMobile (MSTG) sikwabandakanya uhlalutyo oluguquguqukayo. Nazi ezinye iitsheki onokuzikhumbula:

• [ ] MSTG-RESILIENCE-1 : Usetyenziso lubhaqa kwaye luthintele ukuphazamisa okanye ukubuyisela umva iinzame zobunjineli.

• [ ] MSTG-RESILIENCE-2 : Usetyenziso lubhaqa izixhobo ezineengcambu okanye ezaphukileyo ejele.

• [ ] MSTG-RESILIENCE-3 : App iqinisekisa intembeko yekhowudi yayo kunye nezixhobo ngexesha lokusebenza.

• [ ] MSTG-NETWORK-1 : I-App ifihla zonke iitrafikhi zenethiwekhi isebenzisa i-cryptography eyomeleleyo.

• [ ] MSTG-NETWORK-3 : I-App inyanzelisa ukuqholwa kwesatifikethi apho kufanelekileyo.

• [ ] I-MSTG-PLATFORM-1 : I-App ayixhomekekanga kwiindlela zokhuseleko zeqonga lodwa kwaye inyanzelisa amanyathelo okhuseleko ngokuzimeleyo.

• [ ] MSTG-AUTH-2 : I-App inyanzelisa ngokufanelekileyo amaxesha okuphela kweseshoni kunye neemfuno zokuqinisekisa kwakhona komsebenzisi.

• [ ] MSTG-STORAGE-4 : I-App ayifaki idatha ebuthathaka kwiilog zesixokelelwano.

• [ ] MSTG-STORAGE-5 : I-App ayigcini idatha enovakalelo kwindawo engakhuselekanga.

• [ ] MSTG-CRYPTO-1 : I-App isebenzisa i-cryptographic algorithms ehlaziyiweyo kwimisebenzi yexesha lokubaleka.

  
  

Cinga ngezi njengemephu yendlela yovavanyo lwakho lwehlabathi lokwenyani. Bakunceda ugqobhoze ngokucwangcisiweyo kuwo wonke umnyango kunye neefestile ukuze uqinisekise ukuba itshixiwe.

DAST Tools

Ngokungafaniyo ne-SAST, egxile ekuhlolweni kwekhowudi, i-DAST ijikeleza ngokuqhuba i-app kunye nokujonga. Apha ngezantsi zizixhobo ezidumileyo zokwenza loo nkqubo ibe lula:

Burp Suite / OWASP ZAP

Sebenzisa : Zombini zibamba iiproksi ezikuvumela ukuba ubambe kwaye uguqule itrafikhi phakathi kwe-app kunye neeseva ezibuyela ngasemva. Ilungele ukubona iziphelo ezingakhuselekanga, iziphene zeseshoni, okanye ukuvuza kwedatha.

Frida

Sebenzisa : Isixhobo sezixhobo esitshintshayo esingena kwiinkqubo ezisebenzayo, sikunceda ukuba ugqithe i-SSL pinning, ingcambu/ubhaqo lwe-jailbreak, okanye ezinye izithintelo zecala lomxhasi.

Imiyalelo yeFrida eqhelekileyo

I-Drozer (Android)

Sebenzisa : Ijolise ekuhloleni amacandelo e-Android afana neMisebenzi, iiNkonzo, abaFundi boSasazo, kunye nabaBoneleli boMxholo ukwenzela ubuthathaka bokhuseleko.

Imiyalelo yeDrozer eqhelekileyo

inkcaso

Sebenzisa : Yakhelwe kuFrida, kodwa ngemiyalelo elula yemisebenzi efana nokukhubaza ukuphina kwe-SSL okanye ukujonga inkqubo yefayile ye-app. Igqibelele ukuba awungomntu obhalayo.

Imiyalelo yokuchasa eqhelekileyo

Imizekelo

Android

• UThintelo lweNethiwekhi kunye noLungiso

Ngokuhambisa itrafikhi ye-Android ngesixhobo esinje ngeBurp Suite , abavavanyi banokunqanda kwaye balungise izicelo. Umzekelo, ukuba i-app ithumela iinkcazi nge-HTTP okanye iyasilela ekuqinisekiseni izatifikethi ze-TLS ngokufanelekileyo, umhlaseli angenza uhlaselo lwe -man-in-the-middle (MITM) .

POST /login HTTP/1.1 Host: api.example.com Content-Type: application/json { "username": "test_user", "password": "secret_password" }

Iithokheni zeseshoni, iinkcukacha zobuqu, okanye iinkcukacha zentlawulo zinokuvezwa okanye zijikwe.

• Iilog zeDebug zityhila iDatha ebuthathaka

03-09 12:34:56.789 1234 5678 I MyAppLogger: User token = "abc123XYZ987" 03-09 12:34:56.789 1234 5678 I MyAppLogger: Payment info: "card_number=4111111111111111"

Nabani na one -ADB (okanye usetyenziso olukhohlakeleyo) unokufunda ezi zigodo kwaye azixhaphaze.

• Imisebenzi engaKhusekanga / Ababoneleli boMxholo

  
  

Ukusebenzisa i-Drozer , abavavanyi banokufumanisa imisebenzi ethunyelwa ngaphandle okanye ababoneleli bomxholo abafuni kuqinisekiswa.

drozer console connect run app.provider.query

content://com.example.app.provider/users

Ukuba idatha ibuyiswa ngaphandle kweemvume ezifanelekileyo, abahlaseli banokufunda okanye balungise ulwazi lomsebenzisi.

• Ukugqitha ukufunyanwa kweNgcambu

Izixhobo ezinje ngeFrida okanye i-Objection ikuvumela ukuba udlule ekubhaqweni kweengcambu okanye ukukhangela i-SSL yokuqhobosha ngexesha lokusebenza:

frida -U -n com.example.app --eval "..." objection -g com.example.app explore android sslpinning disable android root disable ios sslpinning disable ios root disable

Abahlaseli kwiifowuni ezineengcambu banokuqhubeka nokuvavanya okanye ukuxhamla kwimisebenzi ebuthathaka, ukutyhila iimfihlo okanye ukuphazamisa ingqiqo ye-app.

iOS

• Jailbreak Ukufunyanwa Bypass

Ii-apps ezininzi ze-iOS aziyi kuqhuba ukuba zibhaqa ifowuni eyaphukileyo . NgoFrida , ungahuka kwaye ubhale ngaphezulu indlela yobhaqo:

Interceptor.attach(Module.findExportByName(null, "jailbreakDetectionFunction"), { onEnter: function (args) { console.log("Bypassed jailbreak check!"); // Force return a 'clean' status } });

Abahlaseli banokusebenzisa i-app kwizixhobo ezisengozini kunye nokuphanda ngedatha okanye iihuku.

• Idatha enovakalelo kwiiLogi zeNkqubo

2023-03-09 12:34:56.789 MyApp[1234:5678] Payment info: card_number=4111111111111111 2023-03-09 12:34:56.789 MyApp[1234:5678] session_token=abc123XYZ987

Kwizixhobo ze-jailbroken-okanye ngengqokelela yelog yangaphandle-abahlaseli bavuna idatha ebuthathaka ngokuthe ngqo.

Imingeni eqhelekileyo kwiMobile Pentesting

• I-Platform Fragmentation : Izixhobo ze-Android ziyahluka ngokubanzi kwiinguqulelo ze-OS, iiROM zesiko, kunye nokuguqulwa komenzi, ukwenza uvavanyo lube nzima.
• Imilinganiselo yoKhuseleko lweSicelo : Iimpawu ezifana ne-SSL pinning, ingcambu / ukubhaqwa kwe-jailbreak, kunye ne-obfuscation inokuthintela ukungena.
• Ufikelelo oluNcinane kwiKhowudi yoMthombo : Uvavanyo lwebhokisi emnyama luhlala lufuna ubunjineli obubuyela umva ngezixhobo ezifana ne-APKTool okanye i-JADX, enokutya ixesha.
• IZithintelo zoHlalutyo oluNgqongileyo : Ibhokisi yesanti, ukukhuselwa kwenkumbulo, kunye nesidingo sezixhobo ezineengcambu/ezaphukileyo zasejele zinzima iimvavanyo zokuhamba komsebenzi wokwenyani.
• Ukhuseleko lweNethiwekhi kunye noHlolo lweTrafikhi : Ukuphina kwe-SSL, ukuqinisekiswa kwesatifikethi, okanye ii-VPNs zinokuthintela iiproxi eziqhelekileyo ze-MITM. Izixhobo ezifana noFrida , Burp Suite , kunye ne mitmproxy iba yimfuneko kudlula.

Imibuzo Ebuzwa Rhoqo (FAQ)

• Yintoni i-mobile pentesting?

  Ivavanya ukuba ikhuselekile kangakanani iapp ephathwayo ngokulinganisa uhlaselo lwehlabathi lokwenyani-ukukhangela nakuphi na ukuqhekeka phambi kokuba abahlaseli benze.

• Kutheni i-pentesting ehambayo ibalulekile?

  Ngenxa yokuba ii-smartphones zibamba isixa esikhulu sedatha yobuqu kunye neyezemali, zezona kujoliswe kuzo kubagebenga be-cyber.

• Ngawaphi amanyathelo aphambili?

  • Misela indawo elawulwayo, yenza uhlalutyo lwe-static (SAST), yenza uhlalutyo oluguquguqukayo (DAST), ukufunyaniswa kwamaxwebhu, kunye nokuvavanya kwakhona emva kokulungiswa.

• Zeziphi izixhobo endizidingayo?

  IBurp Suite okanye iZAP yokuthintela izithuthi, iMobSF yokuskena, APKTool/JADX (Android), iClass-Dump/Hopper (iOS), kunye nezixhobo zokuhuka ezifana neFrida okanye iObjection.

• Kufuneka singene kangaphi?

  Emva kohlaziyo olukhulu, amanqaku amatsha, okanye utshintsho olubalulekileyo lweziseko zophuhliso. Ngokufanelekileyo, yidibanise kwi-CI / CD ukuze uhlolwe rhoqo.

• Yintoni ubuthathaka obuqhelekileyo?

  Ukugcinwa kwedatha okungakhuselekanga, akukho HTTPS, iimfihlo ezikhuselweyo, ulawulo olubi lweseshoni, kunye nee-API ezingalungiswanga.

• Ngaba yonke into inokuzenzekela?

  Hayi ncma. Izixhobo zinokwenza ezinye izikena zizenzekele, kodwa uvavanyo olwenziwa ngesandla lutyhila iziphene ezibukhali okanye imithetho entsonkothileyo yeshishini.

• Ngaba kufuneka sivavanye zombini i-Android kunye ne-iOS?

  Ewe, nganye ineemodeli zokhuseleko ezizodwa kunye nemigibe.

• Ngaba kusemthethweni ukungena?

  Ngokuqinisekileyo, ukuba unemvume ecacileyo evela kumnini we-app. Kungenjalo, akukho mthethweni.

• Ndiyiqala ngaphi?

  Funda iSikhokelo soVavanyo loKhuseleko lwe-OWASP (MASTG) , funda ukubuyisela umva, kwaye uziqhelanise ne-apps evulekileyo okanye iithagethi zeesampuli.

Ukuqukumbela

Ukungena ngemfonomfono kufana nomzamo omkhulu—uqala ngokuqokelela izixhobo (izixhobo kunye nezixhobo), emva koko uhlole umhlaba (SAST), uze ekugqibeleni uthathe indlela yokujongana (i-DAST) ukuze ufumane zonke iindawo ezibuthathaka. Ngokwenza oku rhoqo kwaye unike ingxelo ngeziphumo zakho, uya kugcina usetyenziso lwakho luqinile kwaye abasebenzisi bakho bekhuselekile.

Khumbula: isoftware iyavela yonke imihla, kwaye kunjalo nezisongelo. Yenza ulindelo lube yinxalenye eqhubekayo yobomi bakho bokukhula-kuba eyona ndlela yokukhusela ubukumkani kukuba ungaze uyeke ukulinda kwakho.

Malunga noMbhali

Eli nqaku lilungiswe ngu -Anastasiia Tolkachova , iNjineli yoVavanyo loKhuseleko eSekurno , kwaye ihlaziywe ngu- Alex Rozhniatovskyi , i-CTO yaseSekurno . U-Anastasiia uneminyaka engaphezu kwemihlanu yamava amava kuvavanyo lokungena kunye novavanyo lokhuseleko. Ugxininise ekuvavanyeni izicelo zewebhu, iziseko zophuhliso (zombini kwizakhiwo kunye nefu), kunye namaqonga eselula (iOS kunye ne-Android). Ubuchwephesha bakhe bubandakanya iBhokisi eMnyama, iBhokisi eNgwevu, kunye neendlela zeBhokisi eMhlophe, ecaleni kobuchule bokuhlola ukuba sesichengeni kunye nophononongo lokhuseleko lwekhowudi yomthombo.

UAlex uneminyaka esixhenxe yamava kuphuhliso kunye ne-cybersecurity. UnguMxhasi we-AWS womthombo ovulekileyo ozinikele ekuqhubeleni phambili izenzo ezikhuselekileyo zokukhowuda. Ubuchwephesha bakhe buvala umsantsa phakathi kophuhliso lwesoftware kunye nokhuseleko, ukubonelela ngemibono ebalulekileyo ekukhuseleni usetyenziso lwewebhu lwangoku.

Mobile Pentesting Guide: References

Izixhobo kunye nezibonelelo

1. Mobile-Security-Framework-MobSF
2. Apktool
3. jadx
4. Burp Suite
5. Frida
6. Drozer
7. inkcaso
8. Genymotion
9. I-Corellium Virtual Hardware
10. appledb.dev
11. reFlutter
12. iqonga-izixhobo
13. UMagisk
14. Umhloli weengcambu
15. i-checkra1n
16. unc0ver
17. Filza

Izikhokelo kunye namaNqaku

1. OWASP Mobile Top 10
2. OWASP Mobile Application Security
3. OWASP MASTG
4. I-NIST SP 800-163
5. Khuphela kwaye ufake i-Android Studio
6. Ukuqwalasela isixhobo se-Android ukuze sisebenze neBurp Suite
7. Ukuqwalasela isixhobo iOS ukusebenza Burp Suite Professional
8. Uqhekezo lwe-Xamarin apps