Security

Mobile App Security Testing

A complete guide to mobile app security testing: the OWASP Mobile Top 10, static analysis, dynamic analysis, and reverse engineering on Android and iOS

1. Introduction to Mobile Security Testing

Mobile Application Security Testing is the process of evaluating the security of a mobile application. With roughly 6.8 billion smartphone users worldwide, mobile apps are a prime target because they hold sensitive data such as credentials, financial data and personal information, and because the app package itself is in the attacker's hands to reverse engineer.

📋 What you will learn
  • The OWASP Mobile Top 10 risks
  • Android and iOS security architecture
  • Static and dynamic analysis
  • Reverse engineering mobile apps
  • Network traffic interception
  • Automated mobile security testing

Mobile Attack Surface

Diagram: Mobile App Attack Surface
┌──────────────────────────────────────────────────────┐
│           MOBILE APP ATTACK SURFACE                  │
│                                                      │
│  ┌────────────────────────────────────────────────┐  │
│  │              MOBILE DEVICE                     │  │
│  │  ┌──────────┐  ┌──────────┐  ┌────────────┐    │  │
│  │  │   App    │  │   OS     │  │  Hardware  │    │  │
│  │  │• Storage │  │• Root/   │  │• Secure    │    │  │
│  │  │• Code    │  │  Jailbrk │  │  Enclave   │    │  │
│  │  │• IPC     │  │• Sandbox │  │• Biometric │    │  │
│  │  │• Memory  │  │• Perms   │  │• NFC/BLE   │    │  │
│  │  └──────────┘  └──────────┘  └────────────┘    │  │
│  └────────────────────────────────────────────────┘  │
│                       │                              │
│                       ▼                              │
│  ┌────────────────────────────────────────────────┐  │
│  │              NETWORK                           │  │
│  │  • MITM/TLS interception                       │  │
│  │  • Certificate pinning bypass                  │  │
│  │  • API tampering                               │  │
│  └────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────┘

2. OWASP Mobile Top 10 (2024)

#   | Risk                                  | Description
----|---------------------------------------|------------------------------------------------------
M1  | Improper Credential Usage             | Hardcoded credentials, insecure credential storage
M2  | Inadequate Supply Chain Security      | Compromised SDKs, malicious third-party libraries
M3  | Insecure Authentication/Authorization | Weak auth, missing server-side checks
M4  | Insufficient Input/Output Validation  | Injection, XSS in WebViews, buffer overflows
M5  | Insecure Communication                | No TLS, weak ciphers, no certificate pinning
M6  | Inadequate Privacy Controls           | Data leakage, PII exposure
M7  | Insufficient Binary Protections       | No obfuscation, no anti-tamper, debug symbols left in
M8  | Security Misconfiguration             | Debug mode, backup enabled, exported components
M9  | Insecure Data Storage                 | Plaintext, world-readable files
M10 | Insufficient Cryptography             | Weak algorithms, hardcoded keys

3. Android Testing Environment

Bash: Android Pentesting Setup
# =============================================
# Android Security Testing Environment
# =============================================

# 1. Install tools. frida-server must also run on the rooted device/emulator
#    and match the frida-tools version (adb push frida-server /data/local/tmp/)
pip install frida-tools objection drozer

# 2. Set up the Burp Suite proxy
# Burp > Proxy > Options > Add listener: all interfaces, port 8080
# Device: Wi-Fi proxy -> laptop IP:8080
# Install the Burp CA certificate. It lands in the user CA store, which apps
# targeting API 24+ ignore unless their network_security_config.xml trusts
# user certificates, so a runtime bypass (step 3) is usually needed anyway.

# 3. Bypass SSL pinning with Frida: spawn the app with the script loaded
#    (Frida < 16 additionally needs --no-pause; Frida 16+ rejects that flag)
frida -U -f com.target.app -l ssl-bypass.js

# 4. Decompile the APK (apktool: smali + resources; jadx: Java source)
apktool d target.apk -o decompiled
jadx --show-bad-code target.apk -d jadx_out

# 5. Enumerate components with drozer (drozer agent app installed on the device)
adb forward tcp:31415 tcp:31415
drozer console connect
dz> run app.package.attacksurface com.target.app
dz> run app.activity.info -a com.target.app
dz> run app.provider.info -a com.target.app
dz> run app.broadcast.info -a com.target.app

JavaScript: ssl-bypass.js
// Replace the app's trust managers with one that accepts every chain.
// Covers apps that build their own SSLContext (HttpsURLConnection, most
// networking stacks); OkHttp's CertificatePinner needs its own hook, which
// `objection ... android sslpinning disable` already includes.
Java.perform(function () {
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var TrustManager = Java.registerClass({
    name: 'com.custom.TrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; }
    }
  });
  var TrustManagers = [TrustManager.$new()];

  // Hook SSLContext.init(KeyManager[], TrustManager[], SecureRandom) so every
  // context the app creates is initialised with the permissive trust manager
  // instead of the pinning one it passes in.
  var SSLContext = Java.use('javax.net.ssl.SSLContext');
  var SSLContext_init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom');
  SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) {
    console.log('[+] SSLContext.init() hooked, replacing trust managers');
    SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
  };
});

4. Static Analysis (SAST)

Static analysis examines the source code or binary without running the application. It finds hardcoded secrets, insecure API usage and known vulnerability patterns, and it is where you read the manifest and network security config before touching a device.

Bash: Static Analysis
# =============================================
# Static Analysis Tools & Techniques
# =============================================

# 1. MobSF (Mobile Security Framework), web UI on http://localhost:8000
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

# 2. Hardcoded secrets (smali string constants and res/values/strings.xml)
grep -rn "api_key\|password\|secret\|token" \
  decompiled/smali/ decompiled/res/values/strings.xml

# 3. Exported components and application flags. A component with an
#    <intent-filter> and no explicit android:exported is exported too
#    (apps targeting API 31+ must declare it explicitly).
grep -A5 'exported="true"' decompiled/AndroidManifest.xml
grep -n 'debuggable\|allowBackup\|usesCleartextTraffic' decompiled/AndroidManifest.xml

# 4. Insecure cryptography, e.g. Cipher.getInstance("AES/ECB/PKCS5Padding")
grep -rn "DES\|RC4\|ECB\|MD5\|SHA1" decompiled/smali/

# 5. Network security config: cleartext allowed? user CAs trusted? any <pin-set>?
cat decompiled/res/xml/network_security_config.xml

# 6. Insecure WebView settings and JS bridges
grep -rn "setJavaScriptEnabled\|setAllowFileAccess\|addJavascriptInterface\|setAllowUniversalAccessFromFileURLs" \
  decompiled/smali/

# 7. Semgrep on the jadx output (Semgrep rules target Java/Kotlin source, not smali)
semgrep --config=p/android jadx_out/
semgrep --config=p/owasp-mobile jadx_out/
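The manifest greps above scale badly once an app has more than a handful of components, so here is the same audit as a script. This is an added example, not tooling from the page or from any project: it parses the apktool-decoded AndroidManifest.xml with the standard library, applies Android's export rule (an explicit android:exported wins, otherwise an intent-filter makes the component exported), skips components that are gated by a permission or are the launcher entry point, and reports the debuggable, allowBackup and cleartext flags. The sample manifest is constructed and com.example.target is a hypothetical package.

```python
"""Audit a decoded AndroidManifest.xml (apktool output) for the
misconfigurations the greps above hunt for.  Added example, not tooling
from the page: the sample manifest is constructed and com.example.target
is a hypothetical package name."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a decoded manifest of a weakly configured app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.target.permission.SYNC"/>
    <provider android:name=".UserProvider"
              android:authorities="com.example.target.provider"
              android:exported="true"/>
    <receiver android:name=".DeepLinkReceiver">
      <intent-filter>
        <action android:name="com.example.target.OPEN"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(component):
    """Android's rule: an explicit android:exported wins; otherwise a
    component that declares an <intent-filter> is implicitly exported."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The LAUNCHER activity has to be exported; don't report it."""
    return any(_attr(cat, "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def audit_manifest(xml_text):
    """Return a list of findings, each tagged with its OWASP Mobile category."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if _attr(app, "debuggable") == "true":
        findings.append("M8 android:debuggable=true (run-as and debugger attach work)")
    if _attr(app, "allowBackup", "true") == "true":   # default is true
        findings.append("M8 android:allowBackup not disabled (adb backup on Android < 12)")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("M5 android:usesCleartextTraffic=true")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if _attr(comp, "permission") or is_launcher(comp):
            continue  # gated by a permission, or the launcher entry point
        findings.append("M8 exported %s without permission: %s"
                        % (comp.tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    # Usage: python3 manifest_audit.py decompiled/AndroidManifest.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for finding in audit_manifest(text):
        print(finding)
```

On the sample the script reports six findings: the three application flags, AdminActivity and UserProvider (explicitly exported, no permission) and DeepLinkReceiver (implicitly exported through its intent-filter); MainActivity and the permission-protected SyncService are skipped.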

5. Dynamic Analysis (DAST)

Dynamic analysis tests the application while it runs. It finds insecure storage, IPC weaknesses and runtime manipulation possibilities that static analysis cannot see, such as what actually ends up on disk after login.

Bash: Dynamic Analysis
# =============================================
# Dynamic Analysis Techniques
# =============================================

# 1. Trace API calls: native open*() with -i, Java methods with -j
frida-trace -U -i "open*" com.target.app
frida-trace -U -j "java.io.FileOutputStream!*" com.target.app

# 2. Hook crypto functions (e.g. javax.crypto.Cipher.getInstance/doFinal)
#    to see the algorithm, key and plaintext at runtime
frida -U com.target.app -l crypto-hook.js

# 3. Enumerate stored files. run-as only works for debuggable apps and sets
#    the working directory to the app's data dir; on a rooted device use
#    `adb shell su -c ...` instead. The glob must expand as the app user.
adb shell run-as com.target.app ls -la /data/data/com.target.app/
adb shell run-as com.target.app sh -c 'cat shared_prefs/*.xml'
adb shell run-as com.target.app ls -la databases/

# 4. Content provider leaks (exported provider queried as the shell user)
adb shell content query --uri content://com.target.app.provider/users

# 5. Backup vulnerability (android:allowBackup="true"). adb backup was
#    removed in Android 12, so this only works against older devices.
adb backup -f backup.ab com.target.app
java -jar abe.jar unpack backup.ab backup.tar
tar xf backup.tar
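abe.jar is a Java tool, and the unencrypted case it handles is simple enough to do in a few lines of Python, which also shows what the .ab format actually is. This is an added example, not from the page or from abe: it parses the four-line text header Android's BackupManagerService writes (`ANDROID BACKUP`, version, compressed flag, encryption), inflates the zlib payload and lists or extracts the tar entries. The sample backup is built in memory, com.target.app is the hypothetical package used throughout this page, and encrypted backups (an encryption line other than `none`) are rejected rather than decrypted.

```python
"""Unpack an unencrypted Android backup (.ab) without abe.jar.  Added
example, not part of the page's toolchain.  Layout as written by Android's
BackupManagerService: "ANDROID BACKUP\n<version>\n<compressed>\n<encryption>\n"
followed by a zlib stream of a tar archive.  The sample backup is constructed
in memory; com.target.app is a hypothetical package."""
import io
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def read_header(data):
    """Return (version, compressed, encryption, body) without decompressing."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    version, compressed, encryption, body = data[len(MAGIC):].split(b"\n", 3)
    return int(version), compressed == b"1", encryption.decode(), body


def parse_ab(data):
    """Return (version, compressed, encryption, tar_bytes) for an .ab blob."""
    version, compressed, encryption, body = read_header(data)
    if encryption != "none":
        # Encrypted backups carry PBKDF2 salt/IV lines after the header and
        # need the user's password; out of scope here.
        raise ValueError("encrypted backup (%s), password needed" % encryption)
    tar_bytes = zlib.decompress(body) if compressed else body
    return version, compressed, encryption, tar_bytes


def list_backup(data):
    """Names of the files inside the backup, e.g. apps/<pkg>/sp/prefs.xml."""
    tar_bytes = parse_ab(data)[3]
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def read_backup_file(data, path):
    """Contents of one file from the backup."""
    tar_bytes = parse_ab(data)[3]
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.extractfile(path).read()


def make_sample_backup():
    """Constructed sample: a backup of an app that keeps a session token in
    plaintext shared_prefs, which is exactly what allowBackup exposes."""
    prefs = b'<map><string name="session_token">constructed-sample-token</string></map>'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("apps/com.target.app/sp/session.xml")
        info.size = len(prefs)
        tar.addfile(info, io.BytesIO(prefs))
    return MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    # Usage: python3 ab_unpack.py backup.ab backup.tar   (then: tar xf backup.tar)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            tar_bytes = parse_ab(f.read())[3]
        with open(sys.argv[2], "wb") as f:
            f.write(tar_bytes)
    else:
        for name in list_backup(make_sample_backup()):
            print(name)
```

The tar layout inside a backup is `apps/<package>/<domain>/<file>`, where the domain is `sp` for shared_prefs, `db` for databases and `f` for the files directory, so the shared_prefs leak is found by listing the archive rather than extracting it.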

6. iOS Security Testing

Bash: iOS Pentesting
# =============================================
# iOS Security Testing Setup
# =============================================

# Requirements: jailbroken iPhone (palera1n or Dopamine) with frida-server
# installed from the jailbreak's package manager; objection talks to it over USB

# 1. Explore the filesystem from inside the app's process
objection -g "com.target.app" explore
[objection] env
[objection] ls /var/mobile/Containers/Data/Application/

# 2. Bypass jailbreak detection (objection's built-in hooks, or a custom script)
[objection] ios jailbreak disable
frida -U -f com.target.app -l ios-jb-bypass.js

# 3. Bypass SSL pinning
objection -g com.target.app explore
[objection] ios sslpinning disable

# 4. Dump the keychain and note each item's accessibility class: items stored
#    with an Always-style class are readable without passcode or biometrics
[objection] ios keychain dump

# 5. Binary analysis. App Store binaries are FairPlay-encrypted, so decrypt
#    first (e.g. frida-ios-dump); class-dump is of little use on Swift-only apps
class-dump -H TargetApp.app/TargetApp
otool -L TargetApp.app/TargetApp                # linked libraries
otool -hv TargetApp.app/TargetApp | grep PIE    # PIE enabled?

7. Network Traffic Analysis

Bash: Network Analysis
# =============================================
# Mobile Network Traffic Analysis
# =============================================

# 1. mitmproxy (web UI on http://127.0.0.1:8081, proxy listener on 8080)
mitmweb --listen-port 8080

# 2. Install the mitmproxy CA certificate on the device
# With the device's Wi-Fi proxy set to <laptop-ip>:8080, browse to http://mitm.it
# Android: Settings > Security > Encryption & credentials > Install a certificate > CA certificate
#   This lands in the *user* CA store, which apps targeting API 24+ ignore unless
#   their network_security_config.xml trusts "user" certificates; expect to need
#   the runtime bypass in step 4, or move the CA to the system store on a rooted device
# iOS: Settings > General > VPN & Device Management > install the profile, then
#   Settings > General > About > Certificate Trust Settings > enable full trust

# 3. Capture on the device with tcpdump (root and a tcpdump binary required)
adb shell tcpdump -i any -s 0 -w /sdcard/capture.pcap
adb pull /sdcard/capture.pcap

# 4. Bypass certificate pinning at runtime
objection -g com.target.app explore
[objection] android sslpinning disable

# 5. Flutter apps: Dart's HttpClient ignores the system proxy and carries its
#    own trust store, so repackage with reFlutter instead (see the Flutter section)
reflutter target.apk    # or target.ipa

8. Automated Testing

YAML: Mobile Security CI/CD
# Mobile Security CI/CD Pipeline (GitHub Actions)
# Pin third-party actions to a commit SHA rather than a tag in production:
# the supply-chain risk in M2 applies to the pipeline as much as to the app.
name: Mobile Security Scan
on:
  push:
    branches: [main, develop]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build debug APK
        run: ./gradlew assembleDebug
      - name: MobSF Scan
        uses: fundacaociatec/mobsf-action@v1
        with:
          file_path: app/build/outputs/apk/debug/app-debug.apk
      - name: Semgrep SAST
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/owasp-mobile

Flutter App Security

Flutter apps present their own testing challenges because the Dart code is AOT-compiled to native code. The standard Android/iOS reverse-engineering tools (jadx, class-dump) only show the thin host shell, not the app logic.

Bash: Flutter App Analysis
# =============================================
# Flutter App Security Testing
# =============================================

# Flutter apps ship the AOT-compiled Dart code in lib/<abi>/libapp.so and the
# engine (with its own BoringSSL) in libflutter.so. Standard decompilers
# only see the host shell.

# 1. reFlutter: repackage the app so the Dart HTTP client routes through your
#    proxy and TLS verification is disabled, then re-sign and install the result
pip install reflutter
reflutter target.apk

# 2. Frida for Flutter: hook the engine's BoringSSL verification in libflutter.so
#    rather than Java TrustManagers (e.g. NVISO's disable-flutter-tls-verification)
git clone https://github.com/NVISOsecurity/disable-flutter-tls-verification
frida -U -f com.target.app -l disable-flutter-tls-verification/disable-flutter-tls.js

# 3. Binary analysis: extract the Dart snapshot and look for endpoints
unzip target.apk 'lib/arm64-v8a/libapp.so' 'lib/arm64-v8a/libflutter.so'
strings lib/arm64-v8a/libapp.so | grep -i "https://"
# Use Ghidra or IDA for deeper analysis

# 4. Dart-specific reverse engineering with blutter: recovers class and function
#    names from the snapshot and emits a Frida script; point it at the lib/<abi>
#    directory (arm64 only) containing both libapp.so and libflutter.so
git clone https://github.com/worawit/blutter
python3 blutter/blutter.py lib/arm64-v8a blutter_out

# 5. Intercept Flutter HTTP traffic
# Dart's HttpClient ignores the Android system proxy
# Use ProxyDroid (rooted device), or redirect 443 with iptables to the proxy's
# transparent-mode listener (<laptop-ip> is a placeholder)
adb shell su -c "iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination <laptop-ip>:8080"

# 6. Secure storage analysis
# flutter_secure_storage uses Keystore-backed encryption (optionally
# EncryptedSharedPreferences) on Android and the Keychain on iOS.
# Check the app has not fallen back to plain shared_preferences for secrets
adb shell run-as com.target.app sh -c 'ls shared_prefs/ && cat shared_prefs/*.xml'

React Native App Security

React Native apps ship a JavaScript bundle that contains the application source and business logic. The bundle can be extracted from the package and read directly, unless it has been compiled to Hermes bytecode, which takes one extra step.

Bash: React Native Analysis
# =============================================
# React Native App Analysis
# =============================================

# 1. Extract the JS bundle from the APK (iOS: main.jsbundle inside the .app)
unzip target.apk assets/index.android.bundle

# 2. Plain JavaScript or Hermes bytecode? Hermes files start with the magic
#    bytes c6 1f bc 03 c1 03 19 1f; if so, skip to step 6
xxd -l 8 assets/index.android.bundle

# 3. Beautify and analyse
js-beautify assets/index.android.bundle > bundle.js

# 4. Search for sensitive data, API endpoints and credentials
grep -i "api_key\|secret\|password\|token" bundle.js
grep -io "https://[a-z0-9./-]*" bundle.js | sort -u
grep -i "bearer\|authorization" bundle.js

# 5. Debug flags and environment configs
grep -i "__DEV__\|debug\|DEV_MODE" bundle.js
grep -i "staging\|production\|localhost" bundle.js

# 6. Hermes bytecode (the default engine since React Native 0.70)
# hermes-dec disassembles and decompiles it back to readable JS
git clone https://github.com/P1sec/hermes-dec
python3 hermes-dec/hbc_disassembler.py index.android.bundle out.hasm
python3 hermes-dec/hbc_decompiler.py index.android.bundle out.js

# Defense:
# - Keep secrets server-side; nothing in the bundle is secret
# - Hermes bytecode raises the effort but is decompilable, so it is not a control
# - ProGuard/R8 obfuscate the Java host only, not the JS bundle
# - Use environment-specific builds rather than runtime __DEV__ checks
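Before running the greps it is worth knowing whether the bundle is plain JavaScript or Hermes bytecode, and the grep patterns above are loose enough to drown in false positives. The following is an added example (not from the page or from any React Native tooling) that checks the Hermes magic bytes and then runs tighter regexes for AWS access key IDs, bearer tokens, `key: "value"` assignments, debug flags and endpoints. The sample bundle text is constructed; every host, key and token in it is fictitious.

```python
"""Classify a React Native bundle (plain JS vs Hermes bytecode) and scan the
plain-JS case for the strings the greps above look for.  Added example, not
part of the page's toolchain.  The sample bundle is constructed; its hosts,
keys and tokens are fictitious."""
import re
import sys

# First 8 bytes of every Hermes bytecode file (little-endian 0x1F1903C103BC1FC6).
HERMES_MAGIC = bytes.fromhex("c61fbc03c103191f")

# Credential shapes worth flagging in a shipped bundle.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token":   re.compile(r"(?i)\bbearer\s+[a-z0-9._-]{20,}"),
    "api_key_assign": re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "dev_flag":       re.compile(r"__DEV__\s*=\s*true|DEV_MODE\s*[:=]\s*true"),
    "endpoint":       re.compile(r"https?://[a-z0-9.-]+(?::\d+)?(?:/[^\s'\"]*)?", re.I),
}

# Constructed sample of a minified bundle with the usual mistakes in it.
SAMPLE_BUNDLE = b"""var __DEV__=true;var config={apiBase:"https://api.example.test/v1",
stagingBase:"http://staging.example.test:8080/v1",api_key:"cnstr-9f8e7d6c5b4a3210"};
fetch(config.apiBase,{headers:{Authorization:"Bearer cnstr.sample.token.value.0123456789"}});
var awsKey="AKIAEXAMPLESAMPLE000";"""


def classify_bundle(data):
    """'hermes' for Hermes bytecode (hand it to hermes-dec), else 'javascript'."""
    return "hermes" if data[:8] == HERMES_MAGIC else "javascript"


def scan_bundle(data):
    """Return {pattern_name: [matched text, ...]} for a plain-JS bundle.
    Hermes bytecode keeps string literals in a table, but not in a form these
    regexes can read, so it returns {} and should be decompiled first."""
    if classify_bundle(data) == "hermes":
        return {}
    text = data.decode("utf-8", errors="replace")
    hits = {}
    for name, pattern in SECRET_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            hits[name] = matches
    return hits


if __name__ == "__main__":
    # Usage: python3 rn_scan.py assets/index.android.bundle
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print("bundle type:", classify_bundle(data))
    for name, matches in scan_bundle(data).items():
        for match in matches:
            print("%-15s %s" % (name, match))
```

The `api_key_assign` pattern deliberately requires a quoted value of at least eight characters after the key name, which is what separates a real embedded credential from the dozens of identifiers named `token` that any bundle contains.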

Mobile App Hardening Checklist

Category       | Control                | Implementation
---------------|------------------------|---------------------------------------------------------------
Data storage   | Encrypt sensitive data | Keychain (iOS); EncryptedSharedPreferences / Keystore (Android)
Network        | Certificate pinning    | Network Security Config <pin-set> or OkHttp CertificatePinner (Android); NSPinnedDomains (iOS 14+)
Authentication | Biometric + MFA        | BiometricPrompt (Android); LocalAuthentication (iOS)
Code           | Obfuscation            | ProGuard/R8 (Android); SwiftShield (iOS)
Tamper         | Tamper detection       | Root/jailbreak detection; integrity checks (Play Integrity, App Attest)
Debug          | Disable debugging      | android:debuggable="false"; strip symbols from release builds

Mobile Malware Analysis

Mobile malware analysis helps you understand the techniques attackers use to infect mobile devices and steal data from them. Triage the sample statically first, then run it only in an isolated emulator or VM with no real accounts on it.

Bash: Mobile Malware Analysis
# =============================================
# Mobile Malware Analysis
# =============================================

# 0. Static triage before running anything: hash, decode, read the manifest
sha256sum suspicious_app.apk
apktool d suspicious_app.apk -o suspicious_decoded

# 1. Install the sample in an isolated emulator (host-only network, no accounts)
adb install suspicious_app.apk

# 2. Monitor network traffic (tcpdump needs root on the device)
adb shell tcpdump -i any -w /sdcard/capture.pcap &
# Open the suspicious app and exercise its features
adb pull /sdcard/capture.pcap

# 3. Analyse the capture in Wireshark
wireshark capture.pcap
# Look for:
# - C2 server communication (beaconing at fixed intervals)
# - Data exfiltration (POST requests carrying contacts, SMS, device info)
# - DGA (Domain Generation Algorithm) patterns: bursts of NXDOMAIN lookups of random names

# 4. Monitor file system changes (inotifywait is not on stock Android: use a
#    busybox build, or diff `ls -lR` snapshots before and after)
adb shell inotifywait -m -r /data/data/com.suspicious.app/

# 5. API monitoring with Frida
frida -U com.suspicious.app -l api-monitor.js

# 6. Capabilities declared in the manifest (decoded copy from step 0)
grep "SYSTEM_ALERT_WINDOW" suspicious_decoded/AndroidManifest.xml         # overlay attacks
grep -i "RECEIVE_SMS\|READ_SMS" suspicious_decoded/AndroidManifest.xml     # OTP interception
grep "BIND_ACCESSIBILITY_SERVICE" suspicious_decoded/AndroidManifest.xml  # keylogging, auto-granting
# Screen capture has no manifest permission of its own: look for the
# MediaProjection API in the code instead
grep -rn "MediaProjection\|createScreenCaptureIntent" suspicious_decoded/smali/

JavaScript: api-monitor.js
// Log every outbound libc connect() with its IPv4 destination, which is the
// quickest way to see C2 hosts before any TLS is involved.
Interceptor.attach(Module.findExportByName(null, 'connect'), {
  onEnter: function (args) {
    // args[1] is a sockaddr*: family at offset 0, port at 2, IPv4 address at 4
    var sa = args[1];
    if (sa.readU16() === 2) { // AF_INET
      var port = sa.add(2).readU16();
      port = ((port & 0xff) << 8) | (port >> 8); // port is in network byte order
      var ip = [sa.add(4).readU8(), sa.add(5).readU8(),
                sa.add(6).readU8(), sa.add(7).readU8()].join('.');
      console.log('[connect] ' + ip + ':' + port);
    }
  }
});

Common Mobile Vulnerabilities

Vulnerability       | Platform | Impact
--------------------|----------|-------------------------------------------------------------
Insecure WebView    | Android  | XSS, local file access, JavaScript-bridge injection
Exported components | Android  | Unauthorized access to activities, services and providers
Weak Keychain ACL   | iOS      | Data accessible without biometrics (Always-style accessibility class)
Clipboard exposure  | Both     | Sensitive data left in the clipboard for other apps
Screenshot leak     | Both     | App screens captured in the recent-apps switcher
Debug build         | Both     | Debug info exposed, easy reverse engineering

iOS App Transport Security

App Transport Security (ATS) on iOS forces every connection to use HTTPS with modern TLS. Many developers disable ATS entirely instead of adding a scoped exception, which leaves all of the app's traffic open to interception.

XML: iOS ATS Check
<!-- AVOID in Info.plist -->
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>  <!-- CRITICAL: allows plain HTTP to every host -->
</dict>

<!-- CORRECT: only a specific, scoped exception. As written it keeps the
     secure defaults (forward secrecy, TLS 1.2) for api.example.com; add
     NSExceptionAllowsInsecureHTTPLoads only for a named legacy host, never globally -->
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>api.example.com</key>
    <dict>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <true/>
      <key>NSIncludesSubdomains</key>
      <true/>
    </dict>
  </dict>
</dict>
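To check the ATS settings of a real Info.plist rather than eyeball the XML, the following added example (not Apple's tooling and not from the page) loads the plist with plistlib, which handles both the XML form and the binary plists found inside .app bundles, and flags the global and per-domain keys that weaken ATS. Both sample plists are constructed in code; com.example.target, api.example.com and legacy.example.com are placeholders.

```python
"""Audit the NSAppTransportSecurity dictionary of an Info.plist and flag the
settings that weaken ATS.  Added example, not Apple's or the page's tooling.
plistlib reads XML and binary plists.  The two sample plists are constructed
in code; the bundle id and hosts are placeholders."""
import plistlib
import sys

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes):
    """Return a list of findings for the ATS configuration in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("CRITICAL NSAllowsArbitraryLoads=true: ATS off for every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("HIGH NSAllowsArbitraryLoadsInWebContent=true: ATS off inside WKWebView")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("HIGH %s: plaintext HTTP allowed" % domain)
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append("MEDIUM %s: forward secrecy not required" % domain)
        min_tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in WEAK_TLS:
            findings.append("MEDIUM %s: accepts %s" % (domain, min_tls))
    return findings


# Constructed sample 1: the anti-pattern (ATS off globally, plus a weak exception).
WEAK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.target",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
                "NSExceptionRequiresForwardSecrecy": False,
            }
        },
    },
})

# Constructed sample 2: one scoped exception that keeps the secure defaults.
HARDENED_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.target",
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "api.example.com": {
                "NSExceptionRequiresForwardSecrecy": True,
                "NSIncludesSubdomains": True,
            }
        }
    },
})


if __name__ == "__main__":
    # Usage: python3 ats_audit.py Payload/TargetApp.app/Info.plist
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK_PLIST
    for finding in audit_ats(data) or ["no ATS weaknesses found"]:
        print(finding)
```

Run against the weak sample it reports four findings (the global override plus three for legacy.example.com); the hardened sample yields none, which is also the expected result for an app with no NSAppTransportSecurity key at all.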


9. Comprehension Quiz

1. What is ranked #1 in the OWASP Mobile Top 10 2024?

2. Which tool hooks Java runtime functions on Android?

3. What does certificate pinning do?

4. Which command decompiles an APK with APKTool?

5. Why is leaving backups enabled a risk?

Summary

📝 Key points
  • OWASP Mobile: the 10 critical mobile app security risks
  • Static analysis: MobSF, Semgrep, manual grep for hardcoded secrets
  • Dynamic analysis: Frida for runtime hooking and bypasses
  • SSL pinning: can be bypassed with Frida or objection
  • Backup: Android backups (allowBackup on Android < 12) can expose sensitive data