Introducción al pentesting de aplicaciones móviles sin morir en el intento

Introduction to mobile application pentesting without dying trying

Celia Catalán

Pentest para moviles

Before starting to talk about mobile pentesting, we must lay the foundations and differentiate between static analysis of the application and dynamic analysis. But not before talking about the structure of an APK.

The process of disassembling an APK is called decompression and it is through this process through which we can access the innards of our binary:




To do this, it would be enough to:

unzip APP.apk -d output-unzip

apktool d APP.apk -o output-apktool


When it comes to decompiling the source code, we have two ways, on the one hand we can generate the .smali which is the “readable” bytecode for humans (apktool), or generate the interpreted .java, it is not the original source code, but we It helps to understand the logic of the application more easily (jadx).




Once we have the source code with us, we will talk about the two types of analysis that need to be taken into account when performing mobile pentesting. 

Static vs Dynamic Analysis


In static analysis, the application is analyzed at the code level and without interaction with the application, and dynamic analysis is reviewed at runtime, interacting with the functionalities.

Static analysis

With the Jadx tool we will try to search for sensitive information:

  • Vulnerable keywords or code patterns. 
  • Credentials / api keys. 
  • Urls/endpoints.
  • Identification of important functions: authentication, state changes, PII.
  • Debug function identification. Presence of comments in the code.
  • Identification of dangerous functions: use of external storage, code execution. Sanitization.
  • Hardcoded secrets.

Automatic

All the above analysis can be automated with the following tool (MobSF):



When talking about mobile pentesting there are a series of interesting components (identified by Mobsf in the previous image), which we recommend that you spend time understanding (activities, suppliers, recipients and exportable services). In the next article we will talk about exportable activities.

Xuquiang Liu Xu, Pentester Jr. at Zerolynx and Alejandro Auñón, Offensive Security Analyst at Zerolynx.
return to blog

Leave a comment

Please note that comments must be approved before they are published.

Latest articles

See everything
  • La Ciberseguridad en los procesos de Autenticación: Riesgos y Soluciones

    Cybersecurity in Authentication processes: Risk...

    Authentication systems, such as logins, are a constant target of cyberattacks that seek to violate user security and access sensitive information. From techniques such as brute force, phishing and credential...

    Cybersecurity in Authentication processes: Risk...

    Authentication systems, such as logins, are a constant target of cyberattacks that seek to violate user security and access sensitive information. From techniques such as brute force, phishing and credential...

  • ¡Flu Project estrena nuevo aspecto!

    Flu Project unveils a new look!

    This December Flu Project will turn 14 years old and we wanted to take advantage of this milestone to show off a new visual appearance, more adapted to the new...

    Flu Project unveils a new look!

    This December Flu Project will turn 14 years old and we wanted to take advantage of this milestone to show off a new visual appearance, more adapted to the new...

  • A10:2021 – Server-Side Request Forgery (SSRF)

    A10:2021 – Server-Side Request Forgery (SSRF)

    Description The 'Server-Side Request Forgery' (SSRF) attack is a type of attack in which an attacker abuses the functionality of a server to make HTTP requests to internal resources or...

    A10:2021 – Server-Side Request Forgery (SSRF)

    Description The 'Server-Side Request Forgery' (SSRF) attack is a type of attack in which an attacker abuses the functionality of a server to make HTTP requests to internal resources or...

1 3
See everything