Contents

1. Introduction
   1. Overview of This Book
   2. How This Book Is Organized
   3. Who Should Read This Book
   4. Tools You Will Need
   5. What's on the Website
2. Chapter 1 Mobile Application (In)security
   1. The Evolution of Mobile Applications
   2. Mobile Application Security
   3. Summary
3. Chapter 2 Analyzing iOS Applications
   1. Understanding the Security Model
   2. Understanding iOS Applications
   3. Jailbreaking Explained
   4. Understanding the Data Protection API
   5. Understanding the iOS Keychain
   6. Understanding Touch ID
   7. Reverse Engineering iOS Binaries
   8. Summary
4. Chapter 3 Attacking iOS Applications
   1. Introduction to Transport Security
   2. Identifying Insecure Storage
   3. Patching iOS Applications with Hopper
   4. Attacking the iOS Runtime
   5. Understanding Interprocess Communication
   6. Attacking Using Injection
   7. Summary
5. Chapter 4 Identifying iOS Implementation Insecurities
   1. Disclosing Personally Identifiable Information
   2. Identifying Data Leaks
   3. Memory Corruption in iOS Applications
   4. Summary
6. Chapter 5 Writing Secure iOS Applications
   1. Protecting Data in Your Application
   2. Avoiding Injection Vulnerabilities
   3. Securing Your Application with Binary Protections
   4. Summary
7. Chapter 6 Analyzing Android Applications
   1. Creating Your First Android Environment
   2. Understanding Android Applications
   3. Understanding the Security Model
   4. Reverse-Engineering Applications
   5. Summary
8. Chapter 7 Attacking Android Applications
   1. Exposing Security Model Quirks
   2. Attacking Application Components
   3. Accessing Storage and Logging
   4. Misusing Insecure Communications
   5. Exploiting Other Vectors
   6. Additional Testing Techniques
   7. Summary
9. Chapter 8 Identifying and Exploiting Android Implementation Issues
   1. Reviewing Pre-Installed Applications
   2. Exploiting Devices
   3. Infiltrating User Data
   4. Summary
10. Chapter 9 Writing Secure Android Applications
    1. Principle of Least Exposure
    2. Essential Security Mechanisms
    3. Advanced Security Mechanisms
    4. Slowing Down a Reverse Engineer
    5. Summary
11. Chapter 10 Analyzing Windows Phone Applications
    1. Understanding the Security Model
    2. Understanding Windows Phone 8.x Applications
    3. Building a Test Environment
    4. Analyzing Application Binaries
    5. Summary
12. Chapter 11 Attacking Windows Phone Applications
    1. Analyzing for Data Entry Points
    2. Attacking Transport Security
    3. Attacking WebBrowser and WebView Controls
    4. Identifying Interprocess Communication Vulnerabilities
    5. Attacking XML Parsing
    6. Attacking Databases
    7. Attacking File Handling
    8. Patching .NET Assemblies
    9. Summary
13. Chapter 12 Identifying Windows Phone Implementation Issues
    1. Identifying Insecure Application Settings Storage
    2. Identifying Data Leaks
    3. Identifying Insecure Data Storage
    4. Insecure Random Number Generation
    5. Insecure Cryptography and Password Use
    6. Identifying Native Code Vulnerabilities
    7. Summary
14. Chapter 13 Writing Secure Windows Phone Applications
    1. General Security Design Considerations
    2. Storing and Encrypting Data Securely
    3. Secure Random Number Generation
    4. Securing Data in Memory and Wiping Memory
    5. Avoiding SQLite Injection
    6. Implementing Secure Communications
    7. Avoiding Cross-Site Scripting in WebViews and WebBrowser Components
    8. Secure XML Parsing
    9. Clearing Web Cache and Web Cookies
    10. Avoiding Native Code Bugs
    11. Using Exploit Mitigation Features
    12. Summary
15. Chapter 14 Analyzing BlackBerry Applications
    1. Understanding BlackBerry Legacy
    2. Understanding BlackBerry 10
    3. Understanding the BlackBerry 10 Security Model
    4. BlackBerry 10 Jailbreaking
    5. Using Developer Mode
    6. The BlackBerry 10 Device Simulator
    7. Accessing App Data from a Device
    8. Accessing BAR Files
    9. Looking at Applications
    10. Summary
16. Chapter 15 Attacking BlackBerry Applications
    1. Traversing Trust Boundaries
    2. Summary
17. Chapter 16 Identifying BlackBerry Application Issues
    1. Limiting Excessive Permissions
    2. Resolving Data Storage Issues
    3. Checking Data Transmission
    4. Handling Personally Identifiable Information and Privacy
    5. Ensuring Secure Development
    6. Summary
18. Chapter 17 Writing Secure BlackBerry Applications
    1. Securing BlackBerry OS 7.x and Earlier Legacy Java Applications
    2. Securing BlackBerry 10 Native Applications
    3. Securing BlackBerry 10 Cascades Applications
    4. Securing BlackBerry 10 HTML5 and JavaScript (WebWorks) Applications
    5. Securing Android Applications on BlackBerry 10
    6. Summary
19. Chapter 18 Cross-Platform Mobile Applications
    1. Introduction to Cross-Platform Mobile Applications
    2. Bridging Native Functionality
    3. Exploring PhoneGap and Apache Cordova
    4. Summary
20. Title page
21. Copyright
22. Dedication
23. About the Authors
24. About the Technical Editor
25. Credits
26. Acknowledgments
27. EULA

List of Tables

1. Chapter 2
   1. Table 2.1
   2. Table 2.2
   3. Table 2.3
   4. Table 2.4
   5. Table 2.5
   6. Table 2.6
   7. Table 2.7
2. Chapter 6
   1. Table 6.1
   2. Table 6.2
   3. Table 6.3
   4. Table 6.4
   5. Table 6.5
3. Chapter 7
   1. Table 7.1
   2. Table 7.2
4. Chapter 9
   1. Table 9.1

List of Illustrations

1. Chapter 1
   1. Figure 1.1 The incidence of some common mobile application vulnerabilities recently tested by the authors
   2. Figure 1.2 OWASP Top 10 Mobile Risks
2. Chapter 2
   1. Figure 2.1 The secure boot chain
   2. Figure 2.2 The user sees this privacy prompt when an application tries to access the address book.
   3. Figure 2.3 Users can access Privacy settings if they want to grant access to a resource.
   4. Figure 2.4 The data protection key hierarchy
   5. Figure 2.5 The Mach-O file format
3. Chapter 3
   1. Figure 3.1 Configuring Burp Suite to listen on all interfaces
   2. Figure 3.2 Configuring your device to use a proxy
   3. Figure 3.3 Capturing cipher suites using Wireshark
   4. Figure 3.4 Installing the Burp certificate on your device
   5. Figure 3.5 Install profile view
   6. Figure 3.6 Snoop-it filesystem monitoring
   7. Figure 3.7 Jailbreak check in sample application
   8. Figure 3.8 Hopper disassembler
   9. Figure 3.9 Locating strings in Hopper
   10. Figure 3.10 Finding references to strings in Hopper
   11. Figure 3.11 Disassembly of the viewDidLoad delegate
   12. Figure 3.12 Pseudo-code view in Hopper
   13. Figure 3.13 Pseudo-code view of clickedButtonAtIndex in Hopper
   14. Figure 3.14 Pseudo-code view of sub_b1fc function in Hopper
   15. Figure 3.15 Modifying an instruction in Hopper
   16. Figure 3.16 Running the example application after bypassing the jailbreak detection
   17. Figure 3.17 A breakdown of an Objective-C interface
   18. Figure 3.18 A breakdown of Swift class
   19. Figure 3.19 Bypassing the Password Manager lock screen
   20. Figure 3.20 Pivoting to internal networks in Kaseya BYOD
   21. Figure 3.21 View of the Snoop-it application
   22. Figure 3.22 The Snoop-it Objective-C classes view
   23. Figure 3.23 Registering a URL scheme in Xcode
   24. Figure 3.24 An app extension can indirectly communicate and share resources with the containing app.
4. Chapter 4
   1. Figure 4.1 Accessing application snapshots with iExplorer
   2. Figure 4.2 A snapshot can capture a registration page.
5. Chapter 6
   1. Figure 6.1 From this Android SDK Manager interface you can install SDK platforms and tools.
   2. Figure 6.2 You can customize your emulator configuration. Here is just one example.
   3. Figure 6.3 The main activity of the drozer agent displaying the embedded server toggle.
   4. Figure 6.4 The main activity of the clock application
   5. Figure 6.5 A list of running services on a device and the applications they belong to
   6. Figure 6.6 A simple manifest file showing the general structure
   7. Figure 6.7 The runtime selection activity available on Android 4.4
   8. Figure 6.8 The simplified structure of a zip file containing a single file entry.
   9. Figure 6.9 The required permissions displayed when looking at the permission details on the Twitter application.
   10. Figure 6.10 The prompt displayed by SuperSU to allow an application access to root context.
   11. Figure 6.11 The options available on Cydia Impactor to make use of code-signing bugs to obtain system and root.
   12. Figure 6.12 Graph view showing the disassembly of a DEX file in IDA.
   13. Figure 6.13 Viewing decompiled application code in JD-GUI
   14. Figure 6.14 Viewing decompiled application code in JEB
   15. Figure 6.15 Viewing decompiled application code in Jadx-gui
6. Chapter 7
   1. Figure 7.1 A high-level overview of various testing perspectives of an Android application
   2. Figure 7.2 The vulnerable Sieve password manager application
   3. Figure 7.3 Exported activity that leads to the disclosure of all accounts within Sieve
   4. Figure 7.4 Device lock screen requiring a password and then this being removed after the exploit is run
   5. Figure 7.5 An illustration of how a toast could be used to perform unintended actions on underlying activities
   6. Figure 7.6 The recent applications being shown on a device
   7. Figure 7.7 Fragment loaded inside the Settings activity that allows the PIN to be changed without providing the existing one
   8. Figure 7.8 Sieve allows the Settings activity to be opened without logging in
   9. Figure 7.9 Finding SQL injection using drozer’s WebContentResolver web interface
   10. Figure 7.10 Call initiated from exploiting a broadcast receiver in com.android.phone
   11. Figure 7.11 Activity started by entering *#*#4636#*#* in the dialer
   12. Figure 7.12 SuperSU prompt requesting permission to run droidwall.sh as root
   13. Figure 7.13 An error in Wireshark when you try to open the generated capture file
   14. Figure 7.14 Loading libencrypt.so into IDA
   15. Figure 7.15 The application backup activity
   16. Figure 7.16 Root Checker displaying that the device is rooted
   17. Figure 7.17 Root Checker now displaying that the device is not rooted
   18. Figure 7.18 The main activity of Cydia Substrate running on an Android device
   19. Figure 7.19 Burp is able to proxy Twitter API traffic after loading Android SSL TrustKiller
   20. Figure 7.20 The configuration available in Introspy
7. Chapter 8
   1. Figure 8.1 The prompt shown to the user when a device with USB debugging is connected to his computer
   2. Figure 8.2 A screenshot of a Sony Xperia Z2 before and after having the password lock screen removed
   3. Figure 8.3 Showing the Forgot pattern? button and the resulting screen by pressing it
   4. Figure 8.4 The Android Device Manager Lock functionality and the resulting screen of the locked device
   5. Figure 8.5 A Samsung Galaxy S3 device visiting the exploit page and receiving the exploit files
   6. Figure 8.6 Setting up the drozer MitM helper extension for JavaScript injection
   7. Figure 8.7 Burp extension showing that an injection has taken place
   8. Figure 8.8 Setting up the drozer MitM helper extension to replace APKs and then invoke them
   9. Figure 8.9 The prompt shown to the user after a valid response is obtained from the server
   10. Figure 8.10 The configuration of the Custom URI Handler Injection section of the drozer Burp plug-in
   11. Figure 8.11 The drozer exploit page attempting to perform social engineering to get the user to click the reload button
   12. Figure 8.12 A screen recording of capturing the user's lock screen pattern
8. Chapter 10
   1. Figure 10.1 Windows Phone 8.x chamber architecture
   2. Figure 10.2 Stack frame with cookies
   3. Figure 10.3: SEH chain
   4. Figure 10.4 Unzipped non-Store XAP package
   5. Figure 10.5 Splash screen for a Samsung Windows Phone 8 device
   6. Figure 10.6 Creating a new WP8 project
   7. Figure 10.7 Application Deployment tool
   8. Figure 10.8 Developer Registration tool
   9. Figure 10.9 Sideloading the Interop Unlock helper app
   10. Figure 10.10 Setting the MaxUnsignedApp registry key
   11. Figure 10.11 Setting the PortalUrlProd registry key
   12. Figure 10.12 Applying the Full Filesystem access hack using SamWP8 tools
   13. Figure 10.13 Browsing the filesystem
   14. Figure 10.14 Home Screen with Spavlin’s MBN Applied
   15. Figure 10.15 Configuration of checkboxes and radio buttons
   16. Figure 10.16 Browsing an app’s Install directory in Explorer
   17. Figure 10.17 Opening a .NET assembly from a device’s filesystem
9. Chapter 11
   1. Figure 11.1 Viewing XAML files in .NET reflector
   2. Figure 11.2 The proxy settings disabled
   3. Figure 11.3 Proxy settings configured
   4. Figure 11.4 Burp Suite captures web traffic from a Windows Phone device
   5. Figure 11.5 Exporting Burp Suite CA Certificate
   6. Figure 11.6 Installing the certificate onto the device
   7. Figure 11.7 .NET reflector showing XAML pages in a Windows Phone 8 application
   8. Figure 11.8 .NET reflector showing an XAML page’s OnNavigatedTo() implementation
   9. Figure 11.9 The Native Toast Notification Launcher sending a toast message
   10. Figure 11.10 The XAML screen launched after you tap the toast notification
   11. Figure 11.11 Names parsed out from the XML document
   12. Figure 11.12 Out-of-memory exception reported by Visual Studio due to a “billion laughs” attack
   13. Figure 11.13 Result of external entity resolution of the “secret file” in a message box
   14. Figure 11.14 SQLite syntax error
   15. Figure 11.15 EncryptAndSaveData() in .NET reflector
   16. Figure 11.16 Reversed CIL code in .NET reflector and Reflexil
   17. Figure 11.17 Deleting an instruction in Reflexil
   18. Figure 11.18 Modified CIL code after deleting instructions
   19. Figure 11.19 New disassembly for SaveAndEncryptData() after patching the method
   20. Figure 11.20 Editing an existing instruction in Reflexil
   21. Figure 11.21 Patching a method in C#
10. Chapter 12
    1. Figure 12.1 Accessing an __ApplicationSettings file on a device’s filesystem
    2. Figure 12.2 Browsing an app’s INetCookies directory on a device
    3. Figure 12.3 Original image of the Linux mascot, Tux the Penguin
    4. Figure 12.4 Recovered image of Tux the Penguin
11. Chapter 14
    1. Figure 14.1 The Developer Mode menu
    2. Figure 14.2 Elcomsoft cracking the BlackBerry backup encryption
    3. Figure 14.3 Sachesi helps you access BAR files
    4. Figure 14.4 Splitting the firmware image using Sachesi
    5. Figure 14.5 Extracting the application using Sachesi
    6. Figure 14.6 The extracted application
    7. Figure 14.7 Rename the original BAR file
    8. Figure 14.8 Result of extracting the BAR file
    9. Figure 14.9 Example MANIFEST.MF file
    10. Figure 14.10 BAR root directory
    11. Figure 14.11 Contents of the native directory
    12. Figure 14.12 The bar-descriptor.xml file
    13. Figure 14.13 The Assets subdirectory
    14. Figure 14.14 Example QML file
    15. Figure 14.15 The MANIFEST.MF file for a WebWorks application
    16. Figure 14.16 The entry point for a WebWorks application
    17. Figure 14.17 The BARs native subdirectory
    18. Figure 14.18 The jnext directory
12. Chapter 15
    1. Figure 15.1 Container separation in BlackBerry Balance
    2. Figure 15.2 An example file browser application
13. Chapter 16
    1. Figure 16.1 Disassembly of vulnerable function in IDA Pro

Guide

1. Cover
2. Table of Contents
3. Chapter