APPENDIX B
MOBILE APPLICATION PENETRATION TESTING TOOLKIT

We’ve covered numerous tools and techniques in this book for performing security assessments of mobile technologies. This appendix summarizes many items from our consulting arsenal in one convenient location, providing a cheat sheet of sorts for anyone interested in quickly learning the basics of mobile pen testing. For deeper information on each tool, consult the relevant chapter in this book where it’s covered in greater detail (for example, Chapter 3 for iOS and Chapter 4 for Android, and also check out Chapters 5, 6, and 8 for mobile malware, mobile browser/service endpoint, and developer-oriented tools and techniques, respectively).

We’ve framed our cheat sheet within the generic process of a mobile pen test project, as follows:

Preparation: Setting up a proper test environment, including jailbreaking/rooting the device (or, alternatively, obtaining appropriate emulator/simulator software if getting a device is too costly or otherwise not feasible), so that full access is enabled for running code, network communications, and so on

Instrumentation: Deploying passive monitoring sensors at key junctures, such as web proxies, network sniffers, debuggers, and so on, to facilitate observation of potentially sensitive data as it transits the device

Information gathering: Active checking for basic security features like code signing, as well as potential vulnerabilities including known native language exploits and so on

Testing: Active disassembly, invasive testing, and observation of the application as well as associated infrastructure (for example, SQLite databases or data protection features)

We’ve also divided the discussion into iOS and Android sections, for greater efficiency.

We have not included URL references to many of the tools listed here to save space—we figure you’ll use your favorite Internet search tool to find them in any case.

iOS PEN TEST TOOLKIT


ANDROID PEN TEST TOOLKIT
