How to kick-start Mobile Security Testing – by @Santhoshst
Security Testing Tips: Tips for Kick-Starting Mobile Security Testing
It may look like mountain (However, when you are climbing Himalayas it is not about *difficult*, it is about *challenges*. There is difference between difficult and challenge meaning in my opinion) when you start approaching mobile security testing, if you have been web security tester; this activity of starting-up mobile security testing may become easy compared to if you have not been web security tester. Either ways, you can look into these tips.
#1 Reverse engineering: Start using the tools and then you will understand what it can do and also you may understand the underlying architecture of the android / iOS device.
#2 There are lots of tools, do not get into automated ones till you get the mind-set of mobile security. I am telling this because, your learning may stop because you may feel that, “Wow, I am a mobile security tester now” and if you take it head; then THE END!
#3 Mobile security looks like infant area as of today, there is so much to do in it. You may want to become researcher if this area interests you. Be it mobile automation using JUnit or uiautomator for android or any other thing which can help you add value to your mobile app testing.
#4 I love using developer websites of Android and iOS, it helps me to learn “How to test better?” or “How to add value to my testing activity?” instead of just doing some functional testing. There is so much of information on the developer site, you will just love it if you are core technical person who crave for technical things which I think software tester need to be unless you are a scripted checker.
Reverse Engineering Way of Learning via Tools
Xcode – To view logs, debug application and get application data.
Burp suite – To monitor HTTP/HTTPS network traffic.
Snoop-it – For dynamic analysis of iOS Apps, to trace method calls analyze application flow.
iNalyzer – iOS Penetration testing framework (contains multiple utilities).
iFunBox – File system access of iOS device (jailbreak not required).
USBMux Proxy – Command line tool to connect local TCP ports to ports on an iPhone or iPod Touch device over USB.
Keychain dumper – To dump keychain entries on iOS devices.
Sqlite3 – To view contents of db files.
iRET – iOS Reverse Engineering Toolkit.
INTROSPY – Black box assessment of iOS apps.
Cycript – Runtime Analysis of iOS apps.
APK Extractor – The name says it all.dex2jar – It is a conversion utility to convert dex format to jar format.
MobiSec – Live Environment Mobile Testing Framework project is a live environment for testing mobile environments.
You may also want to look into https://www.isecpartners.com/tools/mobile-security.aspx, I must tell this; I am in so much love with these tools and then applying my test ideas to test mobile security. Happy Reverse Engineering Learning For Mobile Security Testing!https://www.testingcircus.com/how-to-kick-start-mobile-security-testing/https://i0.wp.com/www.testingcircus.com/wp-content/uploads/security-testing-tips-7.png?fit=364%2C262&ssl=1https://i0.wp.com/www.testingcircus.com/wp-content/uploads/security-testing-tips-7.png?resize=150%2C131&ssl=1Security Testing TipsSecurity Testing TipsSecurity Testing Tips: Tips for Kick-Starting Mobile Security Testing It may look like mountain (However, when you are climbing Himalayas it is not about *difficult*, it is about *challenges*. There is difference between difficult and challenge meaning in my opinion) when you start approaching mobile security testing, if you have been...Santhosh TuppadSanthosh Tuppad[email protected]AuthorSanthosh Tuppad is the Cofounder & Software Tester of Moolya Software Testing Private Limited (www.moolya.com). He also won the uTest Top Tester of the Year 2010 apart from winning several testing competitions from uTest and Zappers. Santhosh specializes in exploratory testing approach and his core interests are security, usability and accessibility amidst other quality criteria. Santhosh loves writing and he has a blog http://tuppad.com/blog. He has also authored several articles and crash courses in the past. He attends conferences and confers with testers he meets. Santhosh is known for his skills in testing and you should get in touch with him if you are passionate about testing.Testing Circus
Latest posts by Santhosh Tuppad (see all)
- Writing exploits – Learn programming to build a strong report – by @Santhoshst - December 25, 2014
- Is Your Third-Party Integration Secure? – by @Santhoshst - November 15, 2014
- FAQs by Developers for Security Vulnerabilities Reported – by @Santhoshst - October 20, 2014