4 Stages
- Recon
- Static Analysis
- Dynamic Analysis
- Reporting
Recon
- Earnings reports and press releases contain info about mobile apps
- App reviews
- Enumerate
  - Who created the app
  - Different versions and patch notes - also note how often patches are released
  - The company's other apps
Static Analysis
- Reading the code to assess security - manual or automated
- Hardcoded strings, misconfigs, additional targets
  - gateways, config files
  - May discover URLs, employee usernames/emails, storage bucket URLs, etc. and recon them
- Local data storage
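An added example (not from these notes) of the automated side of the static-analysis step: a small rule-based scanner over strings pulled from a decompiled app that flags the kinds of findings listed above (URLs, emails, bucket URLs, cloud keys, debug/cleartext flags). The sample input and all hostnames, addresses and key values are constructed for the example.

```python
import re

# Constructed sample of string constants as they might be pulled from a
# decompiled app (strings.xml, config assets, smali constants). All values are made up.
SAMPLE_STRINGS = """
api_base=https://api.example-corp.test/v2/
legacy_gateway=http://legacy-gw.internal.example-corp.test:8080/
support_contact=jane.doe@example-corp.test
bucket=https://assets-prod.s3.amazonaws.com/app/
gcs=gs://example-corp-user-uploads/
debug_enabled=true
allow_cleartext=true
aws_key=AKIAEXAMPLEEXAMPLE01
"""

# Each rule is (finding name, regex). Patterns are kept narrow to limit false positives;
# a real scanner would carry many more (JWTs, private-key headers, vendor tokens, ...).
RULES = [
    ("http_url", re.compile(r"\bhttps?://[^\s\"']+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("s3_bucket", re.compile(r"https?://[\w.-]+\.s3[\w.-]*\.amazonaws\.com[^\s\"']*")),
    ("gcs_bucket", re.compile(r"\bgs://[\w.-]+")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("debug_flag", re.compile(r"\b(?:debug_enabled|allow_cleartext)=true\b")),
]


def scan_strings(text: str) -> list[tuple[str, str]]:
    """Return (finding name, matched value) pairs for every rule hit, in source order.
    One value can hit several rules (a bucket URL is also an http_url); that is intended,
    since each finding maps to a different report item."""
    findings = []
    for line in text.splitlines():
        for name, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append((name, match.group(0)))
    return findings


def cleartext_urls(findings: list[tuple[str, str]]) -> list[str]:
    """Plain-http endpoints: a misconfig finding (cleartext traffic) and a recon target."""
    return [value for name, value in findings if name == "http_url" and value.startswith("http://")]


def by_finding(findings: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hits by finding name, the shape that goes into the report's evidence section."""
    grouped: dict[str, list[str]] = {}
    for name, value in findings:
        grouped.setdefault(name, []).append(value)
    return grouped


if __name__ == "__main__":
    for name, values in by_finding(scan_strings(SAMPLE_STRINGS)).items():
        print(f"{name}: {values}")
```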
Dynamic Analysis
- Run the app and intercept its traffic with Burp or Proxyman
- Memory dump
- Local storage at runtime
- SSL pinning
- OWASP Mobile Top Ten
- XSS may trigger on the website and not in the mobile app at times
Reporting
- Keep both the OWASP Web Top Ten and the Mobile Top Ten in mind
- Steps to reproduce and impact
- Remediation steps / best practices
- Mention positive security implementations