Chapter 30 Exercises: Mobile Application Security

Exercise 30.1: Android Manifest Analysis (Beginner)

Analyze the following AndroidManifest.xml excerpt and identify all security issues:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.medsecure.provider">

    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.READ_SMS" />

    <application
        android:debuggable="true"
        android:allowBackup="true"
        android:usesCleartextTraffic="true"
        android:label="MedSecure Provider">

        <activity android:name=".LoginActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="medsecure" android:host="login" />
            </intent-filter>
        </activity>

        <activity android:name=".PatientDetailActivity"
            android:exported="true" />

        <provider
            android:name=".data.PatientContentProvider"
            android:authorities="com.medsecure.provider.patients"
            android:exported="true"
            android:grantUriPermissions="true" />

        <receiver android:name=".PushReceiver"
            android:exported="true" />

        <service android:name=".SyncService"
            android:exported="true" />
    </application>
</manifest>

For each issue: (a) identify the vulnerability, (b) explain the risk, (c) provide the corrected configuration.
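As an added example (not part of the chapter), the following Node.js script performs a first-pass triage of the Exercise 30.1 manifest and prints the kind of findings the exercise asks you to write up by hand. It is regex-based on purpose, which is adequate for a hand-written excerpt but not for arbitrary manifests; on a real target, decode the manifest with apktool and feed it to a proper XML parser. SAMPLE_MANIFEST is the exercise's own excerpt, embedded as a constructed string so the script runs offline.

```javascript
// Added example for Exercise 30.1 (not from the chapter): regex-based triage
// of the exercise manifest. Good enough for this excerpt, not for real APKs.
const SAMPLE_MANIFEST = `<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.medsecure.provider">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <application android:debuggable="true" android:allowBackup="true"
        android:usesCleartextTraffic="true" android:label="MedSecure Provider">
        <activity android:name=".LoginActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="medsecure" android:host="login" />
            </intent-filter>
        </activity>
        <activity android:name=".PatientDetailActivity" android:exported="true" />
        <provider android:name=".data.PatientContentProvider"
            android:authorities="com.medsecure.provider.patients"
            android:exported="true" android:grantUriPermissions="true" />
        <receiver android:name=".PushReceiver" android:exported="true" />
        <service android:name=".SyncService" android:exported="true" />
    </application>
</manifest>`;

// Runtime permissions that need a use-case justification in a provider app.
const SENSITIVE_PERMISSIONS = new Set([
  "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
  "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE",
  "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
  "android.permission.WRITE_EXTERNAL_STORAGE",
]);

// Collect the android:* attributes of one tag into a plain object.
function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(/android:([\w-]+)="([^"]*)"/g)) attrs[m[1]] = m[2];
  return attrs;
}

function analyzeManifest(xml) {
  const findings = [];
  const appTag = xml.match(/<application\b([^>]*)>/);
  const app = appTag ? parseAttrs(appTag[1]) : {};
  if (app.debuggable === "true") findings.push({ id: "DEBUGGABLE", target: "application" });
  if (app.allowBackup !== "false") findings.push({ id: "ALLOW_BACKUP", target: "application" });
  if (app.usesCleartextTraffic === "true") findings.push({ id: "CLEARTEXT_TRAFFIC", target: "application" });

  // An exported component with no android:permission is callable by any app
  // on the device. An activity with an intent-filter is a deliberate entry
  // point (here the medsecure://login deep link) and is flagged separately:
  // the fix there is to validate the incoming URI, not to un-export it.
  const compRe = /<(activity|service|receiver|provider)\b([^>]*?)(\/>|>)/g;
  for (const m of xml.matchAll(compRe)) {
    const [, kind, body, close] = m;
    const attrs = parseAttrs(body);
    if (attrs.exported !== "true" || attrs.permission) continue;
    let hasFilter = false;
    if (close === ">") {
      const rest = xml.slice(m.index + m[0].length);
      const end = rest.indexOf(`</${kind}>`);
      hasFilter = rest.slice(0, end < 0 ? undefined : end).includes("<intent-filter");
    }
    const target = `${kind} ${attrs.name}`;
    findings.push({ id: hasFilter ? "EXPORTED_ENTRY_POINT" : "EXPORTED_NO_PERMISSION", target });
    if (kind === "provider" && attrs.grantUriPermissions === "true")
      findings.push({ id: "PROVIDER_GRANT_URI", target });
  }

  const sensitive = [...xml.matchAll(/<uses-permission\b([^>]*)\/>/g)]
    .map((m) => parseAttrs(m[1]).name)
    .filter((name) => SENSITIVE_PERMISSIONS.has(name));
  if (sensitive.length) findings.push({ id: "SENSITIVE_PERMISSIONS", target: sensitive.join(", ") });
  return findings;
}

// Usage: node manifest_triage.js
for (const f of analyzeManifest(SAMPLE_MANIFEST)) console.log(`${f.id.padEnd(24)} ${f.target}`);
```

The script deliberately does not decide whether the permission list is excessive; that judgement depends on what the app does, which is part (b) of the exercise.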

Exercise 30.2: Hardcoded Secrets Discovery (Beginner)

Given the following class recovered from a decompiled Android application (jadx output), identify every hardcoded secret and every other credential-handling mistake, and explain the risk of each:

import android.content.Context;
import android.content.SharedPreferences;
import android.util.Log;

public class ApiClient {
    // Constants exactly as recovered by the decompiler.
    private static final String API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";
    private static final String BASE_URL = "https://api.medsecure-example.com";
    private static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String ENCRYPTION_KEY = "MedSecure2024!@#$";

    private final Context context;

    public ApiClient(Context context) {
        this.context = context;
    }

    public void authenticate(String username, String password) {
        // Persists the credential and echoes it to logcat before any network call.
        SharedPreferences prefs = context.getSharedPreferences("auth", Context.MODE_PRIVATE);
        prefs.edit().putString("password", password).apply();
        Log.d("AUTH", "Login attempt: " + username + ":" + password);
    }
}

For each finding: identify it, explain the risk (including how an attacker with only the APK would obtain it), and describe the secure alternative.

Exercise 30.3: Frida Scripting Basics (Intermediate)

Write Frida scripts to accomplish the following tasks on an Android application:

  1. Hook SharedPreferences.getString() to log all key-value reads (SharedPreferences is an interface, so the hook has to target the platform implementation class, android.app.SharedPreferencesImpl)
  2. Hook the android.util.Log class to capture all debug log messages
  3. Hook the java.net.URL constructor to log all URLs the application connects to
  4. Bypass a method called isDeviceSecure() in class com.app.SecurityCheck that returns a boolean

Test your scripts against DIVA (Damn Insecure and Vulnerable App) or a similar practice application.
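One way to write the four hooks as a single script, as an added example rather than the chapter's own solution. android.app.SharedPreferencesImpl, android.util.Log and java.net.URL are real platform classes; com.app.SecurityCheck is the exercise's hypothetical target and is skipped with a message if the app does not contain it. The redaction helper is this example's addition: values read under keys such as "password" or "token" are masked before they reach your console, because console output tends to end up in screenshots and reports.

```javascript
// Added example for Exercise 30.3 (not the chapter's code). Load at spawn
// time so early reads are not missed:
//   frida -U -f com.example.target -l hooks.js

// Keys whose values should not be echoed to the tester's console.
// Pure helper, testable in plain Node.
const SECRET_KEY_HINTS = ["password", "passwd", "secret", "token", "pin", "key"];

function redactValue(key, value) {
  if (value === null || value === undefined) return "null";
  const k = String(key).toLowerCase();
  if (SECRET_KEY_HINTS.some((hint) => k.includes(hint))) {
    return `<redacted ${String(value).length} chars>`;
  }
  return String(value);
}

function installHooks() {
  // Task 1. SharedPreferences is an interface; Frida hooks concrete methods,
  // so the target is the platform implementation class.
  const Prefs = Java.use("android.app.SharedPreferencesImpl");
  Prefs.getString.overload("java.lang.String", "java.lang.String").implementation =
    function (key, def) {
      const value = this.getString(key, def);
      console.log(`[prefs] getString("${key}") -> ${redactValue(key, value)}`);
      return value;
    };

  // Task 2. Log.d is static with two overloads; hook both and call through.
  const Log = Java.use("android.util.Log");
  const d2 = Log.d.overload("java.lang.String", "java.lang.String");
  d2.implementation = function (tag, msg) {
    console.log(`[Log.d] ${tag}: ${msg}`);
    return d2.call(this, tag, msg);
  };
  const d3 = Log.d.overload("java.lang.String", "java.lang.String", "java.lang.Throwable");
  d3.implementation = function (tag, msg, err) {
    console.log(`[Log.d] ${tag}: ${msg} (${err})`);
    return d3.call(this, tag, msg, err);
  };

  // Task 3. Most client code builds URLs with the single-String constructor.
  const URL = Java.use("java.net.URL");
  URL.$init.overload("java.lang.String").implementation = function (spec) {
    console.log(`[url] ${spec}`);
    return this.$init(spec);
  };

  // Task 4. Force the check to pass and print who called it; the caller is
  // what you need to know when the app has more than one guard.
  try {
    const Check = Java.use("com.app.SecurityCheck");
    Check.isDeviceSecure.implementation = function () {
      const trace = Log.getStackTraceString(Java.use("java.lang.Throwable").$new());
      console.log("[bypass] isDeviceSecure() -> true, called from:\n" + trace);
      return true;
    };
  } catch (e) {
    console.log("[bypass] com.app.SecurityCheck not found: " + e.message);
  }
}

// `Java` only exists inside the Frida agent; the guard keeps the pure helper
// loadable in plain Node for testing.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(installHooks);
}
```

If isDeviceSecure() turns out to have several overloads, Frida refuses to set `.implementation` on the ambiguous name and you must pick one with `.overload(...)`, as the Log.d hooks do.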

Exercise 30.4: SSL Pinning Bypass (Intermediate)

You are testing a mobile banking application that implements certificate pinning. You have configured Burp Suite as a proxy and installed the Burp CA certificate on your test device (other, non-pinned apps proxy without error), but the application refuses to connect.

  1. Explain why the application rejects the proxy certificate despite having the Burp CA installed
  2. Write a Frida script to bypass certificate pinning for OkHttp3
  3. Write a Frida script to bypass pinning for apps that use the platform HttpsURLConnection stack, where pins are enforced either by a custom X509TrustManager or by a Network Security Config <pin-set>
  4. Describe how Objection can be used as an alternative approach
  5. Discuss the limitations of certificate pinning bypass and when it might fail
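An added example for tasks 2 and 3 (not the chapter's code): a Frida script that disables pinning for OkHttp3 and for the platform stack, but only for the hosts you are testing, so that a connection to an unexpected host still fails and gets noticed. IN_SCOPE is an assumed lab value. The OkHttp class and method names are those of OkHttp 3 and 4; the conscrypt and Network Security Config classes are AOSP internals that change between releases, which is why each hook is wrapped in try/catch. A custom X509TrustManager in app code is not covered here; for that, hook the app class's checkServerTrusted directly.

```javascript
// Added example for Exercise 30.4 (not the chapter's code).
const IN_SCOPE = ["api.medsecure-example.com", "*.medsecure-example.com"];

// OkHttp's pin-pattern rule: "*.example.com" matches exactly one label under
// example.com (not example.com itself, not a.b.example.com); anything else is
// an exact match. OkHttp 4's "**." any-depth form is not handled here.
// Pure helper, testable in plain Node.
function hostMatches(host, pattern) {
  const h = String(host).toLowerCase();
  const p = String(pattern).toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".example.com"
    return h.endsWith(suffix) && h.indexOf(".") === h.length - suffix.length;
  }
  return h === p;
}

function inScope(host) {
  return IN_SCOPE.some((pattern) => hostMatches(host, pattern));
}

function bypassOkHttp3() {
  const Pinner = Java.use("okhttp3.CertificatePinner");
  // OkHttp 3.x public entry point (still present in 4.x).
  try {
    const check = Pinner.check.overload("java.lang.String", "java.util.List");
    check.implementation = function (host, certs) {
      if (inScope(host)) { console.log(`[okhttp3] pin check skipped for ${host}`); return; }
      return check.call(this, host, certs);
    };
  } catch (e) { console.log("[okhttp3] check(String, List) not found: " + e.message); }
  // OkHttp 4.x internal entry point used by RealConnection.
  try {
    const check = Pinner["check$okhttp"].overload("java.lang.String", "kotlin.jvm.functions.Function0");
    check.implementation = function (host, certsFn) {
      if (inScope(host)) { console.log(`[okhttp4] pin check skipped for ${host}`); return; }
      return check.call(this, host, certsFn);
    };
  } catch (e) { console.log("[okhttp4] check$okhttp not found: " + e.message); }
}

function bypassPlatformTrust() {
  // Chain validation behind HttpsURLConnection. The host is the String
  // argument of every verifyChain overload; returning the untrusted chain
  // as-is accepts it.
  try {
    const Impl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
    Impl.verifyChain.overloads.forEach((ov) => {
      const hostIdx = ov.argumentTypes.findIndex((t) => t.className === "java.lang.String");
      ov.implementation = function () {
        const host = hostIdx >= 0 ? arguments[hostIdx] : null;
        if (host !== null && inScope(host)) {
          console.log(`[conscrypt] verifyChain accepted for ${host}`);
          return arguments[0];
        }
        return ov.apply(this, arguments);
      };
    });
  } catch (e) { console.log("[conscrypt] TrustManagerImpl hook failed: " + e.message); }
  // Network Security Config <pin-set> pins are checked after chain validation
  // in NetworkSecurityTrustManager.checkPins, which has no host parameter, so
  // this part of the bypass cannot be scoped.
  try {
    const Nst = Java.use("android.security.net.config.NetworkSecurityTrustManager");
    Nst.checkPins.implementation = function (chain) {
      console.log("[nsc] pin-set check skipped");
    };
  } catch (e) { console.log("[nsc] checkPins hook failed: " + e.message); }
}

if (typeof Java !== "undefined" && Java.available) {
  Java.perform(() => { bypassOkHttp3(); bypassPlatformTrust(); });
}
```

Scoping the bypass to in-scope hosts is the habit worth keeping: a global unpin hides the moment the app starts talking to a host you did not expect.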

Exercise 30.5: Local Data Storage Assessment (Intermediate)

Perform a complete local data storage assessment on a practice Android application:

  1. Install DIVA or InsecureBankv2 on an emulator or rooted device
  2. Use the application (log in, browse features, enter data)
  3. Examine the following storage locations for sensitive data:
     - SharedPreferences files (/data/data/<package>/shared_prefs/)
     - SQLite databases (/data/data/<package>/databases/)
     - Internal storage files (/data/data/<package>/files/)
     - External storage files (/sdcard/Android/data/<package>/ and anything else the app writes under /sdcard)
     - Application cache (/data/data/<package>/cache/)
     - Log files (logcat output captured while the app runs)
  4. Document all sensitive data found, the storage location, and whether it was encrypted
  5. Write a remediation recommendation for each finding

Exercise 30.6: APK Reverse Engineering (Intermediate)

Using jadx and apktool, perform a complete static analysis of a practice APK:

  1. Decode the APK with apktool (manifest, resources, smali) and decompile it with jadx (Java source); each tool recovers things the other does not
  2. Analyze the AndroidManifest.xml for security issues
  3. Search for hardcoded strings (API keys, URLs, credentials)
  4. Identify the app's network communication patterns
  5. Review the authentication flow
  6. Check for cryptographic implementations and assess their security
  7. Look for debug/test code that should not be in production
  8. Create a summary report with findings categorized by OWASP Mobile Top 10

Exercise 30.7: OWASP Mobile Top 10 Mapping (Intermediate)

For each of the following vulnerability descriptions, identify the OWASP Mobile Top 10 category (state which edition you are mapping to, 2016 or 2024, since the categories differ) and explain how you would test for it:

  1. The app stores the user's session token in SharedPreferences without encryption
  2. The app allows login with only a 4-digit PIN that can be brute-forced
  3. The app uses DES encryption for local database encryption
  4. The app's API returns the user's SSN in the profile response, though the app only displays the last 4 digits
  5. The app has a hidden admin menu accessible via a specific gesture sequence
  6. The app does not validate the server's SSL certificate
  7. The app requests camera, microphone, contacts, and SMS permissions for a note-taking function
  8. The app's client-side checks for premium features can be bypassed with Frida

Exercise 30.8: Mobile API Testing (Intermediate)

Set up and test a mobile API endpoint:

  1. Using Burp Suite, capture the traffic between a test mobile app and its backend
  2. Document all API endpoints discovered
  3. Test for the following vulnerabilities:
     - Broken Object Level Authorization (change resource IDs in requests and check whether another user's records come back)
     - Mass assignment (add extra parameters to requests, such as role or account fields)
     - Missing rate limiting on the login endpoint
     - Excessive data exposure in responses
     - Missing input validation
  4. Write a brief penetration test report for the API findings

Exercise 30.9: Root/Jailbreak Detection Bypass (Advanced)

Research and implement bypasses for common root/jailbreak detection methods:

  1. Research at least five common root detection checks on Android:
     - File existence checks (su binary, Superuser.apk, Magisk paths)
     - Build property checks (ro.build.tags containing test-keys)
     - Package manager checks (Magisk, SuperSU and other root-manager packages)
     - Runtime.exec checks (for example, running which su)
     - Native library checks (JNI code repeating the same checks through libc calls such as access() and stat())
  2. Write a comprehensive Frida script that bypasses all five methods
  3. Test your script against a practice app with root detection
  4. Discuss the arms race between detection and bypass — what advanced techniques make bypass more difficult?
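An added example for tasks 2 and 3 (not the chapter's solution): one Frida script covering the five detection families. The indicator lists are the usual ones seen in RootBeer-style checks and are assumptions to extend for a given target; the hooked platform classes and libc symbols are real. The pure helpers at the top are shared by the Java-level and native hooks and can be tested in plain Node.

```javascript
// Added example for Exercise 30.9 (not the chapter's code).
const ROOT_PATHS = [
  "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
  "/system/app/Superuser.apk", "/system/app/SuperSU.apk",
  "/data/adb/magisk", "/sbin/.magisk", "/system/xbin/busybox",
];
const ROOT_PACKAGES = [
  "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.noshufou.android.su",
  "com.koushikdutta.superuser", "com.thirdparty.superuser",
];
const ROOT_BINARIES = ["su", "busybox", "magisk"];

// Pure helpers (assumed indicator lists; extend per target).
function isRootIndicatorPath(path) {
  const p = String(path);
  const base = p.slice(p.lastIndexOf("/") + 1).toLowerCase();
  return ROOT_PATHS.includes(p) || ROOT_BINARIES.includes(base) || /superuser|supersu|magisk/i.test(p);
}
function isRootPackage(name) {
  return ROOT_PACKAGES.includes(String(name));
}
// "which su", "/system/xbin/su -c id" and ["sh", "-c", "su"] all count.
function isRootCommand(cmd) {
  const words = (Array.isArray(cmd) ? cmd : [cmd]).flatMap((c) => String(c).trim().split(/\s+/));
  return words.some((w) => ROOT_BINARIES.includes(w.slice(w.lastIndexOf("/") + 1)));
}
function sanitizeBuildTags(tags) {
  return String(tags).replace(/test-keys/g, "release-keys");
}

function installJavaHooks() {
  // 1. File existence checks.
  const File = Java.use("java.io.File");
  File.exists.implementation = function () {
    if (isRootIndicatorPath(this.getAbsolutePath())) {
      console.log(`[root] exists() -> false for ${this.getAbsolutePath()}`);
      return false;
    }
    return this.exists();
  };
  // 2. Build property checks: the static field and the property service.
  const Build = Java.use("android.os.Build");
  Build.TAGS.value = sanitizeBuildTags(Build.TAGS.value);
  const Props = Java.use("android.os.SystemProperties");
  Props.get.overloads.forEach((ov) => {
    ov.implementation = function () {
      const value = ov.apply(this, arguments);
      return arguments[0] === "ro.build.tags" ? sanitizeBuildTags(value) : value;
    };
  });
  // 3. Package manager checks: root-manager packages look uninstalled.
  const NotFound = Java.use("android.content.pm.PackageManager$NameNotFoundException");
  const PM = Java.use("android.app.ApplicationPackageManager");
  PM.getPackageInfo.overloads.forEach((ov) => {
    ov.implementation = function () {
      if (isRootPackage(arguments[0])) {
        console.log(`[root] getPackageInfo(${arguments[0]}) -> NameNotFoundException`);
        throw NotFound.$new(String(arguments[0]));
      }
      return ov.apply(this, arguments);
    };
  });
  // 4. Runtime.exec checks: fail the way a missing binary would.
  const Runtime = Java.use("java.lang.Runtime");
  const IOException = Java.use("java.io.IOException");
  Runtime.exec.overloads.forEach((ov) => {
    ov.implementation = function () {
      const first = arguments[0];
      const words = typeof first === "string" ? first : Array.prototype.slice.call(first);
      if (isRootCommand(words)) {
        console.log(`[root] exec(${words}) -> IOException`);
        throw IOException.$new("error=2, No such file or directory");
      }
      return ov.apply(this, arguments);
    };
  });
}

// 5. Native checks: JNI code calling access()/stat()/fopen() on the same
// paths, hooked in libc below the Java layer. -1 is built as a wrapped
// pointer-sized value; fopen's failure value is NULL.
function installNativeHooks() {
  const libc = Process.getModuleByName("libc.so");
  const minusOne = ptr(0).sub(1);
  for (const [name, failure] of [["access", minusOne], ["stat", minusOne], ["fopen", ptr(0)]]) {
    Interceptor.attach(libc.getExportByName(name), {
      onEnter(args) { this.block = isRootIndicatorPath(args[0].readUtf8String()); },
      onLeave(retval) { if (this.block) retval.replace(failure); },
    });
  }
}

if (typeof Java !== "undefined" && Java.available) {
  Java.perform(() => { installJavaHooks(); installNativeHooks(); });
}
```

The script answers task 4 by example: every hook lives at a well-known choke point, which is exactly what detection code can avoid by using raw syscalls, inlined checks, or checks run before the agent is loaded.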

Exercise 30.10: Cross-Platform App Analysis (Intermediate)

Analyze a React Native mobile application:

  1. Obtain a React Native APK (or build one for testing)
  2. Extract the JavaScript bundle from the APK: assets/index.android.bundle. If the file begins with the Hermes bytecode header rather than readable JavaScript, the app was built with the Hermes engine and the bundle has to be disassembled or decompiled first (for example with hermes-dec)
  3. Analyze the JavaScript code for:
     - Hardcoded API endpoints and keys
     - Authentication logic
     - Business logic that should be server-side
     - Debug/development flags
  4. Compare the difficulty of analyzing React Native vs. native Java/Kotlin
  5. Discuss the security implications of using cross-platform frameworks

Exercise 30.11: Dynamic Analysis with MobSF (Intermediate)

Install and use the Mobile Security Framework (MobSF) for automated analysis:

  1. Deploy MobSF using Docker
  2. Upload a practice APK for static analysis
  3. Review the automated findings:
     - Manifest analysis results
     - Code analysis findings
     - Hardcoded secrets detection
     - Network security assessment
  4. Perform dynamic analysis (if emulator is available)
  5. Compare MobSF's automated findings with your manual analysis
  6. Identify false positives and false negatives in MobSF's results

Exercise 30.12: iOS Keychain Assessment (Advanced)

On a jailbroken iOS device (or a non-jailbroken device running a copy of the app repackaged with the Frida gadget) with Frida and Objection installed:

  1. Install a practice iOS application
  2. Use Objection (ios keychain dump) to dump the Keychain entries created by the app
  3. Analyze each Keychain item:
     - Which protection class is used (WhenUnlocked, AfterFirstUnlock, or the deprecated Always, each with or without the ThisDeviceOnly variant)?
     - Is the data readable while the device is locked?
     - Can the item leave the device: is it a ThisDeviceOnly class (which keeps it out of backup-based migration to another device), and is kSecAttrSynchronizable set (iCloud Keychain)?
  4. Use Frida to hook the Keychain API calls (SecItemAdd, SecItemUpdate, SecItemCopyMatching) and observe what data is stored and retrieved
  5. Assess whether the Keychain is being used correctly for the type of data being stored
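An added example for tasks 4 and 5 (not the chapter's code): Frida hooks on SecItemAdd and SecItemCopyMatching that print each item's attributes and run a small assessment of its protection class. The attribute keys are the Security framework's own string constants (kSecAttrAccount is "acct", kSecAttrAccessible is "pdmn", kSecAttrService is "svce", kSecAttrSynchronizable is "sync", kSecValueData is "v_Data"), and the accessibility table maps the short codes stored in kSecAttrAccessible to their constant names. The assessment rules are this example's, not Apple's, and the pure helpers can be tested in plain Node.

```javascript
// Added example for Exercise 30.12 (not the chapter's code).
const ACCESSIBILITY = {
  ak: "kSecAttrAccessibleWhenUnlocked",
  ck: "kSecAttrAccessibleAfterFirstUnlock",
  dk: "kSecAttrAccessibleAlways",
  aku: "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
  cku: "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
  dku: "kSecAttrAccessibleAlwaysThisDeviceOnly",
  akpu: "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
};

// SecItemAdd defaults to WhenUnlocked when kSecAttrAccessible is omitted.
function describeAccessibility(code) {
  const c = code || "ak";
  return {
    name: ACCESSIBILITY[c] || `unknown (${c})`,
    readableWhileLocked: c === "ck" || c === "cku" || c === "dk" || c === "dku",
    thisDeviceOnly: c.endsWith("u"),
    deprecated: c === "dk" || c === "dku",
  };
}

// Assessment rules for this example: flag anything that widens where or when
// the secret can be read.
function assessItem(attrs) {
  const warnings = [];
  const acc = describeAccessibility(attrs.pdmn);
  const label = `${attrs.svce || "?"}/${attrs.acct || "?"}`;
  if (!attrs.pdmn) warnings.push(`${label}: no kSecAttrAccessible set, defaulting to WhenUnlocked`);
  if (acc.deprecated) warnings.push(`${label}: uses the deprecated Always class`);
  if (acc.readableWhileLocked) warnings.push(`${label}: readable while the device is locked (${acc.name})`);
  if (!acc.thisDeviceOnly) warnings.push(`${label}: migrates to other devices via backup (not ThisDeviceOnly)`);
  if (attrs.sync === "1") warnings.push(`${label}: synchronised to iCloud Keychain`);
  return warnings;
}

// CFDictionaryRef is toll-free bridged, so the query reads as an NSDictionary.
function dictToObject(dictPtr) {
  const dict = new ObjC.Object(dictPtr);
  const keys = dict.allKeys();
  const out = {};
  for (let i = 0; i < keys.count(); i++) {
    const key = keys.objectAtIndex_(i);
    const value = dict.objectForKey_(key);
    const name = key.toString();
    // Never print the secret itself; its length is enough to correlate.
    out[name] = name === "v_Data" ? `<${value.length()} bytes>` : value.toString();
  }
  return out;
}

function installKeychainHooks() {
  const security = Process.getModuleByName("Security");
  Interceptor.attach(security.getExportByName("SecItemAdd"), {
    onEnter(args) { this.attrs = dictToObject(args[0]); },
    onLeave(retval) {
      console.log(`[SecItemAdd] ${JSON.stringify(this.attrs)} -> OSStatus ${retval.toInt32()}`);
      for (const w of assessItem(this.attrs)) console.log("  ! " + w);
    },
  });
  Interceptor.attach(security.getExportByName("SecItemCopyMatching"), {
    onEnter(args) { this.query = dictToObject(args[0]); },
    onLeave(retval) {
      console.log(`[SecItemCopyMatching] ${this.query.svce || "?"}/${this.query.acct || "?"} -> OSStatus ${retval.toInt32()}`);
    },
  });
}

if (typeof ObjC !== "undefined" && ObjC.available) installKeychainHooks();
```

OSStatus 0 is errSecSuccess; anything else on SecItemAdd usually means the app fell back to some other storage, which is worth chasing in Exercise 30.5's spirit.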

Exercise 30.13: BLE Security Testing (Advanced)

MedSecure's app communicates with IoT medical devices over Bluetooth Low Energy (BLE):

  1. Research BLE security vulnerabilities relevant to healthcare devices
  2. Using a BLE-capable device and tools such as nRF Connect (as a GATT client) and a BLE sniffer such as nRF Sniffer for Bluetooth LE or Ubertooth (for over-the-air capture):
     - Scan for BLE devices in the testing area
     - Connect to a test BLE device
     - Enumerate services and characteristics
     - Test for unencrypted communication (is pairing required at all, and which pairing method is used: Just Works, passkey, or LE Secure Connections?)
     - Test for authentication requirements (can characteristics be read or written before pairing, or without any application-level authentication?)
  3. Write a Frida script that hooks the Android BluetoothGatt class to intercept BLE communication
  4. Discuss the unique risks of BLE vulnerabilities in medical device contexts
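An added example for task 3 (not the chapter's code): Frida hooks on android.bluetooth.BluetoothGatt that log every characteristic read, write and notification, plus a decoder for the standard Heart Rate Measurement characteristic (0x2A37) as a worked case of turning intercepted bytes into something meaningful. The decoders are pure and testable in plain Node; the frame decoded at the bottom is constructed, not captured from a device.

```javascript
// Added example for Exercise 30.13 (not the chapter's code).

// Java byte[] values arrive as signed bytes; mask to print them as hex.
function toHex(bytes) {
  const out = [];
  for (let i = 0; i < bytes.length; i++) out.push(((bytes[i] & 0xff) | 0x100).toString(16).slice(1));
  return out.join(" ");
}

// 16-bit UUIDs assigned by the Bluetooth SIG sit inside the base UUID;
// anything else is vendor-specific, which is where a device's own protocol lives.
function shortUuid(uuid) {
  const u = String(uuid).toLowerCase();
  const sig = /^0000([0-9a-f]{4})-0000-1000-8000-00805f9b34fb$/.exec(u);
  return sig ? "0x" + sig[1].toUpperCase() : u;
}

// Heart Rate Measurement (0x2A37): a flags byte, then the rate as uint8 or,
// when flags bit 0 is set, as uint16 little-endian. Bit 2 says whether
// sensor-contact detection is supported; bit 1 then says whether contact is detected.
function parseHeartRate(bytes) {
  const flags = bytes[0] & 0xff;
  const wide = (flags & 0x01) !== 0;
  const bpm = wide ? (bytes[1] & 0xff) | ((bytes[2] & 0xff) << 8) : bytes[1] & 0xff;
  const sensorContact = (flags & 0x04) !== 0 ? (flags & 0x02) !== 0 : null;
  return { bpm, sensorContact };
}

function describe(characteristic) {
  return shortUuid(characteristic.getUuid().toString());
}

function installGattHooks() {
  const Gatt = Java.use("android.bluetooth.BluetoothGatt");
  const Char = Java.use("android.bluetooth.BluetoothGattCharacteristic");

  // Writes: before API 33 the value lives in the characteristic object;
  // from API 33 it is passed as the second argument.
  Gatt.writeCharacteristic.overloads.forEach((ov) => {
    ov.implementation = function () {
      const ch = arguments[0];
      const value = arguments.length > 1 ? arguments[1] : ch.getValue();
      console.log(`[gatt] write ${describe(ch)} <- ${value ? toHex(value) : "(null)"}`);
      return ov.apply(this, arguments);
    };
  });
  Gatt.readCharacteristic.implementation = function (ch) {
    console.log(`[gatt] read ${describe(ch)}`);
    return this.readCharacteristic(ch);
  };
  Gatt.setCharacteristicNotification.implementation = function (ch, enable) {
    console.log(`[gatt] notifications ${enable ? "on" : "off"} for ${describe(ch)}`);
    return this.setCharacteristicNotification(ch, enable);
  };
  // Incoming data: before API 33 the app's callback fetches it via getValue().
  // On API 33+ the value is handed to onCharacteristicChanged directly, so
  // for that case hook the app's own BluetoothGattCallback subclass instead.
  Char.getValue.implementation = function () {
    const value = this.getValue();
    if (value !== null) console.log(`[gatt] value ${describe(this)} -> ${toHex(value)}`);
    return value;
  };
}

// Stand-alone usage in Node: decode a constructed 0x2A37 frame.
console.log(parseHeartRate([0x01, 0x48, 0x00])); // bpm 72
if (typeof Java !== "undefined" && Java.available) Java.perform(installGattHooks);
```

Once the hex stream is visible, the medical-device questions in task 4 become concrete: which characteristics carry commands, whether writes are accepted without bonding, and whether anything in the frame authenticates the sender.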

Exercise 30.14: Mobile App Penetration Test Report (Advanced)

Perform a complete mobile application penetration test against a practice app (DIVA, InsecureBankv2, or similar) and produce a professional report including:

  1. Executive Summary
  2. Scope and Methodology
  3. Findings, each with:
     - Severity rating
     - OWASP Mobile Top 10 mapping
     - Description and evidence (screenshots)
     - Impact assessment
     - Remediation recommendation
  4. Positive observations (security controls that were effective)
  5. Strategic recommendations

Exercise 30.15: MedSecure Mobile Threat Model (Advanced)

Create a comprehensive threat model for MedSecure's provider mobile application:

  1. Identify all assets (patient data, authentication tokens, BLE commands, session data)
  2. Map the data flows (app to API, app to BLE device, app to local storage)
  3. Identify threat actors (malicious app on same device, network attacker, physical device access, rogue BLE device)
  4. For each data flow, identify threats using STRIDE:
     - Spoofing
     - Tampering
     - Repudiation
     - Information Disclosure
     - Denial of Service
     - Elevation of Privilege
  5. Propose mitigations for each identified threat
  6. Prioritize mitigations based on risk and implementation effort