Chapter 30 Further Reading: Mobile Application Security

Books

  • "The Mobile Application Hacker's Handbook" by Dominic Chell, Tyrone Erasmus, Shaun Colley, and Ollie Whitehouse (Wiley, 2015). The foundational text for mobile application security testing. Covers Android and iOS architectures, reverse engineering, runtime manipulation, and network interception with practical examples. While some tools have evolved, the methodologies remain essential.

  • "Android Security Internals: An In-Depth Guide to Android's Security Architecture" by Nikolay Elenkov (No Starch Press, 2014). Deep technical coverage of Android's security model including the permission system, cryptographic providers, device administration, and VPN handling. Essential background for understanding what Android secures by default and where gaps exist.

  • "iOS Application Security: The Definitive Guide for Hackers and Developers" by David Thiel (No Starch Press, 2016). Comprehensive coverage of iOS security from both offensive and defensive perspectives. Covers Objective-C and Swift security, data protection, network security, and runtime analysis.

  • "Learning Frida" by Andrey Parfenov (Packt, 2023). A focused guide to Frida, covering installation, JavaScript API, hooking techniques, and practical mobile security testing scenarios for both Android and iOS.

  • "Android Internals: A Confectioner's Cookbook" by Jonathan Levin (Technologeeks, ongoing updates). Deep technical coverage of Android internals including the init process, Binder IPC, SELinux, and the Linux kernel. Invaluable for understanding Android's security architecture at the system level.

Standards and Frameworks

  • OWASP Mobile Application Security Verification Standard (MASVS). The definitive standard for mobile application security requirements, organized by verification levels (L1 for all apps, L2 for defense-in-depth, R for reverse engineering resilience). Essential for structuring mobile security assessments.

  • OWASP Mobile Security Testing Guide (MSTG). The comprehensive companion to MASVS, providing detailed testing procedures for every MASVS requirement on both Android and iOS. Regularly updated and freely available. The single most important resource for mobile security testers.

  • NIST SP 800-163 Rev 1: "Vetting the Security of Mobile Applications." Guidance for organizations on evaluating the security of mobile applications, covering app vetting processes, testing approaches, and risk assessment frameworks.

  • OWASP Mobile Top 10. The categorization of the ten most critical mobile application security risks. Updated periodically to reflect evolving threat landscapes.

Research and Reports

  • Citizen Lab. Mobile Security Research Publications. Citizen Lab at the University of Toronto has published groundbreaking research on mobile surveillance, including the Pegasus investigations, Great Cannon, and Dark Basin. Their work demonstrates the intersection of mobile security and human rights.

  • Google Project Zero. "A Deep Dive Into an NSO Zero-Click iMessage Exploit" (2021). Samuel Groß's detailed technical analysis of the FORCEDENTRY exploit is a masterclass in exploit analysis. Required reading for understanding the sophistication of advanced mobile exploitation.

  • Lookout Security Research Blog. Regular publications on mobile threat landscape, including new malware families, surveillance tools, and vulnerability disclosures.

  • Amnesty International. "Forensic Methodology Report: How to Catch NSO Group's Pegasus" (2021). Documents the forensic techniques used to detect Pegasus infections, leading to the development of the Mobile Verification Toolkit (MVT).

Tools and Documentation

  • Frida Documentation (frida.re). Official Frida documentation covering the JavaScript API, Python bindings, and platform-specific usage for Android and iOS. Includes tutorials, API reference, and community resources.

  • Objection Documentation (github.com/sensepost/objection). Documentation for the Objection runtime mobile exploration toolkit, including command reference, usage examples, and integration with Frida scripts.

  • MobSF Documentation (github.com/MobSF/Mobile-Security-Framework-MobSF). Setup guides, feature documentation, and CI/CD integration instructions for the Mobile Security Framework.

  • jadx (github.com/skylot/jadx). DEX to Java decompiler documentation, including command-line and GUI usage, and advanced decompilation options.

  • apktool (ibotpeaches.github.io/Apktool). Android APK reverse engineering tool documentation, covering decompilation, modification, and recompilation workflows.

  • Mobile Verification Toolkit (MVT) by Amnesty International (github.com/mvt-project/mvt). Documentation for the tool used to detect mobile surveillance, supporting both iOS and Android forensic analysis.

Online Resources and Training

  • OWASP MSTG CrackMes and UnCrackables. Practice applications designed to teach mobile reverse engineering and security testing. Available for both Android and iOS with progressive difficulty levels.

  • DIVA (Damn Insecure and Vulnerable App). An intentionally vulnerable Android application designed for learning mobile security testing. Covers 13 challenge categories from insecure logging to input validation issues.

  • InsecureBankv2 (github.com/dineshshetty/Android-InsecureBankv2). A vulnerable Android application for learning mobile application penetration testing, covering a wide range of vulnerabilities.

  • SANS SEC575: iOS and Android Application Security Analysis and Penetration Testing. Comprehensive course covering mobile application security testing methodology, tools, and techniques for both platforms.

  • eLearnSecurity Mobile Application Penetration Testing (eMAPT) Certification. Practical certification focused on mobile application security testing skills, requiring exploitation of real applications in a lab environment.

Blogs and Ongoing Research

  • Oversecured Blog (blog.oversecured.com). In-depth technical analysis of Android vulnerabilities, including detailed exploit write-ups for bugs in popular applications.

  • 8ksec Blog (8ksec.io/blog). iOS and Android security research, including reverse engineering tutorials, vulnerability analysis, and tool development.

  • Google Android Security Bulletins (source.android.com/security/bulletin). Monthly security bulletins documenting vulnerabilities patched in Android, providing insight into the current threat landscape.

  • Apple Security Research Blog and Security Updates (support.apple.com/en-us/HT201222). Apple's security update documentation, useful for tracking iOS vulnerability trends and understanding patched attack surfaces.

  • NowSecure Blog (nowsecure.com/blog). Mobile security research covering application testing, data privacy, and mobile threat intelligence.

Legal Considerations

  • DMCA Section 1201 Exemptions. Understanding the legal framework for reverse engineering in the United States, including exemptions for security research and interoperability testing.

  • EU Computer Programs Directive. European legal framework governing software reverse engineering, generally more permissive than U.S. law for interoperability purposes.

  • OWASP Testing Guide — Legal Considerations. Guidance on legal frameworks affecting mobile application security testing across jurisdictions.