Chapter 6. Server-Side Attacks

This chapter gives an overview of the server-side attack surface of Android apps. We will discuss the possible attacks on an Android app's backend, devices, and the other components in the application architecture. Essentially, we will build a simple threat model for a traditional application that communicates with databases over the network. Understanding the threats an application may face is essential before performing a penetration test. This chapter is a high-level overview and contains fewer technical details, as most server-side vulnerabilities are web attacks that have been covered extensively in the OWASP Testing and Developer Guides.

This chapter covers the following topics:

  • Types of mobile apps and their threat models
  • Understanding a mobile app's server-side attack surface
  • Strategies for testing mobile backends
    • Setting up Burp proxy for testing
      • Via APN
      • Via Wi-Fi
    • Bypassing Certificate Errors
    • Bypassing HSTS
    • Bypassing Certificate Chaining
  • A few OWASP Mobile/Web Top 10 vulnerabilities

The server-side attacks on a mobile backend are predominantly web application attacks. Usual attacks such as SQL injection, command injection, stored XSS, and other web attacks are common in these RESTful APIs. Though there are multiple categories of attacks on an Android backend, this chapter focuses mainly on attacks at the web layer and the transport layer. We will briefly discuss various standards and guidelines for testing and securing a mobile app backend. This chapter shouldn't be taken as a comprehensive guide to web attacks; readers interested in an in-depth reference can refer to The Web Application Hacker's Handbook.
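To make the SQL injection point concrete for a RESTful backend, here is an added example (not code from the book) of a minimal user-lookup handler in its injectable form next to the parameterised fix; the in-memory SQLite `users` table and its rows are constructed for the demonstration.

```python
import json
import sqlite3
from typing import Dict, List

# Constructed sample data standing in for the mobile app's server-side store
# (assumed schema and rows; not from the book).
SEED_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build the throwaway backend database the two handlers below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, body: str) -> List[Dict]:
    """The 'before': a JSON field from the app is spliced straight into the SQL text,
    so the client controls the query structure, not just a value."""
    username = json.loads(body)["username"]
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return [dict(id=r[0], username=r[1], email=r[2]) for r in conn.execute(sql)]


def lookup_user_hardened(conn: sqlite3.Connection, body: str) -> List[Dict]:
    """The fix: a bound parameter keeps the input a value; quoting cannot escape it."""
    username = json.loads(body)["username"]
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return [dict(id=r[0], username=r[1], email=r[2]) for r in conn.execute(sql, (username,))]


# Request bodies as the app would POST them; the second is the textbook tautology
# used here as a regression test that the hardened handler treats it as a literal.
NORMAL_BODY = json.dumps({"username": "alice"})
INJECTED_BODY = json.dumps({"username": "x' OR '1'='1"})
```

Running both handlers against `INJECTED_BODY` shows the vulnerable one returning every row while the hardened one returns nothing, which is the check worth keeping in the backend's test suite.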

Different types of mobile apps and their threat model

As discussed in the previous chapter, Android apps are broadly divided into three types based on how they are developed:

  • Web-based apps: A mobile web app is software that uses technologies such as JavaScript or HTML5 to provide interaction, navigation, or customization capabilities. All web-related attacks are applicable to web-based apps.
  • Native apps: Native mobile apps provide fast performance and a high degree of reliability. They also have access to a phone's various devices, such as its camera and address book. We have already covered client-side attacks in previous chapters; server-side attacks on native apps are mostly attacks on web services, especially RESTful APIs.
  • Hybrid apps: Hybrid apps are like native apps in that they run on the device, but they are written with web technologies (HTML5, CSS, and JavaScript). Vulnerabilities present in both web-based apps and native apps can be found in hybrid apps, so a combined approach helps to do a thorough pentest.