
Enhancing Mobile Security through Comprehensive Penetration Testing

DOI: 10.4236/jis.2024.152006, PP. 63-86

Keywords: Mobile Penetration Testing, Cybersecurity, Mobile Security, Vulnerability Assessment


Abstract:

In today’s era, where mobile devices have become an integral part of our daily lives, ensuring the security of mobile applications has become increasingly crucial. Mobile penetration testing, a specialized subfield within the realm of cybersecurity, plays a vital role in safeguarding mobile ecosystems against the ever-evolving landscape of threats. The ubiquity of mobile devices has made them a prime target for cybercriminals, and the data and functionality accessed through mobile applications make them valuable assets to protect. Mobile penetration testing is designed to identify vulnerabilities, weaknesses, and potential exploits within mobile applications and the devices themselves. Unlike traditional penetration testing, which often focuses on network and server security, mobile penetration testing zeroes in on the unique challenges posed by mobile platforms. It is an essential tool in the cybersecurity specialists’ toolkit for protecting mobile ecosystems from emerging threats. This article introduces mobile penetration testing, emphasizes its significance, includes comprehensive learning labs for Android and iOS platforms, and highlights how it differs from traditional penetration testing methodologies.

