Mobile Security Challenges: Swiss Knife for Android and iOS!

TL;DR: Are you interested in Mobile Application Pentesting and you don’t know where to start?

TL;DR2: Are you a developer or security analyst and want to introduce yourself in the Mobile Security World (Android/iOS)? Today is your lucky day!

The Just Mobile Security Team is glad to present a very interesting list of Mobile Security Challenges. It is a list of challenges obtained from multiple resources, such as CTFs, Hacking Communities, Hacking Blogs, etc., that we consider to be effective to practice and learn a lot about mobile security.

In this post, we will not cover the resolution of the challenges. Instead, we are going to list and briefly explain each challenge so you can decide which challenge is considered the most appropriate for you and go for it.

Let’s start with the most popular of all: DVIA-V2 by Prateek Gianchandani. We will not be explaining this application deeply because there is a lot of public information about it.

DVIA-v2

Damn Vulnerable iOS App (DVIA) is an iOS application that is vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This project is developed and maintained by @prateekg147. The vulnerabilities and solutions covered in this app are tested up to iOS 11.

• DVIA-v2 by prateek147

OWASP MASTG

The following are a collection of mobile reverse engineering challenges created by the OWASP Community. These challenges are used as examples throughout the OWASP Mobile Application Security Verification Standard and they are an excellent option for practicing pentesting on mobile applications.

• MASTG Android Challenge 1
• MASTG Android Challenge 2
• MASTG Android Challenge 3
• MASTG Android Challenge 4
• MASTG iOS Challenge 1
• MASTG iOS Challenge 2

Mobile Hacking Space (MHS)

Mobile Hacking Space is a Spanish community by and for mobile security enthusiasts created in 2020 and they present this space every year in the Ekoparty Security Conference and include a dozen talks on various topics related to security in mobile devices and applications, including explanations of malware campaigns, code injection in apps, analysis laboratories for iOS and Android, secure development, pentesting, exploitation of apps, and much more!

In addition, every year it carries out a mobile CTF that keeps more than one person awake all night solving challenges.

Today, we bring with great joy these challenges to you so you can solve them. Feel free to share the resolution with us.

• Mobile Hacking Space Challenges

Headbook

Headbook is an iOS CTF created by Ivan Rodriguez, which is oriented for beginners at iOS applications pentesting. Each one of the two challenges has 5 flags hidden for you to find, and the main idea is to inspire the new generation of pentesters into the mobile security world, specially in iOS.

• Headbook-v1.0 by IVRodriguez
• Headbook-v2.0 by IVRodriguez

Injured Android

Injured Android is a Vulnerable Android application created by Kyle Benac with CTF examples based on bug bounty findings and exploitation concepts. This vulnerable application can also be found in the Android Play Store. It includes tips for solving the different challenges.

• InjuredAndroid by B3nac

RootBeer

Root beers is a little bit of an old application used for root check validation. The application is quite funny because it looks like a beer and if you install it within a rooted device, it looks like a full beer. It’s very useful for checking typical and custom checks related to root implementation.

• https://github.com/scottyab/rootbeer

CyberTruckChallenge19

CyberTruckChallenge19 is a vulnerable application which stands for being an uncrackable app, it even comes with a tamper proof button that you can activate in case you are an experienced Android reverser to make the challenge more difficult. The challenge consists in a new mobile remote keyless system “CyberTruck” that has been implemented by one of the most well-known car security companies “NowSecure Mobile Vehicles”. The car security company has ensured that the system is entirely uncrackable and therefore attackers will not be able to recover secrets within the mobile application.

• Cybertruckchallenge19 by NowSecure

Also, remember that, if you don’t know where to start, you can read the amazing methodology documents maintained by the OWASP community.

• MSTG
• MASVS
• OWASP TOP TEN

If you want to read a summary about those methodologies for mobile writing, you can access here !

Stay in touch for new content related to mobile applications! #mobile #security #mobileapps #cybersecurity #owasp-mobile #owasp-top-ten #mstg #masvs