Rabbit Hole Adventures: AppSec Teaser
I’m not saying that putting on makeup will change the world or even your life, but it can be a first step in learning things about yourself you may never have discovered otherwise. At worst, you could make a big mess and have a good laugh. - Kevyn Aucoin
This is just a teaser and the adventure will be short, but I do hope you will join me on this journey.
Mobile applications, while we use them every day I had one main goal to learn how to identify vulnerabilities. Heads to google chrome, and enter text;
tools for mobile security into the search bar. Well, that was the wrong way of starting it but it got me somewhere.
While learning how to review a mobile application if you are in my shoes right now reading this blog looking for a tool to do so out of the box, just stop right there ⛔⛔⛔.
In this blog post, I am going to give four lessons that I learned and will be using in my everyday engagements.
- Lesson 1;
Set your goals; having a set of goals allows you to narrow your research and be precise about what you are looking for. (Example; what kind of test do you want to conduct and why).
- Lesson 2;
Cover the basics; you have to know what the application does, how it works and how the functions were implemented for them to work. (Example; what is SSL pinning and how does it work).
- Lesson 3;
Take your time to read and understand; once you have learned and grasped a concept the road will be easy for you to practically give it a try. If you have got the time you can create a small application that is implementing SSL pinning or you can draw how SSL pinning works down on a sketchbook.
- Lesson 4;
Do it manually first; this is something my friends who have grasped unique techniques have iterated each time when we have a sit down with them, that before you go ahead and run a tool, first try doing it manually.
Before I got to learn what application security is, I felt like I had a hammer and never knew where to start to look for holes to break. I got to learn this the hard way and I am proud that everything was a success, It was interesting and I will take this knowledge and finish a mobile application CTF series I have been sitting on, for a while now.
This time I don’t have any resources to share but I would be happy if you would share any resources to keep me going on this journey, here is my Twitter handle @th3_gr00t.