White Paper Abstract:
Mobile application penetration testing is an up-and-coming security testing need that has recently attracted more attention with the introduction of Android, iPhone and iPad platforms, among others. The mobile application market is expected to reach a size of $9 billion by the end of 2011 with growing consumer demand for smartphone applications, including banking and trading. A plethora of companies are rushing to capture a piece of the pie by developing new applications or porting old applications to work with smartphones. These applications often deal with personally identifiable information (PII), credit card and other sensitive data.
This paper focuses specifically on helping security professionals understand the nuances of penetration testing of Android applications. It attempts to cover the key steps the reader would need to understand, such as setting up the test environment, installing the emulator, configuring the proxy tool and decompiling applications. It also provides an introduction to security tools available for the Android platform. To be clear, this paper does not attempt to discuss the security framework of the Android platform itself, identify flaws in the operating system, or cover the entire application penetration testing methodology.