Faudhzan
Rahman

Hi guys, It's me again. Today I'm writing to share on a module which would help starts your journey in  Mobile Application Penetration Testing.  As of year 2025, most of the application would require at least Android 10 version. That means most of the old phone you have would be out from being converted into a testing device. The thing about older android version is that, it is much easier to install a user certificate. Easier way to install user certificate means easier way to setup your Android testing device. Starting from Android 11 , the setup become much harder. You can read further below. https://httptoolkit.com/blog/android-11-trust-ca-certificates/ Below blog is the way that I used (super tedious) before to install a user certificate as root level. https://medium.com/@lightbulbr/install-burp-ca-as-a-system-level-trusted-ca-android-11-rooted-physical-device-5542fe96345f For testing purpose, we would need Burpsuite certificate to be installed as root level. Lucky for ...

Hi guys. It's been a while since I last shared anything useful here. Nothing much lately. Only normal day to day testing.  Today I would like to share something which is quite useful for mobile testing for Android devices. If you are using a real device instead of an emulator, this would help you. https://github.com/Genymobile/scrcpy This application mirrors your android devices. It is super useful when you need to share screen or doing demonstration to your client or colleagues. Like if you stumble upon an error during testing and your client wanted you to demonstrate it to them, this is the best application you can use. Below is the example of screenshot of my OnePlus device. As of this year, I managed to root and push all necessary security related things into my OnePlus 6 (Android 11) . My previous testing device which is the Nexus 5x was dead/bricked after I tried to upgrade Magisk version. Rest in pepperoni my best device. *sobs For Android 11+ , its kind of hard to actually...

 Hi guys. Been a while since I last share something. So, for today I would like to share some knowledge regarding source code review.  *I'm still beginner in doing source code review. Recently I've been tasked with doing source code review for some organization and the language used for the application is ASP .NET MVC 5.0. As you all know that this language is now EOL. The last update is on 28 November 2018. This is my first time encountering this language. Before that, below is the list of tools commonly used when doing source code review that is completely free:- 1) Visual Code Grepper (VCG) - https://github.com/nccgroup/VCG 2) Sublime Text - https://www.sublimetext.com/ 3) Notepad++ - https://notepad-plus-plus.org/downloads/ Surprisingly, when running tools such as VCG, I did not found any sql query in the file. I did some research on how the language handle sql query. Also my colleague point out that the sql query is normally handle by .dll file for the lang...

Hi peeps, It's been a while since my last post. Been busy. So, for today I would like to share on how to setup RMS (Runtime Security Mobile) in Ubuntu 18.04. RMS -  https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security "Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime." "You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff." This is a continuation of my post here  https://faudhzanrahman.blogspot.com/2019/09/setting-up-mobsf-in-ubuntu-1804.html  where I did a setup on MobSF.  I'm currently trying to set a box where it contains all sort of testing tools specifically for mobile . Now I have both MobSF and RMS setup in this box which is the Ubuntu 18.04. The same reason of setting RMS in this box is because the requirements fits Ubuntu 18.04. T...

Hi guys, Today I will share some of the tools used by me when testing Mobile Application for Android. These are the application that you might need when testing Mobile Application. Currently I'm using physical device (Nexus 5x). The apps used and how to use them might differ depending on whether you are using physical device or emulator. Below are the apps used:- Magisk Manager - to root phone or hide root from application Root Checker - to check root status RootCloak - to hide root status from application apk-signer - to sign apk after compile/decompile process SSLUnpinning - to bypass SSL pinning on application APK Editor - to edit the apk to bypass SSL pinning or root detection Xposed Framework - to add modules sqlite (Titanium Backup) - to read local database All-in-one " Frida " - multipurpose superb application that covers most of the above functions Most of the time, we need rooted device to install all of the above application. So, yo...

Hi guys. It's been awhile since I post something. Today I will share some insight on dealing with encryption on mobile application. As you all know, these days every mobile application have some sort of encryption in order to " secure " it. In most cases, encryption only been used to divert the main issue. For example, the developer does not practice secure coding that pretty much ends up with a lots of security issue in the application. So, to solve this issue, they simply use encryption to simplify their work instead of fixing the code.   In some cases, the developer might expose the secret key or hard-coded the key in the application. The secret key can be used to decrypt the data. Now, lets see some of the example. *Do note that this can only be done if you have the key 1 ) When dealing with android application ( apk file ), we can use jadx to decompile the apk and search for the key. Below is the example of the key.   2 ) After getting the key, we ca...