Logging – Mobile Application Penetration Testing #6

Mobile Application Penetration Testing Logging

Welcome back to the long awaited next entry in Brackish Security’s Mobile Application Penetration Testing series. When conducting mobile application penetration testing, inspecting logs on iOS and Android is a crucial step in understanding how an app behaves, particularly in how it handles sensitive data, error handling, and debugging information. Log files can provide insight into how the app interacts with the operating system, communicates with external services, and manages user data. Sometimes you’ll find new endpoints, sensitive information getting logged, or other errors indicating vulnerabilities in the application, and you know what this means? Some Critical or High findings and/or some of that sweet bug bounty money!

iOS Mobile Application Logs

There are several ways to view iOS logs on MacOS. To start, attach your iOS device to your Mac.

Then, press Command + Space, search for console, then open the console. You should see your attached iOS device on the left hand side. Select your device, and then select Start Streaming.

Mobile Application Penetration Testing

The device logs should now stream in the console app. You can search on the top right to filter for whatever application you need to see the logs for.

In the image above, we are filtering for logs related to the Safari web browser.

Also, on MacOS or Linux you can install libimobiledevice to view the logs in a terminal.

In the above image, after install libimobiledevice, we can run the command

idevicesyslog –process Maps

which gives us the Maps application logs.

Android Mobile Application Logs

Viewing Android application logs is very simple. First you need to install ADB, if you haven’t already.

adb logcat | grep 'com.example.yourapp'

And that is all you have to do. You logs should stream on the command line and be filtered as needed.

Links

Check out the links below for more information on what you should actually be logging in an application and some OWASP Mobile Application Security Testing Guide techniques.

https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/MASTG-TEST-0003

https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0060

The following links are some HackerOne reports of real world bugs found in mobile applications.

https://hackerone.com/reports/56002

https://hackerone.com/reports/462416

Share the Post:

Related Posts

Join Our Newsletter