So the final section we're going to cover now is testing code quality. And this is actually kind of a broad topic because it doesn't clued reverse engineering the app. But it also kind of includes understanding the code configurations that Europe could have and making sure that you're using secure best practices, making sure that you're using, you know, the free security tools that can harden your app
like S O. R. Or, you know, disabling debugging within your application and making sure that there's no
no external is code that really isn't necessary
and now secure. We take this black box approach and a lot of people do that, too, because really, we want to take this Attackers point of view because what an attacker is going to do is they're going to pull your app off the APP store. They're gonna de compile it. They're going to disassemble it. Depending on the type of appetite is they're going to use common tools to do some analysis.
They're really gonna want to understand how that app runs.
So using developer tools using tools like Frida and radar a toe, actually, you know, reverse engineer app is really common
there's more to this than I'm leaving on. It's a difficult skill and it takes experience. It's something that you learn. Hey, this is something I've seen before. I'm gonna look back on my notes from previous assessments and see Hey, you know what? I saw this happen than the developer did this. Let me go back and look at this app and see if they're doing the same thing.
And maybe, you know,
four times out of five, that might be true. You know that? 15. It might be not true. And over time, that might decrease because developers get better at writing APS. That's the truth.
But let's talk a little bit about what that actually looks like.
So in the case of Android, we are, you know, d compiling that android Apstar Decks code, and there's a couple things we can do to reverse engineer it. If you look at the decks code, it looks pretty ugly. It's something that's not really decipherable, but we can go to small ICO or even Jarkko because remember, you know,
Andrew adapts air just Chaba
or Scotland, and basically they're running any job a machine on your device. They're actually called. It's called the Android Runtime now, but it used to be just a job machine. So what we can do is go to a smiley code, which is less lossy and, you know, we were able to actually see what that like.
Job A machine code looks like if we go a little further back within the bed char code. Easier to the cipher,
but it's a little bit more lossy
on the Iowa side. It's a little more complicated. We're dealing with excusable files that need to be disassembled. So we end up with this execute herbal code that looks kind of like a blob, and we end up with disassembled code, which is just assembly.
We are doing the same type of testing, looking at that code and trying to decipher it and, you know, using their experience to determine what that might do. But the first time you do this, you're gonna look at and wonder. Oh, is this assembly and answers yet? It's assembly.
So the last thing I want to leave you with is a checklist. You're coming to this point now where you've likely gone through these videos. You've listened, and now your kind of thinking. Well, now I have to go out into the real world test mobile lapse. Or now I have to create a policy. And now I have to actually implement everything I watched. So my tip to you is to start off real simple.
Think about these M A S P s stocks this mst g, doc, because they really are useful depending on what you're doing.
The other thing is, get a jail broken rooted device. They are really helpful. They're gonna allow you to use the testing tools that everyone in the industry uses. And that is a huge tip I will give you. And finally, keep in mind that don't trust the app. Don't trust the device. Don't trust the user.
Don't even trust the other APs that the user might have on their device.
Those are things you have to keep in mind when you're securing these APS and considering what threat model they might fall into.
So let's take a quick moment to summarize this video. We went through the pen testing processes. We talked a little bit about the tools you should be using, and finally we came up with some methodologies on how they use those tools and how you should be doing things. Remember to exercise the app.
So we're at the end of the Siri's now. I hope if you have any questions, you'll reach out to me or email me. This was really fun for me, and I hope it was fun for you. Reach out to me. I'm Tony Ramirez, senior application security analyst at Now Secure.