Bug Bounty Hunting Tips #2 — Target their mobile apps (Android Edition)
If you read through the disclosed bug bounty reports on platforms such as hackerone.com, it is clear that most bug bounty hunters are targeting web applications and neglecting the mobile application landscape. This is an opportunity you can take advantage of.
I’ve had a lot of success recently looking at mobile apps, specifically Android applications. After searching online for decent training material I stumbled upon the Udemy course Android Application Penetration Testing, which has proven invaluable. (Disclaimer: I get no financial gain or anything else out of linking to this course, other than more competition in the Android bug bounty space.) 4.5 hours of training at 2x regular playback speed and you’re in a good starting position.
Just as with web applications, the OWASP Mobile Top 10 is very useful for identifying the vulnerability classes to look for. My personal favourites are:
- M2 — Insecure Data Storage
- M3 — Insecure Communication
- M4 — Insecure Authentication
- M6 — Insecure Authorization
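As an added example (not from the original post or the course it mentions), here is a small static triage script that checks an app's AndroidManifest.xml for settings that map onto three of the categories above: cleartext traffic permitted (M3), backups and debugging left enabled so private app data can be pulled off a device (M2), and components exported without a permission (M6). The manifest embedded in it is constructed for the demo and does not describe any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not taken from any real app) with several weak settings.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:allowBackup="true" android:usesCleartextTraffic="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>
"""

def _attr(el, name):
    """Read an attribute from the android: namespace (ElementTree keys them as {uri}name)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Return (owasp_category, finding) tuples for weak settings visible in the manifest."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    # M3 Insecure Communication: plaintext HTTP explicitly permitted for the whole app
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("M3", "usesCleartextTraffic=true permits plaintext HTTP"))
    # M2 Insecure Data Storage: backups default to on, so private files end up in adb backups
    if _attr(app, "allowBackup") != "false":
        findings.append(("M2", "allowBackup is not false: app data is included in adb backups"))
    if _attr(app, "debuggable") == "true":
        findings.append(("M2", "debuggable=true: private app data is readable via run-as/debugger"))
    # M6 Insecure Authorization: components reachable by any other app with no permission required
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        is_launcher = any(_attr(a, "name") == "android.intent.action.MAIN"
                          for a in comp.iter("action"))  # launcher activity must be exported
        if (_attr(comp, "exported") == "true" and not is_launcher
                and _attr(comp, "permission") is None):
            findings.append(("M6", "%s %s is exported without a permission"
                             % (comp.tag, _attr(comp, "name"))))
    return findings
```

Run `audit_manifest` over a manifest decoded from a test build (for example with apktool) to get a first list of things to verify by hand; a clean result only means nothing was visible statically.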
Tools and Resources
To get started with Android you’re going to need the following installed on your testing machine:
- Java and the JDK
- Android Studio, to run emulated Android devices and capture debug information from apps