Editor's note

Recommendations

Info

Mobile Security Testing With a new generation of mobile App developers, who have yet to be trained about secure coding practices on the new platforms, has come a wealth of vulnerabilities just waiting to be identified and exploited. The smartphone revolution hasn’t just caught businesses off guard it has also exposed security testers who are often left without the knowledge or toolkits to be able to provide assurances about the security of the mobile platforms and applications they are testing. If you want to know more about how you can become part of the smartphone security testing revolution then read on! Introduction Before we get stuck into discussing how to go about security testing mobile platforms its worth just looking at which ones you are likely to encounter if being asked to perform testing either for a client or for your own enjoyment. The major platforms are currently: • Google Android – This recently became the market leading mobile platform and is very popular with end users who run it on both phones and tablets. Android is an open source platform built on Linux that is used on cheaper lower end devices but can also be very easy to test for security vulnerabilities. • Apple iOS – The original smartphone platform that arguably started this whole revolution and the one time market leader. iOS is a Unix like platform that is derived starterkit 02/2011(2) MOBILE PENTESTING New technology brings with it new opportunities, for developers and for security consultants and penetration testers. Usually we find that new technology brings new opportunities to introduce vulnerabilities and with the mobile revolution we certainly aren’t short of them. from Mac OS X and is designed to run on Apple’s own phones and tablets and there are several challenges associated with finding security vulnerabilities. • Microsoft Phone 7 – The new kid on the block as far as the major mobile platforms are concerned and Microsoft’s partnership with Nokia is certain to help its place in the market. Phone 7 is based on the Windows CE family although it is a closed platform with little information available about its security model. • RIM Blackberry OS – The current favourite of the corporate environment is the now ubiquitous Blackberry. Older devices run a proprietary Blackberry OS but newer incarnations including the Playbook tablet now runs on top of a modified version of the QNX operating system which provides more opportunity for interrogation of its security. There are a number of other smartphone platforms that you may encounter including Nokia’s Symbian and Palm’s WebOS which are now most likely confined to the annals of history. In this article we will focus on three of the platforms mentioned above with the majority of focus on the two market leaders. The Need for Testing Before we get stuck into the mechanics of testing mobile platforms for security vulnerabilities it is worth Page 12 http://pentestmag.com
understanding why testing mobile applications and the platforms they sit on is important. Whereas in the past our phones were largely a static mass of code that let us make phone calls and send SMS messages they are now multifunction devices that run a dynamic set of applications with a complex ecosystem surrounding them. Whether you are interested in the security of an entire handset or tablet or just a single application there is now an extensive attack surface to consider. The implication of all this is that whether you are using a phone within a business or are releasing an App for your userbase you need to understand the risks that exist. Even if you are simply releasing an App to the public there are lots of risks that you need to consider, does the application expose your user’s information either to another App on the device or whilst in transit across a network? Does the application make the user’s entire phone more vulnerable to attack, thereby putting all their data at risk of compromise? If you need to find an answer to those questions you need to understand the security model of the platform in question and you need to perform some level of security testing or similar assurance activities. The Prerequisites for Testing If you are going to look at any mobile platform, just as with any other area of security testing or research, you need to have an environment you can use to for your testing. There are effectively four things you will need for any platform although the ability to obtain all of these and the cost overhead associated with them will vary across platforms: Phone or tablet hardware There is nothing like the real deal with hardware to test out your findings on and to understand how the platform works in the real world. Whilst on some platforms you can get away with just using the emulator provided by the vendor you will find these often have less attack surface than the real device. Also, If your objective is to go out and find real world vulnerabilities before anyone else don’t underestimate the benefit of looking at code written by the OEMs before they ship their own hardware as this will be a rich source of bugs just waiting to be found. Development Environment and Compiler If you want to find and exploit vulnerabilities on the platforms it certainly pays to have a development environment and compiler available to you. One of the most common methods for exploiting vulnerabilities in mobile Apps is to write your own malicious App that can attack from the inside and to do that you w ill need to either write or modify some code. On some platforms you will not be able to side load your apps without a special developer unlocked device or publishing starterkit 02/2011(2) through the platform’s application store but on many you will be able to write and run your own code. Emulator and Debugger Even if you have your own shiny hardware to play with you will find an emulator and debugging tools invaluable in your efforts to find and exploit security bugs. An emulator will give you freedom to experiment and debug to your heart’s content and in many cases will even let you test shellcode you can port directly to your hardware. Scripting language or interface In any form of security testing you will need your favourite scripting language close at hand. Whether it s for some adhoc fuzzing, sending some data over the network or delivering a payload for that remote code execution vulnerability you just found you can be sure that a scripting language will be your friend. Testing Mobile Platforms Whilst mobile platforms all have their own eccentricities and differences from those which they evolved from, if you are going to understand a mobile security model of the platform you should know about the Operating System you are interested in. It’s not within the scope of this article to talk extensively about security testing against Linux, Windows CE or any of the other platforms that are the foundation of today’s mobile platforms. If you are going to be performing a mobile security test the area you will probably need most support with is in assessing the applications that run on top of the OS and most importantly how significant any vulnerabilities you find actually are. So my message is don’t overlook the security of the mobile platform itself but there are plenty of resources out there already and certainly don’t leave your standard tools behind if looking at this! One other thing to consider is the way the platform will be used in the environment it is destined for. You may be focussing on the OS and the Apps that run on top of it but there are much wider considerations. For example, is a corporate policy being enforced, is corporate and user data segregated, can data be pushed into a cloud based service and how are backups and other important admin tasks handled. Make sure you don’t forget about these when assessing any mobile platform or solution. With the platform covered off lets now get stuck into testing the mobile Apps themselves. Google Android Testing If you are looking for vulnerabilities in applications on any of the major mobile platforms it could be argued that Android is one of the easiest to find them in, if you know what to look for! The reason why is explained here: Page 13 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11: Figure 6. Citadel consulting web si
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?