Editor's note
Editor's note
Editor's note
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
understanding why testing mobile applications and the<br />
platforms they sit on is important. Whereas in the past<br />
our phones were largely a static mass of code that let<br />
us make phone calls and send SMS messages they<br />
are now multifunction devices that run a dynamic set<br />
of applications with a complex ecosystem surrounding<br />
them. Whether you are interested in the security of an<br />
entire handset or tablet or just a single application there<br />
is now an extensive attack surface to consider.<br />
The implication of all this is that whether you are using a<br />
phone within a business or are releasing an App for your<br />
userbase you need to understand the risks that exist. Even<br />
if you are simply releasing an App to the public there are<br />
lots of risks that you need to consider, does the application<br />
expose your user’s information either to another App on<br />
the device or whilst in transit across a network? Does<br />
the application make the user’s entire phone more<br />
vulnerable to attack, thereby putting all their data at risk<br />
of compromise? If you need to find an answer to those<br />
questions you need to understand the security model of<br />
the platform in question and you need to perform some<br />
level of security testing or similar assurance activities.<br />
The Prerequisites for Testing<br />
If you are going to look at any mobile platform, just as with<br />
any other area of security testing or research, you need to<br />
have an environment you can use to for your testing. There<br />
are effectively four things you will need for any platform<br />
although the ability to obtain all of these and the cost<br />
overhead associated with them will vary across platforms:<br />
Phone or tablet hardware<br />
There is nothing like the real deal with hardware to test<br />
out your findings on and to understand how the platform<br />
works in the real world. Whilst on some platforms you<br />
can get away with just using the emulator provided by the<br />
vendor you will find these often have less attack surface<br />
than the real device. Also, If your objective is to go out<br />
and find real world vulnerabilities before anyone else<br />
don’t underestimate the benefit of looking at code written<br />
by the OEMs before they ship their own hardware as this<br />
will be a rich source of bugs just waiting to be found.<br />
Development Environment and Compiler<br />
If you want to find and exploit vulnerabilities on the<br />
platforms it certainly pays to have a development<br />
environment and compiler available to you. One of the<br />
most common methods for exploiting vulnerabilities in<br />
mobile Apps is to write your own malicious App that can<br />
attack from the inside and to do that you w ill need to<br />
either write or modify some code. On some platforms<br />
you will not be able to side load your apps without<br />
a special developer unlocked device or publishing<br />
starterkit 02/2011(2)<br />
through the platform’s application store but on many<br />
you will be able to write and run your own code.<br />
Emulator and Debugger<br />
Even if you have your own shiny hardware to play with<br />
you will find an emulator and debugging tools invaluable in<br />
your efforts to find and exploit security bugs. An emulator<br />
will give you freedom to experiment and debug to your<br />
heart’s content and in many cases will even let you test<br />
shellcode you can port directly to your hardware.<br />
Scripting language or interface<br />
In any form of security testing you will need your<br />
favourite scripting language close at hand. Whether it<br />
s for some adhoc fuzzing, sending some data over the<br />
network or delivering a payload for that remote code<br />
execution vulnerability you just found you can be sure<br />
that a scripting language will be your friend.<br />
Testing Mobile Platforms<br />
Whilst mobile platforms all have their own eccentricities<br />
and differences from those which they evolved from, if<br />
you are going to understand a mobile security model<br />
of the platform you should know about the Operating<br />
System you are interested in. It’s not within the scope<br />
of this article to talk extensively about security testing<br />
against Linux, Windows CE or any of the other platforms<br />
that are the foundation of today’s mobile platforms. If<br />
you are going to be performing a mobile security test<br />
the area you will probably need most support with is in<br />
assessing the applications that run on top of the OS and<br />
most importantly how significant any vulnerabilities you<br />
find actually are. So my message is don’t overlook the<br />
security of the mobile platform itself but there are plenty<br />
of resources out there already and certainly don’t leave<br />
your standard tools behind if looking at this!<br />
One other thing to consider is the way the platform will<br />
be used in the environment it is destined for. You may<br />
be focussing on the OS and the Apps that run on top of it<br />
but there are much wider considerations. For example,<br />
is a corporate policy being enforced, is corporate and<br />
user data segregated, can data be pushed into a cloud<br />
based service and how are backups and other important<br />
admin tasks handled. Make sure you don’t forget about<br />
these when assessing any mobile platform or solution.<br />
With the platform covered off lets now get stuck into<br />
testing the mobile Apps themselves.<br />
Google Android Testing<br />
If you are looking for vulnerabilities in applications on<br />
any of the major mobile platforms it could be argued that<br />
Android is one of the easiest to find them in, if you know<br />
what to look for! The reason why is explained here:<br />
Page 13 http://pentestmag.com