Editor's note

Recommendations

Info

Figure 1. Android test platform tool that can be used for many purposes. Some features which are particularly useful are: • The ease with which a user can find relevant information about exposed application attack vectors • Command-line interaction with applications on the device in order to find vulnerabilities • The ability to write proof-of-concept exploits for vulnerabilities using a range of pre-defined commands removing the need for custom application writing in order to perform tests against a target vulnerability The advantage of this approach is that you are able to obtain wide coverage across the phone and attempt exploitation without continually rebuilding and deploying code. The toolkit we developed at MWR is called Mercury and will soon be available so that security testers everywhere can benefit from the flexibility it brings to the testing process. The tool is still under development but it has already proven itself as a viable and scalable approach to Figure 2. Commands starterkit 02/2011(2) MOBILE PENTESTING security testing on the Android platform. As a teaser here are a couple of screenshots of what you can expect. Apple iOS Testing I will offer you a warning before you start considering auditing or testing an App that has been written for iOS, you won’t get very far without a Mac to help you! That isn’t an advert for Apple, it’s a reality check that developing for iOS is pretty near impossible without a Mac and performing security testing is going to be severely limited without one. When it comes to testing iPhone, iPod or iPad Apps you will be in one of two situations, you will have source code or you won’t. I’ll start with the case that you have source code as that is much easier and even if you do have it you will likely want to use elements of the black box approach as well. On iOS your source code review will focus on the same types of things as on any other type of code, the areas that handle user controlled data, control network activity and handle security tokens of any kind. To find vulnerabilities in iOS code you will need to know Objective C and have a good grasp of the types of poor coding practice that make more traditional C or C++ applications vulnerable to attack. One of the most effective methods of honing in on bugs is to gauge what type of background the developer or developers have come from. They will typically be either more experienced coders who have encountered C or C++ but use the wrong bits of their knowledge and thereby introduce memory corruption bugs or developers who are new to programming and more likely to stick to Apple objective C libraries; however, are generally less experienced in secure programming. So no matter who has written the code you have a good chance of finding security bugs! The more complex part of testing an iOS application often comes when you are looking to test an App that you haven’t been given the source for. Often this occurs when an organisation wants some assurance about the security of an application they bought from a 3rd party where they are only provided with it in its compiled format or when you just fancy taking a look at something from the App Store. In this situation, outside of playing with the application on the device and testing its advertised features, Page 16 http://pentestmag.com
you need to get stuck in at the technical level. You will be able to follow a similar pattern for the analysis as with Android except for the fact that the platform doesn’t have the concept of IPC endpoints for inter-app communication. Be warned though, reverse engineering Objective-C is not easy! You may also need to consider jailbreaking the device which you also do at your own risk. If you want to put together a toolkit you should ideally include the following things: • A Mac • Xcode and other Mac development tools, Instruments on Mac OS/X is handy to have • iPhone emulator • An iPhone, iPod Touch or iPad • IDA Pro for reverse engineering Maybe I’ll be able to give you some more detailed advice in the future but hopefully you can make a start with this! Microsoft Phone 7 Testing As mentioned at the start of this article the Phone 7 platform is closed and the security model was only recently talked about publicly. If you would like to know more about the platform and how security is enforced then take a look at some of the research already conducted by Alex Plaskett of MWR InfoSecurity (http:// labs.mwrinfosecurity.com/projectdetail.php?project= 15). I would recommend that as the starting point for anyone who is interested in testing any aspect of the platform. On the Phone 7 platform all Apps run in very tightly confined chambers and developers are only able to use Managed code in their Apps. In addition each App runs in its own sandbox within the least privileged Figure 3. Security levels starterkit 02/2011(2) chamber (LPC) on the device as illustrated in the following diagram (Figure 3). The security levels and chambers in the Windows Phone7 security model. Therefore, if you would like to test Apps on the platform I would suggest starting by looking at the permissions that are requested by the App to determine the exact attack surface you have available to you. Additionally, you can use tools like .Net Reflector to decompile the App although be warned that you may find it obfuscated and not easy to make progress with. One thing is certain, you should keep your eyes open for developments in the testing approach for this platform as more information could be released at any time. Conclusion It may be easy to categorise mobile technology as smartphone or tablets but it’s less easy to come up with a one size fits all approach when thinking about security testing. Each platform will require you to gain knowledge about its security features before you start your testing and you will also need to build up your toolkit which may require you to go out and buy some hardware and software. There are some free tools out there that can help you but as things stand you may be forced to dig into your pockets to buy some bits of kit. There are now mobile security testing courses starting to be run at the major security conferences but my advice would be to select one carefully before handing over your hard earned cash. If you want to use the knowledge gained to enable you to perform testing yourself you had better make sure your get a good teacher as there is still an undiscovered world of security bugs out there and a checklist approach won’t enable you to catch them all. The most important advice I can offer you though is get stuck in and give mobile bug hunting a go as you are certain to see the rewards for your efforts! MARTYN RUKS Martyn Ruks is Technical Director at MWR InfoSecurity and has over 10 years experience in the information security testing and research elds. He has previously worked as a security tester and consultant across a wide range of projects that has provided him with a wealth of knowledge about how to test a variety of platforms for security vulnerabilities. Martyn is most well known for his research into IBM’s WebSphere MQ from which he created a testing methodology and toolkit for the platform. His previous research had centred around a number of the more exotic networking protocols and is now engaged on a retro research project in an attempt to nd security bugs in networks of BBC Microcomputers from the 1980’s. Page 17 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15: AndroidManifest.xml file. This cent
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?