Editor's note

Recommendations

Info

MOBILE PENTESTING Mounting a Mobile Masquerade? The sensitivity and value of data on mobile devices increasingly suggests the need for protection via some form of point-of-entry authentication. This article examines some of the methods that that are available on current devices, and highlights some of the limitations that might be encountered when using them. It’s no exaggeration to suggest that mobile devices, and particularly smartphones, can now present highly valuable targets; not just because of their physical value but also thanks to the data that people are prone to storing on them. In addition to holding a wealth of personal data, they can increasingly provide a good level of access to company and corporate data (with things like email and contacts being chief amongst these). With such a valuable asset to be protected, this article examines the forms of protection that are available to thwart an impostor at the authentication level. Although mobile devices have offered authentication safeguards for many years, it is fair to say that many users have managed to ignore them. The reason here is often that they overlook the value and sensitivity of what they’re carrying around in data terms, and so similarly overlook the need to protect it. While the situation has improved with smartphones, there are still plenty of users whose security practices haven’t caught up with their technology usage. Indeed, if you ask an audience how many of them don’t use a PIN (or similar) to protect their mobile handset, a good number of hands normally go up. However, a fair few of the same hands also go up when asked whether their phone is holding data that they think ought to be protected. So, with users that don’t bother or don’t see the need to set a PIN, there are consequently many cases in which penetrating the device requires no more than physically starterkit 02/2011(2) acquiring it. Many users seem to assume that this is the very reason that they don’t need to worry about controlling access, because they intend to keep the device with them and consider that it is protected as a result. However, there’s significant evidence to show that mobiles are very much prone to loss and theft. For example, survey findings from CREDANT Technologies showed that, over a 12-month period, almost 4,400 smartphones and tablets were left behind in a cross-section of US airports (CREDANT. 2011. CREDANT Survey Finds Consumers Left Thousands of Laptops and Smartphones at Airports Across the United States, Press Release, 12 July 2011. http://www.credant.com/news-a-events/press-releases/ 238-credant-survey-finds-consumers-left-thousands-oflaptops-and-smart-phones-at-airports-across-the-unitedstates.html). Based on other survey findings, it’s then a fair bet that many of these would have been unprotected against further access. Even if a PIN is used, a 4-digit code is significantly less than we’d be encouraged to use in order to protect the same data elsewhere (e.g. on a desktop system). However, affording the same level of protection is less than straightforward. For example, while almost transparent to many users when they’re sitting at a fullsize keyboard, entering a password can prove most unfriendly when you have to tap it in one-handed on a mobile device. They keys are small and fiddly, and can be particularly awkward if you’ve used a ‘strong’ Page 18 http://pentestmag.com
password and then end up having to switch character sets to get the numbers and punctuation characters to appear. As a result, the relatively lengthy interaction required to enter the password may be too much effort to go through; particularly on a device that can be repeatedly going in and out of your pocket in order to perform quick tasks. In some cases, tapping in the password could end up taking longer than the thing you want to do. As a result, striking an acceptable balance between the protection and usability is actually quite a challenge to tackle. Predictably Insecure Numbers? The most common form of authentication on mobile devices has undoubtedly been based around Personal Identification Number (PIN) codes, with interfaces similar to Figure 1 dating back to the earliest handsets. However, for many users this has proven to be an unsatisfactory approach, with some finding it inconvenient to use and some considering it insufficient protection anyway. Add to these the folks that aren’t too fussed in the first place, and we have a variety of reasons why the available mechanism might not be used. Even if they use a PIN, there’s a fair chance that people aren’t using it particularly well, thanks to the opportunity to choose obvious and weak sequences. Research findings from Daniel Amitay help to put some numbers to this, based on a study of iPhone passcodes and the choices that users made (Amitay, D. 2011. Most Common iPhone Passcodes, 13 June 2011. http://amitay.us/blog/files/most_common_iphone_ passcodes.php). From almost 205,000 recorded passcodes, almost 4.5% of them were found to be the sequence 1234; so put another way, this means that there’s not much more than a one in twenty chance of picking up a phone and finding that it’s locked with this particular PIN. The findings further determined that, although 10,000 permutations were theoretically available, 15% of choices logged in the sample group were based upon just ten different PINs (including the starterkit 02/2011(2) aforementioned 1234, as well as 0000, 1111 and other guessable options). The prominence of 198x and 199x sequences in the wider set of results also enabled Amitay to infer that a fair number of the other owners were using their year of birth as their passcode. In the early days, such PIN protection was arguably commensurate with the range and volume of data being held on the devices, but over time security has not evolved as quickly as other capabilities. So, as handset storage, communication and software capabilities have rocketed, the most common enhancement to user authentication until relatively recently has simply been to allow a password instead of the PIN. With this in mind, let’s take a look at how the latest platforms are taking things forward. Advancing The Authentication Alternatives After years of very little changing with mobile device authentication, the last couple of years have seen a few departures from the norm, with the most obvious ones appearing on the Android platform. In addition to standard PINs and password options, this allows users to unlock their handset by drawing a secret pattern. The interface is depicted in Figure 2, and works by drawing a pattern to connect the dots. The pattern can be 4-9 dots in length, and can use them in a variety of combinations (although certain combinations cannot be achieved; for example, it is not possible to connect the corner dots directly to each other without selecting another one in between). A first comment from the security perspective is that, unless the user is careful when they’re entering the information, then the pattern unlock process can be very observable; far more so than similar length PIN. Figure 1. The traditional view of mobile authentication Figure 2. Android pattern unlock Page 19 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17: you need to get stuck in at the tec
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?