Editor's note

Recommendations

Info

This partly comes down to the action involved, as the drawing of the secret gives an observer a continuous action to watch rather than a series of taps (which are more difficult to keep track of if you’re trying to watch what someone else is doing). Also, if a would-be impostor actually has sight of the user’s screen, then they may be a glimpse of the overall pattern itself, as depicted in Figure 2. Although Android offers an option to make the entry of the pattern invisible, this actually becomes quite difficult for the authorized user to follow (i.e. to keep track of their position in a long pattern) and to tell if they are doing it right. The option to enable tactile feedback (by means of small vibrations) does provide some help here to an extent, but it’s still easy to make a mistake. Once an impostor gets hold of a device, then it’s sometimes possible to determine the unlock pattern from the smudges and smears that the owner’s fingers have left on the screen. In fact, my first practical encounter with the pattern unlock technique was when a one of my students had popped out of the room and left his phone on the table. One of his ‘friends’ then picked it up, looked at the screen, determined the unlock pattern … and quickly changed it to something else. Although it was all done in fun on this occasion, it was a fairly clear illustration of the vulnerability. The feasibility of such attacks has also been recognized in the research community, with academics from the University of Pennsylvania having published a detailed paper on the topic (Aviv, A.J., Gibson, K., Mossop, E., Blaze, M. and Smith, J.M. 2010. Smudge Attacks on Smartphone Touch Screens, in 4th USENIX Workshop on Offensive Technologies (WOOT’10), Washington DC, 9 August 2010. http://www.usenix.org/events/woot10/ tech/full_papers/Aviv.pdf). In the same way that they can choose guessable PINs, there is a risk of users having a tendency towards predictable patterns (indeed, users already do this with PINs, with Amitay’s study revealing ‘2580’ to be the third most popular choice – not an obviously memorable number until you look at the pattern it traces out on the keypad). In addition, there’s a reduced set of permutations compared to an equivalent length PIN, because each elements of the pattern are more likely to adjacent to each other (they don’t have to be, but it’s more likely to happen as a result of the way that many users will starterkit 02/2011(2) MOBILE PENTESTING draw them), and unlike the digits in PIN, the positions in the pattern cannot be repeated. Having said this, the range of valid permutations is still sufficient to ensure that users have the chance to select patterns that are far from trivial to break or predictable to guess. On the positive side, the use of a pattern helps to guard against sharing – it’s hard to describe your pattern to someone when compared to a passing on a password or PIN, and so a user would have to spend time showing someone. However, users may also find long patterns potentially more difficult to remember than a numerical sequence of equivalent length, because they don’t have the opportunity to remember the information as a meaningful string in its own right. However, it is arguable that users with better visual/task memory will find the action of recalling and recreating the pattern to be an easier proposition. In addition to the pattern lock, the latest version of Android, Ice Cream Sandwich (ICS), has taken things further with introduction of face recognition. This leverages the handset’s front-facing camera to enable the phone to unlock when it sees its owner. However, no sooner had this appeared than coverage and commentary started to suggest potential problems, such as the risk of being able to fool the mechanism by showing it a photo of the legitimate user, or difficulty of using it in low light conditions (Kaelin, L. 2011. Android’s face unlock feature could be fooled by photo, TechSpot, 21 October 2011. http://www.techspot.com/news/45953-androids-faceunlock-feature-could-be-fooled-by-photo.html). Given the right lighting, however, it operates very effectively and can certainly be accomplished more quickly and with less effort than entering a PIN or a pattern. Although faults might be leveled at each of the techniques in isolation, a key thing is that Android offers a range of options. So, from a usability perspective, the Figure 3. Variations of the iOS passcode (a) Simple (b) numeric-only and (c) full character set Page 20 http://pentestmag.com
user has an increased opportunity of finding something to suit their preference, and so (in theory at least) has less of a justification for leaving their device unprotected. By contrast to Android’s advancements, the offerings on the iOS platform currently feel a bit limited. Despite Apple actually having been granted a patent on unlocking a device based upon touchscreen gestures (Chaudhri, I., Ording, B., Anzures, F.A., Van Os, M., Lemay, S.O., Forstall, S. and Christie, G. 2011. Unlocking a device by performing gestures on an unlock image, United States Patent 8046721, 25 October 2011), the options available in iOS 5 at the time of writing are restricted to traditional PIN and password approaches, the interfaces for which are depicted in Figure 3. The default mechanism is what iOS terms the Simple passcode, which is basically a traditional PIN, fixed to four digits in length. Notably if you switch this option off, then in addition to letting you choose more complex strings, iOS will also let you get away with a single-digit PIN (which implicitly shows that it’s not doing anything to filter out silly choices either). In terms of enabling the protection, the phone can be set to require the passcode immediately, or after 1, 5 or 15 minutes after the device is switched off (with the further option to auto-lock if left switched on after 1, 2, 3, 4 or 5 minutes, or set not to lock). Looking at the different screenshots in Figure 3, we can make some observations about how the interface differs according to what the user has set as their passcode. With simple passcode switched on (Figure 3a), the entry screen clearly shows that four digits are required, whereas with it switched off the user does not get an indication of the number of characters being expected. It’s notable that the keys in Figure 3c are significantly smaller than those on the numeric-only keypad, and so some users may find it more difficult to enter the information, particularly if they’re trying to enter the passcode on the move. This is unfortunate, as anything that increases the chance of mistakes (and thereby the risk of being locked out after consecutive errors) is likely to reduce users’ willingness to enable it. Thus while it has the potential to offer greater security than something like Android’s pattern lock, the password approach is unlikely to be as appealing to use. Although it doesn’t exactly advertise the fact, a nice touch with iOS is that it also permits you to use a long PIN (i.e. more than the standard 4 digits) and still retain the numeric keypad rather than the full keyboard. The ‘trick’ is to opt to use a password, but then proceed to set something that is entirely numeric. iOS will recognize that it’s only using digits, and then present the numeric keypad rather than the alphabetic one for subsequent entry. This is depicted in Figure 3b, where it is clear that the user has to enter a PIN, but iOS is no longer giving away any clue starterkit 02/2011(2)
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19: password and then end up having to
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?