Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

AndroidManifest.xml. An important point to understandis that simply locating a vulnerability, developing anexploit, and triggering the exploit does not guaranteefull access to the Smartphone. However, even minimalpermissions may allow an attacker the ability to collectvaluable information about the victim.Since not all penetration testers have the time toconduct vulnerability analysis and write an exploit it isimportant to note that other options are available thatallow a quicker assessment of the target environment.At DefCon 19, Zimperium unveiled the AndroidNetwork Toolkit which is available from the AndroidMarket free of cost (there is a $10 corporate version).The toolkit allows a penetration tester the ability to scanthe network, check for un-patched phones, and fireolder exploits, with the ultimate goal of arbitrary codeexecution. Another resource available to a penetrationtester is the availability of free and useable exploitsfrom public repositories such as Exploit Database(Figure 3) http://www.exploit-db.com. With theseaccess methods available to penetration testers, whyeven bother analyzing Android malware?Why analyze Android malware?This article is not stating thatmalware analysis is necessarilypart of the pentesting discipline.Rather, this article is trying topoint out the importance of usingother disciplines to increase theeffectiveness of the penetrationtesting. Many in the security fieldare quick to undervalue the studyof malware, unless it reveals theinitial attack vector as they aremostly concerned with how thepenetration occurred. Once theyidentify the attack vector, applycountermeasures, and clean upafter an attack they move onwithout ever conducting in-depthanalysis of any malware placedon the network. This often occursdue to one or a combinationof reasons such as: limitedmanpower, time constraints,and lack of a malware analysisskill set. While these are allvalid problems, not reviewingmalware is a flawed approachas malware can reveal morethan some in the security fieldunderstand.Figure 3. Example of exploits available at Exploit DatabaseFigure 4. Android SDK and AVD ManagerWhen conducting a penetration test to evaluate thesecurity of a network or an aspect of the network,why wouldn’t you test the security in a way that itis actually going to be tested? Regardless of thenetwork, the security mechanisms in place willeventually be tested by an attacker. The attackmay not be targeted, in fact it may be an attempteddrive-by exploit, a user falling for a phishing attack,or simply a user downloading an application witha malicious payload. Malware analysis provides ameans of understanding the attack vector, the intentof the attack, possible persistence mechanisms,its ability to propagate through the network, andsophistication level. All of this intelligence can beleveraged to build improved tests to be used duringa penetration test to ensure that networks are beingtested in a realistic manner.Malware analysis will not usually provide the initialattack vector, but it can reveal how the attackeroperates and this is a very important piece of thepuzzle. Malware analysis can provide details into allof the functionality previously listed and insight intohow attackers are evolving as security measures areput in place to mitigate threats. Google is aggressiveabout removing malicious applications from the05/2011 (5) SeptemberPage 19http://pentestmag.com