Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

FOCUSMobile ApplicationSecurity TestingMobile apps are more than the sum of their componentsThriving vendor marketplaces (such as iTunes and the Androidstore) encourage the rapid development and deploymentof mobile applications to consumers and businesses alike.Additionally, alternative 3 rd -party download and install marketsopen up as software writers seek opportunities, outside the walledgardens provided by the mainstream stores.Having your software purchased and downloadedby millions of people worldwide has long beenthe holy grail of mobile software developers, butit also attracts the attention of fraudsters who recognizethe accessibility and lack of security features of theseplatforms. The mobile platform opens several attackavenues for malicious software and opportunities todefraud victims due to its lax control mechanisms, andlack of standardization of the user experience offering.Therefore, mobile applications should be designed,developed, and tested having security in mind, muchlike web applications that handle sensitive information.The design and development of mobile applications issignificantly different to thatof traditional client-serversor web applications. Mobileapplications should takeinto account both theenvironment (platform,libraries, capabilities), together with major differences inend-user expectations. Mobile users demand a simpleuser experience (in terms of details), and often requirecompletely different business processes compared withother interaction channels.Security ChallengesThere are two main security challenges to mobileapplications that stem from their usage and limitations:• Insecure Connections• Simplified User ExperienceAny foreign code that runs on the mobileplatform has the potential to alter the userexperience and manipulate the locally storeddata as well as the data in transit.Insecure ConnectionsMobile devices are used in a number of unknown andoften insecure connection profiles (from public Wi-Fi, through rogue cells that proxy communication).This makes them vulnerable to simple attacks notconsidered in the threat modeling of a traditional webapplication. Additionally, insecure communications areoften used to overcome platform limitations and designconsiderations such as: battery consumption profiles,processing speed, and communication overhead.Insecure communicationsfor mobile applicationsexpose several exploitationavenues (including local andremote), and enable fraudulentapplication creation usingextremely simple tools and techniques that are freelyavailable in the market. This not only puts the end userat risk of data loss, but also allows attackers an easyaccess path into the organization that provides servicesthrough the mobile applications. Any foreign code thatruns on the mobile platform has the potential to alterthe user experience and manipulate the locally storeddata as well as the data in transit. Thus fraudsters gaina prime opportunity to conduct their attacks.05/2011 (5) SeptemberPage 22http://pentestmag.com
Simplied User ExperienceThe user interface provided by mobile applicationsdiffers wildly from other interfaces provided for endusers. It aims to provide a simpler and more interactiveexperience. Many times it actually changes theapplication logic behind the business process with thepotential to undermine theintegrity of even the mostrobust existing softwareprocesses.Mobile Application Secure Design andDevelopmentThere are a few ways to deal with these challengeswhen approaching a secure mobile application testingproject:• Mobile Application Penetration Testing• Fraud/Usability TestingMobile Application Penetration TestingMobile applications should be evaluated and testedagainst attacks that take advantage of the exposedexploitation avenues – including local and remote.In order to even start such testing, a mobileapplication testing lab is required – which usuallyconsists of a development PC for disassemblingand simulating the application runtime in a containedenvironment, a mobile device (preferably rooted, inorder to allow closer inspection of the applicationin it’s native environment), and a network thatA fraud/usability test should be conductedto find any loopholes or vulnerabilities in theprocesses or user interface handling.would simulate both the WiFi as well as the cellularconnectivity.The mobile applications and its corresponding serversidecomponents should be tested as part of thepenetration test, which covers both traditional issues (suchas SQL injections and OWAPS top 10 vulnerabilities),together with customfuzzing of any proprietaryprotocols, full analysisof the communications,and any logical issues in the application design andimplementation.One major area of focus should be the seeminglytrivial elements of the communication models usedby the applications. Issues such as establishingsecure communications over an encrypted channelare overlooked too often. Situations such as improperverification of certificate chains, and the lack of usernotification along with a fail open approach that naivelyignores such errors leave mobile applications open toman in the middle attacks that would raise many alarmson a web application.An additional element that should be looked intois the kind of media that the application considersas trusted. Many times, sensitive applications donot consider WiFi connections any different than thatof a 3G one. Moreover, in an attempt to provide abetter user experience, switching from one mediumto another while keeping the session alive is oftenimplemented in such applications. Obviously, thereare different weights to the trustworthiness of aFigure 1. The different scopes in which mobile application security should deal with, as opposed to the common approach where the focusis set almost exclusively on the application itself05/2011 (5) SeptemberPage 23http://pentestmag.com
Page 2 and 3: EDITOR’S NOTE05/2011 (05)Editor:
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21: Smartphone running the version of A
Page 26 and 27: FOCUSAttacking the MobileInfrastruc
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 34 and 35: FOCUSInside AndroidApplicationsBy t
Page 36 and 37: (NEW) STANDARDSNew PenetrationTesti
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 43 and 44: name, IP address and server locatio
Page 45 and 46: Figure 8. User Agent Switcher Menur
Page 47: Say Hello toRed TeamTesng!Security

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?