Penetration Testing mailing list archives
Re: IT Audits/PT's of Smartphones
From: Andre Gironda <andreg () gmail com>
Date: Wed, 10 Aug 2011 11:20:56 -0700
On Thu, Aug 4, 2011 at 7:22 AM, Sheran Gunasekera <sheran () zenconsult net> wrote:
> I'm assuming you mean application vulnerability scanners? As far as I'm aware this is an area that needs improvement.

An automated app crawler would be possible for Android using the SDK emulator and Eclipse DDMS. However, for iOS and BBOS, the apps appear to be much more difficult as there is no full emulator for testing (only simulators that do not have all of the necessary functional testing approaches/components).

> I've done several pentests for applications developed by third-party vendors for my clients. I generally follow this approach:
> 1. Get a copy of the app (usually I get it through the developer; if it's live, you could download it) and reverse engineer it. During this stage I check for:
It is much more efficient to get a copy of the build environment or steps necessary (with source code and commercial third-party components included) to re-create a successful build. This is true even with regards to Android. The arguments are clearly stated here -- http://blog.nvisiumsecurity.com/2011/06/blackbox-vs-whitebox-mobile-security.html -- "With source code for the client-side app, a security tester can execute and debug the app within an IDE. The application still runs on an actual device or emulator/simulator, but the application's flow of execution can be tightly controlled through the IDE. Methodically debugging in Eclipse or Xcode is much more efficient than other methods of testing. Having the luxury to set breakpoints at key areas within the application can give a skilled tester the ability to do magical things".
> a. Storing sensitive data (like login credentials) without adequate protection - like encryption
> b. Hardcoded encryption keys
> c. Algorithms that encode data (e.g. base64) rather than encrypt data

Temporary storage in memory or swap is also problematic, not only for the process of the app, but also for other processes (especially logging).
> For the iPhone, I have my own jailbroken device that I can ssh to. Once there, I can use the standard tools like gdb to debug and otool to disassemble.
You should do a write-up on the procedures you take to do this. I would be very interested, and know many others that are interested as well. In the meantime, check out -- http://trailofbits.com/2011/08/10/ios-4-security-evaluation/
> For the BlackBerry, I've written my own decompiler so that I can decompile .cod files. I just use that to read off the standard Java code.
Can you please put your code up on GitHub and send us the link? If you don't want to release at this time, could you at least point people in the direction of what libraries, system calls, or other software components you used to build the decompiler? I know that the iSec Partners "Mobile Application Security" book covers the concepts, but it's wonderful to contribute to the community, especially early-on ;>
> 2. Often, enterprise apps (like mobile banking, stock trading, etc) will always connect to a server. So I check the communication between client and server. I use the Mallory proxy together with my Ubuntu box and USB wifi adapter to 'break' SSL and look at the plain text traffic. Sometimes, from step (1) above, you can also collect clues as to how the client app will communicate with the server app.
Often, I find that the server app is merely a Web Service and does not appreciate normal HTTP/TLS without XML.
> Sadly, there is a shortage of skilled enterprise app developers. In almost all my pentests, the apps have been nothing more than a BrowserField (BlackBerry) or UIWebView (iOS) that just displays HTML/CSS/JS content on the mobile device. It is nothing more than a web application running on the device. So in cases like these, I just end up focusing a lot on the server and it ends up in a web app pentest instead.
It is my guess that iPad apps like vudu.com will become the standard:
A) Because of the dominance of the iPad and the App Store
B) Because of the licensing restrictions for content, advertising, app capabilities, App Store app reviews/stipulations, etc imposed by Apple
In other words, apps will not even do much except open a Safari instance to a series of HTML5 web applications that are riddled with vulnerabilities. OWASP iGoat and OWASP GoatDroid will be good starting points for anyone interested in this kind of research or work.

Cheers,
Andre
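As an added example that is not part of the thread above (neither Sheran's nor Andre's tooling), the script below shows the kind of first-pass triage a tester can run over decompiler or disassembler output to flag the three items in the quoted checklist: credentials written to storage unprotected, hardcoded encryption keys, and base64 used where encryption was intended. The sample "decompiled" class, the field names and the host api.example.test are all constructed for this illustration; the heuristics (key-length hex constants, entropy, base64 that decodes to printable text, put*("password", ...) calls) are deliberately simple and should be read as a starting point for manual review, not a replacement for it.

```python
"""Heuristic triage of decompiled mobile-app source for the three weaknesses
in the quoted checklist. Example code added to this archive page; the sample
input is constructed and the hypothetical names do not refer to a real app."""
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample standing in for a Java decompiler's output. Every name
# and value here is invented for the example.
SAMPLE_SOURCE = """\
public class LoginStore {
    private static final String AES_KEY = "0123456789abcdef0123456789abcdef";
    private static final String ADMIN_PW = "UGFzc3cwcmQh";
    private static final String API_HOST = "https://api.example.test/v1";
    void save(String user, String pass) {
        prefs.putString("username", user);
        prefs.putString("password", pass);
        prefs.putString("session", Base64.encodeToString(pass.getBytes(), 0));
    }
}
"""

# identifier = "literal"   (no escapes inside the literal, keeps it simple)
STRING_LITERAL_RE = re.compile(r'(\w+)\s*=\s*"([^"\\]*)"')
KEY_LIKE_RE = re.compile(r'(?i)(key|secret|salt)')
CREDENTIAL_RE = re.compile(r'(?i)(pass|pw|pin|token|secret)')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
# SharedPreferences / persistent-store style calls: putString("name", ...)
STORAGE_CALL_RE = re.compile(r'put(?:String|Int|Long)\s*\(\s*"([^"]+)"')
# Base64.encode(x) / Base64.encodeToString(x, ...): capture the first argument
ENCODE_CALL_RE = re.compile(r'Base64\.(?:encode|encodeToString)\s*\(\s*(\w+)')


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material sits well above English text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_key(value: str) -> bool:
    """Hex of a common AES key length (16/24/32 bytes) or a high-entropy blob."""
    if HEX_RE.match(value) and len(value) in (32, 48, 64):
        return True
    return len(value) >= 16 and shannon_entropy(value) > 3.5


def decodes_to_text(value: str) -> bool:
    """True if value is well-formed base64 whose decoded bytes are all printable
    ASCII, i.e. the "encryption" is just an encoding of readable text."""
    if len(value) % 4 or not re.fullmatch(r'[A-Za-z0-9+/]+=*', value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)


def scan_source(source: str):
    """Return (line, category, identifier) findings for the checklist items."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, value in STRING_LITERAL_RE.findall(line):
            if KEY_LIKE_RE.search(name) and looks_like_key(value):
                findings.append((lineno, "hardcoded-key", name))        # item b
            elif CREDENTIAL_RE.search(name) and decodes_to_text(value):
                findings.append((lineno, "base64-not-encryption", name))  # item c
        for key in STORAGE_CALL_RE.findall(line):
            if CREDENTIAL_RE.search(key):
                findings.append((lineno, "plaintext-storage", key))     # item a
        for arg in ENCODE_CALL_RE.findall(line):
            if CREDENTIAL_RE.search(arg):
                findings.append((lineno, "base64-not-encryption", arg))  # item c
    return findings


if __name__ == "__main__":
    for lineno, category, ident in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {category} ({ident})")
```

Run it against a directory of decompiled sources by feeding each file to scan_source; every hit still needs a human to confirm how the value is actually used, since a name containing "token" or a 32-character hex constant is evidence, not proof.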
Current thread:
- IT Audits/PT's of Smartphones cribbar (Aug 04)
- Re: IT Audits/PT's of Smartphones Sheran Gunasekera (Aug 04)
- Re: IT Audits/PT's of Smartphones Andre Gironda (Aug 16)
- Re: IT Audits/PT's of Smartphones Jeffrey Walton (Aug 16)
- Re: IT Audits/PT's of Smartphones Andre Gironda (Aug 16)
- Re: IT Audits/PT's of Smartphones Sheran Gunasekera (Aug 04)