Penetration Testing mailing list archives
Re: IT Audits/PT's of Smartphones
From: Sheran Gunasekera <sheran () zenconsult net>
Date: Thu, 4 Aug 2011 21:22:20 +0700
Hello,

On Wed, Aug 3, 2011 at 8:38 PM, cribbar <crib.bar () hotmail co uk> wrote:
> Hi
>
> May I ask - does there exist a (if at all possible - free) vulnerability scanner specific to smartphones, namely BlackBerries/iPhones (various models/versions of each)?
I'm assuming you mean application vulnerability scanners? As far as I'm aware this is an area that needs improvement. I've done several pentests for applications developed by third-party vendors for my clients. I generally follow this approach:

1. Get a copy of the app (usually I get it through the developer; if it's live, you could download it) and reverse engineer it. During this stage I check for:
   a. Storing sensitive data (like login credentials) without adequate protection - like encryption
   b. Hardcoded encryption keys
   c. Algorithms that encode data (e.g. base64) rather than encrypt data

   For the iPhone, I have my own jailbroken device that I can ssh to. Once there, I can use the standard tools like gdb to debug and otool to disassemble. For the BlackBerry, I've written my own decompiler so that I can decompile .cod files. I just use that to read off the standard Java code.

2. Often, enterprise apps (like mobile banking, stock trading, etc.) will always connect to a server. So I check the communication between client and server. I use the Mallory proxy together with my Ubuntu box and USB wifi adapter to 'break' SSL and look at the plain text traffic. Sometimes, from step (1) above, you can also collect clues as to how the client app will communicate with the server app.
From this point on, I can run the standard web app or web service attacks.
Sadly, there is a shortage of skilled enterprise app developers. In almost all my pentests, the apps have been nothing more than a BrowserField (BlackBerry) or UIWebView (iOS) that just displays HTML/CSS/JS content on the mobile device. It is nothing more than a web application running on the device. So in cases like these, I just end up focusing a lot on the server and it ends up in a web app pentest instead.
> Aside from encryption on the device itself, if you have audited or pen tested for a client their smartphone/smartphone infrastructure - are there any common security/management issues you find with them, or any good benchmarks you use to assess the phone itself?
The Center for Internet Security has some benchmarks for mobile security. I haven't checked them out extensively, but maybe you can: http://www.cisecurity.org

You may also want to take a look at http://www.woodmann.com/ for all your reverse engineering needs.

This is an awesome site that has a lot of info on reverse engineering BlackBerry .cod files: http://drbolsen.wordpress.com/

As a follow up to the drbolsen site, you might also want to follow Stephen Lawler's posts here: http://dontstuffbeansupyournose.com/category/blackberry/

Regards,
Sheran
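As an added example (not code from the original post, and not part of the decompiler or any other tool Sheran mentions), the script below automates the three checks listed under step 1 of the approach above: credential-like values stored without protection (1a), key material hardcoded in the decompiled source (1b), and a "protect" routine that only base64-encodes (1c). Its inputs are constructed for this example: a hypothetical decompiled CryptoHelper class and a preferences file as they might be pulled off a device, neither taken from any real application. The base64 classification distinguishes values that decode to readable text (encoded, not encrypted) from opaque blobs that are at least candidates for real ciphertext; short values such as a PIN are deliberately not base64-decoded, since almost any short word is also valid base64.

```python
"""Static checks for the reverse-engineering stage: credentials stored
without protection, hardcoded keys, and base64 used where encryption was
expected.  All inputs below are constructed for this example."""
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample: a hypothetical decompiled helper class (not from any
# real application) and a preferences file as found in on-device storage.
JAVA_SOURCE = """\
public class CryptoHelper {
    private static final byte[] KEY = { 0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xAB, (byte) 0xCD, (byte) 0xEF,
                                        0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xAB, (byte) 0xCD, (byte) 0xEF };
    private static final String IV_STRING = "0123456789abcdef";
    public static String protectPassword(String clear) {
        return Base64.encode(clear.getBytes());
    }
}
"""
OPAQUE_BLOB = base64.b64encode(bytes(range(0x80, 0x90))).decode()  # stands in for ciphertext
PREFS_FILE = (
    "username=alice\n"
    "password=cGFzc3dvcmQxMjM=\n"  # base64("password123"): encoded, not encrypted
    "pin=1234\n"
    f"session_token={OPAQUE_BLOB}\n"
)
ARTIFACTS = {"CryptoHelper.java": JAVA_SOURCE, "prefs.txt": PREFS_FILE}

# key=value or key: value lines whose key names a credential
CRED_KEY_RE = re.compile(
    r"(?im)^\s*([\w.]*(?:password|passwd|pwd|pin|secret|token)[\w.]*)\s*[=:]\s*(\S+)")
# byte[] literals and key/IV-named String constants in decompiled Java
BYTE_ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}")
STRING_KEY_RE = re.compile(r'(?i)String\s+(\w*(?:key|secret|iv|salt)\w*)\s*=\s*"([^"]{8,})"')
# simple (single-block) methods whose name promises protection
METHOD_RE = re.compile(r"(\w*(?:encrypt|protect|secure)\w*)\s*\([^)]*\)\s*\{([^}]*)\}", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for a repeated byte, 8 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def try_base64(token: str):
    """Decode only tokens that are unambiguously base64 (length >= 8, padded correctly)."""
    if len(token) < 8 or len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error:
        return None


def classify_value(value: str) -> str:
    """'plaintext', 'base64-plaintext' (encoded, not encrypted) or 'opaque' (candidate ciphertext)."""
    decoded = try_base64(value)
    if decoded is None:
        return "plaintext"
    if printable_ratio(decoded) >= 0.95 and shannon_entropy(decoded) < 6.0:
        return "base64-plaintext"
    return "opaque"


def scan_artifacts(artifacts: dict) -> list:
    """Return (file, finding, identifier) triples for checks 1a, 1b and 1c."""
    findings = []
    for name, text in artifacts.items():
        # 1a: credential-like settings and how their values are protected
        for m in CRED_KEY_RE.finditer(text):
            findings.append((name, "stored-credential:" + classify_value(m.group(2)), m.group(1)))
        # 1b: key material baked into the code (8+ byte literals, or a key/IV string)
        for m in BYTE_ARRAY_RE.finditer(text):
            n = len(re.findall(r"0x[0-9A-Fa-f]{1,2}", m.group(2)))
            if n >= 8:
                findings.append((name, "hardcoded-key", f"{m.group(1)} ({n} bytes)"))
        for m in STRING_KEY_RE.finditer(text):
            findings.append((name, "hardcoded-key", m.group(1)))
        # 1c: a routine named like encryption that only encodes (no Cipher use)
        for m in METHOD_RE.finditer(text):
            if "Base64" in m.group(2) and "Cipher" not in m.group(2):
                findings.append((name, "encoding-not-encryption", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in scan_artifacts(ARTIFACTS):
        print("%-18s %-38s %s" % f)
```

Run it as-is to see the six findings on the constructed sample; to use it on a real engagement, replace ARTIFACTS with the decompiled sources and the storage files pulled from the device. The "opaque" verdict is only a starting point: it means the value is not trivially readable, and the hardcoded-key findings tell you where to look for the key that would unwrap it.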