Penetration Testing mailing list archives

Re: IT Audits/PT's of Smartphones


From: Sheran Gunasekera <sheran () zenconsult net>
Date: Thu, 4 Aug 2011 21:22:20 +0700

Hello,

On Wed, Aug 3, 2011 at 8:38 PM, cribbar <crib.bar () hotmail co uk> wrote:

> Hi
>
> May I ask - does there exist a (if at all possible - free) vulnerability
> scanner specific to smartphones, namely blackberries/iPhones (various
> models/versions of each)?


I'm assuming you mean application vulnerability scanners?  As far as
I'm aware this is an area that needs improvement.  I've done several
pentests for applications developed by third-party vendors for my
clients.  I generally follow this approach:

1. Get a copy of the app (usually I get it through the developer; if
it's live, you could download it) and reverse engineer it.  During this
stage I check for:

a. Storing sensitive data (like login credentials) without adequate
protection - like encryption
b. Hardcoded encryption keys
c. Algorithms that encode data (e.g. base64) rather than encrypt data

For the iPhone, I have my own jailbroken device that I can ssh to.
Once there, I can use the standard tools like gdb to debug and otool
to disassemble.

For the BlackBerry, I've written my own decompiler so that I can
decompile .cod files.  I just use that to read off the standard Java
code.

2. Often, enterprise apps (like mobile banking, stock trading, etc)
will always connect to a server.  So I check the communication between
client and server.  I use the Mallory proxy together with my ubuntu
box and usb-wifi adapter to 'break' ssl and look at the plain text
traffic.  Sometimes, from step (1) above, you can also collect clues
as to how the client app will communicate with the server app.

From this point on, I can run the standard web app or web service attacks.

Sadly, there is a shortage of skilled enterprise app developers.  In
almost all my pentests, the apps have been nothing more than a
BrowserField (BlackBerry) or UIWebView (iOS) that just displays
HTML/CSS/JS content on the mobile device.  It is nothing more than a
web application running on the device.  So in cases like these, I just
end up focusing a lot on the server and it ends up in a web app
pentest instead.


> Aside from encryption on the device itself, if you have audited or pen
> tested for a client their smartphone/smartphone infrastructure - are there
> any common security/management issues you find with them, or any good
> benchmarks you use to assess the phone itself?

The Center for Internet Security has some benchmarks for mobile
security.  I haven't checked them out extensively, but maybe you can:
http://www.cisecurity.org

You may also want to take a look at http://www.woodmann.com/ for all your
reverse engineering needs.

This is an awesome site that has a lot of info on reverse engineering
BlackBerry .cod files: http://drbolsen.wordpress.com/

As a follow up to the drb0lsen site, you might also want to follow
Stephen Lawler's posts here:
http://dontstuffbeansupyournose.com/category/blackberry/

Regards,
Sheran
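As an added example (not part of Sheran's post, and not his tooling), here is a small Python triage script for the three checks in step 1 of his approach: credentials stored in the clear (a), hard-coded encryption keys (b), and base64 encoding passed off as encryption (c). It runs over a constructed strings dump of the kind you would get from `strings` on a jailbroken-device binary or from the string constants of a decompiled .cod file; the sample lines, the category names and the regex heuristics are assumptions made for this illustration, not output from any real app.

```python
"""
Triage helper for the reverse-engineering step of a mobile app pentest.

Scans a strings dump (constructed sample below, not a real app) for:
  (a) credential-looking key=value pairs stored in the clear
  (b) hard-coded keys: hex constants of AES key length (128/192/256 bits)
  (c) base64 blobs that decode to readable text (encoding, not encryption)
"""
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed sample: what a strings dump of a careless app might contain.
# The two hex values are the public AES test-vector keys from FIPS-197 / SP 800-38A.
SAMPLE_STRINGS = """
__TEXT
NSUserDefaults
saved_password=Summer2011!
api_user=mbank_prod
aes_key=2b7e151628aed2a6abf7158809cf4f3c
hmac_secret=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
token=dXNlcjpTdXBlclNlY3JldFBhc3N3b3Jk
https://mbank.example/ws/login
UIWebView
de4db33fc0ffee
"""

# Heuristics (assumed for this example): tune the keyword list per target.
CRED_KEY_RE = re.compile(
    r"^(?P<key>[A-Za-z_]*(pass|pwd|secret|token|user|key)[A-Za-z_]*)=(?P<val>.+)$",
    re.I,
)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
AES_KEY_BYTES = {16, 24, 32}
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_printable(data: bytes) -> bool:
    """True if the bytes are plain ASCII text.  A base64 blob whose decoded
    form passes this test was encoded, not encrypted (finding c)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in PRINTABLE for ch in text)


def classify(token: str) -> Optional[Tuple[str, str]]:
    """Return (category, detail) for one line of the dump, or None if benign."""
    m = CRED_KEY_RE.match(token)
    value = m.group("val") if m else token

    # (b) hex constant exactly one AES key length long -> hard-coded key.
    # Checked before base64, since hex digits are also valid base64 characters.
    if HEX_RE.match(value) and len(value) % 2 == 0 and len(value) // 2 in AES_KEY_BYTES:
        return ("hardcoded_key", f"{len(value) * 4}-bit hex constant: {value}")

    # (c) base64 that decodes to readable text.  Identifiers such as
    # NSMutableDictionary match the alphabet but fail strict decoding or
    # decode to non-printable bytes, so they are dropped here.
    if B64_RE.match(value):
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            raw = b""
        if raw and looks_printable(raw):
            return ("base64_not_encryption", f"{value} -> {raw.decode('ascii')}")

    # (a) credential-style pair whose value is neither a key nor base64.
    if m:
        return ("plaintext_credential", token)
    return None


def scan_strings(dump: str) -> List[Tuple[str, str]]:
    """Classify every non-empty line of a strings dump, in file order."""
    findings = []
    for line in dump.splitlines():
        token = line.strip()
        if token:
            hit = classify(token)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for category, detail in scan_strings(SAMPLE_STRINGS):
        print(f"[{category}] {detail}")
```

Every hit is a lead to confirm in the disassembly, not a finding on its own: the hex-length test will also flag SHA-256 digests and the keyword list will miss obfuscated names, which is why Sheran's manual read of the decompiled code is still the actual check.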
