CEH v10: 17 Hacking Mobile Platforms
Certified Ethical Hacker v10 Chapter 17: Hacking Mobile Platforms.
OWASP Top 10 Mobile Threats
OWASP Mobile Security Project maintain a list of the most common mobile security risks.
Top Ten (2014)
- Weak Server Side Controls
- Insecure Data Storage
- Insufficient Transport Layer Protection
- Unintended Data Leakage
- Poor Authorization and Authentication
- Broken Cryptography
- Client Side Injection
- Security Decisions via Untrusted Inputs
- Improper Session Handling
- Lack of Binary Protections
Top Ten (2016)
- Improper Platform Usage: misuse of a platform feature or failure to use a platform security controls
- Insecure Data Storage: insecure data storage + unintended data leakage
- Insecure Communication: poor handshaking, incorrect SSL, weak negotiation, cleartext communication of sensitive assets, ...
- Insecure Authentication: captures notions of authenticating the end user or bad session management
- Insufficient Cryptography: cryptography was attempted, but it wasn't done correctly
- Insecure Authorization: capture any failures in authorization
- Client Code Quality: all of the code-level implementation problem in the mobile client
- Code Tampering: binary patching, local resource modification, method hooking, dynamic memory modification, ...
- Reverse Engineering: analysis of the final core binary to determine the source code, libraries, ...
- Extraneous Functionality: internal development security controls that are not intended to be released into a production environment
Attack Vector
Basic Threats
- Malware / rootkit
- Data Loss
- Data Tampering
- Data Exfiltration
Vulnerabilities And Risks on Mobile Platforms
- Malicious third-party application / in the store
- Application vulnerability
- Data security
- Excessive permissions
- Weak encryptions
- Operating System update issue
- Application update issue
- Jailbreaking / rooting
- Physical attack
OS Sandboxing Issue
- Sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading
- Sandbox limits the app's access to files, preferences, network resources, ...
- Advanced malware designed to bypass it, by fragment code or put sleep timer in the script to bypass the inspection process
Android
Device Administration API
- Provides device administration features at the system level
- This API allows to create security-aware apps that are useful in the enterprise settings, where require rich control over employee devices
Rooting
- A process of allowing user to attain privileged control
- Needed for modify settings, get full control over the kernel or install custom ROMs
iOS
Jailbreaking
- Rooting the iOS
- Escalating the privileges on iOS to remove or bypass the factory default restrictions
Types of Jailbreaking
- Userland Exploit : allow user-level access without escalating iBoot-level access
- iBoot Exploit : allow user-level and boot-level access
- Bootrom Exploit : allow user-level and boot-level access
Jailbreaking Techniques
Untethered Jailbreak
- Does not require to reboot with a connection to your computer
- Exploit bypass the iBoot sequence
Tethered Jailbreak
- Need a connection to your computer to reboot, without it, the boot stuck with an Apple logo
- Offers complete jailbreak features
Semi-Untethered Jailbreak
- Allows to boot into the iOS device, but with limited functionality
- The jailbreak functions will be disabled until the launch of a jailbreak app
Semi-Tethered Jailbreak
- Allows you to boot with limited functionality
- To get the full functionality, a reboot with a tethered jailbreak required
- Semi-Tethered Jailbreak: tethered jailbreak + a package to allow reboot with limited functionality
Windows Phone
- Windows Phone 8 using the Windows NT Kernel
- Windows Phone 8 include app sandboxing, remote device management, native code support (C++)
BlackBerry OS
- Support for Java Micro Edition MIDP 1.0 and MIDP 2.0
- OS update with BlackBerry over the air software loading service (OTASL)
Attack Vectors
Malicious Code Signing
- Obtaining a code-signing ket from the code signing service to create a malicious application
JAD File Exploit
- Java Application Description (.jad) contains attributes of Java application
- Attacker can craft a .jad file with spoofed information
Mobile Device Management (MDM)
- Deployment, maintenance and monitoring of mobile devices
MDM Functions
- Enforce device to be locked after certain failed login
- Enforce strong password policy for all BYOD
- MDM can detect attempt of hacking BYOD device and then limit the network access of the affected device
- Enforce confidentiality by using encryption as per organization's policy
- Administration and implementation of Data Loss Prevention (DLP)
MDM Deployment Methods
Two type:
On-Site MDM Deployment
- Install MDM application on local servers
- Management is done by local staff
- Provide full control over the MDM
Cloud-Based MDM Deployment
- MDM application is installed and maintained by a third party
- Less administration needed
- The deployment and maintenance is the responsibility of the service provider
Bring Your Own Device (BYOD)
BYOD is a trend of employees using their personal devices for work. It could be a laptop, a phone, etc...
BYOD Policies
BYOD policies should include:
- Device: which devices and operating systems are supported
- Password: require all devices to be password protected
- Access: determine which data can be accessed from employee's device
- Application: which applications allowed, which should be banned
Mobile Security Guideline
- Avoid auto-upload of files
- Perform security assessment of applications
- Turn off Bluetooth
- Allow only necessary GPS-enabled applications
- Do not connect to open network
- Install applications from trusted sources
- Use strong password
- Use Mobile Device Management (MDM) softwares
- Update operating system often
- Do not allow rooting / jailbreaking
- Encrypt phone storage
- Periodic backup
- Configure mobile device policies