CEH v10: 17 Hacking Mobile Platforms

OWASP Top 10 Mobile Threats #

OWASP Mobile Security Project maintain a list of the most common mobile security risks.

Top Ten (2014) #

1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections

Top Ten (2016) #

1. Improper Platform Usage: misuse of a platform feature or failure to use a platform security controls
2. Insecure Data Storage: insecure data storage + unintended data leakage
3. Insecure Communication: poor handshaking, incorrect SSL, weak negotiation, cleartext communication of sensitive assets, …
4. Insecure Authentication: captures notions of authenticating the end user or bad session management
5. Insufficient Cryptography: cryptography was attempted, but it wasn’t done correctly
6. Insecure Authorization: capture any failures in authorization
7. Client Code Quality: all of the code-level implementation problem in the mobile client
8. Code Tampering: binary patching, local resource modification, method hooking, dynamic memory modification, …
9. Reverse Engineering: analysis of the final core binary to determine the source code, libraries, …
10. Extraneous Functionality: internal development security controls that are not intended to be released into a production environment

Attack Vector #

Basic Threats #

• Malware / rootkit
• Data Loss
• Data Tampering
• Data Exfiltration

Vulnerabilities And Risks on Mobile Platforms #

• Malicious third-party application / in the store
• Application vulnerability
• Data security
• Excessive permissions
• Weak encryptions
• Operating System update issue
• Application update issue
• Jailbreaking / rooting
• Physical attack

OS Sandboxing Issue #

• Sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading
• Sandbox limits the app’s access to files, preferences, network resources, …
• Advanced malware designed to bypass it, by fragment code or put sleep timer in the script to bypass the inspection process

Android Device Administration API #

• Provides device administration features at the system level
• This API allows to create security-aware apps that are useful in the enterprise settings, where require rich control over employee devices

Rooting #

• A process of allowing user to attain privileged control
• Needed for modify settings, get full control over the kernel or install custom ROMs

iOS #

Jailbreaking #

• Rooting the iOS
• Escalating the privileges on iOS to remove or bypass the factory default restrictions

Types of Jailbreaking #

• Userland Exploit : allow user-level access without escalating iBoot-level access
• iBoot Exploit : allow user-level and boot-level access
• Bootrom Exploit : allow user-level and boot-level access

Jailbreaking Techniques #

Untethered Jailbreak #

• Does not require to reboot with a connection to your computer
• Exploit bypass the iBoot sequence

Tethered Jailbreak #

• Need a connection to your computer to reboot, without it, the boot stuck with an Apple logo
• Offers complete jailbreak features

Semi-Untethered Jailbreak #

• Allows to boot into the iOS device, but with limited functionality
• The jailbreak functions will be disabled until the launch of a jailbreak app

Semi-Tethered Jailbreak #

• Allows you to boot with limited functionality
• To get the full functionality, a reboot with a tethered jailbreak required
• Semi-Tethered Jailbreak: tethered jailbreak + a package to allow reboot with limited functionality

Windows Phone #

• Windows Phone 8 using the Windows NT Kernel
• Windows Phone 8 include app sandboxing, remote device management, native code support (C++)

BlackBerry OS #

• Support for Java Micro Edition MIDP 1.0 and MIDP 2.0
• OS update with BlackBerry over the air software loading service (OTASL)

Attack Vectors #

Malicious Code Signing #

• Obtaining a code-signing ket from the code signing service to create a malicious application

JAD File Exploit #

• Java Application Description (.jad) contains attributes of Java application
• Attacker can craft a .jad file with spoofed information

Mobile Device Management (MDM) #

• Deployment, maintenance and monitoring of mobile devices

MDM Functions #

• Enforce device to be locked after certain failed login
• Enforce strong password policy for all BYOD
• MDM can detect attempt of hacking BYOD device and then limit the network access of the affected device
• Enforce confidentiality by using encryption as per organization’s policy
• Administration and implementation of Data Loss Prevention (DLP)

MDM Deployment Methods #

Two type:

On-Site MDM Deployment #

• Install MDM application on local servers
• Management is done by local staff
• Provide full control over the MDM

Cloud-Based MDM Deployment #

• MDM application is installed and maintained by a third party
• Less administration needed
• The deployment and maintenance is the responsibility of the service provider

Bring Your Own Device (BYOD) #

BYOD is a trend of employees using their personal devices for work. It could be a laptop, a phone, etc…

BYOD Policies #

BYOD policies should include:

• Device: which devices and operating systems are supported
• Password: require all devices to be password protected
• Access: determine which data can be accessed from employee’s device
• Application: which applications allowed, which should be banned

Mobile Security Guideline #

• Avoid auto-upload of files
• Perform security assessment of applications
• Turn off Bluetooth
• Allow only necessary GPS-enabled applications
• Do not connect to open network
• Install applications from trusted sources
• Use strong password
• Use Mobile Device Management (MDM) softwares
• Update operating system often
• Do not allow rooting / jailbreaking
• Encrypt phone storage
• Periodic backup
• Configure mobile device policies