Time
9 hours 47 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Transcription

00:02
Hi. Welcome back to the course. In the last module, we wrapped up our discussion on WiFi
00:07
in this module. We're gonna talk about mobile hacking,
00:11
so I want to start off with the Olaf's top 10 mobile risk from 2016. So we've got improper platform usage, insecure data storage and secure communication and secure authentication.
00:22
Insufficient cryptography, insecure authorization, client code quality, code tampering, reverse engineering and then extraneous functionality. So we're gonna talk with just a little bit about each one of those
00:34
So improper platform usage That's basically going to be your different platform permissions. And so they're either configured improperly or they're exploited.
00:42
Misuse of touch idea on the key chain ap I'm issues. So basically, this is any type of security feature that you might see in, like the APP stores that developers we need to go through. This is gonna be basically, you know, improperly using those to exploit the device.
01:00
Insecurity to storage. So and then are also correlates with unintended data leakage. So basically, the risk here are that the attacker can either steal our identity, commit fraud or four like a business that could potentially damage your reputation.
01:15
Insecure communications So you know the device might be running like an incorrect as a cell version or have a weak negotiation
01:23
with a client server side even transmitting clear text communication of sensitive data. So, like usernames passwords, you know, access codes, that sort of stuff.
01:33
Insecure authentication, fairly straightforward here, but basically, we're failing to identify the end user or were failing to maintain the user's identity. So we need to have checks at every point in saying Okay, well, who are you again? Validate who you are. You know, if if you're using this particular data, validate who you are,
01:49
insufficient cryptography is pretty self explanatory. But basically it's cryptography that's either not configured correctly or that's not even done it all.
01:57
And so what? The exploit of this would either require some type of malware, which is the more common version ing or physical access to the vice. So you either have the device stolen or lost.
02:10
You said your authorization. So basically feeling toe make authorization decisions. But on the client side. So on the on the device, not the service side
02:20
client code quality is the code itself of honorable things like buffer overflows. It all
02:27
co tampering. So here the Attackers actually modify the code and do something to it. Or they might just change. Replace system ap eyes that could also do do different things, right? Looks like binary patching method hooking methods whistling, and then local resource modifications
02:44
reverse engineering. So the attacker actually analyzes the core binary and they could use different tools like I d a pro Hopper O'Toole, etcetera, etcetera. There's many tools you can do out. There
02:53
s so then they're gonna find the by the vulnerabilities and exploit those. What they could do is harvest information about back and servers, different ciphers, potentially intellectual property, depending on if the business device or not, and then, ah, they can get the potentially get cryptographic content constants that allow them to break the cryptography
03:15
extraneous functionality. So this is where developers might put it accidentally put in a hidden backdoor functionality that they're forgotten about. They might also put in something that disables two factor authentication so that that can be exploited to then disable that on the device. And then also, some developers also will put
03:34
various passwords in hybrid apse, so
03:36
that can also be exploited. You then access what you need to on the phone.
03:42
So this is just a good graphic on the anatomy of a mobile attacks with some different avenues of attack. Right? So obviously the browser, that's, you know, same as a, uh, actual desktop computer. You know, we've got different things through the browser, like, you know, the click jacking the framing men in the middle.
03:58
You know, we could never do Ah, buffer overflow on the browser. Since it's all natural device there,
04:02
um, the phone itself through SMS. So Smith sings probably more coming. The more common one that you see out there. You know, Mike, you might get a text, indicate your bank. You know, you gotta quickly verify your can. Otherwise we're gonna shut it down. You like money? Phishing attacks is uses that sense of urgency to make you want to click on it. But if you have any
04:21
concept of common sense at all, you don't click those links
04:27
system. You know, we can basically do jail breaking on IOS or android or rooting, you know, passwords and and data will be the inaccessible. You know, we can also find out that you know hes are no encryption being used or weak encryption that we can crack
04:43
the APS themselves. We can attack, you know, the code level. We can escalate privileges on the app that s o instead of it. Just, you know, maybe accessing our camera, we can exploit it to where it Alexis your context list or it'll accessed ability to send to receive two extra calls. We can even, you know, exploit,
05:01
uh, your email on there as well.
05:06
So how can criminal hackers actually profit from this? And there's there's many ways. But, you know, one of the main ones here is doing your identity. Or if you're foolish enough to do banking on your mobile phone, they could steal your banking credentials and an access your account and drain your bank account
05:21
on. Then, you know, depending on their skill level, you may be checking your account balance on your phone. But
05:27
you think, Hey, I still got money, and then you go try to buy something and you can't because realistically your bank accounts actually been liquidated,
05:35
and then blackmail, you know, so they might get access to your camera or your photos or videos. You know, in a lot of people film. You know, adult images will call them on their phones. And so I think the attacker could get that And the black milieu. Hey, pay me x amount of Bitcoin. Otherwise, I'm gonna, you know, send this to your boss.
05:55
So as of this mission attack as I mentioned, this is just kind of an example of it, you know? Hey, it's Wells Fargo. You know your account suspended. Click on this link to, you know, update your stuff. You know, a couple things on this obviously log in dash Wells. Fargo, you know, dash wells dot com. That's not even a Wells Fargo thing, right?
06:13
S. T T p and R https.
06:15
You know, and and again, your bank's not gonna contact you via text message. It doesn't happen like that, right? You know, you need to log in online from a different device or even, you know, you know, and, uh, they were called the phone number for the bank. You just say, Hey, I got this Brandon tax. Is this really you guys? And then they have it in their database system. They'll be able to say
06:34
no, That was an Oscar or Yeah, we do that now, you know,
06:38
So just just keep that in mind.
06:41
So in this video, we just kind of went over a high level overview of mobile hacking.
06:46
In the next video, we're gonna actually move into specific towards android devices and talk a little bit about android hacking and then following that will jump into the IOS hacking.

Up Next

Penetration Testing and Ethical Hacking

If the idea of hacking as a career excites you, you will benefit greatly from completing this training here on Cybrary. You will learn how to exploit networks in the manner of an attacker, in order to find out how protect the system from them. Those interested in earning their Certified Ethical Hacker (CEH) will want to start by taking this course

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor