Time
30 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:00
Hey everyone, it's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about mobile security.
00:06
So, a quick pre-assessment question, as we normally do. Johnny's performing a pen test on mobile devices for a client. He knows that which one of the following is the best way to examine source code without executing it? So that's a key part there. I'll give you a hint
00:21
***. If you guessed answer B, static analysis, you are correct. Again, dynamic and runtime require you to actually execute the code on the server side. We'll talk about what that is in just a little bit.
00:33
So, static analysis. The whole goal here with static analysis, or sometimes, in the context of application security testing, it's called SAST, so static application security testing. You might see that term out there if you get working in the industry.
00:48
The whole goal here is, as the attacker, we're trying to, you know, debug the software. So we're trying to take a look at, like, the source code, the bytecode, the binaries.
00:56
The key thing to remember here, especially if you ever go for any certification exams that cover this, is to know and understand that there's no execution of the software. So I'm basically taking whatever code you've written, whatever application, I'm breaking it open, essentially, for lack of better words. And then I'm taking a look and trying to figure out, like, okay, what does it actually do?
01:17
So, iOS and Android file formats. So APK, uh, files are gonna be the Android devices, and then IPA are gonna be iOS. Very important to know that information if you're ever going to work as a pen tester, especially if we're going to work with mobile devices at all
01:33
because you're gonna be practicing by jailbreaking, you know, different devices on your own
01:38
to fully understand how the device functions and the different components of data that you can get. So it's very important to understand the differences here: iOS, think IPA, and Android, always think, you know, APK. Or, it starts with an A, so it must be Android, right? That only works for this particular thing.
01:57
All right, so now let's talk about static analysis a little more. Now, I mentioned that, you know, the goal here is we want to debug the code. We want to take a look at it and see what it's doing. And so we're specifically trying to look for information disclosure weaknesses. You know, see if they're using any type of custom encryption.
02:15
See if there's any, you know, certain permissions
02:16
that they're leaving open or that we can escalate permissions, for example. And as I mentioned already, we're disassembling, decompiling the code, really, really trying to figure out
02:25
What does it do? What's the intent of it? What are special things that they might, that the developer might have put in place? And then how can we go ahead and use that for our nefarious purposes? Or, in the case of the penetration tester, how can we use that to get the client better information about their mobile devices?
02:43
So, dynamic and runtime analysis. Obviously dynamic, something's, you know, executed there, right? Dynamic, it's a constantly moving type of thing. So DAST is the terminology there, so dynamic application security testing. So some of the things we're trying to do here: we want to see if we can brute force a PIN. So we, you know, we talked about putting things like a PIN or a passcode on your phone
03:02
in the previous video. And so we're trying to brute force it, right? We want to see
03:07
if I type, you know, different combinations, can I potentially guess it? Does the phone lock me out permanently? What does it do? You know, binary attacks, client-side injection attacks. You know, SQL injection attacks, for example. And then what kind of sensitive information
03:23
are we able to get access to? Right. So what kind of sensitive information might be exposed
03:27
for us to get access to
03:30
Network analysis. This is where we would analyze basically the communication of the device, right? So on the network. So we can inspect the web traffic. We can, uh, you know, we want to make sure that ATS is enabled. And if you're not familiar with that, that's App Transport Security. And then we can use tools like ZAP
03:47
and, ah, the Burp Suite, which are, so OWASP has a ZAP tool, or Burp Suite. If you get into penetration testing, those would be
03:55
tools that you want to become familiar with, especially from the web application penetration testing standpoint. They're very, very popular tools out there in use. Burp Suite has a pro version that's really, really cool. I'm not endorsing them, by the way. But if you decide on working in pen testing and this interests you,
04:13
then those are definitely tools you want to get some hands-on experience with.
04:16
And so then we have server-side testing. As I mentioned here, we just really want to find out, is the server, so basically the web application server that the mobile device is communicating with,
04:30
is this server using, for example, default credentials, which is, you know, a big no-no. Like, we should all know not to do that. But so many people still do it, and that's why it's a good way to attack an organization's network. And then also, you know, things like session timeouts, right? So, like, how long is the timeout, you know,
04:46
for that, because potentially we could, you know, do a session hijack or something like that.
04:50
Input validation flaws. So again, going back to, like, SQL injection attacks as an example, or command injection attacks. Are they validating input on the server? Or can we potentially attack it through that method?
05:02
And then also, we want to look for exposed web services, after what's called the WSDL file, or the Web Services Description Language documentation, that will help us try to find that information.
05:16
So, iOS testing. So some of the things you're gonna want to have: you know, a laptop, preferably like a MacBook or something like that. Ah, a USB cable or some other type of connection cable, depending on, you know, like your MacBook as an example. The one I have sitting next to me right now doesn't have a USB slot.
05:33
Um, I need, I have to get the smaller ones. I forget exactly
05:36
now what they're called.
05:40
You also want a jailbroken iOS device. So whether it's an iPad or iPhone, iPhone's probably the more popular one that people use for pen testing. Don't jailbreak your own device. I just want to say that. Some people do. If you don't know what you're doing,
05:54
there's definitely a risk of what's called bricking your phone, where it's not usable at all. So just think of it as a big paperweight at that point.
06:00
Um, and, you know, with an iPhone, it's probably like a, you know, $600 to start, you know, to $1000. So,
06:08
you know, expensive paperweight. So don't do that. Um, I do recommend, though, if you're gonna get into mobile pen testing, just go ahead and just purchase like an older iPhone or, you know, iPad or something to use for your pen tests. You're gonna have, you know, your credentials for iTunes as well.
06:24
So, basically, you know, your Apple ID and the password. And then also, make sure you've got access to the iOS developer program.
06:30
So we've got different types of jailbreaks that we can do. There's untethered, tethered, semi-tethered and semi-untethered, and say all those, you know, five times fast, right? But basically untethered means that I can, I can jailbreak the device, and then I can turn it on or off without the help of a connected computer, and it's still jailbroken, right?
06:49
Tethered means that, you know, a computer or some kind of software is required to, you know, basically boot the jailbroken device every single time. Semi-tethered being, you know, if the device is rebooted, I need to go ahead and jailbreak the device again
07:04
to basically, you know, patch the kernel using a computer.
07:08
And then semi-untethered is going to be essentially the same as semi-tethered, but, uh,
07:15
we can use, like, a jailbreaking app that's already installed on, you know, either the iPad or iPhone to continuously jailbreak it. So that's kind of the difference between those two right there.
07:27
Now, one of the things we can use for jailbreaking our iPhone device is what's called Cydia Impactor. You can get it and download and play around with it at cydiaimpactor.com. Um, one thing to note here is
07:41
it's for iOS devices. So I always love looking at their web page here, and it's talking about the Pokemon Go hack.
07:47
Um, and I guess people were, enough people are downloading and complaining that, for their Android devices, they were trying to download this to install an, you know, an IPA file on their Android device, which obviously, as we talked about earlier, is only for iOS devices. So that's why it's not working. If you've gone ahead and used this tool and tried to use it on your
08:07
jailbroken Android device, obviously it's not gonna work, right?
08:11
So that was kind of funny to me. Maybe it's not funny to other people, but I don't even know if anyone plays Pokemon Go anymore. But I guess maybe they do. But anyways, this tool could be used for jailbreaking your iOS device. So basically, what it allows you to do is download that IPA file onto the device and, you know, potentially jailbreak it. Now,
08:31
keeping in mind that you want to use this with, like, older iOS devices, you know, your iPhone, you know, 6, 5, you know, whatever. I don't use it with, like, the latest, you know, iPhone X or whatever at the time of this filming that's out there. Something like that
08:46
is probably not gonna work with later versions. It's usually older versions, so just keep that in mind.
08:54
And there's many other tools that we can kind of use for the jailbreaking. So a couple examples of ones we can use for iOS: Yalu, Pangu. Clutch is actually a, er, an encryption tool. Excuse me, decryption tool
09:07
that's used for iOS. And I'm gonna go ahead and, uh, some of these, like Clutch, for example, iGoat, DVIA and idb,
09:15
I'm gonna go ahead and list links in the resources section of the course, so just take a look for that document labeled as Module 7 Mobile Security. And that's gonna include links to go ahead and download all of these if you want to play around with them.
09:30
But again, Clutch is going to be used for decryption.
09:33
Now iGoat and DVIA. So DVIA stands for the *** Vulnerable iOS Application. If you're familiar at all with pen testing from the web standpoint, we've got the *** Vulnerable Web Application. That's, ah, a deliberately vulnerable web application that's in use, and that way you can practice skills and that sort of stuff.
09:50
And then OWASP also has iGoat.
09:54
So again, a purposely vulnerable mobile application to allow you to practice your skills without, you know, doing it against, like, somebody else's mobile device, right? So it's a legal type of thing. You could just practice your skills and get that hands-on practice without jailbreaking somebody else's device or attacking someone else's device.
10:13
The Mobile Security Framework, or MobSF, can actually be used for iOS and Android, and you'll see me mention it again in the next video a little bit. But just understand that that's, you know, kind of an all-in-one automated pen testing framework for mobile applications. So again, I mentioned Android, iOS. It also works on Windows. I don't know anybody that's using the Windows phone anymore,
10:33
but there's probably somebody out there. So it's good to
10:35
kind of get a good skill set as a pen tester across different areas for mobile devices.
10:41
And then we have idb. idb again is another tool that we can use for iOS application security assessments. And so again, I'm gonna, I'm gonna list out in the description, excuse me, the resources section of the course, I'll list links for those so you can take a look at them.
10:58
So just a quick post-assessment question here before we move on. Pangu is a tool used for reverse engineering malware on iOS devices. Is that true or false?
11:07
We obviously know that's false, right? I mentioned Pangu is one of the tools we can use for jailbreaking our iOS devices.

Instructed By

Ken Underhill
Master Instructor at Cybrary