Pentesting smartphone environments
Discover the basics of intrusion tests on smartphones.
More and more smartphones…
According to the “Digital 2020” study by Hootsuite and We Are Social, globally, “mobile devices account for more than half of the time spent online this year.” Besides, there are 2.4% more smartphone users on the planet this year than in 2019: that’s 124 million more people… and just as many mobiles to secure.
Smartphones are more vulnerable than computers
While they contain a large amount of sensitive data, smartphones are more exposed to cyber risks than computers. Most of the time, operating systems are not updated by users.
- 39% of organizations admitted to having experienced a security compromise involving a mobile device, compared to 33% in the 2019 edition of the report.
- The consequences of mobile devices’ hacks have proven to be severe and far-reaching. Of the organizations that experienced an attack, 66% said the impact was major. 36% reported lasting impacts.
- 37% of affected organizations reported that corrective action was difficult and costly.
It is also important to know that there is a latency time between Android updates and those proposed by manufacturers and operators, who must adapt them to their model. This can sometimes take between two and three months. Thus, a cell phone will always be less up-to-date than a PC.
Moreover, after three or four years of use, some devices simply no longer receive patches, and they remain devoid of the latest security features until a new smartphone is purchased.
Mobile security: a slow awareness of risks
It’s a fact: users tend to secure their mobile much less than their PC. PINs and passwords are still relatively simple, and unlock patterns are still too easy to enter. Also, users tend to install applications without really being vigilant and to grant too many permissions.
Aware of this problem, manufacturers are trying to compensate by increasing the security of the smartphones they sell. Today’s phone models are very well secured and therefore difficult to break into. It is the way they are used that is the problem.
Pentest on smartphones: tools and techniques
Typically, companies ask us to test the applications they develop and the phones in their mobile fleet.
Testing a mobile application
A pentest on a mobile app looks very much like a pentest on a thick client: there is a local part (file storage, logs, installed binary, execution, memory usage…) and a web part. For the web part, we use classical tools such as proxies or network traffic analyzers. For the local part, we use reverse engineering to disassemble and understand the binary of the application.
For the specific iOS or Android part, there are tools dedicated to mobile penetration tests, including software for dynamic patching. These are “on the fly” modifications of an app’s behavior: we target the local part and modify it while it is running. This allows us to bypass the security set up by the developer.
Technically auditing a phone
When we audit a smartphone, we need to find the PIN or push the user to install a malicious app to get remote access. Sometimes we use social engineering techniques, but only if they are suited to the client’s needs and if the client has previously agreed to the use of such methods.
The most important thing for a pentester – and therefore, a cybercriminal – is to retrieve the phone’s password. Without this first step, it is tough to access the data on a smartphone. Once we have entered the phone, we can, for example, log in to the email account and retrieve emails, which contain a considerable amount of important information.
In general, whether we are auditing a cell phone or an application, we start with a minimum of information. We need to know the specifics of each version. For example, between iOS 12 and iOS 13, there are significant differences.
Mobiles’ pentest: training
To train for pentesting on mobile, it is advisable to have a basic understanding of application security and a good knowledge of the Android and iOS security models, first in theory, and then to move on quickly to practical application. To do this, there are some very well-made test applications: once they are installed, the goal is to attack them successfully.
As the versions evolve very quickly, the Internet remains a gold mine for self-training or updating.
Avoiding cyberattacks on smartphones: advice from an ethical hacker
Too many users are unaware of the attacks they may be subjected to on their cell phone or the security techniques to protect themselves against them. Here are a few tips:
- Choose a strong PIN and password: with this protection alone, the mobile remains highly protected, with the operating system managing all the rest of the security.
- Do not install just anything: read the reviews, look at the ratings, and only install an app when necessary, from a trusted source.
- Check applications’ permissions and grant only the important ones: recent versions of Android and iOS allow granular permissions (for example: allow access to files but not to the camera).
- Do not connect to public Wi-Fi.
- Perform all required updates.
- Use an antivirus to see if malware has been installed and get rid of it.
- Check the phone configuration: there is a debug mode, designed for developers, which allows the mobile to give access to a considerable amount of information that is normally protected. Once this mode is activated, a cybercriminal can penetrate the phone, even if it is locked.
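One way to turn three of the tips above (updates, permissions, debug mode) into an automated check on an Android device, as an added example that is not part of the original article. The sample values are constructed, and the collection method, the 90-day threshold and the permission allow-list are assumptions.

```python
import re
from datetime import date

# Constructed sample: values as collected from one device (collection method assumed,
# e.g. a management agent). Names: property ro.build.version.security_patch,
# global setting adb_enabled, and `dumpsys package` output for a hypothetical app.
SAMPLE = {
    "security_patch": "2020-01-05\n",
    "adb_enabled": "1\n",
    "dumpsys": """
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_CONTACTS: granted=false
      android.permission.ACCESS_FINE_LOCATION: granted=true
    """,
}
MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold

def patch_age_days(raw, today):
    """Days since the reported patch level, or None if it cannot be parsed."""
    try:
        return (today - date.fromisoformat(raw.strip())).days
    except ValueError:
        return None

def granted_runtime_permissions(dumpsys_text):
    """Permissions marked granted=true under a 'runtime permissions:' header."""
    granted, in_runtime = set(), False
    for line in dumpsys_text.splitlines():
        s = line.strip()
        if s.endswith("permissions:"):
            in_runtime = s == "runtime permissions:"
        elif in_runtime and (m := re.match(r"([\w.]+): granted=true", s)):
            granted.add(m.group(1))
    return sorted(granted)

def audit(outputs, today, allowed=frozenset()):
    """Return findings for stale patches, debug mode and unexpected grants."""
    findings = []
    age = patch_age_days(outputs["security_patch"], today)
    if age is None:
        findings.append("patch level unreadable")
    elif age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch is {age} days old")
    if outputs["adb_enabled"].strip() == "1":
        findings.append("USB debugging (adb_enabled) is on")
    findings += [f"granted outside allow-list: {p}"
                 for p in granted_runtime_permissions(outputs["dumpsys"]) if p not in allowed]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, date(2020, 6, 1), {"android.permission.CAMERA"})))
```

Install-time permissions such as INTERNET are skipped on purpose: only the runtime permissions the user can grant or refuse are compared against the allow-list.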
Mobile Security Index 2020, Verizon
binary: a file written in “machine language”. This is what the operating system reads and executes. Since it is not human-readable (symbols and special characters), the reverse engineering process brings it back to an intelligible format (such as source code, for example) so that it can be analyzed and understood.