SANS Penetration Testing: Category - Mobile

SANS Penetration Testing:

Modifying Android Apps: A SEC575 Hands-on Exercise, Part 2

By Joshua Wright

Blog1

Introduction


In the last installment of this article, we looked at the IsItDown application, and how it is designed not to run in the Android Emulator, and to include a super-annoying banner ad. We showed how the Apktool utility can be used to decompile an Android APK file, and how we can evaluate and modify the produced Smali code to manipulate the application's functionality.

In this final installment, we'll re-build the IsItDown application with our Smali file changes, then

...

Modifying Android Apps: A SEC575 Hands-on Exercise, Part 1

By Joshua Wright

Blog1

Introduction


As a security professional, I'm called on to evaluate the security of Android applications on a regular basis. This evaluation process usually takes on one of two forms:

  • Evaluate app security from an end-user perspective

  • Evaluate app security from a publisher perspective


While there is a lot of overlap between the two processes, the difference effectively boils down to this: whose risk perspective does my customer care about the most?

When an app publisher wants me to evaluate the security of their Android app, I need to determine if the app employs sufficient controls to protect the required app functionality and publisher brand. Often, this

...

How Pen Testers Can Deal with Changes to Android SD Card Permissions

By Lee Neely & Chris Crowley

Recent updates to the Android OS have changed the permission model for external storage, and these changes will likely impact the way pen testers assess the actions and corresponding risks associated with applications, both malicious and benign, particularly when analyzing how they interact with external storage.

Consider this scenario: You are provided an application from an unknown third party to assess. Your assignment is to assess both the behavior and trustworthiness of the application. Because of the permission model changes, the application behaves differently when trying to access external storage than it would have in earlier releases of the Android OS.

In this article, we'll provide information on how the permission model changed and some tips and techniques you can leverage when you are assessing an application in your next Android pen test.

What changed?


There were two changes ...

Bypassing iOS Lock Screens: A Comprehensive Arsenal of Vulns

[Editor's Note: With last week's release of iOS 8, we enter a new era of security fixes and issues for Apple's flagship mobile operating system. But, even this latest version faces an issue that comes up regularly with iOS and other mobile operating systems: Lock Screen Bypass. In fact, there are dozens of different ways to bypass the Lock Screen on a device, each applicable to different versions and subversions of iOS. Thankfully, Raul Siles has inventoried a whole bunch of them in this article, providing a useful reference for penetration testers who need to show the risks associated with a given iOS feature or version number. Raul also offers tips for hardening iPhones and iPads against these kinds of attacks. Nifty stuff! --Ed.]

By Raul Siles

The iOS mobile platform has been subject to numerous lock screen bypass vulnerabilities across multiple versions. Although Apple strives to fix these vulnerabilities in various updates to iOS (

...

Announcing the Awesome New SANS Brochure Challenge

Here's some fun news. SANS just released a new kind of challenge — one that unfolds from the pages of a SANS brochure itself. Created by Jeff McJunkin and a group of challenge-writing collaborators, we launched it this week with the mailing of the SANS Network Security brochure for the upcoming conference in Las Vegas in October 2014. This challenge will take you across many domains of knowledge, including (but not limited to!): infosec fundamentals, pen testing, digital forensics, steganography, social media, mobile devices, and much, much more, all wrapped up in some geeky fun!

You'll enjoy all these areas and more from the comfort of your brochure (paper or pdf) and local computer, along with everyone's favorite global network, the Internet itself. You'll be able to advance all the way through this challenge from anywhere in the world. If

...