By Josh Wright
[In this third installation of tips originally included in the Ultimate SANS Pen Test Poster, we'll turn to Josh Wright's tips for mobile device penetration testing. Josh shares some really useful insights here, as well as recommendations for tools (software and hardware) and resources for keeping current. Nice stuff!
Click these links for the first two articles in this series:
John Strand's tips on network penetration testing
Steve Sims' tips on exploit development
[Editor's Note: Mobile devices, their associated infrastructures, and their juicy juicy apps are a fascinating arena that we pen testers are increasingly called upon to evaluate in target environments. In this article, Chris Crowley zooms in on a particularly important part of Android permissions known as "intents", which help control interprocess communication. Chris describes their features and outlines a process and some tools penetration testers can use to analyze them. --Ed.]
By Chris Crowley
Great pen testers strive to move through target environments seamlessly, transitioning from one platform to another. With more organizations adopting a "bring your own device" approach to mobile platforms without careful enforcement of security, attackers have new avenues for undermining organizations. Even in those organizations that officially forbid personally owned mobile devices, employees still sometimes connect their own devices to their networks
[Editor's Note: Josh Wright provides some really useful insight in how penetration testers and vulnerability assessors can use tools traditionally associated with digital forensics to look for information leakage flaws from mobile applications. The techniques he describes below are powerful yet pretty easy to implement -- That's awesome. Check out the interesting issue Josh discovered in Dropbox using the technique! --Ed.]
By Joshua Wright
As a penetration tester and author of SANS Mobile Device Security and Ethical Hacking (SEC575) course, I get this kind of question a lot:
"My organization is looking at deploying the XYZ app company-wide. Is the app secure? Any significant flaws I should know about?"
With the Apple and Google Play stores each adding nearly 1,000 new apps per day, it's hard to keep up. Analyzing the security of mobile device
[Editor's Note: Last Friday, Josh Wright did an awesome webcast on how penetration testers can extract sensitive information from mobile devices during an ethical hacking project, simulating what could happen if a bad guy snags a device and uses it to gather info to attack an organization. Josh provides some commentary as well as his slides below. These slides are a sampling of Josh's brand-new 575 course on Mobile Device Security and Ethical Hacking. I have to say -- the new course is completely amazing! It gives folks the knowledge they need to help protect their organizations against the onslaught of new mobile devices popping up everywhere -- iPhones, iPads, Android devices, RIM Blackberries, and Windows Phone are all covered. The course is selling out wherever SANS offers it, usually a month or two in advance. Course details are available
[Editors note: The inimitable Josh Wright has been working his patooties off on a brand-new SANS course, SANS Security 575, Mobile Device Security and Ethical Hacking. I have to say, this is the most excited I've been about a new SANS course in years. Josh has gone all Willie-Wonka on us for several months as he forges and polishes the course behind the scenes. I've seen some sneak previews, and the stuff rocks. In his work on the course, Josh is looking in-depth at architecture, config, vuln, attack, and defense issues for the iOS, Android, RIM, and Windows Phone platforms. Weekly, Josh and I discuss his findings and insights, all based on what he's putting into the course. It's been fascinating, and an honor for me to view this space through the eyes of Josh. This article is a small snapshot of some of the things that Josh is thinking about and working on in light of the new course. I think you'll find it quite interesting. --Ed.]