Blog: SANS Penetration Testing: Category - Mobile


SANS Checklist for Securing Mobile Devices in the Enterprise

[Editor's Note: Lee Neely has developed a very useful spreadsheet checklist to help organizations better plan and mitigate security risks associated with mobile devices, including phones and tablets. It's really handy stuff, and I strongly recommend you check it out! --Ed.]

By Lee Neely

To help organizations better understand, manage, and mitigate risks associated with mobile devices and their infrastructures, we've released an updated SANS SCORE Mobile Device Checklist. This checklist is designed to provide a repeatable approach to adding mobile devices to your environment in a secure fashion. The intent is to be device-agnostic, to support long-lasting results, and to provide a basis for making consistent decisions around having these devices in your environment, as well as proper protection of the information on and around them. Too often, I've seen instances where mobile devices were


Removing the Android Device Lock from any Mobile App

[Editor's note: In this blog post, Raul Siles goes in-depth exploring how to attack a vulnerability in the way Android device lock works. Although a patch was released last week for this flaw, the slow (or nonexistent) update cycle for many users means this attack mechanism will be valid for quite some time to come. The best part of Raul's write-up is his use of both static and dynamic analysis techniques and a variety of tools to tease apart the flaw. Raul ends by showing how you can test that the newly released fixes for Android block exploitation of the flaw. Nice stuff! --Ed.]

By Raul Siles

Shameless plug: I will be teaching the 6-day SANS SEC 575: Mobile Device Security and Ethical Hacking course in Abu Dhabi, UAE (Apr 26, 2014 - May 1, 2014) and


Mobile Device Tips, Tricks and Resources

By Josh Wright

[In this third installation of tips originally included in the Ultimate SANS Pen Test Poster, we'll turn to Josh Wright's tips for mobile device penetration testing. Josh shares some really useful insights here, as well as recommendations for tools (software and hardware) and resources for keeping current. Nice stuff!

Click these links for the first two articles in this series:
John Strand's tips on network penetration testing
Steve Sims' tips on exploit development

Methodology Tips


Intentional Evil: A Pen Tester's Overview of Android Intents

[Editor's Note: Mobile devices, their associated infrastructures, and their juicy juicy apps are a fascinating arena that we pen testers are increasingly called upon to evaluate in target environments. In this article, Chris Crowley zooms in on a particularly important part of Android's application model known as "intents", the messages that drive inter-process communication between app components and that Android's permission system mediates. Chris describes their features and outlines a process and some tools penetration testers can use to analyze them. --Ed.]

By Chris Crowley

Great pen testers strive to move through target environments seamlessly, transitioning from one platform to another. With more organizations adopting a "bring your own device" approach to mobile platforms without careful enforcement of security, attackers have new avenues for undermining organizations. Even in those organizations that officially forbid personally owned mobile devices, employees still sometimes connect their own devices to their networks


Mobile App Analysis with NetworkMiner

[Editor's Note: Josh Wright provides some really useful insight in how penetration testers and vulnerability assessors can use tools traditionally associated with digital forensics to look for information leakage flaws from mobile applications. The techniques he describes below are powerful yet pretty easy to implement -- That's awesome. Check out the interesting issue Josh discovered in Dropbox using the technique! --Ed.]

By Joshua Wright

As a penetration tester and author of the SANS Mobile Device Security and Ethical Hacking (SEC575) course, I get this kind of question a lot:

"My organization is looking at deploying the XYZ app company-wide. Is the app secure? Any significant flaws I should know about?"

With the Apple App Store and Google Play each adding nearly 1,000 new apps per day, it's hard to keep up. Analyzing the security of mobile device