Re: IT Audits/PT's of Smartphones


On Wed, Aug 3, 2011 at 8:38 PM, cribbar <> wrote:


May I ask - does there exist a (if at all possible - free) vulnerability
scanner specific to smartphones, namely blackberries/iPhones (various
models/versions of each)?

I'm assuming you mean application vulnerability scanners? As far as
I'm aware this is an area that needs improvement. I've done several
pentests for applications developed by third-party vendors for my
clients. I generally follow this approach:

1. Get a copy of the app (usually I get it through the developer; if
it's live, you could download it) and reverse engineer it. During this
stage I check for:

a. Storing sensitive data (like login credentials) without adequate
protection - like encryption
b. Hardcoded encryption keys
c. Algorithms that encode data (e.g. base64) rather than encrypt data

For the iPhone, I have my own jailbroken device that I can ssh to.
Once there, I can use the standard tools like gdb to debug and otool
to disassemble.

For the BlackBerry, I've written my own decompiler so that I can
decompile .cod files. I just use that to read off the standard Java

2. Often, enterprise apps (like mobile banking, stock trading, etc)
will always connect to a server. So I check the communication between
client and server. I use the Mallory proxy together with my ubuntu
box and usb-wifi adapter to 'break' ssl and look at the plain text
traffic. Sometimes, from step (1) above, you can also collect clues
as to how the client app will communicate with the server app.

From this point on, I can run the standard web app or web service attacks.

Sadly, there is a shortage of skilled enterprise app developers. In
almost all my pentests, the apps have been nothing more than a
BrowserField (BlackBerry) or UIWebView (iOS) that just displays
HTML/CSS/JS content on the mobile device. It is nothing more than a
web application running on the device. So in cases like these, I just
end up focusing a lot on the server and it ends up in a web app
pentest instead.

Aside from encryption on the device itself, if you have audited or pen
tested for a client their smartphone/smartphone infrastructure - are there
any common security/management issues you find with them, or any good
benchmarks you use to assess the phone itself?

The Center for Internet Security has some benchmarks for mobile
security. I haven't checked them out extensively, but maybe you can:

You may also want to take a look for all your
reverse engineering needs.

This is an awesome site that has a lot of info on reverse engineering
BlackBerry .cod files:

As a follow up to the drb0lsen site, you might also want to follow
Stephen Lawler's posts here:


This list is sponsored by: Information Assurance Certification Review Board